Question 37
Domain 4: ML Solution Monitoring, Maintenance, and Security
A company shares Amazon SageMaker Studio notebooks that are accessible through a VPN. The company must enforce access controls to prevent malicious actors from exploiting presigned URLs to access the notebooks. Which solution will meet these requirements?
Correct answer: A
Explanation
Amazon SageMaker Studio supports client IP validation through IAM: the policy of the principal that creates the Studio presigned URL (the sagemaker:CreatePresignedDomainUrl call) can carry an aws:SourceIp condition that limits the call to approved address ranges, and the same source-IP check is applied when the URL is used to open Studio. Restricting the range to the VPN's public egress addresses means a presigned URL that leaks to an attacker cannot be used from an outside network, because the request is denied whenever its source IP falls outside the allowed range.
Why each option is right or wrong
A. Set up Studio client IP validation by using the aws:sourceIp IAM policy condition.
Amazon SageMaker Studio supports IAM-based access control on the presigned URL workflow, and the relevant condition key is the global IAM key aws:SourceIp. IAM condition key names are case-insensitive, so the aws:sourceIp spelling in the option is the same key. Allowing only the VPN egress addresses means a presigned URL cannot be replayed from an external network, because the request is evaluated against the source IP at authorization time and is denied if it does not match the approved range. Two practical points: aws:SourceIp carries the public address AWS sees, so the policy must list the VPN's NAT or egress ranges rather than the private addresses assigned to VPN clients; and if Studio is reached through an interface VPC endpoint instead of the public endpoint, aws:SourceIp is not present in the request context and aws:VpcSourceIp is the key to use. Keeping the URL's ExpiresInSeconds short further narrows the window in which a captured URL is useful.
B. Set up Studio client VPC validation by using the aws:sourceVpc IAM policy condition.
`aws:SourceVpc` is only populated when a request reaches the service through a VPC endpoint, and it identifies the VPC the request came from, not the client's IP address. Requests from VPN users that leave through the VPN's public egress carry no such key, so the condition would not validate the client IP and would not stop a presigned URL from being used elsewhere.
C. Set up Studio client role endpoint validation by using the aws:PrimaryTag IAM policy condition.
`aws:PrimaryTag` is not an IAM global condition key. The tag-related keys are `aws:PrincipalTag`, `aws:RequestTag`, `aws:ResourceTag` and `aws:TagKeys`, and none of them says anything about the network a request came from.
D. Set up Studio client user endpoint validation by using the aws:PrincipalTag IAM policy condition.
`aws:PrincipalTag` matches on tags attached to the calling user or role. That is an attribute of who is calling, not of where the request comes from, so it cannot stop a presigned URL from being used outside the VPN.
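To see how option A behaves, the following is an added example (not AWS code and not the page's own) that models the part of IAM evaluation that matters here: the IpAddress and NotIpAddress operators on aws:SourceIp, with IAM's default deny and deny-overrides-allow rules. The weak policy grants sagemaker:CreatePresignedDomainUrl without a condition; the hardened one allows it only from the VPN egress range and adds an explicit deny everywhere else. The CIDR 203.0.113.0/24, the client addresses and the `Resource: "*"` scope are constructed assumptions standing in for a real deployment's values.

```python
"""Added example: a minimal model of IAM evaluating an aws:SourceIp condition
on sagemaker:CreatePresignedDomainUrl. Only IpAddress / NotIpAddress on
aws:SourceIp are modelled; this is not an AWS SDK or the real IAM engine."""
import fnmatch
import ipaddress

# Constructed sample: the VPN's public egress range (documentation range
# 203.0.113.0/24, an assumption standing in for the company's real addresses).
VPN_EGRESS = ["203.0.113.0/24"]
ACTION = "sagemaker:CreatePresignedDomainUrl"

# Weak setting: the presigned URL can be minted from any network.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ACTION, "Resource": "*"}],
}

# Hardened setting (option A): allow only from the VPN egress range and add
# an explicit deny so no other Allow statement can widen the access.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPresignedUrlFromVpn",
            "Effect": "Allow",
            "Action": ACTION,
            "Resource": "*",
            "Condition": {"IpAddress": {"aws:SourceIp": VPN_EGRESS}},
        },
        {
            "Sid": "DenyStudioOutsideVpn",
            "Effect": "Deny",
            "Action": "sagemaker:*",
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": VPN_EGRESS}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _in_ranges(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def condition_holds(condition, context):
    """Evaluate a Condition block against the request context.

    Condition key names are case-insensitive (aws:sourceIp == aws:SourceIp).
    A missing key makes IpAddress false and, because NotIpAddress is a
    negated operator, makes NotIpAddress true: a NotIpAddress deny therefore
    also fires for requests whose context carries no client IP at all.
    """
    source_ip = next(
        (v for k, v in context.items() if k.lower() == "aws:sourceip"), None
    )
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"operator {operator} is not modelled")
        for key, values in keys.items():
            if key.lower() != "aws:sourceip":
                raise NotImplementedError(f"key {key} is not modelled")
            matched = source_ip is not None and _in_ranges(source_ip, _as_list(values))
            if matched != (operator == "IpAddress"):
                return False
    return True


def evaluate(policy, action, context):
    """Default deny; an explicit Deny overrides any Allow, as in IAM."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def presigned_url_decision(policy, client_ip):
    """Decision for a CreatePresignedDomainUrl request seen from client_ip.

    client_ip=None models a context with no aws:SourceIp, for example a
    request arriving through an interface VPC endpoint (aws:VpcSourceIp
    would apply there instead).
    """
    context = {} if client_ip is None else {"aws:SourceIp": client_ip}
    return evaluate(policy, ACTION, context)


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        for ip in ("203.0.113.42", "198.51.100.7", None):
            print(f"{label:8} {str(ip):13} -> {presigned_url_decision(policy, ip)}")
```

Running the block shows the weak policy allowing the call from every address while the hardened one allows only the VPN range. The explicit Deny is the stricter form: because aws:SourceIp is absent for requests that arrive through a VPC endpoint, the same deny also blocks those, which is what the VPN scenario wants but is worth knowing before copying the statement into an environment that reaches Studio over interface endpoints.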