AWS wellarchitected documentation change
Summary
Expanded monitoring guidance with Amazon SageMaker Lakehouse integration, added QuickSight BI tool reference, updated section headers, and added new documentation link for CloudTrail+Q integration
Security assessment
The changes enhance documentation about monitoring data access and security logging capabilities, but do not address a specific security vulnerability. The additions focus on improving visibility through existing AWS security tools (CloudTrail/CloudWatch) which is a security best practice.
Diff
diff --git a/wellarchitected/latest/generative-ai-lens/gensec03-bp01.md b/wellarchitected/latest/generative-ai-lens/gensec03-bp01.md index 4c82084fc..e033a5de7 100644 --- a//wellarchitected/latest/generative-ai-lens/gensec03-bp01.md +++ b//wellarchitected/latest/generative-ai-lens/gensec03-bp01.md @@ -19 +19 @@ Implement comprehensive monitoring across both control and data planes to enhanc -Monitoring at the control plane and data layers should track data access, as well as control plane API requests to the services in question. Most cloud-based systems publish these events over an event bus for capture, storage, and eventual analysis. +Monitoring at the control plane and data layers should track data access, as well as control plane API requests to the services in question. Most cloud-based systems publish these events over an event bus for capture, storage, and eventual analysis. These capabilities are considered normal within a modern data architecture. As data and AI workloads become more closely intertwined in your organization, solutions like Amazon SageMaker AI and its new Lakehouse capability help simplify the collection and capturing of data access requests by models, workloads, and users. Your organization AI policy document should define how data access requests are captured and monitored across your environment. @@ -21 +21 @@ Monitoring at the control plane and data layers should track data access, as wel -Consider AWS CloudTrail to record management and data events. Amazon Bedrock, Amazon Q Business, and other generative AI services integrate with CloudTrail and can be used to record control plane operations like custom model import and runtime operations like `invokeAgent`. Amazon CloudWatch can be configured to capture logs for generative AI applications as well. A combination of these AWS services or the use of a third-party logging solution, if needed, improves visibility into application security. +Consider AWS CloudTrail to record management and data events. Amazon Bedrock, Amazon Q Business, and other generative AI services integrate with CloudTrail and can be used to record control plane operations like custom model import and runtime operations like invokeAgent. Amazon CloudWatch can be configured to capture logs for generative AI applications as well. A combination of these AWS services or the use of a third-party logging solution, if needed, improves visibility into application security. CloudWatch and CloudTrail integrate well with other managed AWS services powered by data, such Quick Suite Q, a generative business intelligence (BI) tool. @@ -102 +102 @@ Consider AWS CloudTrail to record management and data events. Amazon Bedrock, Am -**Related practices:** +**Related best practices:** @@ -109 +109 @@ Consider AWS CloudTrail to record management and data events. Amazon Bedrock, Am -**Related guides, videos, and documentation:** +**Related documents:** @@ -119,0 +120,2 @@ Consider AWS CloudTrail to record management and data events. Amazon Bedrock, Am + * [Gain Insights with Natural Language Query into your AWS environment using Amazon CloudTrail and Amazon Q in QuickSight](https://aws.amazon.com/blogs/mt/gain-insights-with-natural-language-query-into-your-aws-environment-using-amazon-cloudtrail-and-amazon-q-in-quicksight/) +