Which combination of steps should an ML specialist take to provide this access?
(Choose two.)
A. Configure the SageMaker notebook instance to be launched with a VPC attached and internet access disabled.
B. Create and configure a VPN tunnel between SageMaker and Amazon S3.
C. Create and configure an S3 VPC endpoint. Attach it to the VPC.
D. Create an S3 bucket policy that allows traffic from the VPC and denies traffic from the internet.
E. Deploy AWS Transit Gateway. Attach the S3 bucket and the SageMaker instance to the gateway.
Explanations:
Configuring the SageMaker notebook instance with a VPC attached and disabling internet access ensures that all communication, including access to Amazon S3, happens within the private network without exposure to the internet, meeting regulatory requirements.
A VPN tunnel between SageMaker and Amazon S3 is unnecessary because Amazon S3 supports private access via VPC endpoints, making a VPN tunnel redundant and not ideal for this scenario.
Creating and configuring an S3 VPC endpoint allows secure, private access from the SageMaker notebook instance to S3 without using the internet, fulfilling the regulatory requirement.
While the S3 bucket policy can control access, it is not the best approach to ensure private communication between SageMaker and S3. The VPC endpoint (option C) is the proper mechanism for private access.
AWS Transit Gateway is not required in this scenario as the VPC endpoint (option C) directly provides the necessary functionality for private access to S3 from SageMaker. The Transit Gateway is typically used for complex inter-VPC communication, not for basic S3 access.