Q: What is AWS Clean Rooms?
AWS Clean Rooms is a new service that makes it easier for you and your partners to analyze and collaborate on your collective datasets to gain new insights without revealing underlying data to one another. You can use AWS Clean Rooms to create your own clean rooms in minutes, and start analyzing your collective datasets with just a few steps. From the AWS Management Console, you can choose the partners you want to collaborate with, select datasets, and configure restrictions for participants. With AWS Clean Rooms, you can easily collaborate with hundreds of thousands of companies already using AWS without needing to move data out of AWS or load it into another platform. When you run queries, AWS Clean Rooms reads data where it lives and applies configurable and flexible analysis rules to help you maintain control over your data. AWS Clean Rooms provides a broad set of privacy-enhancing controls for clean rooms—including data access controls, query controls, query output restrictions, and query logging—that allow you to customize restrictions on the queries run by each clean room participant. AWS Clean Rooms also includes advanced cryptographic computing tools that keep data encrypted, even as queries are processed, to comply with stringent data-handling policies.
Q: What is a collaboration in AWS Clean Rooms?
A collaboration is a secure logical boundary in which members can perform SQL queries on configured tables. Only companies who have been invited to the collaboration can join the collaboration. Multiple participants can contribute data to a collaboration, and one member can query data and receive results.
Q: How do I get started with AWS Clean Rooms?
Using the AWS Management Console or API operations, you will create a clean room collaboration, invite the companies you want to collaborate with, and select one collaboration participant who can run the analysis within the collaboration. Each participant can then associate data to the collaboration from the AWS Glue Data Catalog and configure how the data will be used with analysis rules. Once all collaboration participants have associated data to the collaboration, the collaborator designated to run analysis can start querying the data subject to the constraints configured on the tables.
Q: How many members can be in a single collaboration?
AWS Clean Rooms supports up to five participants per collaboration.
Q: Who determines who has access to an AWS Clean Rooms collaboration?
You control who can participate in your AWS Clean Rooms collaboration, and can create a collaboration or join an invitation to collaborate. Participation is transparent to each party in a collaboration, and new accounts cannot be added after the collaboration is created. However, you can set up new collaborations with different customers or partners if needed. You establish and manage access to your content, and also set access to AWS services and resources through users, groups, permissions, and credentials that you control.
Q: Who can gain insights from an AWS Clean Rooms collaboration?
Multiple collaborators can contribute data, but only one collaborator can run queries and receive the results. When joining a collaboration, collaborators agree on which party will run the queries and receive the results, and only those who you invite to that collaboration can gain insights based on the analysis rules you establish.
Q: Does AWS Clean Rooms provide an identity resolution feature so that I can match my data with my partner’s data?
AWS Clean Rooms is identity-agnostic and allows you to match your user data with your partner’s data using any common key you choose to use (such as pseudonymized identifiers).
Q: In which Regions is AWS Clean Rooms available?
AWS Clean Rooms is available in US East (Ohio), US East (N. Virginia), US West (Oregon), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Frankfurt), Europe (Ireland), Europe (London), and Europe (Stockholm).
Security and data protection
Q: How does AWS Clean Rooms help protect data?
With AWS Clean Rooms, you no longer need to store or maintain a copy of your data outside of your AWS environment and send it to another party in order to conduct analysis for consumer insights, marketing measurement, forecasting, or risk assessment. AWS Clean Rooms helps you protect data by allowing you to restrict the kind of queries or specific queries that can be run on your data tables through analysis rules configuration. AWS Clean Rooms supports three types of analysis rules: aggregation, list, and custom. With the aggregation analysis rule, you can configure your table such that only queries that generate aggregate statistics are allowed (such as campaign measurement or attribution). With the list analysis rule, you can configure controls such that queries can only analyze the intersection of your datasets with that of the member who can query. With the custom analysis rule, you can configure query-level controls to allow specific accounts or queries to be run on your dataset. AWS Clean Rooms will also offer Cryptographic Computing for Clean Rooms (C3R), which is a tool that helps you keep sensitive data encrypted during your collaboration.
Q: How can I configure Analysis Rules?
In the aggregation and list analysis rules, you configure query controls that help you define how each column can be used in queries. You specify which columns can be used to filter, such as using a WHERE clause, and which columns can be used to join your table with other collaboration members. In the aggregation analysis rule, you can also define a minimum aggregation threshold that each output row must meet. Rows that do not meet the minimum threshold are automatically filtered out by AWS Clean Rooms. With the custom analysis rule, you configure query controls to define what queries can run on your dataset. You can choose to allow only specific queries, stored in analysis templates, that you have reviewed. Alternatively, you can choose to specify collaborators whose queries will then be allowed without review.
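The effect of the aggregation rule's column controls and minimum threshold can be seen in a small model. This is an added example, not AWS code and not the AWS Clean Rooms API: the rule fields, function name and sample rows are all hypothetical, and treating the filter columns as also usable for grouping is an assumption.

```python
from collections import defaultdict

# Hypothetical, simplified model of an aggregation analysis rule. Field and
# function names are illustrative and are not the AWS Clean Rooms API.
RULE = {
    "join_columns": {"hashed_id"},      # columns allowed in JOIN
    "filter_columns": {"segment"},      # columns allowed in WHERE / GROUP BY (assumption)
    "min_distinct_ids": 3,              # minimum aggregation threshold
}

# Constructed sample data: the data owner's table and the querying member's IDs.
OWNER_ROWS = [
    {"hashed_id": "u1", "segment": "sports"},
    {"hashed_id": "u2", "segment": "sports"},
    {"hashed_id": "u3", "segment": "sports"},
    {"hashed_id": "u1", "segment": "sports"},   # duplicate row, same person
    {"hashed_id": "u4", "segment": "travel"},
    {"hashed_id": "u5", "segment": "travel"},
    {"hashed_id": "u6", "segment": "finance"},
]
QUERIER_IDS = {"u1", "u2", "u3", "u4", "u6", "u9"}


def run_aggregate(rule, owner_rows, querier_ids, join_col, group_col):
    """COUNT(DISTINCT join_col) per group_col over the overlap, under the rule."""
    if join_col not in rule["join_columns"]:
        raise PermissionError(f"column {join_col!r} may not be used to join")
    if group_col not in rule["filter_columns"]:
        raise PermissionError(f"column {group_col!r} may not be used to filter or group")

    groups = defaultdict(set)
    for row in owner_rows:
        if row[join_col] in querier_ids:          # inner join on the allowed key
            groups[row[group_col]].add(row[join_col])

    # Output rows below the threshold are dropped, not rounded or flagged.
    return {g: len(ids) for g, ids in groups.items()
            if len(ids) >= rule["min_distinct_ids"]}


if __name__ == "__main__":
    print(run_aggregate(RULE, OWNER_ROWS, QUERIER_IDS, "hashed_id", "segment"))
```

With the threshold at 3, the "travel" and "finance" rows, each of which would describe a single overlapping individual, never reach the querying member.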
Q: What is cryptographic computing?
Cryptographic computing is a method of protecting and encrypting sensitive data while it is in use. Data can be encrypted at rest when it is stored, in motion when it is transmitted, and when it is in use. Encryption means converting plaintext data to encoded data that cannot be deciphered without a specific "key." Private Set Intersection (PSI) is a type of cryptographic computing that allows two or more parties holding datasets to compare encrypted versions in order to perform computation. The encryption occurs on premises with the shared collaborator's secret key.
Q: What is Cryptographic Computing for Clean Rooms?
AWS Clean Rooms includes Cryptographic Computing for Clean Rooms (C3R), which provides the option to pre-encrypt data using a client-side encryption tool—an SDK or command line interface (CLI)—that uses a shared secret key with other participants in an AWS Clean Rooms collaboration. This encrypts data as queries are run.
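The idea of pre-encrypting a join key on the client under a secret shared by the collaborators can be illustrated as follows. This is an added example, not the C3R tool, its algorithm or its file format: it uses HMAC-SHA256 as a stand-in for keyed protection of a match column, and the key, function names and e-mail addresses are constructed for the illustration.

```python
import hashlib
import hmac
import unicodedata

# Constructed placeholder key. A real shared secret would come from a CSPRNG
# and be exchanged between collaborators out of band.
SHARED_KEY = bytes(range(32))

# Constructed sample identifiers held by two collaborators.
PARTY_A = ["alice@example.com", "Bob@Example.com ", "carol@example.com"]
PARTY_B = ["bob@example.com", "carol@example.com", "dave@example.com"]


def normalize(identifier: str) -> bytes:
    """Canonicalise before keying; otherwise case or whitespace breaks the match."""
    return unicodedata.normalize("NFKC", identifier).strip().lower().encode("utf-8")


def join_token(shared_key: bytes, identifier: str) -> str:
    """Keyed, deterministic token: equal inputs under the same key still join."""
    return hmac.new(shared_key, normalize(identifier), hashlib.sha256).hexdigest()


def protect(shared_key: bytes, identifiers) -> set:
    """What a party would upload instead of the plaintext column."""
    return {join_token(shared_key, i) for i in identifiers}


def overlap_size(key_a: bytes, key_b: bytes) -> int:
    """Size of the intersection computed on tokens only, never on plaintext."""
    return len(protect(key_a, PARTY_A) & protect(key_b, PARTY_B))


if __name__ == "__main__":
    print("same key:     ", overlap_size(SHARED_KEY, SHARED_KEY))
    print("different key:", overlap_size(SHARED_KEY, b"\x01" * 32))
```

Parties that key with different secrets get no matches at all, which is why every data contributor in a collaboration must use the same shared key.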
Q: Do I have to store my data in AWS Clean Rooms to be able to use it in a collaboration?
No. AWS Clean Rooms temporarily reads data directly from your designated Amazon Simple Storage Service (S3) location to run queries on behalf of the respective collaboration member. The output of the analysis is delivered to the Amazon S3 location designated by the member who can query.
Q: Can I see which queries are being run by the collaboration members on my data?
Yes. You will be able to configure AWS Clean Rooms to publish query logs in Amazon CloudWatch Logs. With the custom analysis rule, you can also review queries (stored in Analysis Templates) before they run in the collaboration.
Q: How do I remain compliant with applicable data privacy laws when using AWS Clean Rooms to collaborate with others?
AWS Clean Rooms encryption and analysis rules allow you to have granular control on the type of information you want to share. As a data collaborator, you are responsible for assessing the risk of each collaboration, including the risk of reidentification, and conducting your own additional due diligence to ensure compliance with any data privacy laws. If the data you are sharing is sensitive or regulated, we recommend you also use appropriate legal agreements and audit mechanisms to further reduce privacy risks.
Q: Are there any use restrictions for collaborations in AWS Clean Rooms?
Yes. The AWS Service Terms prohibit certain use cases for collaborations in AWS Clean Rooms.
Q: Is AWS Clean Rooms HIPAA eligible?
Yes, the AWS HIPAA compliance program includes AWS Clean Rooms as a HIPAA eligible Service. If you have an executed Business Associate Agreement (BAA) with AWS, you can now use AWS Clean Rooms to create HIPAA-compliant collaborations. If you don't have a BAA or have other questions about using AWS for your HIPAA-compliant applications, contact us for more information.