Q61 — AWS DEA-C01 Ch.1
A data engineer is configuring Amazon SageMaker Studio to use AWS Glue interactive sessions to prepare data for machine learning (ML) models. The data engineer receives an access denied error when they try to prepare the data by using SageMaker Studio. Which change should the engineer make to gain access to SageMaker Studio?
- A. Add the AWSGlueServiceRole managed policy to the data engineer's IAM user.
- B. Add a policy to the data engineer's IAM user that includes the sts:AssumeRole action for the AWS Glue and SageMaker service Principals in the trust policy. ✓
- C. Add the AmazonSageMakerFullAccess managed policy to the data engineer's IAM user.
- D. Add a policy to the data engineer's IAM user that allows the sts:AddAssociation action for the AWS Glue and SageMaker service Principals in the trust policy.
Correct Answer: B. Add a policy to the data engineer's IAM user that includes the sts:AssumeRole action for the AWS Glue and SageMaker service Principals in the trust policy.
Explanation
Permissions between AWS services are normally configured as cross-service role delegation. When SageMaker Studio runs an AWS Glue interactive session, the Studio kernel must assume (sts:AssumeRole) the Glue service role through AWS Security Token Service (STS). The IAM user therefore needs permission to call sts:AssumeRole, and the role's trust policy must allow both the Glue and the SageMaker service principals. The AWS documentation is explicit that when service A calls service B on a role, the role's trust relationship must name service A's principal (for example sagemaker.amazonaws.com) as allowed to assume it. Option B is the only choice that configures both the STS permission and the trust relationship; the other options do not address cross-service delegation at all. Options A and C attach managed policies to the user, which grant API permissions to the user but change no role's trust policy, so the service-to-service assumption still fails. Option D names sts:AddAssociation, which is not an IAM action.

Practitioner check: in the documented Studio setup, the trust policy that matters is the one on the Studio execution role (domain or user profile), and its Principal.Service must list both glue.amazonaws.com and sagemaker.amazonaws.com. A Studio execution role created with the default trust policy trusts only sagemaker.amazonaws.com, which is the usual cause of this error when a Glue interactive session kernel starts.
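The following is an added example, not part of the exam page or of AWS's own tooling. It shows the trust-policy check a practitioner would run offline before touching the role: a constructed "before" document (the default Studio execution role trust policy, SageMaker only) beside the corrected one that also trusts Glue, plus a helper that reports which required service principals are missing and one that adds them. The role name and both policy documents are constructed for illustration; the service principal names and the sts:AssumeRole action are the real ones.

```python
import json

# Service principals that must be able to assume the Studio execution role
# for Glue interactive sessions to start from SageMaker Studio.
REQUIRED_SERVICES = {"glue.amazonaws.com", "sagemaker.amazonaws.com"}


def _as_list(value):
    """IAM allows a string or a list in Action/Principal.Service; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def trusted_services(trust_policy: dict) -> set:
    """Return the service principals this trust policy lets call sts:AssumeRole."""
    found = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # "Principal": "*" is not a service principal
        found.update(_as_list(principal.get("Service")))
    return found


def missing_services(trust_policy: dict) -> set:
    """Required service principals that the trust policy does not allow."""
    return REQUIRED_SERVICES - trusted_services(trust_policy)


def fix_trust_policy(trust_policy: dict) -> dict:
    """Return a copy of the trust policy with one Allow sts:AssumeRole statement
    that covers every required service principal; existing statements are kept."""
    fixed = json.loads(json.dumps(trust_policy))  # deep copy
    missing = missing_services(fixed)
    if missing:
        fixed.setdefault("Statement", []).append({
            "Effect": "Allow",
            "Principal": {"Service": sorted(missing)},
            "Action": "sts:AssumeRole",
        })
    return fixed


# Constructed example: a default Studio execution role trusts only SageMaker.
BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "sagemaker.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed example: the corrected trust policy also trusts Glue.
AFTER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["glue.amazonaws.com", "sagemaker.amazonaws.com"]},
        "Action": "sts:AssumeRole",
    }],
}


if __name__ == "__main__":
    print("before, missing:", sorted(missing_services(BEFORE)))  # ['glue.amazonaws.com']
    print("after, missing: ", sorted(missing_services(AFTER)))   # []
    # Hypothetical role name; the JSON below is what you would hand to
    # `aws iam update-assume-role-policy --role-name ... --policy-document file://trust.json`
    print(json.dumps(fix_trust_policy(BEFORE), indent=2))
```

The check deliberately looks only at Allow statements whose Action includes sts:AssumeRole, because a statement that names the right service principal under a different action (or under Deny) still leaves the role unassumable. Read the live document with `aws iam get-role --role-name <execution-role>` and feed the AssumeRolePolicyDocument field to `missing_services` before deciding which fix to apply.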