Topic 1 Question 15
A Machine Learning Specialist at a company sensitive to security is preparing a dataset for model training. The dataset is stored in Amazon S3 and contains Personally Identifiable Information (PII). The dataset:
- Must be accessible from a VPC only.
- Must not traverse the public internet.
How can these requirements be satisfied?
A. Create a VPC endpoint and apply a bucket access policy that restricts access to the given VPC endpoint and the VPC.
B. Create a VPC endpoint and apply a bucket access policy that allows access from the given VPC endpoint and an Amazon EC2 instance.
C. Create a VPC endpoint and use Network Access Control Lists (NACLs) to allow traffic between only the given VPC endpoint and an Amazon EC2 instance.
D. Create a VPC endpoint and use security groups to restrict access to the given VPC endpoint and an Amazon EC2 instance.
Comments (17)
Important things to note here are that:
- "The data in S3 needs to be accessible from the VPC"
- "Traffic should not traverse the internet"
To fulfill requirement #2 we need a VPC endpoint. To RESTRICT the access to the S3 bucket: access is allowed only from the VPC via the VPC endpoint.
Even though SageMaker uses EC2, we are NOT asked to secure the EC2 :)
So the answer is A.
👍 33 rajs 2021/10/01

Between A & B, the answer should be A. From here: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html#vpc-endpoints-s3-bucket-policies We can see that we restrict access using DENY if sourceVpce (VPC endpoint) or sourceVpc (VPC) is not equal to our VPCe/VPC. So we are using a DENY (choice A) and not an ALLOW policy (choice B).
Choices C, D we eliminate because they don't address S3 access at all.
👍 11 sdsfsdsf 2021/10/05

A. The VPC accesses S3 through the VPC endpoint without internet traffic.
👍 4 grandgale 2021/10/01
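The Deny-based bucket policy that the second comment points to (choice A), written out as an added example that is not part of the original thread, together with a tiny evaluator that shows why an explicit Deny on `aws:SourceVpce` / `aws:SourceVpc` blocks any path that does not go through the endpoint; the bucket name and the `vpce-`/`vpc-` IDs are constructed placeholders.

```python
# Constructed placeholder identifiers (not from the original thread).
BUCKET = "pii-training-data"
VPCE_ID = "vpce-0123456789abcdef0"
VPC_ID = "vpc-0123456789abcdef0"


def vpc_only_bucket_policy(bucket: str, vpce_id: str, vpc_id: str) -> dict:
    """Bucket policy in the style of choice A: an explicit Deny that fires
    whenever the request did NOT arrive through the given gateway endpoint or
    from inside the given VPC. An explicit Deny overrides any Allow that an
    IAM policy elsewhere might grant, which a plain Allow (choice B) cannot do.
    """
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]

    def deny(sid: str, key: str, value: str) -> dict:
        return {
            "Sid": sid,
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": resources,
            "Condition": {"StringNotEquals": {key: value}},
        }

    return {
        "Version": "2012-10-17",
        "Statement": [
            deny("DenyUnlessViaEndpoint", "aws:SourceVpce", vpce_id),
            deny("DenyUnlessFromVpc", "aws:SourceVpc", vpc_id),
        ],
    }


def is_denied(policy: dict, request_context: dict) -> bool:
    """Minimal evaluator for the Deny statements above (StringNotEquals only).
    As in IAM, a condition key that is absent from the request (for example a
    call arriving over the public internet) makes StringNotEquals true, so the
    Deny applies; this also locks out the S3 console, which is intended here."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        for key, expected in stmt["Condition"]["StringNotEquals"].items():
            if request_context.get(key) != expected:
                return True
    return False
```

`json.dumps(vpc_only_bucket_policy(BUCKET, VPCE_ID, VPC_ID), indent=2)` gives the policy document to attach to the bucket; a request carrying both matching keys is not denied, a request with no `aws:SourceVpce` key is.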