In this edition of our monthly blog series focused on the Financial Services Industry (FSI), we explore five critical factors related to Amazon Kendra. These include compliance achievement, data protection, computing environment isolation, API audits, and operational access and security. For each area, we will provide tailored guidance, reference architectures, and technical code to facilitate service approval for Amazon Kendra, which may require customization to fit your unique use case and environment.
Amazon Kendra is a smart search service that utilizes machine learning to transform enterprise search capabilities for your websites and applications. This allows your employees and customers to effortlessly find the content they need—ranging from business documents and corporate glossaries to internal websites—regardless of where that information resides. Kendra features both native and partner-built connectors for widely-used data sources like Amazon S3, SharePoint, ServiceNow, OneDrive, Salesforce, and Confluence, enabling seamless integration of data from various repositories into a centralized hub. With Kendra, you can leverage natural language search functionalities to quickly locate and retrieve the most pertinent answers from within various document types, including text snippets and PDFs.
When users pose questions through Q&A chatbots, agent-assist, or custom web searches, Kendra employs machine learning algorithms to grasp context and deliver relevant results promptly. This natural language search capability stands in stark contrast to traditional search technologies, ensuring that users receive quick and accurate answers no matter where the data is stored in your organization.
One notable use case for Amazon Kendra in FSI is reducing regulatory and compliance risks by improving regulatory intelligence. For instance, a collaboration with PricewaterhouseCoopers (PwC) has led to the development of a product aimed at regulated industries, granting access to vital regulatory and compliance information along with exclusive PwC insights. PwC is currently enhancing search capabilities using Amazon Kendra, enabling users to pose questions in natural language, significantly advancing beyond the limitations of keyword searches and manual document reviews.
Another application is boosting employee productivity by delivering a cohesive search and discovery experience that facilitates quicker access to relevant information. Workgrid, a Liberty Mutual Company, has developed a no-code self-service Q&A builder. Amazon Kendra extracts answers from the multitude of documents (like PDFs) scattered throughout the enterprise, enhancing Workgrid’s chatbot functionality to provide swift and accurate responses to customer inquiries.
Achieving Compliance with Amazon Kendra
At AWS, cloud security is paramount. As an AWS client, you benefit from a data center and network architecture designed to satisfy the needs of the most security-conscious organizations. Regular assessments by third-party auditors evaluate the security and compliance of Amazon Kendra, which is included in several AWS compliance programs.
Under the shared responsibility model, AWS includes Amazon Kendra in the scope of the following compliance programs; customers can obtain the corresponding reports, under an AWS non-disclosure agreement (NDA), through AWS Artifact:
- SOC 1, 2, 3
- PCI
- ISO/IEC 27001:2013, 27017:2015, 27018:2019, ISO/IEC 9001:2015 and CSA STAR CCM v3.0
- FedRAMP Moderate (3PAO Assessment)
- ENS High
Customers’ compliance responsibilities when using Amazon Kendra depend on the sensitivity of their data, the compliance objectives of their organization, and relevant laws and regulations. AWS offers various resources for compliance validation.
Data Protection with Amazon Kendra
The AWS shared responsibility model also applies to data protection in Amazon Kendra. While AWS secures the global infrastructure supporting all AWS Cloud services, customers maintain control over their content hosted on that infrastructure.
We recommend that customers secure their data both in transit and at rest by employing encryption techniques. For data in transit, Amazon Kendra utilizes the HTTPS protocol to communicate securely with client applications, as well as AWS signatures for interactions with other services on behalf of your application. Clients must support Transport Layer Security (TLS) 1.2 or later, along with cipher suites that offer perfect forward secrecy (PFS), such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Additionally, requests must be signed using an access key ID and a secret access key linked to an IAM principal, or you can utilize AWS Security Token Service (AWS STS) to generate temporary security credentials for signing requests.
AWS Key Management Service (KMS) simplifies the creation and management of cryptographic keys and their use across a variety of AWS services and applications. Integrated with Amazon Kendra, AWS KMS streamlines the encryption process for your data. By default, Amazon Kendra encrypts data at rest using a KMS key owned by AWS, but you can select from three options for data encryption: an AWS owned customer master key (CMK), an AWS managed CMK (created in your account and managed by Amazon Kendra), or a customer-managed CMK that you create during the setup of an Amazon Kendra index or data source.
When establishing a key through the AWS KMS console, ensure that the key has the appropriate policy allowing Amazon Kendra to utilize it. If you create a key with the Amazon Kendra console, these policies are automatically applied.
For further guidance on key policies, refer to the AWS Key Management Service Developer Guide.
Data Security
Customers can restrict access to stored information using IAM policies, permission boundaries, or Service Control Policies. For instance, the following identity-based policy grants an IAM user or role permission to use the Query operation on the listed index, provided that the index carries the tag key “department” with the value “finance.”
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["kendra:Query"],
    "Resource": "arn:aws:kendra:us-east-1:111122223333:index/abcd-1234",
    "Condition": {
      "StringEquals": {
        "aws:ResourceTag/department": "finance"
      }
    }
  }]
}
Conversely, the following Service Control Policy denies access to the Query operation on that index for any user or role lacking the “department” tag with the value “finance.”
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["kendra:Query"],
    "Resource": "arn:aws:kendra:us-east-1:111122223333:index/abcd-1234",
    "Condition": {
      ...
    }
  }]
}
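To show how the identity-based Allow policy and the Service Control Policy above combine at evaluation time, here is an added Python simulator; it is not code from the original post or from AWS. It assumes the SCP condition that the page elides is a StringNotEquals on aws:PrincipalTag/department, and it implements only the subset of IAM evaluation needed here: an explicit Deny wins, otherwise a matching Allow is required, otherwise the request is implicitly denied.

```python
# Added example (not from the original post): simulates how IAM evaluates the
# two tag-based policies above for kendra:Query. Assumption: the SCP condition
# shown as "..." on the page is StringNotEquals on aws:PrincipalTag/department.

INDEX_ARN = "arn:aws:kendra:us-east-1:111122223333:index/abcd-1234"

IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kendra:Query"],
        "Resource": INDEX_ARN,
        "Condition": {"StringEquals": {"aws:ResourceTag/department": "finance"}},
    }],
}

SCP = {  # Condition is an assumption; the page elides it
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["kendra:Query"],
        "Resource": INDEX_ARN,
        "Condition": {"StringNotEquals": {"aws:PrincipalTag/department": "finance"}},
    }],
}

def condition_matches(cond, ctx):
    """StringEquals / StringNotEquals against the request context. A key
    missing from ctx fails StringEquals but satisfies StringNotEquals,
    which is why an untagged principal still triggers the Deny."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals" and have != want:
                return False
            if op == "StringNotEquals" and have == want:
                return False
    return True

def is_allowed(action, resource, ctx, policies=(IDENTITY_POLICY, SCP)):
    """Explicit Deny wins; otherwise one matching Allow is required."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if (action in stmt["Action"] and stmt["Resource"] == resource
                    and condition_matches(stmt.get("Condition", {}), ctx)):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed
```

The request context dict stands in for the condition keys IAM derives from the caller's session tags and the index's resource tags.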