Feedback
Follow Us
Automated reasoning

New AWS tool recommends removal of unused permissions

IAM Access Analyzer feature uses automated reasoning to recommend policies that remove unused accesses, helping customers achieve “least privilege”.

By Loris D'AntoniChungha Sung
December 19, 2024
Share

AWS Identity and Access Management (IAM) policies provide customers with fine-grained control over who has access to what resources in the Amazon Web Services (AWS) Cloud. This control helps customers enforce the principle of least privilege by granting only the permissions required to perform particular tasks. In practice, however, writing IAM policies that enforce least privilege requires customers to understand what permissions are necessary for their applications to function, which can become challenging when the scale of the applications grows.

To help customers understand what permissions are not necessary, we launched IAM Access Analyzer unused access findings at the 2023 re:Invent conference. IAM Access Analyzer analyzes your AWS accounts to identify unused access and creates a centralized dashboard to report its findings. The findings highlight unused roles and unused access keys and passwords for IAM users. For active IAM roles and users, the findings provide visibility into unused services and actions.

Policy checks in context.png
Related content
Custom policy checks help democratize automated reasoning
New IAM Access Analyzer feature uses automated reasoning to ensure that access policies written in the IAM policy language don’t grant unintended access.

To take this service a step further, in June 2024 we launched recommendations to refine unused permissions in Access Analyzer. This feature recommends a refinement of the customer’s original IAM policies that retains the policy structure while removing the unused permissions. The recommendations not only simplify removal of unused permissions but also help customers enact the principle of least privilege for fine-grained permissions.

In this post, we discuss how Access Analyzer policy recommendations suggest policy refinements based on unused permissions, which completes the circle from monitoring overly permissive policies to refining them.

Policy recommendation in practice

Let's dive into an example to see how policy recommendation works. Suppose you have the following IAM policy attached to an IAM role named MyRole:

{
  "Version": "2012-10-17",
  "Statement": [
   {
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:GetFunctionConfiguration",
        "lambda:UpdateFunctionConfiguration",
        "lambda:UpdateFunctionCode",
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:ListVersionsByFunction",
        "lambda:GetFunction",
        "lambda:Invoke*"
      ],
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-lambda"
   },
  {
    "Effect" : "Allow",
    "Action" : [
      "s3:Get*",
      "s3:List*"
    ],
    "Resource" : "*"
  }
 ]
}



        
The above policy has two policy statements:
  • The first statement allows actions on a function in AWS Lambda, an AWS offering that provides function execution as a service. The allowed actions are specified by listing individual actions as well as via the wildcard string lambda:Invoke*, which permits all actions starting with Invoke in AWS Lambda, such as lambda:InvokeFunction.
  • The second statement allows actions on any Amazon Simple Storage Service (S3) bucket. Actions are specified by two wildcard strings, which indicate that the statement allows actions starting with Get or List in Amazon S3.
Enabling Access Analyzer for unused finding will provide you with a list of findings, each of which details the action-level unused permissions for specific roles. For example, for the role with the above policy attached, if Access Analyzer finds any AWS Lambda or Amazon S3 actions that are allowed but not used, it will display them as unused permissions.

            

  

    

        

        

          

            
              

                  Related content
              

            
            
                
A billion SMT queries a day

            

            
    
Amazon Web Services (AWS) is a cloud computing services provider that has made significant investments in applying formal methods to proving correctness of its internal systems and providing assurance of correctness to their end-users. In this paper, we focus on how we built abstractions and eliminated specifications to scale a verification engine for AWS access policies, Zelkova, to be usable by all AWS



          

        

    

  




        
The unused permissions define a list of actions that are allowed by the IAM policy but not used by the role. These actions are specific to a namespace, a set of resources that are clustered together and walled off from other namespaces, to improve security. Here is an example in Json format that shows unused permissions found for MyRole with the policy we attached earlier:

            

    
[
 {
    "serviceNamespace": "lambda",
    "actions": [
      "UpdateFunctionCode",
      "GetFunction",
      "ListVersionsByFunction",
      "UpdateFunctionConfiguration",
      "CreateFunction",
      "DeleteFunction",
      "GetFunctionConfiguration",
      "AddPermission"
    ]
  },
  {
    "serviceNamespace": "s3",
    "actions": [
        "GetBucketLocation",
        "GetBucketWebsite",
        "GetBucketPolicyStatus",
        "GetAccelerateConfiguration",
        "GetBucketPolicy",
        "GetBucketRequestPayment",
        "GetReplicationConfiguration",
        "GetBucketLogging",
        "GetBucketObjectLockConfiguration",
        "GetBucketNotification",
        "GetLifecycleConfiguration",
        "GetAnalyticsConfiguration",
        "GetBucketCORS",
        "GetInventoryConfiguration",
        "GetBucketPublicAccessBlock",
        "GetEncryptionConfiguration",
        "GetBucketAcl",
        "GetBucketVersioning",
        "GetBucketOwnershipControls",
        "GetBucketTagging",
        "GetIntelligentTieringConfiguration",
        "GetMetricsConfiguration"
    ]
  }
]




        
This example shows actions that are not used in AWS Lambda and Amazon S3 but are allowed by the policy we specified earlier.

            

  

    

        
            

                
                    
    
        Neha Rungta
    

                
            

        

        

          

            
              

                  Related content
              

            
            
                
For Neha Rungta, it's the journey that matters

            

            
    
Rungta had a promising career with NASA, but decided the stars aligned for her at Amazon.



          

        

    

  




        
How could you refine the original policy to remove the unused permissions and achieve least privilege? One option is manual analysis. You might imagine the following process:
  • Find the statements that allow unused permissions;
  • Remove individual actions from those statements by referencing unused permissions.
This process, however, can be error prone when dealing with large policies and long lists of unused permissions. Moreover, when there are wildcard strings in a policy, removing unused permissions from them requires careful investigation of which actions should replace the wildcard strings.
Policy recommendation does this refinement automatically for customers!
The policy below is one that Access Analyzer recommends after removing the unused actions from the policy above (the figure also shows the differences between the original and revised policies):

            

    
{
  "Version": "2012-10-17",
  "Statement" : [
   {
      "Effect" : "Allow",
      "Action" : [
-       "lambda:AddPermission",
-       "lambda:GetFunctionConfiguration",
-       "lambda:UpdateFunctionConfiguration",
-       "lambda:UpdateFunctionCode",
-       "lambda:CreateFunction",
-       "lambda:DeleteFunction",
-       "lambda:ListVersionsByFunction",
-       "lambda:GetFunction",
        "lambda:Invoke*"
      ],
      "Resource" : "arn:aws:lambda:us-east-1:123456789012:function:my-lambda"
    },
    {
     "Effect" : "Allow",
     "Action" : [
-      "s3:Get*",
+      "s3:GetAccess*",
+      "s3:GetAccountPublicAccessBlock",
+      "s3:GetDataAccess",
+      "s3:GetJobTagging",
+      "s3:GetMulti*",
+      "s3:GetObject*",
+      "s3:GetStorage*",
       "s3:List*"
     ],
     "Resource" : "*"
   }
  ]
}




        
Let’s take a look at what’s changed for each policy statement.
For the first statement, policy recommendation removes all individually listed actions (e.g., lambda:AddPermission), since they appear in unused permissions. Because none of the unused permissions starts with lambda:Invoke, the recommendation leaves lambda:Invoke* untouched.
For the second statement, let’s focus on what happens to the wildcard s3:Get*, which appears in the original policy. There are many actions that can start with s3:Get, but only some of them are shown in the unused permissions. Therefore, s3:Get* cannot just be removed from the policy. Instead, the recommended policy replaces s3:Get* with seven actions that can start with s3:Get but are not reported as unused.

            

  

    

        
            

                
                    
    
        Automated Reasoning 
    

                
            

        

        

          

            
              

                  Related content
              

            
            
                
How AWS’s Automated Reasoning Group helps make AWS and other Amazon products more secure

            

            
    
Amazon scientists are on the cutting edge of using math-based logic to provide better network security, access management, and greater reliability.



          

        

    

  




        
Some of these actions (e.g., s3:GetJobTagging) are individual ones, whereas others contain wildcards (e.g., s3:GetAccess* and s3:GetObject*). One way to manually replace s3:Get* in the revised policy would be to list all the actions that start with s3:Get except for the unused ones. However, this would result in an unwieldy policy, given that there are more than 50 actions starting with s3:Get.
Instead, policy recommendation identifies ways to use wildcards to collapse multiple actions, outputting actions such as s3:GetAccess* or s3:GetMulti*. Thanks to these wildcards, the recommended policy is succinct but still permits all the actions starting with s3:Get that are not reported as unused.
How do we decide where to place a wildcard in the newly generated wildcard actions? In the next section, we will dive deep on how policy recommendation generalizes actions with wildcards to allow only those actions that do not appear in unused permissions.
A deep dive into how actions are generalized
Policy recommendation is guided by the mathematical principle of “least general generalization” — i.e., finding the least permissive modification of the recommended policy that still allows all the actions allowed by the original policy. This theorem-backed approach guarantees that the modified policy still allows all and only the permissions granted by the original policy that are not reported as unused.
To implement the least-general generalization for unused permissions, we construct a data structure known as a trie, which is a tree each of whose nodes extends a sequence of tokens corresponding to a path through the tree. In our case, the nodes represent prefixes shared among actions, with a special marker for actions reported in unused permissions. By traversing the trie, we find the shortest string of prefixes that does not contain unused actions.
The diagram below shows a simplified trie delineating actions that replace the S3 Get* wildcard from the original policy (we have omitted some actions for clarity):

            

    

        
    
        Access Analyzer trie.png
    


        

        
    


    
        
A trie delineating actions that can replace the Get* wildcard in an IAM policy. Nodes containing unused actions are depicted in orange; the remaining nodes are in green.

    


        
At a high level, the trie represents prefixes that are shared by some of the possible actions starting with s3:Get. Its root node represents the prefix Get; child nodes of the root append their prefixes to Get. For example, the node named Multi represents all actions that start with GetMulti.

            

  

    

        
            

                
                    
    
        Elliptic-curve addition.gif
    

                
            

        

        

          

            
              

                  Related content
              

            
            
                
Better-performing “25519” elliptic-curve cryptography

            

            
    
Automated reasoning and optimizations specific to CPU microarchitectures improve both performance and assurance of correct implementation.



          

        

    

  




        
We say that a node is safe (denoted in green in the diagram) if none of the unused actions start with the prefix corresponding to that node; otherwise, it is unsafe (denoted in orange). For example, the node s3:GetBucket is unsafe because the action s3:GetBucketPolicy is unused. Similarly, the node ss is safe since there are no unused permissions that start with GetAccess.
We want our final policies to contain wildcard actions that correspond only to safe nodes, and we want to include enough safe nodes to permit all used actions. We achieve this by selecting the nodes that correspond to the shortest safe prefixes—i.e., nodes that are themselves safe but whose parents are not. As a result, the recommended policy replaces s3:Get* with the shortest prefixes that do not contain unused permissions, such as s3:GetAccess*, s3:GetMulti* and s3:GetJobTagging.
Together, the shortest safe prefixes form a new policy that, while syntactically similar to the original policy, is the least-general generalization to result from removing the unused actions. In other words, we have not removed more actions than necessary.
You can find how to start using policy recommendation with unused access in Access Analyzer. To learn more about the theoretical foundations powering policy recommendation, be sure to check out our science paper.

    



                            
                        

                    
                


                
                    

                        

    

        Research areas
    


    
        
    



                    

                

                
                    

                        

    

        Tags
    


    
        
    



                    

                

                
                    

                        
                    

                

                
                    
About the Author

                    

                        
                            
    

        

            
                

                    Loris D'Antoni
                

            
            
            
                

                    Loris D'Antoni is an associate professor of computer science and engineering at the University of California, San Diego, and an Amazon Visiting Academic.
                

            
        

    



                        
                            
    

        

            
                

                    Chungha Sung
                

            
            
            
                

                    Chungha Sung is a senior applied scientist with Amazon Web Services.
                

            
        

    



                        
                    

                
            

        


        
    

    
    

        
Related content

        
    




    
        
    

    



    
    

        
Work with us
See more jobs
        
            See more jobs
        
    




    
        

            

                
                    

                        

    

    

        
            

                Applied Scientist , Automated Reasoning Group
            

        

        

            
                

            

            

            

            
                
US, MA, Boston

            
        


        
    
The Automated Reasoning Group is looking for a Applied Scientist with expertise in programming language semantics and deductive verification techniques (e.g. Lean, Dafny) to deliver novel code reasoning capabilities at scale. You will be part of a larger organization that develops a spectrum of formal software analysis tools and applies them to software at all levels of abstraction from assembler through high-level programming languages. You will work with a team of world class automated reasoning experts to deliver code reasoning technology that is accessible to all developers.




        

        

        

        
    




                    

                
                    

                        

    

    

        
            

                Supply Chain Data Scientist, Supply Chain & Integration
            

        

        

            
                

            

            

            

            
                
BR, SP, Sao Paulo

            
        


        
    
Esta é uma posição de colaborador individual, com base em nosso escritório de São Paulo. Procuramos uma pessoa dinâmica, analítica, inovadora, orientada para a prática e com foco inabalável no cliente. Na Amazon, nosso objetivo é exceder as expectativas dos clientes, garantindo que seus pedidos sejam entregues com máxima rapidez, precisão e eficiência de custo. A determinação da rota de cada pacote é realizada por sistemas complexos, que precisam acompanhar o crescimento acelerado e a complexidade da malha logística no Brasil. Diante desse cenário, a equipe de Otimização de Supply Chain está à procura de um cientista de dados experiente, capaz de desenvolver modelos, ferramentas e processos para garantir confiabilidade, agilidade, eficiência de custos e a melhor utilização dos ativos. O candidato ideal terá sólidas habilidades quantitativas e experiência com conjuntos de dados complexos, sendo capaz de identificar tendências, inovar processos e tomar decisões baseadas em dados, considerando a cadeia de suprimentos de ponta a ponta. Key job responsibilities * Executar projetos de melhoria contínua na malha logística, aproveitando boas práticas de outros países e/ou desenvolvendo novos modelos. * Desenvolver modelos de otimização e cenários para planejamentos logísticos. * Criar modelos de otimização voltados para a execução de eventos e períodos de alta demanda. Automatizar processos manuais para melhorar a produtividade da equipe. * Auditar operações, configurações sistêmicas e processos que possam impactar custos, produtividade e velocidade de entregas. * Realizar benchmarks com outros países para identificar melhores práticas e processos avançados, conectando-os às operações no Brasil. About the team Nosso time é composto por engenheiros de dados, gerentes de projetos e cientistas de dados, todos dedicados a criar soluções escaláveis e inovadoras que suportem e otimizem as operações logísticas da Amazon no Brasil. Nossa missão é garantir a eficiência de todas as etapas da cadeia de suprimentos, desde a primeira até a última milha, ajudando a Amazon a entregar resultados com agilidade, precisão e a um custo competitivo, especialmente em um ambiente de rápido crescimento e complexidade.




        

        

        

        
    




                    

                
                    

                        

    

    

        
            

                Economist I, AWS Central Economics and Science
            

        

        

            
                

            

            

            

            
                
US, CA, San Francisco

            
        


        
    
We are hiring an Economist with the ability to disambiguate very challenging structural problems in two and multi-sided markets. The right hire will be able to get dirty with the data to come up with stylized facts, build reduced form model that motivate structural assumptions, and build to more complex structural models. The main use case will be understanding the incremental effects of subsidies to a two sided market relate to sales motions characterized by principal agent problems. Key job responsibilities This role with interface directly with product owners, scientists/economists, and leadership to create multi-year research agendas that drive step change growth for the business. The role will also be an important collaborator with other science teams at AWS. A day in the life Our team takes big swings and works on hard cross organizational problems where the optimal success rate is not 100%. We also ask people to grow their skills and stretch and make sure we do it in a supportive and fun environment. It’s about empirically measured impact, advancement, and fun on our team. We work hard during work hours but we also don’t encourage working at nights or on weekends except in very rare, high stakes cases. Burn out isn’t a successful long run strategy. Because we invest in the long run success of our group it’s important to have hobbies, relax and then come to work refreshed and excited. It makes for bigger impact, faster skill accrual and thus career advancement. About the team Our group is technically rigorous and encourages ongoing academic conference participation and publication. Our leaders are here for you and to enable you to be successful. We believe in being servant leaders focused on influence: good data work has little value if it doesn’t translate into actionable insights that are rolled out and impact the real economy. We are communication centric since being able to explain what we do ensures high success rates and lowers administrative churn. Also: we laugh a lot. If it’s not fun, what’s the point?




        

        

        

        
    




                    

                
                    

                        

    

    

        
            

                Machine Learning Applied Scientist, Account Integrity
            

        

        

            
                

            

            

            

            
                
US, CA, San Diego

            
        


        
    
Do you want to join an innovative team of scientists who leverage new technologies like reinforcement learning (RL), large language models (LLMs), graph analytics, and machine learning to help Amazon provide the best customer experience by protecting Amazon customers from hackers and bad actors? Do you want to build advanced algorithmic systems that integrate these state-of-the-art techniques to help manage the trust and safety of millions of customers every day? Are you excited by the prospect of analyzing and modeling terabytes of data and creating sophisticated algorithms that combine RL, LLMs, graph embeddings, and traditional machine learning methods to solve complex real-world problems? Do you like to innovate, simplify, and push the boundaries of what's possible? If yes, then you may be a great fit to join the Amazon Account Integrity team, where you'll have the opportunity to work at the forefront of AI and machine learning, tackling challenging problems that have a direct impact on the security and trust of Amazon's customers. The Amazon Account Integrity team works to ensure that customers are protected from bad actors trying to access their accounts. Our greatest challenge is protecting customer trust without unjustly harming good customers. To strike the right balance, we invest in mechanisms which allow us to accurately identify and mitigate risk, and to quickly correct and learn from our mistakes. This strategy includes continuously evolving enforcement policies, iterating our Machine Learning risk models, and exercising high‐judgement decision‐making where we cannot apply automation. Please visit https://www.amazon.science for more information




        

        

        

        
    




                    

                
                    

                        

    

    

        
            

                Research Scientist, Optimization, Planning and Task-Assignment, Amazon Robotics
            

        

        

            
                

            

            

            

            
                
US, MA, North Reading

            
        


        
    
Are you excited about developing algorithms and models to power Amazon's next generation robotic storage systems? Are you looking for opportunities to build and deploy them on real problems at truly vast scale? At Amazon Fulfillment Technologies and Robotics we are on a mission to build high-performance autonomous systems that perceive and act to further improve our world-class customer experience - at Amazon scale. We are looking for enthusiastic scientists for a variety of roles. The Research team at Amazon Robotics is seeking a passionate, collaborative, hands-on Research Scientist to develop planning and scheduling algorithms to support Amazon's next generation robotic storage systems. The focus of this position workflow optimization and robot task-assignment. It includes designing and evaluating planning and scheduling algorithms using a combination of machine learning and optimization methods as appropriate. This work spans from research such optimal decision making, to policy learning, to experimenting using simulation and modeling tools, to running large-scale A/B tests on robots in our facilities. The ideal candidate for this position will be familiar with planning or learning algorithms at both the theoretical and implementation levels. You will have the chance to solve complex scientific problems and see your solutions come to life in Amazon’s warehouses! Key job responsibilities - Research design - How should solve a particular research problem - Research delivery - Proving/dis-proving strategies in offline data or in simulation - Production studies - Insights from production data or ad-hoc experimentation - Prototype implementation - Building key parts of algorithms or model prototypes A day in the life On a typical day in this role you will work to progress your research projects, meet with engineering, systems, and solutions stakeholders, brainstorm with other scientists on the team, and participate in team processes. You will follow your research projects though the entire life cycle of design, implementation, evaluation, analysis, and will communicate your findings and results through technical papers and reports. You will consult with engineering teams as they incorporate your models and analyses into system and process designs. Amazon offers a full range of benefits that support you and eligible family members, including domestic partners and their children. Benefits can vary by location, the number of regularly scheduled hours you work, length of employment, and job status such as seasonal or temporary employment. The benefits that generally apply to regular, full-time employees include: 1. Medical, Dental, and Vision Coverage 2. Maternity and Parental Leave Options 3. Paid Time Off (PTO) 4. 401(k) Plan If you are not sure that every qualification on the list above describes you exactly, we'd still love to hear from you! At Amazon, we value people with unique backgrounds, experiences, and skillsets. If you’re passionate about this role and want to make an impact on a global scale, please apply! About the team Our multi-disciplinary science team includes scientists with backgrounds in simulation, planning and scheduling, grasping and manipulation, machine learning, and operations research. We develop novel planning algorithms and machine learning methods and apply them to real-word robotic warehouses, including: * Planning and coordinating the paths of thousands of robots * Dynamic allocation and scheduling of tasks to thousands of robots * Learning how to adapt system behavior to varying operating conditions * Co-design of robotic logistics processes and the algorithms to optimize them Our team also serves as a hub to foster innovation and support scientists across Amazon Robotics. We also coordinate research engagements with academia, such as the Robotics section of the Amazon Research Awards.




        

        

        

        
    




                    

                
                    

                        

    

    

        
            

                Applied Scientist - Prime Video
            

        

        

            
                

            

            

            

            
                
US, WA, Seattle

            
        


        
    
Are you interested in shaping the future of entertainment? Prime Video's technology teams are creating best-in-class digital video experience. As a Prime Video technologist, you’ll have end-to-end ownership of the product, user experience, design, and technology required to deliver state-of-the-art experiences for our customers. You’ll get to work on projects that are fast-paced, challenging, and varied. You’ll also be able to experiment with new possibilities, take risks, and collaborate with remarkable people. We’ll look for you to bring your diverse perspectives, ideas, and skill-sets to make Prime Video even better for our customers. With global opportunities for talented technologists, you can decide where a career Prime Video Tech takes you! In this role, you will invent science and systems for Transactional Video on Demand and Channels, including machine learning-based pricing and promotion systems. You will work with a team of scientists and product managers to design customer-facing products, and you will work with technology teams to productize and maintain the associated solutions. We are looking for an applied scientist to join our interdisciplinary team of Data Scientists, Applied Scientists, Economists, Data Engineers and Software Engineers. The ideal candidate combines machine learning expertise with the ability to deploy algorithms into production. You have deep knowledge of recommender systems and/or personalization models and experience applying them to Amazon-scale data. You understand tradeoffs between business needs and model complexity, and you take calculated risks in developing rapid prototypes and iterative model improvements. You are excited to learn from and alongside seasoned scientists, engineers, and business leaders. You are an excellent communicator and effectively translate technical findings into production systems and business action (and customer delight). Key responsibilities As an Applied Scientist on this team, you will: - Develop and implement recommender models for studio partners and customers; - Perform hands-on analysis and modeling of enormous datasets to develop insights that increase customer engagement and monetization; - Run experiments, gather data, and perform statistical analysis; - Collaborate with tech and engineering teams to develop and optimize production systems; - Research new and innovative machine learning approaches; - Work with other scientists to raise the science and coding bar across Prime Video. About the team Prime Video is a first-stop entertainment destination offering customers a vast collection of premium programming in one app available across thousands of devices. Prime members can customize their viewing experience and find their favorite movies, series, documentaries, and live sports – including Amazon MGM Studios-produced series and movies; licensed fan favorites; and programming from Prime Video add-on subscriptions such as Apple TV+, Max, Crunchyroll and MGM+. All customers, regardless of whether they have a Prime membership or not, can rent or buy titles via the Prime Video Store, and can enjoy even more content for free with ads.




        

        

        

        
    




                    

                
                    

                        

    

    

        
            

                Principal Applied Scientist , AGI Foundations
            

        

        

            
                

            

            

            

            
                
US, CA, San Francisco

            
        


        
    
The AGI team has a mission to push the envelope with multimodal LLMs and Gen AI in Computer Vision, in order to provide the best-possible experience for our customers. This role is part of the foundations modeling team with focus on model pre-training across modalities. Key job responsibilities You will be responsible for defining key research directions, adopting or inventing new machine learning techniques, conducting rigorous experiments, publishing results, and ensuring that research is translated into practice. You will develop long-term strategies, persuade teams to adopt those strategies, propose goals and deliver on them. You will also participate in organizational planning, hiring, mentorship and leadership development. You will be technically fearless and with a passion for building scalable science and engineering solutions. You will serve as a key scientific resource in full-cycle development (conception, design, implementation, testing to documentation, delivery, and maintenance).




        

        

        

        
    




                    

                
                    

                        

    

    

        
            

                Responsible AI Data Scientist, Generative AI Innovation Center
            

        

        

            
                

            

            

            

            
                
US, WA, Seattle

            
        


        
    
This is an exciting opportunity to shape the future of AI and make a real impact on our customers' generative AI journeys. Join the Generative AI Innovation Center to help customers shape the future of Responsible Generative AI while prioritizing security, privacy, and ethical AI practices. In this role, you will play a pivotal role in guiding AWS customers on the responsible and secure adoption of Generative AI, with a focus on Amazon Bedrock, our fully managed service for building generative AI applications. AWS Generative AI Innovation Center is looking for a Generative AI Data Scientist, who will guide customers on operationalizing Generative AI workloads with appropriate guardrails and responsible AI best practices, including techniques for mitigating bias, ensuring fairness, vulnerability assessments, red teaming, model evaluations, hallucinations, grounding model responses, and maintaining transparency in generative AI models. You'll evangelize Responsible AI (RAI), help customers shape RAI policies, develop technical assets to support RAI policies including demonstrating guardrails for content filtering, redacting sensitive data, blocking inappropriate topics, and implementing customer-specific AI safety policies. The assets you develop, will equip AWS teams, partners, and customers to responsibly operationalize generative AI, from PoCs to production workloads. You will engage with policy makers, customers, AWS product owners to influence product direction and help our customers tap into new markets by utilizing GenAI along with AWS Services. As part of the Generative AI Worldwide Specialist organization, Innovation Center, you will interact with AI/ML scientists and engineers, develop white papers, blogs, reference implementations, and presentations to enable customers and partners to fully leverage Generative AI services on Amazon Web Services. You may also create enablement materials for the broader technical field population, to help them understand RAI and how to integrate AWS services into customer architectures. You must have deep understanding of Generative AI models, including their strengths, limitations, and potential risks. You should have expertise in Responsible AI practices, such as bias mitigation, fairness evaluation, and ethical AI principles. In addition you should have hands on experience with AI security best practices, including vulnerability assessments, red teaming, and fine grained data access controls. Candidates must have great communication skills and be very technical, with the ability to impress Amazon Web Services customers at any level, from executive to developer. Previous experience with Amazon Web Services is desired but not required, provided you have experience building large scale solutions. You will get the opportunity to work directly with senior ML engineers and Data Scientists at customers, partners and Amazon Web Services service teams, influencing their roadmaps and driving innovation. Travel up to 40% may be possible. AWS Sales, Marketing, and Global Services (SMGS) is responsible for driving revenue, adoption, and growth from the largest and fastest growing small- and mid-market accounts to enterprise-level customers including public sector. The AWS Global Support team interacts with leading companies and believes that world-class support is critical to customer success. AWS Support also partners with a global list of customers that are building mission-critical applications on top of AWS services. Key job responsibilities - Guide customers on Responsible AI and Generative AI Security: Act as a trusted advisor to our customers, helping them navigate the complex world of Generative AI and ensure they are using it responsibly and securely. - Operationalize generative AI workloads: Support customers in taking their generative AI projects from proof-of-concept to production, implementing appropriate guardrails and best practices. - Demonstrate Generative AI Risks and Mitigations: Develop technical assets and content to educate customers on the risks of generative AI, including bias, offensive content, cyber threats, prompt hacking, and hallucinations. - Collaborate with GenAI Product/Engineering and Customer-Facing Builder Teams: Work closely with the Amazon Bedrock product and engineering teams and customer-facing builders to launch new services, support beta customers, and develop technical assets. - Thought Leadership and External Representation: Serve as a thought leader in the Generative AI space, representing AWS at industry events and conferences, such as AWS re:Invent. - Develop technical content, workshops, and thought leadership to enable the broader technical community, including Solution Architects, Data Scientists, and Technical Field Community members. About the team About the team Diverse Experiences AWS values diverse experiences. Even if you do not meet all of the qualifications and skills listed in the job description, we encourage candidates to apply. If your career is just starting, hasn’t followed a traditional path, or includes alternative experiences, don’t let it stop you from applying. Why AWS? Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud platform. We pioneered cloud computing and never stopped innovating — that’s why customers from the most successful startups to Global 500 companies trust our robust suite of products and services to power their businesses. Inclusive Team Culture Here at AWS, it’s in our nature to learn and be curious. Our employee-led affinity groups foster a culture of inclusion that empower us to be proud of our differences. Ongoing events and learning experiences, including our Conversations on Race and Ethnicity (CORE) and AmazeCon (gender diversity) conferences, inspire us to never stop embracing our uniqueness. Mentorship & Career Growth We’re continuously raising our performance bar as we strive to become Earth’s Best Employer. That’s why you’ll find endless knowledge-sharing, mentorship and other career-advancing resources here to help you develop into a better-rounded professional. Work/Life Balance We value work-life harmony. Achieving success at work should never come at the expense of sacrifices at home, which is why flexible work hours and arrangements are part of our culture. When we feel supported in the workplace and at home, there’s nothing we can’t achieve in the cloud.




        

        

        

        
    




                    

                
                    

                        

    

    

        
            

                Applied Scientist, ML Apps, People eXperience Technology Central Science (PXTCS)
            

        

        

            
                

            

            

            

            
                
US, IL, Chicago

            
        


        
    
Do you want to use your expertise in translating innovative science into impactful products to improve the lives and work of over a million people worldwide? If you do, People eXperience Technology Central Science (PXTCS) would love to talk to you about how to make that a reality. PXTCS is an interdisciplinary team that uses economics, behavioral science, statistics, and machine learning to identify products, mechanisms, and process improvements that both improve Amazonian’s wellbeing and their ability to deliver value for Amazon’s customers. We work with HR teams across Amazon to make Amazon PXT the most scientific human resources organization in the world. As an applied scientist on our team, you will work with business leaders, scientists, and economists to translate business and functional requirements into concrete deliverables, define the science vision and translate it into specific plans for applied scientists, as well as engineering and product teams. You will partner with scientists, economists, and engineers on the design, development, testing, and deployment of scalable ML and econometric models. This is a unique, high visibility opportunity for someone who wants to have impact, dive deep into large-scale solutions, enable measurable actions on the employee experience, and work closely with scientists and economists. This role combines science leadership, organizational ability, and technical strength. Key job responsibilities As an Applied Scientist, ML Applications, you will: • Design, develop, and evaluate innovative machine learning solutions to solve diverse challenges and opportunities for Amazon customers • Advance the team's engineering craftsmanship and drive continued scientific innovation as a thought leader and practitioner. • Partner with the engineering team to deploy your models in production. • Partner with scientists from across PXTCS to solve complex problems and use your team’s expertise to accelerate their ability get their work into production. • Work directly with Amazonians from across the company to understand their business problems and help define and implement scalable ML solutions to solve them.




        

        

        

        
    




                    

                
                    

                        

    

    

        
            

                Sr. Data Scientist, Generative AI Innovation Center
            

        

        

            
                

            

            

            

            
                
US, VA, Arlington

            
        


        
    
Are you looking to work at the forefront of Machine Learning and AI? Would you be excited to apply cutting edge Generative AI algorithms to solve real world problems with significant impact? The Generative AI Innovation Center at AWS is a new strategic team that helps AWS customers implement Generative AI solutions and realize transformational business opportunities. This is a team of strategists, data scientists, engineers, and solution architects working step-by-step with customers to build bespoke solutions that harness the power of generative AI. The team helps customers imagine and scope the use cases that will create the greatest value for their businesses, select and train and fine tune the right models, define paths to navigate technical or business challenges, develop proof-of-concepts, and make plans for launching solutions at scale. The GenAI Innovation Center team provides guidance on best practices for applying generative AI responsibly and cost efficiently. You will work directly with customers and innovate in a fast-paced organization that contributes to game-changing projects and technologies. You will design and run experiments, research new algorithms, and find new ways of optimizing risk, profitability, and customer experience. We’re looking for Data Scientists capable of using GenAI and other techniques to design, evangelize, and implement state-of-the-art solutions for never-before-solved problems. This position requires that the candidate selected be a US Citizen. Key job responsibilities As an Data Scientist, you will - Collaborate with AI/ML scientists and architects to Research, design, develop, and evaluate cutting-edge generative AI algorithms to address real-world challenges - Interact with customers directly to understand the business problem, help and aid them in implementation of generative AI solutions, deliver briefing and deep dive sessions to customers and guide customer on adoption patterns and paths to production - Create and deliver best practice recommendations, tutorials, blog posts, sample code, and presentations adapted to technical, business, and executive stakeholder - Provide customer and market feedback to Product and Engineering teams to help define product direction About the team ABOUT AWS: Diverse Experiences Amazon values diverse experiences. Even if you do not meet all of the preferred qualifications and skills listed in the job description, we encourage candidates to apply. If your career is just starting, hasn’t followed a traditional path, or includes alternative experiences, don’t let it stop you from applying. Why AWS Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud platform. We pioneered cloud computing and never stopped innovating — that’s why customers from the most successful startups to Global 500 companies trust our robust suite of products and services to power their businesses. Work/Life Balance We value work-life harmony. Achieving success at work should never come at the expense of sacrifices at home, which is why we strive for flexibility as part of our working culture. When we feel supported in the workplace and at home, there’s nothing we can’t achieve in the cloud. Inclusive Team Culture Here at AWS, it’s in our nature to learn and be curious. Our employee-led affinity groups foster a culture of inclusion that empower us to be proud of our differences. Ongoing events and learning experiences, including our Conversations on Race and Ethnicity (CORE) and AmazeCon (gender diversity) conferences, inspire us to never stop embracing our uniqueness. Mentorship and Career Growth We’re continuously raising our performance bar as we strive to become Earth’s Best Employer. That’s why you’ll find endless knowledge-sharing, mentorship and other career-advancing resources here to help you develop into a better-rounded professional.




        

        

        

        
    




                    

                
            

        

    

    

        See more jobs
    






        




    

        
            
        
        

            

                
                    

                        

                    

                
            

            
                

                    

                        

  

      
          

              
                  
    
        View from space of a connected network around planet Earth representing the Internet of Things.
    

              
          

      

      

        

          
              
Have feedback?

          

          
    
Let us know by taking this short survey



        

        
          
          

              Get started
          

          
        
      

  



                    

                

            
        

    


    

        

        
            
Amazon.com | Conditions of Use | Privacy | © 1996-2024 Amazon.com, Inc. or its affiliates

        
        
            

    
Follow Us