Free AWS AIP-C01 Actual Exam Questions - Question 11 Discussion
Scenario: An ML pipeline uses a SageMaker Service API VPC interface endpoint in a public subnet. The team must ensure that only specific Amazon EC2 instances and IAM users can invoke SageMaker API operations through that endpoint.

Question: Which combination of actions should the team take to secure the traffic to the SageMaker Service API? (Select TWO.)

Options:
Maybe C to limit instance access and D for controlling IAM user permissions.
C is key for limiting which instances can connect; do endpoint policies really handle individual IAM users that granularly?
I’m thinking A might not be as relevant since enabling private DNS mostly ensures traffic stays within the VPC but doesn’t restrict who can access the endpoint. B sounds complicated and reactive rather than preventive, plus blocking via Lambda based on flow logs might introduce delays. Between C and D, securing the endpoint’s security group (C) keeps unauthorized instances out on the network side, and the endpoint policy (D) controls API call permissions at the identity level. But is the endpoint policy flexible enough to specify individual IAM users or just roles? That detail could be crucial.
D imo, because endpoint policies can restrict access based on IAM users, and C makes sense to lock down the security group to only approved EC2 instances. Those two together cover both identity and network control effectively.
Makes sense to use D since endpoint policies can restrict by IAM users, plus C to limit network traffic only from certain instances. That covers both identity and network-level controls. So C and D.
I think C makes sense since controlling the security group for the VPC endpoint network interface lets you restrict traffic source at the network level, which helps limit it to specific EC2 instances. Also, D seems logical because attaching a custom VPC endpoint policy lets you explicitly specify which IAM users or roles can invoke the SageMaker API, giving precise access control. Does enabling private DNS (A) really help with restricting who can call the API, or just where the traffic goes?
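The two controls the comments above keep coming back to (a security group on the endpoint's network interface and a custom endpoint policy) can be expressed together in Terraform. This is an added example written for this discussion, not code from the question, from AWS, or from any commenter; the account ID, principal ARNs, security-group names, and the `vpc_id`, `region` and `subnet_ids` variables are placeholders to be replaced with real values.

```hcl
# Added example (not from the discussion): a SageMaker API interface endpoint
# locked down at two layers. Every name, ID, region and account number below is
# a placeholder.

locals {
  # Only these principals may call SageMaker through the endpoint (placeholders).
  allowed_principals = [
    "arn:aws:iam::111122223333:user/ml-admin",
    "arn:aws:iam::111122223333:role/training-instance-role",
  ]
}

variable "vpc_id" { type = string }
variable "region" { type = string }
variable "subnet_ids" { type = list(string) }

# Security group that approved EC2 instances are launched into.
resource "aws_security_group" "ml_instances" {
  name   = "ml-instances-sg"
  vpc_id = var.vpc_id
}

# Layer 1 (network): only members of ml_instances may reach the endpoint ENI,
# and only on HTTPS. Any other source in the VPC is dropped before IAM is consulted.
resource "aws_security_group" "sagemaker_endpoint" {
  name   = "sagemaker-api-endpoint-sg"
  vpc_id = var.vpc_id

  ingress {
    description     = "HTTPS from approved ML instances only"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.ml_instances.id]
  }
}

# Layer 2 (identity): the endpoint policy allows only the listed IAM users and
# roles. Because there is no statement for anyone else, every other principal
# is refused at the endpoint even if its own IAM policy grants sagemaker:*.
data "aws_iam_policy_document" "endpoint" {
  statement {
    sid       = "AllowOnlyApprovedPrincipals"
    effect    = "Allow"
    actions   = ["sagemaker:*"]
    resources = ["*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "ArnEquals"
      variable = "aws:PrincipalArn"
      values   = local.allowed_principals
    }
  }
}

resource "aws_vpc_endpoint" "sagemaker_api" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.sagemaker.api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.sagemaker_endpoint.id]
  private_dns_enabled = true
  policy              = data.aws_iam_policy_document.endpoint.json
}
```

Two points worth checking when applying this pattern: the endpoint policy is evaluated in addition to, not instead of, the caller's identity policy, so a listed principal still needs its own IAM permission for the SageMaker action; and the security group rule selects traffic by source security group rather than by instance ID, so "specific EC2 instances" means exactly the instances placed in `ml_instances`. The `aws:PrincipalArn` condition accepts both user and role ARNs, which answers the question raised above about whether individual IAM users can be named.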
D. This directly targets stopping training jobs early when improvements plateau, which is exactly what the question asks for. While it mainly benefits built-in algorithms or those supporting early stopping hooks, it’s the only option that explicitly automates resource savings by cutting off poorly performing jobs sooner. The others either extend runtime or change tuning strategy but don’t provide automatic early termination, so they won’t help reduce unnecessary long runs as effectively.
D/B? D seems like the best fit since it directly addresses early stopping to save resources. But as noted, it mainly works with built-in algorithms or those supporting the early stopping hook. If you’re using custom containers without that support, D might not help much. B could be a backup if you want to tighten the objective metric so the tuner ignores poor models faster, though it won’t stop jobs mid-run—just affects job selection. So if your setup supports early stopping, go with D; otherwise, tweaking the objective metric (B) might be your fallback.
Does enabling early stopping with option D apply to all types of training algorithms in SageMaker, or are there exceptions where it won't work? Just want to make sure it's always effective.