Deep Dive into Amazon Bedrock Security Architecture (APS224)

Title: AWS re:Inforce 2024 - Deep dive into Amazon Bedrock security architecture (APS224)

Insights:

  • Amazon Bedrock Overview: Bedrock is a service designed to accelerate the development of generative AI applications, offering a serverless experience through a single API. It supports various foundational models for tasks like image generation, text creation, and code generation.
  • Security Management: Bedrock keeps model weights within AWS-managed infrastructure, so neither the weights nor customer data leave the AWS ecosystem. Access is controlled through AWS IAM credentials and permissions, and the service supports compliance frameworks including GDPR, HIPAA, PCI, and FedRAMP Moderate.
  • Data Protection: Customer data is not used to train foundational models and is not shared with model vendors. Data is encrypted in transit and at rest using Amazon KMS, and customers can use their own customer-managed keys.
  • Logging and Monitoring: Bedrock integrates with CloudWatch and CloudTrail for logging and monitoring, allowing customers to track token consumption, model usage, prompts, responses, and API usage.
  • Model Deployment: Bedrock offers two types of model deployments: on-demand compute for general API calls and provisioned capacity compute for specific customer needs, ensuring no inference requests are logged or used to train foundational models.
  • Fine-Tuning Models: Fine-tuning is done through SageMaker training jobs, adhering to customer-defined network controls, and the fine-tuned models are stored securely within AWS without writing back to customer S3 buckets.
  • Guardrails for Security: Guardrails for Amazon Bedrock filter both prompts and responses: they keep the model away from undesired topics, handle sensitive information, and help resist prompt injections and other prompt attacks. Topics are specified in natural language and combined with pre-built content filters.
  • Application-Level Security: The talk stresses securing prompts and responses at the application level to prevent toxic behavior and protect data privacy, using customizable filters for sensitive information and for specific words or phrases.
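
As an added illustration of the logging and monitoring point above (this is not code from the talk or from AWS): a small Python script that parses constructed Bedrock model invocation log records, aggregates token use per calling principal, and flags callers that exceed a budget. The record field names (schemaType, identity.arn, inputTokenCount, outputTokenCount) follow the shape of the documented invocation-log schema but are an assumption here, and the ARNs and model ID are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample lines in the shape of Bedrock model invocation log records
# as delivered to CloudWatch Logs (field names assumed; ARNs/model ID are placeholders).
def _rec(arn, prompt, tin, tout):
    """Build one constructed record in the invocation-log shape."""
    return json.dumps({"schemaType": "ModelInvocationLog", "operation": "InvokeModel",
                       "identity": {"arn": arn}, "modelId": "vendor.example-model-v1",
                       "input": {"inputTokenCount": tin, "inputBodyJson": {"prompt": prompt}},
                       "output": {"outputTokenCount": tout}})

SAMPLE_LOG_LINES = [
    _rec("arn:aws:iam::111122223333:role/chat-app", "Summarise our refund policy", 120, 80),
    _rec("arn:aws:iam::111122223333:role/batch-job", "Rewrite these 400 tickets", 4000, 6000),
    _rec("arn:aws:iam::111122223333:role/chat-app", "Translate this paragraph", 30, 10),
    '{"schemaType": "SomethingElse"}',  # unrelated record type, must be ignored
    "not json at all",                  # malformed line, must be ignored
]

def parse_invocation_logs(lines):
    """Return only well-formed ModelInvocationLog records, skipping junk lines."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and rec.get("schemaType") == "ModelInvocationLog":
            records.append(rec)
    return records

def token_usage_by_caller(records):
    """Aggregate call count and input/output tokens per calling IAM principal."""
    usage = defaultdict(lambda: {"calls": 0, "input": 0, "output": 0})
    for rec in records:
        arn = rec.get("identity", {}).get("arn", "unknown")
        usage[arn]["calls"] += 1
        usage[arn]["input"] += rec.get("input", {}).get("inputTokenCount", 0)
        usage[arn]["output"] += rec.get("output", {}).get("outputTokenCount", 0)
    return dict(usage)

def callers_over_budget(usage, max_total_tokens):
    """Principals whose combined input+output tokens exceed a per-window budget."""
    return sorted(arn for arn, u in usage.items()
                  if u["input"] + u["output"] > max_total_tokens)

def prompts_for_audit(records):
    """(caller ARN, prompt text) pairs for reviewing what end users send to the model."""
    return [(r["identity"]["arn"], r["input"]["inputBodyJson"].get("prompt", ""))
            for r in records]
```

In practice the lines would come from the CloudWatch log group that model invocation logging writes to, and the budget check would feed an alarm rather than a return value.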

Quotes:

  • "Bedrock is not a large language model. Bedrock is not a generative AI model. It's a service that we've designed to help customers accelerate the development of generative AI applications."
  • "None of the customer's data, so your data is actually used to train the underlying foundational models, and none of it is passed to any of the model vendors."
  • "We do not log any information, but I recommend that you as a customer do log your prompts, you do log your requests, largely for auditability and also seeing what your end users are using these models for."
  • "Guardrails for Amazon Bedrock is very natural language. How do we tell the underlying foundation models you should not do this."
  • "We noticed this became a really big problem for our customers. We also noticed that, hey, we don't want to be attacked, right? Prompt injections, prompt attacks, comments to manipulate the model or red team the model are very common."
  • "It's a fully managed service. So when you make this command, you're not actually telling us how much server capacity you need. You're really giving us the correct IAM permissions, making sure you've enabled that model within the model access."