AWS Certified Cloud Practitioner

Explanation

Correct Answer: B - Run SageMaker training and inference by using network isolation.

Why this is correct:

1. Network isolation in Amazon SageMaker provides the capability to run SageMaker jobs in a VPC without internet access. This is specifically designed for compliance requirements that mandate isolated environments.

2. Key features of SageMaker network isolation:

   • Runs SageMaker training jobs, processing jobs, and endpoints within a VPC
   • Prevents internet access from the SageMaker containers
   • Allows control over network traffic using security groups and network ACLs
   • Enables private connectivity to other AWS services through VPC endpoints

Why the other options are incorrect:

• A. SageMaker Experiments: This is a feature for organizing, tracking, and comparing machine learning experiments, but it doesn't provide network isolation or prevent internet access.

• C. Encrypt data at rest: While encryption is important for security and compliance, it addresses data protection at rest, not network isolation or internet access control. The question specifically asks about "isolated environment without internet access."

• D. Associate appropriate IAM roles: IAM roles control permissions and access to AWS resources, but they don't provide network isolation or prevent internet connectivity. IAM is about authentication and authorization, not network security.

Additional context:

When you enable network isolation for SageMaker:

• Training jobs run in containers that cannot make outbound network calls
• Inference containers are similarly isolated
• You can still access necessary resources through VPC endpoints (like S3, ECR, etc.)
• This is essential for regulatory compliance frameworks like HIPAA, PCI DSS, FedRAMP, etc., that require strict network controls.

This solution directly addresses the requirement for "an isolated environment without internet access" while still allowing SageMaker to function properly through controlled VPC connectivity.