Exam AWS Certified Machine Learning - Specialty topic 1 question 116 discussion

A machine learning (ML) specialist wants to secure calls to the Amazon SageMaker Service API. The specialist has configured Amazon VPC with a VPC interface endpoint for the Amazon SageMaker Service API and is attempting to secure traffic from specific sets of instances and IAM users. The VPC is configured with a single public subnet.
Which combination of steps should the ML specialist take to secure the traffic? (Choose two.)

  • A. Add a VPC endpoint policy to allow access to the IAM users.
  • B. Modify the users' IAM policy to allow access to Amazon SageMaker Service API calls only.
  • C. Modify the security group on the endpoint network interface to restrict access to the instances.
  • D. Modify the ACL on the endpoint network interface to restrict access to the instances.
  • E. Add a SageMaker Runtime VPC endpoint interface to the VPC.
Suggested Answer: AC

Comments

mona_mansour
Highly Voted 2 years, 6 months ago
A&C...>https://aws.amazon.com/blogs/machine-learning/securing-all-amazon-sagemaker-api-calls-with-aws-privatelink/
upvoted 15 times
...
wisoxe8356
Highly Voted 1 year, 4 months ago
Selected Answer: AC
A - VPC endpoint policy can limit the access to a specific group of users/roles
Not B - setting an IAM user policy can limit user access to other AWS services but does not secure the traffic
C - “specific” sets of instances - means security rules at instance level
Not D - ACL (access control list) allows or denies specific inbound or outbound traffic at the subnet level.
Not E - VPC is configured with a public subnet; adding an interface without limiting the traffic means not secure
upvoted 7 times
...
loict
Most Recent 7 months, 2 weeks ago
Selected Answer: AC
A. YES - for users
B. NO - the users should access more than just SageMaker
C. YES - for instances
D. NO - ACLs are not supported for SageMaker endpoint (only S3, RDS, EKS, etc.)
E. NO - endpoint is already there
upvoted 1 times
...
ccpmad
9 months ago
Selected Answer: AC
A. Add a VPC endpoint policy to allow access to the IAM users: This will specify the permissions for the IAM users to access the Amazon SageMaker Service API through the VPC endpoint.
C. Modify the security group on the endpoint network interface to restrict access to the instances: By configuring the security group, the specialist can control which instances are allowed to communicate with the SageMaker Service API through the VPC endpoint.
upvoted 1 times
...
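The two controls described in the comment above (option A's endpoint policy and option C's security group on the endpoint network interface), as an added example that is not part of the original thread: it builds both documents and checks them with a simplified local model. The account ID, user names and security group ID are constructed placeholders, and `reaches_api` is a hypothetical helper, not an AWS API.

```python
import json

# Constructed placeholder values (assumptions, not from the thread).
ACCOUNT = "111122223333"
ALLOWED_USERS = ["ml-analyst-1", "ml-analyst-2"]
INSTANCE_SG = "sg-0aaa1111bbbb2222c"  # group attached to the permitted instances


def endpoint_policy(account, users):
    """Option A: VPC endpoint policy that admits only the named IAM users."""
    arns = [f"arn:aws:iam::{account}:user/{u}" for u in users]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "sagemaker:*",
            "Resource": "*",
            "Condition": {"ArnEquals": {"aws:PrincipalArn": arns}},
        }],
    }


def endpoint_sg_ingress(instance_sg):
    """Option C: the only inbound rule on the endpoint ENI's security group."""
    return [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "UserIdGroupPairs": [{"GroupId": instance_sg}],  # source = instance group
    }]


def reaches_api(source_sgs, principal_arn, ingress, policy):
    """Simplified local model: the call succeeds only if both layers admit it."""
    allowed_sgs = {p["GroupId"] for r in ingress for p in r["UserIdGroupPairs"]}
    network_ok = bool(allowed_sgs & set(source_sgs))
    identity_ok = any(
        principal_arn in s["Condition"]["ArnEquals"]["aws:PrincipalArn"]
        for s in policy["Statement"] if s["Effect"] == "Allow"
    )
    return network_ok and identity_ok


POLICY = endpoint_policy(ACCOUNT, ALLOWED_USERS)
INGRESS = endpoint_sg_ingress(INSTANCE_SG)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))   # policy document for the VPC endpoint
    print(json.dumps(INGRESS, indent=2))  # IpPermissions for the endpoint's group
```

A security group has no deny rules; the restriction comes from the endpoint's group listing only the instance group as an allowed source, so every other source is implicitly dropped.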
venimus_vidimus_vicimus
1 year, 5 months ago
Should be A & D no? We want to configure the endpoint - first to allow IAM users, second to control access to instances. Since Security Groups are attached to instances (not VPCs) and only allow allow rules - it should be D.
upvoted 3 times
...
exam_prep
1 year, 11 months ago
Yes, A & D are correct.
A> This will limit access to only named IAM users. It is like defining all for given principals as below:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
D-> To restrict access to certain instances or IP addresses you define a deny rule at NACL level. Here the VPC interface endpoint is in the subnet (the only subnet in the VPC). So modify NACL configurations at this subnet level. Security groups are only for allowing the traffic, not for deny, so C is incorrect.
upvoted 1 times
...
yj123
2 years, 2 months ago
security group cannot restrict access explicitly, C?
upvoted 1 times
yj123
2 years, 2 months ago
I mean A, D
upvoted 1 times
...
...
[Removed]
2 years, 5 months ago
Selected Answer: AC
Security Group controls instance level access. The question requires instance level access. The VPC endpoint is already set up. It needs a policy attachment for particular IAM Users. I would have preferred this to be IAM Roles instead of Users, as a more appropriate question. Nevertheless, answer is A & C.
upvoted 2 times
...
Madwyn
2 years, 6 months ago
A says allow access TO the IAM users? That's weird, why to the IAM users? How do you access them?
upvoted 1 times
...
msamory
2 years, 6 months ago
The VPC endpoint is already available waiting to be configured. No need to add one. A and E are out. Furthermore if an IAM endpoint is not set, a default one will be provided and you can't have more than 1 IAM policy but can modify the one that's available. Restrict access to only calls coming from the VPC, then modify the security group to give access to user group or roles that need access to that notebook. I think the answer is B and C
upvoted 4 times
Madwyn
2 years, 6 months ago
A says add a VPC endpoint policy, not add an endpoint.
upvoted 2 times
...
...
cnethers
2 years, 6 months ago
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html
https://docs.aws.amazon.com/sagemaker/latest/dg/notebook-interface-endpoint.html#nbi-private-link-policy
https://docs.aws.amazon.com/vpc/latest/userguide/integrated-services-vpce-list.html
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other