A machine learning engineer deploys a model to an Amazon SageMaker endpoint with data capture enabled. The endpoint uses a production variant with an initial instance count of 2. After a week, they notice that the captured data is not being sent to the specified Amazon S3 bucket. The IAM role used by the endpoint has the following policy attached. What is the MOST likely reason for the failure?
The policy restricts writes to 'captures/' prefix, but the endpoint may use a different prefix.
Why this answer
Option C is correct because the IAM role attached to the SageMaker endpoint must be allowed to write to the exact S3 location where data capture is configured. The policy scopes s3:PutObject to the captures/ prefix, while the endpoint's DataCaptureConfig points its DestinationS3Uri at a different prefix (for example s3://bucket-name/prefix/). SageMaker writes captured records beneath that DestinationS3Uri, under <endpoint-name>/<variant-name>/<year>/<month>/<day>/<hour>/<file>.jsonl, so every object key it tries to create falls outside the Resource ARN the policy grants. The PutObject calls are denied and the uploads fail silently while the endpoint keeps serving requests, which is why nothing appears in the bucket.
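The following is an added example, not part of the original question or explanation. It reproduces the mismatch offline: it builds the object key SageMaker would write for a given DestinationS3Uri, then evaluates that key against three constructed policies (one scoped to captures/, one scoped to the configured prefix, and one granting bucket-wide object writes). The bucket name, endpoint name, variant name, timestamp and file name are assumptions; the policy evaluator is a deliberately simplified stand-in for IAM (Allow statements only, no Deny or Condition), not an AWS API.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed values for the example; the real policy and bucket in the
# question are not reproduced here, so these are assumptions.
BUCKET = "my-model-bucket"
DESTINATION_S3_URI = f"s3://{BUCKET}/datacapture"   # DataCaptureConfig.DestinationS3Uri
ENDPOINT_NAME = "churn-endpoint"
VARIANT_NAME = "AllTraffic"


def put_object_policy(resource_arn):
    """Minimal IAM policy document allowing s3:PutObject on one resource ARN pattern."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": [resource_arn]}
        ],
    }


# The shape of the policy the question describes: writes confined to captures/.
POLICY_CAPTURES_PREFIX = put_object_policy(f"arn:aws:s3:::{BUCKET}/captures/*")
# Corrected policy: the Resource ARN matches the prefix configured in DestinationS3Uri.
POLICY_CONFIGURED_PREFIX = put_object_policy(f"arn:aws:s3:::{BUCKET}/datacapture/*")
# Bucket-wide object write: broader than needed, but also sufficient for data capture.
POLICY_WHOLE_BUCKET = put_object_policy(f"arn:aws:s3:::{BUCKET}/*")


def capture_object_key(destination_s3_uri, endpoint_name, variant_name, ts, filename):
    """Return (bucket, key) for one captured record.

    SageMaker stores captured data under
    <DestinationS3Uri>/<endpoint-name>/<variant-name>/<yyyy>/<mm>/<dd>/<hh>/<file>.jsonl,
    so the key always starts with whatever prefix DestinationS3Uri carries.
    """
    parsed = urlparse(destination_s3_uri)
    prefix = parsed.path.strip("/")
    parts = [prefix, endpoint_name, variant_name,
             f"{ts.year:04d}", f"{ts.month:02d}", f"{ts.day:02d}", f"{ts.hour:02d}", filename]
    return parsed.netloc, "/".join(p for p in parts if p)


def _iam_wildcard_match(pattern, value):
    """IAM-style matching: '*' is any run of characters, '?' a single character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def policy_allows_put(policy, bucket, key):
    """Simulate whether the policy grants s3:PutObject on the object ARN.

    Simplified evaluator (assumption): Allow statements only, no Deny, no
    Condition, no NotAction/NotResource. Action names match case-insensitively,
    as IAM does; resource ARNs match with IAM wildcard semantics.
    """
    object_arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        action_ok = any(_iam_wildcard_match(a.lower(), "s3:putobject") for a in actions)
        resource_ok = any(_iam_wildcard_match(r, object_arn) for r in resources)
        if action_ok and resource_ok:
            return True
    return False


def diagnose(policy, destination_s3_uri=DESTINATION_S3_URI, endpoint_name=ENDPOINT_NAME,
             variant_name=VARIANT_NAME, ts=datetime(2024, 3, 14, 9, 13, 5),
             filename="13-05-12-345-abcdef.jsonl"):
    """Build the key SageMaker would write and report whether the policy allows it."""
    bucket, key = capture_object_key(destination_s3_uri, endpoint_name, variant_name, ts, filename)
    return {"object_arn": f"arn:aws:s3:::{bucket}/{key}",
            "put_allowed": policy_allows_put(policy, bucket, key)}


if __name__ == "__main__":
    for name, pol in [("captures/ prefix", POLICY_CAPTURES_PREFIX),
                      ("configured prefix", POLICY_CONFIGURED_PREFIX),
                      ("whole bucket", POLICY_WHOLE_BUCKET)]:
        result = diagnose(pol)
        print(f"{name:18s} -> PutObject allowed: {result['put_allowed']}  ({result['object_arn']})")
```

Running the block prints one line per policy: only the captures/ policy reports `PutObject allowed: False`, because the object ARN SageMaker would write begins with `datacapture/`, not `captures/`. Swapping DESTINATION_S3_URI to `s3://my-model-bucket/captures` makes the first policy pass, which is the other valid fix: align the DataCaptureConfig with the policy rather than the policy with the config.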
Exam trap
The trap here is that candidates often assume any s3:PutObject grant on the bucket is sufficient. What matters is whether the Resource ARN in the policy matches the object keys SageMaker actually writes. A bucket-wide object ARN (bucket-name/*) would cover any prefix, but an ARN scoped to a single prefix covers nothing outside it, so a policy narrowed to captures/ cannot write to the different prefix configured in DataCaptureConfig.
How to eliminate wrong answers
Option A is wrong because if the S3 bucket did not exist, the failure would surface at deployment time or on the very first capture write, not only after a week of operation. Option B is wrong because the question does not mention KMS encryption being enabled on the bucket, and the policy shown does not include kms:Decrypt; if SSE-KMS were in use, the role would need kms:GenerateDataKey and kms:Decrypt on the key, but the absence of those permissions is not the issue here. Option D is wrong because s3:ListBucket is not required for writing captured data; SageMaker only needs s3:PutObject on the objects under the configured prefix, not ListBucket on the bucket.