reference deployment
Amazon SageMaker with Guardrails on AWS
Embark on your digital transformation journey
This Quick Start deployment of Amazon SageMaker adds guardrails so you can build, train, and deploy machine learning (ML) models in a more secure environment. Guardrails are high-level rules that provide ongoing governance for your overall AWS environment. AWS provides additional security by using AWS PrivateLink, Amazon CloudWatch, AWS Identity and Access Management (IAM), AWS Key Management Service (AWS KMS), and other native services.
Guardrails deploy within an AWS-managed virtual private cloud (VPC) and elastic network interfaces to provide security mechanisms and add-on features that are not provided with native SageMaker. They also provide more secure access to AWS services with VPC endpoint interfaces and Amazon Amazon Simple Storage Service (Amazon S3) bucket gateways within your own VPC.
This Quick Start was developed by Brillio in collaboration with AWS.
Brillio is an AWS Partner.
-
What you'll build
-
How to deploy
-
Cost and licenses
-
What you'll build
-
This Quick Start sets up the following:
- AWS Lambda function (SageMakerBuild) for validating the VPC Domain Name System (DNS) and provisioning SageMaker resources.
- AWS Service Catalog for triggering the SageMakerBuild function and passing parameters for creating resources.
- AWS Identity and Access Management (IAM) roles, including:
- User role for accessing and launching the Service Catalog.
- Service Catalog launch constraint role for providing permission to provision resources..
- SageMaker execution role for providing limited access to the SageMaker notebook as determined by policies.
- In the private resource subnet:
- Amazon SageMaker for running ML models and workflow.
- Amazon Elastic File System (Amazon EFS) for sharing common modules to SageMaker notebooks.
- In the private Elastic Network Interface (ENI) subnet, interface endpoints through which SageMaker communicates with the following AWS services:
- Amazon CloudWatch for real-time monitoring of the SageMaker environment.
- Amazon Elastic Container Registry (Amazon ECR) with ECR Policy for storing the latest ML model images for future deployments.
- AWS Security Token Service (AWS STS) for providing access to an IAM role to perform operations on other AWS services.
- Amazon S3 gateway endpoint to access the S3 bucket for storing and retrieving ML data and bucket policy for restricting bucket access.
- A dedicated S3 bucket used as a data store for training models and SageMaker model artifacts.
- AWS PrivateLink, Amazon CloudWatch, AWS IAM, AWS Key Management Service (AWS KMS), and other native services on AWS to provide enhanced security.
-
How to deploy
-
To deploy SageMaker with guardrails, follow the instructions in the deployment guide. The deployment process takes about 5 minutes and includes these steps:
- If you don't already have an AWS account, sign up at https://aws.amazon.com, and sign in to your account.
- Launch the Quick Start, choosing from the following options:
- Test the deployment.
Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.
-
Cost and licenses
-
You are responsible for the cost of the AWS services and any paid third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start.
The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.
Tip: After you deploy the Quick Start, you can enable the AWS Cost and Usage Report. This report delivers billing metrics to an S3 bucket in your account. It provides cost estimates based on usage throughout each month and finalizes the data at the end of the month. For more information about the report, see What are AWS Cost and Usage Reports?
