Enhance Security in Amazon SageMaker Ground Truth with IP-Restricted Presigned URLs

SeniorTechInfo

Enhancing Security with IP-Restricted Presigned URLs in Amazon SageMaker Ground Truth

Amazon SageMaker Ground Truth revolutionizes data labeling by combining human annotators with machine learning. This powerful integration automates the labeling process, reducing costs and saving time. With SageMaker Ground Truth, you can create labeling jobs where data objects are annotated by human workers. These tasks are then distributed among a workteam assigned to perform the annotations. To access the data objects for labeling, workers are provided with Amazon S3 presigned URLs.

Presigned URLs offer temporary access to Amazon S3 objects. With SageMaker Ground Truth, these presigned URLs are generated using the grant_read_access filter and embedded into task templates. Workers can then directly access these files, such as images or documents, in their web browsers for annotation.

Introducing Enhanced Security with IP-Restricted Presigned URLs

Recognizing the need for enhanced security measures, Amazon has introduced a new feature in SageMaker Ground Truth that restricts access to presigned URLs based on the worker’s IP address or VPC endpoint. This added layer of security helps mitigate the risk of unauthorized access and ensures that sensitive data remains protected.

Benefits of the New Feature

  • Enhanced data privacy: Restricting presigned URLs to approved locations adds an extra layer of security, ensuring that data is accessed only from authorized sources.
  • Reduced risk of unauthorized access: By enforcing IP-based access controls, the risk of data exposure or sharing is minimized, especially for sensitive information.
  • Flexible security options: The feature can be customized for VPC or non-VPC settings, providing tailored security measures for your organization.
  • Auditing and compliance: Tracking access to data becomes easier, aiding in compliance with internal policies and external regulations.
  • Seamless integration: The feature seamlessly integrates with existing workflows, enhancing security without disrupting labeling processes.

With IP-restricted presigned URLs, SageMaker Ground Truth gives organizations greater control over data access, ensuring that sensitive information is only accessible to authorized workers in approved locations.

Configuring IP-Restricted Presigned URLs

The new IP restriction feature can be enabled through the SageMaker API or AWS CLI. By incorporating WorkerAccessConfiguration objects, you can define access constraints for workteams, ensuring that presigned URLs are restricted to specific IP addresses or VPC endpoints.

By following the steps outlined in this blog and leveraging S3 access logs for debugging, organizations can validate that presigned URLs are accessed only from approved and consistent IP addresses.
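
The access-log check described above, as an added example that is not from the original post: it parses S3 server access log lines, selects object GETs authenticated by query string (how presigned URL requests are logged), and reports those arriving from outside an approved range. The CIDR range, bucket name, IDs and log lines are constructed assumptions.

```python
import ipaddress
import re

# S3 server access log fields are space-separated; the timestamp is bracketed
# and the request line, referer and user agent are double-quoted.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
REMOTE_IP, OPERATION, KEY, STATUS, AUTH_TYPE = 3, 6, 7, 9, 21  # field positions

# Assumption: the CIDR range(s) your workteam is expected to connect from.
APPROVED = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample log lines (documentation IP ranges, placeholder IDs).
SAMPLE_LOGS = """
OWNER bkt [06/Feb/2025:00:00:38 +0000] 203.0.113.10 arn:aws:sts::111122223333:assumed-role/ExampleRole/s REQ1 REST.GET.OBJECT images/a.jpg "GET /images/a.jpg?X-Amz-Signature=REDACTED HTTP/1.1" 200 - 5120 5120 20 19 "-" "Mozilla/5.0" - HOST1 SigV4 ECDHE-RSA-AES128-GCM-SHA256 QueryString bkt.s3.amazonaws.com TLSv1.2 - -
OWNER bkt [06/Feb/2025:00:01:02 +0000] 198.51.100.7 arn:aws:sts::111122223333:assumed-role/ExampleRole/s REQ2 REST.GET.OBJECT images/a.jpg "GET /images/a.jpg?X-Amz-Signature=REDACTED HTTP/1.1" 403 AccessDenied 243 - 8 - "-" "Mozilla/5.0" - HOST2 SigV4 ECDHE-RSA-AES128-GCM-SHA256 QueryString bkt.s3.amazonaws.com TLSv1.2 - -
OWNER bkt [06/Feb/2025:00:02:10 +0000] 198.51.100.7 arn:aws:sts::111122223333:assumed-role/ExampleRole/s REQ3 REST.GET.OBJECT images/b.jpg "GET /images/b.jpg?X-Amz-Signature=REDACTED HTTP/1.1" 200 - 4096 4096 18 17 "-" "Mozilla/5.0" - HOST3 SigV4 ECDHE-RSA-AES128-GCM-SHA256 QueryString bkt.s3.amazonaws.com TLSv1.2 - -
OWNER bkt [06/Feb/2025:00:03:00 +0000] 192.0.2.44 arn:aws:iam::111122223333:user/example REQ4 REST.GET.OBJECT images/a.jpg "GET /images/a.jpg HTTP/1.1" 200 - 5120 5120 15 14 "-" "aws-cli/2" - HOST4 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader bkt.s3.amazonaws.com TLSv1.2 - -
"""

def presigned_requests(log_text):
    """Yield (ip, key, status) for object GETs made with a presigned URL."""
    for line in log_text.splitlines():
        fields = TOKEN.findall(line)
        if len(fields) <= AUTH_TYPE:
            continue  # blank or truncated line
        # Presigned URLs carry the signature in the query string.
        if fields[OPERATION] == "REST.GET.OBJECT" and fields[AUTH_TYPE] == "QueryString":
            yield ipaddress.ip_address(fields[REMOTE_IP]), fields[KEY], int(fields[STATUS])

def audit(log_text, approved=APPROVED):
    """Split presigned GETs from unapproved IPs by whether S3 served them."""
    served, denied = [], []
    for ip, key, status in presigned_requests(log_text):
        if any(ip in net for net in approved):
            continue
        (served if status < 400 else denied).append((str(ip), key, status))
    # "served" entries mean the restriction is not in effect for that request;
    # "denied" entries show the restriction blocking an unapproved source.
    return {"served_outside_allowlist": served, "denied_outside_allowlist": denied}

if __name__ == "__main__":
    for bucket, rows in audit(SAMPLE_LOGS).items():
        print(bucket, rows)
```
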

Conclusion

The introduction of IP-restricted presigned URLs in Amazon SageMaker Ground Truth offers enhanced security for data accessed through the service. Organizations can now restrict access to specific IP addresses or VPC endpoints, safeguarding sensitive data effectively. We encourage you to explore this new security feature to protect your organization’s data and enhance the overall security of your labeling workflows.

About the Authors

Sundar Raghavan – AI/ML Specialist Solutions Architect at AWS.

Michael Borde – Lead Software Engineer at Amazon AI.

Jacky Shum – Software Engineer at AWS in the SageMaker Ground Truth team.

Rohith Kodukula – Software Development Engineer on the SageMaker Ground Truth team.

Abhinay Sandeboina – Engineering Manager at AWS Human In The Loop (HIL).
