
Thursday, November 12, 2020

Amazon Beefs Up AI in Alexa, and Gets Charged by EU With Unfair Practices 

By John P. Desmond, AI Trends Editor 

AI took center stage in recently-announced updates to the Alexa virtual voice assistant, and in the charges this week from the European Commission that Amazon is breaking EU competition rules.  

During Amazon’s Alexa Live event held in July, the company announced a major update to Alexa’s developer toolkit that brings AI improvements. Since launching in 2014, Amazon’s voice assistant has shipped hundreds of millions of units, which are targeted by a sizable developer community offering voice apps, called Skills, that extend the Alexa default feature set. Just as large selections of third-party applications differentiate the Android and iOS operating systems, so Skills play an important role in Amazon’s growth strategy for Alexa, according to a recent account in siliconAngle.

Amazon added deep learning models for natural language understanding that the company said will enable Skills to recognize users’ voice commands with 15% higher accuracy on average. Current Skills users can use the new technology without any modifications, according to Amazon.  

Amazon also enhanced the voice assistant platform for more specific uses that are emerging as Alexa is added to more devices, including smartphones, wearables and smart displays. A new tool, Apps for Alexa, allows developers of mobile apps to enable customer control in a hands-free way, such as with the Echo Buds wireless earbuds. Another tool enables developers to allow purchases such as food delivery orders on Alexa-powered smart screens, such as the Echo Show smart display.  

Developers of Skills for the Echo Buds are getting a new capability called “skill resumption,” which allows Skills to automatically “resume” at opportune times. For example, if a consumer uses Echo Buds to hail an Uber car, Uber’s Alexa skill can automatically notify them when their ride arrives without requiring a manual invocation.

Skills have momentum; Amazon announced that customer engagement with Alexa Skills nearly doubled over the past year.   

AZ1 Edge Processor Can Perform On-Device Processing, a Privacy Win 

Alexa is also moving to the edge with its own chip in smart home edge devices. The Echo devices are using the company’s AZ1 Neural Edge processor, which consumes 20x less power and 85% less memory and features double the speech processing power of its predecessors, according to an account from ZDNet.

Rohit Prasad, VP and head scientist for Alexa AI, Amazon

The AZ1 in concert with Amazon’s AI advances is aimed at making the Echo more aware of its surroundings. Dave Limp, senior vice president of devices and services at Amazon, stated that the new Echo devices are designed to make “moments count.” The new versions of Alexa will be able to learn from humans by asking follow-up questions when Alexa has a gap in its understanding, according to Rohit Prasad, VP and head scientist for Alexa AI at Amazon, in a presentation on new Alexa features at the virtual event. New versions will also use deep learning space parsers to understand gaps and extract new concepts, will show more natural conversation, and will engage a followup mode when interacting with humans.  

Alexa can use visual and acoustic cues to determine the best action to take. “This natural turn-taking allows people to interact with Alexa at their own pace,” Prasad stated. 

The new AI foundation technology behind Alexa’s ability to interpret context and adjust how it speaks to you has been in development for years at Amazon, Prasad said.

The AZ1 edge processor is making Alexa faster. “The processor on the device is key with a fast-paced conversation,” stated Prasad. “The neural accelerator on the device makes decisions much faster.”  

Alexa for Business, rolled out over a year ago, has been adding features via AWS. Skill Blueprints were launched in April 2018 as a way to allow anyone to create skills and publish them to the Skills Stores with a 2019 update.   

Prasad did not outline the roadmap for Alexa for Business, but did say Echo’s new capabilities would apply to office settings as well as to yet-to-be-determined use cases. “There’s the potential to be able to teach Alexa anything in principle,” Prasad stated.  

The AZ1 processor, built with Taiwanese semiconductor company MediaTek, will speed Alexa’s response to queries and commands by hundreds of milliseconds per response, according to an account in The Verge. That allows for on-device neural speech recognition.  

Amazon’s preexisting products without the AZ1 send both the audio and its corresponding interaction to the cloud to be processed and back. Only the Echo and Echo Show 10 currently have the on-device memory needed to support Amazon’s new all-neural speech models. Given that the data is stored and deleted locally, the edge computing is seen as a privacy win.  

European Commission Charging Amazon with Unfair Competition  

All this smart processing is getting Amazon into trouble in Europe, with the European Commission this week charging the company with gaining an illegal advantage in the European marketplace. This was based on the use by Amazon of sales data of independent retailers selling through its site, data not available to other companies in the European market, and which Amazon uses to sell more of its most profitable products.  

Margrethe Vestager, Executive Vice President, European Commission

Margrethe Vestager, the commission’s executive vice-president, stated that the commission’s preliminary conclusion was that Amazon used “big data” to illegally distort competition in France and Germany, the biggest online retail markets in Europe, according to an account in The Guardian. The investigators will examine whether Amazon set rules on its platform to benefit its own offers and those of independent retailers who use Amazon’s logistics and delivery services.   

“We do not take issue with the success of Amazon or its size. Our concern is very specific business contacts which appear to distort genuine competition,” Vestager stated. The EU team has since July analyzed a data sample of more than 18 million transactions on more than 100 million products.

The commission determined that real time business data relating to independent retailers on the site was being fed into an algorithm used by Amazon’s own retail business. “It is based on these algorithms that Amazon decides what new products to launch, the price of each individual offer, the management of inventories and the choice of the best supplier for a product,” Vestager stated. “We therefore come to the preliminary conclusion that the use of this data allows Amazon to focus on the sale of the best-selling products, and this marginalizes third party sellers and caps their ability to grow.”  

Amazon faces a possible fine of up to 10% of its annual worldwide revenue. That could amount to as much as $28 billion, based on its 2019 earnings.   

In a statement Amazon said it disagreed with the findings. “There are more than 150,000 European businesses selling through our stores that generate tens of billions of euros in revenues annually,” the company stated. 

Read the source articles in siliconAngle, ZDNet, The Verge and The Guardian.



from AI Trends https://ift.tt/3pqFE43
via A.I .Kung Fu

Internet of Medical Things is Beginning to Transform Healthcare 

By AI Trends Staff  

The Internet of Medical Things (IoMT) market is expanding rapidly, with over 500,000 medical technologies currently available, from blood pressure and glucose monitors to MRI scanners. AI is poised to contribute analysis crucial to innovations such as smart hospitals.

Today’s internet-connected devices aim to improve efficiencies, lower care costs and drive better outcomes in healthcare, according to a recent account in HealthTech Magazine. Devices in the IoMT domain extend to wearable external medical devices such as skin patches and insulin pumps; implanted medical devices such as pacemakers and cardioverter defibrillators; and stationary devices such as for home monitoring and connecting imaging machines.   

Projections for IoMT market size were aggressive before the COVID-19 pandemic hit, with Deloitte sizing the market at $158.1 billion by 2022, with the connected medical device segment expected to take up to $52.2 billion of that by 2022. 

Now the estimates are growing. The global IoMT market was valued at $44.5 billion in 2018 and is expected to grow to $254.2 billion in 2026, according to AllTheResearch. The smart wearable device segment of IoMT, inclusive of smartwatches and sensor-laden smart shirts, made up the largest share of the global market in 2018, at roughly 27 percent, the report found.

This area of IoMT is poised for even further growth as artificial intelligence is integrated into connected devices and can prove capable of real-time, remote measurement and analysis of patient data. 

Fitbit Trackers Found to Help Patients with Heart Disease 

Evidence is coming in on the effectiveness of IoMT for health care. A study conducted by researchers from Cedars-Sinai Medical Center and UCLA found that Fitbit activity trackers were able to more accurately evaluate patients with ischemic heart disease by recording their heart rate and accelerometer data simultaneously. A survey last year of 100 health IT leaders by Spyglass Consulting Group found that some 88% of healthcare providers were investing in remote patient monitoring (RPM) equipment. This is especially true for patients whose conditions are considered unstable and at risk for hospital admission.

Cost avoidance was the primary investment driver for RPM solutions, which are hoping to achieve reduced hospital readmissions, emergency department visits, and overall healthcare utilization, the study stated. 

Wearable activity trackers have also proven to be more reliable than traditional methods for measuring physical activity and assessing five-year risk, according to a study by Johns Hopkins Medicine, as reported in mHealthIntelligence.

Adult participants between 50 and 85 years old wore an accelerator device at the hip for seven consecutive days to gather information on their physical activity. Individual data came from responses to demographic, socioeconomic, and health-related survey questions, along with medical records and clinical laboratory test results.  

IoMT Devices Seen as Helping to Control Health Care Costs  

Medical cost reductions of $300 billion are being estimated by Goldman Sachs, through remote patient monitoring and increased oversight of medication use. Startup activity is picking up. Proteus Discover, for example, has focused its smart pill capabilities on measuring the effectiveness of medication treatment; and HQ’s CorTemp is using its smart pills to monitor patients’ internal health and transmit wireless data such as core temperatures, which can be critical in life or death situations. 

AI systems are seen as able to reduce therapeutic errors in human clinical practice, according to an account in IDST. Developing IoMT strategies that match sophisticated sensors with AI-backed analytics will be critical for developing smart hospitals of the future. “Sensors, AI and big data analytics are vital technologies for IoMT as they provide multiple benefits to patients and facilities alike,” stated Varun Babu, senior research analyst with Frost & Sullivan TechVision Research, which studies emerging technology for IT.

The rise of AI and its alliance with IoT is one of the critical aspects of the digital transformation in modern healthcare, according to an account in IoTforAll. The central pairing is likely to result in speeding up the complicated procedures and data functionalities that are otherwise tedious and time-consuming. AI along with sensor technologies from IoT can lead to better decision-making. Advances in connectivity through AI are expected to promote an understanding of therapy and enable preventive care that promises a better future. 

Dr. Ian Roberts, Director of Therapeutic Technology, Healx

The impact of AI on personal healthcare is attracting wide comment. “AI is transforming every industry in which it is implemented, with its impact upon the healthcare sector already saving lives and improving medical diagnoses,” stated Dr. Ian Roberts, Director of Therapeutic Technology at Healx, a biotechnology company based in Cambridge, England, in an account in BBH (Building Better Healthcare). “The transformative effect of AI is set to switch healthcare on its head, as the technology leads to a shift from reactive treatments targeting populations to proactive prevention tailored to the individual patient.”  

In the future, AI-generated healthcare recommendations are seen as extending to include personalized treatment plans. “Currently we are in the infancy of AI in healthcare, and each company drives forward another piece of the puzzle and once fully integrated the future of medicine will be forever transformed,” Dr. Roberts stated.   

However, the increasingly-connected environment of IoMT is seen as bringing new risks as cyber criminals seek to exploit device and network vulnerabilities to wreak havoc. A recent global survey by Extreme Networks, a network infrastructure provider, found that one in five healthcare IT professionals are unsure if every medical device on their network has all the latest software patches installed — creating a porous security infrastructure that could potentially be bypassed. 

Bob Zemke, director of healthcare solutions, Extreme

“2020 will be the year when healthcare organizations of all sizes will need to realize that they are easy pickings for cyber criminals, and put a robust, reliable and resilient network security infrastructure in place to protect themselves adequately,” stated Bob Zemke, director of healthcare solutions for Extreme.  

Data science is seen as leading to more precise analytics. “In 2020, we can expect to see better patient outcomes fueled largely by the growing prevalence of data science and analytics,” stated Alan Jacobson, chief data and analytic officer at Alteryx, a software company providing advanced analytics tools. “Much of the data that is required to solve some really-key challenges already exists in the public domain, and in the next year we expect more and more healthcare organizations will implement tools that help to assess this rich information as well as gain actionable insight.” The tools are seen as being effective in monitoring proper use of prescription drugs.

Read the source articles and information in HealthTech Magazine, Deloitte, AllTheResearch, mHealthIntelligence, IDST, IoTforAll and in BBH (Building Better Healthcare).



from AI Trends https://ift.tt/3nnrnTV

Scientists Employing ‘Chemputers’ in Efforts to Digitize Chemistry 

By AI Trends Staff 

A “chemputer” is a robotic method of producing drug molecules that uses downloadable blueprints to synthesize organic chemicals via programming. Originated in the University of Glasgow lab of chemist Lee Cronin, the method has produced several blueprints available on the GitHub software repository, including blueprints for Remdesivir, the FDA-approved drug for antiviral treatment of COVID-19.  

Dr. Lee Cronin, Chair of Chemistry, University of Glasgow

Cronin, who designed the “bird’s nest” of tubing, pumps, and flasks that make up the chemputer, spent years thinking of a way researchers could distribute and produce molecules as easily as they email and print PDFs, according to a recent account from CNBC. 

“If we have a standard way of discovering molecules, making molecules, and then manufacturing them, suddenly nothing goes out of print,” Cronin stated. “It’s like an ebook reader for chemistry.” 

Beyond creating the chemputer, Cronin’s team recently took a second major step towards digitizing chemistry with an accessible way to program the machine. The software enables academic papers to be made into ‘chemputer-executable’ programs that researchers can edit without learning to code, the scientists announced in a recent edition of Science. The University of Glasgow team is one of dozens spread across academia and industry racing to bring chemistry into the digital age, a development that could lead to safer drugs, more efficient solar panels, and a disruptive new industry. 

Cronin’s team hopes their work will enable a “Spotify for chemistry” — an online repository of downloadable recipes for molecules that could enable more efficient international scientific collaboration, including helping developing countries more easily access medications. 

Nathan Collins, Chief Strategy Officer, SRI Biosciences

“The majority of chemistry hasn’t changed from the way we’ve been doing it for the last 200 years. It’s a very manual, artisan-driven process,” stated Nathan Collins, the chief strategy officer of SRI Biosciences, a division of SRI International. “There are billions of dollars of opportunity there.” He added, “This is still a very new science; it’s started to really explode in the last 18 months.”

The Glasgow team’s software includes the SynthReader tool, which scans a chemical recipe in peer-reviewed literature — like the six-step process for cooking up Remdesivir — and uses natural language processing to pick out verbs such as “add,” “stir,” or “heat;” modifiers like “dropwise;” and other details like durations and temperatures. The system translates those instructions into XDL, which directs the chemputer to execute mechanical actions with its heaters and test tubes.  

The group reported extracting 12 demonstration recipes from the chemical literature, which the chemputer carried out with an efficiency similar to that of human chemists.  

Cronin founded a company called Chemify to sell the chemistry robots and software. In May of 2019, the group installed a prototype at the pharmaceutical company GlaxoSmithKline.  

Kim Branson, Global Head of AI and Machine Learning, GSK

“The chemputer as a concept and the work [Cronin]’s done is really quite transformational,” stated Kim Branson, the global head of artificial intelligence and machine learning at GSK. The company is exploring various automation technologies to help it make a wide array of chemicals more efficiently. Cronin’s work may let GSK “teleport expertise” around the company, he stated.  

Researchers at SRI are pursuing their SynFini synthetic-chemistry system to expedite discovery of selective molecules. Collins recently published related research, Fully Automated Chemical Synthesis: Toward the Universal Synthesizer. AutoSyn “makes milligram-to-gram-scale amounts of virtually any drug-like small molecule in a matter of hours,” he said in a recent account in The Health Care Blog.

He sees the combination of AI and automation as an opportunity to improve the pharma R&D process. “Progress in AI offers the exciting possibility of pairing it with cutting-edge lab automation, essentially automating the entire R&D process from molecular design to synthesis and testing — greatly expediting the drug development process,” Dr. Collins stated. 

SRI is pursuing partnerships to help accelerate digitized drug discovery. A recent example is a collaboration with Exscientia, a clinical-stage AI drug discovery company, to work on integration of Exscientia’s Centaur Chemist AI platform with the SynFini synthetic chemistry system, described recently in a press release from SRI.

Exscientia applies AI technologies to design small molecule compounds that have reached the clinic. Molecules generated by Exscientia’s platform are highly optimized to satisfy the multiple pharmacology criteria required to enter a compound into the clinic in record time. Centaur Chemist is said to transform drug discovery into a formalized set of moves while also allowing the system to learn strategy from human experts. 

Andrew Hopkins, CEO of Exscientia, stated, “The opportunity to apply AI drug design through our Centaur Chemist system with SynFini automated chemistry offers an exciting opportunity to accelerate drug discovery timelines through scientific innovation and automation.”

SRI also announced a partnership earlier this year with Iktos, a company specializing in using AI for novel drug design, under which Iktos’ generative modeling technology will be combined with SRI’s SynFini platform, according to a press release from Iktos. The goal is to accelerate the identification of drug candidates to treat multiple viruses, including influenza and COVID-19.

The Iktos AI technology is based on deep generative models, which help design virtual novel molecules that have all the desirable characteristics of a novel drug candidate, addressing challenges including simultaneous validation of multiple bioactive attributes and drug-like criteria for clinical testing. 

“We hope our collaboration with SRI can make a difference and speed up the identification of promising new therapeutic options for the treatment of COVID-19,” stated Yann Gaston-Mathé, co-founder and CEO of Iktos.  

Read the source articles and information in CNBC, Science, The Health Care Blog, a press release from SRI and a press release from Iktos.



from AI Trends https://ift.tt/3f1QrwM

AI Holistic Adoption for Manufacturing and Operations: Data  

By Dawn Fitzgerald, the AI Executive Leadership Insider  

Dawn Fitzgerald, VP of Engineering and Technical Operations, Homesite 

Part Three of Four Part Series: “AI Holistic Adoption for Manufacturing and Operations” is a four-part series which focuses on the executive leadership perspective including key execution topics required for the enterprise digital transformation journey and AI Holistic Adoption for manufacturing and operations organizations. Planned topics include: Value, Program, Data and Ethics. Here we address our third topic: Data.  

The Executive Leadership Perspective   

For the executive leader who is taking their enterprise on a journey of Digital Transformation and AI Holistic Adoption, we started this series with the foundation of Value and then moved to the framework of the Program. Although these are the fundamental building blocks required for success, the results of any enterprise’s analytics do, in the end, rely on the Data.

The executive leader has the responsibility to ensure that they and their team are dedicated to mastering data fluency and data excellence in the enterprise. The facets of Data Management are vast with the standard areas of focus including data discovery, collection, preparation, categorization and protection. Strategies for achieving maturity in these areas are well-established in most industries, and yet many industries still struggle. These standard areas of focus in Data Management are indeed necessary but are not sufficient for the needed AI Holistic Adoption.  

To incorporate AI Holistic Adoption, a value focus must be employed where we create Value Analytics (VAs) as output from our enterprise Analytics Program. To support this program, we must expand our enterprise Data Management definition to include a Data Optimality metric, a Data Evolution Roadmap and a Data Value Efficiency metric. 

The Data Optimality metric tells us how close the Value Analytics (VA) Baseline Dataset is to ‘optimal’. The Data Evolution Roadmap captures the milestones for the evolution of our Baseline Dataset for each Value Analytics release and the corresponding goals for harvesting data. The Data Value Efficiency metric simply measures how much value we achieve from harvested data. The combination of these is a powerful tool set for the executive leader to ensure the data provides the highest value to enterprise analytics at the lowest cost to the organization.  

The Data Optimality Metric Definition  

The Data Optimality metric tells us how close the Value Analytics (VA) Baseline Dataset is to the Data Scientist-defined ‘optimal’. The Baseline Dataset is a key component to any Value Analytic. The Baseline Dataset captures the data used for the VA as it relates to a specific development release. This link to a release is a critical distinction. By tying the Baseline Dataset to the VA design release, we recognize a snapshot of the training data associated with a specific release. We recognize that it may not be optimal so may change during the lifetime of the VA, and we plan for its change on a Data Evolution Roadmap.   

To achieve enterprise AI Holistic Adoption the executive leader must ensure the foundation of Value which anchors the effort. They must also incorporate the nature of a technical development effort. Specifically, they must account for the go-to-market demands that drive risk management decisions regarding minimal viable product (MVP) in Agile or SAFe (Scaled Agile Framework) methodologies. By the very nature of development, the MVP-driven organization will plan early deliverables with incremental improvements over time. This will apply to the Baseline Dataset as well and thus, the Data Optimality Metric is created. It is used for visibility of the state of our Baseline Dataset, used to communicate expectations of its impact on the VA and used to drive the evolution of the data.   

Data Optimality Metric Example  

To illustrate the power of the Data Optimality metric, consider the Data Scientist who has defined an equipment predictive maintenance algorithm and has a corresponding Baseline Dataset definition. They will have defined the optimal dataset that they want which includes the IoT measurements (for example: temp, pressure and vibration), the duration of time they would like the Data collected over (for example: 6 months), the population size (for example: data collected from 10 Data Centers covering four key climate zone geographies) and a guaranteed data quality level (for example less than 10% data gaps). Since there is a low probability of this optimal Baseline Dataset availability aligning with the market-driven release timeline demands, the Data Scientist may be forced to compromise their initial Baseline Dataset by taking fewer IoT parameters (for example: only temp and pressure but no vibration), having shorter collection duration (for example: 3 months vs 6), having a smaller population size (for example: only 3 Data Centers vs 10) or accepting a lower quality level guarantee. The Data Scientist may also create simulated data for some or all of the data gaps.   

The Data Scientist will then assign a Data Optimality metric to the current release Baseline Dataset (for example: current available data achieves 60% of the optimal dataset criteria). They will also state the lower Data Optimality metric’s potential impact on the Value Analytic (for example: customers can expect only a 30-day prediction vs 90-day prediction pre-failure).

The executive leader can then make a business decision to go forward with this Data Optimality metric or wait the extra time necessary to harvest improved data to achieve a higher Data Optimality metric and corresponding VA improvement. To conclude this scenario example, input from the marketing team may indicate that a Q2 release of the VA with the current Data Optimality metric is acceptable due to first mover advantage and significant value, compared to competitive offers, delivered to the customer.  

They may also specify that the higher Data Optimality metric must be achieved by Q4 in order to remain competitive. The Data Optimality metric enables defined incremental improvements to the Baseline Dataset over time which transcend to the ongoing VA improvement lifecycle. 

The visibility provided by the Data Optimality metric is especially valuable with leading edge Value Analytic capabilities where first mover advantage in the market can lead to a substantial market penetration foothold for the business. The metric drives cost saving by bringing the decision point of release impacting information down to the local business, where the knowledge of the business is the highest. This simultaneously gives visibility to future data management actions through the enterprise and should be captured in the Data Evolution Roadmap.  

The Data Evolution Roadmap  

Driven by Data Optimality metric inputs, the Data Evolution Roadmap captures the milestones for the evolution of our Baseline Dataset for each Value Analytics release and the corresponding goals for harvesting future required data. The Data Evolution Roadmap establishes an enterprise framework that provides visibility, alignment, clarity and flexibility for local business decisions. It also challenges the business to define the Data Optimality metric and track Baseline Dataset improvements.   

The power of the Data Evolution Roadmap enables the local businesses’ Agile development methodologies, gives cross-functional visibility of data management actions and delivers Data Management cost saving to the enterprise. Incremental improvements of the Data Optimality metric for a specific Value Analytic can be timed on the Data Evolution Roadmap based on demand. Early market traction data can be incorporated to update the business decision thus generating higher confidence in the data management expenditures and potential cost savings if deemed no longer necessary.  

To achieve AI Holistic Adoption, the Data Evolution Roadmap must align directly to the Value Analytics Roadmap. Data management tasks must align and be traceable through both roadmaps to a higher end value. Successful execution of this requires rapid, tightly coupled agile development teams that span the key enterprise stakeholders such as IoT development, Data management, Data Science, platform development and marketing/sales functions. This demand-pull approach to Data Management aligns well with Agile development practices and combats the seemingly overwhelming challenges of exponential data repository growth and corresponding data management costs.   

Data Repository Growth  

The growth of the data repository should parallel the growth and maturity of the Analytics Program to ensure data excellence and avoid dark data obsolescence. The cost of technical debt must be acknowledged and measured.  

Many companies make the mistake of a volume goal of collecting IoT data without a defined data evolution strategy aligned with the Analytics Program grounded in value. This leads to the data swamp, a stalling of the realization of Value from the AI solutions and an overall low Data Value Efficiency score as defined below.  

A tighter alignment of the Data Management tasks with the Value Analytics also provides opportunity for more value-based incremental improvements of the enterprise’s tagging strategy. Tagging data with both technical and business metadata is critical but seldom done correctly on the first pass and certainly not without a Value focus, which requires a cross-functional team of a data architect, data scientist, subject-matter expert and marketing that anchors the value. The mechanism to continuously improve your data tagging methodology must be close to the value goals of the Analytics Program.

The Data Value Efficiency  

Once the Data Optimality metric and Data Evolution Roadmap are established, a Data Value Efficiency (DVE) metric can be measured. The DVE, a measurement attached to data elements, is simply the measure of how much value we achieve from harvested data. The DVE tracks the use of the data by its inclusion in different VA Baseline Datasets over time.

In most industries using AI, this metric would be considered very low. IDC research defines that currently, “80% of time is spent on data discovery, preparation, and protection, and only 20% of time is spent on actual analytics and getting to insight.” To achieve high DVE, a larger portion of our data harvested must translate into higher value actionable insights.  

Since the executive leader’s responsibility is to ensure that the organization is efficient with the data management, they must focus their organization on shifting the percentage of time invested from data discovery, collection and preparation to a higher amount of time used in training models and insight generation. The DVE metric gives visibility to progress toward this goal.  

The Data Evolution Roadmap pivots the enterprise focus from one of maximum data collection, and corresponding cost, to one of minimized data collection driven by the Value Analytics roadmap. Over time, this will improve the DVE metric and overall data excellence of the enterprise.  

Dawn Fitzgerald is VP of Engineering and Technical Operations at Homesite, an American Family Insurance company, where she is focused on Digital Transformation. Prior to this role, Dawn was a Digital Transformation & Analytics executive at Schneider Electric for 11 years. She is also currently the Chair of the Advisory Board for MIT’s Machine Intelligence for Manufacturing and Operations program. All opinions in this article are solely her own and are not reflective of any organization. 



from AI Trends https://ift.tt/38CCnZb
via A.I .Kung Fu

Epic's free game this week is a "bullet hell" action game with a lot of typing - CNET

The Textorcist: The Story of Ray Bibbia is the most unusual indie game you'll play all year.

from CNET News https://ift.tt/3ndmyfE
via A.I .Kung Fu

Marvel Cinematic Universe Phase 4: The full list of release dates - CNET

Here's where Black Widow, Spider-Man, Thor, Doctor Strange and the Disney Plus shows currently stand in the viewing calendar.

from CNET News https://ift.tt/2SB0q1C
via A.I .Kung Fu

32 best movies to watch on Netflix - CNET

Not sure what to watch tonight? Here are some of the best movies Netflix has to offer.

from CNET News https://ift.tt/3eTi6zP
via A.I .Kung Fu

17 best TV shows to stream on Amazon Prime Video - CNET

Looking for a great show to watch tonight? Let's round up Amazon's best gems.

from CNET News https://ift.tt/2K4rbKQ
via A.I .Kung Fu

Assassin's Creed Valhalla: The Nordic and English history you need to know - CNET

The more you know about the target, the sweeter the victory.

from CNET News https://ift.tt/35qpb7X
via A.I .Kung Fu

We'll spend nearly a decade of our lives staring at our phones, study says - CNET

That sure puts things into perspective.

from CNET News https://ift.tt/2UoUOZk
via A.I .Kung Fu

TikTok lives to see another day in US

US Commerce Department halts ban on Chinese owned company.

from BBC News - Technology https://ift.tt/3kp7qKw
via A.I .Kung Fu

Inside Parler, the Right's Favorite 'Free Speech' App

The top app on both Google and Apple's app stores this week promises conservatives a safe space—but gives priority treatment to its most high-profile users.

from Wired https://ift.tt/38J9sTD
via A.I .Kung Fu

Disney+ Passes 73 Million Subscribers as Streaming Takes Center Stage

The company has experienced deep losses in its theme park because of the pandemic, but investors don’t seem to care at the moment.

from NYT > Technology https://ift.tt/38EW1Ea
via A.I .Kung Fu

At all-hands, Zuckerberg said that Biden won the election, Bannon violated policies but not enough to shutter his account, Facebook isn't adverse to legislation (BuzzFeed News)

BuzzFeed News:
At all-hands, Zuckerberg said that Biden won the election, Bannon violated policies but not enough to shutter his account, Facebook isn't adverse to legislation  —  As false claims declaring that Joe Biden isn't the president-elect flourish on his platform, Facebook CEO Mark Zuckerberg told employees …



from Techmeme https://ift.tt/3kmFSVT
via A.I .Kung Fu

Wednesday, November 11, 2020

Honda is bringing Level 3 autonomy to production vehicles in Japan - Roadshow

The tech is called Traffic Jam Pilot and will debut in the Honda Legend sedan.

from CNET News https://ift.tt/3ngH13j
via A.I .Kung Fu

Xbox warns players not to blow vape smoke through their new Xbox Series X - CNET

"We can't believe we have to say this," Xbox tweeted.

from CNET News https://ift.tt/2IyDG0c
via A.I .Kung Fu

PS5: PlayStation's 'most extraordinary' pandemic launch

The boss of PlayStation speaks to Newsbeat about launching the PS5.

from BBC News - Technology https://ift.tt/36pBDEh
via A.I .Kung Fu

Best Black Friday 2020 laptop deals: Savings on HP, Lenovo, Surface and more - CNET

You don't need to wait until Black Friday to get a deal on a new laptop.

from CNET News https://ift.tt/3eP0YeB
via A.I .Kung Fu

More Rivian R1T and R1S details revealed, configurator goes live Nov. 16 - Roadshow

Rivian announced specifications for the Adventure and Explore packages.

from CNET News https://ift.tt/2GSSjLv
via A.I .Kung Fu

Xbox Game Pass: 16 awesome Xbox and PC games to play right now - CNET

If you're getting a new Xbox, you should also get Game Pass.

from CNET News https://ift.tt/3f2B4UV
via A.I .Kung Fu

YouTube experiencing video playback issues - CNET

The site is up, but videos aren't playing.

from CNET News https://ift.tt/2ItmfOK
via A.I .Kung Fu

YouTube is experiencing video playback issues worldwide, with YouTube TV and Google TV also affected; YouTube says it is working on a fix (Jay Peters/The Verge)

Jay Peters / The Verge:
YouTube is experiencing video playback issues worldwide, with YouTube TV and Google TV also affected; YouTube says it is working on a fix  —  It's not just you  —  YouTube seems to be having issues loading videos right now.  Several Verge staffers are having trouble watching videos …



from Techmeme https://ift.tt/36rCPqL
via A.I .Kung Fu

PS5 and Xbox Series X: Why you can avoid going next-gen until 2021 - CNET

Commentary: You don't need to drop hundreds of dollars on a shiny new console just yet.

from CNET News https://ift.tt/2UiGX6D
via A.I .Kung Fu

Electric next-gen Porsche Macan sneakily revealed in clay model form - Roadshow

Porsche released photos of a bunch of never-before-seen concept cars, and the new Macan EV is in the background of one of them.

from CNET News https://ift.tt/32D1Xtj
via A.I .Kung Fu

Black Friday Walmart deals available now: $379 HP laptop, $148 55-inch Roku smart TV and more - CNET

The next phase of the retailer's early sales is happening now.

from CNET News https://ift.tt/3lBj5aB
via A.I .Kung Fu

You'll spend 9 years of your life on your phone, study says - CNET

That sure puts things into perspective.

from CNET News https://ift.tt/3ngfK10
via A.I .Kung Fu

Microsoft: 'Please don't blow vape smoke into your Xbox Series X' - CNET

Videos circulated on Wednesday purporting to show the next-generation game console overheating and spewing smoke. It turns out people were just vaping into their Xbox.

from CNET News https://ift.tt/3eOXNDu
via A.I .Kung Fu

PS5: 8 things to do when you get your brand new PlayStation - CNET

The PS5 even has spoiler settings!

from CNET News https://ift.tt/35mtiSo
via A.I .Kung Fu

NASA gets go-ahead to bring Mars rocks back to Earth - CNET

An independent review has given NASA the green light to go get some chunks of the red planet through the Mars Sample Return campaign.

from CNET News https://ift.tt/3eQiTRU
via A.I .Kung Fu

You can buy a special Black Friday Nintendo Switch bundle on Nov. 22 - CNET

Here's where you can get a Switch right now -- spoiler, it's not many places -- and here are all the retailers selling the upcoming bundle.

from CNET News https://ift.tt/3pllaJS
via A.I .Kung Fu

Best PS4 gaming headset for 2020 - CNET

Looking for a new headset for your PlayStation 4? Here are our current top picks, from basic budget models that cost less than $50 to feature-packed high-end powerhouses.

from CNET News https://ift.tt/31llrCU
via A.I .Kung Fu

'Electronic skin' stretches, heals itself (and makes me dream of a cyborg future) - CNET

Can I get a full body suit of this stuff?

from CNET News https://ift.tt/38ye1Qv
via A.I .Kung Fu

Lucasfilm defends Baby Yoda's troubling meal in Mandalorian's latest episode - CNET

The scene on Disney Plus was "intentionally disturbing, for comedic effect," says a Lucasfilm executive.

from CNET News https://ift.tt/36pNgLn
via A.I .Kung Fu

The 17 best TV shows to stream on Amazon Prime Video - CNET

Searching for a great show to watch tonight? Let's round up Amazon's best gems.

from CNET News https://ift.tt/3kl9vXS
via A.I .Kung Fu

12 of the best TV shows to stream on Disney Plus - CNET

Searching for more great shows like The Mandalorian? Let's round up Disney's best gems.

from CNET News https://ift.tt/36vlrBp
via A.I .Kung Fu

From 2020's Singles' Day sale, which was extended to 12 days from 24 hours previously, Alibaba reported sales of $56.4B while JD.com reported sales of ~$30.1B (Arjun Kharpal/CNBC)

Arjun Kharpal / CNBC:
From 2020's Singles' Day sale, which was extended to 12 days from 24 hours previously, Alibaba reported sales of $56.4B while JD.com reported sales of ~$30.1B  —  - Alibaba set a new sales record for the annual Singles Day shopping event.  — Singles Day is typically a 24-hour shopping event …



from Techmeme https://ift.tt/38zPn1W
via A.I .Kung Fu

Google patches two Chrome zero-days that were exploited in the wild, after tips from anonymous sources; Google has patched five Chrome zero-days in three weeks (Catalin Cimpanu/ZDNet)

Catalin Cimpanu / ZDNet:
Google patches two Chrome zero-days that were exploited in the wild, after tips from anonymous sources; Google has patched five Chrome zero-days in three weeks  —  Google has now patched five Chrome zero-days in three weeks.  —  Google has released today Chrome version 86..4240.198 to patch …



from Techmeme https://ift.tt/2JUioLf
via A.I .Kung Fu

Tuesday, November 10, 2020

YouTube Premium members can get Stadia Premiere Edition for free - CNET

If you have a YouTube Premium account and sign up for Stadia, Google will gift you with Premiere Edition.

from CNET News https://ift.tt/2InyQmA
via A.I .Kung Fu

The best racing wheel and pedals for iRacing and your budget - Roadshow

Before you dive into the wild world of sim racing, you're going to need a wheel and pedals. Skip the cross-shopping and check out these favorites.

from CNET News https://ift.tt/3lmiHwh
via A.I .Kung Fu

Best DNA test for 2020: AncestryDNA vs. 23andMe and more - CNET

Looking for the best DNA test kit and the best testing services? Here are your top options.

from CNET News https://ift.tt/36qF0uu
via A.I .Kung Fu

The best detailing spray for cars in 2020 - Roadshow

Keep your car looking supreme in between a wash and wax with our top detailing spray products.

from CNET News https://ift.tt/3eL1SbQ
via A.I .Kung Fu

Uber, Lyft still sapped by COVID pandemic, plus 4 other takeaways this quarter - CNET

The latest earnings reports from both companies paint a complicated picture.

from CNET News https://ift.tt/2IsmsSy
via A.I .Kung Fu

Best place to buy tires online for 2020 - Roadshow

Buying tires can be a daunting and costly task. We've put together a list of the best places to buy tires online and what you should look for when shopping.

from CNET News https://ift.tt/38xzmcS
via A.I .Kung Fu

Best women's underwear for work outs in 2020 - CNET

Because you should be focused on your workout, not your undies.

from CNET News https://ift.tt/3kqmLuo
via A.I .Kung Fu

Remains of prehistoric flying reptile turn up among shark fossils - CNET

A British paleontologist discovers fragments of a mysterious new species of toothless pterosaur in a surprising place.

from CNET News https://ift.tt/3eKg1Gt
via A.I .Kung Fu

Analysis of Apple's A14 chip shows an increase in single-thread performance of nearly 3x in 5 years, suggesting M1 will be a formidable rival to x86 incumbents (Andrei Frumusanu/AnandTech)

Andrei Frumusanu / AnandTech:
Analysis of Apple's A14 chip shows an increase in single-thread performance of nearly 3x in 5 years, suggesting M1 will be a formidable rival to x86 incumbents  —  From Mobile to Mac: What to Expect?  —  To date, our performance comparisons for Apple's chipsets have always been in the context …



from Techmeme https://ift.tt/38w12Pl
via A.I .Kung Fu

Configuring Amazon SageMaker Studio for teams and groups with complete resource isolation

Amazon SageMaker is a fully managed service that provides every machine learning (ML) developer and data scientist with the ability to build, train, and deploy ML models quickly. Amazon SageMaker Studio is a web-based, integrated development environment (IDE) for ML that lets you build, train, debug, deploy, and monitor your ML models. Amazon SageMaker Studio provides all the tools you need to take your models from experimentation to production while boosting your productivity. You can write code, track experiments, visualize data, and perform debugging and monitoring within a single, integrated visual interface.

This post outlines how to configure access control for teams or groups within Amazon SageMaker Studio using attribute-based access control (ABAC). ABAC is a powerful approach that you can utilize to configure Studio so that different ML and data science teams have complete isolation of team resources.

We provide guidance on how to configure Amazon SageMaker Studio access for both AWS Identity and Access Management (IAM) and AWS Single Sign-On (AWS SSO) authentication methods. This post helps you set up IAM policies for users and roles using ABAC principles. To demonstrate the configuration, we set up two teams as shown in the following diagram and showcase two use cases:

  • Use case 1 – Only User A1 can access their studio environment; User A2 can’t access User A1’s environment, and vice versa
  • Use case 2 – Team B users cannot access artifacts (experiments, etc.) created by Team A members

You can configure policies according to your needs. You can even include a project tag in case you want to further restrict user access by projects within a team. The approach is very flexible and scalable.

Authentication

Amazon SageMaker Studio supports the following authentication methods for onboarding users. When setting up Studio, you can pick an authentication method that you use for all your users:

  • IAM – Includes the following:
    • IAM users – Users managed in IAM
    • AWS account federation – Users managed in an external identity provider (IdP)
  • AWS SSO – Users managed in an external IdP federated using AWS SSO

Data science user personas

The following table describes two different personas that interact with Amazon SageMaker Studio resources and the level of access they need to fulfill their duties. We use this table as a high-level requirement to model IAM roles and policies to establish desired controls based on resource ownership at the team and user level.

User Personas and Permissions

Admin User:

  • Create, modify, delete any IAM resource.
  • Create Amazon SageMaker Studio user profiles with a tag.
  • Sign in to the Amazon SageMaker console.
  • Read and describe Amazon SageMaker resources.

Data Scientists or Developers:

  • Launch an Amazon SageMaker Studio IDE assigned to a specific IAM or AWS SSO user.
  • Create Amazon SageMaker resources with necessary tags. For this post, we use the team tag.
  • Update, delete, and run resources created with a specific tag.
  • Sign in to the Amazon SageMaker console if an IAM user.
  • Read and describe Amazon SageMaker resources.

Solution overview

We use the preceding requirements to model roles and permissions required to establish controls. The following flow diagram outlines the different configuration steps:

Applying your policy to the admin user

You should apply the following policy to the admin user who creates Studio user profiles. This policy requires the admin to include the studiouserid tag. You could use a different name for the tag if need be. The Studio console doesn’t allow you to add tags when creating user profiles, so we use the AWS Command Line Interface (AWS CLI).

For admin users managed in IAM, attach the following policy to the user. For admin users managed in an external IdP, add the following policy to the role that the user assumes upon federation. The following policy enforces the studiouserid tag to be present when the sagemaker:CreateUserProfile action is invoked.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateSageMakerStudioUserProfilePolicy",
            "Effect": "Allow",
            "Action": "sagemaker:CreateUserProfile",
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:TagKeys": [
                        "studiouserid"
                    ]
                }
            }
        }
    ]
}

AWS SSO doesn’t require this policy; it performs the identity check.

Assigning the policy to Studio users

The following policy limits Studio access to the respective users by requiring the resource tag to match the user name for the sagemaker:CreatePresignedDomainUrl action. When a user tries to access the Amazon SageMaker Studio launch URL, this check is performed.

For IAM users, attach the following policy to the user. Use the user name for the studiouserid tag value.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonSageMakerPresignedUrlPolicy",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreatePresignedDomainUrl"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "sagemaker:ResourceTag/studiouserid": "${aws:username}" 
                }
            }
        }
    ]
}

For AWS account federation, attach the following policy to the role that the user assumes after federation:

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "AmazonSageMakerPresignedUrlPolicy",
           "Effect": "Allow",
           "Action": [
                "sagemaker:CreatePresignedDomainUrl"
           ],
           "Resource": "*",
           "Condition": {
                  "StringEquals": {
                      "sagemaker:ResourceTag/studiouserid": "${aws:PrincipalTag/studiouserid}"
                 }
            }
      }
  ]
}

Add the following statement to the trust policy of this role (the Trust Relationship section). This statement defines the allowed transitive tag.

"Statement": [
    {
        --Existing statements
    },
    {
        "Sid": "IdentifyTransitiveTags",
        "Effect": "Allow",
        "Principal": {
            "Federated": "arn:aws:iam::<account id>:saml-provider/<identity provider>"
        },
        "Action": "sts:TagSession",
        "Condition": {
            "ForAllValues:StringEquals": {
                "sts:TransitiveTagKeys": [
                    "studiouserid"
                ]
            }
        }
    }
]

For users managed in AWS SSO, this policy is not required. AWS SSO performs the identity check.

Creating roles for the teams

To create roles for your teams, you must first create the policies. For simplicity, we use the same policies for both teams. In most cases, you just need one set of policies for all teams, but you have the flexibility to create different policies for different teams. In the second step, you create a role for each team, attach the policies, and tag the roles with appropriate team tags.

Creating the policies

Create the following policies. For this post, we split them into three policies for more readability, but you can create them according to your needs.

Policy 1: Amazon SageMaker read-only access

The following policy gives privileges to List and Describe Amazon SageMaker resources. You can customize this policy according to your needs.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonSageMakerDescribeReadyOnlyPolicy",
            "Effect": "Allow",
            "Action": [
                "sagemaker:Describe*",
                "sagemaker:GetSearchSuggestions"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AmazonSageMakerListOnlyPolicy",
            "Effect": "Allow",
            "Action": [
                "sagemaker:List*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AmazonSageMakerUIandMetricsOnlyPolicy",
            "Effect": "Allow",
            "Action": [
                "sagemaker:*App",
                "sagemaker:Search",
                "sagemaker:RenderUiTemplate",
                "sagemaker:BatchGetMetrics"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AmazonSageMakerEC2ReadOnlyPolicy",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcs"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AmazonSageMakerIAMReadOnlyPolicy",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles"
            ],
            "Resource": "*"
        }
    ]
}

Policy 2: Amazon SageMaker access for supporting services

The following policy grants create, read, update, and delete access to Amazon Simple Storage Service (Amazon S3), Amazon Elastic Container Registry (Amazon ECR), and Amazon CloudWatch, and read access to AWS Key Management Service (AWS KMS). You can customize this policy according to your needs.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonSageMakerCRUDAccessS3Policy",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:PutBucketCORS",
                "s3:ListAllMyBuckets",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation"
            ],
            "Resource": "<S3 BucketName>"
        },
        {
            "Sid": "AmazonSageMakerReadOnlyAccessKMSPolicy",
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:ListAliases"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AmazonSageMakerCRUDAccessECRPolicy",
            "Effect": "Allow",
            "Action": [
                "ecr:Set*",
                "ecr:CompleteLayerUpload",
                "ecr:Batch*",
                "ecr:Upload*",
                "ecr:InitiateLayerUpload",
                "ecr:Put*",
                "ecr:Describe*",
                "ecr:CreateRepository",
                "ecr:Get*",
                "ecr:StartImageScan"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AmazonSageMakerCRUDAccessCloudWatchPolicy",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:Put*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "cloudwatch:DescribeAlarms",
                "logs:Put*",
                "logs:Get*",
                "logs:List*",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:ListLogDeliveries",
                "logs:Describe*",
                "logs:CreateLogDelivery",
                "logs:PutResourcePolicy",
                "logs:UpdateLogDelivery"
            ],
            "Resource": "*"
        }
    ]
} 

Policy 3: Amazon SageMaker Studio developer access

The following policy gives privileges to create, update, and delete Amazon SageMaker Studio resources. It also enforces the team tag requirement during creation. In addition, it restricts start, stop, update, and delete actions on resources to the respective team members.

The team tag validation condition in the following code makes sure that the team tag value matches the principal’s team. Refer to the Condition blocks of the AmazonSageMakerCreate and AmazonSageMakerUpdateDeleteExecutePolicy statements for specifics.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonSageMakerStudioCreateApp",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateApp"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AmazonSageMakerStudioIAMPassRole",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AmazonSageMakerInvokeEndPointRole",
            "Effect": "Allow",
            "Action": [
                "sagemaker:InvokeEndpoint"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AmazonSageMakerAddTags",
            "Effect": "Allow",
            "Action": [
                "sagemaker:AddTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AmazonSageMakerCreate",
            "Effect": "Allow",
            "Action": [
                "sagemaker:Create*"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:TagKeys": [
                        "team"
                    ]
                },
                "StringEqualsIfExists": {
                    "aws:RequestTag/team": "${aws:PrincipalTag/team}"
                }
            }
        },
        {
            "Sid": "AmazonSageMakerUpdateDeleteExecutePolicy",
            "Effect": "Allow",
            "Action": [
                "sagemaker:Delete*",
                "sagemaker:Stop*",
                "sagemaker:Update*",
                "sagemaker:Start*",
                "sagemaker:DisassociateTrialComponent",
                "sagemaker:AssociateTrialComponent",
                "sagemaker:BatchPutMetrics"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalTag/team": "${sagemaker:ResourceTag/team}"
                }
            }
        }
    ]
}
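To see how the tag conditions in the policies above decide the two use cases, the following offline model evaluates them against sample requests; it is an added illustration, not code from the original post or from AWS. It covers only the three condition operators and the policy variables these statements use, treats an unresolved policy variable as no match (an assumption of this model), and the user names and tag values are constructed samples.

```python
import re
from fnmatch import fnmatchcase

# Conditional statements copied from the policies on this page.
# USER_POLICY is the IAM-user variant attached to each Studio user;
# TEAM_POLICY holds the two tag-checked statements of Policy 3.
USER_POLICY = [
    {"Sid": "AmazonSageMakerPresignedUrlPolicy",
     "Action": ["sagemaker:CreatePresignedDomainUrl"],
     "Condition": {"StringEquals": {
         "sagemaker:ResourceTag/studiouserid": "${aws:username}"}}},
]
TEAM_POLICY = [
    {"Sid": "AmazonSageMakerCreate",
     "Action": ["sagemaker:Create*"],
     "Condition": {
         "ForAnyValue:StringEquals": {"aws:TagKeys": ["team"]},
         "StringEqualsIfExists": {
             "aws:RequestTag/team": "${aws:PrincipalTag/team}"}}},
    {"Sid": "AmazonSageMakerUpdateDeleteExecutePolicy",
     "Action": ["sagemaker:Delete*", "sagemaker:Stop*", "sagemaker:Update*",
                "sagemaker:Start*", "sagemaker:DisassociateTrialComponent",
                "sagemaker:AssociateTrialComponent",
                "sagemaker:BatchPutMetrics"],
     "Condition": {"StringEquals": {
         "aws:PrincipalTag/team": "${sagemaker:ResourceTag/team}"}}},
]

VARIABLE = re.compile(r"\$\{([^}]+)\}")


def request_context(username=None, principal_tags=None,
                    request_tags=None, resource_tags=None):
    """Build the condition-key map for one API call (hypothetical helper)."""
    ctx = {}
    if username:
        ctx["aws:username"] = username
    for key, value in (principal_tags or {}).items():
        ctx[f"aws:PrincipalTag/{key}"] = value
    for key, value in (request_tags or {}).items():
        ctx[f"aws:RequestTag/{key}"] = value
    if request_tags:
        ctx["aws:TagKeys"] = list(request_tags)  # multivalued key
    for key, value in (resource_tags or {}).items():
        ctx[f"sagemaker:ResourceTag/{key}"] = value
    return ctx


def resolve(value, ctx):
    """Expand ${key} policy variables; None when any variable has no value."""
    names = VARIABLE.findall(value)
    if any(not isinstance(ctx.get(name), str) for name in names):
        return None
    return VARIABLE.sub(lambda m: ctx[m.group(1)], value)


def condition_holds(operator, key, policy_values, ctx):
    """Evaluate one operator/key pair of a Condition block."""
    if isinstance(policy_values, str):
        policy_values = [policy_values]
    wanted = [resolve(v, ctx) for v in policy_values]
    if None in wanted:
        return False  # model assumption: unresolved variable means no match
    actual = ctx.get(key)
    if operator == "StringEquals":
        return actual is not None and actual in wanted
    if operator == "StringEqualsIfExists":
        return actual is None or actual in wanted
    if operator == "ForAnyValue:StringEquals":
        return any(v in wanted for v in (actual or []))
    raise ValueError(f"operator not modelled: {operator}")


def allowed(statements, action, ctx):
    """Return the Sid of the first matching Allow statement, else None
    (implicit deny). Explicit Deny statements are not modelled."""
    for st in statements:
        if not any(fnmatchcase(action.lower(), p.lower()) for p in st["Action"]):
            continue
        if all(condition_holds(op, key, values, ctx)
               for op, block in st.get("Condition", {}).items()
               for key, values in block.items()):
            return st["Sid"]
    return None


if __name__ == "__main__":
    team_a, team_b = {"team": "TeamA"}, {"team": "TeamB"}
    cases = [  # constructed sample requests
        ("usera1 opens own profile", USER_POLICY,
         "sagemaker:CreatePresignedDomainUrl",
         request_context(username="usera1",
                         resource_tags={"studiouserid": "usera1"})),
        ("usera2 opens usera1 profile", USER_POLICY,
         "sagemaker:CreatePresignedDomainUrl",
         request_context(username="usera2",
                         resource_tags={"studiouserid": "usera1"})),
        ("TeamA creates untagged experiment", TEAM_POLICY,
         "sagemaker:CreateExperiment", request_context(principal_tags=team_a)),
        ("TeamB deletes TeamA experiment", TEAM_POLICY,
         "sagemaker:DeleteExperiment",
         request_context(principal_tags=team_b, resource_tags=team_a)),
    ]
    for label, policy, action, ctx in cases:
        print(f"{label:36} -> {allowed(policy, action, ctx) or 'implicit deny'}")
```
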

Creating and configuring the roles

You can now create a role for each team with these policies. Tag the roles on the IAM console or with the CLI command. The steps are the same for all three authentication types. For example, tag the role for Team A with the tag key = team and value = "<Team Name>".

Creating the Amazon SageMaker Studio user profile

In this step, we add the studiouserid tag when creating Studio user profiles. The steps are slightly different for each authentication type.

IAM users

For IAM users, you create Studio user profiles for each user by including the role that was created for the team the user belongs to. The following code is a sample CLI command. As of this writing, including a tag when creating a user profile is available only through AWS CLI.

aws sagemaker create-user-profile --domain-id <domain id> --user-profile-name <unique profile name> --tags Key=studiouserid,Value=<aws user name> --user-settings ExecutionRole=arn:aws:iam::<account id>:role/<Team Role Name>

AWS account federation

For AWS account federation, you create a user attribute (studiouserid) in an external IdP with a unique value for each user. The following example shows how to add the studiouserid attribute in Okta. On Okta’s SIGN ON METHODS screen, configure the following SAML 2.0 attributes:

Attribute 1:
Name: https://aws.amazon.com/SAML/Attributes/PrincipalTag:studiouserid 
Value: user.studiouserid

Attribute 2:
Name: https://aws.amazon.com/SAML/Attributes/TransitiveTagKeys
Value: {"studiouserid"}

The following screenshot shows the attributes on the Okta console.

Next, create the user profile using the following command. Use the user attribute value in the preceding step for the studiouserid tag value.

aws sagemaker create-user-profile --domain-id <domain id> --user-profile-name <unique profile name> --tags Key=studiouserid,Value=<user attribute value> --user-settings ExecutionRole=arn:aws:iam::<account id>:role/<Team Role Name>

AWS SSO

For instructions on assigning users in AWS SSO, see Onboarding Amazon SageMaker Studio with AWS SSO and Okta Universal Directory.

Update the Studio user profile to include the appropriate execution role that was created for the team that the user belongs to. See the following CLI command:

aws sagemaker update-user-profile --domain-id <domain id> --user-profile-name <user profile name> --user-settings ExecutionRole=arn:aws:iam::<account id>:role/<Team Role Name> --region us-west-2

Validating that only assigned Studio users can access their profiles

When a user tries to access a Studio profile that doesn’t have a studiouserid tag value matching their user name, an AccessDeniedException error occurs. You can test this by copying the link for Launch Studio on the Amazon SageMaker console and accessing it when logged in as a different user. The following screenshot shows the error message.

Validating that only respective team members can access certain artifacts

In this step, we show how to configure Studio so that members of a given team can’t access artifacts that another team creates.

In our use case, a Team A user creates an experiment and tags that experiment with the team tag. This limits access to this experiment to Team A users only. See the following code:

import sys
!{sys.executable} -m pip install sagemaker
!{sys.executable} -m pip install sagemaker-experiments

import time
import sagemaker
from smexperiments.experiment import Experiment

demo_experiment = Experiment.create(experiment_name = "USERA1TEAMAEXPERIMENT1",
                                    description = "UserA1 experiment",
                                    tags = [{'Key': 'team', 'Value': 'TeamA'}])

If a user who is not in Team A tries to delete the experiment, Studio denies the delete action. See the following code:

#command run from TeamB User Studio Instance
import time
from smexperiments.experiment import Experiment
experiment_to_cleanup = Experiment.load(experiment_name="USERA1TEAMAEXPERIMENT1")
experiment_to_cleanup.delete()

[Client Error]
An error occurred (AccessDeniedException) when calling the DeleteExperiment operation: User: arn:aws:sts::<AWS Account ID>:assumed-role/SageMakerStudioDeveloperTeamBRole/SageMaker is not authorized to perform: sagemaker:DeleteExperiment on resource: arn:aws:sagemaker:us-east-1:<AWS Account ID>:experiment/usera1teamaexperiment1

Conclusion

In this post, we demonstrated how to isolate Amazon SageMaker Studio access using the ABAC technique. We showcased two use cases: restricting access to a Studio profile to only the assigned user (using the studiouserid tag) and restricting access to Studio artifacts to team members only. We also showed how to limit access to experiments to only the members of the team using the team tag. You can further customize policies by applying more tags to create more complex hierarchical controls.

Try out this solution for isolating resources by teams or groups in Amazon SageMaker Studio. For more information about using ABAC as an authorization strategy, see What is ABAC for AWS?


About the Authors

Vikrant Kahlir is a Senior Solutions Architect in the Solutions Architecture team. He works with AWS strategic customers’ product and engineering teams to help them with technology solutions using AWS services for Managed Databases, AI/ML, HPC, Autonomous Computing, and IoT.

Rakesh Ramadas is an ISV Solution Architect at Amazon Web Services. His focus areas include AI/ML and Big Data.

Rama Thamman is a Software Development Manager with the AI Platforms team, leading the ML Migrations team.



from AWS Machine Learning Blog https://ift.tt/38vljnT
via A.I .Kung Fu