AWS deadline-cloud documentation change
Summary
Added comprehensive security documentation sections covering model information, data privacy, network path, organization-level controls, audit trail, abuse detection, and feedback data
Security assessment
The changes add detailed security documentation about data handling, access controls, auditing, and compliance features. No evidence of addressing a specific vulnerability; instead proactively documents security features like SCP controls, CloudTrail logging, and data residency requirements.
Diff
diff --git a/deadline-cloud/latest/userguide/assistant-security.md b/deadline-cloud/latest/userguide/assistant-security.md index 5d82bbbcf..1d4210bce 100644 --- a//deadline-cloud/latest/userguide/assistant-security.md +++ b//deadline-cloud/latest/userguide/assistant-security.md @@ -6,0 +7,2 @@ +Model informationData privacyNetwork pathOrganization-level controlsAudit trailAbuse detectionFeedback data + @@ -27,0 +30,73 @@ The Deadline Cloud assistant operates within the existing Deadline Cloud securit +## Model information + +The Deadline Cloud assistant uses Anthropic Claude Sonnet 4.5 (`anthropic.claude-sonnet-4-5-20250929-v1:0`) as its foundation model, accessed through cross-region inference profiles. The assistant also includes a knowledge base built from public Deadline Cloud documentation, public AWS documentation, and public documentation for popular digital content creation applications. This knowledge base is fetched by the assistant at invocation time. AWS did not use customer data from any Deadline Cloud account to build or fine-tune the assistant. + +## Data privacy + +The Deadline Cloud assistant is subject to the data protection policies. For more information about data protection, see [Data protection](https://docs.aws.amazon.com/bedrock/latest/userguide/data-protection.html) in the _User Guide_. + +The assistant holds conversation history in browser memory only. Refreshing or closing the page permanently deletes the conversation. The assistant doesn't persist any conversation data to disk, databases, or AWS services. + +If you have model invocation logging enabled in your account, your assistant conversations (including log content sent to the model) are captured in your configured logging destination (your Amazon S3 bucket or CloudWatch Logs log group). Model invocation logging is disabled by default and is entirely under your control. For more information, see [Model invocation logging](https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html) in the _User Guide_. + +## Network path + +The Deadline Cloud assistant runs in your browser as part of the Deadline Cloud monitor application. When you interact with the assistant, your browser makes API calls (`InvokeModelWithResponseStream`) directly to the service endpoint by using your monitor user credentials. These calls travel over HTTPS (TLS 1.2 or higher) to the public endpoint in your Region. + +Because the assistant runs in the browser, Amazon VPC interface endpoints (AWS PrivateLink) do not apply to assistant traffic. PrivateLink support is designed for server-side workloads running within a Amazon VPC, not browser-based applications. + +## Organization-level controls + +In addition to the per-monitor admin toggle, you can enforce organization-wide control over the assistant by using AWS Organizations (Organizations) service control policies (SCPs). An SCP that denies `bedrock:InvokeModelWithResponseStream` prevents the assistant from functioning, even if a monitor administrator enables the feature. + +The following example SCP denies all model invocations, which disables the assistant across all accounts in the organization or organizational unit (OU) where the policy is attached: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DenyBedrockInvocations", + "Effect": "Deny", + "Action": "bedrock:InvokeModelWithResponseStream", + "Resource": "*" + } + ] + } + +For more information about SCPs, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the _Organizations User Guide_. + +###### Note + +This SCP blocks all model invocations in the affected accounts, including those not related to Deadline Cloud. To block only the assistant, disable it through the monitor settings instead. + +## Audit trail + +The assistant's activities are auditable through AWS CloudTrail (CloudTrail): + + * **invocations** – CloudTrail logs each `InvokeModelWithResponseStream` call as a management event. The log entry records the model ID, user identity, timestamp, and source IP. The `additionalEventData.inferenceRegion` field identifies where the request was processed. The CloudTrail event doesn't include prompt or response content. + + * **Deadline Cloud resource reads** – The assistant's read operations on Deadline Cloud resources (such as `GetJob`, `ListTasks`, `ListSessions`, and `SearchTasks`) are logged in CloudTrail as standard Deadline Cloud API calls. You can query these logs to determine which specific jobs, tasks, and sessions the assistant accessed during a conversation. + + * **CloudWatch Logs reads** – The assistant reads worker and task logs by assuming the queue role (using `deadline:AssumeQueueRoleForRead`) or fleet role (using `deadline:AssumeFleetRoleForRead`). These role assumption events are logged in CloudTrail. + + + + +## Abuse detection + +The automated abuse detection mechanisms apply to all assistant usage. For more information, see [Abuse detection](https://docs.aws.amazon.com/bedrock/latest/userguide/abuse-detection.html) in the _User Guide_. + +## Feedback data + +The assistant provides two feedback mechanisms. Each mechanism transmits different data: + + * **Thumbs up/down buttons** – When you click a thumbs up or thumbs down icon on an assistant response, only a sentiment indicator (positive or negative) and a session identifier are recorded as a telemetry event. No conversation content, log data, or prompts are included in the feedback event. + + * **General feedback form** (non-EU and non-UK regions only) – When you submit general feedback through the speech bubble icon, the form transmits only the information that you explicitly enter. This includes a category selection, a subject line, a description, and an optional email address. The form also includes your monitor's Region and the current page path as metadata. No conversation content or log data is included unless you manually type it into the form fields. General feedback is submitted to an AWS feedback service. + + + + +General feedback is unavailable in EU and UK regions because of data residency requirements. The thumbs up/down feedback is available in all regions because the telemetry event contains no customer content. +