Hands-On Lab: Implementing Governance and Compliance for AI Workloads on AWS
Welcome to this guided hands-on lab. As organizations deploy Generative AI and Machine Learning models, establishing a robust framework for Security, Governance, and Compliance becomes critical. In this lab, you will act as an AI Governance Engineer. You will configure AWS services to enforce data protection, establish an audit trail for AI API activities, and retrieve compliance documentation to satisfy regulatory requirements like GDPR and HIPAA.
Prerequisites
Before starting this lab, ensure you have the following:
- An active AWS Account with AdministratorAccess.
- AWS CLI installed and configured locally (aws configure).
- Basic familiarity with the terminal/command line.
- Familiarity with the concepts of the CIA triad (Confidentiality, Integrity, Availability) and the AWS Shared Responsibility Model.
Learning Objectives
By completing this lab, you will be able to:
- Implement Data Governance: Configure secure, compliant storage for AI training datasets using Amazon S3.
- Establish Auditing & Transparency: Enable AWS CloudTrail to record all API interactions (e.g., model invocations) for traceability.
- Monitor Compliance: Understand how to evaluate resource configurations against regulatory frameworks.
- Retrieve Certifications: Use AWS Artifact to access SOC, ISO, and HIPAA compliance reports for AWS AI services.
Architecture Overview
The following diagram illustrates the governance and auditing pipeline you will build. AWS CloudTrail will capture all API activity related to your AI systems, storing those logs in a secure Amazon S3 bucket. AWS Config (conceptualized here) evaluates the compliance of these resources.
Step-by-Step Instructions
Step 1: Create a Secure S3 Bucket for AI Data and Logs
Data governance requires that all AI training data and system logs are stored securely, with encryption at rest and public access blocked. We will create a bucket to serve as our compliance log destination.
```bash
# Define your bucket name (must be globally unique)
export BUCKET_NAME="brainybee-ai-governance-logs-$RANDOM"
export REGION="us-east-1"

# Create the bucket (regions other than us-east-1 also require
# --create-bucket-configuration LocationConstraint=$REGION)
aws s3api create-bucket \
  --bucket "$BUCKET_NAME" \
  --region "$REGION"

# Block all public access (crucial for HIPAA/GDPR compliance)
aws s3api put-public-access-block \
  --bucket "$BUCKET_NAME" \
  --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
```

📸 Screenshot: Take a screenshot of your terminal showing the successful bucket creation JSON output.
💻 Console alternative
- Navigate to Amazon S3 in the AWS Console.
- Click Create bucket.
- Enter a globally unique name (e.g., brainybee-ai-governance-logs-12345).
- Leave Block all public access checked.
- Click Create bucket.
Step 2: Apply a Governance Policy to the Bucket
To allow AWS CloudTrail to write audit logs to our S3 bucket, we must attach a resource-based policy. This ensures the integrity and availability of our logs.
```bash
# Fetch your AWS Account ID
export ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)

# Create a policy JSON file (the unquoted EOF lets the shell expand
# $BUCKET_NAME and $ACCOUNT_ID inside the document)
cat <<EOF > bucket-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::$BUCKET_NAME"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::$BUCKET_NAME/AWSLogs/$ACCOUNT_ID/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
EOF

# Apply the policy to the bucket
aws s3api put-bucket-policy --bucket "$BUCKET_NAME" --policy file://bucket-policy.json
```

[!TIP] Why is this important? AI systems often operate like "black boxes." If a model produces biased or anomalous outputs, an untampered audit log is the only way to retrace the steps (accountability) and see who invoked the model and with what data.
Step 3: Enable AWS CloudTrail for AI Traceability
Now, we will create a Trail to record management and data events. This provides the transparency required by regulations like the EU's Artificial Intelligence Act.
```bash
# Create the Trail (a new trail logs management events by default;
# data events are added separately with put-event-selectors)
aws cloudtrail create-trail \
  --name ai-compliance-trail \
  --s3-bucket-name "$BUCKET_NAME"

# Start logging
aws cloudtrail start-logging --name ai-compliance-trail
```

💻 Console alternative
- Navigate to AWS CloudTrail in the Console.
- Click Create trail.
- Name it ai-compliance-trail.
- Choose Use existing S3 bucket and select the bucket you created in Step 1.
- Click Next, leave defaults, and click Create trail.
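As an added example (not part of the original lab), the Python below checks the Step 2 bucket policy for CloudTrail statements that are not pinned to one trail with the aws:SourceArn condition key, and returns a copy that is. The bucket name, account ID and region are constructed sample values; the trail name is the one created in Step 3.

```python
import copy
import json

# Constructed sample values standing in for $BUCKET_NAME, $ACCOUNT_ID and the Step 3 trail.
BUCKET = "brainybee-ai-governance-logs-12345"
ACCOUNT_ID = "111122223333"
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT_ID}:trail/ai-compliance-trail"
SERVICE = "cloudtrail.amazonaws.com"

# The Step 2 policy as the lab writes it.
LAB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": SERVICE}, "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": SERVICE}, "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT_ID}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}


def is_unscoped(stmt):
    """True if stmt allows the CloudTrail service without an aws:SourceArn condition."""
    principal = stmt.get("Principal")
    services = principal.get("Service", []) if isinstance(principal, dict) else []
    if isinstance(services, str):
        services = [services]
    if stmt.get("Effect") != "Allow" or SERVICE not in services:
        return False
    # Condition keys are case-insensitive; look under every condition operator.
    keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
    return "aws:sourcearn" not in keys


def unscoped_sids(policy):
    """Sids of CloudTrail statements that are not pinned to a specific trail."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"] if is_unscoped(s)]


def harden(policy, trail_arn):
    """Return a copy with each unscoped statement pinned to one trail ARN."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if is_unscoped(stmt):
            stmt.setdefault("Condition", {}).setdefault("StringEquals", {})["aws:SourceArn"] = trail_arn
    return fixed


if __name__ == "__main__":
    print("unscoped before:", unscoped_sids(LAB_POLICY))
    print(json.dumps(harden(LAB_POLICY, TRAIL_ARN), indent=2))
```

If you apply the hardened policy, the trail name and region passed to create-trail must match the ARN exactly; a mismatch surfaces as the InsufficientS3BucketPolicyException listed under Troubleshooting.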
Step 4: Access AWS Artifact for Compliance Reports
Compliance involves proving to auditors that your underlying infrastructure meets industry standards (e.g., ISO, NIST 800-53, PCI DSS). Since AWS operates on a Shared Responsibility Model, you rely on AWS Artifact to prove the "Security OF the Cloud."
Note: AWS Artifact requires accepting legal terms and is best accessed via the Console.
- In the AWS Management Console, search for and open AWS Artifact.
- In the left navigation pane, click Reports.
- In the search bar, type SOC 2 or HIPAA.
- Click on the AWS SOC 2 Report.
- Click Download report (You may need to accept the NDA prompt).
📸 Screenshot: Capture the AWS Artifact Reports dashboard showing the available compliance documents.
Checkpoints
Verify that your governance infrastructure is running correctly:
Checkpoint 1: Verify S3 Public Access Block
Ensure your training data cannot be accessed from the public internet.

```bash
aws s3api get-public-access-block --bucket "$BUCKET_NAME"
```

Expected Result: A JSON output showing all four Block Public Access settings set to true.

Checkpoint 2: Verify Trail Status
Ensure your auditing system is actively recording AI events.

```bash
aws cloudtrail get-trail-status --name ai-compliance-trail
```

Expected Result: "IsLogging": true
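Once the trail is logging, the delivered files can answer the "who invoked the model" question raised in Step 2. The following added example (not part of the original lab) extracts model-invocation records from a CloudTrail log file, assuming the workload calls Amazon Bedrock's InvokeModel API, which the page does not name; every record, identity, IP address and model ID in it is a constructed sample.

```python
import json
from collections import Counter

# Constructed sample of a decompressed CloudTrail log file (top-level "Records" array).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ml-app/s1"},
     "requestParameters": {"modelId": "example.model-v1"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/intern"},
     "requestParameters": None, "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": {"bucketName": "brainybee-ai-governance-logs-12345"}},
]})

INVOKE_EVENTS = {"InvokeModel", "InvokeModelWithResponseStream"}


def model_invocations(log_text):
    """Return one audit row per model-invocation record in a CloudTrail log file."""
    rows = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "bedrock.amazonaws.com":
            continue
        if rec.get("eventName") not in INVOKE_EVENTS:
            continue
        ident = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}  # the field can be null
        rows.append({
            "time": rec.get("eventTime"),
            "caller": ident.get("arn") or ident.get("invokedBy") or ident.get("type", "unknown"),
            "model": params.get("modelId", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "outcome": rec.get("errorCode", "Success"),  # errorCode is present only on failure
        })
    return rows


def denied_callers(rows):
    """Count failed invocations per caller."""
    return Counter(r["caller"] for r in rows if r["outcome"] != "Success")


if __name__ == "__main__":
    for row in model_invocations(SAMPLE_LOG):
        print(row)
```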
Troubleshooting
| Error | Cause | Fix |
|---|---|---|
| BucketAlreadyExists | S3 bucket names must be globally unique across all of AWS. | Change the $BUCKET_NAME variable to include more random numbers or your initials. |
| AccessDenied on put-bucket-policy | Your IAM user lacks permissions to modify bucket policies. | Ensure you are logged in with AdministratorAccess or a role with s3:PutBucketPolicy. |
| InsufficientS3BucketPolicyException | The CloudTrail service cannot write to the S3 bucket. | Re-run Step 2 carefully, ensuring the $ACCOUNT_ID and $BUCKET_NAME variables evaluated correctly in the JSON. |
Stretch Challenge
Challenge: Implement an AWS Config Rule to continuously monitor your S3 bucket.
Using the CLI or Console, deploy the AWS Config managed rule named s3-bucket-server-side-encryption-enabled. This rule will automatically flag any S3 buckets in your account that do not have encryption enabled—a critical control for GDPR and HIPAA compliance.
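Show Solution (CLI)

```bash
# Requires an AWS Config configuration recorder to be set up in the region.
# The JSON is single-quoted so the shell passes it through unchanged.
aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "s3-encrypted-check",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
  }
}'
```

Cost Estimate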
- Amazon S3: Free tier eligible. Outside of free tier, ~$0.023 per GB/month.
- AWS CloudTrail: The first management event trail per region is FREE.
- AWS Artifact: Access to compliance reports is FREE.
- Estimated Total Cost: $0.00 for this 30-minute lab.
[!WARNING] Always run the teardown steps to prevent unintended data accumulation and future charges.
Clean-Up / Teardown
Run the following commands to delete all provisioned resources:
```bash
# 1. Stop and delete the CloudTrail
aws cloudtrail stop-logging --name ai-compliance-trail
aws cloudtrail delete-trail --name ai-compliance-trail

# 2. Empty and delete the S3 Bucket
# CAUTION: --force deletes all contents inside the bucket immediately
aws s3 rb "s3://$BUCKET_NAME" --force
```

Concept Review
Understanding the distinction between Security, Governance, and Compliance is heavily tested on the AWS Certified AI Practitioner exam.
The Three Pillars of AI Trust
| Concept | Definition | AI Example | AWS Service Alignment |
|---|---|---|---|
| Security | Protects data/infrastructure ensuring Confidentiality, Integrity, Availability. | Encrypting AI training data at rest to prevent unauthorized access. | Amazon Macie, IAM, AWS WAF |
| Governance | Provides the framework to optimize value while managing risks and accountability. | Establishing a review cadence for model drift and logging all model invocations. | AWS CloudTrail, Amazon SageMaker Model Cards |
| Compliance | Systematic adherence to internal policies, industry standards, and laws. | Ensuring the AI system meets HIPAA requirements for processing PHI. | AWS Artifact, AWS Audit Manager, AWS Config |
Additional Key Concepts
- Defense in Depth: Using multiple, layered security controls (e.g., locking the S3 bucket via IAM and using Bucket Policies and tracking access via CloudTrail).
- NIST 800-53: US federal security standard.
- GDPR: European Union data privacy standard demanding user control over data.
- HIPAA: US healthcare standard for protecting Protected Health Information (PHI).