AWS Clean Rooms FAQs

AWS Clean Rooms ML helps you and your partners apply ML models on your collective data to unlock predictive insights without sharing sensitive information with each other. With this AWS Clean Rooms capability, you can invite your partners to a clean room and apply an AWS managed, ready-to-use ML model that is trained to each collaboration to generate lookalike datasets in a few steps, saving months of development work to build, train, tune, and deploy your own model.

AWS Clean Rooms ML helps customers with multiple use cases. For example, an airline can use data about its customers, collaborate with an online booking service, and identify prospect travelers with similar characteristics; auto lenders and insurers can identify prospective auto insurance customers who share characteristics with a set of existing lease owners; and brands and publishers can model lookalike segments of in-market customers and deliver highly relevant advertising experiences, without either company sharing their underlying data with the other. Healthcare modeling will be available in the coming months.

AWS Clean Rooms ML was built and tested across various datasets, such as e-commerce and streaming video, and can help customers improve accuracy on lookalike modeling by up to 36% when compared with representative industry baselines. In real-world applications like prospecting for new customers, this accuracy improvement can translate into savings of millions of dollars.

With AWS Clean Rooms ML lookalike modeling, you can train your own custom model using your data and invite your partners to bring a small sample of their records to a collaboration to generate an expanded set of similar records while protecting you and your partner’s underlying data. AWS Clean Rooms ML takes a small sample of records from one party and finds a much larger set of records or lookalike segment from another collaborator's dataset. AWS Clean Rooms ML does not share data with either party, and parties can remove their data or delete a custom model whenever they want. You can specify the desired size of the resulting lookalike segment, and AWS Clean Rooms ML will privately match the unique profiles in your sample list with those in your partner's dataset and then train an ML model that predicts how similar each profile in your collaborator's dataset is to those in your sample. AWS Clean Rooms ML will automatically group the profiles that are similar to the sample list and output the resulting lookalike segment. AWS Clean Rooms ML removes the need to share data to build, train, and deploy ML models with your partners. With AWS Clean Rooms ML, your data is only used to train your model and is not used for AWS model training. You can use intuitive controls that help you and your partners tune the model’s predictive results.

Data protection starts with the security foundation of AWS, and AWS Clean Rooms is built on top of AWS security services including AWS Identity and Access Management (IAM), AWS Key Management Service (AWS KMS), and AWS CloudTrail. This allows you to extend your existing data protection strategy to data collaboration workloads. With AWS Clean Rooms, you no longer need to store or maintain a copy of your data outside your AWS environment and send to another party to conduct analysis for consumer insights, marketing measurement, forecasting, or risk assessment.

When you set up an AWS Clean Rooms collaboration and use SQL analysis, you can specify different abilities for each collaboration member to suit your specific use cases. For example, if you want the output of the query to go to a different member, you can designate one member as the query runner who can write queries and another member as the query result receiver who can receive the results. This gives the collaboration creator the ability to make sure that the member who can query doesn't have access to the query results.

AWS Clean Rooms also has SQL query controls that allow you to restrict the kind of queries or specific queries that can be run on your data tables through analysis rules configuration. AWS Clean Rooms supports three types of SQL analysis rules: aggregation, list, and custom. With the aggregation analysis rule, you can configure your table such that only queries that generate aggregate statistics are allowed (such as campaign measurement or attribution). With the list analysis rule, you can configure controls such that queries can only analyze the intersection of your datasets with that of the member who can query. With the custom analysis rule, you can configure query-level controls to allow specific accounts or queries to be run on your dataset. When using custom analysis rules, you can choose to use Differential Privacy. AWS Clean Rooms Differential Privacy helps you protect the privacy of your users with mathematically backed and intuitive controls in a few steps. As a fully managed capability of AWS Clean Rooms, no prior differential privacy experience is needed to help you prevent the re-identification of your users. Another control is aggregation thresholds, which prevent queries from drilling down to small, potentially re-identifiable groups.

With AWS Clean Rooms ML, your data is only used to train your model and is not used for AWS model training. AWS Clean Rooms ML does not use any company's training or lookalike segment data with another, and you can delete your model and training data whenever you want.

No. Datasets are stored in collaborators AWS accounts. AWS Clean Rooms temporarily reads data from collaborators accounts to run queries, train ML models or expand seed segments. Results of an analysis are sent to the S3 location designed for the analysis.

Models generated by AWS Clean Rooms ML are stored by the service, can be encrypted with a customer managed AWS KMS key, and can be deleted by the customer at any point.

AWS Clean Rooms encryption and analysis rules allow you to have granular control on the type of information you want to share. As a data collaborator, you are responsible for assessing the risk of each collaboration, including the risk of reidentification, and conducting your own additional due diligence to ensure compliance with any data privacy laws. If the data you are sharing is sensitive or regulated, we recommend you also use appropriate legal agreements and audit mechanisms to further reduce privacy risks.

Yes. The AWS Service Terms prohibit certain use cases for collaborations in AWS Clean Rooms.

Yes. The AWS HIPAA compliance program includes AWS Clean Rooms as a HIPAA-eligible service. If you have an executed Business Associate Addendum (BAA) with AWS, you can now use AWS Clean Rooms to create HIPAA-compliant collaborations. If you don't have a BAA or have other questions about using AWS for your HIPAA-compliant applications, contact us for more information. To learn more, see AWS HIPAA Compliance and AWS for Healthcare and Life Sciences.

In the SQL analysis rules, you configure column-level controls that help you define how each column can be used in queries. For example, you can specify which columns can be used to calculate aggregate statistics—such as SUM(price)—and which columns can be used to join your table with other collaboration members. In the Aggregation analysis rule, you can also define a minimum aggregation threshold that each output row must meet. Rows that do not meet the minimum threshold are automatically filtered out by AWS Clean Rooms.

Yes. You will be able to configure AWS Clean Rooms to publish query logs in Amazon CloudWatch Logs. With the custom analysis rule, you can also review queries (stored in analysis templates) before they run in the collaboration. 

Differential privacy is a mathematically proven framework for helping data privacy protection. The primary benefit behind differential privacy is to help protect data at the individual level by adding a controlled amount of randomness—noise—to obscure the presence or absence of any single individual in a dataset that is being analyzed.

AWS Clean Rooms Differential Privacy helps you protect the privacy of your users with mathematically backed and intuitive controls in a few steps. As a fully managed capability of AWS Clean Rooms, no prior differential privacy experience is needed to help you prevent the re-identification of your users. AWS Clean Rooms Differential Privacy obfuscates the contribution of any individual’s data in generating aggregate insights in collaborations so that you can run a broad range of SQL queries to generate insights about advertising campaigns, investment decisions, clinical research, and more.

You can begin using AWS Clean Rooms Differential Privacy in just a few steps after starting or joining an AWS Clean Rooms collaboration as a member with abilities to contribute data. After you have created a configured table, which is a reference to your table in the AWS Glue Data Catalog, you simply choose to turn on differential privacy while adding a custom analysis rule to the configured table. Next, you associate the configured table to your AWS Clean Rooms collaboration and configure a differential privacy policy in the collaboration to make your table available for querying. You can use a default policy to quickly complete the setup or customize it to meet your specific requirements.

Once AWS Clean Rooms Differential Privacy is set up, your collaboration partner can start running queries on your table—without requiring any expertise in differential privacy concepts or additional setup from their partners. With AWS Clean Rooms Differential Privacy, query runners can run custom and flexible analyses including complex query patterns with common table expressions (CTEs) and commonly used aggregate functions such as COUNT and SUM.

Cryptographic computing is a method of protecting and encrypting sensitive data while it is in use. Data can be encrypted at rest when it is stored, in motion when it is transmitted, and when it is in use. Encryption means converting plaintext data to encoded data that cannot be deciphered without a specific "key." Private set intersection (PSI) is a type of cryptographic computing that allows two or more parties holding datasets to compare encrypted versions to perform computation. The encryption occurs on premises with the shared collaborator's secret key.

AWS Clean Rooms includes C3R, which provides the option to pre-encrypt data using a client-side encryption tool—an SDK or command line interface (CLI)—that uses a shared secret key with other participants in an AWS Clean Rooms collaboration. This encrypts data as queries are run.