AWS Clean Rooms Documentation

Multi-party (up to five data collaborators)

With AWS Clean Rooms, you can analyze data with up to four other parties in a single collaboration. You can generate insights from multiple companies without having to write code. You can create a clean room, invite companies you want to collaborate with, and select which participants can run analyses within the collaboration.

Collaboration without needing to maintain a copy of your data outside of your AWS environment

With AWS Clean Rooms, you can collaborate with other companies already using AWS without needing to maintain a copy of your data outside of your AWS environment or load it into another platform. Once you create or join a collaboration, you can configure your data tables from your AWS Glue Data Catalog. When you run queries in a collaboration, AWS Clean Rooms reads data from where it is stored and applies restrictions that help protect each participant’s underlying data. For each table, you can specify analysis rules. These rules help you restrict the type of SQL queries allowed on your data. You can also configure output constraints such as minimum aggregation thresholds.

Full programmatic access

In addition to the AWS Management Console, all AWS Clean Rooms functionality is accessible with an API. You will be able to use the AWS SDKs or command line interface (CLI) to automate AWS Clean Rooms operations, integrate Clean Rooms functionality within your existing workflows and products, or create your own version of a clean room offering for your customers.

Flexible SQL queries subject to analysis rules

Analysis rules are restrictions that give you control over how your data can be analyzed. Collaboration members who create or join a collaboration as designated query runners can write queries to intersect and analyze your data tables, subject to the analysis rules that you set. AWS Clean Rooms supports three types of analysis rules: list, aggregation, and custom.

Aggregation analysis rule: The aggregation analysis rule allows you to run queries that generate aggregate statistics, such as how large the intersection of two datasets is. When using the aggregation analysis rule, you can allow only aggregation queries to be run on your data and enforce restrictions on specific parts of the queries that run, such as which columns must be used only in a blind match and which columns can be used in aggregations such as sums, counts, or averages. You also control the minimum aggregation constraint in the output.

List analysis rule: The list analysis rule allows you to run queries that extract the row-level list of the intersection of multiple datasets, such as the overlap of two datasets. When using the list analysis rule, you can allow only list queries to be run on your data and enforce restrictions on the queries that run, such as which columns must be used only in a blind match and which columns can be returned as a list in the output.

Custom analysis rule: The custom analysis rule allows you to create custom queries using most of ANSI-standard SQL, such as common table expressions (CTE) and window functions, as well as review and allow queries prior to collaboration partners running them, and review other collaborators' queries before they are allowed to run on your tables. When using the custom analysis rule, you can use built-in controls to determine or limit, upfront, how your underlying data could be analyzed, instead of having to rely on query logs after analyses are complete. When you use custom SQL queries, you can also create or use analysis templates to store custom queries with parameters in the collaborations. This enables customers to help one another in a collaboration; for example, a member who has more SQL experience can create templates for other members to review and potentially run. It also facilitates reusable analyses in the collaboration.

Build queries without writing SQL code

With Analysis Builder, business users can get insights in a few easy steps, without having to write or understand SQL. You can follow steps in the guided user interface to build queries that follow the data restrictions each collaborator has set on their tables, based on auto-suggested criteria such as metrics, segments, and filters related to your collective datasets. Use Analysis Builder in collaborations that have one or two tables configured with either the aggregation or the list analysis rule.

Flexible minimum aggregation thresholds

Minimum aggregation constraints allow you to set conditions that an output row must meet to be returned. These constraints are in the form of COUNT DISTINCT (Column) >= Threshold. If an output row in the query result does not meet that constraint, it is redacted; this lets you enforce minimum aggregation thresholds while providing flexibility for data collaborators to write queries of their choice.
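
The constraint described above, shown as an added example that is not AWS code: a local SQLite simulation that drops aggregate output rows whose COUNT(DISTINCT user_id) falls below the threshold. The table names, column names, rows, and the run_with_threshold function are constructed for illustration, and the code models only the output-row check, not how the service enforces it.

```python
import sqlite3

# Constructed sample rows (not real data): one table per collaborator.
ADVERTISER = [("u1", "sports"), ("u2", "sports"), ("u3", "sports"),
              ("u4", "travel"), ("u5", "finance"), ("u6", "finance")]
PUBLISHER = [("u1", 3), ("u2", 5), ("u3", 1), ("u4", 7),
             ("u5", 2), ("u6", 4), ("u7", 9)]

# Aggregation over the intersection of both tables. The distinct-user count
# is computed per output row so the constraint can be checked against it.
QUERY = """
SELECT a.segment,
       SUM(p.impressions)        AS impressions,
       COUNT(DISTINCT a.user_id) AS distinct_users
FROM advertiser a
JOIN publisher p ON a.user_id = p.user_id
GROUP BY a.segment
ORDER BY a.segment
"""

def run_with_threshold(threshold):
    """Apply COUNT DISTINCT (user_id) >= threshold to each output row.

    Returns (released_rows, redacted_count). Released rows carry only the
    segment and the aggregate, not the distinct-user count itself.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE advertiser (user_id TEXT, segment TEXT)")
    db.execute("CREATE TABLE publisher (user_id TEXT, impressions INTEGER)")
    db.executemany("INSERT INTO advertiser VALUES (?, ?)", ADVERTISER)
    db.executemany("INSERT INTO publisher VALUES (?, ?)", PUBLISHER)
    released, redacted = [], 0
    for segment, impressions, distinct_users in db.execute(QUERY):
        if distinct_users >= threshold:
            released.append((segment, impressions))
        else:
            redacted += 1  # row describes too few individuals; withhold it
    db.close()
    return released, redacted

if __name__ == "__main__":
    for t in (1, 2, 3):
        print(f"threshold={t}:", run_with_threshold(t))
```

With a threshold of 2, the single-user "travel" row is withheld while the "finance" and "sports" aggregates are returned.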

Cryptographic computing

You can run AWS Clean Rooms queries on cryptographically protected data. If you have data handling policies that require encryption of sensitive data, you can pre-encrypt your data using a collaboration-specific, shared encryption key so that data is encrypted even when queries are run. Cryptographic computing means that data used in collaborative computations remains encrypted at rest, in transit, and in use (while being processed).

Cryptographic Computing for Clean Rooms (C3R) is an open-source Java SDK with a CLI, available on GitHub. This feature is available at no additional charge. If you have big data, you can review the documentation to see how C3R can be integrated into Apache Spark.

This feature is the latest of a broad range of AWS cryptographic computing tools built to help you meet your needs, while allowing you to take advantage of the flexibility and scalability that AWS offers.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.