CCNA Mla Monitoring Security Questions

75 of 118 questions · Page 1/2 · Mla Monitoring Security topic · Answers revealed

1
MCQmedium

A company wants to implement a retraining pipeline that automatically triggers when SageMaker Model Monitor detects data drift. The retraining job should use the latest approved pipeline version in SageMaker Pipelines. Which approach meets these requirements?

A.Use a scheduled EventBridge rule to run the pipeline every day
B.Use SageMaker Model Monitor to update the model registry and trigger a deployment
C.Configure SageMaker Model Monitor to directly invoke a Lambda function on violation
D.Create an EventBridge rule that listens for SageMaker Model Monitor violation events and triggers a Lambda function that starts the pipeline
AnswerD

Model Monitor violations are captured as CloudWatch events; EventBridge can route those events to a Lambda function that starts the retraining pipeline.

Why this answer

Option D is correct because it uses an EventBridge rule to listen for SageMaker Model Monitor violation events (e.g., `aws.sagemaker.model-monitoring-violation`), which then triggers a Lambda function that starts the latest approved pipeline version in SageMaker Pipelines. This creates an automated, event-driven retraining pipeline without manual intervention or scheduled polling.

Exam trap

The trap here is that candidates may think SageMaker Model Monitor can directly invoke Lambda or update the model registry, but in reality, it only emits events to EventBridge, and the integration requires an intermediate Lambda function to orchestrate the pipeline execution.

How to eliminate wrong answers

Option A is wrong because a scheduled EventBridge rule runs the pipeline daily regardless of whether data drift has occurred, leading to unnecessary retraining and resource waste. Option B is wrong because SageMaker Model Monitor does not directly update the model registry or trigger a deployment; it only publishes violation events and metrics. Option C is wrong because SageMaker Model Monitor cannot directly invoke a Lambda function; it emits events to EventBridge, which can then trigger Lambda, but the direct invocation is not supported.

2
MCQeasy

A data scientist notices that a SageMaker endpoint is returning HTTP 5XX errors under high load. The endpoint uses a single ml.m5.large instance. The team wants to reduce these errors without changing the instance type. What is the most cost-effective step?

A.Increase the endpoint's invocation timeout to 120 seconds
B.Deploy the model on a SageMaker batch transform job
C.Configure auto-scaling for the endpoint with a target tracking policy
D.Create a new endpoint with multiple instances and use weighted routing
AnswerC

Auto-scaling adds instances during high load and removes them when traffic subsides, reducing errors cost-effectively.

Why this answer

Option C is correct because configuring auto-scaling with a target tracking policy allows the endpoint to dynamically add more instances under high load, distributing the traffic and reducing HTTP 5XX errors. Since the team cannot change the instance type, scaling out is the most cost-effective way to handle increased demand, as it only adds capacity when needed and avoids over-provisioning.

Exam trap

The trap here is that candidates may think increasing the timeout (Option A) or using batch transform (Option B) can solve real-time load issues, but these options do not address the fundamental need for horizontal scaling under high concurrency.

How to eliminate wrong answers

Option A is wrong because increasing the invocation timeout to 120 seconds does not address the root cause of 5XX errors under high load; it merely extends the time the endpoint has to respond, which can lead to increased latency and potential timeouts, but does not prevent the endpoint from being overwhelmed. Option B is wrong because deploying the model on a SageMaker batch transform job is for offline, asynchronous inference on a static dataset, not for real-time serving; it cannot replace a real-time endpoint that needs to handle live traffic. Option D is wrong because creating a new endpoint with multiple instances and weighted routing adds cost by requiring manual management and does not automatically scale based on load; it is less cost-effective than auto-scaling, which adjusts capacity dynamically.

3
MCQhard

A company uses SageMaker Model Monitor for data quality. They notice that monitoring jobs are failing intermittently with constraint violations. Upon review, they see that some features have different data types in production compared to the baseline (e.g., string instead of integer). Which type of drift is this?

A.Schema drift
B.Concept drift
C.Statistical drift
D.Bias drift
AnswerA

Schema drift involves changes in the schema, such as data type mismatches, new or missing columns.

Why this answer

Option A is correct because schema drift occurs when the structure or data types of features in production data differ from the baseline used during model training. In this scenario, a feature that was an integer in the baseline is now a string in production, which is a classic example of schema drift. SageMaker Model Monitor detects this by comparing the inferred schema of production data against the baseline schema, flagging any type mismatches as constraint violations.

Exam trap

The trap here is that candidates may confuse schema drift with statistical drift, thinking any change in feature values qualifies as statistical drift, but the key differentiator is that schema drift specifically involves changes in data type or structure, not just distributional shifts.

How to eliminate wrong answers

Option B is wrong because concept drift refers to changes in the underlying relationship between features and the target variable, not changes in data types or schema. Option C is wrong because statistical drift (e.g., distribution shift) involves changes in the statistical properties of features (like mean or variance) while data types remain consistent. Option D is wrong because bias drift relates to changes in model fairness metrics over time, such as disparate impact, not to data type mismatches.

4
MCQeasy

A data scientist wants to track the lineage of models, datasets, and training jobs in SageMaker. Which SageMaker feature should they use to capture these relationships as artifacts and actions?

A.SageMaker Model Registry
B.SageMaker Experiments
C.SageMaker ML Lineage Tracking
D.SageMaker Feature Store
AnswerC

Lineage Tracking explicitly models artifacts, actions, and contexts to provide end-to-end reproducibility.

Why this answer

SageMaker ML Lineage Tracking creates a graph of artifacts (datasets, models) and actions (training jobs, endpoints) to track the provenance of ML workflows.

5
Multi-Selecteasy

A data science team wants to automate the retraining of a model when data drift is detected. Which TWO AWS services should they use in combination to achieve this? (Choose TWO)

Select 2 answers
A.AWS Cloud9
B.Amazon DynamoDB
C.SageMaker Model Monitor
D.AWS Lambda
E.Amazon Kinesis Data Analytics
AnswersC, D

Detects drift and publishes metrics for alarms.

Why this answer

SageMaker Model Monitor detects data drift and can publish to CloudWatch Metrics. CloudWatch Alarms can trigger an SNS topic, which invokes a Lambda function that starts a SageMaker Pipeline for retraining.

6
MCQeasy

A company wants to automate remediation when a SageMaker endpoint's latency exceeds a threshold for more than 5 minutes. The team needs to be notified and a Lambda function should be invoked to scale up the endpoint. Which combination of services should be used?

A.CloudWatch Alarm → SNS topic → Lambda function
B.EventBridge rule to trigger Lambda
C.CloudWatch Logs subscription filter → Lambda function
D.SageMaker Model Monitor → Lambda function
AnswerA

CloudWatch Alarms can publish to an SNS topic which can invoke a Lambda function for automated scaling.

Why this answer

CloudWatch Alarms monitor metrics and trigger actions. SNS can notify and invoke Lambda for automated remediation. EventBridge is used for scheduled events, not direct alarm actions.

7
Multi-Selecteasy

A machine learning engineer wants to set up a retraining pipeline that triggers when model quality degrades. Which TWO components are essential for this automated retraining pipeline? (Select TWO)

Select 2 answers
A.CloudWatch Alarm on model quality metric
B.SNS topic to send notification to a Lambda function
C.SageMaker Ground Truth to collect new labels
D.SageMaker Data Wrangler to preprocess data
E.EventBridge rule to schedule retraining weekly
AnswersA, B

The alarm detects when model quality drops below a threshold.

8
MCQeasy

A machine learning engineer wants to monitor a deployed model for data drift. Which SageMaker feature should they use to automatically detect drift in the input data distribution compared to the training data baseline?

A.SageMaker Pipelines
B.SageMaker Model Monitor
C.SageMaker Debugger
D.SageMaker Clarify
AnswerB

SageMaker Model Monitor provides data quality monitoring to detect drift in input data distributions.

Why this answer

SageMaker Model Monitor can be configured to run monitoring jobs that compare live inference data against a baseline created from training data to detect data drift.

9
Multi-Selecthard

A company is deploying a foundation model using SageMaker JumpStart. They want to minimize inference costs while maintaining low latency. Which TWO strategies should they consider? (Select TWO)

Select 2 answers
A.Enable data capture for all requests to analyze usage patterns
B.Use SageMaker Savings Plans for discounted compute rates
C.Deploy the model on a single large instance to maximize throughput
D.Enable auto-scaling with a target tracking policy based on Invocations per instance
E.Use SageMaker Inference Recommender to select the most cost-effective instance type
AnswersD, E

Auto-scaling adjusts capacity to match demand, avoiding over-provisioning.

Why this answer

Option D is correct because auto-scaling with a target tracking policy based on Invocations per instance dynamically adjusts the number of instances to match demand, ensuring you only pay for the compute capacity you need while maintaining low latency. This avoids over-provisioning and reduces idle costs, directly addressing the goal of minimizing inference costs.

Exam trap

Cisco often tests the misconception that cost minimization is achieved solely through discount plans (Savings Plans) or instance size, rather than through dynamic scaling and right-sizing based on actual workload patterns.

10
MCQhard

A machine learning engineer deploys a multi-model endpoint using SageMaker. They need to track which model version was used for each inference request for compliance purposes. Which service should they integrate to capture this lineage?

A.AWS CloudTrail
B.SageMaker Model Monitor
C.SageMaker ML Lineage Tracking
D.Amazon DynamoDB with custom logging
AnswerC

Lineage Tracking captures artifacts, actions, and contexts, enabling per-request model version traceability.

Why this answer

SageMaker ML Lineage Tracking is the correct service because it is specifically designed to capture and query the lineage of machine learning artifacts, including model versions, datasets, and inference requests. By integrating with SageMaker endpoints, it automatically records the model version used for each inference, enabling compliance auditing without custom code.

Exam trap

The trap here is that candidates often confuse CloudTrail's API-level logging with application-level lineage tracking, assuming that recording the InvokeEndpoint API call is sufficient to capture model version details, but CloudTrail does not include the model version identifier in its logs unless explicitly passed as a custom header and parsed separately.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API calls for governance and auditing, but it does not capture the specific model version used for each inference request at the application level; it only logs the API invocation to invoke the endpoint. Option B is wrong because SageMaker Model Monitor focuses on detecting data drift and quality issues in inference data, not on tracking which model version served a particular request. Option D is wrong because Amazon DynamoDB with custom logging would require building a custom solution to capture lineage, whereas SageMaker ML Lineage Tracking provides a managed, native integration that automatically associates inference requests with model versions.

11
Multi-Selectmedium

A company wants to automatically trigger model retraining when SageMaker Model Monitor detects data drift. Which TWO services should they integrate to achieve this automation? (Choose two.)

Select 2 answers
A.AWS Step Functions
B.AWS Lambda
C.Amazon CloudWatch Alarms
D.Amazon EventBridge
E.Amazon SNS
AnswersB, D

Lambda can run the retraining pipeline code when triggered by EventBridge.

Why this answer

EventBridge can schedule or trigger events based on monitoring job completions, and Lambda can execute the retraining code. SNS is used for notifications but not direct invocation of retraining. Step Functions can orchestrate but is not required for this simple trigger.

12
MCQmedium

A machine learning team is using SageMaker Studio for model development. They need to restrict all internet access from Studio notebooks and ensure that all data stays within a VPC. Which configuration should they use?

A.Use a private link to connect Studio to the VPC
B.Enable network isolation mode for the Studio domain
C.Attach a security group that blocks all outbound traffic
D.Configure the Studio domain with VPC-only mode and disable direct internet access
AnswerD

VPC-only mode ensures Studio resources run within a VPC without internet access, meeting the requirement.

Why this answer

Option D is correct because configuring a SageMaker Studio domain with VPC-only mode and disabling direct internet access ensures that all Studio notebook traffic stays within the VPC and has no route to the public internet. This is the only configuration that both restricts internet access and enforces data residency within the VPC by using VPC-only networking, which does not rely on an internet gateway or NAT gateway for outbound traffic.

Exam trap

The trap here is that candidates often confuse network isolation mode (which applies only to training/inference containers) with VPC-only mode for Studio notebooks, or they incorrectly assume that a security group blocking all outbound traffic is a valid way to restrict internet access while still allowing necessary AWS API calls.

How to eliminate wrong answers

Option A is wrong because using a private link (AWS PrivateLink) connects Studio to the VPC via interface VPC endpoints, but it does not inherently block all internet access from the notebooks; notebooks can still reach the internet if the VPC has an internet gateway or NAT gateway. Option B is wrong because network isolation mode for a Studio domain only prevents the training or hosting containers from accessing the internet, but it does not apply to Studio notebooks themselves and does not enforce VPC-only data residency. Option C is wrong because attaching a security group that blocks all outbound traffic would prevent any outbound communication, including necessary AWS service calls (e.g., to SageMaker API or S3), breaking Studio functionality; it is not a supported method for restricting internet access while maintaining required internal traffic.

13
MCQhard

A machine learning team needs to ensure that all model training and inference jobs within SageMaker Studio run in a private network without internet access. The team also requires that inter-container traffic within the same training job be encrypted. Which configurations should they combine?

A.Configure SageMaker Studio in VPC-only mode and use KMS encryption
B.Use a VPC with a NAT gateway and enable network isolation
C.Enable inter-container traffic encryption and use a VPC with VPC endpoints
D.Enable network isolation mode and inter-container traffic encryption
AnswerD

Network isolation removes internet access, and inter-container encryption secures traffic between containers.

Why this answer

VPC-only mode restricts all traffic to the VPC, and inter-container traffic encryption ensures data in transit within the job is encrypted. These two settings together meet the requirements.

14
Multi-Selectmedium

A data science team uses SageMaker to train and deploy models. They need to track model lineage, including datasets, training jobs, and model versions, to ensure reproducibility. Which THREE actions should they take? (Select THREE)

Select 3 answers
A.Enable SageMaker ML Lineage Tracking
B.Register all models in the SageMaker Model Registry
C.Store trained models in a public S3 bucket
D.Use SageMaker Experiments to organize training runs
E.Tag all resources with metadata such as project ID and training run ID
AnswersA, B, E

Lineage tracking automatically records artifacts, actions, and contexts.

Why this answer

A is correct because SageMaker ML Lineage Tracking automatically captures the relationships between datasets, training jobs, and model versions, creating a directed acyclic graph (DAG) of the ML workflow. This enables full reproducibility by allowing you to trace which data and code produced a specific model, without manual intervention.

Exam trap

The trap here is that candidates confuse SageMaker Experiments (which tracks metrics and parameters) with ML Lineage Tracking (which tracks the full provenance graph), leading them to select D instead of A, even though Experiments alone does not capture the inter-resource relationships needed for reproducibility.

15
MCQmedium

A data science team wants to track the lineage of models, including datasets, training jobs, and endpoints, for reproducibility and audit. They need a solution that captures relationships between artifacts automatically during training and deployment. Which service should they use?

A.Amazon S3 object versioning
B.SageMaker Experiments
C.SageMaker Model Registry
D.SageMaker ML Lineage Tracking
AnswerD

Captures artifact relationships and lineage automatically.

Why this answer

SageMaker ML Lineage Tracking automatically records the relationships between artifacts (datasets, jobs, models, endpoints) and tracks the provenance of ML workflows.

16
Multi-Selectmedium

An ML team has deployed a model to a SageMaker real-time endpoint and wants to set up automated monitoring for model quality. Which TWO elements are required to configure SageMaker Model Monitor for model quality? (Select TWO.)

Select 2 answers
A.SHAP values for feature attribution
B.A constraints file with allowed deviation thresholds
C.A ground truth labels dataset for comparison
D.The endpoint's prediction output captured in real-time
E.A baseline statistics file derived from the training data
AnswersC, D

Ground truth labels are essential to compare against predictions and compute model quality metrics.

Why this answer

Option C is correct because SageMaker Model Monitor for model quality requires a ground truth labels dataset to compare the model's predictions against actual outcomes. This comparison is essential for calculating quality metrics like accuracy, precision, recall, or F1 score, which indicate how well the model is performing over time.

Exam trap

The trap here is that candidates confuse the requirements for model quality monitoring (which needs ground truth labels and captured predictions) with those for data quality monitoring (which needs a baseline statistics file and constraints), leading them to select options B or E incorrectly.

17
MCQeasy

An ML team wants to monitor the cost of their SageMaker endpoints. They have observed that some endpoints are underutilized. Which AWS offering can help them reduce costs by committing to a consistent amount of usage in exchange for a lower price?

A.SageMaker Savings Plans
B.SageMaker endpoint auto-scaling
C.SageMaker Managed Spot Training
D.SageMaker Inference Recommender
AnswerA

Savings Plans offer discounted rates in exchange for a usage commitment.

Why this answer

SageMaker Savings Plans offer a flexible pricing model where you commit to a consistent amount of compute usage (measured in dollars per hour) over a 1- or 3-year term, in exchange for a lower price compared to On-Demand rates. This directly addresses the goal of reducing costs for underutilized endpoints by allowing the team to pay a discounted rate for the baseline usage they commit to, regardless of whether the endpoint is fully utilized.

Exam trap

The trap here is that candidates often confuse cost-saving mechanisms like auto-scaling (which reduces usage) with pricing commitments (which reduce per-unit cost), leading them to select endpoint auto-scaling instead of Savings Plans.

How to eliminate wrong answers

Option B is wrong because SageMaker endpoint auto-scaling dynamically adjusts the number of instances based on traffic, which can reduce costs by scaling down during low usage, but it does not involve committing to a consistent usage amount for a lower price; it is a scaling mechanism, not a pricing commitment. Option C is wrong because SageMaker Managed Spot Training is designed for training jobs, not for hosting endpoints, and uses spare EC2 capacity at a discount but can be interrupted, making it unsuitable for persistent inference endpoints that require availability. Option D is wrong because SageMaker Inference Recommender is a tool for benchmarking and optimizing inference configurations (e.g., instance type, model compilation) to improve performance and cost efficiency, but it does not provide a pricing commitment or discount for consistent usage.

18
MCQmedium

An ML engineer monitors a SageMaker endpoint for data drift. They set up SageMaker Model Monitor to compare inference data against a baseline created from the training dataset. The monitoring schedule runs daily and reports violations. Which monitoring type should be configured to detect if the distribution of a numerical feature in real-time inference data differs significantly from the training distribution?

A.Data quality monitoring
B.Feature attribution drift monitoring
C.Bias drift monitoring
D.Model quality monitoring
AnswerA

Data quality monitoring evaluates statistical properties of features against a baseline and can detect numerical feature drift using metrics like mean, variance, or Kolmogorov-Smirnov test.

Why this answer

SageMaker Model Monitor's data quality monitoring detects feature distribution drift (statistical drift) between baseline and live data. Model quality monitoring requires ground truth labels, bias drift monitors fairness metrics, and feature attribution drift monitors SHAP values.

19
MCQmedium

A company deploys a model for credit risk assessment on a SageMaker endpoint. To comply with internal policies, they must ensure that the endpoint only allows inference requests from within a specific VPC and that the data is encrypted at rest. Which configuration meets these requirements?

A.Enable network isolation mode and use KMS for endpoint encryption
B.Configure endpoint in VPC-only mode and enable inter-container traffic encryption
C.Deploy endpoint in a public subnet and use a security group to restrict traffic
D.Configure endpoint in VPC-only mode and enable KMS encryption for the endpoint
AnswerD

VPC-only mode restricts access to VPC; KMS encryption secures data at rest.

Why this answer

Option D is correct because configuring the SageMaker endpoint in VPC-only mode ensures that inference requests can only originate from within the specified VPC, satisfying the network restriction requirement. Enabling KMS encryption for the endpoint encrypts the model data and inference data at rest using a customer-managed key, meeting the encryption-at-rest policy.

Exam trap

The trap here is confusing network isolation (which blocks outbound internet access) with VPC-only mode (which restricts inbound traffic to a VPC), and mistaking inter-container traffic encryption for encryption at rest.

How to eliminate wrong answers

Option A is wrong because network isolation mode prevents the endpoint from accessing the internet but does not restrict inbound inference traffic to a specific VPC; it also does not inherently use KMS for endpoint encryption. Option B is wrong because inter-container traffic encryption protects data in transit between containers, not data at rest, and VPC-only mode alone does not guarantee encryption at rest. Option C is wrong because deploying the endpoint in a public subnet exposes it to the internet, and while a security group can restrict traffic, it does not enforce that requests originate only from within a specific VPC, nor does it provide encryption at rest.

20
Multi-Selectmedium

A company uses SageMaker Model Monitor to detect data drift in production. The monitoring job compares the current data distribution to a baseline. Which TWO types of drift can SageMaker Model Monitor detect? (Select TWO)

Select 2 answers
A.Concept drift (change in the relationship between features and target)
B.Data quality drift (schema and statistical drift)
C.Model quality drift (performance degradation against ground truth)
D.Bias drift (change in bias metrics over time)
E.Feature attribution drift (SHAP values)
AnswersB, C

Model Monitor can detect schema violations and statistical distribution changes.

21
MCQmedium

A team trains a model using SageMaker and wants to ensure that the training job cannot access the internet, but needs to access a private S3 bucket in the same VPC. Which configuration should they use?

A.Enable network isolation and provide VPC subnet and security group
B.Enable network isolation only, without VPC configuration
C.Disable network isolation but restrict security group rules
D.Use a public S3 bucket with bucket policies
AnswerA

Network isolation blocks internet; VPC config allows access to private resources via VPC endpoints.

Why this answer

SageMaker training jobs can be configured with VPC settings. Enabling network isolation prevents internet access, but the job still needs VPC connectivity to reach S3 via VPC endpoints. Setting the VPC config allows access to private resources.

22
MCQhard

A company uses SageMaker Model Monitor's feature attribution drift monitoring with SHAP. They receive an alert that the average SHAP value for a particular feature has increased significantly compared to the baseline. The feature's input distribution has not changed. What does this likely indicate?

A.The feature is no longer relevant to predictions
B.A bug in the SHAP computation
C.Data drift in that feature
D.Concept drift in the model
AnswerD

SHAP attribution drift indicates that the model's reliance on features has changed, which is a sign of concept drift.

Why this answer

SHAP values measure the contribution of each feature to the model's predictions. A change in SHAP values while input distribution is stable suggests the model has learned a new reliance on that feature, i.e., the relationship between the feature and the target has changed — concept drift.

23
MCQmedium

A company notices that the prediction distribution of their deployed model has shifted significantly from the training data distribution, but the input data distribution remains unchanged. Which type of drift is occurring, and what is the MOST likely cause?

A.Data drift; the training data is no longer representative of the current environment
B.Bias drift; the model is making unfair predictions against a protected group
C.Concept drift; the underlying relationship between features and target has changed
D.Model drift; the model has degraded due to software issues
AnswerC

Concept drift changes the prediction function while input distribution remains stable.

Why this answer

Concept drift occurs when the relationship between input features and target variable changes, causing prediction distribution shift. Data drift would be input distribution change. The scenario specifically says input distribution unchanged but predictions shifted, indicating concept drift.

Possible cause: change in customer behavior or market conditions.

24
MCQmedium

A financial institution uses SageMaker to train and deploy models. They need to track every experiment, model version, and deployment step for audit purposes. Which SageMaker feature should they use to capture the full lineage of artifacts, actions, and contexts?

A.SageMaker Clarify
B.SageMaker Model Registry
C.SageMaker Experiments
D.SageMaker ML Lineage Tracking
AnswerD

Lineage Tracking records relationships between all ML steps for auditability.

Why this answer

SageMaker ML Lineage Tracking creates a graph of artifacts (datasets, models), actions (training jobs, deployment), and contexts (experiments). It provides a complete audit trail. Experiments alone track trials but not lineage.

Model Registry tracks model versions but not full pipeline lineage. Clarify is for bias monitoring.

25
MCQeasy

A machine learning engineer needs to automatically retrain a model whenever SageMaker Model Monitor detects data drift. Which combination of services should be used to trigger the retraining pipeline?

A.SageMaker Ground Truth → Lambda → SageMaker Training job
B.CloudWatch Alarms → SNS → Lambda → SageMaker Processing job
C.SageMaker Model Monitor → EventBridge → Step Functions → SageMaker Training job
D.SageMaker Data Wrangler → SNS → SageMaker Training job
AnswerB

Model Monitor publishes metrics to CloudWatch. A CloudWatch Alarm on drift metric triggers an SNS topic, which invokes a Lambda function that starts a SageMaker Processing job for retraining.

Why this answer

Option B is correct because SageMaker Model Monitor publishes metrics to CloudWatch, and when data drift is detected, a CloudWatch Alarm triggers an SNS notification, which invokes a Lambda function to start a SageMaker Processing job for retraining. This architecture decouples monitoring from retraining and uses native AWS services for event-driven automation.

Exam trap

The trap here is that candidates assume SageMaker Model Monitor can directly trigger retraining via EventBridge or Step Functions, but the exam expects the CloudWatch Alarms → SNS → Lambda chain because Model Monitor metrics are published to CloudWatch, not directly to EventBridge for retraining triggers.

How to eliminate wrong answers

Option A is wrong because SageMaker Ground Truth is used for creating labeled datasets, not for monitoring data drift or triggering retraining pipelines. Option C is wrong because while SageMaker Model Monitor can integrate with EventBridge, the correct flow to trigger a retraining pipeline is via CloudWatch Alarms → SNS → Lambda → SageMaker Processing job, not directly from Model Monitor to Step Functions; Step Functions would orchestrate the pipeline but the trigger must come from CloudWatch alarms on drift metrics. Option D is wrong because SageMaker Data Wrangler is a data preparation tool, not a monitoring service, and SNS alone cannot directly start a SageMaker Training job without a compute trigger like Lambda.

26
Multi-Selecthard

A company uses a SageMaker endpoint for real-time inference. To reduce costs, they want to implement auto-scaling based on the number of invocations per instance. They also need to ensure that scaling actions are recorded for audit. Which TWO steps should they take? (Select TWO.)

Select 3 answers
A.Create a target tracking scaling policy based on the InvocationsPerInstance metric
B.Enable AWS CloudTrail to log auto-scaling API calls
C.Register the SageMaker endpoint as a scalable target with Application Auto Scaling
D.Enable SageMaker Model Monitor to track invocation counts
E.Publish custom metrics to CloudWatch for endpoint utilization
AnswersA, B, C

Target tracking with InvocationsPerInstance is a common approach to scale based on invocation load.

Why this answer

Option A is correct because the InvocationsPerInstance metric is a predefined SageMaker metric that Application Auto Scaling can use with a target tracking scaling policy. This policy automatically adjusts the number of instances to maintain a target value for invocations per instance, directly reducing costs by scaling down when demand is low.

Exam trap

The trap here is that candidates may think custom metrics are required for auto-scaling, but SageMaker automatically emits the InvocationsPerInstance metric, making custom publishing unnecessary, and they may confuse Model Monitor's role with scaling metrics.

27
MCQeasy

A team wants to automatically retrain a model whenever data drift is detected on their SageMaker endpoint. Which AWS service should they use to invoke a retraining pipeline in response to a CloudWatch Alarm?

A.AWS Step Functions directly from CloudWatch Alarm
B.SageMaker Processing job scheduled via EventBridge
C.Amazon SQS queue polling by a custom application
D.Amazon SNS topic triggering an AWS Lambda function
AnswerD

This pattern is typical: CloudWatch Alarm -> SNS -> Lambda -> start retraining pipeline.

Why this answer

Option D is correct because Amazon SNS can directly subscribe to a CloudWatch Alarm and, upon alarm state change, publish a message to an SNS topic. That topic can then trigger an AWS Lambda function, which invokes the retraining pipeline (e.g., SageMaker Processing or training job). This creates a fully managed, serverless event-driven workflow without needing custom polling or additional orchestration services.

Exam trap

The trap here is that candidates often assume CloudWatch Alarms can directly invoke Step Functions or Lambda without an intermediary like SNS, but CloudWatch Alarms only support SNS, SQS, and Auto Scaling actions as direct targets.

How to eliminate wrong answers

Option A is wrong because CloudWatch Alarms cannot directly invoke AWS Step Functions; they can only send notifications to SNS, SQS, or Auto Scaling, not invoke Step Functions directly. Option B is wrong because SageMaker Processing jobs cannot be scheduled directly via EventBridge; EventBridge can trigger a Lambda or Step Functions that starts a Processing job, but the job itself is not a direct target. Option C is wrong because using an SQS queue polled by a custom application introduces unnecessary complexity, latency, and operational overhead, and is not the simplest or most recommended pattern for reacting to a CloudWatch Alarm.

28
Multi-Selecthard

A company is deploying a SageMaker endpoint and must meet strict security requirements: no public internet access, all inter-container traffic must be encrypted, and all data at rest must be encrypted with a customer-managed KMS key. Which THREE configurations should they apply? (Choose THREE.)

Select 3 answers
A.Configure the endpoint to use VPC-only mode
B.Attach a security group that only allows inbound traffic from the VPC CIDR
C.Enable inter-container traffic encryption
D.Specify a KMS key in the endpoint configuration for data encryption
E.Enable network isolation mode on the endpoint
AnswersA, C, D

VPC-only mode ensures no public internet access.

29
Multi-Selecthard

A company wants to enable cross-account access to a SageMaker model endpoint. The model is in Account A, and Account B needs to invoke it. Which TWO steps are required? (Select TWO)

Select 2 answers
A.Attach a resource-based policy to the SageMaker model in Account A allowing access from Account B's IAM role
B.Export the model from Account A and re-deploy in Account B
C.Create an IAM role in Account B with permissions to invoke SageMaker endpoints
D.Configure VPC peering between the two accounts
E.Use a SageMaker notebook instance cross-account sharing
AnswersA, C

Resource policies grant cross-account permissions directly on the model.

Why this answer

Option A is correct because SageMaker endpoints support resource-based policies that allow cross-account access. By attaching a resource-based policy to the model endpoint in Account A, you can grant the IAM role from Account B explicit permission to invoke the endpoint. This is the standard AWS mechanism for cross-account SageMaker endpoint invocation without needing to duplicate the model.

Exam trap

The trap here is that candidates often confuse network-level connectivity (VPC peering) with IAM-level authorization, or assume that cross-account access requires duplicating resources, when in fact SageMaker's resource-based policies provide a direct and secure solution.

30
MCQmedium

A company needs to give a data science team in another AWS account access to deploy a model from a shared model registry. Which approach should they use to grant cross-account access?

A.Create an IAM role in the other account with permissions to access the registry
B.Use AWS Organizations SCP to allow cross-account access
C.Share the model artifacts via Amazon S3 bucket policy and use an IAM role
D.Attach a resource-based policy to the model registry granting the other account access
AnswerD

Resource-based policies allow cross-account access to SageMaker resources like the model registry.

Why this answer

Resource-based policies (also called resource policies) can be attached to the model registry to allow cross-account access. IAM roles are used for intra-account access, not for granting access to resources in another account.

31
MCQmedium

A machine learning engineer is deploying a model using a SageMaker endpoint and needs to ensure that the model artifacts are encrypted at rest using a customer-managed KMS key. Which configuration should they set?

A.Set the KMS key in the endpoint configuration's ProductionVariant
B.Enable default encryption on the S3 bucket containing the model artifacts
C.Use SageMaker Studio's KMS integration
D.Set the KMS key when creating the model using the CreateModel API
AnswerD

The CreateModel API accepts a KMS key parameter to encrypt the model artifacts in S3 and at rest.

Why this answer

Option D is correct because the `CreateModel` API in SageMaker accepts a `ModelKmsKeyId` parameter that specifies a customer-managed KMS key for encrypting the model artifacts at rest. This key is used when SageMaker copies the artifacts from S3 to the inference instance's Amazon EBS volume, ensuring encryption at rest. The other options either apply to different resources or do not control the encryption of the model artifacts themselves.

Exam trap

The trap here is that candidates confuse S3 bucket encryption (Option B) with model artifact encryption at rest on the endpoint, or they mistakenly think the endpoint configuration's `ProductionVariant` (Option A) can set a KMS key, when in fact the key is set at the model resource level.

How to eliminate wrong answers

Option A is wrong because the `ProductionVariant` in an endpoint configuration only controls instance type, count, and variant weight—it does not have a KMS key setting; encryption for the endpoint's EBS volume is set at the endpoint configuration level via the `KmsKeyId` parameter, not per variant. Option B is wrong because enabling default encryption on the S3 bucket only encrypts objects at rest in S3, but does not control the encryption of model artifacts when they are copied to the SageMaker endpoint's EBS volume; SageMaker uses the key specified in the model resource for that step. Option C is wrong because SageMaker Studio's KMS integration applies to Studio's own storage (e.g., home directories, notebooks) and does not affect the encryption of model artifacts used by a deployed endpoint.

32
MCQhard

A machine learning team uses SageMaker Pipelines and wants to automatically retrain a model when data drift is detected. They have set up Model Monitor to publish drift violations to CloudWatch. Which approach provides a COMPLETE serverless retraining pipeline triggered by drift detection?

A.Use SageMaker Model Monitor to directly invoke a SageMaker Pipeline when drift is detected
B.Use EventBridge to schedule retraining daily regardless of drift
C.Configure a CloudWatch Alarm on drift metric → SNS topic → Lambda function that starts the SageMaker Pipeline execution
D.Create an EventBridge rule that triggers on Model Monitor drift events to start the pipeline
AnswerC

This chain fully automates retraining on drift detection without manual intervention.

Why this answer

The recommended pattern: CloudWatch Alarm triggers on drift metric → SNS message → Lambda function (receives SNS) → starts SageMaker Pipeline execution. EventBridge could also trigger on SNS events, but Lambda is simplest. EventBridge can schedule retraining but does not directly react to specific drift alarms.

Step Functions would add unnecessary complexity.

33
MCQhard

A financial services company must deploy a SageMaker endpoint that only accepts traffic from within a VPC and encrypts all data at rest and in transit using customer-managed KMS keys. They also need to prevent inter-container traffic from being visible to other users. Which combination of settings fulfills these requirements?

A.Deploy the endpoint in a private subnet and use SageMaker Model Monitor to detect unauthorized access
B.Attach a security group that only allows inbound traffic from the VPC CIDR and enable data encryption using a KMS key
C.Enable network isolation mode and use a VPC configuration with no public internet access
D.Configure the endpoint with VPC-only mode, enable inter-container traffic encryption, and specify a KMS key for endpoint data encryption
AnswerD

VPC-only mode restricts traffic to the VPC, inter-container encryption secures container-to-container traffic, and KMS key encrypts data at rest.

Why this answer

VPC-only mode restricts traffic to the VPC. Inter-container traffic encryption ensures data in transit between containers is encrypted. KMS key specified in the endpoint configuration encrypts data at rest.

34
MCQmedium

A team receives alerts that their SageMaker endpoint latency has increased significantly. They check CloudWatch metrics and see Invocations rising, but ModelLatency remains stable. Which metric should they investigate to find the source of the increased latency?

A.OverheadLatency
B.ModelLatency
C.5XXError
D.4XXError
AnswerA

OverheadLatency captures infrastructure overhead; an increase here explains the total latency rise when ModelLatency is unchanged.

Why this answer

OverheadLatency measures the time taken by the SageMaker infrastructure to handle requests before and after model inference, including request routing, authentication, and response processing. Since ModelLatency is stable but total endpoint latency has increased, the extra time must be in the overhead component, making OverheadLatency the correct metric to investigate.

Exam trap

The trap here is that candidates assume increased Invocations directly cause higher ModelLatency, but the exam tests the distinction between inference time and infrastructure overhead, leading them to incorrectly select ModelLatency instead of OverheadLatency.

How to eliminate wrong answers

Option B is wrong because ModelLatency is explicitly stated as stable, so it cannot be the source of increased latency. Option C is wrong because 5XXError indicates server-side errors, not latency; while errors can correlate with latency, the question asks for the metric directly measuring the latency increase. Option D is wrong because 4XXError indicates client-side errors (e.g., invalid requests), which do not directly cause increased endpoint latency.

35
MCQmedium

A team uses SageMaker Clarify to monitor bias drift on a deployed model. They have defined a baseline with training data and set up a monitoring schedule. After one month, they receive a violation report indicating that the post-training metrics have deviated from the baseline. What does this violation indicate?

A.The model's predictions relative to sensitive attributes have shifted compared to the training baseline
B.The SHAP values for features have changed
C.The model's predictions are becoming less accurate
D.The distribution of input features has changed
AnswerA

Bias drift monitoring tracks predefined fairness metrics over time, and a violation indicates a significant change in those metrics.

Why this answer

SageMaker Clarify bias drift monitoring compares predicted outcomes (post-training) against the baseline to detect changes in fairness metrics like disparate impact. It does not measure prediction accuracy or data quality.

36
MCQhard

An organization uses SageMaker Studio and needs to restrict Studio's internet access while allowing users to install custom packages from a private PyPI mirror hosted in a VPC. Which networking configuration should they use?

A.Use a NAT gateway to allow outbound traffic to the private PyPI mirror
B.Disable internet access for Studio and rely on SageMaker's default VPC configuration
C.Disable internet access for Studio and configure VPC-only mode, then use a VPC endpoint to the private PyPI mirror
D.Enable internet access for Studio and use a VPC endpoint to the private PyPI mirror
AnswerC

VPC-only mode blocks internet; VPC endpoint to the private mirror allows package installation from the VPC.

Why this answer

SageMaker Studio in VPC-only mode (no internet access) combined with VPC-only mode for the domain and VPC endpoints to private PyPI mirror enables package installation from the private mirror. NAT gateway or internet gateway would allow internet access, which is not desired.

37
MCQeasy

An organization needs to ensure that all data used for inference on a SageMaker endpoint is encrypted at rest. The endpoint uses a SageMaker-provided container. Which configuration should be applied?

A.Use a custom container with built-in encryption
B.Specify a KMS key in the endpoint configuration
C.Enable network isolation mode
D.Enable inter-container traffic encryption
AnswerB

A KMS key encrypts the ML storage volume attached to the endpoint, ensuring data at rest is encrypted.

Why this answer

SageMaker endpoints use AWS KMS for encryption at rest. By specifying a KMS key in the endpoint configuration, the data in the attached ML storage volume is encrypted. Inter-container traffic encryption is for encryption in transit.

38
MCQmedium

A company uses SageMaker Model Monitor to track feature attribution drift with SHAP. They notice that the SHAP values have changed significantly for a feature, while the model performance remains stable. What is the MOST likely interpretation?

A.The ground truth labels are incorrect, causing the drift
B.Data drift has occurred for that feature
C.The model is learning equally from all features, so no action is needed
D.The model's behavior has changed, which may lead to future performance degradation and warrants investigation
AnswerD

Feature attribution drift often precedes concept drift; it should be investigated.

Why this answer

Option D is correct because a significant change in SHAP values indicates that the model's internal feature importance has shifted, even if overall performance metrics like accuracy or loss remain stable. This is a classic sign of concept drift or model behavior drift, where the model's decision boundary has changed for that feature, which can lead to future performance degradation as the drift accumulates. SageMaker Model Monitor tracks feature attribution drift separately from data drift, and a change in SHAP values without data drift suggests the model is relying on the feature differently, warranting investigation.

Exam trap

The trap here is that candidates confuse feature attribution drift (SHAP drift) with data drift, assuming a change in SHAP values must be caused by a change in the input data distribution, when in fact it indicates a change in the model's learned behavior that can occur independently of data drift.

How to eliminate wrong answers

Option A is wrong because incorrect ground truth labels would typically cause a drop in model performance metrics (e.g., accuracy, precision) when evaluated, but the scenario states model performance remains stable, so label errors are not the primary cause. Option B is wrong because data drift refers to changes in the distribution of input features themselves, not changes in the model's attribution of importance to those features; SHAP drift is a separate concept from data drift. Option C is wrong because the model learning equally from all features is not indicated by SHAP value changes; significant SHAP drift for a single feature suggests the model's behavior has changed, and ignoring it could lead to future issues, so action is needed.

39
Multi-Selectmedium

A company has a SageMaker real-time endpoint that serves predictions. They want to set up automated monitoring and remediation for when the number of 5XX errors exceeds a threshold. Which TWO steps should they take? (Choose TWO.)

Select 2 answers
A.Use SageMaker Model Monitor to detect 5XX errors
B.Configure the CloudWatch Alarm to publish to an SNS topic
C.Set up a scheduled EventBridge rule to check 5XXError every minute
D.Write a custom script on EC2 to poll the endpoint and check for errors
E.Create a CloudWatch Alarm on the 5XXError metric
AnswersB, E

SNS enables notifications to trigger downstream actions like Lambda or email.

Why this answer

Option B is correct because a CloudWatch Alarm on the 5XXError metric can be configured to publish to an SNS topic, enabling automated notifications or remediation actions (e.g., via Lambda) when the alarm state is triggered. This is the standard AWS approach for alerting on endpoint errors without custom polling.

Exam trap

The trap here is that candidates confuse SageMaker Model Monitor (for data quality) with CloudWatch metrics (for operational health), leading them to select option A instead of recognizing that 5XX errors are operational metrics monitored via CloudWatch Alarms.

40
Multi-Selecthard

A company needs to secure a SageMaker real-time endpoint such that only authorized applications within a VPC can invoke the model, and all data in transit is encrypted. Which THREE configuration steps should they implement? (Choose THREE)

Select 3 answers
A.Assign a public IP to the endpoint instances
B.Disable SageMaker's API gateway logs
C.Use a KMS key for endpoint data encryption (at rest)
D.Enable VPC-only mode for the endpoint
E.Enable inter-container traffic encryption
AnswersC, D, E

Encrypts data on the instance's storage.

Why this answer

Option C is correct because using a KMS key for endpoint data encryption at rest ensures that the model data and artifacts stored on the endpoint's ML storage volumes are encrypted. This is a required step for meeting encryption compliance, though the question specifically asks about data in transit; however, KMS encryption at rest is a standard security best practice and is listed as a correct answer in the context of overall data protection for the endpoint.

Exam trap

The trap here is that candidates often confuse encryption at rest (KMS) with encryption in transit (TLS), and may overlook that inter-container traffic encryption is needed for data moving between containers, not just between the client and endpoint.

41
MCQmedium

A data scientist notices that a production model's accuracy has degraded over the past week. The training data distribution remains unchanged, but the relationship between features and the target has shifted. Which type of drift is occurring, and which monitoring approach should be used?

A.Bias drift; use SageMaker Clarify post-deployment bias monitoring
B.Data drift; use SageMaker Model Monitor data quality monitoring
C.Feature attribution drift; use SageMaker Clarify
D.Concept drift; use SageMaker Model Monitor model quality monitoring with ground truth labels
AnswerD

Model quality monitoring compares predictions to actual labels, catching concept drift.

Why this answer

Concept drift occurs when the underlying relationship between features and target changes. Model quality monitoring (comparing predictions against ground truth) detects this. Data drift monitors feature distribution changes, which are not present here.

42
MCQmedium

A machine learning team deploys a fraud detection model on a SageMaker endpoint. The model's predictions are used in real-time. The team wants to monitor for data drift by comparing incoming data distributions against a baseline created from the training data. Which SageMaker capability should they use?

A.SageMaker Model Monitor - Model Quality Monitor
B.SageMaker Model Monitor - Data Quality Monitor
C.SageMaker Model Monitor - Feature Attribution Drift Monitor
D.SageMaker Model Monitor - Bias Drift Monitor
AnswerB

Correctly monitors statistical and schema drift against a training baseline.

Why this answer

SageMaker Model Monitor's Data Quality Monitor is specifically designed to detect data drift by comparing the statistical distribution of incoming inference data against a baseline computed from the training dataset. This capability tracks metrics like mean, variance, and quantiles for each feature, alerting when significant deviations occur. For a fraud detection model requiring real-time monitoring of input distributions, this is the correct choice.

Exam trap

The trap here is that candidates often confuse 'data drift' (input distribution changes) with 'model quality drift' (prediction performance changes), leading them to select Model Quality Monitor instead of Data Quality Monitor.

How to eliminate wrong answers

Option A is wrong because Model Quality Monitor focuses on monitoring the model's predictive performance metrics (e.g., accuracy, precision, recall) against a baseline, not the distribution of input features. Option C is wrong because Feature Attribution Drift Monitor uses SHAP-based feature importance to detect shifts in how features contribute to predictions, not the raw data distributions themselves. Option D is wrong because Bias Drift Monitor tracks fairness metrics and bias over time, such as demographic parity or equal opportunity, which is unrelated to general data distribution drift.

43
MCQmedium

A company plans to deploy a large foundation model using SageMaker JumpStart. They are concerned about costs because the model will be used intermittently. Which deployment option is MOST cost-effective for intermittent traffic?

A.Purchase SageMaker Savings Plans for the endpoint
B.Deploy as a serverless endpoint
C.Use a batch transform job for each request
D.Deploy as a real-time endpoint with a multi-model endpoint
AnswerB

Serverless endpoints scale down to zero during inactivity, reducing costs for intermittent usage.

Why this answer

Serverless endpoints in SageMaker automatically scale to zero when not in use, so you pay only for the compute time consumed during inference requests. This makes them the most cost-effective option for intermittent traffic, as you avoid paying for idle compute capacity.

Exam trap

The trap here is that candidates often confuse 'multi-model endpoints' with 'serverless' and assume they both scale to zero, but multi-model endpoints still run on provisioned instances that incur hourly costs regardless of traffic.

How to eliminate wrong answers

Option A is wrong because Savings Plans provide a discount on consistent usage but still require you to pay for a minimum baseline of compute, which is wasteful for intermittent traffic. Option C is wrong because batch transform jobs are designed for processing large datasets asynchronously, not for handling individual requests in real time, and they incur startup costs per job. Option D is wrong because a multi-model endpoint still runs on persistent instances that incur costs even when idle, and while it improves utilization across models, it does not eliminate idle costs for intermittent traffic.

44
MCQmedium

A machine learning engineer wants to reduce costs for a SageMaker real-time endpoint that experiences predictable traffic patterns with low traffic at night and high traffic during business hours. Which approach is most cost-effective while maintaining availability?

A.Use a single large instance type that can handle peak traffic at all times
B.Configure an auto-scaling policy with target tracking based on the Invocations metric
C.Set up a scheduled scaling policy that manually adjusts instances at fixed times
D.Use SageMaker Inference Recommender to find the optimal instance type and then manually set instance count
AnswerB

Target tracking scales instances up/down based on demand, reducing costs during low traffic while handling peaks.

Why this answer

Target tracking scaling policies automatically adjust instance count based on a metric like invocation count or CPU utilization. Step scaling can also be used but target tracking is simpler and more cost-effective for predictable patterns.

45
MCQmedium

A company wants to deploy a foundation model from SageMaker JumpStart with the lowest possible inference cost, given that latency requirements are flexible. They have a mix of traffic volumes. Which approach should they take?

A.Use SageMaker Savings Plans to get a discount on on-demand instances
B.Deploy the model on the largest GPU instance to handle peak load
C.Deploy the model on a serverless inference endpoint
D.Select the smallest instance type that meets throughput requirements and enable automatic scaling
AnswerD

Smallest suitable instance reduces base cost; auto-scaling adds capacity only when needed, minimizing overall cost.

Why this answer

SageMaker JumpStart provides pre-built models; for cost optimization, choosing the smallest suitable instance type and enabling auto-scaling based on demand reduces cost while handling varying traffic.

46
MCQmedium

A company deploys a model for fraud detection. They want to monitor if the model's predictions become less accurate over time due to changes in the underlying data distribution, but they do not have immediate access to ground truth labels. Which type of drift should they monitor as a proxy?

A.Feature attribution drift
B.Model quality drift
C.Data drift
D.Concept drift
AnswerC

Data drift (input distribution change) can be monitored without labels; significant data drift may indicate potential concept drift.

Why this answer

Data drift (option C) is the correct proxy to monitor when ground truth labels are unavailable because it detects changes in the input feature distribution over time. If the underlying data distribution shifts, the model's predictions are likely to become less accurate even if the relationship between features and labels remains stable. This allows teams to trigger retraining or investigation before model quality degrades.

Exam trap

Cisco often tests the distinction between data drift and concept drift, and the trap here is that candidates confuse 'changes in data distribution' (data drift) with 'changes in the relationship between features and labels' (concept drift), assuming both require labels when only concept drift does.

How to eliminate wrong answers

Option A is wrong because feature attribution drift measures changes in the importance of features to the model's predictions, not shifts in the input data distribution itself, and it still requires some form of baseline comparison that may not directly indicate accuracy loss without labels. Option B is wrong because model quality drift requires access to ground truth labels to compute metrics like accuracy or F1-score, which the scenario explicitly states are unavailable. Option D is wrong because concept drift refers to changes in the underlying relationship between features and the target variable (the function mapping inputs to outputs), which cannot be detected without labels to compare predicted vs. actual outcomes.

47
Multi-Selectmedium

A team wants to secure SageMaker endpoints for a healthcare application. They must ensure data is encrypted at rest and in transit, and that the endpoint can only be accessed from within a VPC. Which THREE steps should they take? (Select THREE)

Select 3 answers
A.Use AWS KMS to encrypt the model artifacts and endpoint data
B.Store encryption keys in a public S3 bucket
C.Set the endpoint to use network isolation mode
D.Configure the endpoint to use a VPC and disable public access
E.Enable inter-container traffic encryption using TLS
AnswersA, D, E

KMS provides encryption at rest for data and models.

48
MCQhard

A company deploys a real-time inference endpoint with auto-scaling using a target tracking policy based on average Invocations per instance. They notice that during a traffic spike, the endpoint scales out too late, causing increased latency. They want to scale proactively before the spike. Which strategy should they implement?

A.Enable provisioned concurrency on the endpoint
B.Pre-warm the endpoint by sending dummy requests
C.Use a scheduled scaling action to add capacity before the expected spike
D.Switch to a step scaling policy with a higher cooldown period
AnswerC

Scheduled scaling can increase the desired capacity in advance of known traffic patterns, reducing latency during the spike.

Why this answer

Scheduled scaling with Application Auto Scaling can anticipate traffic spikes. Pre-warming endpoints or using provisioned concurrency are not native SageMaker features. Step scaling reacts to deviations but still after the fact.

49
MCQmedium

A data science team wants to automate the retraining of a model whenever SageMaker Model Monitor detects a significant drift in data quality. They need the least amount of custom code. Which approach should they use?

A.Write a custom script on an EC2 instance that polls the Model Monitor endpoint every hour and triggers retraining if drift is detected
B.Configure an Amazon EventBridge rule that listens for Model Monitor violation events and directly triggers a SageMaker Pipeline execution
C.Set up a CloudWatch Alarm on the Model Monitor violation metric that sends a notification to an SNS topic, which triggers an AWS Lambda function to start a SageMaker pipeline
D.Use SageMaker Autopilot to automatically retrain the model when performance degrades
AnswerC

This uses native CloudWatch Alarms and SNS to invoke Lambda, which can start retraining. Minimal custom code needed.

Why this answer

CloudWatch Alarms can be set on Model Monitor violation metrics. The alarm triggers an SNS topic that invokes a Lambda function to start a retraining pipeline. This requires minimal custom code.

50
MCQmedium

A company has deployed a real-time inference endpoint using SageMaker. The endpoint latency is within acceptable limits, but the team notices that the Invocations metric shows occasional spikes. They want to investigate the source of the spikes. Which CloudWatch metric should they examine to isolate the time spent in SageMaker overhead versus model inference?

A.OverheadLatency
B.Latency
C.Both ModelLatency and OverheadLatency
D.ModelLatency
AnswerC

Comparing ModelLatency and OverheadLatency allows the team to determine whether the spike is due to model inference time or SageMaker infrastructure overhead.

51
Multi-Selectmedium

A machine learning team notices an increase in 5XXError count for a SageMaker endpoint. They want to set up automated remediation. Which THREE actions should they take? (Select THREE)

Select 3 answers
A.Add an SNS topic as the alarm action
B.Increase the endpoint instance count manually
C.Create a CloudWatch Alarm on the 5XXError metric
D.Enable detailed monitoring on the endpoint
E.Configure a Lambda function to restart the endpoint or scale out
AnswersA, C, E

SNS sends notifications to subscribers or triggers automation.

Why this answer

Option A is correct because adding an SNS topic as the alarm action enables automated notifications when the CloudWatch Alarm triggers on the 5XXError metric. This allows the team to receive alerts and trigger downstream remediation workflows, such as invoking a Lambda function, without manual intervention.

Exam trap

The trap here is that candidates often confuse enabling detailed monitoring (which only increases metric frequency) with automated remediation, or they mistakenly think manual scaling counts as automated remediation.

52
MCQmedium

A machine learning engineer is monitoring a deployed model for data drift. The input features are a mix of categorical and numerical columns. The baseline is from the training data. Which SageMaker Model Monitor feature should they enable to detect changes in the distribution of each feature over time?

A.Bias drift monitoring
B.Data quality monitoring
C.Model quality monitoring
D.Feature attribution drift monitoring
AnswerB

Data quality monitoring compares the distributions of input features against a baseline to detect statistical and schema drift.

Why this answer

Data quality monitoring in SageMaker Model Monitor detects schema and statistical drift (including distribution changes) for input features. Model quality monitors predictions vs. ground truth, not input features.

53
MCQmedium

A machine learning team deploys a model for loan approval. They want to monitor data drift on the real-time endpoint using SageMaker Model Monitor. Which set of actions should they take to set up data quality monitoring?

A.Use SageMaker Clarify to detect data drift on the endpoint
B.Enable data capture on the endpoint, generate a baseline from training data, create a data quality monitoring schedule, and set up a CloudWatch Alarm on violations
C.Create a model quality monitoring schedule directly on the endpoint without any baseline
D.Enable data capture and rely on SageMaker Model Monitor to automatically infer drift without a baseline
AnswerB

This is the standard procedure: capture live data, compute baseline statistics and constraints, schedule monitoring, and alarm on drift.

Why this answer

SageMaker Model Monitor requires a baseline from training data, then schedules monitoring jobs that compare live endpoint captures against that baseline. Alerts are sent via CloudWatch Alarms.

54
MCQmedium

A company uses SageMaker Studio and wants to restrict studio user access to only the VPC. They also need to encrypt the data exchanged between the Studio app and the kernel gateway. Which configuration should they apply?

A.Configure Studio to run in a private subnet and disable internet access
B.Use a VPC endpoint for SageMaker and enable KMS encryption
C.Enable VPC-only mode and inter-container traffic encryption
D.Enable network isolation and use a VPC with a NAT gateway
AnswerC

This restricts network access and encrypts traffic between Studio components.

Why this answer

Option C is correct because enabling VPC-only mode restricts all SageMaker Studio traffic to the VPC, preventing any internet-bound communication, while inter-container traffic encryption ensures that data exchanged between the Studio app and the kernel gateway is encrypted in transit using TLS. This combination satisfies both requirements: network confinement to the VPC and encryption of inter-component traffic.

Exam trap

The trap here is that candidates often confuse 'network isolation' (which only blocks internet access for the container) with 'VPC-only mode' (which restricts all Studio traffic to the VPC), and they overlook the specific need for inter-container traffic encryption, assuming KMS or endpoint encryption covers all data paths.

How to eliminate wrong answers

Option A is wrong because configuring Studio to run in a private subnet and disabling internet access only restricts internet-bound traffic but does not encrypt the data exchanged between the Studio app and the kernel gateway; it lacks the encryption requirement. Option B is wrong because using a VPC endpoint for SageMaker and enabling KMS encryption only encrypts data at rest and traffic through the endpoint, but does not encrypt the inter-container traffic between the Studio app and the kernel gateway, nor does it restrict all Studio traffic to the VPC. Option D is wrong because enabling network isolation and using a VPC with a NAT gateway isolates the container from the internet but does not encrypt inter-container traffic, and a NAT gateway actually allows outbound internet access, contradicting the requirement to restrict access to only the VPC.

55
MCQeasy

An ML engineer needs to monitor the operational health of a SageMaker endpoint, specifically the time taken for the container to process an inference request and the overhead added by SageMaker. Which two CloudWatch metrics should they examine?

A.ModelLatency and 4XXError
B.Latency and 5XXError
C.ModelLatency and OverheadLatency
D.Invocations and Latency
AnswerC

ModelLatency measures container processing time; OverheadLatency measures SageMaker overhead. Together they give a full picture.

Why this answer

ModelLatency is the time taken by the model to respond, and OverheadLatency is the additional time added by SageMaker infrastructure. Invocations is count, not duration; Latency is total latency (ModelLatency + OverheadLatency).

56
MCQhard

A company wants to share a trained model across multiple AWS accounts for inference. The model is stored in a central account's S3 bucket and needs to be deployed in other accounts' SageMaker endpoints. What is the recommended approach?

A.Use AWS RAM to share the model artifact S3 bucket
B.Attach a resource policy to the model in the central account allowing the other accounts' SageMaker service principals to access it
C.Use SageMaker Model Registry with cross-account sharing enabled
D.Copy the model artifacts to each account's S3 bucket and create separate models
AnswerB

Resource policies enable cross-account access without moving artifacts.

Why this answer

Option B is correct because SageMaker allows you to attach a resource-based policy directly to the model resource in the central account, granting the SageMaker service principal from other accounts permission to call `sagemaker:CreateModel` and `sagemaker:CreateEndpointConfig` using the shared model. This approach avoids copying artifacts and leverages AWS Identity and Access Management (IAM) cross-account trust, where the central account's model policy explicitly allows the remote account's SageMaker service role to access the model and its underlying S3 objects.

Exam trap

The trap here is that candidates confuse AWS RAM (which shares VPCs and subnets) with resource-based policies (which share IAM-accessible resources like SageMaker models), leading them to pick Option A, even though RAM cannot share S3 objects or SageMaker model resources.

How to eliminate wrong answers

Option A is wrong because AWS RAM is used to share resources like VPC subnets, Transit Gateways, or License Manager configurations, not S3 buckets or SageMaker models; S3 bucket policies or IAM roles are required for cross-account S3 access. Option C is wrong because SageMaker Model Registry does not natively support cross-account sharing; it is a metadata and versioning service within a single account, and sharing models across accounts still requires manual artifact replication or resource policies. Option D is wrong because copying model artifacts to each account's S3 bucket is inefficient, introduces synchronization overhead, and violates the principle of a single source of truth; the recommended approach uses resource-based policies to avoid duplication.

57
MCQmedium

A machine learning team trains a model in SageMaker and wants to track every step — from dataset version to hyperparameters to final model artifact — for reproducibility and audit compliance. Which SageMaker feature should they use?

A.SageMaker Feature Store
B.SageMaker ML Lineage Tracking
C.SageMaker Experiments
D.SageMaker Model Registry
AnswerB

ML Lineage Tracking creates a directed acyclic graph of artifacts, actions, and contexts, enabling full reproducibility and audit trails.

Why this answer

SageMaker ML Lineage Tracking is the correct choice because it is specifically designed to create a directed acyclic graph (DAG) of every step in the ML workflow, including dataset versions, hyperparameters, training jobs, and model artifacts. This enables full reproducibility and audit compliance by capturing the provenance of each entity and their relationships, which is exactly what the question requires.

Exam trap

The trap here is that candidates confuse SageMaker Experiments (which tracks trial metrics and parameters) with ML Lineage Tracking (which captures the full end-to-end provenance graph), leading them to pick Experiments when the question explicitly asks for tracking every step from dataset to final artifact for audit compliance.

How to eliminate wrong answers

Option A is wrong because SageMaker Feature Store is a centralized repository for storing, managing, and sharing features (input data) for ML models, but it does not track the lineage of training steps, hyperparameters, or model artifacts. Option C is wrong because SageMaker Experiments focuses on organizing and comparing multiple training runs (trials) with their parameters and metrics, but it does not automatically capture the full lineage graph connecting datasets, models, and endpoints for audit trails. Option D is wrong because SageMaker Model Registry is a catalog for managing model versions, approvals, and deployments, but it does not track the upstream lineage of how a model was trained (e.g., which dataset version and hyperparameters were used).

58
Multi-Selectmedium

A financial services company uses SageMaker Studio. They require that all Studio traffic remains within the corporate network and that user notebooks cannot access the internet. Which TWO configurations should they implement? (Select TWO.)

Select 2 answers
A.Use security groups to block outbound traffic from Studio notebooks
B.Enable network isolation mode for all training jobs
C.Enable KMS encryption for Studio data
D.Create the SageMaker Studio domain in a VPC with VPC endpoints for SageMaker and other services
E.Configure SageMaker Studio to use VPC-only mode
AnswersD, E

Using VPC endpoints ensures Studio traffic stays within the AWS network.

Why this answer

To keep all traffic within the corporate network, SageMaker Studio must be configured with a VPC-only mode (no public internet access). Additionally, creating the Studio domain with a VPC and optionally using VPC endpoints for Studio and other services ensures traffic stays within AWS network. Network isolation mode applies to training jobs, not Studio.

Security groups control traffic but do not prevent internet access. KMS encryption is for data at rest, not network.

59
Multi-Selectmedium

A company wants to secure data in transit between the client and SageMaker endpoint, and between containers in the same endpoint. Which THREE configurations should they apply? (Choose three.)

Select 3 answers
A.Enable data encryption at rest using KMS
B.Enable network isolation for the model containers
C.Use a VPC-only endpoint configuration
D.Configure the endpoint to use HTTPS (TLS)
E.Enable inter-container traffic encryption
AnswersB, D, E

Network isolation prevents containers from accessing the internet, reducing attack surface.

Why this answer

Enforce inter-container traffic encryption, use HTTPS for the endpoint, and enable network isolation to prevent internet exposure. VPC-only mode controls network access but does not directly encrypt traffic.

60
Multi-Selectmedium

A machine learning team wants to detect concept drift in a production model. Which TWO actions should they take? (Choose TWO)

Select 2 answers
A.Set up SageMaker Model Monitor data quality monitoring schedule
B.Use SageMaker Clarify for feature attribution drift
C.Enable daily retraining to automatically correct drift
D.Enable data capture on the endpoint to collect ground truth labels
E.Set up SageMaker Model Monitor model quality monitoring schedule
AnswersD, E

Ground truth labels are needed for comparison.

Why this answer

Concept drift is detected by comparing model predictions to actual outcomes (ground truth). Capturing ground truth and using model quality monitoring is essential. Data quality monitoring would not detect concept drift.

61
MCQmedium

A team monitors a production endpoint and notices a sudden increase in 5XXError count. Which of the following is the most likely cause?

A.The endpoint is under-provisioned and requests are throttled
B.The input data format has changed
C.The model container is out of memory or crashing
D.The model is returning predictions with high latency
AnswerC

Out-of-memory errors or crashes cause the container to return 5XX responses.

Why this answer

A sudden increase in 5XX errors, particularly HTTP 503 or 502, typically indicates that the model container is failing to process requests due to resource exhaustion (e.g., OOM kills) or a crash in the inference process. In a production ML endpoint, such errors often stem from the container running out of memory, leading to the container being terminated by the orchestrator (e.g., Kubernetes OOMKill) or the application crashing internally, which directly causes 5XX responses.

Exam trap

Cisco often tests the distinction between client-side errors (4XX) and server-side errors (5XX), and the trap here is that candidates confuse throttling (429) or input format issues (400) with server-side failures, overlooking that 5XX errors specifically indicate the server or container is failing to handle the request.

How to eliminate wrong answers

Option A is wrong because under-provisioning leading to throttling typically results in 429 (Too Many Requests) errors, not 5XX errors; 5XX indicates server-side failures, not rate limiting. Option B is wrong because a change in input data format would likely cause 400 (Bad Request) errors or prediction failures, not a sudden spike in 5XX errors, as the server would reject malformed inputs at the request validation layer. Option D is wrong because high latency does not inherently generate 5XX errors; it may cause timeouts (e.g., 504 Gateway Timeout) if the load balancer or API gateway has a timeout setting, but a general increase in latency alone does not produce a broad 5XX error count unless the container crashes under load.

62
MCQeasy

A company has deployed a machine learning model on Amazon SageMaker and wants to automatically detect when the distribution of input features deviates significantly from the training data distribution. Which SageMaker feature should they use?

A.SageMaker Clarify
B.SageMaker Edge Manager
C.SageMaker Model Monitor – Model Quality Monitoring
D.SageMaker Model Monitor – Data Quality Monitoring
AnswerD

Data quality monitoring detects schema drift and statistical drift by comparing live data to a baseline.

Why this answer

SageMaker Model Monitor – Data Quality Monitoring is the correct choice because it is specifically designed to detect deviations in the distribution of input features compared to the training data distribution. It continuously monitors incoming inference requests and compares statistical properties (e.g., mean, variance, or histogram) against a baseline computed from the training dataset, alerting when drift is detected.

Exam trap

The trap here is that candidates often confuse 'Data Quality Monitoring' with 'Model Quality Monitoring', mistakenly thinking that monitoring prediction accuracy covers input distribution drift, whereas Data Quality Monitoring is explicitly for input features and Model Quality Monitoring is for output predictions.

How to eliminate wrong answers

Option A is wrong because SageMaker Clarify is used for bias detection and explainability of model predictions, not for monitoring input feature distribution drift. Option B is wrong because SageMaker Edge Manager manages and optimizes models on edge devices, focusing on deployment and inference at the edge, not on monitoring input data quality in a cloud-based SageMaker endpoint. Option C is wrong because SageMaker Model Monitor – Model Quality Monitoring tracks prediction quality metrics (e.g., accuracy, precision) against a ground truth, not the distribution of input features.

63
MCQhard

A company deploys a model for fraud detection. They need to monitor for bias after deployment, specifically whether the model's false positive rate changes across demographic groups over time. Which SageMaker feature should they use?

A.SageMaker Model Monitor – Model Quality
B.SageMaker Model Monitor – Feature Attribution Drift
C.SageMaker Clarify (post-deployment bias monitoring)
D.SageMaker Model Monitor – Data Quality
AnswerC

SageMaker Clarify can be configured to run bias monitoring jobs that detect drift in fairness metrics after deployment.

Why this answer

SageMaker Clarify provides post-deployment bias monitoring by analyzing predictions against ground truth labels for defined facets. It can track metrics like false positive rate differences over time.

64
MCQeasy

A company needs to ensure that their SageMaker Studio environment is only accessible from within their corporate network and that all data processed in Studio remains encrypted. Which configuration should they use?

A.Use SageMaker Studio with public internet access and enable AWS WAF
B.Place SageMaker Studio in a public subnet and use security groups to restrict access
C.Enable SageMaker Studio in VPC-only mode and use a KMS key for data encryption
D.Use IAM policies to allow only corporate IP addresses and enable encryption at rest with an S3 bucket key
AnswerC

VPC-only mode restricts access to the VPC; KMS encryption secures data at rest.

Why this answer

Option C is correct because enabling SageMaker Studio in VPC-only mode ensures that the Studio environment is accessible only from within the corporate network by routing all traffic through a VPC with no public internet access. Additionally, using a KMS key for data encryption provides customer-managed encryption for data at rest and in transit within the Studio environment, meeting the encryption requirement.

Exam trap

The trap here is that candidates often confuse network-level access control (VPC-only mode) with API-level access control (IAM policies), or assume that security groups alone can restrict access to a public subnet, ignoring that public subnets inherently have internet connectivity.

How to eliminate wrong answers

Option A is wrong because enabling public internet access exposes the Studio environment to the internet, which contradicts the requirement of restricting access to the corporate network; AWS WAF protects against web exploits but does not enforce network-level access control. Option B is wrong because placing SageMaker Studio in a public subnet still allows internet access via an internet gateway, and security groups alone cannot prevent traffic from leaving the VPC or enforce corporate network-only access without additional routing controls. Option D is wrong because IAM policies can restrict API access based on IP addresses but do not control network-level access to the Studio UI or kernel gateway; S3 bucket keys only encrypt data at rest in S3, not all data processed in Studio (e.g., EFS, notebook instances).

65
MCQeasy

A company wants to reduce costs for a real-time inference endpoint that experiences predictable traffic spikes during business hours and low traffic at night. Which auto-scaling policy is MOST cost-effective while maintaining performance?

A.Step scaling based on CPU utilization
B.Manual scaling by the operations team
C.Scheduled scaling that increases instances before business hours and decreases after
D.Target tracking with a custom metric for response time
AnswerC

Scheduled scaling proactively adjusts capacity, minimizing idle instances during low traffic.

Why this answer

Option C is correct because scheduled scaling directly aligns capacity with the predictable traffic pattern (business hours vs. night), allowing you to proactively add instances before demand increases and remove them afterward. This avoids the cost of over-provisioning during low-traffic periods and the latency of reactive scaling, making it the most cost-effective approach for a known, recurring schedule.

Exam trap

The trap here is that candidates often choose reactive scaling options (like step scaling or target tracking) because they seem 'automated,' but they fail to recognize that for predictable, time-based traffic patterns, scheduled scaling is both more cost-effective and more performant than any reactive policy.

How to eliminate wrong answers

Option A is wrong because step scaling based on CPU utilization is reactive—it only adds capacity after a spike begins, which can cause latency or throttling during the initial surge, and it may keep instances running longer than needed due to cooldown periods, increasing cost. Option B is wrong because manual scaling by the operations team is error-prone, requires 24/7 staffing, and cannot react quickly enough to maintain performance during sudden traffic changes, leading to either over-provisioning or under-provisioning. Option D is wrong because target tracking with a custom metric for response time is also reactive and may cause oscillations (hunting) as the system tries to maintain a target, and it does not leverage the known schedule to pre-emptively scale, resulting in higher costs from delayed or excessive scaling actions.

66
MCQmedium

A machine learning engineer is setting up a retraining pipeline that triggers when concept drift is detected. They plan to use CloudWatch Alarms to monitor the model's accuracy metric. When drift is detected, they want to automatically start a SageMaker training job. Which architecture should they use?

A.CloudWatch Alarm → SQS → Lambda → SageMaker Training Job
B.CloudWatch Alarm → EventBridge → SageMaker Training Job
C.CloudWatch Alarm → SNS → Lambda → SageMaker Training Job
D.CloudWatch Alarm → Lambda directly (without SNS)
AnswerC

This architecture allows the alarm to trigger a notification, which Lambda processes to start a training job.

Why this answer

Option C is correct because CloudWatch Alarms cannot directly invoke SageMaker training jobs; they require an intermediary like SNS to trigger a Lambda function, which then calls the SageMaker API to start the training job. This pattern ensures reliable decoupling and allows the Lambda function to handle any preprocessing or conditional logic before launching the job.

Exam trap

The trap here is that candidates assume CloudWatch Alarms can directly trigger Lambda or SageMaker, but AWS documentation explicitly limits alarm actions to SNS, Auto Scaling, EC2, and Systems Manager, requiring an intermediary like SNS for Lambda invocation.

How to eliminate wrong answers

Option A is wrong because SQS is a message queue service designed for asynchronous decoupling and worker processing, not for directly triggering a Lambda function from a CloudWatch Alarm; the alarm can publish to SNS but not directly to SQS, and SQS would require a consumer like Lambda to poll, adding unnecessary latency and complexity. Option B is wrong because CloudWatch Alarms cannot directly invoke EventBridge; they can publish to an SNS topic or use a CloudWatch Events rule (now part of EventBridge) to trigger a target, but the alarm itself does not have a direct integration with EventBridge for starting SageMaker training jobs. Option D is wrong because CloudWatch Alarms cannot directly invoke Lambda functions; they must go through SNS or a CloudWatch Events rule (EventBridge) to trigger Lambda, as the alarm's action targets are limited to SNS, Auto Scaling, EC2, and Systems Manager, not Lambda directly.

67
MCQmedium

A team uses SageMaker ML Lineage Tracking to capture the metadata of their ML workflow. They want to query the lineage to see which model version was trained from a specific dataset. Which Lineage Tracking entity represents the dataset?

A.Association
B.Action
C.Context
D.Artifact
AnswerD

Artifacts represent data objects such as datasets, models, and output files.

Why this answer

In SageMaker ML Lineage Tracking, datasets are represented as Artifacts. Actions represent processes like training, and Contexts group related entities.

68
MCQhard

A hospital deploys a model to predict patient readmission risk. To comply with regulations, they must ensure that the model's predictions do not show bias against any demographic group over time. Which service should they use for ongoing monitoring?

A.SageMaker Clarify
B.AWS Audit Manager
C.SageMaker Model Monitor
D.Amazon Macie
AnswerA

SageMaker Clarify provides bias metrics and can be scheduled to monitor predictions after deployment.

Why this answer

SageMaker Clarify is the correct service because it is specifically designed to detect bias in ML model predictions and can be configured for ongoing monitoring. It provides bias metrics (e.g., difference in positive proportion, disparate impact) and can run on a schedule to continuously evaluate predictions against demographic groups, ensuring regulatory compliance over time.

Exam trap

The trap here is confusing SageMaker Model Monitor (which tracks data drift) with SageMaker Clarify (which tracks bias), leading candidates to choose Model Monitor because they think 'monitoring' covers all aspects of model health, but bias detection requires a separate, specialized tool.

How to eliminate wrong answers

Option B (AWS Audit Manager) is wrong because it is designed to audit AWS resource usage and compliance against frameworks (e.g., SOC 2, PCI DSS), not to monitor ML model bias. Option C (SageMaker Model Monitor) is wrong because it focuses on detecting data drift and feature distribution changes, not bias in predictions against demographic groups. Option D (Amazon Macie) is wrong because it is a data security service that discovers and protects sensitive data using machine learning, not a tool for monitoring model bias.

69
Multi-Selecthard

A company wants to ensure that a SageMaker endpoint can only be invoked from within a specific VPC and that the data in transit is encrypted. Which THREE steps should they take? (Select THREE.)

Select 2 answers
A.Attach a resource policy to the endpoint that restricts access to the VPC endpoint
B.Enable network isolation mode on the endpoint
C.Create a VPC endpoint for SageMaker (com.amazonaws.region.sagemaker.api)
D.Use a VPC with a NAT gateway and configure the endpoint to use the VPC
E.Enable inter-container traffic encryption on the endpoint
AnswersA, C

The resource policy ensures only traffic from the VPC endpoint is allowed.

Why this answer

To restrict access to a VPC, use a VPC endpoint for SageMaker. To enforce that only requests from that VPC are accepted, use a resource policy that denies requests unless they come via the VPC endpoint. Inter-container traffic encryption secures data between containers, but for endpoint invocation, using a VPC endpoint with encryption ensures data in transit is encrypted.

70
MCQhard

A financial services company needs to deploy a SageMaker endpoint that processes sensitive customer data. The security policy requires that all data in transit between the endpoint and the application must be encrypted, and that the endpoint cannot be accessed from the public internet. Additionally, model containers must not be able to initiate outbound internet requests. Which combination of settings meets these requirements?

A.Attach a public endpoint with an SSL certificate and restrict access via IAM
B.Use a private subnet with a NAT Gateway and set EnableNetworkIsolation to True
C.Deploy on a multi-model endpoint with encryption at rest using KMS
D.Enable VPC-only mode for the endpoint and set EnableInterContainerTrafficEncryption to True
AnswerD

VPC-only removes public access and forces traffic through VPC; inter-container encryption secures container-to-container communication.

Why this answer

Option D is correct because enabling VPC-only mode for the SageMaker endpoint ensures the endpoint is not accessible from the public internet, and setting EnableInterContainerTrafficEncryption to True encrypts data in transit between containers within the endpoint. This combination directly satisfies the requirements for no public internet access and encrypted data in transit, while the model containers are isolated from outbound internet requests by the VPC configuration.

Exam trap

The trap here is that candidates confuse EnableInterContainerTrafficEncryption with general data-in-transit encryption, overlooking that it only applies to inter-container traffic, while VPC-only mode is needed to block public internet access and prevent outbound requests.

How to eliminate wrong answers

Option A is wrong because a public endpoint with an SSL certificate still exposes the endpoint to the public internet, violating the requirement that the endpoint cannot be accessed from the public internet; IAM alone does not prevent network-level public access. Option B is wrong because using a private subnet with a NAT Gateway actually allows outbound internet traffic from the model containers, contradicting the requirement that containers must not initiate outbound internet requests; EnableNetworkIsolation only restricts network access between containers, not outbound internet. Option C is wrong because a multi-model endpoint with encryption at rest using KMS addresses data at rest, not data in transit or public internet access; it does not prevent public endpoint exposure or encrypt inter-container traffic.

71
MCQeasy

A machine learning engineer wants to deploy a pre-trained foundation model for text summarization using SageMaker JumpStart. Which of the following is a primary cost consideration when deploying such a model?

A.The cost of fine-tuning the model on custom data
B.The cost of GPU instances required for low-latency inference
C.The cost of data transfer for inference requests
D.The cost of storing the model artifacts in S3
AnswerB

GPU instances are expensive and the main cost driver for large model inference.

Why this answer

Foundation models are large and require GPU instances, which are more expensive. Inference cost is driven by instance type (GPU vs CPU) and the number of instances. While throughput and latency are performance considerations, the primary cost factor is the compute instance type.

Data transfer costs are secondary. Fine-tuning costs are separate.

72
MCQhard

A security team requires that all data used by a SageMaker training job be encrypted at rest using a customer-managed KMS key. The data is stored in an S3 bucket that is already encrypted with SSE-KMS. What additional configuration is needed on the SageMaker training job?

A.Specify the KMS key as the VolumeKmsKeyId and OutputKmsKeyId in the training job configuration
B.Enable inter-container traffic encryption
C.No additional configuration is required because S3 SSE-KMS automatically applies
D.Use network isolation mode
AnswerA

This ensures that the training volume and output are encrypted with the same key.

Why this answer

When the input data is encrypted with a customer-managed KMS key, you must specify the same KMS key in the VolumeKmsKeyId parameter of the training job to encrypt the ML storage volume, and also set the OutputKmsKeyId for output encryption.

73
MCQmedium

A team wants to use SageMaker Clarify to monitor bias in their production model predictions. They have configured a bias drift monitor. What does SageMaker Clarify compare to detect bias drift?

A.Current input data distribution against the training data distribution
B.Current bias metrics against a baseline bias metrics computed from training data
C.Current SHAP feature attributions against baseline SHAP values
D.Current predictions against ground truth labels collected in real-time
AnswerB

Bias drift monitor compares current bias metrics (e.g., DPPL, AD) to baseline values to detect change.

Why this answer

SageMaker Clarify bias drift monitor compares the bias metrics computed on current predictions against the baseline bias metrics computed from the training data or from an earlier period. It does not compare against model quality metrics or SHAP values. The baseline is typically established during the initial monitoring setup.

74
MCQhard

A company deploys a model in a different AWS account for production. They want to allow the production account to invoke the model endpoint from a SageMaker notebook in the same account, while keeping the model in the original account. Which configuration is required?

A.Create an IAM role in the production account with cross-account trust to assume a role in the model account
B.Use SageMaker Model Registry to share the model across accounts
C.Set up VPC peering between the two accounts and use private DNS
D.Attach a resource policy to the SageMaker model in the model account that grants invoke permissions to the production account's IAM role
AnswerD

Resource policy on the model allows cross-account invocation when combined with proper IAM permissions.

Why this answer

Cross-account model access requires a resource policy on the model in Account A that grants invoke permissions to Account B. The production account's execution role must also have permission to invoke the model. SageMaker Model Registry does not handle cross-account inference.

VPC peering is not sufficient for IAM permissions. IAM role cross-account trust is needed but the model resource policy is also necessary.

75
Multi-Selectmedium

A company wants to track the lineage of their ML models for reproducibility and auditability. Which THREE services or features should they use together to achieve this? (Choose THREE.)

Select 3 answers
A.Amazon S3 versioning
B.SageMaker Experiments
C.AWS CloudTrail
D.SageMaker ML Lineage Tracking
E.AWS Config
AnswersA, B, D

Versioning enables tracking changes to datasets and model artifacts over time.

Why this answer

Amazon S3 versioning is correct because it preserves every version of an object stored in an S3 bucket, including model artifacts, datasets, and configuration files. By enabling versioning, you can retrieve and revert to any previous version of a model artifact, which is essential for reproducibility and auditability. This directly supports tracking the lineage of ML models by ensuring that the exact input data and model binaries used in a specific experiment are never overwritten or lost.

Exam trap

The trap here is that candidates confuse AWS CloudTrail or AWS Config with lineage tracking because both deal with 'tracking' and 'auditing,' but they operate at the infrastructure/API level, not at the ML experiment and artifact relationship level required for model lineage.

Page 1 of 2 · 118 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Mla Monitoring Security questions.