How should a machine learning specialist architect the solution to satisfy these requirements?

By:
In: MLS-C01
Tagged:
With: 1 Comment
A library is developing an automatic book-borrowing system that uses Amazon Rekognition.Images of library members’ faces are stored in an Amazon S3 bucket.When members borrow books, the Amazon Rekognition CompareFaces API operation compares real faces against the stored faces in Amazon S3.The library needs to improve security by making sure that images are encrypted at rest.Also, when the images are used with Amazon Rekognition.they need to be encrypted in transit.The library also must ensure that the images are not used to improve Amazon Rekognition as a service.

How should a machine learning specialist architect the solution to satisfy these requirements?

Enable server-side encryption on the S3 bucket. Submit an AWS Support ticket to opt out of allowing images to be used for improving the service, and follow the process provided by AWS Support.

Switch to using an Amazon Rekognition collection to store the images. Use the IndexFaces and SearchFacesByImage API operations instead of the CompareFaces API operation.

Switch to using the AWS GovCloud (US) Region for Amazon S3 to store images and for Amazon Rekognition to compare faces. Set up a VPN connection and only call the Amazon Rekognition API operations through the VPN.

Enable client-side encryption on the S3 bucket. Set up a VPN connection and only call the Amazon Rekognition API operations through the VPN.

Explanations:

Enabling server-side encryption on the S3 bucket ensures that images are encrypted at rest. Submitting an AWS Support ticket to opt-out of using images for improving the service addresses the requirement of not using images to enhance Amazon Rekognition as a service. This option meets both encryption and privacy requirements.

Switching to an Amazon Rekognition collection does not directly address the requirement for encryption at rest or in transit. While it may provide some benefits in face recognition tasks, it does not meet the specific security requirements outlined in the scenario.

Using the AWS GovCloud (US) Region does not inherently ensure encryption at rest or in transit. Additionally, setting up a VPN connection is a method of securing communication but does not address how the images are stored or managed with respect to Amazon Rekognition.

While enabling client-side encryption would protect images at rest, it does not fulfill the requirement for ensuring that images are encrypted in transit when they are sent to Amazon Rekognition. A VPN does provide an additional layer of security for transmission, but without addressing encryption at rest specifically through S3, it does not meet all the requirements.

2025-10-06

1 Comment

  1. Billy
    Author

    I classify that the answer is:
    Enable server-side encryption on the S3 bucket. Submit an AWS Support ticket to opt out of allowing images to be used for improving the service, and follow the process provided by AWS Support.

Leave a Reply

Your email address will not be published. Required fields are marked *

one × 3 =