Exam AWS Certified Machine Learning Engineer - Associate MLA-C01 topic 1 question 16 discussion

Yet another unclear question from AWS ... anyway, I am basically picking A as all the other options are not applicable or are unclear. A. Yes, this make sense B. No, you cannot assign (aka associate) group to notebook instances C. No, for two reason: AdministratorAccess policy is overly broad (violate least privilege principle) and you cannot assign IAM user to notebook instance D. No, for many reasons: AdministratorAccess policy is overly broad, not clear what associating a role to a group means (maybe a group has permissions to assume a role ...) and you cannot assign a group to a notebook

Creating a single IAM role allows centralized management of permissions for all SageMaker notebook instances. When permissions need to be updated, the changes are applied to the role, and all notebook instances automatically inherit the updated permissions. Why IAM Roles? IAM roles are the recommended way to provide permissions to AWS services like SageMaker because they securely delegate permissions without requiring long-term credentials. Why Not the Other Options? B. IAM groups manage permissions for users, not for AWS services or resources like SageMaker notebook instances. Groups cannot be attached directly to notebook instances. C. Using an IAM user with AdministratorAccess violates the principle of least privilege, granting unnecessary permissions. Additionally, IAM users are not intended to be attached to resources like notebook instances. D. This option combines unnecessary complexity (group and role association) and grants excessive permissions (AdministratorAccess), which is not secure or efficient.

Actually this is a best practice when working with notebooks in SageMaker. https://docs.aws.amazon.com/sagemaker/latest/dg/gs-setup-working-env.html