A financial services company wants to adopt Amazon SageMaker as its default data science environment.

Amazon Web Services MLS-C01 Question Answer

A financial services company wants to adopt Amazon SageMaker as its default data science environment. The company's data scientists run machine learning (ML) models on confidential financial data. The company is worried about data egress and wants an ML engineer to secure the environment.

Which mechanisms can the ML engineer use to control data egress from SageMaker? (Choose three.)

Connect to SageMaker by using a VPC interface endpoint powered by AWS PrivateLink.

Use SCPs to restrict access to SageMaker.

Disable root access on the SageMaker notebook instances.

Enable network isolation for training jobs and models.

Restrict notebook presigned URLs to specific IPs used by the company.

Protect data with encryption at rest and in transit. Use AWS Key Management Service (AWS KMS) to manage encryption keys.

Explanation:

To control data egress from SageMaker, the ML engineer can use the following mechanisms:

Connect to SageMaker by using a VPC interface endpoint powered by AWS PrivateLink. This allows the ML engineer to access SageMaker services and resources without exposing the traffic to the public internet. This reduces the risk of data leakage and unauthorized access1

Enable network isolation for training jobs and models. This prevents the training jobs and models from accessing the internet or other AWS services. This ensures that the data used for training and inference is not exposed to external sources2

Protect data with encryption at rest and in transit. Use AWS Key Management Service (AWS KMS) to manage encryption keys. This enables the ML engineer to encrypt the data stored in Amazon S3 buckets, SageMaker notebook instances, and SageMaker endpoints. It also allows the ML engineer to encrypt the data in transit between SageMaker and other AWS services. This helps protect the data from unauthorized access and tampering3

The other options are not effective in controlling data egress from SageMaker:

Use SCPs to restrict access to SageMaker. SCPs are used to define the maximum permissions for an organization or organizational unit (OU) in AWS Organizations. They do not control the data egress from SageMaker, but rather the access to SageMaker itself4

Disable root access on the SageMaker notebook instances. This prevents the users from installing additional packages or libraries on the notebook instances. It does not prevent the data from being transferred out of the notebook instances.

Restrict notebook presigned URLs to specific IPs used by the company. This limits the access to the notebook instances from certain IP addresses. It does not prevent the data from being transferred out of the notebook instances.

1: Amazon SageMaker Interface VPC Endpoints (AWS PrivateLink) - Amazon SageMaker

2: Network Isolation - Amazon SageMaker

3: Encrypt Data at Rest and in Transit - Amazon SageMaker

4: Using Service Control Policies - AWS Organizations

Disable Root Access - Amazon SageMaker

Create a Presigned Notebook Instance URL - Amazon SageMaker

Amazon Web Services MLS-C01 View All Questions