Slides Setting Up Secure, Well-Governed Machine Learning Environments On AWS

22 February 2023
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Setting up secure, well-governed machine
learning environments on AWS
Tony Fendall
Principal Solutions Architect
Amazon Web Services
Agenda
A layered approach to AI/ML Security
1. AWS Cloud Governance and Security
2. Data Governance and Security
3. AI/ML Governance and Security
Plus resources for you to continue learning
Common Personas
AWS Platform Data Engineers Project Data Scientists

Engineers Administrators
Security at all layers - Defense in depth
Machine Learning Governance & Security
Data Governance & Security
AWS Cloud Governance & Security
AWS Cloud Security
What is an AWS Account? AWS Cloud
Each AWS Account: Account A
• Is a resource container for AWS cloud services

Compute
• Is an explicit security boundary
• Is a container for cost tracking and billing
• Is a mechanism to enforce limits and thresholds
Networking &
• e.g. service quotas and API thresholds content
delivery
• Over time, organisations add more accounts to

support more applications and services Storage
and much more…
AWS Organizations
Provides you tools to centrally govern
and manage your cloud environment
• Quickly scale by creating accounts and

allocate resources
• Customize your environment by
applying governance policies
• Secure and audit your environment
• Manage costs and identify cost-saving
measures
AWS CloudTrail
Capture Store Act Review

Record activity as Retain events logs in Trigger actions Analyze recent
CloudTrail events secure an Amazon S3 when important events and logs
bucket events are detected
AWS CloudTrail
{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "EXAMPLE_PRINCIPAL_ID",
"arn": "arn:aws:sts::123456789012:user/Alice",
Who? When? What? Where? Where from? "accountId": "123456789012",
"accessKeyId": "EXAMPLE_KEY_ID",
"sessionContext": {
Bill 3:27pm Launch Instance us-west-2 72.21.198.64 "attributes": {
"mfaAuthenticated": "false",
"creationDate": "2022-12-30T20:21:09Z"
Alice 8:19am Added Bob to us-east-1 127.0.0.1
}
admin group }
},
Steve 2:22pm Deleted eu-west-1 205.251.23.176 "eventTime": "2022-12-31T00:02:40Z",
DynamoDB table "eventSource": "iam.amazonaws.com",
"eventName": "AddUserToGroup",
"awsRegion": "us-east-1",
"sourceIPAddress": "127.0.0.1",
"userAgent": "AWSConsole",
"requestParameters": {
"userName": "Bob",
"groupName": "admin"
},
"responseElements": null
}
Service Control Policies (SCPs)
Enable you to control which AWS service APIs are accessible:

✓ Define the list of APIs that are allowed – allowlisting Identity-based
✓ Define the list of APIs that must be blocked – denylisting policy
SCPs are:
✓ Invisible to all users in the child account, including root
✓ Applied to all users in the child account, including root
Service
Permissions: Control Policy Effective
permissions
✓ Intersection between the SCP and IAM permissions
✓ IAM Access Analyzer is SCP aware
SCP example: Prevent data deletion
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": [
"arn:aws:s3:::my-prod-bucket",
"arn:aws:s3:::my-prod-bucket/*",
]
}
]
}
Managing your multi-account environment
AWS Organizations give you native tools to build your environment
If you’d like to jump-start your AWS environment using a simple UI

and built-in best practices, we recommend AWS Control Tower
AWS Control Tower
Enable governance with AWS Control Tower
Establish
Set up an AWS
guardrails
landing zone
Manage
continuously
Centralize identity Automate compliant

and access account provisioning
Where can I learn more?
Setting up secure, well-governed machine

learning environments on AWS
• How to structure your AWS Accounts for ML

workloads
• Using AWS Control Tower to apply guardrails for
ongoing governance
• Provision ML environments on demand for your
projects
https://go.aws/3G4GMVb
Establish guardrails
Organizational
Preventive guardrails
units
Enable Output Always

Granular AWS Service Control Accounts compliant
policies Policies
Detective/remediable guardrails Organizational

units
Compliant
Enable
Accounts
Granular AWS AWS Config
Non-
policies rules Output compliant
Demo
What if my AWS Account already exists?
Startup Security Baseline Workshop
• Provides step-by-step instructions to

improve your security posture
• For technical owners of AWS accounts
• Foundational security controls
http://bit.ly/3BRtaKn
Data Security
Modern data strategy
Data Machine
Lakes Learning
Catalog People,
Data
Apps, and
Sources
Governance Devices
Analytics Databases
AWS Lake Formation
Build Secure Share
Acid Centralized
transactions catalog
DB-style Amazon S3 access Delegated Catalog
Permissions managed by resource Governance discoverability
permission
ETL workflow
creation
Fine-grained Tag-based access Centralized

Catalog to scale auditing w/event
ML Storage permissions permissions forwarding
transform optimization
Simplify data ingestion Centrally define and manage Enable cross-account

and data management security and governance data sharing
Data sharing scenarios with AWS Lake Formation
Single Account Hub and Spoke Data Mesh Business to Business
PRODUCER CONSUMER LAKE LAKE

FORMATION FORMATION CUSTOMER
LAKE LAKE LAKE
CONSUMER
FORMATION FORMATION FORMATION
LAKE PARTNER
CONSUMER FORMATION
Centralized Hub and Spoke Data Mesh

Single Account Multi-Account Central Governance Multi-Customer
Simple to get started Cross-organization Organizational autonomy Cross-organization
Control and audit data exploration

activities with Amazon SageMaker
Studio and AWS Lake Formation
• Provides step-by-step instructions to

implement per-user access control and
auditing
• Based on the Machine Learning Lens of the
AWS Well-Architected Framework
https://go.aws/3vboGug
Machine Learning Security
Consistent Provisioning
AWS Service Catalog: Simplifying provisioning
Security Speed
Curation Agility
Compliance Self-Service
Standardization Time to market
Service catalogs enable organizations to deploy and

manage infrastructure and applications that reflect
the organization’s security and operational policies
Organizations End Users
Provisioning with AWS Service Catalog
AWS Platform Data Scientists Data Engineers

Engineers
Product Portfolio Constraints Product List Provisioned

Product
CloudFormation Allow controlled Users only see Amazon SageMaker
Templates in flexibility approved Notebook with pre-
JSON or YAML products approved security
controls
Enable self-service, secured data science

using Amazon SageMaker notebooks and
AWS Service Catalog
• Provides step-by-step instructions to build an

Amazon SageMaker notebook product within
AWS Service Catalog
• Ensure notebook instances are encrypted and
auditable
https://go.aws/3WCtchB
Access Control
AWS Identity and Access Management
Who Can access What
AWS Identity and

Access Management
Apply fine-grained Workforce users with Permissions Resources within

permissions to AWS IAM Identity Center and with IAM Policies your AWS organization
services and resources workloads with IAM roles
IAM Policy Examples
{ {
"Sid": "Allow data access" "Sid": "Allow Sagemaker full access"
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": [
"s3:GetObject", "sagemaker:*"
"s3:PutObject” ],
], "Resource": "*",
"Resource": [ "Condition": {
"arn:aws:s3:::my-prod-bucket/*" "StringEquals": {
] "sagemaker:ResourceTag/Project": "P1"
} }
}
}
Amazon SageMaker Role Manager
+
Amazon AWS Identity &
SageMaker Access Management
Amazon SageMaker Role Manager helps you to

build and manage persona-based IAM roles
for common machine learning needs
Demo
Recap
Security Defense in Depth
Made easy with AWS Service Catalog and

Amazon SageMaker Role Manager
Data Governance & Security
Made easy with AWS Lake Formation
AWS Cloud Governance & Security
Made easy with AWS Control Tower and

AWS Organizations
What next? Time to get hands-on!
Workshop: Building Secure Data Science

Environments
• Self-paced workshop with hands-on labs

• Experience the roles of Platform Engineering,
Project Administrators and Data Scientists
• Get hands-on with AWS Service Catalog and
common best practices for machine learning
Security
http://bit.ly/3jHy5aH
AWS Training and Certification
Access the AI & ML learning plan courses built by AWS experts on AWS Skill Builder
• Get started with digital self-paced, on-demand training and

ramp-up guides to help you grow your technical skills
• Learn how to apply machine learning, artificial intelligence, and

deep learning to unlock new insights and value in your role
• Take the steps today, towards validating your expertise with an

AWS Certified Machine Learning – Specialty Certification https://bit.ly/3FnxDH7
Learn your way explore.skillbuilder.aws »
Visit the Data & AI/ML resource hub
Dive deeper into these resources, get inspired and learn how you can use AI and
machine learning to accelerate your business outcomes.
• 6 steps to machine learning success e-book

• 7 leading machine learning use cases e-book
• Machine learning at scale e-book
• Achieving transformative business results with machine learning e-book
• Tackling our world’s hardest problems with machine learning e-book
https://bityl.co/FqdC
• Accelerating machine learning innovation through security e-book
• … and more!
Visit resource hub
Thank you for attending AWS Innovate – Data & AI/ML Edition
We hope you found it interesting! A kind reminder to complete the survey.
Let us know what you thought of today’s event and how we can improve the event
experience for you in the future.
aws-apj-marketing@amazon.com
twitter.com/AWSCloud
facebook.com/AmazonWebServices
youtube.com/user/AmazonWebServices
slideshare.net/AmazonWebServices
twitch.tv/aws
Thank you!

Slides Setting Up Secure, Well-Governed Machine Learning Environments On AWS

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Slides Setting Up Secure, Well-Governed Machine Learning Environments On AWS

Uploaded by

Copyright:

Available Formats

22 February 2023

1. AWS Cloud Governance and Security

2. Data Governance and Security

3. AI/ML Governance and Security

Plus resources for you to continue learning

AWS Platform Data Engineers Project Data Scientists

Machine Learning Governance & Security

Data Governance & Security

AWS Cloud Governance & Security

Each AWS Account: Account A

• Is a resource container for AWS cloud services

• Over time, organisations add more accounts to

and much more…

• Quickly scale by creating accounts and

Capture Store Act Review

Enable you to control which AWS service APIs are accessible:

AWS Organizations give you native tools to build your environment

If you’d like to jump-start your AWS environment using a simple UI

AWS Control Tower

Centralize identity Automate compliant

Setting up secure, well-governed machine

• How to structure your AWS Accounts for ML

Enable Output Always

Detective/remediable guardrails Organizational

Startup Security Baseline Workshop

• Provides step-by-step instructions to

Build Secure Share

Fine-grained Tag-based access Centralized

Simplify data ingestion Centrally define and manage Enable cross-account

Single Account Hub and Spoke Data Mesh Business to Business

PRODUCER CONSUMER LAKE LAKE

Centralized Hub and Spoke Data Mesh

Simple to get started Cross-organization Organizational autonomy Cross-organization

Control and audit data exploration

• Provides step-by-step instructions to

Service catalogs enable organizations to deploy and

Organizations End Users

AWS Platform Data Scientists Data Engineers

Product Portfolio Constraints Product List Provisioned

Enable self-service, secured data science

• Provides step-by-step instructions to build an

Who Can access What

AWS Identity and

Apply fine-grained Workforce users with Permissions Resources within

Amazon SageMaker Role Manager helps you to

Made easy with AWS Service Catalog and

Data Governance & Security

Made easy with AWS Lake Formation

AWS Cloud Governance & Security

Made easy with AWS Control Tower and

Workshop: Building Secure Data Science

• Self-paced workshop with hands-on labs

• Get started with digital self-paced, on-demand training and

• Learn how to apply machine learning, artificial intelligence, and

• Take the steps today, towards validating your expertise with an

Learn your way explore.skillbuilder.aws »

• 6 steps to machine learning success e-book

Visit resource hub

You might also like