Domain 5: Security, Compliance, and Governance of AI Solutions 14%

Question 1

A web service that helps you manage and secure access to your AWS accounts and resources with which you can create and manage AWS users and grant them permissions to use services in your account.

Answer 1

AWS Identity and Access Management, or IAM

Question 2

T/F: It is possible to use IAM to restrict a user’s permissions to certain Regions.

Answer 2

True

Question 3

When you first create an AWS account, you begin with a single identity that has complete access to all AWS services and resources in the account. This identity is called the _____

Answer 3

root user

Question 4

An IAM policy is a ___ document that allows or denies permissions to AWS services and resources.

Answer 4

JSON

Question 5

An _____ is a collection of IAM users in which all users in the group are granted permissions specified by the policy.

Answer 5

IAM group

Question 6

T/F: To manage groups, you might want to organize IAM groups by job functions.

Answer 6

True

Question 7

T/F: Best practice for IAM groups is to attach policies to groups and only attach to users any unique permissions that they should have.

Answer 7

True

Question 8

An _____ is an identity that a person or an AWS service can assume to gain temporary access to other AWS resources or services, in which you get temporary security credentials for your session, which auto expire.

Answer 8

IAM role

Question 9

Permissions policies that are associated with IAM users, groups, and roles are called _____.

Answer 9

identity-based policies

Question 10

_____ is when your users authenticate with an identity provider like Active Directory. After they authenticate, they are given temporary credentials for AWS. AWS IAM Identity Center lets you use an external identity provider like Active Directory to authenticate users, or you can create a directory in IAM Identity Center and use that to authenticate.

Answer 10

Identity federation

Question 11

IAM Identity Center refers to users as _____ or _____.

Answer 11

workforce users or workforce identities

Question 12

T/F: You can manage permissions for all accounts in one central repository using AWS Identity Center

Answer 12

True

Question 13

T/F: You can also use AWS Identity Center to put users into groups and assign permission sets at the group level.

Answer 13

True

Question 14

_____ captures API calls and related events that are made by or on behalf of your AWS account, and it delivers the log files to an Amazon S3 bucket that you specify.

Answer 14

AWS CloudTrail

Question 15

_____ captures all API calls for SageMaker except for invoking endpoints.

Answer 15

CloudTrail

Question 16

_____ is a feature that you can use to block public access to all your objects. You can block them at the bucket or account level now, and in the future. If enabled at the bucket level, some buckets in your account might be open to the public. When enabled at the account level, no buckets, existing or new, can grant public access.

Answer 16

Amazon S3 Block Public Access

Question 17

T/F: When S3 Block Public Access is enabled, it will override any public permissions granted by bucket policies or access control lists.

Answer 17

True

Question 18

_____ provides three pre-configured role personas and predefined permissions for 12 ML activities. They include permissions to access other services like Amazon S3, AWS Glue, Amazon Athena, and Amazon CloudWatch.

Answer 18

SageMaker Role Manager

Question 19

The _____ persona is for someone who needs to use SageMaker to perform general machine learning development and experimentation.

Answer 19

data scientist

Question 20

The _____ persona is for someone who is managing models, pipelines, experiments, and endpoints, but doesn’t need to access the data in Amazon S3.

Answer 20

MLOps

Question 21

The _____ persona is used for creating a role that SageMaker compute resources can use to perform tasks such as training and inference.

Answer 21

SageMaker compute

Question 22

T/F: All AWS services offer the ability to encrypt data at rest and in transit. By encrypting your data at rest, even if someone could access your data on a storage volume, they would not be able to read it.

Answer 22

True

Question 23

_____ are used together with an encryption algorithm to encrypt data before it’s written to storage.

Answer 23

Encryption keys

Question 24

Encryption can be accomplished on the _____ side where the customer encrypts the data before sending it to an AWS service. Or encryption can be accomplished on the _____side, where the AWS service encrypts the data.

Answer 24

client’s / server

Question 25

What’s the easiest way for a customer to ensure that encryption is implemented correctly and applied consistently?

Answer 25

Server-side encryption

Question 26

T/F: SageMaker will encrypt all the data on ML storage volumes, including the ones that are used by notebook instances, SageMaker jobs, and endpoints.

Answer 26

True

Question 27

Services with default encryption use keys that are owned by the _____.

Answer 27

service and not by the customer

Question 28

If you need more control of your keys, you can use the _____ for using encryption keys that belong to your account to create, manage, and use encryption keys in your AWS account.

Answer 28

AWS Key Management Service, or AWS KMS

Question 29

Using _____, you can control the use of the keys. By using policies to control which user or service can access a key, you’re adding another layer of protection to your data.

Answer 29

IAM policies

Question 30

Do S3 and SageMaker use default encryption?

Answer 30

Yes

Question 31

Use _____ keys to control the key policies and _____ for the key, the key rotation, and to enable or disable the key.

Answer 31

customer-managed/IAM policies

Question 32

All AWS service endpoints support _____to create a secure HTTPS connection to make API requests.

Answer 32

TLS

Question 33

T/F: All requests to Amazon S3 and SageMaker through the APIs and console are made over a secure encrypted connection.

Answer 33

True

Question 34

SageMaker distributed training, uses _____.

Answer 34

multiple nodes in a cluster

Question 35

T/F: By default, inter-node traffic is not encrypted.

Answer 35

True

Question 36

_____ continually evaluates your S3 buckets and automatically generates an inventory of their size and state. It includes private or public access, shared access with other AWS accounts, and the encryption status, and it also uses ML and pattern matching to identify and alert you to sensitive data, such as personal identifiable information, or PII.

Answer 36

Amazon Macie

Question 37

At what point should PII be removed from training data?

Answer 37

At the point of ingestion and transformation

Question 38

What does Amazon provide for customers to configure their own private networks on AWS?

Answer 38

VPCs

Question 39

What will happen when you create a VPC in your account and specify your VPC when launching SageMaker Studio and notebooks?

Answer 39

It will create an elastic network interface in your VPC and attach it to the notebook instance.

Question 40

How do you control which traffic can access the internet when you’ve created your own VPC?

Answer 40

by configuring security groups, network access lists, and network firewalls

Question 41

To keep all network traffic going over only a private network, you can use _____, which connect your VPC directly to AWS services by using _____.

Answer 41

VPC interface endpoints / AWS PrivateLink

Question 42

An attacker can slightly manipulate input data in a way that will cause the model to misclassify it. This is called _____.

Answer 42

Adversarial inputs

Question 43

A sophisticated attacker can cause a model’s output to infer the training data. Known as _____, the attacker keeps feeding data into the model and studying the outputs.

Answer 43

model inversion

Question 44

In this kind of attack, an attacker gives malicious instructions to the model in the prompt with the goal of influencing its output.

Answer 44

prompt injection

Question 45

To help a model avoid being tricked, you should train models with _____.

Answer 45

adversarial input

Question 46

T/F: You should keep a separate set of data for validation purposes and validate your model after each re-training before deploying.

Answer 46

True

Question 47

_____ monitors the quality of Amazon SageMaker machine learning models in production. After deploying a model into your production environment, use this to continuously monitor the quality of your models in real time. You can use this to set up an automated alert system for deviations in model quality, such as data drift or anomalies, and it also can be used for monitoring data quality by comparing the data and model with baselines to generate statistics and metrics that are visible on SageMaker Studio and also sent to Amazon CloudWatch.

Answer 47

Amazon SageMaker Model Monitor

Question 48

_____ collect files of monitoring the model status. It notifies you when the quality of your model hits preset thresholds and stores the log files to an Amazon S3 bucket you specify.

Answer 48

Amazon CloudWatch Logs

Question 49

T/F: To be able to recreate a model, all the various artifacts that went into its development must be versioned and tracked. Code repositories, such as GitHub and AWS CodeCommit automatically retain versions of source code.

Answer 49

True

Question 50

How should training data be stored?

Answer 50

in Amazon S3 and partitioned with prefixes to uniquely identify the training dataset

Question 51

T/F: SageMaker automatically uniquely identifies each training job and stores other metadata such as hyperparameters and the unique identifiers for the container dataset and model output.

Answer 51

True

Question 52

Model versions can be stored in a model catalog by using _____. It also lets you maintain the status of a model such as spending, approved, or rejected.

Answer 52

SageMaker Model Registry

Question 53

_____ can be used to to create an immutable record of intended model uses, risk ratings, training details, and evaluation results and they can also be exported to PDF and shared with relevant stakeholders.

Answer 53

Model cards

Question 54

_____ automatically creates a graphical representation of all the elements of your end-to-end machine learning workflow.

Answer 54

Amazon SageMaker ML Lineage Tracking