AWS Clean Rooms FAQs

Q: What is AWS Clean Rooms?

AWS Clean Rooms is a new service that makes it easier for you and your partners to analyze and collaborate on your collective datasets to gain new insights, without sharing or copying one another’s underlying data or having to move it outside of AWS. You can use AWS Clean Rooms to create your own clean rooms in minutes, and start analyzing your collective datasets with just a few steps. From the AWS Management Console, you can choose the partners you want to collaborate with, select datasets, and configure restrictions for participants. With AWS Clean Rooms, you can easily collaborate with hundreds of thousands of companies already using AWS without needing to move data out of AWS or load it into another platform. When you run queries, AWS Clean Rooms reads data where it lives and applies built-in, flexible analysis rules to help you maintain control over your data. AWS Clean Rooms provides a broad set of privacy-enhancing controls for clean rooms—including query controls, query output restrictions, and query logging—that allow you to customize restrictions on the queries run by each clean room participant. AWS Clean Rooms also includes advanced cryptographic computing tools that keep data encrypted—even as queries are processed—to comply with stringent data-handling policies.

Q: What is a collaboration in AWS Clean Rooms?

A collaboration is a secure logical boundary in which members can perform SQL queries on configured tables. Only companies who have been invited to the collaboration can join the collaboration. Multiple participants can contribute data to a collaboration, and one member can query data and receive results.

Q: How do I get started with AWS Clean Rooms?

Using the AWS Management Console or API operations, you will create a clean room collaboration, invite the companies you want to collaborate with, and select one collaboration participant who can run the analysis within the collaboration. Each participant can then associate data to the collaboration from the AWS Glue Data Catalog and configure how the data will be used with analysis rules. Once all collaboration participants have associated data to the collaboration, the collaborator designated to run analysis can start querying the data subject to the constraints configured on the tables.

Q: How many members can be in a single collaboration?

AWS Clean Rooms supports up to five participants per collaboration.

Q: Who determines who has access to an AWS Clean Rooms collaboration?

You control who can participate in your AWS Clean Rooms collaboration, and can create a collaboration or join an invitation to collaborate. Participation is transparent to each party in a collaboration, and new accounts cannot be added after the collaboration is created. However, you can set up new collaborations with different customers or partners if needed. You establish and manage access to your content, and also set access to AWS services and resources through users, groups, permissions, and credentials that you control.

Q: Who can gain insights from an AWS Clean Rooms collaboration?

Multiple collaborators can contribute data, but only one collaborator can run queries and receive the results. When joining a collaboration, collaborators agree on which party will run the queries and receive the results, and only those who you invite to that collaboration can gain insights based on the analysis rules you establish.

Q: Does AWS Clean Rooms provide an identity resolution feature so that I can match my data with my partner’s data?

AWS Clean Rooms is identity-agnostic and allows you to match your user data with your partner’s data using any common key you choose to use (such as pseudonymized identifiers).

Q: In which Regions is AWS Clean Rooms available?

AWS Clean Rooms is available in US East (Ohio), US East (N. Virginia), US West (Oregon), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Frankfurt), Europe (Ireland), Europe (London), and Europe (Stockholm).

Q: How does AWS Clean Rooms help protect data?

With AWS Clean Rooms, you no longer need to store or maintain a copy of your data outside of your AWS environment and send to another party in order to conduct analysis for consumer insights, marketing measurement, forecasting, or risk assessment. AWS Clean Rooms helps you protect data by allowing you to restrict the kind of queries that can be run on your data tables through analysis rules configuration. AWS Clean Rooms will support two types of analysis rules: Aggregation and List. With the Aggregation analysis rule, you can configure your table such that only queries that generate aggregate statistics are allowed (such as campaign measurement or attribution). With the List analysis rule, you can configure your table such that queries can only analyze the intersection of your datasets with that of the member who can query. AWS Clean Rooms will also offer Cryptographic Computing for Clean Rooms (C3R), which is a tool that helps you keep sensitive data encrypted during your collaboration.

Q: How can I configure Analysis Rules?

In the analysis rules, you configure column-level controls that help you define how each column can be used in queries. For example, you can specify which columns can be used to calculate aggregate statistics (such as SUM(price)), and which columns can be used to join your table with other collaboration members. In the Aggregation Analysis Rule, you can also define a minimum aggregation threshold that each output row must meet. Rows that do not meet the minimum threshold are automatically filtered out by AWS Clean Rooms.

Q: What is cryptographic computing?

Cryptographic computing is a method of protecting and encrypting sensitive data while it is in use. Data can be encrypted at rest when it is stored, in motion when it is transmitted, and when it is in use. Encryption means converting plaintext data to encoded data that cannot be deciphered without a specific "key." Private Set Intersection (PSI) is a type of cryptographic computing that allows two or more parties holding datasets to compare encrypted versions in order to perform computation. The encryption occurs on premises with the shared collaborator's secret key.

Q: What is Cryptographic Computing for Clean Rooms?

AWS Clean Rooms includes Cryptographic Computing for Clean Rooms (C3R), which provides the option to pre-encrypt data using a client-side encryption tool—an SDK or command line interface (CLI)—that uses a shared secret key with other participants in an AWS Clean Rooms collaboration. This encrypts data as queries are run.

Q: Do I have to store my data in AWS Clean Rooms to be able to use it in a collaboration?

No. AWS Clean Rooms temporarily reads data directly from your designated Amazon Simple Storage Service (S3) location to run queries on behalf of the respective collaboration member. The output of the analysis is delivered to the Amazon S3 location designated by the member who can query.

Q: Can I see which queries are being run by the collaboration members on my data?

Yes. You will be able to configure AWS Clean Rooms to publish query logs in Amazon CloudWatch Logs.

Q: How do I remain compliant with applicable data privacy laws when using AWS Clean Rooms to collaborate with others?

AWS Clean Rooms encryption and analysis rules allow you to have granular control on the type of information you want to share. As a data collaborator, you are responsible for assessing the risk of each collaboration, including the risk of reidentification, and conducting your own additional due diligence to ensure compliance with any data privacy laws. If the data you are sharing is sensitive or regulated, we recommend you also use appropriate legal agreements and audit mechanisms to further reduce privacy risks.

Q: Are there any use restrictions for collaborations in AWS Clean Rooms?

Yes. The AWS Service Terms prohibit certain use cases for collaborations in AWS Clean Rooms.