Question 32
Domain 4: ML Solution Monitoring, Maintenance, and Security
A company uses Amazon SageMaker for its ML process. A compliance audit discovers that an Amazon S3 bucket for training data uses server-side encryption with S3 managed keys (SSE-S3). The company requires customer managed keys. An ML engineer changes the S3 bucket to use server-side encryption with AWS KMS keys (SSE-KMS). The ML engineer makes no other configuration changes. After the change to the encryption settings, SageMaker training jobs start to fail with AccessDenied errors. What should the ML engineer do to resolve this problem?
Correct answer: C
Explanation
SSE-KMS requires AWS KMS permissions in addition to S3 access, because the per-object data key must be encrypted and decrypted with the customer managed key. Updating the training job execution role to allow `kms:Encrypt` and `kms:Decrypt` resolves the `AccessDenied` failures that appear after switching from SSE-S3 to SSE-KMS.
Why each option is right or wrong
A. Update the IAM policy that is attached to the execution role for the training jobs. Include the s3:ListBucket and s3:GetObject permissions.
S3 read permissions alone are insufficient when objects are encrypted with a customer managed KMS key.
B. Update the S3 bucket policy that is attached to the S3 bucket. Set the value of the aws:SecureTransport condition key to True.
SecureTransport enforces HTTPS in transit; it does not grant permission to use the KMS key.
C. Update the IAM policy that is attached to the execution role for the training jobs. Include the kms:Encrypt and kms:Decrypt permissions.
Under SSE-KMS, Amazon S3 must call AWS KMS on behalf of the SageMaker training job to generate and use data keys, so the job’s execution role needs explicit KMS permissions in addition to S3 access. The relevant authorization is in the IAM policy attached to the SageMaker execution role, and the missing actions are `kms:Encrypt` and `kms:Decrypt` on the customer managed key; without them, KMS returns `AccessDenied` when the bucket switches from SSE-S3 to SSE-KMS.
D. Update the IAM policy that is attached to the user that created the training jobs. Include the kms:CreateGrant permission.
The training job uses its execution role at runtime, not the human user's permissions.