Exam AWS Certified Machine Learning Engineer - Associate MLA-C01 topic 1 question 108 discussion

A company shares Amazon SageMaker Studio notebooks that are accessible through a VPN. The company must enforce access controls to prevent malicious actors from exploiting presigned URLs to access the notebooks.

Which solution will meet these requirements?

  • A. Set up Studio client IP validation by using the aws:sourceIp IAM policy condition.
  • B. Set up Studio client VPC validation by using the aws:sourceVpc IAM policy condition.
  • C. Set up Studio client role endpoint validation by using the aws:PrimaryTag IAM policy condition.
  • D. Set up Studio client user endpoint validation by using the aws:PrincipalTag IAM policy condition.
Suggested Answer: A

Comments

AWS_Certified1
3 weeks, 1 day ago
Selected Answer: A
VPN - predefined IP range
upvoted 1 times
...
eesa
4 weeks, 1 day ago
Selected Answer: A
✅ Explanation:

Context: The company is using Amazon SageMaker Studio notebooks. Access is allowed through a VPN, meaning users are coming from known, fixed IP ranges. The concern is unauthorized access via presigned URLs, which could potentially be used outside the trusted network.

✅ Why aws:sourceIp is the right choice: The aws:sourceIp condition in IAM policies allows you to restrict access based on the client's IP address. This is perfect for VPN-based setups where you know the IP range. It ensures that only users accessing from allowed IPs (e.g., your VPN subnet) can access SageMaker Studio resources, even if they have a valid presigned URL. This directly mitigates the risk of URL misuse from outside the VPN.
upvoted 3 times
...
chris_spencer
1 month, 1 week ago
Selected Answer: A
A is correct. https://aws.amazon.com/blogs/machine-learning/secure-amazon-sagemaker-studio-presigned-urls-part-1-foundational-infrastructure/

Studio supports a few methods for enforcing access controls against presigned URL data exfiltration:

  • Client IP validation using the IAM policy condition aws:sourceIp
  • Client VPC validation using the IAM condition aws:sourceVpc
  • Client VPC endpoint validation using the IAM policy condition aws:sourceVpce
upvoted 1 times
...
ryuhei
1 month, 2 weeks ago
Selected Answer: B
If you apply IP restrictions, it may not be possible to properly control access via dynamic IP addresses or proxies, so the correct answer is probably B.
upvoted 3 times
chris_spencer
1 month, 1 week ago
B is incorrect, IAM condition aws:sourceVpc is used for validating Client VPC. Client VPC validation using the IAM condition aws:sourceVpc
upvoted 1 times
...
...
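An added example, not from the exam page or from AWS: a small Python lint for the client IP validation discussed in the comments above. It flags IAM Allow statements that grant sagemaker:CreatePresignedDomainUrl without an aws:sourceIp condition confined to the VPN range. The VPN CIDR, the sample policies and the function names are assumptions made for illustration, and Deny/NotIpAddress patterns are not evaluated.

```python
import ipaddress

# Assumption: VPN egress range (198.51.100.0/24 is a documentation-only block).
VPN_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]
ACTION = "sagemaker:CreatePresignedDomainUrl"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_action(stmt):
    # Exact name and the common wildcards only; not a full IAM action matcher.
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    return bool(actions & {ACTION.lower(), "sagemaker:*", "*"})

def _source_ip_cidrs(stmt):
    # IAM condition keys are case-insensitive: aws:sourceIp == aws:SourceIp.
    cidrs = []
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.lower() != "ipaddress":
            continue
        for key, value in keys.items():
            if key.lower() == "aws:sourceip":
                cidrs += [ipaddress.ip_network(c) for c in _as_list(value)]
    return cidrs

def unrestricted_statements(policy):
    """Return the Sids of Allow statements that grant ACTION without
    pinning aws:SourceIp to ranges inside VPN_CIDRS."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or not _grants_action(stmt):
            continue
        cidrs = _source_ip_cidrs(stmt)
        inside = all(any(c.subnet_of(v) for v in VPN_CIDRS) for c in cidrs)
        if not cidrs or not inside:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

# Constructed sample policies: the weak form beside the restricted one.
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyNetwork", "Effect": "Allow", "Action": ACTION, "Resource": "*"}]}
HARDENED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VpnOnly", "Effect": "Allow", "Action": ACTION, "Resource": "*",
     "Condition": {"IpAddress": {"aws:sourceIp": ["198.51.100.0/25"]}}}]}

if __name__ == "__main__":
    print("weak:", unrestricted_statements(WEAK))
    print("hardened:", unrestricted_statements(HARDENED))
```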
Community vote distribution: A (35%, most voted), C (25%), B (20%), Other