Exam AWS Certified Machine Learning - Specialty topic 1 question 131 discussion

A financial services company wants to adopt Amazon SageMaker as its default data science environment. The company's data scientists run machine learning (ML) models on confidential financial data. The company is worried about data egress and wants an ML engineer to secure the environment.
Which mechanisms can the ML engineer use to control data egress from SageMaker? (Choose three.)

  • A. Connect to SageMaker by using a VPC interface endpoint powered by AWS PrivateLink.
  • B. Use SCPs to restrict access to SageMaker.
  • C. Disable root access on the SageMaker notebook instances.
  • D. Enable network isolation for training jobs and models.
  • E. Restrict notebook presigned URLs to specific IPs used by the company.
  • F. Protect data with encryption at rest and in transit. Use AWS Key Management Service (AWS KMS) to manage encryption keys.
Suggested Answer: ADE

Comments

SophieSu
Highly Voted 3 years, 5 months ago
ADF - the concepts in ADF are explained in detail on the official Amazon Exam Readiness Exam Readiness: AWS Certified Machine Learning - Specialty. Amazon official materials do not mention other concepts in BCE.
upvoted 37 times
khchan123
1 year, 3 months ago
ADE for sure. F is for encryption and not data egress.
upvoted 2 times
scuzzy2010
3 years, 4 months ago
I agree with ADF. SCP is to control access to a service, it's not related to securing data.
upvoted 3 times
rahulw230
Highly Voted 3 years, 4 months ago
As per official document only 4 ways to do data egress: Enforcing deployment in VPC, Enforcing network isolation, Restricting notebook pre-signed URLs to IPs, Disabling internet access. Correct Ans - ADE. Read Controlling data egress section. Link - https://aws.amazon.com/blogs/machine-learning/millennium-management-secure-machine-learning-using-amazon-sagemaker/
upvoted 28 times
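
The four controls named in the comment above (VPC deployment, network isolation, presigned-URL IP restriction, disabled internet access) can be checked mechanically. The Python below is an added example, not part of the original thread or the linked AWS post; it audits constructed inputs shaped like `DescribeTrainingJob` and `DescribeNotebookInstance` responses plus one IAM statement, and the subnet, security group and CIDR values are placeholders.

```python
import ipaddress

# Constructed sample inputs (placeholders, not real resources), shaped like
# DescribeTrainingJob / DescribeNotebookInstance output and an IAM statement.
TRAINING_JOB = {
    "EnableNetworkIsolation": False,
    "VpcConfig": {"Subnets": ["subnet-EXAMPLE"], "SecurityGroupIds": ["sg-EXAMPLE"]},
}
NOTEBOOK = {"DirectInternetAccess": "Enabled", "SubnetId": "subnet-EXAMPLE"}
PRESIGN_STATEMENT = {
    "Effect": "Deny",
    "Action": "sagemaker:CreatePresignedNotebookInstanceUrl",
    "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
}

def audit_training_job(job):
    """Return egress findings for a training job description."""
    findings = []
    if not job.get("EnableNetworkIsolation", False):
        findings.append("network isolation disabled")
    vpc = job.get("VpcConfig") or {}
    if not (vpc.get("Subnets") and vpc.get("SecurityGroupIds")):
        findings.append("not deployed in a VPC")
    return findings

def audit_notebook(nb):
    """Return egress findings for a notebook instance description."""
    findings = []
    if nb.get("DirectInternetAccess") != "Disabled":
        findings.append("direct internet access enabled")
    if not nb.get("SubnetId"):
        findings.append("not deployed in a VPC")
    return findings

def presign_ip_restricted(stmt):
    """True if stmt denies presigned notebook URLs outside specific CIDRs."""
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    cidrs = stmt.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp", [])
    cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
    if stmt.get("Effect") != "Deny" or "sagemaker:CreatePresignedNotebookInstanceUrl" not in actions:
        return False
    try:
        nets = [ipaddress.ip_network(c) for c in cidrs]
    except ValueError:
        return False
    # A /0 range matches every address, so it restricts nothing.
    return bool(nets) and all(n.prefixlen > 0 for n in nets)
```
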
Togy
Most Recent 2 days, 13 hours ago
Selected Answer: ABD
Correct Choices and Reasoning: A. Connect to SageMaker by using a VPC interface endpoint powered by AWS PrivateLink: Keeps traffic within the VPC. B. Use SCPs to restrict access to SageMaker: Limits authorized actions and services. D. Enable network isolation for training jobs and models: Prevents network access during training and inference. Therefore, the three mechanisms that the ML engineer can use to control data egress from SageMaker are A. Connect to SageMaker by using a VPC interface endpoint powered by AWS PrivateLink, B. Use SCPs to restrict access to SageMaker, and D. Enable network isolation for training jobs and models.
upvoted 1 times
KarinaAsh
3 months, 3 weeks ago
Selected Answer: ADF
A. Connect to SageMaker by using a VPC interface endpoint powered by AWS PrivateLink: PrivateLink ensures that communication between SageMaker and other AWS services happens entirely within the AWS network, avoiding exposure to the public internet. This reduces the risk of unintended data egress.
D. Enable network isolation for training jobs and models: Enabling network isolation ensures that containers used for training jobs and models cannot make outbound network connections. This prevents accidental or malicious data egress.
F. Protect data with encryption at rest and in transit. Use AWS Key Management Service (AWS KMS) to manage encryption keys: Encrypting data ensures its security even if it is inadvertently accessed or stored improperly. KMS allows centralized and secure management of encryption keys.
upvoted 1 times
rookiee1111
10 months, 3 weeks ago
Selected Answer: ADE
F - it takes care of data sitting in the SageMaker env, which is encrypted, but E ensures that the services or its resources cannot be accessed outside of the allowed IPs
upvoted 1 times
vkbajoria
1 year ago
My vote for ADF
upvoted 1 times
vkbajoria
11 months, 2 weeks ago
I changed my selection. It is truly ADE. I read the link provided by rahulw230
upvoted 1 times
AIWave
1 year ago
Selected Answer: ABD
A = VPC endpoints are a well-known safety mechanism in SM so traffic doesn't leave AWS
B = service control policy can restrict access at org level
D = Network isolation limits training model access only to S3
upvoted 1 times
kyuhuck
1 year, 1 month ago
Selected Answer: ADF
To control data egress from SageMaker, the ML engineer can use the following mechanisms: Connect to SageMaker by using a VPC interface endpoint powered by AWS PrivateLink. This allows the ML engineer to access SageMaker services and resources without exposing the traffic to the public internet. This reduces the risk of data leakage and unauthorized access. Enable network isolation for training jobs and models.
upvoted 1 times
sonoluminescence
1 year, 4 months ago
Question is wrong. A, B, E and D are all valid to a point.
upvoted 1 times
jyrajan69
1 year, 6 months ago
The more I see it, the more likely I will go with ABD, the only answers that address the data egress issue
upvoted 1 times
jyrajan69
1 year, 6 months ago
For those who are sure that it is E, please explain how you can use pre-signed URLs to restrict IPs. From my understanding it is a time-based access to your S3 objects. You can use policies to control access, like SCP (Service Control Policy). Isolation is definitely one option, so that leaves F (Encrypting in transit and Encrypting objects) as the only possible solution as BDF
upvoted 1 times
Mickey321
1 year, 6 months ago
Selected Answer: ADF
A and D are for sure. The challenge is between E and F. E restricts access to the notebook, hence indirectly controls who accesses it and can access data, but encrypting the data is a more direct way to protect the egress of the data. Hence leaning more towards F
upvoted 1 times
mawsman
1 year, 11 months ago
Selected Answer: ADE
Not F because the question is "to control data egress". F (encryption) is not egress control.
upvoted 3 times
codehive
1 year, 11 months ago
Selected Answer: ADF
A, D, F are the mechanisms that the ML engineer can use to control data egress from SageMaker. B, C, and E do not directly control data egress from SageMaker. SCPs restrict access to AWS services, disabling root access on the SageMaker notebook instances improves security, and restricting notebook presigned URLs to specific IPs used by the company adds another layer of security, but none of these mechanisms control data egress from SageMaker.
upvoted 2 times
Mllb
1 year, 11 months ago
Selected Answer: ADE
https://aws.amazon.com/blogs/machine-learning/millennium-management-secure-machine-learning-using-amazon-sagemaker/
upvoted 2 times
Mllb
1 year, 11 months ago
Selected Answer: ADF
Are the correct
upvoted 2 times
aScientist
2 years, 4 months ago
Selected Answer: DEF
According to the subheadings in this case study: https://aws.amazon.com/blogs/machine-learning/millennium-management-secure-machine-learning-using-amazon-sagemaker/
The relevant options are:
Controlling data egress:
  • Enforcing deployment in VPC: This does not require a VPN to be enabled
  • Enforcing network isolation
  • Restricting notebook pre-signed URLs to IPs
  • Disabling internet access
Enforcing encryption:
  • Enforcing job encryption: sagemaker:VolumeKmsKey
upvoted 1 times