{"id":1539,"date":"2022-02-08T18:03:49","date_gmt":"2022-02-08T18:03:49","guid":{"rendered":"https:\/\/salarydistribution.com\/machine-learning\/2022\/02\/08\/implement-mlops-using-aws-pre-trained-ai-services-with-aws-organizations\/"},"modified":"2022-02-08T18:03:49","modified_gmt":"2022-02-08T18:03:49","slug":"implement-mlops-using-aws-pre-trained-ai-services-with-aws-organizations","status":"publish","type":"post","link":"https:\/\/salarydistribution.com\/machine-learning\/2022\/02\/08\/implement-mlops-using-aws-pre-trained-ai-services-with-aws-organizations\/","title":{"rendered":"Implement MLOps using AWS pre-trained AI Services with AWS Organizations"},"content":{"rendered":"<div id=\"\">\n<p>The <a href=\"https:\/\/docs.aws.amazon.com\/solutions\/latest\/aws-mlops-framework\/aws-mlops-framework.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Machine Learning Operations (MLOps) framework<\/a> is an iterative and repetitive process for evolving AI models over time. Like DevOps, practitioners gain efficiencies promoting their artifacts through various environments (such as quality assurance, integration, and production) for quality control. In parallel, customers rapidly adopt multi-account strategies through <a href=\"https:\/\/aws.amazon.com\/organizations\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Organizations<\/a> and <a href=\"https:\/\/aws.amazon.com\/controltower\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Control Tower<\/a> to create secure, isolated environments. This combination can introduce challenges for implementing MLOps with AWS pre-trained AI Services, such as <a href=\"https:\/\/aws.amazon.com\/rekognition\/custom-labels-features\/\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon Rekognition Custom Labels<\/a>. 
This post discusses design patterns for reducing that complexity while still maintaining security best practices.<\/p>\n<h2>Overview<\/h2>\n<p>Customers across every industry vertical recognize the value of operationalizing machine learning (ML) efficiently and reducing the time to deliver business value. Most AWS pre-trained AI Services address this situation through out-of-the-box capabilities for computer vision, translation, and fraud detection, among other common use cases. Many use cases require domain-specific predictions that go beyond generic answers. For those scenarios, the AI Services can fine-tune the predictive model results using customer-labeled data.<\/p>\n<p>Over time, the domain-specific vocabulary changes and evolves. For example, suppose a tool manufacturer creates a computer vision model to detect its products in images (such as hammers and screwdrivers). In a future release, the business adds support for wrenches and saws. These new labels necessitate code changes on the manufacturer\u2019s websites and custom applications. Now there is a dependency: both artifacts must be released simultaneously.<\/p>\n<p>The AWS MLOps framework addresses these release challenges through iterative and repetitive processes. Before reaching production end-users, the model artifacts must traverse various quality gates, just like application code. You typically implement those quality gates using <a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/organizing-your-aws-environment\/organizing-your-aws-environment.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">multiple AWS accounts<\/a> within an AWS organization. This approach gives the flexibility to centrally manage these application domains and enforce guardrails and business requirements. It\u2019s becoming increasingly common to have tens or even hundreds of accounts within your organization. 
However, you must balance your workload isolation needs against the team size and complexity.<\/p>\n<p>MLOps practitioners have standard procedures for promoting artifacts between accounts (such as QA to production). These patterns are straightforward to implement, relying on copying code and binary resources between <a href=\"http:\/\/aws.amazon.com\/s3\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon Simple Storage Service<\/a> (Amazon S3) buckets. However, AWS pre-trained AI Services don\u2019t currently support copying the trained custom model across AWS accounts. Until such a mechanism exists, you need to retrain the models in each AWS account using the same dataset. This approach involves time and cost for retraining the model in a new account. This mechanism can be a viable option for some customers. However, in this post, we demonstrate the means to define and evolve these custom models centrally while securely sharing them across an AWS organization\u2019s accounts.<\/p>\n<h2>Solution overview<\/h2>\n<p>This post discusses design patterns for securely sharing AWS pre-trained AI Service domain-specific models. These services include <a href=\"https:\/\/aws.amazon.com\/fraud-detector\/\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon Fraud Detector<\/a>, <a href=\"https:\/\/aws.amazon.com\/transcribe\/\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon Transcribe<\/a>, and <a href=\"https:\/\/aws.amazon.com\/rekognition\/\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon Rekognition<\/a>, to name a few. Although these strategies are broadly applicable, we focus on Rekognition Custom Labels as a concrete example. We intentionally avoid diving too deep into Rekognition Custom Labels-specific nuances.<\/p>\n<p>The architecture begins with a configured AWS Control Tower in the management account. AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment. 
As shown in the following diagram, we use <a href=\"https:\/\/docs.aws.amazon.com\/controltower\/latest\/userguide\/account-factory.html\" target=\"_blank\" rel=\"noopener noreferrer\">Account Factory<\/a> in AWS Control Tower to create five AWS accounts:<\/p>\n<ul>\n<li>CI\/CD account for deployment orchestration (for example, with <a href=\"https:\/\/aws.amazon.com\/codestar\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS CodeStar<\/a>)<\/li>\n<li>Production account for external end-users (for example, a public website)<\/li>\n<li>Quality assurance account for internal development teams (such as preproduction)<\/li>\n<li>ML account for custom models and supporting systems<\/li>\n<li><a href=\"https:\/\/aws.amazon.com\/blogs\/big-data\/build-a-lake-house-architecture-on-aws\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Lake House<\/a> account holding proprietary customer data<\/li>\n<\/ul>\n<p>This configuration might be too granular or coarse, depending on your regulatory requirements, industry, and size. Refer to <a href=\"https:\/\/aws.amazon.com\/blogs\/mt\/managing-the-multi-account-environment-using-aws-organizations-and-aws-control-tower\/\" target=\"_blank\" rel=\"noopener noreferrer\">Managing the multi-account environment using AWS Organizations and AWS Control Tower<\/a> for more guidance.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-large wp-image-32676\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/03\/ml_6569_fig1-1024x375.png\" alt=\"Example AWS Organizations account configuration \" width=\"1024\" height=\"375\"><\/p>\n<h2>Create the Rekognition Custom Labels model<\/h2>\n<p>The first step to creating a Rekognition Custom Labels model is choosing the AWS account to host it. You might begin your ML journey using a single ML account. This approach consolidates any tooling and procedures into one place. 
However, this centralization can cause bloat in the individual account and lead to monolithic environments. More mature enterprises segment this ML account by team or workload. Regardless of the granularity, the objective is the same: define models centrally and train them once.<\/p>\n<p>This post demonstrates using a Rekognition Custom Labels model with a single ML account and a separate data lake account (see the following diagram). When the data resides in a different account, you must configure a resource policy to <a href=\"https:\/\/aws.amazon.com\/premiumsupport\/knowledge-center\/cross-account-access-s3\/\" target=\"_blank\" rel=\"noopener noreferrer\">provide cross-account access to the S3 bucket<\/a> objects. This procedure securely shares the bucket\u2019s contents with the ML account. See the <a href=\"https:\/\/docs.aws.amazon.com\/rekognition\/latest\/customlabels-dg\/getting-started.html\" target=\"_blank\" rel=\"noopener noreferrer\">quick start samples<\/a> for more information on <a href=\"https:\/\/aws.amazon.com\/blogs\/machine-learning\/announcing-amazon-rekognition-custom-labels\/\" target=\"_blank\" rel=\"noopener noreferrer\">creating an Amazon Rekognition domain-specific model<\/a>.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-32682\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/03\/ml_6569_fig2.png\" alt=\"Sharing data across accounts\" width=\"602\" height=\"430\"><\/p>\n<p>The following example bucket policy, attached to the training data bucket in the data lake account, grants the Amazon Rekognition service principal the read and write permissions it needs:<\/p>\n<pre><code class=\"lang-json\">{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"AWSRekognitionS3AclBucketRead20191011\",\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n                \"Service\": \"rekognition.amazonaws.com\"\n            },\n            \"Action\": [\n                \"s3:GetBucketAcl\",\n                \"s3:GetBucketLocation\"\n            ],\n            \"Resource\": \"arn:aws:s3:::S3:\"\n        
},\n        {\n            \"Sid\": \"AWSRekognitionS3GetBucket20191011\",\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n                \"Service\": \"rekognition.amazonaws.com\"\n            },\n            \"Action\": [\n                \"s3:GetObject\",\n                \"s3:GetObjectAcl\",\n                \"s3:GetObjectVersion\",\n                \"s3:GetObjectTagging\"\n            ],\n            \"Resource\": \"arn:aws:s3:::S3:\/*\"\n        },\n        {\n            \"Sid\": \"AWSRekognitionS3ACLBucketWrite20191011\",\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n                \"Service\": \"rekognition.amazonaws.com\"\n            },\n            \"Action\": \"s3:GetBucketAcl\",\n            \"Resource\": \"arn:aws:s3:::S3:\"\n        },\n        {\n            \"Sid\": \"AWSRekognitionS3PutObject20191011\",\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n                \"Service\": \"rekognition.amazonaws.com\"\n            },\n            \"Action\": \"s3:PutObject\",\n            \"Resource\": \"arn:aws:s3:::S3:\/*\",\n            \"Condition\": {\n                \"StringEquals\": {\n                    \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n                }\n            }\n        }\n    ]\n}<\/code><\/pre>\n<h2>Enable cross-account access<\/h2>\n<p>After you build and deploy the model, the endpoint is only available within the ML account. Do not use a <a href=\"https:\/\/aws.amazon.com\/blogs\/apn\/securely-accessing-customer-aws-accounts-with-cross-account-iam-roles\/\" target=\"_blank\" rel=\"noopener noreferrer\">static key<\/a> to share access. 
You must <a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/tutorial_cross-account-with-roles.html\" target=\"_blank\" rel=\"noopener noreferrer\">delegate access<\/a> to the production (or QA) account using <a href=\"http:\/\/aws.amazon.com\/iam\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Identity and Access Management<\/a> (IAM) roles. To create a cross-account role in the ML account, complete the following steps:<\/p>\n<ol>\n<li>On the Rekognition Custom Labels console, choose <strong>Projects<\/strong> and choose your project name.<\/li>\n<li>Choose <strong>Models<\/strong> and your model name.<\/li>\n<li>On the <strong>Use model<\/strong> tab, scroll down to the <strong>Use your model<\/strong> section.<\/li>\n<li>Copy the model Amazon Resource Name (ARN). It should be formatted as follows: <code>arn:aws:rekognition:region-name:account-id:project\/<em>model-name<\/em>\/<em>version<\/em>\/<em>version-id<\/em>\/<em>timestamp<\/em><\/code>.<\/li>\n<li>Create a role with <code>rekognition:DetectCustomLabels<\/code> permissions on the model ARN and a trust policy allowing <code>sts:AssumeRole<\/code> from the production (or QA) account (for example, <code>arn:aws:iam::<em>PROD_ACCOUNT_ID_HERE<\/em>:root<\/code>).<\/li>\n<li>Optionally, attach additional policies for any workload-specific actions (such as accessing S3 buckets).<\/li>\n<li>Optionally, configure the <a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/reference_policies_elements_condition.html\" target=\"_blank\" rel=\"noopener noreferrer\">condition element<\/a> to enforce additional delegation requirements.<\/li>\n<li>Record the new role\u2019s ARN to use in the next section.<\/li>\n<\/ol>\n<h2>Invoke the endpoint<\/h2>\n<p>With the security policies in place, it\u2019s time to test the configuration. 
A simple approach involves creating an <a href=\"http:\/\/aws.amazon.com\/ec2\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon Elastic Compute Cloud<\/a> (Amazon EC2) instance and using the <a href=\"http:\/\/aws.amazon.com\/cli\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Command Line Interface<\/a> (AWS CLI). Invoke the endpoint with the following steps:<\/p>\n<ol>\n<li>In the production (or QA) account, create a role for Amazon EC2.<\/li>\n<li>Attach a policy allowing <code>sts:AssumeRole<\/code> on the ML account\u2019s cross-account role ARN.<\/li>\n<li><a href=\"https:\/\/docs.aws.amazon.com\/AWSEC2\/latest\/UserGuide\/EC2_GetStarted.html\" target=\"_blank\" rel=\"noopener noreferrer\">Launch an Amazon Linux 2 instance<\/a> with the role from the previous step.<\/li>\n<li>Wait for it to provision, then <a href=\"https:\/\/docs.aws.amazon.com\/AWSEC2\/latest\/UserGuide\/AccessingInstancesLinux.html\" target=\"_blank\" rel=\"noopener noreferrer\">connect to the Linux instance using SSH<\/a>.<\/li>\n<li>Invoke the command <code>aws sts assume-role<\/code> to switch to the cross-account role from the previous section.<\/li>\n<li><a href=\"https:\/\/docs.aws.amazon.com\/rekognition\/latest\/customlabels-dg\/rm-start.html\" target=\"_blank\" rel=\"noopener noreferrer\">Start the model endpoint<\/a>, if not already running, using the Rekognition console or the <a href=\"https:\/\/docs.aws.amazon.com\/cli\/latest\/reference\/rekognition\/start-project-version.html\" target=\"_blank\" rel=\"noopener noreferrer\">start-project-version<\/a> AWS CLI command.<\/li>\n<li>Invoke the command <a href=\"https:\/\/docs.aws.amazon.com\/cli\/latest\/reference\/rekognition\/detect-custom-labels.html\" target=\"_blank\" rel=\"noopener noreferrer\">aws rekognition detect-custom-labels<\/a> to test the operation.<\/li>\n<\/ol>\n<p>You can also perform this test using the AWS SDK and 
another compute resource (for example, <a href=\"http:\/\/aws.amazon.com\/lambda\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Lambda<\/a>).<\/p>\n<h2>Avoiding the public internet<\/h2>\n<p>In the previous section, the detect-custom-labels request uses the virtual private cloud\u2019s (VPC) internet gateway and traverses the public internet. TLS\/SSL encryption sufficiently secures the communication channel for many workloads. For workloads that must not traverse the public internet, you can use <a href=\"https:\/\/aws.amazon.com\/privatelink\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS PrivateLink<\/a> to <a href=\"https:\/\/docs.aws.amazon.com\/vpc\/latest\/privatelink\/vpc-endpoints.html\" target=\"_blank\" rel=\"noopener noreferrer\">enable connections between the VPC and supporting services<\/a> without requiring an internet gateway, NAT device, VPN connection, transit gateway, or <a href=\"https:\/\/aws.amazon.com\/directconnect\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Direct Connect<\/a> connection. The detect-custom-labels request then never leaves the AWS network and is not exposed to the public internet. AWS PrivateLink supports all services used within this post. You can also require that pre-trained AI Services are reached only over private connectivity by adding an IAM condition to the cross-account role policy, as described in <a href=\"https:\/\/aws.amazon.com\/blogs\/machine-learning\/securing-amazon-comprehend-api-calls-with-aws-privatelink\/\" target=\"_blank\" rel=\"noopener noreferrer\">Securing Amazon Comprehend API calls with AWS PrivateLink<\/a>. This control adds another level of protection that prevents misconfigured clients from using the pre-trained AI Service\u2019s internet-facing endpoint. 
For additional information, see <a href=\"https:\/\/docs.aws.amazon.com\/rekognition\/latest\/dg\/vpc.html\" target=\"_blank\" rel=\"noopener noreferrer\">Using Amazon Rekognition with Amazon VPC endpoints<\/a>, <a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/privatelink-interface-endpoints.html\" target=\"_blank\" rel=\"noopener noreferrer\">AWS PrivateLink for Amazon S3<\/a>, and <a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/id_credentials_sts_vpce.html\" target=\"_blank\" rel=\"noopener noreferrer\">Using AWS STS interface VPC endpoints<\/a>.<\/p>\n<p>The following diagram illustrates the VPC endpoint configuration between the production account, ML account, and QA account.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-32684\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/03\/ml_6569_fig3.png\" alt=\"Using VPC Endpoints across accounts\" width=\"630\" height=\"517\"><\/p>\n<h2>Build a CI\/CD pipeline for promoting models<\/h2>\n<p>AWS recommends continuously adding more training and test data to the Rekognition Custom Labels project dataset to <a href=\"https:\/\/github.com\/aws-samples\/amazon-rekognition-custom-labels-feedback-solution\" target=\"_blank\" rel=\"noopener noreferrer\">improve models<\/a>. After you add more data to a project, training a new model version can improve accuracy or change the set of labels.<\/p>\n<p>In MLOps, model artifacts must be consistent. To accomplish this with pre-trained AI Services, AWS recommends promoting the model endpoint by updating the code\u2019s reference to the new model version\u2019s ARN. This approach avoids retraining the domain-specific model in each environment (such as QA and production accounts). 
Your applications can use the new model\u2019s ARN as a runtime variable using <a href=\"https:\/\/aws.amazon.com\/systems-manager\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Systems Manager<\/a> within a multi-account or <a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/practicing-continuous-integration-continuous-delivery\/testing-stages-in-continuous-integration-and-continuous-delivery.html\" target=\"_blank\" rel=\"noopener noreferrer\">multi-stage environment<\/a>.<\/p>\n<p>Access to the cross-account model can be limited at three levels of granularity: the account, the project, and the model version. Model versions are immutable, and each has a unique ARN that maps to a specific point-in-time training run: <code>arn:aws:rekognition:region:account-id:project\/<em>project_name<\/em>\/<em>version<\/em>\/<em>name<\/em>\/<em>timestamp<\/em><\/code>.<\/p>\n<p>The following diagram illustrates the model rotation from QA to production.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-32685\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/03\/ml_6569_fig4.png\" alt=\"Promoting the model version\" width=\"678\" height=\"517\"><\/p>\n<p>In the preceding architecture, the production and QA applications make API calls to use the v2 or v3 model endpoints through their respective VPC endpoints. They receive the ARN from their configuration store (for example, <a href=\"https:\/\/docs.aws.amazon.com\/systems-manager\/latest\/userguide\/systems-manager-parameter-store.html\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Systems Manager Parameter Store<\/a> or <a href=\"https:\/\/aws.amazon.com\/systems-manager\/features\/appconfig\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS AppConfig<\/a>). This process works with any number (<em>n<\/em>) of environments, but we demonstrate using only two accounts for simplicity. 
Optionally, removing superseded model versions prevents further consumption of those resources.<\/p>\n<p>The ML account has an IAM role for each environment-specific account (such as the production account) that requires access. As part of the deployment, the CI\/CD pipeline updates the inline policy of that IAM role to allow access to the appropriate model version.<\/p>\n<p>Consider the scenario of promoting Model-v2 from the QA account to the production account. This process requires the following steps:<\/p>\n<ol>\n<li>On the Rekognition Custom Labels console, transition the Model-v2 endpoint into a running state.<\/li>\n<li>Grant the IAM cross-account role in the ML account access to the new version, Model-v2.<\/li>\n<\/ol>\n<p>Note that the <a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/reference_policies_elements_resource.html\" target=\"_blank\" rel=\"noopener noreferrer\">resource element<\/a> supports wildcards in the ARN.<\/p>\n<ol start=\"3\">\n<li>Send a test invocation to Model-v2 from the production application using the delegation role.<\/li>\n<li>Optionally, remove the cross-account role\u2019s access to Model-v1.<\/li>\n<li>Optionally, repeat steps 2\u20133 for each additional AWS account.<\/li>\n<li>Optionally, stop the Model-v1 endpoint to avoid incurring costs.<\/li>\n<\/ol>\n<p>Global policy propagation from the IAM control plane to the IAM data plane in every Region is an eventually consistent operation. This design can create slight delays for multi-Region configurations.<\/p>\n<h2>Create guardrails through service control policies<\/h2>\n<p>Using cross-account roles creates a secure mechanism for sharing pre-trained managed AI resources. But what happens when that role\u2019s policy is too permissive? 
You can mitigate these risks by <a href=\"https:\/\/aws.amazon.com\/blogs\/security\/how-to-use-service-control-policies-to-set-permission-guardrails-across-accounts-in-your-aws-organization\/\" target=\"_blank\" rel=\"noopener noreferrer\">using service control policies (SCPs) to set permission guardrails across accounts<\/a>. Guardrails specify the <a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/access_policies_boundaries.html\" target=\"_blank\" rel=\"noopener noreferrer\">maximum permissions<\/a> available for an IAM identity. These capabilities can prevent a model consumer account from, for example, stopping the shared Amazon Rekognition endpoint. After defining appropriate guardrail requirements, <a href=\"https:\/\/aws.amazon.com\/blogs\/mt\/best-practices-for-organizational-units-with-aws-organizations\/\" target=\"_blank\" rel=\"noopener noreferrer\">organizational units within Organizations<\/a> allow centrally managing those policies across multiple accounts.<\/p>\n<p>The following example SCP denies creating, deleting, starting, or stopping Rekognition projects and project versions in the accounts it applies to:<\/p>\n<pre><code class=\"lang-json\">{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"DenyModifyingRekognitionProjects\",\n      \"Effect\": \"Deny\",\n      \"Action\": [\n        \"rekognition:CreateProject*\",\n        \"rekognition:DeleteProject*\",\n        \"rekognition:StartProject*\",\n        \"rekognition:StopProject*\"\n      ],\n      \"Resource\": [\n        \"arn:aws:rekognition:*:*:project\/*\"\n      ]\n    }\n  ]\n}\n<\/code><\/pre>\n<p>You can also configure detective controls to monitor the configuration and make sure it doesn\u2019t drift out of compliance. 
<a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/what-is-access-analyzer.html\" target=\"_blank\" rel=\"noopener noreferrer\">AWS IAM Access Analyzer<\/a> supports assessing policies across the organization and reporting unused permissions. Additionally, <a href=\"https:\/\/aws.amazon.com\/config\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Config<\/a> enables assessing, auditing, and evaluating configurations of AWS resources. This capability supports standard security and compliance requirements, such as <a href=\"https:\/\/aws.amazon.com\/blogs\/mt\/aws-config-auto-remediation-s3-compliance\/\" target=\"_blank\" rel=\"noopener noreferrer\">verifying and remediating<\/a> the S3 bucket\u2019s encryption settings.<\/p>\n<h2>Conclusion<\/h2>\n<p>You need out-of-the-box solutions to add ML capabilities like computer vision, translation, and fraud detection. You also need security boundaries that isolate your different environments for quality control, compliance, and regulatory purposes. AWS pre-trained AI services and AWS Control Tower deliver that functionality in a manner that is easily accessible and secure.<\/p>\n<p>AWS pre-trained AI services don\u2019t currently support copying the trained custom model across AWS accounts. Until such a mechanism exists, you need to retrain the models in each AWS account using the same dataset. This post demonstrates an alternative design approach using IAM cross-account policies to share model endpoints while maintaining robust security control. Furthermore, you can stop paying for redundant training jobs! 
For more information on cross-account policies, see <a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/tutorial_cross-account-with-roles.html\" target=\"_blank\" rel=\"noopener noreferrer\">IAM tutorial: Delegate access across AWS accounts using IAM roles<\/a>.<\/p>\n<hr>\n<h3>About the Authors<\/h3>\n<p><strong><a href=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/03\/Nate-Bachmeir.png\"><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-32677 alignleft\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/03\/Nate-Bachmeir.png\" alt=\"\" width=\"100\" height=\"133\"><\/a>Nate Bachmeier<\/strong> is an AWS Senior Solutions Architect who nomadically explores New York, one cloud integration at a time. He specializes in migrating and modernizing customers\u2019 workloads. Besides this, Nate is a full-time student and has two kids.<\/p>\n<p><a href=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/03\/mbbourgo-1.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-32709 size-full alignleft\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/03\/mbbourgo-1.jpg\" alt=\"\" width=\"100\" height=\"98\"><\/a><strong>Mario Bourgoin<\/strong> is a Senior Partner Solutions Architect for AWS, an AI\/ML specialist, and the global tech lead for MLOps. He works with enterprise customers and partners deploying AI solutions in the cloud. He has more than 30 years\u2019 experience doing machine learning and AI at startups and in enterprises, starting with creating one of the first commercial machine learning systems for big data. Mario spends the balance of his time playing with his three Belgian Tervurens, cooking dinners for his family, and learning about mathematics and cosmology.<\/p>\n<p><a 
href=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/03\/mutimth-1.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-32708 size-full alignleft\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/03\/mutimth-1.jpg\" alt=\"\" width=\"100\" height=\"150\"><\/a><strong>Tim Murphy<\/strong> is a Senior Solutions Architect for AWS, working with enterprise customers in various industries to build business-based solutions in the cloud. He has spent the last decade working with startups, non-profits, commercial enterprise, and government agencies, deploying infrastructure at scale. In his spare time when he isn\u2019t tinkering with technology, you\u2019ll most likely find him in far-flung areas of the earth hiking mountains, surfing waves, or biking through a new city.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>https:\/\/aws.amazon.com\/blogs\/machine-learning\/implement-mlops-using-aws-pre-trained-ai-services-with-aws-organizations\/<\/p>\n","protected":false},"author":0,"featured_media":1540,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/posts\/1539"}],"collection":[{"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/comments?post=1539"}],"version-history":[{"count":0,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/posts\/1539\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/media\/1540"}],"
wp:attachment":[{"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/media?parent=1539"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/categories?post=1539"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/tags?post=1539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}