AWS SageMaker Features for Highly Secure and Effortless Model Artifact Encryption

Using SageMaker Features for Highly Secure and Effortless Model Artifact Encryption

Question

You work on an application development team for a financial services firm.

You and your team are working on a mission-critical project with a very aggressive timeline for implementation.

For this project, you are building a machine learning model to predict customer retention, using customer PII (Personally Identifiable Information) data.

This data is very sensitive and is also controlled by SEC (Securities and Exchange Commission) compliance regulations.

Therefore, your data ingestion process and data storage must be highly secure.

For this reason, you have a mandate to use encryption for all data storage. How do you use SageMaker features to ensure all of your model artifacts are highly secure with the least amount of effort on your team's part?

Answers

Explanations


A. B. C. D.

Answer: D.

Option A is incorrect.

To ensure your data is secure, you encrypt your stored data with an AWS Key Management Service key and pass that key to your SageMaker resources.

You don't use SSL for this purpose.

Option B is incorrect.

SageMaker Neo is a SageMaker service that allows you to train your model once and run it anywhere in the cloud and at the edge.

SageMaker Neo does not provide encryption services.

Option C is incorrect.

You should use AWS Key Management Service keys for your data and SageMaker resource encryption.

Since your project requires encryption for regulatory compliance reasons, you need to use a customer-owned KMS key.

Option D is correct.

Since your project requires encryption for regulatory compliance reasons, you need to use a customer-owned KMS key.

You should use your customer-owned AWS KMS key to store your data on the ML EBS volume or in your S3 buckets, which you encrypt using your customer-managed KMS keys.

You should also pass your customer-owned KMS key to your SageMaker Jupyter notebooks, training jobs, hyperparameter tuning jobs, batch transform jobs, and your inference endpoint to encrypt the attached machine learning storage volume.

Reference:

Please see the Amazon SageMaker developer guide titled Protecting Data at Rest Using Encryption, and the Amazon SageMaker Neo overview page.

The correct answer is D. Use your customer-owned AWS Key Management Service key to store your data on the ML EBS volume or in your S3 buckets, which you encrypt using your customer-owned Key Management Service key. Pass your customer-owned Key Management Service key to your SageMaker Jupyter notebooks, training jobs, hyperparameter tuning jobs, batch transform jobs, and your inference endpoint to encrypt the attached machine learning storage volume.

Explanation:

In this scenario, the data that is being used for building the machine learning model is very sensitive and controlled by SEC compliance regulations. Therefore, it is necessary to ensure that the data is stored and processed in a highly secure environment. The requirement is to use encryption for all data storage. AWS SageMaker provides various features that can help to achieve this.

Option A suggests using SSL to encrypt the data in the S3 bucket and the SageMaker Jupyter notebooks, but it doesn't mention anything about encrypting the machine learning model artifacts, and it is not enough to meet the encryption requirement for all data storage.

Option B suggests using SageMaker Neo to encrypt data at rest in the S3 bucket and passing an AWS Key Management Service (KMS) key to encrypt the S3 bucket. However, it doesn't mention anything about encrypting the attached machine learning storage volume, which is also required to ensure that all data storage is encrypted.

Option C suggests using encrypted S3 buckets and passing an AWS KMS key to encrypt the attached machine learning storage volume. However, it doesn't mention anything about encrypting the machine learning model artifacts, which is also required to ensure that all data storage is encrypted.

Option D suggests using the customer-owned AWS KMS key to encrypt the data on the ML EBS volume or in the S3 bucket. The customer can create and manage their own KMS keys, which they can use to control access to their data. By passing the customer-owned KMS key to the SageMaker Jupyter notebooks, training jobs, hyperparameter tuning jobs, batch transform jobs, and inference endpoint, the data can be encrypted at rest and in transit. This option ensures that all data storage is encrypted, including the machine learning model artifacts.

Therefore, the correct option is D.
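One way to check that the customer-owned key from option D really was passed to each resource type, as an added example that is not part of the original page: the field paths are the KMS key fields in the boto3 SageMaker `describe_*` responses, while the `audit` helper, the key ARN, and the sample descriptions are constructed for illustration. It assumes the key is recorded in the same form (full ARN) it was supplied in.

```python
# Added example: audit describe_*-style dictionaries for the KMS key fields
# SageMaker exposes on each resource type named in option D.
KMS_FIELDS = {
    "notebook_instance": [("KmsKeyId",)],
    "training_job": [("OutputDataConfig", "KmsKeyId"),
                     ("ResourceConfig", "VolumeKmsKeyId")],
    "tuning_job": [("TrainingJobDefinition", "OutputDataConfig", "KmsKeyId"),
                   ("TrainingJobDefinition", "ResourceConfig", "VolumeKmsKeyId")],
    "transform_job": [("TransformOutput", "KmsKeyId"),
                      ("TransformResources", "VolumeKmsKeyId")],
    "endpoint_config": [("KmsKeyId",)],
}

def lookup(doc, path):
    """Walk a nested dict; return None if any level is absent."""
    for key in path:
        if not isinstance(doc, dict):
            return None
        doc = doc.get(key)
    return doc

def audit(kind, description, expected_key):
    """Return findings for one resource; an empty list means compliant."""
    findings = []
    for path in KMS_FIELDS[kind]:
        value = lookup(description, path)
        dotted = ".".join(path)
        if not value:
            findings.append(f"{dotted}: no customer-managed key passed")
        elif value != expected_key:
            findings.append(f"{dotted}: unexpected key {value}")
    return findings

# Constructed sample data (placeholder account, key id, and bucket).
CMK = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_TRAINING_JOB = {  # output is encrypted, the ML storage volume is not
    "TrainingJobName": "retention-train-1",
    "OutputDataConfig": {"S3OutputPath": "s3://example-bucket/out",
                         "KmsKeyId": CMK},
    "ResourceConfig": {"InstanceType": "ml.m5.xlarge", "InstanceCount": 1,
                       "VolumeSizeInGB": 50},
}
SAMPLE_ENDPOINT_CONFIG = {"EndpointConfigName": "retention-ep", "KmsKeyId": CMK}

if __name__ == "__main__":
    for kind, desc in [("training_job", SAMPLE_TRAINING_JOB),
                       ("endpoint_config", SAMPLE_ENDPOINT_CONFIG)]:
        print(kind, audit(kind, desc, CMK) or "ok")
```

In a real account the dictionaries would come from calls such as `describe_training_job` or `describe_endpoint_config` on a boto3 SageMaker client.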