A data science team uses Amazon SageMaker to train machine learning models. The training data is highly sensitive and stored in an Amazon S3 bucket. The security team requires that the SageMaker training instances do not have internet access and that all data transfer between SageMaker and S3 occurs over the private AWS network. How should the Architect configure the environment?

By default, Amazon SageMaker training jobs run in an AWS-managed VPC with internet access. To secure sensitive data, you can configure the training job to run within your own private VPC subnets. By not attaching a NAT Gateway or Internet Gateway, you ensure the instances have no internet access. To allow them to download training data from S3, you create a Gateway VPC Endpoint for S3, which routes the traffic securely over the AWS backbone.