What is AWS Clean Rooms?

AWS Clean Rooms helps you and your partners analyze and collaborate on your collective datasets to gain new insights without revealing underlying data to one another. You can use AWS Clean Rooms, a secure collaboration workspace, to create your own clean rooms in minutes, and start analyzing your collective datasets with just a few steps. You can choose the partners with whom you want to collaborate, select their datasets, and configure restrictions for participants.

With AWS Clean Rooms, you can collaborate with thousands of companies already using AWS. Collaboration doesn't require moving data out of AWS or loading it into another platform. When you run queries, AWS Clean Rooms reads data from its original location and applies built-in analysis rules to help you maintain control over their data.

AWS Clean Rooms provides built-in data access controls and audit support controls that you can configure. These controls include:

• Analysis rules to restrict SQL queries and provide output constraints

• Cryptographic Computing for Clean Rooms to keep data encrypted, even as queries are processed, to comply with stringent data handling policies

• Query logs to review queries and help support audits

• Differential privacy to protect against user-identification attempts. AWS Clean Rooms Differential Privacy is a fully-managed capability that protects the privacy of your users with mathematically-backed techniques and intuitive controls that you can apply in a few clicks.

• AWS Clean Rooms ML to allow two parties to identify similar users in their data without the need to share their data with each other. The first party creates and configures a lookalike model from their training data. The second party brings their seed data to a collaboration and creates a lookalike segment that resembles the training data.

The following video explains more about AWS Clean Rooms.

Are you a first-time AWS Clean Rooms user?

If you are a first-time user of AWS Clean Rooms, we recommend that you begin by reading the following sections:

• How AWS Clean Rooms works

• Accessing AWS Clean Rooms

• Setting up AWS Clean Rooms

• AWS Clean Rooms Glossary

How AWS Clean Rooms works

The following workflow assumes that:

• The collaboration member has already uploaded their data tables to Amazon S3 and created an AWS Glue table.

• (Optional) For encrypted data tables only, the collaboration member has already prepared encrypted data tables using the C3R encryption client.

In summary, the workflow for AWS Clean Rooms is as follows:

1. The collaboration creator does the following tasks:

   • Creates a collaboration.

   • Invites one or more members to the collaboration.

   • Assigns abilities to members, such as the member who can query and the member who can receive results.

     If the collaboration creator is also the member who can receive results, they specify the query results destination and format. They also provide a service role Amazon Resource Name (ARN) to write the results to the query results destination.

   • Configures which member is responsible for paying for query compute costs in the collaboration.

2. The invited member joins the collaboration by creating a membership resource.

   If the invited member is the member who can receive results, they specify the query results destination and format. They also provide a service role ARN to write to the query results destination.

   If the invited member is the member who is responsible to pay for query compute costs, they accept their payment responsibilities before joining the collaboration.

3. The member configures an existing AWS Glue table for use in AWS Clean Rooms. (This step can be done before or after joining a collaboration, unless using Cryptographic Computing for Clean Rooms.)

   Note

   AWS Clean Rooms supports AWS Glue tables. For more information about getting your data in AWS Glue, see Step 3: Upload your data table to Amazon S3.

   1. The member names the configured table and chooses which columns to use in the collaboration.

   2. The member configures one of the following analysis rules to the configured table:

      • Aggregation analysis rule or list analysis rule – To control the type of analysis that can be run on the table.

      • Custom analysis rule – To allow a specific set of pre-approved queries or a specific set of accounts that can provide queries that use your data. Allows the member to turn on differential privacy to protect against user-identification attempts.

      Note

      The member can configure the analysis rule any time before they associate their configured tables with the collaboration.

4. The member associates their configured tables with the collaboration and gives AWS Clean Rooms a service role to access their AWS Glue tables.

   Note

   This service role has permissions to the tables. The service role is assumable only by AWS Clean Rooms to run allowed queries on behalf of the member who can query. No collaboration members (other than the data owner) have access to the underlying tables in the collaboration. The data owner can turn on differential privacy to make their tables available for querying by other members.

5. The member who can query runs SQL queries on the configured tables.

   Queries can only be run if the member who is responsible to pay for query compute costs has joined the collaboration as an active member.

   The analysis rules and output constraints are enforced automatically. AWS Clean Rooms only returns the results that comply with the analysis rules defined in Step 3.b.

   For queries on encrypted data, the member who can receive results receives the encrypted output from AWS Clean Rooms that must be decrypted (see Step 8).

6. The member who can receive results reviews the results in either the AWS Clean Rooms console or in the Amazon S3 bucket that they specified.

7. The member paying for query compute costs is charged for the queries run in the collaboration.

8. (Optional) For encrypted data tables only, the member who can receive results decrypts the query results by running the C3R encryption client in the decrypt mode.

Related services

The following AWS services are related to AWS Clean Rooms:

• Amazon S3

  Collaboration members can store data that they bring into AWS Clean Rooms in Amazon S3.

  For more information, see the following topics:

  Preparing data tables for queries in AWS Clean Rooms

  What Is Amazon S3? in the Amazon Simple Storage Service User Guide

• AWS Glue

  Collaboration members can create AWS Glue tables from their data in Amazon S3 for use in AWS Clean Rooms.

  For more information, see the following topics:

  Preparing data tables for queries in AWS Clean Rooms

  What is AWS Glue? in the AWS Glue Developer Guide

• AWS CloudFormation

  Create the following resources in AWS CloudFormation: collaborations, configured tables, configured table associations, and memberships

  For more information, see Creating AWS Clean Rooms resources with AWS CloudFormation.

• AWS CloudTrail

  Use AWS Clean Rooms with CloudTrail logs to enhance your analysis of AWS service activity.

  For more information, see Logging AWS Clean Rooms API calls using AWS CloudTrail.

Accessing AWS Clean Rooms

You can access AWS Clean Rooms through the following options:

• Directly through the AWS Clean Rooms console at https://console.aws.amazon.com/cleanrooms/.

• Programmatically through the AWS Clean Rooms API. For more information, see the AWS Clean Rooms API Reference.

Pricing for AWS Clean Rooms

For pricing information, see AWS Clean Rooms Pricing.

Billing for AWS Clean Rooms

AWS Clean Rooms gives the collaboration creator the ability to configure which member is paying for query compute costs in the collaboration.

In most cases, the member who can query and the member paying for query compute costs are the same. However, if the member who can query and the member paying for query compute costs are different, then, when the member who can query runs queries against their own membership resource, the membership resource of the member paying for query compute costs is billed.

The member paying for query compute costs doesn't see any event for queries being run in their CloudTrail Event history because the payer is neither the one running the queries nor the owner of the resource against which the queries are run. However, the payer does see bills generated on their membership resource for all queries run by the member who can run queries in the collaboration.

For more information about how to create a collaboration and configure the member paying for query compute costs, see Create a collaboration.