Professional Documents
Culture Documents
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Setting up secure, well-governed machine
learning environments on AWS
Tony Fendall
Principal Solutions Architect
Amazon Web Services
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
A layered approach to AI/ML Security
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Common Personas
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security at all layers - Defense in depth
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Cloud Security
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is an AWS Account? AWS Cloud
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Organizations
Provides you tools to centrally govern
and manage your cloud environment
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CloudTrail
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CloudTrail
{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "EXAMPLE_PRINCIPAL_ID",
"arn": "arn:aws:sts::123456789012:user/Alice",
Who? When? What? Where? Where from? "accountId": "123456789012",
"accessKeyId": "EXAMPLE_KEY_ID",
"sessionContext": {
Bill 3:27pm Launch Instance us-west-2 72.21.198.64 "attributes": {
"mfaAuthenticated": "false",
"creationDate": "2022-12-30T20:21:09Z"
Alice 8:19am Added Bob to us-east-1 127.0.0.1
}
admin group }
},
Steve 2:22pm Deleted eu-west-1 205.251.23.176 "eventTime": "2022-12-31T00:02:40Z",
DynamoDB table "eventSource": "iam.amazonaws.com",
"eventName": "AddUserToGroup",
"awsRegion": "us-east-1",
"sourceIPAddress": "127.0.0.1",
"userAgent": "AWSConsole",
"requestParameters": {
"userName": "Bob",
"groupName": "admin"
},
"responseElements": null
}
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Service Control Policies (SCPs)
SCPs are:
✓ Invisible to all users in the child account, including root
✓ Applied to all users in the child account, including root
Service
Permissions: Control Policy Effective
permissions
✓ Intersection between the SCP and IAM permissions
✓ IAM Access Analyzer is SCP aware
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SCP example: Prevent data deletion
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": [
"arn:aws:s3:::my-prod-bucket",
"arn:aws:s3:::my-prod-bucket/*",
]
}
]
}
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Managing your multi-account environment
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Enable governance with AWS Control Tower
Establish
Set up an AWS
guardrails
landing zone
Manage
continuously
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Where can I learn more?
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Establish guardrails
Organizational
Preventive guardrails
units
Compliant
Enable
Accounts
Granular AWS AWS Config
Non-
policies rules Output compliant
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What if my AWS Account already exists?
http://bit.ly/3BRtaKn
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data Security
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Modern data strategy
Data Machine
Lakes Learning
Catalog People,
Data
Apps, and
Sources
Governance Devices
Analytics Databases
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Lake Formation
Acid Centralized
transactions catalog
DB-style Amazon S3 access Delegated Catalog
Permissions managed by resource Governance discoverability
permission
ETL workflow
creation
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data sharing scenarios with AWS Lake Formation
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Where can I learn more?
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Machine Learning Security
Consistent Provisioning
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Service Catalog: Simplifying provisioning
Security Speed
Curation Agility
Compliance Self-Service
Standardization Time to market
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Provisioning with AWS Service Catalog
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Where can I learn more?
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Machine Learning Security
Access Control
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Identity and Access Management
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IAM Policy Examples
{ {
"Sid": "Allow data access" "Sid": "Allow Sagemaker full access"
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": [
"s3:GetObject", "sagemaker:*"
"s3:PutObject” ],
], "Resource": "*",
"Resource": [ "Condition": {
"arn:aws:s3:::my-prod-bucket/*" "StringEquals": {
] "sagemaker:ResourceTag/Project": "P1"
} }
}
}
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon SageMaker Role Manager
+
Amazon AWS Identity &
SageMaker Access Management
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Recap
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security Defense in Depth
Machine Learning Security
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What next? Time to get hands-on!
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Training and Certification
Access the AI & ML learning plan courses built by AWS experts on AWS Skill Builder
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Visit the Data & AI/ML resource hub
Dive deeper into these resources, get inspired and learn how you can use AI and
machine learning to accelerate your business outcomes.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you for attending AWS Innovate – Data & AI/ML Edition
We hope you found it interesting! A kind reminder to complete the survey.
Let us know what you thought of today’s event and how we can improve the event
experience for you in the future.
aws-apj-marketing@amazon.com
twitter.com/AWSCloud
facebook.com/AmazonWebServices
youtube.com/user/AmazonWebServices
slideshare.net/AmazonWebServices
twitch.tv/aws
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.