New Year Sale 2026! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Amazon MLS-C01 Exam - Topic 8 Question 83 Discussion

Actual exam question for Amazon's MLS-C01 exam
Question #: 83
Topic #: 8
[All MLS-C01 Questions]

A machine learning (ML) engineer has created a feature repository in Amazon SageMaker Feature Store for the company. The company has AWS accounts for development, integration, and production. The company hosts a feature store in the development account. The company uses Amazon S3 buckets to store feature values offline. The company wants to share features and to allow the integration account and the production account to reuse the features that are in the feature repository.

Which combination of steps will meet these requirements? (Select TWO.)

Show Suggested Answer Hide Answer
Suggested Answer: A, B

The combination of steps that will meet the requirements are to create an IAM role in the development account that the integration account and production account can assume, attach IAM policies to the role that allow access to the feature repository and the S3 buckets, and share the feature repository that is associated with the S3 buckets from the development account to the integration account and the production account by using AWS Resource Access Manager (AWS RAM). This approach will enable cross-account access and sharing of the features stored in Amazon SageMaker Feature Store and Amazon S3.

Amazon SageMaker Feature Store is a fully managed, purpose-built repository to store, update, search, and share curated data used in training and prediction workflows. The service provides feature management capabilities such as enabling easy feature reuse, low latency serving, time travel, and ensuring consistency between features used in training and inference workflows. A feature group is a logical grouping of ML features whose organization and structure is defined by a feature group schema. A feature group schema consists of a list of feature definitions, each of which specifies the name, type, and metadata of a feature. Amazon SageMaker Feature Store stores the features in both an online store and an offline store. The online store is a low-latency, high-throughput store that is optimized for real-time inference.The offline store is a historical store that is backed by an Amazon S3 bucket and is optimized for batch processing and model training1.

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization). An IAM role is an IAM identity that you can create in your account that has specific permissions. You can use an IAM role to delegate access to users, applications, or services that don't normally have access to your AWS resources. For example, you can create an IAM role in your development account that allows the integration account and the production account to assume the role and access the resources in the development account. You can attach IAM policies to the role that specify the permissions for the feature repository and the S3 buckets.You can also use IAM conditions to restrict the access based on the source account, IP address, or other factors2.

AWS Resource Access Manager (AWS RAM) is a service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization. You can share AWS resources that you own with other accounts using resource shares. A resource share is an entity that defines the resources that you want to share, and the principals that you want to share with. For example, you can share the feature repository that is associated with the S3 buckets from the development account to the integration account and the production account by creating a resource share in AWS RAM. You can specify the feature group ARN and the S3 bucket ARN as the resources, and the integration account ID and the production account ID as the principals.You can also use IAM policies to further control the access to the shared resources3.

The other options are either incorrect or unnecessary. Using AWS Security Token Service (AWS STS) from the integration account and the production account to retrieve credentials for the development account is not required, as the IAM role in the development account can provide temporary security credentials for the cross-account access. Setting up S3 replication between the development S3 buckets and the integration and production S3 buckets would introduce redundancy and inconsistency, as the S3 buckets are already shared through AWS RAM. Creating an AWS PrivateLink endpoint in the development account for SageMaker is not relevant, as it is used to securely connect to SageMaker services from a VPC, not from another account.


1: Amazon SageMaker Feature Store -- Amazon Web Services

2: What Is IAM? - AWS Identity and Access Management

3: What Is AWS Resource Access Manager? - AWS Resource Access Manager

by Kerry at Dec 12, 2023, 07:21 AM

Limited Time Offer

25%

Off

Get Premium MLS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Lashon
3 months ago
Surprised they didn't mention using AWS STS in the right way!
upvoted 0 times
...
Latosha
3 months ago
D sounds like overkill for just sharing features.
upvoted 0 times
...
Jesus
3 months ago
Not sure about B, isn't AWS RAM limited to certain resources?
upvoted 0 times
...
Amie
4 months ago
Totally agree with A! IAM roles are key for cross-account access.
upvoted 0 times
...
Franklyn
4 months ago
A and B seem like the best options here.
upvoted 0 times
...
Amira
4 months ago
Setting up S3 replication sounds familiar, but I wonder if option D is really needed if we can just share the feature repository directly. I’m leaning towards A and B, though.
upvoted 0 times
...
Geoffrey
4 months ago
I vaguely recall something about AWS STS, but I’m not sure if option C is necessary here. It seems a bit complicated for just accessing a feature repository.
upvoted 0 times
...
Chauncey
4 months ago
I feel like we had a similar practice question about sharing resources. I think option B could be the right choice since AWS RAM is designed for sharing resources, but I'm not 100% confident.
upvoted 0 times
...
Taryn
5 months ago
I remember we discussed IAM roles in class, and I think option A makes sense for allowing access across accounts. But I'm not entirely sure about the specifics of the policies needed.
upvoted 0 times
...
Oren
5 months ago
I'm pretty confident I know the right solution here. The combination of creating an IAM role with the necessary permissions and using AWS RAM to share the feature repository should meet all the requirements. I'll double-check my work, but I think I'm on the right track.
upvoted 0 times
...
Mitzie
5 months ago
Okay, let me think this through step-by-step. First, I need to ensure the integration and production accounts can access the feature repository and S3 buckets in the development account. Creating an IAM role with the right permissions seems like a good approach. Then, I should look into using AWS RAM to share the feature repository across the accounts.
upvoted 0 times
...
Leah
5 months ago
Hmm, I'm a bit confused about the different AWS services mentioned here. I'll need to review my notes on AWS Resource Access Manager, AWS STS, and S3 replication to make sure I understand how they can be used to address the requirements.
upvoted 0 times
...
Enola
5 months ago
This question seems straightforward - it's asking for the combination of steps to share the feature repository across multiple AWS accounts. I think the key is to focus on the requirements around access control and data replication.
upvoted 0 times
...
Portia
5 months ago
Hmm, this looks like a tricky one. I'll need to make sure I download the file correctly and search for the right pattern.
upvoted 0 times
...
Claribel
5 months ago
Okay, I think I've got a good handle on Model B. The key is that it doesn't require the ASBRs to maintain or distribute the VPN-IPv4 routes, which makes it highly scalable. I'm confident I can select the right answer here.
upvoted 0 times
...
Becky
5 months ago
I remember practicing with this concept, and it seems like whole-interval recording is the answer since that's when the behavior occurs for the full time.
upvoted 0 times
...
Sylvie
2 years ago
Definitely. And setting up S3 replication (option D) could be a good way to ensure the data is available in the other accounts, even if they can't directly access the development S3 buckets.
upvoted 0 times
...
Viva
2 years ago
I'm thinking options A and B sound like the best approach. Creating an IAM role that the other accounts can assume, and then using AWS RAM to share the feature repository, would allow for secure access and reuse of the features.
upvoted 0 times
...
Annelle
2 years ago
I agree. We should definitely avoid using the AWS STS to retrieve credentials for the development account. That could be a security risk.
upvoted 0 times
Josephine
2 years ago
B: Share the feature repository that is associated with the S3 buckets from the development account to the integration account and the production account by using AWS Resource Access Manager (AWS RAM).
upvoted 0 times
...
Malcom
2 years ago
A: Create an IAM role in the development account that the integration account and production account can assume. Attach IAM policies to the role that allow access to the feature repository and the S3 buckets.
upvoted 0 times
...
...
Tom
2 years ago
Hmm, this is an interesting question. It seems like we need to find a way to share the feature repository and the S3 buckets with the integration and production accounts without compromising security.
upvoted 0 times
...

Save Cancel