New ML Governance Tools for Amazon SageMaker – Simplify Access Control and Enhance Transparency Over Your ML Projects

{"value":"As companies increasingly adopt machine learning (ML) for their business applications, they are looking for ways to improve governance of their ML projects with simplified access control and enhanced visibility across the ML lifecycle. A common challenge in that effort is managing the right set of user permissions across different groups and ML activities. For example, a data scientist in your team that builds and trains models usually requires different permissions than an MLOps engineer that manages ML pipelines. Another challenge is improving visibility over ML projects. For example, model information, such as intended use, out-of-scope use cases, risk rating, and evaluation results, is often captured and shared via emails or documents. In addition, there is often no simple mechanism to monitor and report on your deployed model behavior.\n\nThat’s why I’m excited to announce a **[new set of ML governance tools for Amazon SageMaker.](https://aws.amazon.com/sagemaker/ml-governance)**\n\nAs an ML system or platform administrator, you can now use **[Amazon SageMaker](https://aws.amazon.com/cn/sagemaker/?trk=cndc-detail) Role Manager** to define custom permissions for SageMaker users in minutes, so you can onboard users faster. As an ML practitioner, business owner, or model risk and compliance officer, you can now use **[Amazon SageMaker](https://aws.amazon.com/cn/sagemaker/?trk=cndc-detail) Model Cards** to document model information from conception to deployment and **[Amazon SageMaker](https://aws.amazon.com/cn/sagemaker/?trk=cndc-detail) Model Dashboard** to monitor all your deployed models through a unified dashboard.\n\nLet’s dive deeper into each tool, and I’ll show you how to get started.\n\n\n### ++Introducing [Amazon SageMaker](https://aws.amazon.com/cn/sagemaker/?trk=cndc-detail) Role Manager++\nSageMaker Role Manager lets you define custom permissions for SageMaker users in minutes. It comes with a set of predefined policy templates for different personas and ML activities. Personas represent the different types of users that need permissions to perform ML activities in SageMaker, such as data scientists or MLOps engineers. ML activities are a set of permissions to accomplish a common ML task, such as running SageMaker Studio applications or managing experiments, models, or pipelines. You can also define additional personas, add ML activities, and your managed policies to match your specific needs. Once you have selected the persona type and the set of ML activities, SageMaker Role Manager automatically creates the required [AWS Identity and Access Management](https://aws.amazon.com/iam/) (IAM) role and policies that you can assign to SageMaker users.\n\n### ++A Primer on SageMaker and IAM Roles++\nA role is an IAM identity that has permissions to perform actions with AWS services. Besides user roles that are assumed by a user via federation from an Identity Provider (IdP) or the AWS Console, [Amazon SageMaker](https://aws.amazon.com/cn/sagemaker/?trk=cndc-detail) requires service roles (also known as execution roles) to perform actions on behalf of the user. SageMaker Role Manager helps you create these service roles:\n\n- SageMaker Compute Role – Gives SageMaker compute resources the ability to perform tasks such as training and inference, typically used via [PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html). You can select the ```SageMaker Compute Role```\n persona in SageMaker Role Manager to create this role. Depending on the ML activities you select in your SageMaker service roles, you will need to create this compute role first.\n- **SageMaker Service Role** – Some AWS services, including SageMaker, require a service role to perform actions on your behalf. You can select the ```Data Scientist```, ```MLOps```, or ```Custom``` persona in SageMaker Role Manager to start creating service roles with custom permissions for your ML practitioners.\n\nNow, let me show you how this works in practice.\n\nThere are two ways to get to SageMaker Role Manager, either through **Getting started** in the [SageMaker console](https://console.aws.amazon.com/sagemaker) or when you select **Add user** in the SageMaker Studio Domain control panel.\n\nI start in the SageMaker console. Under **Configure role**, select **Create a role**. This opens a workflow that guides you through all required steps.\n\n\n\nLet’s assume I want to create a SageMaker service role with a specific set of permissions for my team of data scientists. In Step 1, I select the predefined policy template for the **Data Scientist** persona.\n\n\n\nI can also define the network and encryption settings in this step by selecting [Amazon Virtual Private Cloud](https://aws.amazon.com/vpc/) ([Amazon VPC](https://aws.amazon.com/cn/vpc/?trk=cndc-detail)) subnets, security groups, and encryption keys.\n\nIn Step 2, I select what ML activities data scientists in my team need to perform.\n\n\n\n\nSome of the selected ML activities might require you to specify the [Amazon Resource Name](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) (ARN) of the SageMaker Compute Role so SageMaker compute resources have the ability to perform the tasks.\n\nIn Step 3, you can attach additional IAM policies and add tags to the role if needed. Tags help you identify and organize your AWS resources. You can use tags to add attributes such as project name, cost center, or location information to a role. After a final review of the settings in Step 4, select **Submit**, and the role is created.\n\nIn just a few minutes, I set up a SageMaker service role, and I’m now ready to onboard data scientists in SageMaker with custom permissions in place.\n\n### ++Introducing [Amazon SageMaker](https://aws.amazon.com/cn/sagemaker/?trk=cndc-detail) Model Cards++\nSageMaker Model Cards helps you streamline model documentation throughout the ML lifecycle by creating a single source of truth for model information. For models trained on SageMaker, SageMaker Model Cards discovers and autopopulates details such as training jobs, training datasets, model artifacts, and inference environment. You can also record model details such as the model’s intended use, risk rating, and evaluation results. For compliance documentation and model evidence reporting, you can export your model cards to a PDF file and easily share them with your customers or regulators.\n\nTo start creating SageMaker Model Cards, go to the [SageMaker console](https://console.aws.amazon.com/sagemaker), select **Governance** in the left navigation menu, and select **Model cards**.\n\n\n\n\nSelect **Create model card** to document your model information.\n\n\n\n\n\n### ++Introducing [Amazon SageMaker](https://aws.amazon.com/cn/sagemaker/?trk=cndc-detail) Model Dashboard++\nSageMaker Model Dashboard lets you monitor all your models in one place. With this bird’s-eye view, you can now see which models are used in production, view model cards, visualize model lineage, track resources, and monitor model behavior through an integration with [SageMaker Model Monitor](https://aws.amazon.com/sagemaker/model-monitor/) and [SageMaker Clarify](https://aws.amazon.com/sagemaker/clarify). The dashboard automatically alerts you when models are not being monitored or deviate from expected behavior. You can also drill deeper into individual models to troubleshoot issues.\n\nTo access SageMaker Model Dashboard, go to the [SageMaker console](https://console.aws.amazon.com/sagemaker), select **Governance** in the left navigation menu, and select **Model dashboard.**\n\n\n\nNote: The risk rating shown above is for illustrative purposes only and may vary based on input provided by you.\n\n### ++Now Available++\n[Amazon SageMaker](https://aws.amazon.com/cn/sagemaker/?trk=cndc-detail) Role Manager, SageMaker Model Cards, and SageMaker Model Dashboard are available today at no additional charge in all the [AWS Regions](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) where [Amazon SageMaker](https://aws.amazon.com/cn/sagemaker/?trk=cndc-detail) is available except for the AWS GovCloud and AWS China Regions.\n\nTo learn more, visit [ML governance with Amazon SageMaker](https://aws.amazon.com/sagemaker/ml-governance) and check the [developer guide](https://docs.aws.amazon.com/sagemaker/latest/dg/governance.html).\n\n**[Start building your ML projects with our new governance tools for Amazon SageMaker today. ](https://console.aws.amazon.com/sagemaker)**\n\n— [Antje](https://twitter.com/anbarth)\n\n\n\n### Antje Barth\nAntje Barth is a Principal Developer Advocate for AI and ML at AWS. She is co-author of the O’Reilly book – Data Science on AWS. Antje frequently speaks at AI/ML conferences, events, and meetups around the world. She also co-founded the Düsseldorf chapter of Women in Big Data.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n","render":"<p>As companies increasingly adopt machine learning (ML) for their business applications, they are looking for ways to improve governance of their ML projects with simplified access control and enhanced visibility across the ML lifecycle. A common challenge in that effort is managing the right set of user permissions across different groups and ML activities. For example, a data scientist in your team that builds and trains models usually requires different permissions than an MLOps engineer that manages ML pipelines. Another challenge is improving visibility over ML projects. For example, model information, such as intended use, out-of-scope use cases, risk rating, and evaluation results, is often captured and shared via emails or documents. In addition, there is often no simple mechanism to monitor and report on your deployed model behavior.</p>\n<p>That’s why I’m excited to announce a <strong><a href=\\"https://aws.amazon.com/sagemaker/ml-governance\\" target=\\"_blank\\">new set of ML governance tools for Amazon SageMaker.</a></strong></p>\n<p>As an ML system or platform administrator, you can now use <strong>Amazon SageMaker Role Manager</strong> to define custom permissions for SageMaker users in minutes, so you can onboard users faster. As an ML practitioner, business owner, or model risk and compliance officer, you can now use <strong>Amazon SageMaker Model Cards</strong> to document model information from conception to deployment and <strong>Amazon SageMaker Model Dashboard</strong> to monitor all your deployed models through a unified dashboard.</p>\\n<p>Let’s dive deeper into each tool, and I’ll show you how to get started.</p>\n<h3><a id=\\"Introducing_Amazon_SageMaker_Role_Manager_9\\"></a><ins>Introducing Amazon SageMaker Role Manager</ins></h3>\\n<p>SageMaker Role Manager lets you define custom permissions for SageMaker users in minutes. It comes with a set of predefined policy templates for different personas and ML activities. Personas represent the different types of users that need permissions to perform ML activities in SageMaker, such as data scientists or MLOps engineers. ML activities are a set of permissions to accomplish a common ML task, such as running SageMaker Studio applications or managing experiments, models, or pipelines. You can also define additional personas, add ML activities, and your managed policies to match your specific needs. Once you have selected the persona type and the set of ML activities, SageMaker Role Manager automatically creates the required <a href=\\"https://aws.amazon.com/iam/\\" target=\\"_blank\\">AWS Identity and Access Management</a> (IAM) role and policies that you can assign to SageMaker users.</p>\\n<h3><a id=\\"A_Primer_on_SageMaker_and_IAM_Roles_12\\"></a><ins>A Primer on SageMaker and IAM Roles</ins></h3>\\n<p>A role is an IAM identity that has permissions to perform actions with AWS services. Besides user roles that are assumed by a user via federation from an Identity Provider (IdP) or the AWS Console, Amazon SageMaker requires service roles (also known as execution roles) to perform actions on behalf of the user. SageMaker Role Manager helps you create these service roles:</p>\n<ul>\\n<li>SageMaker Compute Role – Gives SageMaker compute resources the ability to perform tasks such as training and inference, typically used via <a href=\\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html\\" target=\\"_blank\\">PassRole</a>. You can select the <code>SageMaker Compute Role</code><br />\\npersona in SageMaker Role Manager to create this role. Depending on the ML activities you select in your SageMaker service roles, you will need to create this compute role first.</li>\n<li><strong>SageMaker Service Role</strong> – Some AWS services, including SageMaker, require a service role to perform actions on your behalf. You can select the <code>Data Scientist</code>, <code>MLOps</code>, or <code>Custom</code> persona in SageMaker Role Manager to start creating service roles with custom permissions for your ML practitioners.</li>\\n</ul>\n<p>Now, let me show you how this works in practice.</p>\n<p>There are two ways to get to SageMaker Role Manager, either through <strong>Getting started</strong> in the <a href=\\"https://console.aws.amazon.com/sagemaker\\" target=\\"_blank\\">SageMaker console</a> or when you select <strong>Add user</strong> in the SageMaker Studio Domain control panel.</p>\\n<p>I start in the SageMaker console. Under <strong>Configure role</strong>, select <strong>Create a role</strong>. This opens a workflow that guides you through all required steps.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/405e5a38bc3349fa82c02dd95ec573ce_image.png\\" alt=\\"image.png\\" /></p>\n<p>Let’s assume I want to create a SageMaker service role with a specific set of permissions for my team of data scientists. In Step 1, I select the predefined policy template for the <strong>Data Scientist</strong> persona.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/1dd9f4a999ad46aa8303f11d415e3dae_image.png\\" alt=\\"image.png\\" /></p>\n<p>I can also define the network and encryption settings in this step by selecting <a href=\\"https://aws.amazon.com/vpc/\\" target=\\"_blank\\">Amazon Virtual Private Cloud</a> ([Amazon VPC](https://aws.amazon.com/cn/vpc/?trk=cndc-detail)) subnets, security groups, and encryption keys.</p>\\n<p>In Step 2, I select what ML activities data scientists in my team need to perform.</p>\n<p><img src=\\"https://dev-media.amazoncloud.cn/a0350b9f40ec4634bbbce17918e1ee1b_image.png\\" alt=\\"image.png\\" /></p>\n<p>Some of the selected ML activities might require you to specify the <a href=\\"https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html\\" target=\\"_blank\\">Amazon Resource Name</a> (ARN) of the SageMaker Compute Role so SageMaker compute resources have the ability to perform the tasks.</p>\\n<p>In Step 3, you can attach additional IAM policies and add tags to the role if needed. Tags help you identify and organize your AWS resources. You can use tags to add attributes such as project name, cost center, or location information to a role. After a final review of the settings in Step 4, select <strong>Submit</strong>, and the role is created.</p>\\n<p>In just a few minutes, I set up a SageMaker service role, and I’m now ready to onboard data scientists in SageMaker with custom permissions in place.</p>\n<h3><a id=\\"Introducing_Amazon_SageMaker_Model_Cards_44\\"></a><ins>Introducing Amazon SageMaker Model Cards</ins></h3>\\n<p>SageMaker Model Cards helps you streamline model documentation throughout the ML lifecycle by creating a single source of truth for model information. For models trained on SageMaker, SageMaker Model Cards discovers and autopopulates details such as training jobs, training datasets, model artifacts, and inference environment. You can also record model details such as the model’s intended use, risk rating, and evaluation results. For compliance documentation and model evidence reporting, you can export your model cards to a PDF file and easily share them with your customers or regulators.</p>\n<p>To start creating SageMaker Model Cards, go to the <a href=\\"https://console.aws.amazon.com/sagemaker\\" target=\\"_blank\\">SageMaker console</a>, select <strong>Governance</strong> in the left navigation menu, and select <strong>Model cards</strong>.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/ddd95185ee0c433294594869d15b261f_image.png\\" alt=\\"image.png\\" /></p>\n<p>Select <strong>Create model card</strong> to document your model information.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/adc7c85da5fe4de1933d268530f43b21_image.png\\" alt=\\"image.png\\" /></p>\n<p><img src=\\"https://dev-media.amazoncloud.cn/ae2189dd35ab4ea2af736ba97e2b6aa8_image.png\\" alt=\\"image.png\\" /></p>\n<h3><a id=\\"Introducing_Amazon_SageMaker_Model_Dashboard_58\\"></a><ins>Introducing Amazon SageMaker Model Dashboard</ins></h3>\\n<p>SageMaker Model Dashboard lets you monitor all your models in one place. With this bird’s-eye view, you can now see which models are used in production, view model cards, visualize model lineage, track resources, and monitor model behavior through an integration with <a href=\\"https://aws.amazon.com/sagemaker/model-monitor/\\" target=\\"_blank\\">SageMaker Model Monitor</a> and <a href=\\"https://aws.amazon.com/sagemaker/clarify\\" target=\\"_blank\\">SageMaker Clarify</a>. The dashboard automatically alerts you when models are not being monitored or deviate from expected behavior. You can also drill deeper into individual models to troubleshoot issues.</p>\\n<p>To access SageMaker Model Dashboard, go to the <a href=\\"https://console.aws.amazon.com/sagemaker\\" target=\\"_blank\\">SageMaker console</a>, select <strong>Governance</strong> in the left navigation menu, and select <strong>Model dashboard.</strong></p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/0ef073d4254548189b49b4de8b0480ba_image.png\\" alt=\\"image.png\\" /></p>\n<p>Note: The risk rating shown above is for illustrative purposes only and may vary based on input provided by you.</p>\n<h3><a id=\\"Now_Available_67\\"></a><ins>Now Available</ins></h3>\\n<p>Amazon SageMaker Role Manager, SageMaker Model Cards, and SageMaker Model Dashboard are available today at no additional charge in all the <a href=\\"https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/\\" target=\\"_blank\\">AWS Regions</a> where [Amazon SageMaker](https://aws.amazon.com/cn/sagemaker/?trk=cndc-detail) is available except for the AWS GovCloud and AWS China Regions.</p>\\n<p>To learn more, visit <a href=\\"https://aws.amazon.com/sagemaker/ml-governance\\" target=\\"_blank\\">ML governance with Amazon SageMaker</a> and check the <a href=\\"https://docs.aws.amazon.com/sagemaker/latest/dg/governance.html\\" target=\\"_blank\\">developer guide</a>.</p>\\n<p><strong><a href=\\"https://console.aws.amazon.com/sagemaker\\" target=\\"_blank\\">Start building your ML projects with our new governance tools for Amazon SageMaker today. </a></strong></p>\n<p>— <a href=\\"https://twitter.com/anbarth\\" target=\\"_blank\\">Antje</a></p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/89acf2cd122844fb8d239124c38ee912_image.png\\" alt=\\"image.png\\" /></p>\n<h3><a id=\\"Antje_Barth_78\\"></a>Antje Barth</h3>\\n<p>Antje Barth is a Principal Developer Advocate for AI and ML at AWS. She is co-author of the O’Reilly book – Data Science on AWS. Antje frequently speaks at AI/ML conferences, events, and meetups around the world. She also co-founded the Düsseldorf chapter of Women in Big Data.</p>\n"}