Amazon VGT2 Las Vegas: Highlighting Amazon Comprehend


In this installment of our Amazon VGT2 Las Vegas blog series, we cover the aspects of Amazon Comprehend that financial services industry (FSI) customers should prioritize when seeking internal approval to use the service. For each of the five focus areas we give tailored guidance, reference architectures and sample code to help streamline service approval; adjust them to your own requirements and environment.

This edition centers on Amazon Comprehend (excluding Comprehend Medical), chosen because of its growing adoption among FSI customers. Amazon Comprehend uses natural language processing (NLP) to extract insights from document text. It accepts UTF-8 encoded text and identifies entities, key phrases, language, sentiment and other elements of the documents.

A prevalent application of Amazon Comprehend in financial institutions involves analyzing call center transcriptions to gather insights from customer interactions. This capability enables institutions to identify recurring trends, tailor messages and offers, and equip call center personnel with comprehensive client information to enhance customer experience.

Another notable use case in the FSI sector is the extraction of data from proxy voting forms, as demonstrated by a prominent client. By utilizing Amazon Comprehend alongside other AWS AI services, they accomplished a 40% reduction in the manual effort required to review and analyze proxy voting documents. This client extracts data from SEC filings, such as board member tenures and ESG proposals. They subsequently employ these data points to create a custom machine learning model on Amazon SageMaker to predict potentially contentious shareholder meetings, which will serve as a new product and revenue stream for their asset management and broker-dealer clientele.

Lastly, a regulatory body is using Amazon Comprehend to process and scrutinize millions of documents containing unstructured data. By automating the evaluation process with Amazon Comprehend, they have eliminated the tedious manual review, instead flagging documents that necessitate further investigation by human reviewers.

Ensuring Compliance with Amazon Comprehend

Security is a shared responsibility between AWS and the customer. AWS is responsible for protecting the infrastructure that runs its services in the cloud and provides services that the customer can use securely; the customer is responsible for configuring and using those services securely, and the scope of that responsibility depends on which AWS services are used. Customers should therefore define their requirements for network connectivity, encryption and access to other AWS resources; each of these is discussed below.

On AWS's side of the shared responsibility model, Amazon Comprehend is in scope for the following compliance programs:

  • SOC 1, 2, 3
  • PCI
  • IRAP Protected
  • ISO/IEC 27001:2013, 27017:2015 and 27018:2019, and ISO 9001:2015
  • OSPAR
  • C5
  • MTCS

Data Protection with Amazon Comprehend

Encryption is the primary control for protecting data both in transit and at rest. Amazon Comprehend is reached over the network through AWS-published API calls, and the connection must use Transport Layer Security (TLS). AWS API endpoints now require TLS 1.2 or later, and TLS 1.3 is recommended where the client supports it; configure your clients and SDKs to reject anything weaker rather than relying on the endpoint to do so.

Amazon Comprehend integrates with AWS Key Management Service (AWS KMS) at the three points where it stores customer data: the storage volumes attached to the compute that runs a job or trains a custom model (the VolumeKmsKeyId request parameter), the job output written to your Amazon S3 bucket (the KmsKeyId inside OutputDataConfig) and, for custom classifiers and entity recognizers, the trained model artifacts (ModelKmsKeyId). Input data is read from Amazon S3, so it is protected by whichever S3 encryption option you choose; if the input bucket uses SSE-KMS, the data access role you pass to Comprehend (DataAccessRoleArn) must be allowed to use that key, or the job cannot read its input.

To make encryption mandatory rather than optional, use service control policies (SCPs) together with Amazon Comprehend's IAM condition keys. The SCP below denies the listed Amazon Comprehend actions unless they are invoked with a designated volume encryption key. Because StringNotLike also matches when the condition key is absent from the request, the statement equally denies requests that omit VolumeKmsKeyId altogether, which is the intent. Keep in mind that SCPs do not apply to the organization's management account, and that an SCP only bounds permissions: the calling principal still needs an identity-based policy that allows the action.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Deny-Comprehend-Actions-without-volume-encryption-key",
            "Effect": "Deny",
            "Action": [
                "comprehend:StartEntitiesDetectionJob",
                "comprehend:CreateDocumentClassifier",
                "comprehend:StartDocumentClassificationJob",
                "comprehend:StartSentimentDetectionJob",
                "comprehend:StartKeyPhrasesDetectionJob",
                "comprehend:StartTopicsDetectionJob",
                "comprehend:StartDominantLanguageDetectionJob",
                "comprehend:CreateEntityRecognizer"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "comprehend:VolumeKmsKey": "arn:aws:kms:us-east-2:111122223333:key/a1b2c3d4-a1b2-1234-a1b2-a1b2c3d4e5f6"
                }
            }
        }
    ]
}

Isolation of Compute Environments with Amazon Comprehend

As a managed service, Amazon Comprehend runs no compute resources on the customer's side of the shared responsibility model; the compute that executes jobs and trains custom models is provisioned and operated by AWS and is protected by the controls of the AWS global network described in the AWS Security whitepaper. What the customer controls is the network path used to reach the service API and, for asynchronous jobs and custom model training, the VPC in which the job accesses its input and output data (the VpcConfig request parameter).

Customers can create a private connection between their VPC and Amazon Comprehend by utilizing an interface VPC endpoint, powered by AWS PrivateLink. This technology allows private access to Amazon Comprehend APIs without the need for an internet gateway, NAT device, VPN connection, or AWS Direct Connect. With an interface VPC endpoint, instances in your VPC can communicate with Amazon Comprehend APIs without requiring public IP addresses, ensuring that all traffic remains within the Amazon network.
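An endpoint policy is an IAM resource policy attached to the interface endpoint itself; it limits which Amazon Comprehend actions can be called through that endpoint regardless of what the caller's identity policy allows. The policy below is an added example written for this post, not a policy from the original post or from AWS documentation; the account ID 111122223333 is a placeholder. Rather than granting the listed actions to every principal, it also requires the calling credentials to belong to the account that owns the VPC (the aws:PrincipalAccount global condition key), so that credentials from some other AWS account cannot use your endpoint to reach Comprehend from inside your network.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowComprehendFromOwnAccountOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "comprehend:DetectDominantLanguage",
                "comprehend:DetectEntities",
                "comprehend:DetectKeyPhrases",
                "comprehend:DetectSentiment",
                "comprehend:StartEntitiesDetectionJob",
                "comprehend:StartKeyPhrasesDetectionJob",
                "comprehend:StartSentimentDetectionJob",
                "comprehend:DescribeEntitiesDetectionJob",
                "comprehend:DescribeKeyPhrasesDetectionJob",
                "comprehend:DescribeSentimentDetectionJob"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalAccount": "111122223333"
                }
            }
        }
    ]
}
```

Attach it to an existing endpoint with `aws ec2 modify-vpc-endpoint --vpc-endpoint-id <id> --policy-document file://endpoint-policy.json`. The endpoint policy does not grant permissions on its own: a request through the endpoint succeeds only if both the caller's identity-based policy and this policy allow the action, which is why "Principal": "*" is safe here when paired with the account condition.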

When using an interface endpoint, customers can attach an endpoint policy to control which Amazon Comprehend actions may be called through it. A typical endpoint policy grants a specified set of actions to all principals on all resources; it does not replace identity-based permissions, so a request must be allowed by both the caller's IAM policy and the endpoint policy. Customers can also use the comprehend:VpcSubnets and comprehend:VpcSecurityGroupIds IAM condition keys in their IAM policies to require that asynchronous jobs and custom model training be launched only with approved subnets and security groups.
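The SCP in the data protection section pins only the volume key. The identity-based policy below, an added example written for this post and not code from the original post or from AWS, extends the same Deny pattern to the other two places Comprehend writes data (job output via the KmsKeyId in OutputDataConfig, and custom model artifacts via ModelKmsKeyId) and to the VPC settings just described. The key ARN, subnet IDs and security group ID are placeholders. Two points of IAM condition semantics shape the statements: a StringNotEquals condition on a single-valued key matches when the key is absent from the request, so the first two statements also deny requests that omit the KMS key; comprehend:VpcSubnets and comprehend:VpcSecurityGroupIds are multi-valued, and ForAnyValue does not match an absent key, so a separate Null statement is needed to deny requests that leave out VpcConfig entirely (VpcConfig requires both subnets and security groups, so testing one key is sufficient).

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyJobsWithoutApprovedOutputKey",
            "Effect": "Deny",
            "Action": [
                "comprehend:StartEntitiesDetectionJob",
                "comprehend:StartDocumentClassificationJob",
                "comprehend:StartSentimentDetectionJob",
                "comprehend:StartKeyPhrasesDetectionJob",
                "comprehend:StartTopicsDetectionJob",
                "comprehend:StartDominantLanguageDetectionJob"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "comprehend:OutputKmsKey": "arn:aws:kms:us-east-2:111122223333:key/a1b2c3d4-a1b2-1234-a1b2-a1b2c3d4e5f6"
                }
            }
        },
        {
            "Sid": "DenyCustomModelsWithoutApprovedModelKey",
            "Effect": "Deny",
            "Action": [
                "comprehend:CreateDocumentClassifier",
                "comprehend:CreateEntityRecognizer"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "comprehend:ModelKmsKey": "arn:aws:kms:us-east-2:111122223333:key/a1b2c3d4-a1b2-1234-a1b2-a1b2c3d4e5f6"
                }
            }
        },
        {
            "Sid": "DenyWithoutVpcConfig",
            "Effect": "Deny",
            "Action": [
                "comprehend:StartEntitiesDetectionJob",
                "comprehend:StartDocumentClassificationJob",
                "comprehend:StartSentimentDetectionJob",
                "comprehend:StartKeyPhrasesDetectionJob",
                "comprehend:StartTopicsDetectionJob",
                "comprehend:StartDominantLanguageDetectionJob",
                "comprehend:CreateDocumentClassifier",
                "comprehend:CreateEntityRecognizer"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "comprehend:VpcSubnets": "true"
                }
            }
        },
        {
            "Sid": "DenyUnapprovedSubnets",
            "Effect": "Deny",
            "Action": [
                "comprehend:StartEntitiesDetectionJob",
                "comprehend:StartDocumentClassificationJob",
                "comprehend:StartSentimentDetectionJob",
                "comprehend:StartKeyPhrasesDetectionJob",
                "comprehend:StartTopicsDetectionJob",
                "comprehend:StartDominantLanguageDetectionJob",
                "comprehend:CreateDocumentClassifier",
                "comprehend:CreateEntityRecognizer"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringNotEquals": {
                    "comprehend:VpcSubnets": [
                        "subnet-0a1b2c3d4e5f60001",
                        "subnet-0a1b2c3d4e5f60002"
                    ]
                }
            }
        },
        {
            "Sid": "DenyUnapprovedSecurityGroups",
            "Effect": "Deny",
            "Action": [
                "comprehend:StartEntitiesDetectionJob",
                "comprehend:StartDocumentClassificationJob",
                "comprehend:StartSentimentDetectionJob",
                "comprehend:StartKeyPhrasesDetectionJob",
                "comprehend:StartTopicsDetectionJob",
                "comprehend:StartDominantLanguageDetectionJob",
                "comprehend:CreateDocumentClassifier",
                "comprehend:CreateEntityRecognizer"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringNotEquals": {
                    "comprehend:VpcSecurityGroupIds": [
                        "sg-0a1b2c3d4e5f60001"
                    ]
                }
            }
        }
    ]
}
```

The subnet and security group checks are separate statements on purpose: two keys inside one Condition block are ANDed, which would deny only when both an unapproved subnet and an unapproved security group appear in the same request. Attach the policy to the roles or users that submit jobs, and test it with a job that omits VpcConfig, one that names a subnet outside the list, and one that is fully compliant, to confirm that only the last succeeds.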
