AWS wellarchitected medium security documentation change
Summary
Added detailed logging and monitoring guidance for SageMaker AI HyperPod environments including CloudTrail, CloudWatch, S3 storage, and security alerts. Enhanced traceability requirements for generative AI workloads with application identities and AI policy documentation.
Security assessment
The changes explicitly address security monitoring and incident detection through logging of API calls, resource access events, and suspicious activity alerts. Specific security controls like CloudTrail and Security Hub integration demonstrate concrete security improvements for detecting unauthorized access.
Diff
diff --git a/wellarchitected/latest/generative-ai-lens/gensec01-bp04.md b/wellarchitected/latest/generative-ai-lens/gensec01-bp04.md index 8d8cb69ee..026ab07e6 100644 --- a//wellarchitected/latest/generative-ai-lens/gensec01-bp04.md +++ b//wellarchitected/latest/generative-ai-lens/gensec01-bp04.md @@ -22,0 +23,8 @@ For additional controls, consider implementing guardrails to mask or remove sens +When using Amazon SageMaker AI HyperPod environments using Amazon EKS or Slurm, enable AWS CloudTrail to log API calls and resource access events related to SageMaker AI, EKS, and Slurm workloads. Configure Amazon CloudWatch Logs to capture detailed logs from training jobs, inference endpoints, and orchestration layers, and record user actions and model invocations. + +Set up centralized log storage in Amazon S3 or CloudWatch Logs for secure retention and analysis. Use CloudWatch Alarms or AWS Security Hub to automatically alert on suspicious or unauthorized activities, and regularly review logs to detect unusual patterns or potential security incidents. + +These strategies provide comprehensive traceability, help support compliance, and enable rapid detection and response to unauthorized access, fully aligning with AWS Well-Architected security best practices for generative AI workloads. + +Consider implementing access or query logging on data stores or generative business intelligence (BI) solutions. For traceability purposes, log both name of the generative AI application and the end-user making the request. Agentic workloads will require additional logging for each agent called. Generative AI workloads should be architected with application identities for traceability purposes. Consider recording these identities in your organization's AI policy document alongside other relevant security information such as workload owner or permission boundaries. + @@ -40 +48 @@ For additional controls, consider implementing guardrails to mask or remove sens -**Related practices:** +**Related best practices:** @@ -47 +55 @@ For additional controls, consider implementing guardrails to mask or remove sens -**Related guides, videos, and documentation:** +**Related documents:** @@ -61,0 +70,8 @@ For additional controls, consider implementing guardrails to mask or remove sens + * [Observability for SageMaker AI HyperPod Cluster Orchestrated by Amazon EKS](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-hyperpod-eks-cluster-observability.html) + + * [SageMaker AI HyperPod Cluster Resources Monitoring (Slurm)](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-hyperpod-cluster-observability-slurm.html) + + * [Logging Amazon SageMaker AI API Calls Using AWS CloudTrail](https://docs.aws.amazon.com/sagemaker/latest/dg/logging-using-cloudtrail.html) + + * [Amazon SageMaker AI HyperPod Now Integrates with Amazon EventBridge](https://aws.amazon.com/about-aws/whats-new/2025/05/amazon-sagemaker-hyperpod-integrates-amazon-eventbridge-status-change-events) +