Topic 1 Question 16
A company has a team of data scientists who use Amazon SageMaker notebook instances to test ML models. When the data scientists need new permissions, the company attaches the permissions to each individual role that was created during the creation of the SageMaker notebook instance. The company needs to centralize management of the team's permissions. Which solution will meet this requirement?
Create a single IAM role that has the necessary permissions. Attach the role to each notebook instance that the team uses.
Create a single IAM group. Add the data scientists to the group. Associate the group with each notebook instance that the team uses.
Create a single IAM user. Attach the AdministratorAccess AWS managed IAM policy to the user. Configure each notebook instance to use the IAM user.
Create a single IAM group. Add the data scientists to the group. Create an IAM role. Attach the AdministratorAccess AWS managed IAM policy to the role. Associate the role with the group. Associate the group with each notebook instance that the team uses.
ユーザの投票
コメント(3)
- 正解だと思う選択肢: A
Actually this is a best practice when working with notebooks in SageMaker. https://docs.aws.amazon.com/sagemaker/latest/dg/gs-setup-working-env.html
👍 3GiorgioGss2024/11/27 - 正解だと思う選択肢: A
Creating a single IAM role allows centralized management of permissions for all SageMaker notebook instances. When permissions need to be updated, the changes are applied to the role, and all notebook instances automatically inherit the updated permissions. Why IAM Roles? IAM roles are the recommended way to provide permissions to AWS services like SageMaker because they securely delegate permissions without requiring long-term credentials.
Why Not the Other Options? B. IAM groups manage permissions for users, not for AWS services or resources like SageMaker notebook instances. Groups cannot be attached directly to notebook instances. C. Using an IAM user with AdministratorAccess violates the principle of least privilege, granting unnecessary permissions. Additionally, IAM users are not intended to be attached to resources like notebook instances. D. This option combines unnecessary complexity (group and role association) and grants excessive permissions (AdministratorAccess), which is not secure or efficient.
👍 3motk1232024/12/09 - 正解だと思う選択肢: A
Yet another unclear question from AWS ... anyway, I am basically picking A as all the other options are not applicable or are unclear.
A. Yes, this make sense B. No, you cannot assign (aka associate) group to notebook instances C. No, for two reason: AdministratorAccess policy is overly broad (violate least privilege principle) and you cannot assign IAM user to notebook instance D. No, for many reasons: AdministratorAccess policy is overly broad, not clear what associating a role to a group means (maybe a group has permissions to assume a role ...) and you cannot assign a group to a notebook
👍 2ninomfr642024/12/31
シャッフルモード