Free AWS AIP-C01 Actual Exam Questions - Question 6 Discussion
Scenario: SageMaker notebook instances are deployed inside an isolated VPC with interface endpoints, yet unauthorized external users can still access them through the internet. Question: How can the team limit access to the SageMaker notebook instances, ensuring only authorized VPC users can connect? Options:
It’s B because controlling access with VPC Endpoint Policies directly limits which IAM users can connect through the endpoint, preventing unauthorized users even if network rules are bypassed.
D, since locking down the security group to VPC IPs physically blocks outside traffic.
C imo, since restricting IAM actions via interface endpoints narrows access to authorized users only.
This one’s tricky but I think D is solid because restricting the security group to VPC CIDR blocks directly limits network access to the notebooks. Even if credentials leak, no external IP can connect. B controls API access but might not stop direct network access if that’s misconfigured. So, D’s a more foolproof way to block external internet traffic in this setup.
D seems best—attach a policy to the SageMaker notebook's IAM role. It's straightforward and secure for granting needed S3 access without extra complexity.
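The network-level check argued for in the thread (restricting the notebook security group to the VPC CIDR blocks), as an added example that is not part of the original discussion: it audits a set of ingress rules for sources outside the VPC and rewrites them so each port stays open only to the VPC. The CIDRs and rules are constructed sample values, not from any real account.

```python
import ipaddress

# Constructed sample: the VPC's CIDR blocks and the ingress rules currently on the
# SageMaker notebook security group (hypothetical values, not taken from the thread).
VPC_CIDRS = ["10.0.0.0/16"]
NOTEBOOK_SG_INGRESS = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "10.0.0.0/16"},
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},      # open to the internet
    {"protocol": "tcp", "from_port": 22,  "to_port": 22,  "cidr": "203.0.113.0/24"},  # external office range
]


def rule_is_within_vpc(rule, vpc_cidrs):
    """True if every source address the rule admits lies inside one of the VPC CIDRs."""
    src = ipaddress.ip_network(rule["cidr"], strict=False)
    for cidr in vpc_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        # subnet_of() refuses to compare IPv4 with IPv6, so check the version first.
        if src.version == net.version and src.subnet_of(net):
            return True
    return False


def find_external_ingress(rules, vpc_cidrs):
    """Return the ingress rules that admit traffic from outside the VPC (the misconfiguration)."""
    return [r for r in rules if not rule_is_within_vpc(r, vpc_cidrs)]


def restrict_to_vpc(rules, vpc_cidrs):
    """Rewrite the rule set so each protocol/port range is reachable only from the VPC CIDRs.

    External sources are replaced by one rule per VPC CIDR; duplicates are collapsed.
    """
    seen, fixed = set(), []
    for r in rules:
        sources = [r["cidr"]] if rule_is_within_vpc(r, vpc_cidrs) else vpc_cidrs
        for cidr in sources:
            key = (r["protocol"], r["from_port"], r["to_port"], cidr)
            if key not in seen:
                seen.add(key)
                fixed.append(dict(zip(("protocol", "from_port", "to_port", "cidr"), key)))
    return fixed


if __name__ == "__main__":
    for r in find_external_ingress(NOTEBOOK_SG_INGRESS, VPC_CIDRS):
        print("external ingress:", r)
    for r in restrict_to_vpc(NOTEBOOK_SG_INGRESS, VPC_CIDRS):
        print("restricted rule:", r)
```

The same logic applies to the IpPermissions returned by EC2 describe-security-groups once the fields are mapped to this shape; note that this closes the network path only, and says nothing about who can call the SageMaker API through the interface endpoint.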