Exam AWS Certified Machine Learning - Specialty topic 1 question 131 discussion

ADF - the concepts in ADF are explained in detail on the official Amazon Exam Readiness Exam Readiness: AWS Certified Machine Learning - Specialty. Amazon official materials do not mention other concepts in BCE.

As per official document only 4 ways to do data egress Enforcing deployment in VPC,Enforcing network isolation,Restricting notebook pre-signed URLs to IPs,Disabling internet access Correct Ans - ADE Read Controlling data egress section Link - https://aws.amazon.com/blogs/machine-learning/millennium-management-secure-machine-learning-using-amazon-sagemaker/

Correct Choices and Reasoning: A. Connect to SageMaker by using a VPC interface endpoint powered by AWS PrivateLink: Keeps traffic within the VPC. B. Use SCPs to restrict access to SageMaker: Limits authorized actions and services. D. Enable network isolation for training jobs and models: Prevents network access during training and inference. Therefore, the three mechanisms that the ML engineer can use to control data egress from SageMaker are A. Connect to SageMaker by using a VPC interface endpoint powered by AWS PrivateLink, B. Use SCPs to restrict access to SageMaker, and D. Enable network isolation for training jobs and models.

A. Connect to SageMaker by using a VPC interface endpoint powered by AWS PrivateLink PrivateLink ensures that communication between SageMaker and other AWS services happens entirely within the AWS network, avoiding exposure to the public internet. This reduces the risk of unintended data egress. D. Enable network isolation for training jobs and models Enabling network isolation ensures that containers used for training jobs and models cannot make outbound network connections. This prevents accidental or malicious data egress. F. Protect data with encryption at rest and in transit. Use AWS Key Management Service (AWS KMS) to manage encryption keys Encrypting data ensures its security even if it is inadvertently accessed or stored improperly. KMS allows centralized and secure management of encryption keys.

F - it takes care of data sitting in sagemaker env which is encrypted but E ensures that the srvices or its resources cannot be accessed outside of the allowed IP's

My vote for ADF

A = VPC endpoints are well know safety mechanism in SM so traffic doesn’t leave AWS B = service control policy can restrict access at org level D = Network isolation limits training model access only to S3

To control data egress from SageMaker, the ML engineer can use the following mechanisms: Connect to SageMaker by using a VPC interface endpoint powered by AWS PrivateLink. This allows the ML engineer to access SageMaker services and resources without exposing the traffic to the public internet. This reduces the risk of data leakage and unauthorized access1 Enable network isolation for training jobs and models.

Question is wrong A, B, E and D are all valid to a point.

The more I see it, the more likely I will go with ABD, the only answers than address the data egress issue

For those who are sure that is E, please explain how you can use pre-signed urls to restrict IP's, from my understanding it is a time based access to your S3 objects, you can policies to control access, like SCP (Service Control Policy), Isolation is definitely one option so that leaves F (Encrypting in transit and Encrypting objects) as the only possible solution as BDF

A and D are for sure. The challenge between E and F. E restrict access to the notebook hence indirectly control who access it and can access data but encrypting the data is more direct way to protect the egress of the data. hence leaning more towards F

Not F because the que4stion is "to control data egress". F (encryption) is not egress control.

A, D, F are the mechanisms that the ML engineer can use to control data egress from SageMaker. B, C, and E do not directly control data egress from SageMaker. SCPs restrict access to AWS services, disabling root access on the SageMaker notebook instances improves security, and restricting notebook presigned URLs to specific IPs used by the company adds another layer of security, but none of these mechanisms control data egress from SageMaker.

https://aws.amazon.com/blogs/machine-learning/millennium-management-secure-machine-learning-using-amazon-sagemaker/

Are the correct

According to the subheadings in this case study: https://aws.amazon.com/blogs/machine-learning/millennium-management-secure-machine-learning-using-amazon-sagemaker/ The relevant options are: Controlling data egress: Enforcing deployment in VPC: This does not require a VPN to be enabled Enforcing network isolation Restricting notebook pre-signed URLs to IPs Disabling internet access Enforcing encryption: Enforcing job encryption: sagemaker:VolumeKmsKey