FSI Service Spotlight: Highlighting Amazon Comprehend | AWS for Industries


In this edition of our Financial Services Industry (FSI) Service Spotlight blog series, we delve into five essential considerations that FSI clients should prioritize to facilitate cloud service approval. Each of these areas will provide specific recommendations, suggested reference architectures, and technical code to help streamline the approval process for the featured service, which may need to be tailored to your unique use case and environment.

This month, we focus on Amazon Comprehend (excluding Comprehend Medical), which has seen remarkable adoption among FSI customers. Amazon Comprehend employs natural language processing (NLP) to derive insights from document content. It processes any UTF-8 formatted text file, identifying entities, key phrases, languages, sentiments, and other common components within documents.

A prevalent application of Amazon Comprehend in the financial sector involves analyzing call transcriptions from customer service centers to extract insights about client interactions. This enables financial institutions to identify trends, tailor messages and offers, and equip call center personnel with comprehensive information for optimal customer service.

Another noteworthy application comes from Broadridge, which utilizes Amazon Comprehend to extract data from proxy voting forms. By integrating Amazon Comprehend with other AWS AI services, Broadridge achieved a 40% decrease in the manual effort required to review and analyze these forms. They extract key data points from SEC filings—such as board member tenures and ESG proposals—enabling the development of a custom machine learning model via Amazon SageMaker. This model predicts potentially contentious shareholder meetings, paving the way for a new product and additional revenue for their asset management and broker-dealer clients.

Moreover, FINRA leverages Amazon Comprehend to process and assess millions of documents containing unstructured data. By automating the evaluation and flagging of documents, FINRA has significantly reduced the need for manual reviews, allowing human investigators to focus on more critical tasks.

Ensuring Compliance with Amazon Comprehend

Security is a shared responsibility between AWS and its users. AWS safeguards the infrastructure underlying AWS services in the cloud and offers you tools for secure operations. Your responsibilities vary depending on the AWS service utilized. Customers should first evaluate their requirements concerning network connectivity, encryption, and access to AWS resources. We will explore these topics more thoroughly in the following sections.

Amazon Comprehend aligns with several compliance programs under the AWS shared responsibility model, which we will discuss further in subsequent sections:

  • SOC 1, 2, 3
  • PCI
  • IRAP Protected
  • ISO/IEC 27001:2013, 27017:2015, 27018:2019, and ISO/IEC 9001:2015
  • OSPAR
  • C5
  • MTCS

Data Protection with Amazon Comprehend

Encryption serves as a fundamental method for safeguarding data both in transit and at rest. When accessing Amazon Comprehend via the network, customers must utilize AWS-published API calls with clients supporting Transport Layer Security (TLS) 1.0 or higher; however, TLS 1.2 or above is strongly recommended.

Amazon Comprehend integrates with AWS Key Management Service (AWS KMS) to encrypt customer data at rest in two places: the data stored on the volumes attached within the Amazon Comprehend service account while a job runs, and the output written to customer-managed Amazon S3 buckets. Because input data is stored in Amazon S3, you can use the S3 encryption-at-rest options for it.

To ensure encryption during certain Amazon Comprehend actions, customers can implement service control policies (SCPs) alongside Amazon Comprehend’s IAM condition keys. Below is an example of an SCP that denies requests unless the principal invoking specified Amazon Comprehend actions supplies the requisite key for volume encryption. SCPs are organizational policies that help manage permissions across your organization, ensuring compliance with access control guidelines.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Deny-Comprehend-Actions-without-volume-encryption-key",
            "Effect": "Deny",
            "Action": [
                "comprehend:StartEntitiesDetectionJob",
                "comprehend:CreateDocumentClassifier",
                "comprehend:StartDocumentClassificationJob",
                "comprehend:StartSentimentDetectionJob",
                "comprehend:StartKeyPhrasesDetectionJob",
                "comprehend:StartTopicsDetectionJob",
                "comprehend:StartDominantLanguageDetectionJob",
                "comprehend:CreateEntityRecognizer"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "comprehend:VolumeKmsKey": "arn:aws:kms:us-east-2:0000000000000:key/a1b2c3d4-a1b2-1234-a1b2-a1b2c3d4e5f6"
                }
            }
        }
    ]
}

Isolation of Compute Environments with Amazon Comprehend

As a managed service, Amazon Comprehend does not possess any compute resources on the customer side of the shared responsibility framework. It is secured by AWS’s global network security protocols, detailed in the AWS Security whitepaper.

Customers can create a private connection between their VPC and Amazon Comprehend by establishing an interface VPC endpoint. This technology, powered by AWS PrivateLink, allows private access to Amazon Comprehend APIs without the need for an internet gateway, NAT device, VPN, or AWS Direct Connect. By using an interface VPC endpoint, instances within your VPC do not require public IP addresses to communicate with Amazon Comprehend APIs, and all traffic remains within the Amazon network.

When utilizing an interface endpoint, customers must attach an endpoint policy governing access to the service. Below is an example policy for Amazon Comprehend, which grants access to specified actions for all principals on all resources. Customers can also employ the comprehend:VpcSubnets and comprehend:VpcSecurityGroupIds IAM condition keys in their IAM policies to enforce their specific VPC configurations when creating jobs, specifying the necessary subnets and security groups. This setup enables Amazon Comprehend to create elastic network interfaces (ENIs) associated with your chosen security groups within the specified subnets.
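As an added example (not code from the original post or from AWS), the following Python pre-flight check ties the SCP's comprehend:VolumeKmsKey condition above and the comprehend:VpcSubnets / comprehend:VpcSecurityGroupIds condition keys back to the job request parameters that populate them, so a request the policies would deny is caught before it is sent; the approved key pattern, subnet ids and security group ids are assumed placeholders.

```python
"""Added example (not from the original post): pre-flight check that a Comprehend job
request carries what the page's SCP and VPC condition keys inspect: comprehend:VolumeKmsKey
<- VolumeKmsKeyId, comprehend:VpcSubnets <- VpcConfig.Subnets, comprehend:VpcSecurityGroupIds
<- VpcConfig.SecurityGroupIds. Key ARN, subnet and security group ids are placeholders."""
import re

APPROVED_VOLUME_KEY = "arn:aws:kms:us-east-2:000000000000:key/*"  # placeholder pattern
APPROVED_SUBNETS = {"subnet-0aaa1111", "subnet-0bbb2222"}          # placeholder ids
APPROVED_SECURITY_GROUPS = {"sg-0ccc3333"}                         # placeholder id


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike wildcard semantics: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def check_job_request(request: dict) -> list:
    """Return the guardrails a start_*_job request would violate (empty = compliant)."""
    problems = []
    key = request.get("VolumeKmsKeyId")
    if not key:
        problems.append("VolumeKmsKeyId missing: job volumes would not use the approved key")
    elif not iam_string_like(APPROVED_VOLUME_KEY, key):
        problems.append("VolumeKmsKeyId is not an approved key: " + key)
    vpc = request.get("VpcConfig") or {}
    subnets, groups = set(vpc.get("Subnets", [])), set(vpc.get("SecurityGroupIds", []))
    if not subnets or not subnets <= APPROVED_SUBNETS:
        problems.append("VpcConfig.Subnets must be a non-empty subset of the approved subnets")
    if not groups or not groups <= APPROVED_SECURITY_GROUPS:
        problems.append("VpcConfig.SecurityGroupIds must be a non-empty subset of approved groups")
    return problems


# Constructed request the SCP above would deny: no volume key and no VPC configuration.
WEAK_REQUEST = {
    "JobName": "fsi-call-transcripts",
    "InputDataConfig": {"S3Uri": "s3://example-input/transcripts/"},
    "OutputDataConfig": {"S3Uri": "s3://example-output/"},
    "DataAccessRoleArn": "arn:aws:iam::000000000000:role/ComprehendDataAccess",
    "LanguageCode": "en",
}
# The same request with the values the guardrails expect (kwargs for start_entities_detection_job).
HARDENED_REQUEST = dict(
    WEAK_REQUEST,
    VolumeKmsKeyId="arn:aws:kms:us-east-2:000000000000:key/a1b2c3d4-a1b2-1234-a1b2-a1b2c3d4e5f6",
    VpcConfig={"SecurityGroupIds": ["sg-0ccc3333"], "Subnets": ["subnet-0aaa1111"]},
)
```

Running check_job_request on WEAK_REQUEST reports three findings (missing key, no subnets, no security groups), while HARDENED_REQUEST returns an empty list.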

