Implementing AI Governance and Compliance Baselines on AWS
Governance and compliance regulations for AI systems
Implementing AI Governance and Compliance Baselines on AWS
[!NOTE] Estimated Time: 30 minutes Difficulty: Guided Cloud Provider: AWS
Welcome to this Hands-On Lab! In the era of Generative AI, establishing a secure, compliant, and well-governed infrastructure is critical. As outlined in Domain 5 of the AWS Certified AI Practitioner (AIF-C01) exam, organizations must protect AI systems while adhering to strict governance frameworks.
In this lab, you will implement foundational security and compliance controls for an AI data storage environment using AWS CloudTrail (for logging and observability) and AWS Config (for automated compliance checks).
Prerequisites
Before starting this lab, ensure you have the following:
- AWS Account: An active AWS account with administrator permissions.
- AWS CLI: Installed and configured with your credentials (
aws configure). - Knowledge: Basic understanding of the AWS Shared Responsibility Model and general AI security principles (confidentiality, integrity, availability).
- Placeholders: Whenever you see
<YOUR_ACCOUNT_ID>or<YOUR_REGION>(e.g.,us-east-1), replace them with your actual AWS account ID and chosen region.
Learning Objectives
By completing this lab, you will be able to:
- Deploy a secure data storage foundation for AI datasets using Amazon S3 with encryption at rest.
- Implement data governance strategies by enabling comprehensive API logging and observability using AWS CloudTrail.
- Enforce compliance regulations automatically by deploying AWS Config rules to ensure AI data storage meets security standards.
Architecture Overview
The following diagram illustrates the governance and security architecture you will build. User actions and AI data access are logged, while configuration states are continuously evaluated for compliance.
Step-by-Step Instructions
Step 1: Create a Secure AI Data Storage Bucket
Data privacy and security are paramount for AI systems. We will start by creating an Amazon S3 bucket to act as our AI data lake and enforcing server-side encryption at rest to protect sensitive training data.
# 1. Create the S3 bucket
aws s3api create-bucket \
--bucket brainybee-ai-data-<YOUR_ACCOUNT_ID> \
--region <YOUR_REGION> \
--create-bucket-configuration LocationConstraint=<YOUR_REGION>
# 2. Enforce Server-Side Encryption (SSE-S3)
aws s3api put-bucket-encryption \
--bucket brainybee-ai-data-<YOUR_ACCOUNT_ID> \
--server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'[!TIP] Always use unique bucket names. Adding your Account ID ensures global uniqueness.
▶🖥️ Console Alternative
- Navigate to the S3 console.
- Click Create bucket.
- Name the bucket
brainybee-ai-data-<YOUR_ACCOUNT_ID>. - Scroll to Default encryption, ensure Server-side encryption is enabled, and select Amazon S3 managed keys (SSE-S3).
- Click Create bucket.
📸 Screenshot: A newly created bucket listed in the S3 console with encryption marked as "Enabled".
Step 2: Establish Governance with AWS CloudTrail
Governance requires observability and auditability. By creating a trail, you ensure every API call made to your AI infrastructure is logged. This provides a transparent audit history critical for regulatory compliance (e.g., GDPR, HIPAA).
# 1. Create a separate bucket for CloudTrail logs
aws s3api create-bucket \
--bucket brainybee-logs-<YOUR_ACCOUNT_ID> \
--region <YOUR_REGION> \
--create-bucket-configuration LocationConstraint=<YOUR_REGION>
# 2. Apply a policy to allow CloudTrail to write to the bucket
aws s3api put-bucket-policy \
--bucket brainybee-logs-<YOUR_ACCOUNT_ID> \
--policy '{"Version":"2012-10-17","Statement":[{"Sid":"AWSCloudTrailWrite","Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"s3:PutObject","Resource":"arn:aws:s3:::brainybee-logs-<YOUR_ACCOUNT_ID>/AWSLogs/<YOUR_ACCOUNT_ID>/*","Condition":{"StringEquals":{"s3:x-amz-acl":"bucket-owner-full-control"}}}]}'
# 3. Create and start the CloudTrail
aws cloudtrail create-trail \
--name ai-governance-trail \
--s3-bucket-name brainybee-logs-<YOUR_ACCOUNT_ID>
aws cloudtrail start-logging \
--name ai-governance-trail▶🖥️ Console Alternative
- Navigate to the CloudTrail console.
- Click Create trail.
- Name it
ai-governance-trail. - Choose Create a new S3 bucket and let AWS auto-generate the bucket and policy.
- Click Next, leave the default event types (Management events), and click Create trail.
📸 Screenshot: The CloudTrail dashboard showing
ai-governance-trailwith status "Logging".
Step 3: Implement Automated Compliance with AWS Config
Manual compliance checks are prone to human error. AWS Config continuously monitors your resources. We will deploy a rule that checks if S3 buckets have encryption enabled—a standard requirement for AI data privacy.
# 1. Enable AWS Config (if not already enabled)
# Note: AWS Config requires a delivery channel and configuration recorder.
# For simplicity in the CLI, ensure it is turned on via the Quick Setup in the console.
# 2. Deploy the Managed Config Rule for S3 Encryption
aws configservice put-config-rule \
--config-rule '{"ConfigRuleName": "s3-bucket-server-side-encryption-enabled", "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"}}'[!IMPORTANT] AWS Config must be enabled in your account to evaluate rules. If you get an error in the CLI, follow the Console Alternative below to initialize Config first.
▶🖥️ Console Alternative
- Navigate to the AWS Config console.
- If this is your first time, click 1-click setup to enable the service.
- Navigate to Rules in the left sidebar and click Add rule.
- Search for
s3-bucket-server-side-encryption-enabled. - Select the rule, leave defaults, and click Save.
📸 Screenshot: The AWS Config Rules list showing the newly added S3 encryption rule.
Checkpoints
Verify that your infrastructure is secure, governed, and compliant.
Checkpoint 1: Verify S3 Encryption
Run the following command to ensure your AI data bucket is enforcing encryption:
aws s3api get-bucket-encryption --bucket brainybee-ai-data-<YOUR_ACCOUNT_ID>Expected Output: JSON displaying SSEAlgorithm: AES256.
Checkpoint 2: Verify Governance Logging
Check the status of your CloudTrail:
aws cloudtrail get-trail-status --name ai-governance-trailExpected Output: IsLogging: true.
Checkpoint 3: Verify Compliance Evaluation
To understand how AWS Config evaluates the rule, review this flowchart:
Check your compliance status manually via CLI:
aws configservice get-compliance-details-by-config-rule \
--config-rule-name s3-bucket-server-side-encryption-enabledExpected Output: Your S3 bucket brainybee-ai-data-<YOUR_ACCOUNT_ID> should be listed with a COMPLIANCE_TYPE of COMPLIANT.
Troubleshooting
| Error Message / Issue | Likely Cause | Solution |
|---|---|---|
AccessDenied on S3 bucket creation | IAM User lacks s3:CreateBucket permissions | Attach the AmazonS3FullAccess policy to your IAM user for this lab. |
InvalidToken or SignatureDoesNotMatch | Stale CLI credentials | Re-run aws configure and update your Access Key / Secret Key. |
NoSuchConfigurationRecorderException | AWS Config is not initialized | Open the AWS Config console and complete the one-time initial setup wizard. |
Config Rule shows INSUFFICIENT_DATA | Config hasn't evaluated the resource yet | Wait 3-5 minutes, or manually trigger the evaluation in the Config console. |
Clean-Up / Teardown
[!WARNING] Remember to run the teardown commands to avoid ongoing charges. AWS Config and CloudTrail incur costs over time for active rules and data storage.
Execute the following commands to delete all provisioned resources:
# 1. Delete the AWS Config Rule
aws configservice delete-config-rule \
--config-rule-name s3-bucket-server-side-encryption-enabled
# 2. Stop and Delete the CloudTrail
aws cloudtrail stop-logging --name ai-governance-trail
aws cloudtrail delete-trail --name ai-governance-trail
# 3. Empty and Delete S3 Buckets
# CAUTION: This deletes all data in the buckets.
aws s3 rm s3://brainybee-ai-data-<YOUR_ACCOUNT_ID> --recursive
aws s3api delete-bucket --bucket brainybee-ai-data-<YOUR_ACCOUNT_ID> --region <YOUR_REGION>
aws s3 rm s3://brainybee-logs-<YOUR_ACCOUNT_ID> --recursive
aws s3api delete-bucket --bucket brainybee-logs-<YOUR_ACCOUNT_ID> --region <YOUR_REGION>Verify that the buckets and trails no longer appear in your AWS Console.