AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-02-25 · Documentation low

File: prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-rag.md

Summary

Refactored documentation from RAG (Retrieval Augmented Generation) security to model customization security. Added guidance on securing model training jobs, data protection for custom models, VPC configurations, and threat mitigation for data/model poisoning.

Security assessment

The changes shift focus from RAG security to model customization security, introducing new sections on encryption for training jobs, network isolation via VPC, canary detection for data leakage, and Safetensors format for secure model imports. While these are security enhancements, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-rag.md b/prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-rag.md
index ec6a518af..4e6309a03 100644
--- a//prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-rag.md
+++ b//prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-rag.md
@@ -3 +3 @@
-[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture (AWS SRA) – generative AI](introduction.html)
+[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture (AWS SRA) – AI security](introduction.html)
@@ -7 +7 @@ RationaleSecurity considerationsRemediationsRecommended AWS services
-# Capability 2. Providing secure access, usage, and implementation to generative AI RAG techniques
+# Capability 2. Providing secure access, usage, and implementation for generative AI model customization
@@ -9 +9 @@ RationaleSecurity considerationsRemediationsRecommended AWS services
-The following diagram illustrates the AWS services recommended for the Generative AI account for retrieval augmented generation (RAG) capability. The scope of this scenario is to secure RAG functionality.
+The scope of this scenario is to secure model customization. This use case focuses on securing the resources and training environment for a model customization job as well as securing the invocation of a custom model. The following diagram illustrates the AWS services recommended for the Generative AI account for this capability.
@@ -11 +11 @@ The following diagram illustrates the AWS services recommended for the Generativ
-![AWS services recommended for the Generative AI account for RAG functionality.](/images/prescriptive-guidance/latest/security-reference-architecture-generative-ai/images/rag.png)
+![AWS services recommended for model customization.](/images/prescriptive-guidance/latest/security-reference-architecture-generative-ai/images/model-customization.png)
@@ -13 +13 @@ The following diagram illustrates the AWS services recommended for the Generativ
-The Generative AI account includes services that are required for storing embeddings in a vector database, storing conversations for users, and maintaining a prompt store along with a suite of required security services to implement security guardrails and centralized security governance. You should create Amazon S3 gateway endpoints for the model invocation logs, prompt store, and knowledge base data source buckets in Amazon S3 that the VPC environment is configured to access. You should also create a CloudWatch Logs gateway endpoint for the CloudWatch logs that the VPC environment is configured to access.
+The Generative AI account includes services required for customizing a model along with a suite of required security services to implement security guardrails and centralized security governance. To allow for private model customization, you should create Amazon S3 gateway endpoints for the training data and evaluation Amazon S3 buckets that a private VPC environment is configured to access. 
@@ -17 +17 @@ The Generative AI account includes services that are required for storing embedd
-[Retrieval Augmented Generation (RAG)](https://aws.amazon.com/what-is/retrieval-augmented-generation/) is a generative AI technique used where a system enhances its responses by retrieving information from an external, authoritative knowledge base before generating an answer. This process helps overcome the limitations of FMs by giving them access to up-to-date and context-specific data, which improves the accuracy and relevance of the generated responses. This use case refers to Scope 3 of the [Generative AI Security Scoping Matrix](https://aws.amazon.com/blogs/security/securing-generative-ai-an-introduction-to-the-generative-ai-security-scoping-matrix/). In Scope 3, your organization builds a generative AI application by using a pre-trained FM such as those offered in Amazon Bedrock. In this scope, you control your application and any customer data used by your application, whereas the FM provider controls the pre-trained model and its training data. 
+[Model customization](https://docs.aws.amazon.com/bedrock/latest/userguide/custom-models.html) improves foundation model (FM) performance for specific use cases by providing training data. Amazon Bedrock offers two customization methods: 
@@ -19 +19 @@ The Generative AI account includes services that are required for storing embedd
-When you give users access to Amazon Bedrock knowledge bases, you should address these key security considerations: 
+  * Continued pre-training with unlabeled data to enhance domain knowledge 
@@ -21 +21 @@ When you give users access to Amazon Bedrock knowledge bases, you should address
-  * Secure access to the model invocation, knowledge bases, conversation history, and prompt store 
+  * Fine-tuning with labeled data to optimize task-specific performance
@@ -23 +22,0 @@ When you give users access to Amazon Bedrock knowledge bases, you should address
-  * Encryption of conversations, prompt store, and knowledge bases
@@ -25 +23,0 @@ When you give users access to Amazon Bedrock knowledge bases, you should address
-  * Alerts for potential security risks such as prompt injection or sensitive information disclosure
@@ -27,0 +26 @@ When you give users access to Amazon Bedrock knowledge bases, you should address
+Customized models require [Provisioned Throughput](https://docs.aws.amazon.com/bedrock/latest/userguide/prov-throughput.html) for inference.
@@ -28,0 +28 @@ When you give users access to Amazon Bedrock knowledge bases, you should address
+This capability addresses the following scenarios from the [Generative AI Security Scoping Matrix](https://aws.amazon.com/blogs/security/securing-generative-ai-an-introduction-to-the-generative-ai-security-scoping-matrix/):
@@ -30 +30 @@ When you give users access to Amazon Bedrock knowledge bases, you should address
-The next section discusses these security considerations and generative AI functionality. 
+  * **Scope 4 - Model customization** – You customize an FM (from [Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-bedrock.html) or [Amazon SageMaker Jumpstart](https://docs.aws.amazon.com/sagemaker/latest/dg/studio-jumpstart.html)) with your data to improve performance for specific tasks or domains. You control the application, customer data, training data, and customized model. The FM provider controls the pre-trained model and its training data.
@@ -32 +32 @@ The next section discusses these security considerations and generative AI funct
-###### Design considerations
+  * **Scope 5 - Model training from scratch** – You train a model from scratch using datasets you provide. You control the training data, model algorithm, training infrastructure, application, customer data, and related infrastructure.
@@ -34 +33,0 @@ The next section discusses these security considerations and generative AI funct
-We recommend that you avoid customizing an FM with sensitive data (see the section on [generative AI model customization](./gen-ai-customization.html) later in this guide). Instead, use the RAG technique to interact with sensitive information. This method offers several advantages: 
@@ -36 +34,0 @@ We recommend that you avoid customizing an FM with sensitive data (see the secti
-  * Tighter control and visibility. By keeping sensitive data separate from the model, you can exercise greater control and visibility over the sensitive information. The data can be easily edited, updated, or removed as needed, which helps ensure better data governance. 
@@ -38 +35,0 @@ We recommend that you avoid customizing an FM with sensitive data (see the secti
-  * Mitigating sensitive information disclosure. RAG allows for more controlled interactions with sensitive data during model invocation. This helps reduce the risk of unintended disclosure of sensitive information, which could occur if the data were directly incorporated into the model's parameters. 
@@ -40 +37 @@ We recommend that you avoid customizing an FM with sensitive data (see the secti
-  * Flexibility and adaptability. Separating sensitive data from the model provides greater flexibility and adaptability. As data requirements or regulations change, the sensitive information can be updated or modified without the need to retrain or rebuild the entire language model.
+Beyond customizing models within Amazon Bedrock, you can use the [Custom Model Import](https://docs.aws.amazon.com/bedrock/latest/userguide/model-customization-import-model.html) feature to import models customized in other environments, such as Amazon SageMaker AI. Use [Safetensors](https://huggingface.co/docs/safetensors/en/index) for the imported model serialization format. Unlike `pickle`, Safetensors stores only tensor data, not arbitrary Python objects. This approach eliminates vulnerabilities from unpickling untrusted data because Safetensors can't execute code.
@@ -41,0 +39 @@ We recommend that you avoid customizing an FM with sensitive data (see the secti
+To detect potential training data leakage, introduce canaries into your training data. Canaries are unique, identifiable strings that should never appear in model outputs. Configure prompt logging to alert when these canaries are detected, indicating the model may be memorizing and reproducing training data inappropriately.
@@ -42,0 +41 @@ We recommend that you avoid customizing an FM with sensitive data (see the secti
+### Amazon Bedrock model customization
@@ -43,0 +43 @@ We recommend that you avoid customizing an FM with sensitive data (see the secti
+You can privately and securely customize FMs with your own data in Amazon Bedrock to build applications specific to your domain, organization, and use case. Fine-tuning increases model accuracy by providing your own task-specific, labeled training dataset to further specialize FMs. Continued pre-training trains models using your own unlabeled data in a secure and managed environment with customer managed keys. For more information, see [Customize your model to improve its performance for your use case](https://docs.aws.amazon.com/bedrock/latest/userguide/custom-models.html) in the Amazon Bedrock documentation.
@@ -45 +45 @@ We recommend that you avoid customizing an FM with sensitive data (see the secti
-### Amazon Bedrock knowledge bases
+### Model training or fine-tuning with SageMaker AI
@@ -47 +47 @@ We recommend that you avoid customizing an FM with sensitive data (see the secti
-You can use [Amazon Bedrock Knowledge Bases](https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base.html) to build RAG applications by connecting FMs with your own data sources securely and efficiently. This feature uses Amazon OpenSearch Serverless as a vector store to retrieve relevant information from your data efficiently. The data is then used by the FM to generate responses. Your data is synchronized from Amazon S3 to the knowledge base, and [embeddings](https://aws.amazon.com/what-is/embeddings-in-machine-learning/) are generated for efficient retrieval.
+You can train new models or fine-tune existing models by using [Amazon SageMaker AI training jobs](https://docs.aws.amazon.com/sagemaker/latest/dg/how-it-works-training.html). This solution creates models customized for your business needs while maintaining control of all resources, including Amazon Elastic Compute Cloud (Amazon EC2) instances, training code, and training infrastructure.
@@ -51 +51 @@ You can use [Amazon Bedrock Knowledge Bases](https://docs.aws.amazon.com/bedrock
-Generative AI RAG workloads face unique risks, including data exfiltration of RAG data sources and poisoning of RAG data sources with prompt injections or malware by threat actors. Amazon Bedrock Knowledge Bases offer robust security controls for data protection, access control, network security, logging and monitoring, and input/output validation that can help mitigate these risks. 
+Model customization creates artifacts, including the model and its weights, that are used in production workloads. This stage faces the following threats:
@@ -53,5 +53 @@ Generative AI RAG workloads face unique risks, including data exfiltration of RA
-## Remediations
-
-### Data protection
-
-Encrypt your knowledge base data in transit and at rest by using an AWS KMS customer managed key that you create, own, and manage. When you configure a data ingestion job for your knowledge base, encrypt the job with a customer managed key. If you opt to let Amazon Bedrock create a vector store in Amazon OpenSearch Service for your knowledge base, Amazon Bedrock can pass an AWS KMS key of your choice to Amazon OpenSearch Service for encryption.
+  * **Data and model poisoning** – A threat actor injects malicious data to alter model behavior, introducing bias and causing unintended outputs.
@@ -59 +55 @@ Encrypt your knowledge base data in transit and at rest by using an AWS KMS cust
-You can encrypt sessions in which you generate responses from querying a knowledge base with an AWS KMS key. You store the data sources for your knowledge base in your S3 bucket. If you encrypt your data sources in Amazon S3 with a customer managed key, attach a policy to your [knowledge base service role](https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html). If the vector store that contains your knowledge base is configured with an AWS Secrets Manager secret, encrypt the secret with a customer managed key.
+  * **Sensitive information disclosure** – A model trained on datasets containing personally identifiable information (PII) leaks sensitive information during inference.
@@ -61 +56,0 @@ You can encrypt sessions in which you generate responses from querying a knowled
-For more information and the policies to use, see [Encryption of knowledge base resources](https://docs.aws.amazon.com/bedrock/latest/userguide/encryption-kb.html) in the Amazon Bedrock documentation.
@@ -63,3 +57,0 @@ For more information and the policies to use, see [Encryption of knowledge base
-### Identity and access management
-
-Create a custom service role for knowledge bases for Amazon Bedrock by following the principle of least privilege. Create a trust relationship that allows Amazon Bedrock to assume this role, and create and manage knowledge bases. Attach the following identity policies to the custom knowledge base service role: 
@@ -67 +58,0 @@ Create a custom service role for knowledge bases for Amazon Bedrock by following
-  * Permissions to [access Amazon Bedrock models](https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html#kb-permissions-access-models)
@@ -69 +60 @@ Create a custom service role for knowledge bases for Amazon Bedrock by following
-  * Permissions to[ access your data sources in Amazon S3](https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html#kb-permissions-access-ds)
+SageMaker AI and Amazon Bedrock provide features that mitigate these risks, including data protection, access control, network security, logging, and monitoring.
@@ -71 +62 @@ Create a custom service role for knowledge bases for Amazon Bedrock by following
-  * Permissions to [access your vector database in OpenSearch Service](https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html#kb-permissions-oss)
+## Remediations
@@ -73 +64 @@ Create a custom service role for knowledge bases for Amazon Bedrock by following
-  * Permissions to [access your Amazon Aurora database cluster ](https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html#kb-permissions-rds)(optional)
+This section reviews the AWS services and features that address the risks that are specific to this capability.
@@ -75 +66 @@ Create a custom service role for knowledge bases for Amazon Bedrock by following
-  * Permissions to[ access a vector database that's configured with a Secrets Manager secret ](https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html#kb-permissions-secret)(optional)
+### Data protection
@@ -77 +68 @@ Create a custom service role for knowledge bases for Amazon Bedrock by following
-  * Permissions for AWS to [manage an AWS KMS key for transient data storage during data ingestion](https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html#kb-permissions-kms-ingestion)
+Encrypt the model customization job, output files (training and validation metrics), and resulting custom model. For this encryption, use an AWS Key Management Service (AWS KMS) [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html) that you create, own, and manage. 
@@ -79 +70 @@ Create a custom service role for knowledge bases for Amazon Bedrock by following
-  * Permissions to [chat with your document](https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html#kb-permissions-chatdoc)
+When you use Amazon Bedrock to run a model customization job, you store the input files (training and validation data) in your Amazon S3 bucket. When the job is completed, Amazon Bedrock stores the output metrics files in the S3 bucket that you specified when you created the job. Amazon Bedrock stores the resulting custom model artifacts in an S3 bucket controlled by AWS. By default, input and output files are encrypted with [Amazon S3 SSE-S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html) server-side encryption using an AWS managed key. You can choose to [encrypt these files](https://docs.aws.amazon.com/bedrock/latest/userguide/encryption-custom-job.html) with a customer managed key.
@@ -81 +72 @@ Create a custom service role for knowledge bases for Amazon Bedrock by following
-  * Permissions for AWS to [manage a data source from another user's AWS account](https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html#kb-permissions-otherds) (optional). 
+### Identity and access management
@@ -82,0 +74 @@ Create a custom service role for knowledge bases for Amazon Bedrock by following
+Create a custom AWS Identity and Access Management (IAM) service role for model customization or model import that follows the [principle of least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege). 
@@ -83,0 +76 @@ Create a custom service role for knowledge bases for Amazon Bedrock by following
+To create a service role for model customization, follow the [instructions](https://docs.aws.amazon.com/bedrock/latest/userguide/model-customization-iam-role.html) in the Amazon Bedrock documentation.
@@ -84,0 +78 @@ Create a custom service role for knowledge bases for Amazon Bedrock by following
+To create a service role for importing pre-trained models, follow the [instructions](https://docs.aws.amazon.com/bedrock/latest/userguide/model-import-iam-role.html) in the Amazon Bedrock documentation. 
@@ -86 +80 @@ Create a custom service role for knowledge bases for Amazon Bedrock by following
-Knowledge bases support security configurations to set up data access policies for your knowledge base and network access policies for your private Amazon OpenSearch Serverless knowledge base. For more information, see [Create a knowledge base](https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base-create.html) and [Service roles](https://docs.aws.amazon.com/bedrock/latest/userguide/security-iam-sr.html) in the Amazon Bedrock documentation.
+### Network security
@@ -88 +82 @@ Knowledge bases support security configurations to set up data access policies f
-### Input and output validation
+[Use a VPC](https://docs.aws.amazon.com/bedrock/latest/userguide/custom-model-job-access-security.html#vpc-model-customization:~:text=Protect%20your%20model%20customization%20jobs%20using%20a%20VPC) with Amazon Virtual Private Cloud (Amazon VPC) to control access to your data. When you create your VPC, use the default DNS settings for your endpoint route table so that standard Amazon S3 URLs resolve.
@@ -90 +84 @@ Knowledge bases support security configurations to set up data access policies f
-Input validation is crucial for Amazon Bedrock knowledge bases. Use malware protection in Amazon S3 to scan files for malicious content before uploading them to a data source. For more information, see the AWS blog post [Integrating malware scanning into your data ingestion pipeline with antivirus for Amazon S3](https://aws.amazon.com/blogs/apn/integrating-malware-scanning-into-your-data-ingestion-pipeline-with-antivirus-for-amazon-s3/).
+If you configure your VPC with no internet access, create an [Amazon S3 VPC endpoint](https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html). Use this VPC endpoint to allow your model customization jobs to access the S3 buckets that store your training and validation data and model artifacts.
@@ -92 +86 @@ Input validation is crucial for Amazon Bedrock knowledge bases. Use malware prot
-Identify and filter out potential prompt injections in user uploads to knowledge base data sources. Additionally, detect and redact personally identifiable information (PII) as another input validation control in your data ingestion pipeline. Amazon Comprehend can help detect and redact PII data in user uploads to knowledge base data sources. For more information, see [Detecting PII entities](https://docs.aws.amazon.com/comprehend/latest/dg/how-pii.html) in the Amazon Comprehend documentation.
+For SageMaker AI, configure the training job with a [VPC configuration](https://docs.aws.amazon.com/sagemaker/latest/dg/train-vpc.html), including private subnets and security groups that restrict both inbound and outbound traffic. This approach helps to ensure that Amazon EC2 instances can only access the resources that you define. Combined with Amazon S3 VPC endpoints, this approach helps to ensure that EC2 instances only access specified S3 buckets.
@@ -94 +88 @@ Identify and filter out potential prompt injections in user uploads to knowledge
-We also recommend that you use Amazon Macie to detect and generate alerts on potential sensitive data in the knowledge base data sources, to enhance overall security and compliance. Implement [Amazon Bedrock Guardrails](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html) to help enforce content policies, block unsafe inputs/outputs, and help control model behavior based on your requirements.
+After you set up your VPC and endpoint, attach permissions to your [model customization IAM role](https://docs.aws.amazon.com/bedrock/latest/userguide/custom-model-job-access-security.html). After you configure the VPC and required roles and permissions, you can create a [model customization job](https://docs.aws.amazon.com/bedrock/latest/userguide/custom-model-job-access-security.html#:~:text=Protect%20your%20model%20customization%20jobs%20using%20a%20VPC) that uses this VPC. By creating a VPC with no internet access and an associated Amazon S3 VPC endpoint for training data, you can run your model customization job with private connectivity without internet exposure. 
@@ -98,3 +92 @@ We also recommend that you use Amazon Macie to detect and generate alerts on pot
-### Amazon OpenSearch Serverless
-
-[Amazon OpenSearch Serverless](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless.html) is an on-demand, auto-scaling configuration for Amazon OpenSearch Service. An OpenSearch Serverless collection is an OpenSearch cluster that scales compute capacity based on your application's needs. Amazon Bedrock knowledge bases use Amazon OpenSearch Serverless for [embeddings](https://aws.amazon.com/what-is/embeddings-in-machine-learning/) and Amazon S3 for the [data sources](https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base-ds.html) that [sync](https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base-ingest.html) with the OpenSearch Serverless [vector index](https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base-setup.html). 
+This section discusses the AWS services that are recommended to build this capability securely. In addition to the services in this section, use Amazon OpenSearch Service and Amazon Comprehend as discussed in [Capability 3](./gen-ai-agents.html).
@@ -102 +94 @@ We also recommend that you use Amazon Macie to detect and generate alerts on pot
-Implement strong [authentication and authorization](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/security-iam-serverless.html) for your OpenSearch Serverless vector store. Implement the principle of least privilege, which grants only the necessary permissions to users and roles. 
+### Amazon S3
@@ -104 +96 @@ Implement strong [authentication and authorization](https://docs.aws.amazon.com/
-With[ data access control](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-data-access.html) in OpenSearch Serverless, you can allow users to access collections and indexes regardless of their access mechanisms or network sources. You manage access permissions through data access policies, which apply to collections and index resources. When you use this pattern, verify that the application [propagates the identity](https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation.html) of the user to the knowledge base, and the knowledge base enforces your role or attribute-based access controls. This is achieved by configuring the[ knowledge Base service role](https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html) with the [principle of least privilege](https://docs.aws.amazon.com/wellarchitected/latest/framework/sec_permissions_least_privileges.html#:~:text=The%20principle%20of%20least%20privilege,usability%2C%20efficiency%2C%20and%20security.) and controlling access to the role tightly. 
+When you run a model customization job, the job accesses your Amazon S3 bucket to download input data and upload job metrics. You can choose fine-tuning or continued pre-training as the model type when you submit your [model customization job](https://docs.aws.amazon.com/bedrock/latest/userguide/model-customization-submit.html) on the Amazon Bedrock console or API. After a model customization job completes, [analyze the training process results](https://docs.aws.amazon.com/bedrock/latest/userguide/model-customization-analyze.html). To do this, you can view the files in the output S3 bucket that you specified when you submitted the job or view details about the model.
@@ -106 +98 @@ With[ data access control](https://docs.aws.amazon.com/opensearch-service/latest
-OpenSearch Serverless supports [server-side encryption](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-encryption.html) with AWS KMS to protect data at rest. Use a customer managed key to encrypt that data. To allow the creation of an AWS KMS key for transient data storage in the process of ingesting your data source, attach a[ policy ](https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html#kb-permissions-kms-ingestion)to your knowledge bases for the Amazon Bedrock service role. 
+[Encrypt](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html) both buckets with a customer managed key. Use Amazon S3 Object Lock or versioning to ensure data integrity. For additional network security hardening, create a [gateway endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html) for the S3 buckets that the VPC environment accesses. [Log and monitor](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html) all access. Use [resource-based policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) to control access to your Amazon S3 files.
@@ -108 +100 @@ OpenSearch Serverless supports [server-side encryption](https://docs.aws.amazon.
-[Private access](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-network.html) can apply to one or both of the following: OpenSearch Serverless-managed VPC endpoints and supported AWS services such as Amazon Bedrock. Use [AWS PrivateLink](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-vpc.html) to create a private connection between your VPC and OpenSearch Serverless endpoint services. Use [network policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-network.html#serverless-network-policies) rules to specify Amazon Bedrock access.
+### Amazon Macie
@@ -110 +102 @@ OpenSearch Serverless supports [server-side encryption](https://docs.aws.amazon.
-Monitor OpenSearch Serverless by [using Amazon CloudWatch](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/monitoring-cloudwatch.html), which collects raw data and processes it into readable, near real-time metrics. OpenSearch Serverless is integrated with [AWS CloudTrail](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/logging-using-cloudtrail.html), which captures API calls for OpenSearch Serverless as events. OpenAmazon OpenSearch Service integrates with [Amazon EventBridge](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-monitoring-events.html) to notify you of certain events that affect your domains. Third-party auditors can assess the security and [compliance](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-compliance.html) of OpenSearch Serverless as part of multiple AWS compliance programs. 
+[Amazon Macie](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html) is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and help protect your sensitive data in AWS. You need to identify the type and classification of data that your workload is processing to ensure that appropriate controls are enforced. Macie can help identify sensitive data in your prompt store and model invocation logs stored in S3 buckets. 
@@ -112 +104 @@ Monitor OpenSearch Serverless by [using Amazon CloudWatch](https://docs.aws.amaz
-### Amazon S3
+You can use Macie to automate discovery, logging, and reporting of sensitive data in Amazon S3. You can do this in two ways: Configure Macie to perform automated sensitive data discovery, or create and run sensitive data discovery jobs. For more information, see [Discovering sensitive data with Amazon Macie](https://docs.aws.amazon.com/macie/latest/user/data-classification.html) in the Macie documentation. 
@@ -114 +106 @@ Monitor OpenSearch Serverless by [using Amazon CloudWatch](https://docs.aws.amaz
-Store your [data sources](https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base-ds-manage.html) for your knowledge base in an S3 bucket. If you encrypted your data sources in Amazon S3 by using a custom AWS KMS key (recommended), attach [ a policy](https://docs.aws.amazon.com/bedrock/latest/userguide/encryption-kb.html#encryption-kb-ds) to your [knowledge base service role](https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html). Use[ malware protection in Amazon S3](https://aws.amazon.com/blogs/apn/integrating-malware-scanning-into-your-data-ingestion-pipeline-with-antivirus-for-amazon-s3/) to scan files for malicious content before uploading them to a data source. We also recommend that you host your [model invocation logs](https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#setup-s3-destination) and commonly used prompts as a prompt store in Amazon S3. All buckets should be[ encrypted](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html) with a customer managed key. For additional network security hardening, you can create a[ gateway endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html) for the S3 buckets that the VPC environment is configured to access. [Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html) should be logged and monitored. Enable [versioning](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html) if you have a business need to retain the history of Amazon S3 objects. Apply object-level immutability with [Amazon S3 Object Lock](https://aws.amazon.com/s3/features/object-lock/). You can use [resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_access-management.html#intro-access-resource-based-policies) to control access to your Amazon S3 files more tightly. 
+### Amazon EventBridge
@@ -116 +108 @@ Store your [data sources](https://docs.aws.amazon.com/bedrock/latest/userguide/k
-### Amazon Comprehend
+Use [EventBridge](https://docs.aws.amazon.com/bedrock/latest/userguide/monitoring-eventbridge.html) to configure SageMaker to respond automatically to model customization job status changes in Amazon Bedrock. Events from Amazon Bedrock are delivered to EventBridge in near real time. You can write simple [rules](https://docs.aws.amazon.com/bedrock/latest/userguide/monitoring-eventbridge.html#monitoring-eventbridge-create-rule) to automate actions when an event matches a rule.
@@ -118 +110 @@ Store your [data sources](https://docs.aws.amazon.com/bedrock/latest/userguide/k
-[Amazon Comprehend](https://docs.aws.amazon.com/comprehend/latest/dg/what-is.html) uses natural language processing (NLP) to extract insights from the content of documents. You can use Amazon Comprehend to [detect](https://docs.aws.amazon.com/comprehend/latest/dg/how-pii.html#how-pii-locate) and [redact](https://docs.aws.amazon.com/comprehend/latest/dg/how-pii.html#how-pii-redact) PII entities in English or Spanish text documents. Integrate Amazon Comprehend into your [data ingestion pipeline](https://aws.amazon.com/blogs/machine-learning/detecting-and-redacting-pii-using-amazon-comprehend/) to automatically detect and redact PII entities from documents before you index them in your RAG knowledge base, to help ensure compliance and protect user privacy. Depending on the document types, you can use [Amazon Textract](https://docs.aws.amazon.com/textract/latest/dg/textract-to-comprehend.html) to extract and send text to Amazon Comprehend for analysis and redaction.
+### AWS KMS
@@ -120 +112 @@ Store your [data sources](https://docs.aws.amazon.com/bedrock/latest/userguide/k
-Amazon S3 enables you to encrypt your input documents when creating a text analysis, topic modeling, or custom Amazon Comprehend job. Amazon Comprehend [integrates with AWS KMS](https://docs.aws.amazon.com/comprehend/latest/dg/kms-in-comprehend.html) to encrypt the data in the storage volume for `Start*` and `Create*` jobs, and it encrypts the output results of `Start*` jobs by using a customer managed key. We recommend that you use the `aws:SourceArn` and `aws:SourceAccount` global condition context keys in [resource policies to limit the permissions](https://docs.aws.amazon.com/comprehend/latest/dg/cross-service-confused-deputy-prevention.html) that Amazon Comprehend gives another service to the resource. Use [AWS PrivateLink](https://docs.aws.amazon.com/comprehend/latest/dg/vpc-interface-endpoints.html) to create a private connection between your VPC and Amazon Comprehend endpoint services. Implement [identity-based policies](https://docs.aws.amazon.com/comprehend/latest/dg/security_iam_id-based-policy-examples.html) for Amazon Comprehend with the principle of least privilege. Amazon Comprehend is integrated with [AWS CloudTrail](https://docs.aws.amazon.com/comprehend/latest/dg/logging-using-cloudtrail.html), which captures API calls for Amazon Comprehend as events. Third-party auditors can assess the security and compliance of Amazon Comprehend as part of multiple [AWS compliance programs](https://docs.aws.amazon.com/comprehend/latest/dg/comp-compliance.html).
+Use a customer managed key to encrypt the model customization job, output files (training and validation metrics), resulting custom model, and [Amazon S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html) that host the training, validation, and output data. For more information, see [Encryption of custom models](https://docs.aws.amazon.com/bedrock/latest/userguide/encryption-custom-job.html) in the Amazon Bedrock documentation.
@@ -122 +114 @@ Amazon S3 enables you to encrypt your input documents when creating a text analy
-### Amazon Macie
+A [key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) is a resource policy for an AWS KMS key. Key policies are the primary way to control access to KMS keys. You can also use IAM policies and grants to control access to KMS keys, but every KMS key must have a key policy. Use a [key policy to provide permissions](https://docs.aws.amazon.com/bedrock/latest/userguide/encryption-custom-job.html#encryption-key-policy) to a role to access the custom model encrypted with the customer managed key. This approach allows specified roles to use a custom model for inference.
@@ -124 +116 @@ Amazon S3 enables you to encrypt your input documents when creating a text analy
-Macie can[ help identify sensitive data ](https://docs.aws.amazon.com/macie/latest/user/data-classification.html)in your knowledge bases that are stored as data sources, model invocation logs, and prompt store in S3 buckets. For Macie security best practices, see the [Macie](./gen-ai-model-inference.html#model-inference-services-macie) section earlier in this guidance. 
+### Amazon CloudWatch
@@ -126 +118 @@ Macie can[ help identify sensitive data ](https://docs.aws.amazon.com/macie/late
-### AWS KMS
+Use [CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) to monitor training job metrics in SageMaker and fine-tuning metrics in Amazon Bedrock. [Create alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html) to receive notifications when a job fails or when a metric deviates from baseline.
@@ -128 +120 @@ Macie can[ help identify sensitive data ](https://docs.aws.amazon.com/macie/late
-Use customer managed keys to encrypt the following: [data ingestion jobs](https://docs.aws.amazon.com/bedrock/latest/userguide/encryption-kb.html#encryption-kb-ingestion) for your knowledge base, the [Amazon OpenSearch Service vector database](https://docs.aws.amazon.com/bedrock/latest/userguide/encryption-kb.html#encryption-kb-oss), [sessions](https://docs.aws.amazon.com/bedrock/latest/userguide/encryption-kb.html#encryption-kb-runtime) in which you generate responses from querying a knowledge base, [model invocation logs in ](https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#setup-s3-destination)Amazon S3[, ](https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#setup-s3-destination)and the [S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html) that hosts the data sources. 
+### AWS CloudTrail
@@ -130 +122 @@ Use customer managed keys to encrypt the following: [data ingestion jobs](https:
-Use Amazon CloudWatch and AWS CloudTrail as explained in the previous [model inference](./gen-ai-model-inference.html) section.
+Use [CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) to log all events on your AWS resources. Create a trail filtered on your training resources, including datasets on Amazon S3. This trail enables you to act on suspicious activity surrounding your resources.
@@ -140 +132 @@ Capability 1. Model inference
-Capability 3. Autonomous agents
+Capability 3. RAG