Q: 3
[Data Engineering]
A large JSON dataset for a project has been uploaded to a private Amazon S3 bucket. The Machine Learning Specialist wants to securely access and explore the data from an Amazon SageMaker notebook instance. A new VPC was created and assigned to the Specialist.
How can the privacy and integrity of the data stored in Amazon S3 be maintained while granting access to the Specialist for analysis?
Options
Discussion
C. ACLs in A are risky and presigned URLs in D don’t meet the privacy/integrity part. B is a trap since copying local doesn’t control S3 access. Saw a similar question in some practice; C is the secure setup with VPC endpoint plus bucket policy. Correct me if I missed something on endpoint restrictions.
C. Had something like this in a mock and C was the answer. VPC endpoint plus custom bucket policy limits access securely.
My vote is C. Saw a similar question in my practice set, VPC endpoint with a custom bucket policy is the AWS way to lock down access. The other options are less secure for privacy, let me know if anyone else thinks otherwise.
Don't think D is right. C locks down access with a VPC endpoint and bucket policy, so privacy/integrity are actually maintained. D's presigned URLs are more for temporary or external access, which is a trap here if you're thinking about security requirements.
A is wrong, C. Using an S3 VPC endpoint plus restricting bucket access to the VPC keeps your data private and protected. ACLs to everyone or presigned URLs aren’t secure enough here, pretty sure this matches AWS best practices.
These AWS exam questions always overcomplicate. B tbh, copying the dataset to local SageMaker volume after using the VPC endpoint sounds simpler.
I don't think opening up S3 access with ACLs or pre-signed URLs (A, D) really fits the security requirement. Also, B copies the data locally which doesn't actually secure S3 access itself. C's combo of VPC endpoint plus strict bucket policy is best for privacy and integrity. Pretty sure that's what AWS recommends. Open to other takes if anyone thinks differently about endpoint scope though.
Doesn't C fail if the VPC endpoint isn't limited to just the S3 bucket? Could allow more access than needed. C
I don’t think B covers privacy fully. C is better because the custom S3 bucket policy restricts access to only your VPC, so no public or broad access like with ACLs or presigned URLs. Pretty sure this is the most secure way per AWS docs.
C vs B? Saw a similar question in an exam report and the correct pick was C, makes sense since VPC endpoint plus bucket policy keeps data private, no need to copy locally. Anyone else see the same?
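Option C as the thread describes it, written out as an added example (not from the question, any answer above, or AWS documentation): a bucket policy that denies every request not arriving through the notebook's S3 gateway endpoint, plus an endpoint policy scoped to that one bucket and the notebook role, which is the "endpoint scope" limit a couple of posts ask about. The bucket name, endpoint id and role ARN are constructed placeholders, and the evaluation helper is a simplified model of the single Deny statement, not a full IAM evaluator.

```python
# Constructed placeholder names; substitute the real bucket, endpoint and role.
BUCKET = "example-ml-dataset-bucket"
VPCE_ID = "vpce-0123456789abcdef0"
ROLE_ARN = "arn:aws:iam::123456789012:role/SageMakerNotebookRole"

def bucket_policy(bucket, vpce_id):
    """Bucket policy: explicit Deny on everything that did not arrive through
    the given gateway endpoint. Deny beats any Allow from ACLs or other policies."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromNotebookVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": arns,
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }

def endpoint_policy(bucket, role_arn):
    """Endpoint policy on the S3 gateway endpoint: only the notebook role,
    only this bucket, read-only, so the endpoint is not a wide-open path to S3."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "NotebookRoleReadOnlyOnDatasetBucket",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": arns,
        }],
    }

def bucket_policy_blocks(policy, source_vpce):
    """Simplified check of the Deny statement: True when the request is blocked.
    A request from the internet carries no aws:SourceVpce key; StringNotEquals on a
    missing key evaluates to true, so such a request is denied as well."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny":
            wanted = stmt["Condition"]["StringNotEquals"]["aws:SourceVpce"]
            if source_vpce != wanted:
                return True
    return False
```

The Deny-based bucket policy is what makes the ACL and presigned-URL paths in options A and D ineffective: a presigned URL fetched from outside the VPC still fails the `aws:SourceVpce` check.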