Amazon SageMaker

Security and Compliance

Understand how Amazon SageMaker AI protects Deepgram deployments through AWS infrastructure security, network isolation, and VPC controls.

As a managed service, Amazon SageMaker AI is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see AWS Cloud Security. To design your AWS environment using the best practices for infrastructure security, see Infrastructure Protection in Security Pillar AWS Well-Architected Framework.

For more information, review the AWS documentation Infrastructure security in Amazon SageMaker AI.

API access requirements

You use AWS published API calls to access Amazon SageMaker AI through the network. Clients must support the following:

  • Transport Layer Security (TLS). AWS requires TLS 1.2 and recommends TLS 1.3.
  • Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

Network isolation for AWS Marketplace containers

Network isolation is required to run models using resources from AWS Marketplace. For additional security, AWS Marketplace images run within an Amazon VPC. They only have access to data within their local file systems. For details, see No internet access for Marketplace algorithm and model package containers.

Because network isolation is enabled, Deepgram Marketplace containers cannot make any outbound network calls to any service, including Amazon S3 or Deepgram infrastructure. No AWS credentials are made available to the container runtime environment.

Endpoint access: public internet or VPC

A SageMaker Endpoint can be accessible over the public internet or restricted to access only from within your Amazon VPC. To restrict access to your endpoint to a VPC, create an interface VPC endpoint for SageMaker Runtime. Traffic between your VPC and SageMaker then travels over the AWS network and never traverses the public internet.

Use a VPC endpoint when you want to:

  • Keep all inference traffic on the AWS network.
  • Apply VPC security groups and route tables to control which clients reach the endpoint.
  • Meet compliance requirements that prohibit public internet exposure of inference traffic.

Compliance

Deepgram models running on Amazon SageMaker AI real-time endpoints are eligible for most common compliance frameworks, including but not limited to SOC 1/2/3, HIPAA, PCI DSS, FedRAMP Moderate (US East/West), GDPR, and ISO 27001/27017/27018. For specific compliance details for Amazon SageMaker AI, see AWS Services in Scope by Compliance Program.