Build GenAI Applications Using Amazon Bedrock With AWS PrivateLink To Protect Your Data Privacy
Manage and protect data security and compliance standards.
Xiaoyu Xing
Amazon Employee
Published Jan 12, 2024
Last Modified Apr 26, 2024
Most would likely agree that Data Privacy is an important issue that cannot be overlooked when it comes to data analytics and machine learning. Generative AI is making waves, but without proper security control, Generative AI tools could be susceptible to data theft. This could lead to unauthorized access or disclosure of sensitive information, potentially leading to privacy violations and possible misuse of both sensitive personal data or intellectual property.
Amazon Bedrock, a fully managed service, allows you to build generative AI applications that support data security and compliance standards, including GDPR and HIPAA.
With Amazon Bedrock,
- Your content (e.g. prompt data, fine-tuning data, vector store data with RAG (Retrieval Augmented Generation) etc.) is not shared with a third party model providers (including AWS).
- You can use AWS PrivateLink to establish private connectivity between the Foundation Models (FM) and on-premises networks or your AWS VPC (Virtual Private Cloud), without exposing your traffic to the public internet. (This blog post's focus)
- Your data is always encrypted in transit (TLS1.2) and at rest. You can use your own keys or AWS KMS (Key Management Service) keys to encrypt the data.
- You can encrypt and store customized (fine-tuned) models with a KMS key that's either managed by AWS or by yourself.
You can further configure VPC for fine-tuning jobs with Bedrock, which prevent the training data from being accessible over the internet. - Potential misuse is prevented by Bedrock abuse detection. This feature automatically (no human review or access to user inputs or model outputs) identifies and mitigates potential violations of AWS's Acceptable Use Policy (AUP) and Responsible AI Policy, or a third party model provider's AUP.
As you can see, Amazon Bedrock provides you comprehensive security and compliance capabilities. Here I just list some of them. Let's dive a bit deeper on using AWS PrivateLink to establish private connectivity between your GenAI application and the FMs or your fine-tuned models on Amazon Bedrock.
Privacy breaches on the internet present genuine risks but with AWS PrivateLink you can link your own VPCs, on-premise networks, and supported AWS services (e.g. Amazon Lambda, Amazon Bedrock) privately (private IP) without exposing your data to the public internet.
The figure below shows how AWS PrivateLink works.
Interface VPC endpoint, powered by PrivateLink, connect you to:
- other AWS services
- services hosted by AWS Partners
- supported solutions available in AWS Marketplaces
- enterprise applications in another VPC
Security benefits of AWS PrivateLink:
- Regulatory Compliance (e.g. HIPAA, PCI) - preventing sensitive data (e.g.PII) from traversing through the internet.
- Privately access AWS services - connecting your VPC to AWS services privately.
You can configure security groups of services (e.g. Lambda) on your VPC to control the access to the corresponding AWS services (e.g. Bedrock) as well.
In addition to the security benefit, AWS PrivateLink also makes it easier to connect AWS services across different AWS accounts and VPCs to simplify your network architecture.
There are many patterns to build up GenAI application with Amazon Bedrock. Let's focus on demonstration of how to establish a private link with Bedrock with Amazon Lambda function as the key component of a GenAI application.
The figure below shows the reference architecture, where the client can access to the GenAI application via AWS PrivateLink. Client can be on-premise or on AWS VPC (which can be the same or different from where the GenAI application located). Be aware that the GenAI application should be on the same region with the connected Amazon Bedrock endpoint. At the time of writing this blog post, Amazon Bedrock is not supported in all the AWS Regions, so remember to check the supported regions.
One way to build this up is to follow the steps below:
I use this example as a simplified GenAI application, where Lambda functions interact with Amazon Bedrock to generate text.
From VPC console:
Configure VPC settings:
Note:
- When creating VPC choose Tenancy with "Default" since Lambda doesn't work with "Dedicated" tenancy for now.
To connect to resources in a dedicated VPC, peer it to a second VPC with default tenancy. - It is a good idea to have at least 2 AZs(Availability Zones) and 2 subnets considering resilience.
- You have the option to choose the specific AZs. This is useful since not all AZs support Bedrock VPC endpoint. To identify which AZs are in an AWS region and support Bedrock VPC endpoint, run the following command:
An example of use-east-1 is like this:
Security Group controls the traffic that is allowed to reach (inbound rules) and leave (outbound rules) the resources that it is associated with.
In this example, create a security group with inbound rule allowing HTTPS protocol.
Limit the source IP addresses if you only need to allow a list of specific IP addresses to access your application.
In this example, create a security group with inbound rule allowing HTTPS protocol.
Limit the source IP addresses if you only need to allow a list of specific IP addresses to access your application.
Setup inbound and outbound rules:
Lambda function is by default running on the Lambda service VPC with public internet access. To connect your lambda function to your own VPC, use a Hyperplane ENI (Elastic Network Interface). Hyperplane ENI provides NAT capabilities from the Lambda VPC to your account VPC. When creating or updating a Lambda function, Lambda allocates one Hyperplane ENI for each subnet in the function's VPC configuration.
4.1. Before connecting your Lambda function to your VPC, you need to give extra permission to the lambda function's execution role
- Get the Lambda function's execution role:
- AWS IAM(Identity & Access Management) console, add AWS managed policy - AWSLambdaVPCAccessExecutionRole
This role allows Lambda to do the following actions:
- "logs:CreateLogGroup"
- "logs:CreateLogStream"
- "logs:PutLogEvents"
- "ec2:CreateNetworkInterface"
- "ec2:DescribeNetworkInterfaces"
- "ec2:DeleteNetworkInterface"
- "ec2:AssignPrivateIpAddresses"
- "ec2:UnassignPrivateIpAddresses"
4.2. Configure Lambda VPC access
Add the private subnets and security group to the Lambda function's VPC configuration.
Now your Lambda function is connected with your VPC. You can repeat the same steps for other Lambda functions.
In order to connect your VPC and Amazon Bedrock service using AWS PrivateLink, you need to create an interface VPC endpoint.
From VPC console, create an endpoint:
Choose Bedrock VPC endpoints as "bedrock-runtime":
Choose VPC and private subnets created in step two:
You can further control Bedrock VPC endpoint access via endpoint policy.
Configure endpoint policy:
After all the above steps, it is time to test your GenAI application by invoking Lambda functions.
The test can be executed form your client or from a Lambda console:
Check the response:
Detailed logs from Lambda function's corresponding CloudWatch logs are like this. This is useful for troubleshooting.
This example is focusing on Lambda as GenAI application key component.
If your application uses additional AWS beyond Amazon Lambda - and it interacts with Amazon Bedrock and supports VPC connections - then the same approach described in this blog can also be applied to those services.
AWS PrivateLink is powerful to privately connect your services on VPC with Amazon Bedrock.
With AWS PrivateLink, you can further control who can access your application and what actions they can take via Security Group and Endpoint Policy.
With AWS PrivateLink, you can further control who can access your application and what actions they can take via Security Group and Endpoint Policy.
Building up your GenAI with Amazon Bedrock, your prompts and your data is not used in AWS's first class models or third party models; data remains in the region where they were created; all the customization (fine-tuning model) you do with the model is per customer, per tenant, completely isolated, encrypted, and maintained completely separated from the models themselves.
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.