Which solution will meet these requirements?
Define security groups to allow all HTTP inbound and outbound traffic. Assign the security groups to the SageMaker notebook instance.
Configure the SageMaker notebook instance to have access to the VPC. Grant permission in the AWS Key Management Service (AWS KMS) key policy to the notebook's VPC.
Assign an IAM role that provides S3 read access for the dataset to the SageMaker notebook. Grant permission in the KMS key policy to the IAM role.
Assign the same KMS key that encrypts the data in Amazon S3 to the SageMaker notebook instance.
Explanations:
Security groups control network traffic but do not affect permissions for encrypted data access or IAM roles; therefore, this does not ensure SageMaker can access encrypted S3 data.
Configuring VPC access does not directly grant permission for SageMaker to access KMS-encrypted S3 data. KMS permissions need to be granted to the IAM role, not to the VPC.
Assigning an IAM role with S3 read access to the SageMaker notebook instance and granting KMS permissions to this role provides the necessary access to both the encrypted S3 data and the KMS key.
KMS keys cannot be directly assigned to SageMaker instances. Permissions to use the KMS key must be granted through an IAM role, not by directly assigning the KMS key to the notebook instance.