Amazon SageMaker with guardrails on AWS

Partner Solution Deployment Guide

January 2021
Deepak Behera and Girish Chandra Tejaswi S., Brillio
Tony Bulding, AWS Integration & Automation team

Refer to the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Partner Solution. To comment on the documentation, refer to Feedback.

This Partner Solution was created by Brillio in collaboration with Amazon Web Services (AWS). Partner Solutions are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.

Overview

This guide covers the information you need to deploy the Amazon SageMaker with guardrails Partner Solution in the AWS Cloud.

This deployment is for users who want to use the capabilities of SageMaker with guardrails enabled for added security.

This deployment uses security guardrails on the SageMaker environment so that customers can build, train, and deploy machine learning (ML) models in a more secure environment. It uses enhanced security by using AWS PrivateLink, Amazon CloudWatch, AWS Identity and Access Management (IAM), AWS Key Management Service (AWS KMS), and other native services on AWS.

SageMaker with guardrails provides the following features:

A private network for performing secure API calls to other AWS services and restricting internet access for downloading packages.
Restricted SageMaker access to Amazon Elastic Container Registry (Amazon ECR).
Mandatory tagging for implementing resource policies and compliance when creating users and resources.
S3 bucket policies that restrict access to specific VPC endpoints.
Encryption of ML model artifacts and other system artifacts that are either in transit or at rest. Requests to the SageMaker API and console are made over a Secure Sockets Layer (SSL) connection.
Disabled root access to the SageMaker notebook instance at the time of launch.
Restricted IAM roles and policies for SageMaker execution and notebook access based on resource tags and project ID. Users can only open, start, and stop their own SageMaker notebooks.

Costs and licenses

There is no cost to use this Partner Solution, but you will be billed for any AWS services or resources that this Partner Solution deploys. For more information, refer to the AWS Partner Solution General Information Guide.

Architecture

Deploying this Partner Solution with default parameters builds the following SageMaker with guardrails environment in the AWS Cloud.

Figure 1. Partner Solution architecture for SageMaker with guardrails on AWS

As shown in Figure 1, this Partner Solution sets up the following:

AWS Lambda function (SageMakerBuild) for validating the VPC Domain Name System (DNS) and provisioning SageMaker resources.
AWS Service Catalog for triggering the SageMakerBuild function and passing parameters for creating resources.
AWS Identity and Access Management (IAM) roles, including:
- User role for accessing and launching the Service Catalog.
- Service Catalog launch constraint role for providing permission to provision resources.
- SageMaker execution role for providing limited access to the SageMaker notebook as determined by policies.
In the private resource subnet:
- Amazon SageMaker for running ML models and workflow.
- Amazon Elastic File System (Amazon EFS) for sharing common modules to SageMaker notebooks.
In the private Elastic Network Interface (ENI) subnet, interface endpoints through which SageMaker communicates with the following AWS services:
- Amazon CloudWatch for real-time monitoring of the SageMaker environment.
- Amazon Elastic Container Registry (Amazon ECR) with ECR Policy for storing the latest ML model images for future deployments.
- AWS Security Token Service (AWS STS) for providing access to an IAM role to perform operations on other AWS services.
Amazon Simple Storage Service (Amazon S3) gateway endpoint to access the S3 bucket for storing and retrieving ML data and bucket policy for restricting bucket access.
A dedicated S3 bucket used as a data store for training models and SageMaker model artifacts.
AWS PrivateLink, Amazon CloudWatch, AWS IAM, AWS Key Management Service (AWS KMS), and other native services on AWS to provide enhanced security.

* The template that deploys this Partner Solution into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

Deployment options

This Partner Solution provides the following deployment options:

Deploy SageMaker with guardrails into a new VPC. This option builds a new AWS environment that consists of the VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components. It then deploys SageMaker with guardrails into this new VPC.
Deploy SageMaker with guardrails into an existing VPC. This option provisions SageMaker with guardrails in your existing AWS infrastructure.

This Partner Solution provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and SageMaker with guardrails settings.

Predeployment steps

Amazon SageMaker is not supported in all AWS Regions. For a current list of supported Regions for SageMaker, see the Supported Regions in the Technical requirements section.

Deployment steps

Sign in to your AWS account, and launch this Partner Solution, as described under Deployment options. The AWS CloudFormation console opens with a prepopulated template.
Choose the correct AWS Region, and then choose Next.
On the Create stack page, keep the default setting for the template URL, and then choose Next.

On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

Unless you’re customizing the Partner Solution templates or are instructed otherwise in this guide’s Predeployment section, don’t change the default settings for the following parameters: QSS3BucketName, QSS3BucketRegion, and QSS3KeyPrefix. Changing the values of these parameters will modify code references that point to the Amazon Simple Storage Service (Amazon S3) bucket name and key prefix. For more information, refer to the AWS Partner Solutions Contributor’s Guide.

On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.
On the Review page, review and confirm the template settings. Under Capabilities, select all of the check boxes to acknowledge that the template creates AWS Identity and Access Management (IAM) resources that might require the ability to automatically expand macros.
Choose Create stack. The stack takes about 5 minutes to deploy.
Monitor the stack’s status, and when the status is CREATE_COMPLETE, the Amazon SageMaker with guardrails deployment is ready.
To view the created resources, choose the Outputs tab.

Postdeployment steps

Optionally deploy as a Service Catalog product

After the base infrastructure is configured by the CloudFormation template, data scientists and other users can assume the IAM role (SCEndUserrole) or group that was provided in the CloudFormation output when launching the Service Catalog and then launch SageMaker.

Be sure to specify the same environment name that is provided in the CloudFormation template.

Troubleshooting

For troubleshooting common Partner Solution issues, refer to the AWS Partner Solution General Information Guide and Troubleshooting CloudFormation.

Customer responsibility

After you deploy a Partner Solution, confirm that your resources and services are updated and configured—including any required patches—to meet your security and other needs. For more information, refer to the Shared Responsibility Model.

Feedback

To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Partner Solution. To submit code, refer to the Partner Solution Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.