AWS Public Sector Blog

Deep dive into FedRAMP 20x Key Security Indicators: Decoding the 63 KSIs

Paul Keastead — Mon, 27 Apr 2026 15:15:32 +0000

The Federal Risk and Authorization Management Program (FedRAMP) 20x program replaces hundreds of narrative control descriptions with Key Security Indicators (KSIs) organized across 12 themes.

In this post, we break down every KSI theme, categorize each indicator by validation approach, and provide a practical gap analysis framework so you can begin preparing your cloud service offering (CSO) for FedRAMP 20x authorization on Amazon Web Services (AWS).

What are Key Security Indicators?

In our first blog post, we introduced FedRAMP 20x and its shift from static documentation to automated evidence. KSIs are the building blocks of that shift. Each KSI represents a measurable, concrete security outcome, which cloud service providers (CSPs) must demonstrate through automated validation, documented processes, or both.

The Phase 2 pilot completeness requirements set a clear bar: Automated validation must cover at least 70% of KSIs, every KSI must be addressed, and evidence must be available in both human-readable and machine-readable formats. Understanding what each KSI requires is the first step toward meeting that bar.

The 12 KSI themes at a glance

The following table summarizes all 12 KSI themes, their associated KSI counts, and primary focus areas to help you quickly assess where your organization stands:

Theme	Name	KSI count	Focus area
CSX	Cross-Cutting	3	Implementation summaries, Minimum Assessment Standard (MAS) scope, priority ordering
AFR	Authorization by FedRAMP	10	MAS, vulnerability disclosure, scanning/remediation, Plan of Action and Milestones (POA&M), significant change notification (SCN), authorization data, persistent validation, continuous monitoring
CNA	Cloud Native Architecture	8	Network segmentation, attack surface minimization, distributed denial of service (DDoS) protection, API security, automated posture enforcement
CMT	Change Management	4	Change control, immutable infrastructure, deployment validation
IAM	Identity and Access Management	7	Phishing-resistant multi-factor authentication (MFA), authentication without passwords, least privilege, just-in-time (JIT) access
MLA	Monitoring, Logging, and Auditing	5	Audit log generation, security information and event management (SIEM) integration, configuration evaluation
SVC	Service Configuration	8	Encryption at rest and in transit, Federal Information Processing Standards (FIPS) cryptography, secrets management, secure defaults
RPL	Recovery Planning	4	Recovery time objective (RTO), recovery point objective (RPO), backup procedures, recovery testing
PIY	Policy and Inventory	5	Asset inventory, software inventory, executive support, software development lifecycle (SDLC) security
INR	Incident Response	3	Incident response plan, procedures, post-incident review
CED	Cybersecurity Education	4	General training, role-specific training, developer training, response/recovery training
SCR	Supply Chain Risk	2	Supply chain risk assessment, third-party monitoring

Table 1: The 12 KSI themes at a glance

Categorizing KSIs: Automate, document, or both

Not every KSI can be validated by a machine. Some require documented processes, executive attestations, or human judgment. We categorize each KSI into one of three buckets to help you plan your implementation approach:

Fully automatable KSIs can be validated entirely through automated tooling, such as AWS Config rules, AWS Security Hub checks, or infrastructure as code (IaC) scanning. Examples include KSI-SVC-SNT (encrypt network traffic), KSI-CNA-RNT (restrict network traffic), and KSI-IAM-MFA (enforce phishing-resistant MFA).
Process and documentation KSIs require written policies, procedures, or human review cycles. Examples include KSI-INR-AAR (after-action reports), KSI-PIY-RES (executive support review), and KSI-CED-RGT (general training review).
Both KSIs have an automated component and a documented process component. For example, KSI-AFR-VDR (vulnerability detection and response) requires automated scanning tools and a documented methodology with defined service-level agreement (SLA) timelines.

The following figure illustrates how KSIs are distributed across these three categories and the validation lifecycle from preventive controls through runtime monitoring:

Figure 1: FedRAMP 20x KSI validation lifecycle showing the distribution of KSIs across automated, documented, and hybrid categories, with AWS services mapped to each validation stage

Theme-by-theme breakdown

In this section, we explore the areas relevant to each KSI theme and the AWS services related to that theme.

Authorization by FedRAMP (AFR), 10 KSIs

This is the most complex theme because each KSI ties to a FedRAMP-specific standard. KSI-AFR-MAS requires you to identify every information resource in scope, including people, budgets, and systems. KSI-AFR-VDR requires a complete vulnerability detection and response methodology with N1 through N5 severity ratings and defined remediation timelines. KSI-AFR-SCN requires classifying changes as routine, adaptive, or transformative, each with different notification timelines.

On AWS, services such as Amazon Inspector and AWS Security Hub can help address KSI-AFR-VDR. AWS CloudTrail and Amazon EventBridge support KSI-AFR-SCN by detecting and classifying infrastructure changes.

Cloud Native Architecture (CNA), 8 KSIs

These KSIs focus on network segmentation, attack surface minimization, and automated posture enforcement. KSI-CNA-MAT (minimize attack surface) and KSI-CNA-RNT (restrict network traffic) are strong candidates for automated validation using Amazon Virtual Private Cloud (Amazon VPC) security groups, network access control lists (ACLs), and AWS Network Firewall. KSI-CNA-EIS (enforce intended state) maps directly to AWS Config rules that detect drift from your desired configuration.

Identity and Access Management (IAM), 7 KSIs

KSI-IAM-MFA (phishing-resistant MFA) and KSI-IAM-ELP (least privilege) are foundational. AWS IAM Identity Center supports phishing-resistant MFA with FIDO2 security keys. AWS IAM Access Analyzer helps validate least privilege by identifying unused permissions. KSI-IAM-JIT (just-in-time access) can be addressed through temporary role assumption with time-bounded sessions.

Service Configuration (SVC), 8 KSIs

Encryption is the main idea of this theme. KSI-SVC-SNT (secure network traffic) and KSI-SVC-VRI (validate resource integrity) require FIPS 140-2 validated cryptographic modules. AWS Key Management Service (AWS KMS) provides FIPS-validated key management, and AWS Certificate Manager (ACM) automates Transport Layer Security (TLS) certificate provisioning. KSI-SVC-ACM (automate configuration management) aligns with IaC practices using AWS CloudFormation or Terraform.

Monitoring, Logging, and Auditing (MLA), 5 KSIs

KSI-MLA-OSM (operate SIEM capability) requires centralized, tamper-resistant logging. AWS CloudTrail with organization-level trails, Amazon CloudWatch logs, and AWS Security Hub provide the foundation. KSI-MLA-EVC (evaluate configurations) maps to AWS Config conformance packs that persistently evaluate resource configurations.

Change Management (CMT) 4 KSIs, Recovery Planning (RPL) 4 KSIs, Incident Response (INR) 3 KSIs, and remaining themes

The remaining themes align well with established cloud-based practices and are summarized here at a higher level. CMT KSIs favor immutable infrastructure patterns (KSI-CMT-RMV) where changes are deployed through redeployment rather than in-place modification, a natural fit for IaC workflows.

RPL KSIs require documented and tested recovery objectives. INR KSIs require both documented procedures and evidence of post-incident reviews. CED KSIs are entirely process-based, requiring evidence of training programs. SCR KSIs require supply chain risk assessments and automated monitoring of third-party dependencies.

Understanding persistent validation

A critical concept in FedRAMP 20x is the word persistent. FedRAMP defines it as “occurring in a firm, steady way that is repeated over a long period of time.” For moderate impact systems, machine-based KSI validation must run at least every 3 days. Non-machine KSIs must be validated at least every 3 months.

This means your validation infrastructure must be always-on, not a point-in-time assessment. On AWS, this translates to Amazon EventBridge scheduled rules triggering AWS Step Functions workflows that collect evidence from AWS Config, AWS Security Hub, Amazon Inspector, and other services on a recurring cadence.

Conducting your KSI gap analysis

Start your gap analysis with these steps:

Assess your current state. For each of the 63 KSIs, document whether you have full coverage, partial coverage, or no coverage today. If you’re running the Landing Zone Accelerator on AWS (LZA) with the Universal Configuration, many CNA, MLA, and IAM KSIs already have partial coverage through AWS Security Hub, Amazon GuardDuty, AWS Config, and AWS CloudTrail.
Identify automation candidates. Flag every KSI where AWS provides a service or feature that can produce machine-readable evidence. Target the 70% automated validation threshold.
Catalog documentation gaps. For process-based KSIs, determine whether you have existing policies that can be adapted or whether new documentation is needed.
Prioritize by theme. Follow the recommended priority order: AFR KSIs first (they define the framework), then CNA and IAM (foundational security posture), then SVC and MLA (operational security), and finally the remaining themes.
Plan your evidence pipeline. Every KSI needs evidence in both human-readable clear summaries with context, timestamps, and plain-language explanations of what was verified, and machine-readable formats. Plan how each piece of evidence will be generated, stored, and published.

What comes next

With your gap analysis complete, the next step is implementing preventive controls that prohibit noncompliant configurations before they reach your environment. In our next blog, we cover how AWS Organizations service control policies (SCPs) enforce KSIs at the organizational level, reducing both your compliance burden and your assessment surface.

Next steps and resources

Contact AWS Security Assurance Services – Get help with your FedRAMP authorization journey
FedRAMP 20x overview – Program overview, goals, and phased delivery timeline
FedRAMP 20x Phase 2 requirements – Completeness requirements and KSI-AFR discussion
FedRAMP 20x goals – The five key goals driving the 20x program
AWS Security Hub – Centralized security findings aggregation
AWS Config – Persistent configuration evaluation and compliance
Landing Zone Accelerator on AWS – Multi-account environment with built-in security controls
Prepare for FedRAMP 20x with AWS automation and validation – Series introduction and architecture overview

Turning urgency into opportunity: NJIT’s 10-week cloud migration

Blake Haggerty — Mon, 27 Apr 2026 15:00:52 +0000

New Jersey Institute of Technology (NJIT) faced a decision when sudden licensing changes meant the university’s operating costs for its private virtual cloud environment would rise significantly. The university operates with a single, centralized IT team managing all technology infrastructure—from core services to discipline-specific academic platforms, high-performance research computing, grant-funded projects, data warehouses, and more—so the potential budget impact called for a fast, coordinated response.

With only 10 weeks before renewal, NJIT worked with Amazon Web Services (AWS) and TEKsystems Global Services (TGS) to migrate more than 200 essential virtual servers to the AWS Cloud—70% faster than typical timelines. These workloads included enterprise applications, web servers, academic file and database servers, and infrastructure support servers. The swift transition avoided a costly licensing increase and positioned the university to operate more effectively at scale and shift investments from legacy technologies to student-facing services.

Supporting enterprise, academic, and research technology from one IT team

While many higher education institutions operate with decentralized IT departments across the organization, NJIT centralized its technology infrastructure years ago. “We have such a wide catalog of services,” said Matthew Hoskins, director of core systems and cloud services for NJIT. “Every technology is somewhere in the university. If we’re not using it in the enterprise, someone is trying to teach it in a classroom.”

The scope is immense: databases for academics and research, coding environments, web hosting, distributed file systems, storage, high-performance computing, and even infrastructure for the university’s makerspace. The team also manages cybersecurity, digital signage, and support for new buildings, facilitating campus growth.

NJIT’s centralized structure allowed the university to scale efficiently while maintaining consistency across all these environments. When licensing changes put pressure on its entire infrastructure, that same centralization became an advantage—enabling the school to rapidly evaluate all 500+ servers and coordinate decisions on which workloads to migrate first. For institutions with siloed IT departments, that kind of coordinated response would be nearly impossible.

Navigating the complexity of a 10-week deadline

NJIT was gradually moving workloads to the cloud, but the compressed timeline created by sudden licensing changes introduced new challenges. Working across multiple teams, NJIT needed to quickly identify which systems required immediate migration from its 500-plus server environment.

The selection process required coordination between the applications management group, academic research and computing, business and academic stakeholders, and core systems teams to determine what could realistically move to the cloud now and what needed to stay on premises until later phases. NJIT identified 200 servers as ideal candidates for cloud migration.

After this selection, the next challenge lay in migrating systems without complete visibility into application architectures. “We didn’t necessarily have an extensive understanding of all these applications and their dependencies,” said Hoskins. “We didn’t fully understand how they communicate with each other in some cases.” This lack of documentation would become one of the project’s biggest technical challenges, requiring the team to discover dependencies and connections in real time.

While migrations of this scale often take six to 12 months, the right combination of preparation, collaboration, and tools can significantly accelerate that timeline. For NJIT, success meant assembling a team ready to move fast and solve problems collaboratively as they emerged.

Building the team, securing funding, and reskilling for the cloud

With limited documentation, tight deadlines, and 200 servers to migrate, NJIT relied on existing relationships with TGS, an AWS Premier Tier Services Partner, and AWS. All three organizations established a collaborative approach from the start. “Not every consulting company would want to take on a project like that,” said Hoskins.

Adam Mendlik, principal cloud architect at TGS, described the approach: “We had conversations early on where we aligned on what NJIT wanted to accomplish, and the challenges they faced. Having that shared understanding was key to the collaboration and meeting the deadline together.”

AWS played a critical role in achieving the aggressive timeline. Beyond providing funding through the AWS Migration Acceleration Program (MAP), AWS solutions architects worked closely with the team on weekly calls, troubleshooting issues, and providing architectural guidance. The engagement included two in-person workshops of intensive hands-on training sessions with labs and exercises that transferred essential cloud expertise to NJIT’s staff, so they could manage and continue modernizing its new environment long after the migration was completed.

Managing technical challenges and modernization

After migration began, the team navigated new technical hurdles. Adjusting processing power and memory for each application was built into the project timeline, allowing the team to refine configurations as real-world performance data replaced initial estimates. The biggest challenge proved to be complex re-IPing requirements that forced the applications team to hunt down hardcoded IP addresses buried in legacy applications. When those addresses were identified and fixed, many connectivity issues that had initially seemed daunting simply disappeared. Resolving this and other technical debt throughout the project has continued to pay dividends, making NJIT’s technology operations more efficient and effective.

The collaborative teamwork enabled NJIT to tackle broader improvements alongside immediate problems. Rather than simply replicating its existing environment, the TGS team implemented a scalable, secure, and governed Landing Zone Accelerator on AWS (LZA) that provides a holistic view of AWS accounts across the enterprise. This modernized account structure introduced role-based access controls, network architecture controls for inbound and outbound traffic, and improved security governance across all environments.

This landing zone environment also introduced account vending capabilities for NJIT’s research division, allowing rapid provisioning for specialized workloads. With department-level billing, resource tagging for cost visibility, and detailed governance controls in place, NJIT can now track spending by team or project and deploy advanced artificial intelligence (AI) workloads in Quantiphi baioniq with confidence. Additionally, TGS addressed AWS LZA limitations by implementing a custom solution for load balancer deployment, providing flexibility for future application architectures.

Redirecting savings to student-focused programs

“If we can deliver IT services more efficiently, there’s more money for programs that benefit students directly,” said Hoskins. “We don’t want to spend more on IT than we have to.” This philosophy drove the entire project, and the results delivered exactly what NJIT needed.

By migrating to AWS, NJIT achieved more than $100,000 in cost avoidance tied to the impending licensing increase. In addition to that one-time savings, the migration delivered substantial annual operational savings while transforming how the university funds technology infrastructure, shifting from large capital expenses to operational expenses and freeing budget managers from rigid hardware refresh cycles. NJIT also gained infrastructure that automatically scales with campus growth, along with an IT team focused on innovation rather than hardware maintenance.

Within a year of the announced increases in virtual server licensing, NJIT had completed the migration and built significant internal cloud expertise, positioning the university ahead of peer institutions still planning its moves. TGS delivered these outcomes on time and within budget, reinforcing the value of strategic collaboration during high-pressure projects. Most importantly, TGS and AWS helped NJIT move toward its long-term goal of spending less on infrastructure and more on educational programs and ongoing innovation.

Moving toward database modernization and serverless computing

The migration’s success gave NJIT confidence to accelerate its cloud journey. The team is now moving toward database modernization with Amazon Relational Database Service (Amazon RDS) and exploring serverless computing and containerization—innovations that would have been much harder to pursue while managing aging on-premises infrastructure.

For universities facing similar pressures, the NJIT experience demonstrates that a crisis can become an opportunity when approached strategically. The key lessons are practical:

Plan six to 12 months ahead, when possible, but don’t let tight timelines prevent action
Choose who to work with as carefully as technology—look for teams willing to collaborate and take some risks
Invest in staff training during compressed projects, as the cloud expertise gained is invaluable

NJIT’s approach shows that with the right team and a willingness to move fast, infrastructure challenges don’t have to become crises. What could have been a major disruption ultimately became a strategic positioning for continued modernization.

Learn how AWS helps institutions build resilient infrastructure that supports educational missions.

Read related stories on the AWS Public Sector Blog

The transformative impact of generative AI on business workflows in a highly regulated industry

Yunjie Chen — Thu, 23 Apr 2026 19:41:00 +0000

The aerospace industry represents one of the most complex regulatory environments for software development, where system failures can result in catastrophic consequences including loss of human life and multibillion-dollar assets. Blue Origin operates within this framework, in which software systems control every aspect of rocket propulsion, navigation, life support, and mission-critical operations.

Unlike traditional software companies that can iterate rapidly, aerospace companies must adhere to safety and mission-critical standards such as DO-178C (Software Considerations in Airborne Systems and Equipment Certification) and NPR 7150.2D (NASA Software Engineering Requirements). These standards mandate extensive verification and validation processes, creating a unique environment where innovation must be balanced against rigorous safety protocols—making it an ideal case study for examining how generative AI can be integrated into highly regulated development workflows using Amazon Web Services (AWS).

The current state of aerospace software development

Current aerospace software development operates under a safety-first methodology that prioritizes risk mitigation over time-to-market. Such development must adhere to the following principles:

Extensive documentation requirements – Documentation often comprises 60–80% of total development effort, with requirements for configuration management, change control records, and verification matrices.
Formal verification processes – Software must undergo extensive static analysis and testing that can include thousands of test cases. Hardware-in-the-loop simulations are standard practice.
Multilevel reviews and approvals – Design reviews involve cross-functional teams that include systems engineers, safety engineers, and regulatory compliance specialists. Independent verification and validation (IV&V) teams provide objective assessment of software quality and compliance.
Long development cycles – Aerospace software development cycles typically span 2–5 years for major systems, with minor updates requiring months of verification before deployment.

These stringent requirements call for a strict software development lifecycle (SDLC) with many lengthy verification steps (Figure 1). This V-Model approach progresses from mission and stakeholder requirements through system design and software requirements on the descending left side, then validates through corresponding verification phases (from unit testing through integration and system verification to final mission validation) on the ascending right side.

Figure 1: Aerospace software development lifecycle (V-Model) showing the relationship between requirements definition phases on the left and corresponding verification phases on the right, from mission requirements through system validation

Generative AI as a workflow catalyst

Current aerospace SDLC workflows might not adequately meet the industry’s growing demands for speed, accuracy, and agility. Generative AI provides an opportunity to streamline these processes.

One powerful application lies in augmenting the requirements generation process. The following diagram shows a typical requirements workflow, where requirements gathering and analysis are thorough but time intensive. Engineers must collect and analyze stakeholder needs, then document them in comprehensive specifications focused on feasibility, correctness, completeness, and consistency. The workflow proceeds from change requests through requirements analysis and documentation, followed by formal review processes, and finally to version-controlled requirements storage. The AI requirement checker integrates into this flow between initial documentation and formal review, automatically validating requirements against quality standards.

Requirement defects become exponentially more expensive to fix as development progresses. Generative AI solutions, such as requirement checkers, address this by identifying issues before formal review begins, substantially reducing review time and costly downstream issues.

Figure 2: Typical aerospace software requirement generation process, showing the workflow from change requests through version-controlled requirements, with AI requirement checker integration highlighted in green

High-quality, validated requirements enable more effective testing. Generative AI can help eliminate defects in requirements, and similarly it can automatically generate test plans from requirements. As illustrated in the following figure, AI can analyze requirements documentation and create corresponding test plans for complete requirements coverage, automatically populating test plan templates while maintaining full traceability throughout the verification process. The workflow begins with requirements and relevant standards as inputs to the AI system, which uses predefined templates to generate comprehensive test cases that directly trace back to specific requirements, ensuring complete coverage and regulatory compliance.

Figure 3: AI augmentation in the typical aerospace requirement-based test plan generation, showing how AI generates test cases from requirements, standards, and templates to produce requirement-based test plans with full traceability.

Generative AI solutions for aerospace software development

The ideal generative AI solution for aerospace software development requires automated documentation and traceability, integrated compliance into agentic AI operations processes, continuous risk assessment, and abilities to incorporate aerospace domain-specific knowledge.

Most existing commercial software solutions lack the comprehensive capabilities needed, making a custom-built solution using AWS not only preferable, but necessary. Agentic AI represents a fundamental shift from traditional automation to autonomous problem-solving, ushering in an era of AI-augmented SDLC management.

At its core, an AI agent functions as an intelligent entity that perceives its environment, processes complex information, and makes informed decisions. In software development, these agents understand intricate requirements while using contextual information to review requirements for accuracy and completeness. They can intelligently decompose complex requirements, generate comprehensive test plans, produce executable code and tests, and integrate seamlessly with the entire development ecosystem.

Agentic AI in the aerospace industry

The generative AI solutions built for Blue Origin incorporate these key agentic AI characteristics:

Autonomy – Agents operate independently, making decisions about requirement correctness and maturity or generating test plans with minimal human supervision, using AWS agentic capabilities that provide the appropriate level of context to support these autonomous workflows.
Reasoning and planning – Agents analyze requirements, understand the environment in which they exist, and formulate strategic plans.
Tool use – Agents using existing software tools, APIs, Model Context Protocol (MCP), and AI models.
Memory and learning – Agents retain information from past interactions and learn from successes and failures.
Goal-oriented – Agents work toward specific objectives, continuously refining their approach.

The following figure illustrates how aerospace software development workflow changes with the adoption of agentic AI. Traditional software development lifecycle includes six main steps from planning, requirement analysis, to defining requirements followed by design, development, testing, and finally deployment and maintenance. These rigorous and labor-intensive steps are required to ensure software robustness and reliability for highly regulated mission critical applications. With agentic AI, it augments the existing process and shortens the software development lifecycle by reducing labor-intensive task durations such as requirements discovery, code generation, and testing. Furthermore, AI agents are employed to streamline code release management, and post-release performance monitoring and debugging.

Figure 4: Software development lifecycle and agentic AI workflow intersect, showing traditional SDLC phases at the top and corresponding AI-augmented processes underneath, from requirements discovery through monitoring and evolution.

The AI orchestration platform in Amazon Elastic Kubernetes Service (Amazon EKS) through Amazon Bedrock operates as a centralized intelligent development assistant that integrates multiple data sources and knowledge repositories in Amazon Relational Database Service (Amazon RDS). The platform uses AI agents powered by large language models (LLMs) such as Claude Sonnet by Anthropic in Amazon Bedrock and Amazon Nova to process developer requests through a unified interface such as an integrated developer environment (IDE) or command line interface (CLI). When users interact with the system, the platform dynamically routes Amazon OpenSearch Service queries to specialized agents that access relevant Amazon Bedrock knowledge bases containing relevant project data. These agents employ reasoning capabilities to understand context, retrieve information, and generate responses such as requirement analysis. The following diagram shows this architecture.

Figure 5: Architecture showing the integration of Amazon OpenSearch Service, Amazon Bedrock knowledge bases and agents, Amazon EKS, Amazon RDS for PostgreSQL, and Amazon Simple Storage Service (Amazon S3) to create an AI-powered development assistance platform

Summary

At Blue Origin, generative AI has revolutionized software development by reducing the documentation burden 40-60% through automated generation of traceability matrices, specifications, and compliance reports while performing real-time safety assessments and requirement-based test plan creation. This AI-augmented approach maintains rigorous safety standards while dramatically reducing development timelines by 40%, accelerating innovation cycles without compromising the process assurance requirements of human spaceflight software development.

Beyond aerospace, this workflow transformation extends to other highly regulated industries such as healthcare, finance, and defense. Generative AI creates dynamic, intelligent systems capable of continuous learning, so human developers can focus on strategic thinking while autonomous agents handle repetitive tasks. AWS provides the robust platform for deploying these transformative solutions, creating a harmonious blend of human intelligence and AI capabilities for more efficient and innovative enterprises.

Organizations can capture the significant reduction in documentation burden and faster development timelines that AI-powered requirement checkers and automated test plan generation delivers with the comprehensive AWS AI services supporting the secure AI deployment with guardrails and observability. These will free engineering teams from repetitive tasks so they can focus on strategic innovation while maintaining the rigorous safety standards your industry demands, with applications extending to healthcare, finance, and defense sectors facing similar regulatory challenges. To learn more about how AWS helps public sector organizations deploy AI-driven solutions, connect with the AWS Public Sector Team today.

Breaking Down Barriers: How AWS Democratizes Genomic Data for the World

Dr. Dawn Heisey-Grove — Tue, 21 Apr 2026 22:00:48 +0000

Part 1 of 3: Democratizing Access to Genomic Data and Analytics

Every human deserves access to innovations that could save their life. Yet for decades, groundbreaking genomic research remained locked behind institutional walls, accessible only to well-funded laboratories.

At Amazon Web Services (AWS), we believe global IT infrastructure and advanced analytical capabilities are necessary tools to address these challenges. We’re transforming how researchers discover treatments, how clinicians diagnose conditions, and, ultimately, how millions of people receive care.

This blog is the first in a three-part series that explores how AWS is transforming genomic research through democratized data access, sovereign-by-design outbreak intelligence platforms, and population-scale biobanks that enable global collaboration while maintaining data security and privacy.

The Challenge: A World of Data, Islands of Access

Genomics has become a big data industry, and researchers everywhere face multifaceted challenges:

Volume of storage. A single Next-Generation Sequencing (NGS) instrument can produce over 1TB of data per day, with estimates predicting organizations will generate between two and 40 exabytes of genomic data within the next decade.
Computational barriers. Analyzing genomic data requires massive computing power previously available only to major research institutions.
Geographic and sovereignty barriers. Researchers in low- and middle-income countries often lack infrastructure, but countries prefer to maintain control over sensitive health data while still enabling collaborative research

When only wealthy institutions can analyze genomic data, medical breakthroughs apply only to smaller, wealthier populations, leaving billions underserved by the promise of precision medicine.

Cloud Infrastructure for Global Health Equity

AWS addresses these challenges through open data initiatives, purpose-built genomic services, and strategic credit programs that put powerful technology within reach of organizations supporting underserved populations.

AWS Registry of Open Data: 95+ Genomic Datasets and Growing

The AWS Registry of Open Data democratizes data access. The registry hosts 95+ genomic data sources—including the Sequence Read Archive (40PB+), Cancer Genome Atlas (2.5PB+), and Human Cell Atlas (300TB)—making them readily available in Amazon Simple Storage Service (Amazon S3). Researchers can analyze data where it lives, dramatically reducing time-to-insight and costs.

AWS Services for Genomic Workloads

AWS HealthOmics – A fully managed service for specialized genomic storage and managed workflow execution at scale.
High-performance computing – AWS Batch, AWS ParallelCluster, and GPU/FPGA-accelerated Amazon Elastic Compute Cloud (Amazon EC2) instances for variant calling and gene expression analysis.
Secure, compliant storage – Amazon S3 and Amazon Glacier Deep Archive for cost-effective long-term storage.
Amazon Nova Forge – For developing specialized domain models, from drug discovery assistants to custom genomics models.

Real-World Impact: Opening Doors for Researchers Worldwide

At AWS, we believe our cloud and AI services are powerful tools to address the world’s urgent and complex health challenges.

The true measure of democratization isn’t in technology specifications, it’s in whose lives are changed. In 2021, we launched the AWS Health Equity Initiative (HEI), a three-year $60M commitment to advance global health equity.

Here are two examples of these investments:

Korea University: Advancing Female Autism Research in East Asia

Autism research historically focused on male subjects and Western populations, leaving critical gaps in our understanding of how the condition manifests in women and in East Asian populations. Dr. Joon-Yong An at Korea University set out to change this by analyzing 1.4 petabytes of genomic data to identify sex-specific genetic factors.

Using AWS credits, Dr. An’s team processed whole-genome sequencing data from over 42,000 individuals across Korean and international autism cohorts, facilitating large-scale collaborative studies in East Asia where autism research is limited.

Using scalable AWS services like EC2 with GPU acceleration and S3, they conducted a Category-Wide Association Study framework to prioritize noncoding variants associated with autism. The team also trained high-performance deep learning models to predict sex-specific genetic factors.

“By efficiently processing large-scale genomic datasets, our solution accelerates the discovery of female-specific risk factors, facilitating more accurate diagnoses and personalized interventions. Ultimately, our findings will contribute to reducing health disparities and improving health outcomes for autistic individuals,” reported Dr. An.

“Our work opened new avenues for researchers to explore sex-related genetic factors in various neurodevelopmental and psychiatric conditions. By democratizing access to computationally intensive genomic research, AWS empowered us to bridge gender disparities in autism diagnosis and treatment, ensuring that overlooked populations receive the medical attention and resources they deserve.”

Imagenomix: Precision Cancer Diagnostics for All Backgrounds

Approximately 98% of global cancer patients lack access to targeted genetic testing, largely due to the high cost (~$6,000 per patient) and slow turnaround (33+ days) of conventional NGS panels.

Using AWS infrastructure, Imagenomix developed IGX Predict, an AI-powered platform that analyzes standard pathology slides to predict gene mutations in as little as three minutes, at a fraction of the cost of traditional Next-Generation Sequencing (NGS). By training their models on diverse patient populations, Imagenomix ensures their diagnostic tools work accurately across all racial and ethnic backgrounds.

The social impact of this approach is profound. IGX Predict dramatically lowers barriers to patients’ access to NGS by achieving a 100% tissue success rate compared to a 26% failure rate with traditional methods. This enables clinicians to rapidly identify the right patients for clinical trials and targeted therapies, regardless of where they are in the world.

“Finding the right patients is the biggest bottleneck in drug development, and that bottleneck disproportionately excludes patients from underrepresented populations,” said Travis Wold, CEO of Imagenomix. “Our mission is to make precision cancer diagnostics accessible to everyone — not just the few — by turning a standard pathology slide into genetic insight in minutes.”

With a growing product pipeline spanning lung, breast, and brain cancers, Imagenomix is positioning itself as the new standard in precision access, ensuring that advances in genomic medicine reach every patient, everywhere.

Bridging Data and Discovery: The AWS Open Data-NVIDIA Knowledge Graph Hackathon

Dr. An’s autism research and Imagenomix’s AI driven precision diagnostics platform, showcase how AWS credit programs and scalable infrastructure democratize computational power for genomic discovery. The second pillar of democratization — open access to foundational genomic datasets hosted freely on AWS — creates opportunities for collaborative innovation at unprecedented scale, exemplified by a hackathon that united researchers globally to advance trustworthy AI in biomedicine.

In October 2025, AWS partnered with NVIDIA to host a transatlantic hackathon bringing together 53 researchers from the US and UK. Over three days, seven teams built prototype systems combining knowledge graphs with GraphRAG to make AI outputs more trustworthy in biomedical research, using Amazon Neptune, Open Data on AWS, and NVIDIA’s PyTorch Geometric RAG resources.

Teams created solutions addressing critical challenges, from GeNETwork’s precision oncology knowledge graph integrating cancer genomics and pharmacological data, to BioGraphRAG’s citation-supported biomedical question answering system.

The Path Forward: From Access to Action

Democratizing access to genomic data is just the beginning. Part 2 of this blog series explores how AWS enables global pathogen surveillance and outbreak intelligence through sovereign-by-design platforms, which allow countries to collaborate on infectious disease tracking while maintaining control over their sensitive health data within national borders.

The future of global health depends on ensuring that genomic insights benefit everyone, not just those in wealthy nations or well-funded institutions. Through open data initiatives, purpose-built services, and strategic support for underserved researchers, AWS helps build that future one genome at a time.

Learn more about AWS Social Impact
Learn more about Registry of Open Data on AWS
Learn more about AWS for Healthcare & Life Sciences

About the Authors:

This blog series was developed by AWS Skilling and Social Impact (SSI) in collaboration with AWS Healthcare and Life Sciences specialists. AWS SSI exists to fuel, align, and amplify the good that AWS does in the world, helping organizations transform health outcomes through cloud and AI technology.

24 new or updated datasets available on the Registry of Open Data on AWS

Kyle Cook — Tue, 21 Apr 2026 21:37:58 +0000

The Amazon Web Services (AWS) Open Data Sponsorship Program makes high-value, cloud-optimized datasets publicly available on AWS. AWS works with data providers to democratize access to data by making it available to the public.

People can use it for analyzing data on AWS or developing new cloud-based techniques, formats, and tools that lower the cost of working with data. This is to encourage the development of communities that benefit from access to shared datasets.

Through the AWS Open Data Sponsorship Program, customers are making over 300 petabytes of high-value, cloud-optimized data available for public use.

All publicly available datasets can be found in the Registry of Open Data on AWS and are also discoverable on AWS Data Exchange. This quarter, AWS released 24 new or updated datasets.

What are people doing with the Registry of Open Data on AWS?

Organizations are using the Registry of Open Data on AWS in many different ways, including:

Purdue University democratizes geospatial data through the AWS Open Data Sponsorship Program with Purdue University’s Data to Science Initiative (D2S). With this program, researchers across disciplines can share and access a unified collection of geospatial datasets from around the world. AWS recently participated in and helped sponsor Purdue Geographic Information Systems (GIS) Day 2025: Unlocking GeoAI Data and Tools, where we presented to faculty, students, and researchers about the value of cloud technology in the geospatial space.
Scientists Map Aging Brain in Unprecedented Detail, Revealing Clues to Alzheimer’s and More using the Registry of Open Data on AWS. Hosting the dataset on the Registry of Open Data on AWS makes it widely accessible while removing the heavy computational barriers typically required to handle large biological datasets. Having nearly 900,000 spatially mapped cells in the cloud means scientists around the world can explore the data without needing specialized infrastructure.
Arnis, an open source tool, transforms real-world locations into playable Minecraft worlds by processing geospatial data hosted on AWS. By migrating to Terrain Tiles—a global elevation dataset on the Registry of Open Data on AWS—Arnis eliminated data retrieval costs while serving nearly 300,000 users.
Columbia University’s Learning the Earth with Artificial Intelligence and Physics (LEAP) and the U.S. National Science Foundation (NSF) Science and Technology Center collaborated with AWS to build AutoClimDS, an agentic AI system that researchers with no specialized coding expertise can use to conduct climate data science workflows using natural language.

OpenFold3 Training Data from OpenFold Consortium

The OpenFold Consortium announced a major OpenFold3 update as well as the public release of training datasets and full-stack tooling for reproducible biomolecular AI. OpenFold3 is an open source deep learning system for cofolding that predicts the 3D structures of biomolecular complexes from sequence and molecular inputs, including proteins interacting with small molecules and nucleic acids. OpenFold3 enables structure prediction for biomolecular complexes relevant to drug discovery, protein engineering, and basic research, supporting both evaluation workflows and downstream method development.

With this update, OpenFold3 is available as an end-to-end open cofolding stack, including training datasets, model weights, training and inference code, and evaluation scripts released under permissive licenses. This full-stack release facilitates independent reproduction of reported results, rigorous benchmarking, and extension through fine-tuning and method development, which are difficult capabilities to achieve with closed or inference-only systems.

The OpenFold3 dataset joins 23 other new or updated datasets on the Registry of Open Data on AWS in the following categories:

Climate and weather

Geospatial

Life sciences

AI/ML

Vesuvius Challenge – CT Scans of Herculaneum Papyri from Vesuvius Challenge

How can you make your data available?

The AWS Open Data Sponsorship Program covers the cost of storage for publicly available high-value, cloud-optimized datasets. We work with data providers who seek to:

Democratize access to data by making it available for analysis on AWS
Develop new cloud-based techniques, formats, and tools that lower the cost of working with data
Encourage the development of communities that benefit from access to shared datasets

Learn how to propose your dataset to the AWS Open Data Sponsorship Program.

Learn more about open data on AWS.

The four questions every government leader should be asking about AI

David Appel — Mon, 20 Apr 2026 20:34:56 +0000

The pace of change in AI is reshaping how governments approach national security, economic progress, scientific discovery, and critical infrastructure. Over the past several months, I’ve sat across the table from cabinet officials, combatant commanders, intelligence leaders, and their counterparts worldwide. The conversations are urgent, the stakes are real, and the questions keep coming back to four themes.

1. GPUs alone are not an AI strategy

Many believe that AI success requires rooms full of GPUs. Procure the hardware, secure power agreements, stand up the clusters, and mission outcomes will follow. I understand the instinct—it feels tangible, controllable, sovereign. But hardware alone has never been the bottleneck.

A room full of GPUs isn’t a capability. Organizations often underestimate the cost and complexity to deliver at scale with monitoring, governance, and security. The real challenge is the time it takes to get from raw hardware and data to mission insight and capability, a problem that requires integrated services working together seamlessly.

On-premises AI infrastructure requires building or leasing specialized facilities, months of procurement lead time, and teams of engineers to manage GPU clusters. By the time you’ve stood up the environment, you’re already a generation behind your adversaries.

Security at scale matters. Cyber threats are industrialized, automated, and accelerating. CrowdStrike’s 2025 Global Threat Report documented a 150% surge in state-sponsored espionage in 2024, with 300% spikes in critical industries. Attacks on healthcare, energy, and government infrastructure are relentless. Protecting critical assets against this threat landscape means building and automating security operations from scratch.

In the cloud, that protection comes at scale. Amazon Web Services (AWS) monitors 4.8 billion flows of network traffic per second and 1 billion host telemetry events per second. Our active defense systems, from global honeypot intelligence to automated takedown of malicious infrastructure, operate at a scale only possible in the cloud.

We’re already seeing this at Idaho National Laboratory, where agentic AI tools compress nuclear energy design cycles from years to months. The scientists aren’t managing infrastructure or defending perimeters—they’re focused on breakthrough research.

The question government leaders should be asking isn’t “where do I put my GPUs?” It’s “how can I move my people from data to decision faster?” The answer lives in the cloud.

2. Mission-critical requires resilience

Recent events worldwide have reminded us that physical infrastructure, no matter where it sits, is not immune to disruption. Data centers can be impacted by conflict, natural disasters, and cascading failures. These sobering realities deserve serious architectural thinking, not slogans.

The instinct to spread workloads as a hedge against disruption is understandable. But it conflates two different concepts: multi-cloud and multi-region. Multi-cloud is about choice, and choice is valuable. The question is how to exercise options in ways that strengthen resilience rather than fragment your workload’s security and operational posture. There are scenarios where multi-cloud makes sense: different mission areas with distinct requirements, workload-specific optimizations, or regulatory mandates requiring provider diversity.

Multi-region is an architecture discipline of isolated regions, each with independent power, cooling, and networking, designed to fail over. Not all cloud regions are created equal. AWS is intentionally architected for resilience through AWS Regions and Availability Zones. Each AWS Region is physically isolated from other Regions, and each contains multiple Availability Zones with independent power, cooling, and networking. This is a fundamental architectural difference that directly influences mission continuity decisions.

Multi-cloud introduces operational complexity. Maintaining full workload portability between providers means duplicating security models, replicating data pipelines, training teams on multiple platforms, and managing the overhead of fundamentally different architectures. In a threat environment where nation-state actors run years-long campaigns against critical infrastructure, fragmented security postures and complexity are what adversaries exploit.

The biggest cost reductions and strongest security outcomes result from the depth of a well-architected and optimized environment with a provider that has earned the right to run your most sensitive workloads.

3. No government should bet its mission on a single foundation model

The foundation model (FM) landscape is moving faster than any technology cycle I’ve seen in my career. Models that lead today might be unavailable or surpassed tomorrow. Licensing terms shift. Geopolitical considerations emerge. New capabilities appear from unexpected places. In this environment, locking your mission to a single model provider isn’t a strategy.

This is why Amazon Bedrock provides access to multiple FMs with consistent security controls, governance guardrails, and compliance frameworks. You choose the model that fits the mission. When the landscape shifts, as it inevitably will, you switch without re-architecting your application and security posture.

Model choice is only the beginning. AWS helps customers build systems that can plan, reason, and execute multistep tasks on behalf of mission operators. Amazon Bedrock AgentCore simplifies how to build, deploy, and scale these agentic capabilities on top of an increasing choice of models. When your agent framework is model-agnostic, you can swap or tailor the underlying FMs without rebuilding the workflow, giving government teams the ability to adopt the best available model for each mission as the landscape evolves.

Your data, together with model choice, unlocks differentiation. Government organizations gain the most when they combine open-source and commercial models with domain-specific data such as geospatial intelligence, medical records, logistics patterns, and threat assessments. This requires capabilities for fine-tuning, continued pre-training, agents, knowledge bases, and guardrails.

The model landscape will shift. The only question is whether your architecture lets you shift with it.

4. What AWS is doing about it

Government leaders consistently ask, “What are you actually doing?”

We’re investing at scale: AWS announced an investment of up to $50 billion in AI and supercomputing infrastructure for US government agencies, adding nearly 1.3 gigawatts of capacity across Top Secret, Secret, and AWS GovCloud (US) Regions.

We’re removing financial barriers with up to $100 million in federal credits: $50 million through the Warfighter Capability Accelerator for DoD and the defense industrial base, and $50 million through the Genesis Accelerator for DOE, national labs, and research organizations. Through OneGov, we’re simplifying the path for government builders to modernize to cloud services with $1B in savings to accelerate their cloud journeys.

We’re also continuing to increase the availability of new services, features, and models across our government Regions, expanding our partner network to help commercial cloud innovation reach the mission as fast as possible.

And we’re protecting the broader internet, not only our own infrastructure. In the past year, we’ve dismantled criminal botnets, disrupted nation-state cyber campaigns, and shared threat intelligence with governments and partners worldwide. We process 1 billion honeypot interactions per day and have prevented 2.7 trillion scanning attempts in the last twelve months. Security isn’t a feature we bolt on—it’s foundational to everything we build.

We’ve been doing this for more than 15 years. First to build purpose-built government infrastructure. First to achieve accreditation across all classification levels. First to bring generative AI to the most sensitive government environments. That’s not a talking point—it’s a commitment.

What government leaders should do next

The technology is proven and available. What’s needed now is action:

Stress-test your resilience architecture – Ask your team: if your data center goes down tomorrow, what’s your recovery time? If the answer involves rebuilding across a different provider, you don’t have resilience—you have a plan to rebuild. Architect for multi-Region failover within a proven provider and exercise it. Use our Mission Resilience lens to implement best practices.
Adopt a multi-model strategy now – Don’t wait for a model to be restricted or deprecated. Stand up a multi-model environment through Amazon Bedrock today, fine-tune on your domain data, and build the muscle to switch to new models and versions as the landscape shifts.
Pick a real mission problem and see what agentic AI can do now – Compress a timeline. Automate a workflow. Show your organization what’s possible when the infrastructure gets out of the way.
Engage us – The credits are available. The infrastructure is built for government. Our partners are ready. Reach out to your AWS account team or visit AWS Cloud Computing for Federal Government to connect with an expert on your mission.

The convergence of AI, cloud computing, and national security is creating an inflection point that will define the next decade of government capability. The path forward isn’t through rooms full of GPUs and fragmented architectures. It’s through decisive action on a secure, scalable, multi-model cloud—backed by a team with the deepest government cloud experience in the world.

We’re ready. Let’s build together.

A Decade of Innovation: Celebrating 10 Years of Impact at AWS Imagine for Nonprofits

Rick Buettner — Sun, 19 Apr 2026 13:43:31 +0000

How the nonprofit sector is leading the way on responsible AI, data equity, and mission-driven technology — and what’s next.

This year’s AWS Imagine for Nonprofits conference marked a milestone: 10 years of bringing together nonprofit leaders, technologists, and mission-driven innovators to explore how technology can accelerate social and environmental impact.

Held at MGM National Harbor in Oxon Hill, Maryland, the event was equal parts anniversary celebration of all nonprofits have achieved in the last decade and forward-looking summit on the opportunity ahead.

As Rick Buettner, Managing Director of Global Nonprofits at AWS, reminded the packed room, “At Amazon, it’s always day one. What that means is that we’re just getting started.”

This year also coincides with the 20th anniversary of Amazon Web Services (AWS), adding extra weight to the reflection on how far cloud and AI technology have advanced with the sector. Over the course of the day, attendees heard from nonprofit leaders, AWS executives, and a Grammy and Oscar-winning artist and philanthropist about the power of data, responsible AI, and cross-sector collaboration. Here are the key highlights and announcements from this year’s conference.

10 Years of nonprofit innovation

Lauren Stovall, Global Head of Nonprofit Programs at AWS and the creator of the Imagine Nonprofit Conference, opened her keynote remarks by capturing the spirit that has defined the event since its founding: “This event has always been designed with the acknowledgement that you all are innovators — because you have to be. When society falls short, you all are the ones that provide hope. When people are in need, you’re the ones that rush in to help. And when traditional systems fail, you build new ones.”

Looking back at a decade of sustained partnership, Stovall highlighted how nonprofit technology has evolved from early cloud experiments to sophisticated, AI-powered solutions that are transforming billions of lives. “The purposeful application of technology has transformed billions of lives and created pathways to serve billions more,” she said. “I think we can all agree: time well spent.”

Three organizations exemplify what a decade of innovation looks like in practice:

THORN’s Safer platform has helped detect more than 12 million suspected child sexual abuse material (CSAM) files and content on online platforms — an enterprise-grade tool protecting children in the digital age at scale.
Global Citizen’s AWS-powered app has activated 43 million actions, unlocked $49 billion in funding, and positively impacted 1.3 billion people — roughly one in six people on the planet.
The Allen Institute has mapped the complete adult mouse brain, simulating 10 million neurons and 26 billion synapses, paving the way for the first map of the human brain and enabling AI-powered inferences about diseases like Alzheimer’s and Parkinson’s.

“That refusal to accept the status quo, paired with innovative thinking, is what makes nonprofits so special.”

— Lauren Stovall, Global Head of Nonprofit Programs, AWS

Amplifying voices with AI: Fair Trade USA

Felipe Arango, CEO of Fair Trade USA, delivered one of the keynote’s most compelling addresses — a challenge to technologists and nonprofits alike to ensure that the AI benefits the people who need it most.

“AI can predict what you’ll buy before you even know you want it,” Arango told the audience. “But the person that grew that product still doesn’t have access to clean water or to health and educational opportunities for their kids. Consumers don’t choose what they don’t see. And today, too many people at the beginning of our supply chains are still invisible. That’s not a technology gap. That is a design gap.”

The numbers underscore the urgency: 75% of the world’s poor still live in rural areas; by 2050, half of the suitable land for growing coffee could disappear in some regions while 125 million people depend on that crop worldwide.

Over nearly three decades, Fair Trade USA has built a model grounded in one belief: “The people closest to the problems are also the closest ones to the solution.” The results are tangible: $1.3 billion mobilized supporting over 1.6 million farmers, fishers, and workers across operations spanning 50+ countries, with more than 1,500 brands participating in the fair trade movement and 30+ years of producer community data now being unlocked with AI.

“Data is becoming the new land, and power is shifting with it. Who owns it, who understands it, and who benefits from it — if producers don’t own their data, they will be ridden out of the future.”

— Felipe Arango, CEO, Fair Trade USA

To address this, Fair Trade USA is leveraging Amazon Bedrock to amplify producer voices at scale. Their vision is to move “from labels to lived outcomes, from claims to evidence” — building a system where every product carries a living story owned and told by producers, visible at the moment of discovery, at the moment of purchase, and long after.

“Imagine buying coffee and instantly seeing the people and the solutions that your purchase supported — not as marketing, but as truth,” Arango said. “We have the tools. We have the moment. The question is what we choose to build, and for whom.”

Arango framed the AWS partnership as critical infrastructure for this vision: “You are building infrastructure that can help shape how people make informed decisions. We are building systems to ensure those decisions include everyone. Together we can make fairness the default — not a filter, not a feature, the foundation of trade.”

Protecting the natural world: Jane Goodall Institute

Dr. Lilian Pintea, Vice President of Conservation Science at the Jane Goodall Institute, took the audience back 25 years to a candlelit table at Jane’s house in Gombe National Park — the moment he and Dr. Goodall first reviewed satellite imagery showing all the trees of Gombe from space.

“Jane looked at me and said, ‘This is magic,'” Pintea recalled. “And I felt that we were at the beginning of a special journey.”

That journey has led to one of the most ambitious digital preservation efforts in science. JGI’s Gombe Stream Research Center holds the world’s longest ongoing study of chimpanzees — 66 years of continuous observation. The scale of the archive is extraordinary: 500,000+ pages of handwritten research notes in local Kiswahili and Kiga languages with unique JGI notation, decades of video and audio recordings including soundscapes from Gombe, and the only location in the world tracking five generations of chimpanzees and their individual life histories.

The challenge: digitizing even the last third of the chimpanzee archive at the current manual pace would take 13 years. The AWS Generative AI Innovation Center visited Gombe last August to understand data workflow gaps — and the collaboration that followed has been transformative.

“With AWS, we’re making sure the next generation of researchers and conservationists doesn’t just inherit that knowledge — they build on it.”

— Dr. Lilian Pintea, VP of Conservation Science, Jane Goodall Institute

In one of her last videos, Dr. Jane Goodall herself articulated the vision: “AI technologies should be considered as tools used to address the needs of local communities and support them in the stewardship of the land so that it will improve the lives of people, animals, and the environment. All of which is interconnected.”

Responsible AI: AWS’s framework for the nonprofit sector

A key theme throughout the day was a focus on building a strong data strategy. Without a data foundation, AI has the potential to become ineffective and inaccurate. AWS is helping nonprofits build the data foundation first, then layer responsible AI on top. The approach includes:

Automatically identifying sensitive data and securing it
Centralizing data across siloed systems and governing it responsibly
Automatically evaluating foundational models against organizational AI policies
Keeping the human in the loop — “AI is serving us. We are not serving AI. We always have to remember that.”

FINCA International’s Aura platform offers a compelling proof point. Previously siloed across multiple poverty alleviation systems, FINCA centralized its data and then built Aura using Amazon Bedrock and Anthropic’s Claude. The result: researchers can now quickly identify which interventions work best for which communities, map new solutions, and give feedback to ensure the AI stays aligned with organizational goals.

National Geographic Society and AWS

Dave Levy, Vice President of Worldwide Public Sector at AWS, took the stage to bridge two themes that ran throughout the day: the power of legacy data and the transformative potential of AI-driven storytelling.

“One of the most powerful things technology can do is help us preserve information and learn from the past while we build for the future,” Levy said.

With that, he announced a landmark new partnership between the National Geographic Society and AWS. The National Geographic Society has spent 138 years documenting the world — ocean floors, ancient civilizations, vanishing ecosystems — amassing billions of assets. The partnership will digitize billions of assets from the National Geographic archive, use AI to make the archive searchable and accessible in entirely new ways, and increase the speed and scale of the Society’s storytelling for researchers, educators, and explorers worldwide.

Levy also reflected on his conversation with Dr. Goodall at last year’s Imagine conference: “That conversation has stayed with me nearly every day and it will always stay with me. I share her belief that we all have the power to make a difference every single day.”

A conversation with John Legend

In a fireside chat, Dave Levy sat down with Grammy and Oscar-winning artist, producer, and philanthropist, John Legend for a wide-ranging conversation about technology, storytelling, and systemic social change.

Their discussion explored Legend’s work in criminal justice reform, racial equity, and education — and how sustained cross-sector partnerships and committed advocacy can drive change at the systems level. Legend shared his perspective on the unique role nonprofits and technology play in building communities where dignity, safety, and opportunity are accessible to all.

AWS Imagine Grant: 2026–2027 cycle now open

AWS announced that the 2026–2027 funding cycle for the AWS Imagine Grant is now open. Since the program launched in 2018, AWS has awarded more than $21 million in unrestricted grants to more than 180 nonprofit organizations worldwide. The program is operational for eligible nonprofits based in five countries across the globe – the United States, Canada, United Kingdom, Australia, and New Zealand.

Stovall emphasized that the grant is designed to do more than fund technology projects — it’s meant to spark strategic thinking: “We really truly hope that the application process itself helps codify thinking, bring together stakeholders, and really start looking at how data, advanced cloud capabilities, and AI can be brought into your organizational strategy to amplify your work while also supercharging impact reporting and storytelling.”

Organizations interested in applying are encouraged to visit the AWS Imagine Grant website to learn more about eligibility and the application process. The deadline for the 2026-2027 grant cycle is June 5, 2026.

Building connections that drive impact

Beyond the keynote stage, AWS Imagine for Nonprofits 2026 offered attendees immersive opportunities to explore technology solutions, connect with experts, and experience the power of AWS tools firsthand.

At the AWS Builder’s Lounge, nonprofit technologists and mission leaders could engage directly with AWS solutions through hands-on workshops and 1:1 Solutions Architect consultations. Attendees explored practical implementations of cloud infrastructure, data analytics, and AI-powered tools designed specifically for nonprofit use cases. A diverse community of AWS partners were there, offering specialized expertise in areas ranging from data migration and security to custom application development and AI implementation. And, in the Impact Lounge, attendees had the opportunity to talk with the AWS for Nonprofits team, as well as discover resources and programs to help them accomplish their goals. Here, nonprofit leaders shared their journeys – the challenges they faced, the solutions they built, and the communities they serve.

Looking ahead: Day one for the next decade

The 2026 AWS Imagine for Nonprofits conference made one thing clear: the nonprofit sector is not just adopting AI — it is helping define what responsible, mission-driven AI looks like. From amplifying the voices of farmers and workers across the global supply chain to preserving 66 years of primate research before it is lost forever, nonprofits are proving that technology is most powerful when it is in service of something larger than efficiency.

If you couldn’t attend this year’s conference or would like to revisit your favorite sessions, check out the on-demand session library.

To learn more about how AWS supports nonprofits, visit the AWS for Nonprofits homepage. And if your organization is ready to accelerate its technology strategy, start a conversation with our team today.

Building an AI-ready university campus with AWS

Shashank Tanksali — Wed, 15 Apr 2026 14:26:29 +0000

AI adoption is accelerating across university campuses, but most institutions approach it through disconnected pilots and departmental silos. When universities treat AI as a collection of tools rather than an institutional capability, the result is fragmented investments, duplicated efforts, inconsistent policies, and moving too slow to address student and faculty needs, which leads to missed opportunities to transform teaching, research, and operations at scale.

Universities need to figure out how to adopt AI strategically. Based on insights from the 2025 EDUCAUSE research on AI in higher education, only 23% of universities measure AI return on investment (ROI), yet those that do scale their initiatives twice as fast. The difference lies in treating AI as an institutional capability requiring coordinated strategy, not as isolated tools or IT projects.

Institutions that build coordinated AI capabilities today will accelerate discovery, personalize learning at scale, and operate more efficiently. Those that don’t risk falling behind in serving students, advancing research, and fulfilling their public mission. AI readiness needs to focus on more than technology. To be successful progressing through the stages of AI adoption, universities need to align strategy, governance, people, and culture to transform how your institution serves its mission in the age of artificial intelligence.

AI has moved from emerging technology to foundational capability in higher education. But without coordinated strategy, universities risk creating new forms of inequality while leaving transformative potential unrealized. Students in the same lecture hall have radically different AI access. Researchers waste time navigating bureaucracy instead of advancing discovery. Administrative systems remain siloed while AI could connect them. Without a clearly defined AI adoption pathway, shadow IT use of AI is almost certain.

This post outlines an AI-ready framework for use by higher education institutions worldwide. The framework takes a holistic approach to integrating AI across campuses while addressing the critical challenges of data governance, security, academic integrity, workforce readiness, and equity.

A framework for institutional AI readiness

To become AI-ready, universities need to do more than deploy a single system or run isolated pilots. AI readiness requires a coordinated framework that aligns strategy, technology, governance, people, and culture with your core mission of teaching, research, and public service.

The framework consists of six interconnected pillars that transform AI from fragmented experiments into an institutional capability:

Data and digital foundations – Treating data as a strategic asset with scalable infrastructure
Responsible AI governance – Establishing ethical, transparent, and compliant systems with human oversight
People, skills, and talent enablement – Empowering your entire community through education and development
Culture and change readiness – Fostering experimentation while addressing resistance
Scalable use cases – Implementing high-impact applications across teaching, research, and operations
Measurement and adaptability – Continuously measuring impact and refining strategies

Universities that approach AI as only another IT project will struggle. Those that treat it as institutional transformation—requiring executive leadership, cross-functional collaboration, and cultural change—will lead.

These pillars represent an interconnected system where progress in one area enables advancement in others rather than a checklist to complete sequentially. Instead of thinking of the process of becoming AI ready as linear, think of these six pillars as the foundation of institutional transformation.

Data and digital foundations

Start with strategy, not servers. Before investing in infrastructure, your organization needs to answer the fundamental question of how to use AI to advance your mission of teaching, research, and public service.

This clarity drives everything else. Establish an AI committee with executive sponsorship and appoint an institutional AI champion—someone who can bridge academic, administrative, and technical perspectives. Position AI as a long-term institutional capability and build the foundation AI needs to thrive. Don’t limit your efforts by making it an IT project that lives in one department.

AI depends on high-quality, accessible data. Treat your data as a strategic asset with scalable infrastructure, data quality standards for reliable model training, and sharing mechanisms while protecting privacy. Your infrastructure should grow with your ambitions. Amazon Web Services (AWS) provides the elasticity to scale from pilot projects to campus-wide deployments without massive upfront investment.

Responsible AI governance

Trust is your most valuable asset, so you must protect it. In higher education, trust isn’t optional. Students, faculty, parents, and the public expect you to use AI ethically, transparently, and in compliance with academic norms.

Create an AI governance body with diverse representation that includes academic affairs (provost’s office), faculty from multiple disciplines, legal and compliance, IT and security, and student representatives. This body should establish clear policies that answer:

When is AI use appropriate and when isn’t it?
How do we drive transparency in AI-assisted decisions?
What human oversight is required for sensitive applications?
How do we handle bias, errors, and appeals?
What are our data privacy and security standards?

Stakeholders sometimes worry that governance efforts will slow innovation. In reality, effective governance enables it by giving your community confidence to experiment within clear guardrails. By using AWS responsible AI, you can accelerate trusted AI innovation with effective governance.

People, skills, and talent enablement

A $2 million AI infrastructure investment delivers zero ROI if faculty don’t know how to use it. AI readiness depends on empowering your entire community—faculty, researchers, staff, and students—to understand and use AI effectively.

For faculty and researchers:

Provide hands-on AI workshops and create communities of practice
Offer research computing and course development support for AI integration

For staff:

Create pathways for staff to develop technical skills
Develop AI literacy programs that demystify the technology

For students:

Provide AI tool access to support learning and research
Teach responsible AI use and critical evaluation of AI outputs to prepare for an AI-augmented workforce

Setting the goal to make everyone an AI expert isn’t realistic. Instead, ensure everyone can use AI appropriately in their role. The state of the art in AI is evolving rapidly and evolving your training and enablement to keep up to date with it is important.

Culture and change readiness

Address the human side of transformation. Technology adoption fails without cultural readiness. Faculty worry about academic integrity. Staff fear job displacement. Administrators struggle with risk management. Students navigate unclear expectations.

Build a culture that embraces AI by:

Addressing concerns directly – Host open forums where community members can voice fears and ask questions. Acknowledge legitimate concerns about job impacts, bias, and academic integrity rather than dismissing them.
Fostering experimentation – Adopt the Amazon “two-way door decision” framework—make reversible decisions quickly to test ideas. With modern AI tools, you can prove or disprove concepts in weeks, not years. Encourage rapid experimentation within your governance guardrails.
Celebrating innovation – Recognize and reward faculty, staff, and students who pioneer responsible AI use. Share success stories across campus to build momentum.
Enabling cross-functional collaboration – Break down silos between academic affairs, IT, research computing, and administration. AI initiatives succeed when diverse perspectives shape implementation.
Reinforcing academic values – Frame AI as amplifying rather than replacing human judgment, creativity, and critical thinking. Position AI as a tool that frees people for higher-value work.

Cultural change takes time. Start with early adopters, demonstrate value, and let success create momentum.

Scalable use cases across teaching, research, and operations

Move from pilots to impact. AI readiness becomes tangible through high-impact use cases that scale beyond isolated experiments. Start with applications that solve real problems and demonstrate clear value.

Wharton School developed an innovative virtual teaching assistant (TA) chat assistant using generative AI on AWS, specifically using Amazon Bedrock and Claude by Anthropic in Amazon Bedrock. The assistant offered:

Personalized learning support – AI tutors provide around-the-clock assistance, adapting to individual student needs and learning pace.
AI-assisted course design – Faculty use AI to generate practice problems, create assessments, and develop course materials, which frees time for direct student interaction and curriculum innovation.
Virtual labs and simulations – AI-powered simulations enable hands-on learning in disciplines where physical labs are expensive, dangerous, or impractical.

Examples in research:

Accelerated data analysis – Researchers use AI to process datasets that would take months manually, identifying patterns and insights that advance discovery.
Literature review and synthesis – AI tools help researchers stay current with exponentially growing academic literature, identifying relevant papers and synthesizing findings.

Examples in operations:

Student success analytics – Predictive models identify students at risk of dropping out, enabling proactive intervention and support.
Enrollment and financial forecasting – AI improves planning accuracy, helping institutions optimize resources and manage budgets effectively.
Administrative efficiency – AI-assisted case management streamlines processes in financial aid, human resources (HR), facilities, and other administrative functions such as procurement, which reduces wait times and improves service quality. California Polytechnic State University, with total procurement spend exceeding $190 million in 2023–2024, pioneered the use of generative AI to revolutionize its procurement process by using Amazon Bedrock and Claude AI models to generate more efficient and accurate scopes of work (SOWs).

The key to scaling is to start with use cases that have clear success metrics, engaged stakeholders, and potential for campus-wide adoption. Learn from each implementation and apply lessons to the next.

Measurement and adaptability

Because AI readiness is an ongoing journey of learning and adaptation, measuring progress is essential. Without measurement, you can’t demonstrate value, justify investment, or guide future decisions.

Define success criteria tied to outcomes:

Teaching – Student learning gains, engagement metrics, completion rates
Research – Time to discovery, publication output, grant success rates
Operations – Cost savings, service quality improvements, staff productivity

Establish feedback loops:

Regularly survey faculty, staff, and students about AI tool effectiveness
Monitor AI system performance and accuracy
Track adoption rates and identify barriers to use
Assess whether AI initiatives advance your strategic priorities
Share AI successes broadly to inspire others

Adapt as you learn:

Refine policies based on real-world experience
Adjust investments toward highest-impact applications
Update governance as technologies and regulations evolve
Reassess your AI strategy annually as capabilities mature

The universities that lead in AI won’t be those with the most advanced technology—they’ll be those that learn fastest and adapt most effectively.

The following graphic illustrates these six pillars.

Figure 1: AI-readiness framework for a university

AI-readiness maturity model

Understanding the six pillars is one thing but knowing where your institution stands is another. The AI-readiness maturity model provides a practical framework to evaluate your current capabilities and chart your path forward.

Most universities fall into one of five maturity stages, from experimental (isolated pilots) to transformational (AI as core institutional capability). Success in AI adoption requires executive commitment, cross-functional collaboration, investment in people alongside technology, and governance that enables rather than blocks innovation.

Importantly, you might be at different levels across different pillars—advanced in research computing but early-stage in teaching applications, for example. This is normal and helps you prioritize investments strategically while enabling a shared communication model across all stakeholders on AI maturity.

Experimental

The experimental stage is marked by the following characteristics:

Individual faculty and researchers experiment with AI tools in isolation
No coordinated strategy or institutional policies
Data exists in departmental silos with no integration or governance
Ad-hoc technology purchases without central oversight

What this looks like in practice: A computer science professor uses a chatbot for course prep. A biology lab runs machine learning (ML) models on local servers. The admissions office pilots a chatbot. None of these groups know about the others’ work, and there’s no institutional guidance on appropriate use.

Key challenge: Fragmentation leads to duplicated efforts, inconsistent policies, and missed opportunities for collaboration.

Opportunistic

The opportunistic stage is marked by the following characteristics:

Departmental AI initiatives emerge, often grant-funded
Basic coordination within departments but silos remain between them
Partial data integration within specific domains
Departmental-level governance and policies
Growing awareness of AI potential but no campus-wide strategy

What this looks like in practice: The college of engineering establishes an AI research center. The medical school launches a health analytics initiative. IT provides GPU resources for research. Each operates independently with its own policies and priorities.

Key challenge: Departments compete for resources and duplicate investments. Inconsistent policies create confusion about acceptable AI use.

Progression pathway: Establish an executive-sponsored AI committee with cross-functional representation to begin coordinating efforts.

Coordinated

The coordinated stage is marked by the following characteristics:

University-wide AI strategy defined and communicated
Formal AI governance committee with diverse representation
Executive AI champion appointed (often at vice president or provost level)
Institutional AI policies, governance standards, and guidelines published
Systematic skill-building programs launched

What this looks like in practice: The university publishes AI principles and acceptable use policies, and an AI steering committee meets monthly to coordinate initiatives across departments.

Key challenge: Moving from coordination to actual integration requires sustained investment and cultural change.

Progression pathway: Pilot high-impact use cases that demonstrate value across teaching, research, and operations. Use success stories to build momentum and justify expanded investment.

Integrated

The integrated stage is marked by the following characteristics:

AI embedded across teaching, research, and operations
Mature governance processes with clear escalation paths
Centralized AI tools, shared data repositories, and continuous improvement processes
AI literacy among faculty, staff, and students
Cross-functional teams routinely collaborate on AI initiatives
Measurement systems track impact and ROI

What this looks like in practice: Personalized learning platforms serve thousands of students. Research teams routinely use AI for data analysis and discovery. Administrative systems use AI for forecasting and decision support. The institution measures AI impact on learning outcomes, research productivity, and operational efficiency. New faculty receive AI training during onboarding.

Key challenge: Maintaining momentum and avoiding complacency. Ensuring equity of access across all student populations.

Progression pathway: Expand successful use cases. Invest in advanced capabilities like custom model development. Share learnings externally to establish thought leadership.

Transformational

The transformational stage is marked by the following characteristics:

AI as core institutional capability, not merely a tool
AI informs strategic decision-making and institutional governance
Continuous innovation cycles with rapid experimentation
Global leadership in AI-enabled teaching, research, or operations
AI capabilities attract top faculty, researchers, and students
Institution shapes broader higher education AI practices
Sophisticated measurement of AI’s mission impact

What this looks like in practice: The university is recognized nationally for AI innovation. Research breakthroughs are accelerated by AI capabilities. Graduates are sought after for their AI literacy. The institution contributes to AI policy discussions and shares frameworks with peers. AI enables new models of education and discovery that weren’t previously possible.

Key challenge: Staying ahead while technology evolves rapidly. Balancing innovation with responsible governance.

The following graphic illustrates the maturity model.

Figure 2: AI-readiness maturity model for a university

Key insights from the maturity model

You don’t need to be at stage 5 to create value. Even at stages 2 and 3, institutions can achieve significant impact through coordinated efforts.

Progress isn’t linear. You might advance quickly in some pillars while others lag. This is normal—use it to inform investment priorities.

Culture matters as much as technology. Institutions that invest only in infrastructure without addressing governance, skills, and culture struggle to advance beyond stage 2.

Leadership commitment is essential. Universities that progress to stage 4 and beyond have sustained executive sponsorship and dedicated resources.

Learn from others. Connect with peer institutions at similar maturity levels to share lessons learned and avoid common pitfalls.

The maturity model is a guide to intentional progress aligned with your mission and resources. Start where you are, be honest about gaps, and advance systematically.

Take your next step

Begin by assessing your readiness. Use the maturity model to evaluate your institution. EDUCAUSE offers a complimentary Higher Education AI Readiness Assessment, created with AWS, that is designed specifically for higher education institutions to benchmark capabilities and identify priority areas for investment.

You also need to learn from peers. Explore how universities worldwide are building AI capabilities through AWS customer stories and see real-world implementations across teaching, research, and operations.

Finally, build capabilities. AWS education programs provide resources for every stage of your AI readiness journey:

AWS Academy – Ready-to-teach cloud computing and AI/ML curriculum for faculty
AWS Educate – No-cost cloud learning resources for students and educators
AWS research credits – Support for AI-intensive research projects and computational workloads
AWS Training and Certification – Professional development pathways for IT staff and administrators

Connect with the AWS Education team to discuss your specific challenges and explore how we can support your AI readiness journey. Our higher education specialists work with institutions at every maturity level—from establishing initial strategy to scaling campus-wide implementations.

Join the community by attending AWS re:Invent and AWS Public Sector Summit events to connect with peers, learn from customer presentations, and discover the latest AI innovations for higher education.

The institutions that invest in AI readiness today—building foundations, empowering their people, and learning as they scale—will define the future of higher education. Your students, faculty, and researchers are counting on you to lead.

Ready to begin? Start with an honest assessment, identify your highest-impact opportunities, and take the first step toward transforming your campus for the AI era.

Why graduates aren’t AI-ready: Six frictions revealed in new AWS-Pearson study on education to workforce gaps

Maryclaire Abowd — Mon, 13 Apr 2026 16:08:33 +0000

The workplace is changing faster than higher education can keep up, putting student success at risk. As artificial intelligence (AI) redefines what employers expect from new hires, graduates are entering the workforce with a widening gap between what they learned within their higher education curriculum and what their new jobs require.

A new joint research report from Pearson and Amazon Web Services (AWS) examines this challenge. As a lifelong learning company, Pearson brings expertise in learning science and curriculum design. AWS brings insight into how AI is deployed across industries and institutions. Together, the two organizations developed the AI Readiness: Building the Bridge from Higher Education to Work report to understand where the transition from higher education to work breaks down and what institutions and both public- and private-sector employers can do about it.

Conducted in collaboration with independent research firm PSB Insights, the study draws on survey data from over 2,700 learners, higher education leaders, and employers, and qualitative interviews with higher education leaders across six countries: the United States, the United Kingdom, the Kingdom of Saudi Arabia, Brazil, Malaysia, and Vietnam.

The findings reveal that AI readiness is not a single skills gap waiting to be filled. It is a systemic breakdown in the transition from learning to work, driven by six frictions that compound on one another.

Six frictions stalling the learning-to-work transition

Dr. Vincent Liardi, global marketing lead for thought leadership in higher education at Pearson, noted that the six frictions were not assumed at the outset. They surfaced from the data itself.

“We really let the data lead us to where the friction points were,” said Liardi. “We truly have an evidence-based friction framework.”

The research identifies six structural barriers that reinforce each other across the education-to-workforce pipeline: pace, connection, capability, governance, experience, and skills. Institutions have made real progress in giving students access to AI tools, but the study found that access alone does not close the gap. The depth of AI learning has not kept pace with the breadth of tools available, and faculty readiness remains one of the most significant barriers to student preparedness. Higher education leaders and students also view AI readiness differently; a perception gap explored further in the full findings.

Additionally, more than half of employers surveyed said they cannot find graduates with the right AI skills. The full study explores how each friction contributes to this gap and what it takes to close it, including a portrait of the research’s “Optimal AI-Ready Graduate,” defined not by tool proficiency alone but by an integrated set of capabilities spanning applied judgment, ethical reasoning, and collaboration.

A diagnostic framework to help leaders act

Liardi described one of the key messages of the research this way: “AI-ready graduates don’t emerge by chance,” he said. “Readiness is built where learning and work connect.”

To help institutions strengthen that connection, the study provides a friction framework designed as a practical tool for leaders to identify which of the six frictions are most acute in their own context and then prioritize interventions. That framework inverts each friction into a desired outcome.

A well-positioned institution, according to the research, is agile in its curriculum, connected to industry, equipped with AI-capable faculty, governed by clear and enabling policy, structured to deliver applied experience, and producing graduates with the compound skills employers require.

Employers have a role to play in reaching that outcome, too. The report encourages organizations to move beyond thinking of themselves as passive consumers of talent and instead co-produce AI-ready graduates through shared governance, co-designed curricula, structured feedback loops, and clearer job posting language about AI-readiness expectations.

Students can also take ownership of their readiness. The report recommends building a digital portfolio of AI-integrated projects rather than relying solely on a resume, cover letter, or degree to demonstrate competency. One finding from the study underscores why that matters. When employers were given a forced choice between two hypothetical candidates—one with strong AI skills but no degree and one with a degree but limited AI experience—the degree’s advantage was just four percentage points.

The report closes with the Friction Framework Self-Assessment, which provides higher education leaders a set of questions as a starting point for evaluating where their institution stands today.

Maryclaire Abowd, senior business development manager for education and research at AWS, said higher education leaders have been looking for exactly this kind of evidence-based support. “Leaders have been asking for guidance on how to actually move forward,” said Abowd. “This research is designed to give them that.”

From global findings to localized action plans

This global report is the first phase of a broader research initiative. Pearson and AWS will release six country-specific reports in the coming months, offering localized findings and recommendations tailored to each market examined. These reports will give institutional leaders a more granular view of the frictions shaping AI readiness in their own region.

The data, the diagnostic framework, and the full set of recommendations are available now. Read the complete AI Readiness: Building the Bridge from Higher Education to Work report to assess where your institution or organization stands and identify where to act first.

Learn more about Amazon’s Future Ready 2030 initiative and how AWS Training and Certification are equipping early-career professionals with essential skills in the AI era. To learn how AWS supports researchers and educators, connect with an AWS for Education expert.

How universities can collaborate with AWS to design technology experiences that deliver student success

Brigette Bucke — Sun, 12 Apr 2026 17:53:42 +0000

Last year, 75 students at a science, technology, engineering, and mathematics (STEM) mentorship organization serving first-generation and low-income college students spent 4 hours building generative AI applications from scratch. They didn’t merely learn AI fundamentals, they developed business cases, presented functional prototypes, and left with portfolio projects ready for job interviews. That outcome didn’t happen by accident. It happened because we asked one question before designing a single slide: What do these students actually need?

That question is the foundation of how Amazon Web Services (AWS) approaches university collaborations. Technology companies visit campuses every week with standard presentations and product demos. Students sit through information sessions that don’t connect to their coursework, career goals, or lived experiences. Faculty miss opportunities to blend current industry practices with academic exploration. Universities miss the chance to direct student creativity toward real-world challenges where there are no predetermined answers.

AWS takes a different approach. Instead of presenting what we want to show, we start by understanding what your students need to succeed—and then we build the experience around that. In this post, we present a framework for universities to maximize educational outcomes from industry engagements.

Working backwards from student needs

The AWS Working Backwards methodology starts with the customer. In a university context, the customer is the student. When you tell us what your students need, we design the experience to deliver it:

When computer science students need portfolio projects for job interviews, we design hands-on workshops where they build real applications.
When business students are studying digital transformation, we bring customer case studies and strategic frameworks they can analyze.
When engineering students need capstone project ideas, we provide real-world technical challenges they can solve.
When graduate business students are learning strategic planning, we share our Working Backwards methodology they can apply to their own ventures.
When community college students need industry certifications for immediate employment, we create certification preparation workshops.
When graduate students are conducting research, we connect them with our technical teams for collaboration opportunities.
When liberal arts students want to understand technology’s business impact, we design case studies that blend humanities perspectives with technical innovation.

The key principle is that students leave with something tangible, such as a working application, a certification, a portfolio project, or a strategic framework they can apply immediately. We can host these experiences at AWS offices for industry exposure or on your campus as faculty-sponsored learning events that align with your university’s mission and academic culture.

What we need from you

To design the most valuable experience for your students, we need to understand your specific context. The more you can share with us up front, the better we can tailor the content, format, and delivery.

Student demographics and academic focus:

Are we working with first-year students who need foundational concepts or advanced students ready for complex technical challenges?
Which departments and majors would benefit most, and what is their technical background?
Are students primarily focused on technical careers, business roles, or interdisciplinary opportunities?

Curriculum integration:

Can our event align with existing coursework requirements, giving students practical application opportunities for concepts they are learning in class?
Are there specific skills gaps or learning objectives we can address that would strengthen your program outcomes?
Can students earn academic credit or create portfolio pieces from their participation?

Institutional culture and values:

What matters most to your university community, and how can we align our presentation style, examples, and interaction with your educational philosophy?

If serving underrepresented students is a priority, we want our content and speakers to reflect those values and create meaningful opportunities for all students

Your definition of success:

What outcomes would make this collaboration valuable for your students, faculty, and institution?
How can we measure and demonstrate the educational impact of our work together?
What would make you want to engage with us again?

Equity and accessibility

Designing for student success means designing for all students. When we plan together, we address equity and accessibility from the start:

How do we create experiences that all students can participate in, regardless of technical background, financial resources, or prior experience?
What accommodations might be needed for students with disabilities?
What technology access do students have, and do we need to provide equipment or accounts?
How do we create examples and speakers that reflect the diversity of your student population?

These aren’t afterthoughts—they’re design requirements. AWS is committed to creating experiences that serve every student in the room.

Sustaining value beyond the event

A single workshop is a starting point, not an endpoint. When we plan together, we think through what comes next:

Will students retain access to the tools, platforms, or resources we introduce?
What continued access do they need to learning materials, documentation, or mentorship opportunities?
Are there any costs to students for certifications, accounts, or materials that we should plan for?

AWS offers a range of resources that can extend the value of our collaboration, including AWS Educate for foundational cloud learning, AWS Academy for curriculum-integrated cloud education, and AWS re/Start for workforce development. Understanding your students’ ongoing needs helps us connect them to the right resources after our event ends.

Implementation keys

Several aspects of your implementation will help determine how successful it is. For the best chance of success, elements such as preparation, faculty involvement, follow-up activities, and assessment and feedback need to be fleshed out in detail prior to the start of the program.

Preparation makes all the difference in the success of your student experience. When you brief us on your student context and learning objectives, we customize our content and examples for maximum relevance. The more you can tell us about your students’ backgrounds, current coursework, and career aspirations, the better we can tailor the experience to meet their specific needs.

When faculty participate in our events and connect our content to ongoing coursework, students see clearer relationships between industry practices and academic learning. Faculty feedback also helps us improve our educational contributions over time, creating a continuous improvement cycle that benefits future collaborations.

The real value often comes after the event. When universities create follow-up opportunities for students to apply what they have learned, pursue additional certifications, or connect with our team for ongoing mentorship, the impact grows significantly. We’re always ready to support these extended learning opportunities when you help us understand how to contribute most effectively.

Assessment and feedback drive improvement. When you share student feedback, learning outcome data, and suggestions for improvement, we refine our approaches and create more valuable experiences for future collaborations. This cycle of feedback and iteration is how we move from good events to great ones.

These collaborations create meaningful value for everyone involved. Students gain practical skills, industry exposure, portfolio projects, and professional networks that strengthen their career readiness. Faculty benefit from current industry insights they can integrate into their teaching, curriculum development opportunities, and professional connections that keep them engaged with evolving industry practices. Universities strengthen industry relationships, enhance program offerings, and improve student outcomes that demonstrate their commitment to practical, career-focused education. AWS gains the opportunity to contribute meaningfully to the educational institutions that shape the next generation of builders while building relationships with emerging talent and gaining insights that inform our product development and educational resource creation.

This value is reciprocal, flowing continuously between students and the university, the university and AWS, and back. The following graphic illustrates the flow of value between the university, students, and AWS.

Getting started

The conversation starts with your students. Tell us about their backgrounds, their goals, and what success looks like for your institution. From there, we work together to design an experience that serves your educational mission and delivers genuine value—not another generic industry presentation. To begin a conversation about your specific student needs and collaboration opportunities, reach out to your AWS account team or the AWS Public Sector team. Visit AWS Educate to explore AWS education programs and resources.

We’re committed to creating experiences that serve all students and support lasting educational impact. Together, we can build something worth coming back for.

Accelerate your organization’s compliance journey with a Secure Research Environment on AWS

John Paul Laverde — Thu, 09 Apr 2026 12:42:29 +0000

Please note that the following post is intended for informational purposes only. The approach detailed below may not be suitable for all organizations and/or compliance programs. It is important to evaluate this potential solution against the compliance needs of your organization and any applicable regulatory obligations you may have.

What if your institution could accelerate research compliance in weeks instead of 12–14 months? Traditional on-premises approaches take so long that by the time you meet requirements, regulators might have already updated the criteria and your researchers might have missed critical funding deadlines. Meanwhile, the grants went to institutions that got compliant faster.

Amazon Web Services (AWS) developed the Secure Research Environment (SRE) to help institutions remain agile and competitive while supporting alignment with evolving security and compliance standards. This preconfigured cloud infrastructure provides a strong security foundation and standardized architectural patterns that can accelerate an organization’s compliance journey as requirements evolve. In constrained funding environments, the SRE helps organizations establish compliance-aligned capabilities early, enabling researchers to focus on discovery and innovation while institutions remain well positioned to compete for grants.

Drawing on extensive experience in cloud security, compliance auditing, and executive risk advisory, this post explores how Secure Research Environments (SREs) leverage security controls and architectural patterns to support alignment with multiple compliance frameworks. It highlights how automation and standardized design can streamline access to regulated research environments, while emphasizing that final compliance outcomes depend on organizational implementation, configuration, and formal assessment.

When compliance becomes a barrier to discovery

Right now, your researchers face a perfect storm. Compliance standards are changing rapidly while grant funding is becoming increasingly scarce.

The National Institutes of Health (NIH) issued a mandate requiring NIST SP 800-171 for all controlled-access biomedical data repositories. Organizations that handle Controlled Unclassified Information (CUI) now require Cybersecurity Maturity Model Certification (CMMC) 2.0. Without it, your institution can’t apply for federal-based research grants, limiting your access to federal funding opportunities. Additional US agencies are following suit. Internationally, your organization must demonstrate compliance with the General Data Protection Regulation (GDPR) and ISO 27001 when handling sensitive information. Canada and the United Kingdom enforce their own data privacy regulations.

As compliance requirements expand, so do the costs of meeting them. And these challenges can have downstream effects across your institution. If your institution can’t secure funding from limited resources, you can’t expand your research footprint. For universities, this could affect R1 status or growth trajectory. For national labs, research hospitals, and defense contractors, it means losing competitive positioning for critical grants and the ability to attract top talent.

Beyond competitive standing, noncompliance carries regulatory and financial risks. False claims violations can result in significant fines, and data spillage involving CUI might carry additional penalties.

Address multiple compliance frameworks with one preconfigured solution

The SRE on AWS helps you address these challenges by providing your institution with a robust, more secure foundation for processing sensitive, protected, and sovereign workloads. In the US, this includes NIST SP 800-172, CMMC, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Federal Information Security Management Act (FISMA), and many more. Internationally, the SRE supports GDPR, the Personal Information Protection and Electronic Documents Act (PIPEDA), ISO 27001, and other frameworks.

The SRE establishes a centralized environment, meaning your research, IT, and organizational support teams can provide thorough support to your researchers across disciplines while maintaining compliance with funding agencies’ requirements and regulations. AWS delivers this through a preconfigured multi-account architecture that meets essential compliance requirements.

Your research organization can deploy the solution in under 3 months (sometimes as little as 1 week for single frameworks) at a fraction of the cost of traditional on-premises approaches, which require significant capital investment and often leave researchers waiting or resorting to workaround solutions that might not meet compliance requirements.

Under the AWS shared responsibility model, AWS maintains the technical foundation, infrastructure security, automated security controls, and preventive guardrails. Your institution manages its data, policies, and documentation requirements, with support from step-by-step guides and training materials provided by AWS. For your IT teams, this centralized approach alleviates the burden of managing multiple one-off compliance environments and responding to those last-minute requests from researchers.

How the SRE architecture automates compliance

The SRE is built using the Landing Zone Accelerator on AWS (LZA), which automates the deployment of a more secure, resilient, scalable cloud foundation. Depending on your institution’s requirements, the SRE can be deployed on AWS GovCloud (US), commercially, or both.

Figure 1 illustrates the architecture, including AWS Organizations with a multi-account structure, centralized identity and access management (IAM), centralized logging and monitoring, a segmented network with traffic inspection, and centralized DNS management. Within this foundation, the SRE creates separate compliance buckets called organizational units for different regulatory requirements. When your researcher wins a grant, they work with your IT department to identify which compliance standards apply. IT places the researcher into the appropriate bucket: HIPAA for health research, CMMC for defense projects, FISMA for federal work, and so on. Researchers working on multiple grants with different compliance requirements can access multiple buckets simultaneously, with each project automatically inheriting the correct controls.

When your researchers spin up services inside their bucket, they naturally inherit the appropriate security and compliance controls, which means they can meet required standards and conduct their research more securely without additional configuration.

Figure 1: Overview of the SRE Landing Zone architecture on AWS illustrating organizational units for different compliance frameworks

Scale and adapt as your compliance needs evolve

As your institutional needs evolve, your IT team can quickly add new compliance buckets or expand existing ones without rebuilding infrastructure from scratch. When compliance requirements change, you can update your SRE configurations rather than starting over, protecting your investment and maintaining continuous grant eligibility. This helps your SRE scale in line with your research ambitions.

Additionally, for organizations with heightened data protection requirements beyond standard compliance frameworks, the SRE can be extended with a Trusted Research Environment (TRE) on AWS. This adds an additional security layer at the data level for fine-grained control over data ingress and egress.

Give your researchers a seamless compliance experience

Although the SRE handles infrastructure-level compliance, your researchers experience something much more streamlined. From your researchers’ perspective, compliance happens behind the scenes. They don’t need to understand HIPAA requirements or configure security settings. They log in to their more secure research portal, a customized interface that shows only the products and services relevant to their specific grant. They focus on their research while compliance controls work automatically in the background. The portal serves as the primary access point for your researchers and their external partners, streamlining collaboration while maintaining strict compliance standards.

This streamlined approach gives your researchers what they need while helping avoid common institutional headaches such as shadow IT environments, unauthorized server purchases, and last-minute scrambles to provision compliant resources.

Extending secure research globally

Research institutions worldwide face the same core challenge: meeting rigorous compliance requirements without slowing down scientific discovery. The AWS SRE is built on a flexible, multi-account architecture that can be configured to reflect the regulatory requirements of any jurisdiction, whether your institution operates under a single national framework or navigates overlapping international standards. The SRE provides a consistent, scalable foundation that travels with your research mission.

Get started with alignment and deployment

Successful SRE implementation starts with organizational alignment. Your chief information officer (CIO), vice president of research, and chief information security officer (CISO) must work together from the outset to support your researchers’ compliance needs. You can be successful if you bring these leaders together early with a shared commitment to helping your researchers and aligning on what’s needed to succeed before implementation begins.

After that foundation is in place, each SRE implementation includes two major workstreams that run in parallel. By building infrastructure and preparing compliance documentation simultaneously, you close the months-long gap between technical completion and audit readiness that frequently stalls deployment. The two parallel workstreams are:

Technical build – Deploy infrastructure, including AWS Organizations, organizational units, network architecture, security controls, and automation using the LZA.
Compliance and audit readiness – AWS Security Assurance Services prepares you for certification by providing documentation, control mapping, and evidence collection.

AWS offers three flexible pathways for deployment:

AWS Partners and Security Assurance Services – AWS Partners handle technical deployment, and Security Assurance Services prepares you for compliance certifications. Best for institutions seeking expert implementation support. AWS Partners can maintain your environment or teach your team to manage it independently. To get started, explore the AWS Partner Network to find an experienced partner.
Guided build and Security Assurance Services – Your team builds the SRE with guidance from AWS solutions architects while Security Assurance Services handles compliance. Best for institutions seeking to develop internal expertise and gain deep knowledge for independent management and scaling. To get started, review the LZA implementation guide and connect with your AWS account team.
AWS Professional Services and Security Assurance Services – AWS Professional Services builds your environment and Security Assurance Services handles compliance. Best for institutions seeking AWS engagement with full-service implementation. To get started, contact AWS Professional Services to scope your engagement.

Is your institution ready to gain an edge in competing for grants?

With the SRE, your IT team can take a centralized, automated approach to research compliance, your researchers can stay focused on their work, and your institution can stay positioned to win grants. Review the deployment pathways to find the right approach for your institution or visit the documentation on the LZA (the technical foundation of the SRE), AWS Partner Network, and AWS Professional Services.

You can also take the next step by contacting AWS directly to learn more about building your SRE.

Read related stories on the AWS Public Sector Blog

Federated learning for biobank data at the CMU-NVIDIA Hackathon

Ben Busby — Mon, 06 Apr 2026 13:33:25 +0000

Biobanks around the world are sitting on rich genomic, clinical, and imaging datasets, but strict privacy, governance, and regulatory requirements make it difficult to centralize this data for large-scale machine learning (ML) purposes. Federated learning (FL) offers a way forward by keeping sensitive data at each institution while sending only model updates to a coordinating server, preserving data sovereignty and reducing privacy risks.

During the January 2026 Carnegie Mellon University (CMU)–NVIDIA Federated Learning Hackathon for Biomedical Applications, ten teams built end‑to‑end prototypes on NVIDIA FLARE (NVIDIA Federated Learning Application Runtime Environment), with data prepared for modeling on Amazon Web Services (AWS), to test how FL could support real‑world biobank collaboration at scale. Several teams used datasets from the Registry of Open Data on AWS, which has a collection of over 225 life sciences datasets across genomics, imaging, and proteins. In this post, we detail the projects the teams worked on, with links to the GitHub repositories from each team, so anyone can access and build on these projects.

The following photograph shows CMU–NVIDIA Hackathon organizers Dr. Melanie Gainey, STEM Librarian and Open Science Program Director at CMU, and Dr. Ben Busby, Global Omics Alliances Manager at NVIDIA, introducing the event to a packed room of participants.

Figure 1: CMU–NVIDIA Hackathon. Photographer: Rebecca Devereaux, CMU Multimedia Specialist

Laying the groundwork with FedGen

Before you can test federated AI workflows, you need realistic data that respects biobank constraints. FedGen tackled this by generating synthetic genomic datasets that mimic real-world properties such as linkage disequilibrium, site-specific variability, covariates, and site-level imbalance across multiple virtual biobanks.

The team built a FLARE-based client–server framework where each client trained a logistic regression model locally for a binary trait, with only weight updates shared across the federation and optional client-side privacy filters applied. This synthetic infrastructure now serves as a reusable testbed for future federated genome-wide association studies (GWAS) on AWS and on-premises biobank environments.

Harmonizing pathology with FedPathHarmony

Histopathology images are notoriously sensitive to site-specific staining protocols, scanner hardware, and local pipelines, all of which can cause models to learn institutional signatures instead of biology. The FedPathHarmony team explored harmonization of the CAMELYON dataset in a federated setting, using stain normalization and style transfer to align images across sites before or during FL training.

By integrating these harmonization steps into NVIDIA FLARE workflows, the team showed that it’s possible to reduce domain shift while keeping raw pathology images at each biobank. Their prototype highlights how algorithmic harmonization and federated orchestration can work together to improve generalization of diagnostic models across hospitals.

Auditing federated readiness at scale with FedViz

Before researchers can use data from different biobanks, they need to first understand what data each biobank has. They need to be able to compare these features and understand the sample size and data quality from each biobank before they can decide which biobank’s data they should use. FedViz tackles this challenge by providing a visualization command center built on harmonized metadata from large-scale consortia, allowing researchers to audit gaps in harmonization and quantify federated readiness across the cohorts.

Pangenome graphs with OmniGenome

Pangenome graphs need data from multiple ancestries and sequencing centers, but these datasets are often siloed across biobanks. OmniGenome focused on building a federated framework for pangenome construction and analysis, using data from the Human Pangenome Reference Consortium (HPRC) as a proof of concept alongside federated genomic hashing without exposing raw sequences. They validated this approach on data from 1000 Genomes, focused on variants with Alzheimer’s disease risk. This work suggests that comparable pangenome representations can be built in a federated setting, which can then be shared across biobanks without exposing raw sequence data.

Untangling ancestry with Med_SNP_Deconvolution

Polygenic risk scores and ancestry inference tools built on existing genomic studies have shown limited generalizability across diverse populations, leaving a critical gap in equitable genomic medicine. Current approaches to ancestry inference require access to individual-level genotype data, making cross-institutional collaboration difficult under increasingly strict data privacy regulations.

Med_SNP_Deconvolution tackles this issue by providing an end-to-end computational framework that transforms phased variant data into recombination-defined haploblock cluster identifiers—discrete categorical features that preserve population structure while obscuring individual-level variation—and integrates GPU-accelerated machine learning with NVIDIA FLARE federated infrastructure, enabling multiple research sites to collaboratively train ancestry classification models without centralizing raw genotype data.

Federated rare disease subtyping with RAIDers

Rare diseases such as Amyotrophic Lateral Sclerosis (ALS) present a unique challenge for genomic research: patient cohorts are too small and too scattered across institutions to yield statistically meaningful results, and strict privacy regulations prevent researchers from pooling raw data across biobanks.

RAIDers (Rare Disease and AI) tackles this problem by building a federated computational framework that integrates 480 pathogenic variants from ClinVar and population allele frequency data from gnomAD to generate a synthetic cohort of more than 8,000 simulated patients across five institutions. They create a tool that validates a federated subtyping pipeline on synthetic data. RAIDers demonstrates that coherent ALS molecular subtypes can be discovered without centralizing sensitive genomic data, establishing a scalable architecture for rare disease subtyping that is ready for integration with real-world controlled-access biobank datasets.

Multi-omic cancer subtyping with OncoLearn

Cancer research increasingly depends on integrating genomic, transcriptomic, and clinical data to define meaningful subtypes. Current multi-omic models are constrained by patient privacy regulations, the logistical barriers of aggregating sensitive genetic datasets, and the poor generalizability of single-site cohorts across diverse global populations.

OncoLearn built a federated multi‑omic cancer subtyping pipeline for classifying breast cancer (BRCA) subtypes using the cancer genome atlas (TCGA) dataset. The framework evaluates the efficacy of traditional supervised learning against modern transfer learning, validating this approach across five subtypes and demonstrating that federated transfer learning achieves high accuracy despite local computational constraints. The team’s open source codebase demonstrates how federated multi‑omic models could help cancer centers collaborate on precision oncology while maintaining their institutional data boundaries.

The following photograph shows CMU–NVIDIA Hackathon researchers working together on multi-omic cancer subtyping with OncoLearn.

Figure 2: Researchers working with OncoLearn. Photographer: Rebecca Devereaux, CMU Multimedia Specialist.

Aligning risk prediction with PRSAggregator

Polygenic risk scores (PRS) aggregate effects across thousands of variants to stratify disease risk, but most PRS are derived from European-ancestry dominant cohorts and thus transfer poorly to other populations due to differences in linkage disequilibrium and allele frequencies. PRSAggregator set out to harmonize PRS computation in a federated framework by enabling sites to collaboratively train or calibrate risk models and then aggregate scores in a privacy-preserving fashion.

The prototype explored federated strategies for aligning model parameters and evaluation metrics across sites, making it easier to interpret PRS distributions and thresholds globally. This work points toward a future in which federated pipelines help standardize genetic risk prediction across institutions and ancestries.

The following photograph shows the PRSAggregator team presenting their project on the third day of the CMU–NVIDIA Hackathon.

Figure 3: PRS Aggregator team presenting their project on day 3. Photographer: Rebecca Devereaux, CMU Multimedia Specialist.

Fusing modalities with MuFFLe

Cancer prognosis models require multimodal data, such as RNA sequencing, clinical variables, and imaging, drawn from patients across multiple institutions. But privacy regulations and unequal access to healthcare technology mean that not every hospital can collect the same data types or share raw patient records across sites.

MuFFLe (Multimodal Framework for Federated Learning) tackles this problem by providing a privacy-preserving federated learning framework that integrates RNA sequencing and clinical features for tumor progression prediction, using NVIDIA FLARE to ensure each hospital trains only on its local data and shares encrypted model updates—never raw patient records—with a central aggregation server.

A key innovation is MuFFLe’s ability to handle modality gaps between institutions. When a smaller hospital lacks RNA sequencing capabilities, the framework selectively disables that encoder and zeroes out its embeddings, allowing the global model to train collaboratively even when data modalities are unequal across sites.

Validated on bladder cancer recurrence data from the CHIMERA Challenge, MuFFLe successfully stratified 176 patients into three distinct risk clusters with interpretable attention heatmaps that highlight the tissue regions and gene features driving each prediction, establishing a scalable, extensible architecture for multimodal federated cancer prognosis.

Predicting protein fitness with FedProFit

Predicting how combinatorial protein mutations affect protein function is a critical challenge in protein engineering, but the experimental data needed to train accurate models—deep mutational scanning (DMS) assays—is scattered across hospitals, academic labs, and industry partners who can’t easily share proprietary or sensitive sequence data.

FedProFit tackles this problem by providing a federated learning framework with NVIDIA FLARE for predicting protein fitness scores across distributed DMS datasets, using NVIDIA BioNeMo’s ESM-2 650M protein language model as a frozen backbone and training only lightweight prediction heads locally at each client site. This way, only model weights, never raw sequence data, are shared with the central aggregation server.

To simulate realistic cross-institutional collaboration, the framework partitions the ProteinGym substitution benchmark, which comprises approximately 2.4 million missense variants across 217 DMS assays, into four federated client nodes representing a clinical hospital (human proteins), a virology lab (viral proteins), an antibiotic resistance lab (prokaryote proteins), and an academic bio-foundry (eukaryote proteins). This demonstrates that a single federated model can learn meaningful fitness predictions across highly heterogeneous biological domains without any site needing to expose its underlying data.

Shared infrastructure, shared impact

Across these ten projects, a consistent pattern emerged. By combining NVIDIA FLARE’s federated orchestration with cloud-scale compute and Open Data on AWS, teams could prototype sophisticated biomedical AI workflows in only a few days. The CMU–NVIDIA Hackathon projects collectively explored disease subtyping, GWAS, pangenomes, ancestry stratification, rare diseases, polygenic risk scores, multimodal data integration, and protein function through a federated lens grounded in real biobank constraints. Although each prototype is an early step, together they outline a technical blueprint for how biobanks, hospitals, and research organizations might collaborate on next‑generation biomedical AI without moving their most sensitive data.

The following is a group photograph of participants and organizers.

Figure 4: All participants and organizers gather on the final day of the hackathon. Photographer: Rebecca Devereaux, CMU Multimedia Specialist.

What’s next?

Researchers, engineers, and students who want to build on this work can start today by exploring the open source repositories from the CMU–NVIDIA Hackathon and reusing data pipelines for their own biobank scenarios. A full preprint shares deeper technical details for each project so that others can replicate and extend these prototypes. We also invite collaborators and biobanks interested in piloting federated learning workflows to connect with the organizing team and to join us at the next Federated Learning Hackathon at CMU Libraries in January 2027, where we’ll continue pushing the boundaries of privacy‑preserving biomedical AI.

To learn more about the CMU–NVIDIA Hackathon, read the CMU blog post about the event, Where Industry Meets Experimentation.

Acknowledgements:

Ayush Tripathi – Solutions Architect at AWS
Sphia Sadek – Solutions Architect at AWS

ASI and AWS see the future of complex global operations

Bernard Asare — Mon, 06 Apr 2026 13:31:40 +0000

The US national airspace system (NAS) is one of the most complex operational environments in the world. Every day, over 47,000 aircraft move through shared airspace, navigating volatile weather, dense traffic flows, space launches, and constraints in real time. A storm cell, a ground stop, or a delayed decision in one region can rapidly ripple across the country.

The cost of being late—or wrong—is measured in millions of dollars, mounting delays, wasted fuel, and compounding operational risk. Many of the systems used to manage the NAS were designed for a slower era. Built to report what has already happened, they struggle to integrate fragmented data or anticipate how today’s decisions might shape the system tomorrow. As complexity accelerates and disruptions propagate faster, reactive decision-making is no longer sufficient.

Air Space Intelligence (ASI) is an American AI company leading transformation and delivering mission-critical decision-making systems to the aviation, defense, logistics, and energy organizations operating in these dynamic, complex environments.

In collaboration with Amazon Web Services (AWS), which provides secure, resilient, highly scalable cloud infrastructure essential for high system availability and mission success, ASI is transforming how the aviation industry manages uncertainty, optimizes operations, and reliably maintains safety at scale.

The challenge: Managing the NAS at scale

The NAS operates as a vast interconnected network where individual decisions ripple across the system. Weather cells forming over the Atlantic Ocean impact transcontinental routes hours later. A ground stop at a major airport creates cascading delays nationwide. Military training exercises require rapid airspace reconfiguration. Each element affects every other, creating a web of dependencies that traditional solutions struggle to capture.

Airlines collectively operate 25,000–30,000 daily flights across the NAS, each requiring precise coordination between pilots, dispatchers, air traffic controllers (ATC), and command centers. The aviation industry has historically relied on fragmented systems and manual processes that react to disruptions rather than anticipating them.

ASI’s solution unifies both data and stakeholders into a common, predictive view of the NAS, facilitating coordinated, collaborative decision-making that anticipates impacts before they cascade across the system.

“What makes our solution unique is how it enables seamless collaboration across the entire operational ecosystem,” explains Bernard Asare, senior vice president of civil aviation at ASI. “Pilots, dispatchers, and traffic managers view the same integrated real-time and predicted pictures and make coordinated decisions.”

AWS provides system reliability for mission-critical operations

Managing the complexity of the NAS is only part of the challenge. Security, reliability, resilience, and availability are nonnegotiable. Decisions directly impact safety, national security, and critical infrastructure, leaving no room for downtime or degraded performance.

ASI’s infrastructure is built on AWS to meet these demands. It uses Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Elastic Compute Cloud (Amazon EC2) for scalable compute, Amazon Simple Storage Service (Amazon S3) for data storage, Amazon Relational Database Service (Amazon RDS) for databases, and Amazon Bedrock for AI training and inference. This architecture is built for multi-Availability Zone resilience, with stateless applications and automated scaling using Amazon EKS and Karpenter to maintain uninterrupted operations under variable load.

“AWS enables ASI to securely build, deploy, and operate high-availability, mission-critical AI platforms that support continuous, uninterrupted operations,” says Jon Varsanik, ASI’s vice president of platform engineering. “Its global infrastructure allows us to scale across commercial cloud and AWS GovCloud (US) environments while maintaining security and resilience.”

ASI’s solution protects sensitive aviation and defense data through sophisticated AWS security controls including encryption at rest and in transit, least-privilege IAM policies with mandatory multi-factor authentication (MFA) for administrative access, and network isolation using Amazon Virtual Private Cloud (Amazon VPC) with private subnets. For defense customers, the solution operates in AWS GovCloud (US) environments certified for Department of Defense (DoD) Impact Levels (ILs) 4–6 and Federal Risk and Authorization Management Program (FedRAMP) compliance.

The ASI solution predicts the future to proactively optimize operations today

ASI’s solution represents a shift in how the aviation industry approaches operational decision-making. Rather than treating each flight as an isolated event, the solution provides thorough, predictive situational awareness across the NAS. By ingesting, fusing, and contextualizing over 150 real-time data streams including Federal Aviation Administration (FAA) System Wide Information Management (SWIM) data, National Weather Service forecasts, MIT Lincoln Laboratory weather, military airspace status, and operational constraints, ASI creates a unified operational picture that facilitates proactive, system-wide optimization.

For each of the data streams, ASI invested heavily in understanding scope, quality, and what Asare calls the “temperament” of the data. This supports the solution’s ability to provide predictive capabilities 8 to 12 hours into the future, which means decision-makers such as traffic managers, ATC coordinators, dispatchers, and pilots can anticipate and mitigate disruptions before they cascade through the system. AI models power critical capabilities throughout the solution, such as predicting taxi times based on weather and congestion patterns, forecasting how traffic flows might evolve around convective weather, and optimizing routes to balance efficiency across the airspace rather than between individual flights. ASI uses Amazon Bedrock for custom model training, refinement, and inference, delivering AI-driven decision support every few minutes.

Airline operations at scale

ASI’s solution supports operations for major US airlines, including United Airlines, Delta Air Lines, and Alaska Airlines, helping them drive significant time and fuel savings.

“Literally both the dispatchers and pilots are looking at the same picture of the weather, the airspace, and the same route recommendations,” Asare says. “Nowhere in the industry do you have pilots and dispatchers viewing the same picture and making decisions together.”

By continuously monitoring system-wide conditions across the NAS, ASI helps airlines anticipate choke points before they cascade into delays. When convective weather disrupts major airspace corridors such as traffic flows stretching from Texas to New York, teams can use ASI’s technology to make proactive traffic flow management decisions, respond faster to minimize diversions, and support dispatchers on the day of operations.

U.S. Department of Defense

As a dual-use commercial-off-the-shelf (COTS) technology, ASI’s solution has been rapidly adapted to support mission-critical operations within the DoD. In a matter of months, ASI deployed its commercial capabilities into secure AWS GovCloud (US) environments meeting IL 4, 5, and 6 security requirements, which means defense organizations can field advanced decision support systems at mission speed.

Across the DoD, ASI supports the dynamic mission replanning and predictive command and control (C2) of air assets. It serves as a critical facilitator of the logistics kill chain, supporting the success of multimodal contested logistics in globally distributed, capacity-constrained environments. Joint stakeholders can use the solution to anticipate disruptions and coordinate decisions across domains and combatant commands, including U.S. Indo-Pacific Command (INDOPACOM), U.S. Northern Command (USNORTHCOM), and U.S. Transportation Command (USTRANSCOM).

“The speed at which ASI delivered operational capability into secure environments changes how the department can deploy advanced decision support systems,” says Mark Lepczyk, president of ASI Federal.

Looking ahead: Transform your mission-critical operations

ASI is expanding its decision support capabilities to serve the FAA’s modernization initiatives, defense operations, and critical infrastructure sectors including energy and logistics. ASI and AWS are also exploring agentic AI workflows and advanced optimization techniques on Amazon Bedrock to further improve decision speed and scale. Organizations facing similar operational complexity can use more secure, resilient infrastructure from AWS to build predictive systems that anticipate disruptions before they cascade.

Learn more about building mission-critical AI systems on AWS

Amazon Bedrock for custom AI model training and inference
AWS GovCloud (US) for defense and regulated workloads
AWS security best practices for protecting sensitive operational data
Contact AWS to discuss your operational intelligence requirements

AI and cloud innovation create the airports of the future

Bob Kwik — Thu, 02 Apr 2026 13:14:53 +0000

AI can redefine the way air travel and airports work. Agentic AI—capable of autonomous decision-making and action—has increased that potential. The payoff could be significant, but so is the implementation challenge.

Airports are among the most complex environments in the world. These mini cities operate around the clock and coordinate thousands of passengers, staff, and systems.

For airport operators, the challenge is how to harness new technologies like AI and now agentic AI to improve passenger experiences and grow revenues. The AI in aviation market is forecast to exceed USD $4 billion by 2032.

This is a highly regulated and complex sector, creating an implementation challenge. The AI Adoption Alliance is a collaborative initiative designed to accelerate responsible AI deployment. The alliance, between Amazon Web Services (AWS), the Cities Today Institute, Zensors AI, and NVIDIA, helps airport operators navigate data governance, legacy integration, and use case evaluation to support AI adoption.

AI addresses airports’ big data challenge

It’s important to work backwards from the problem you want to solve. That usually means starting with the passenger experience or operational improvement. Identify the business value that could be unlocked, then experiment and test with new or proven technologies to find the best solution for your airport. When you’ve established a positive impact, implement that technology at scale.

Airports’ interdependent systems add up to a big data challenge that AI can address, as Nick Woods, managing director of CAVU, founded by Manchester Airports Group (MAG), explains in our AWS paper on the future of intelligent air travel. He says, “AI agents give us the ability to break down those processes into the smallest composable elements and then get them to work together in a streamlined way.”

He describes three core journeys: the passenger, the aircraft, and the luggage journey. Within each, AI can optimize check-in, security, boarding, runway, and control tower operations. By focusing on these journeys, airports can target high-impact areas for AI-driven improvement.

AI transforms passenger experience

The top three AI use cases for airports worldwide are cybersecurity, customer service, and passenger processing. Agentic AI is advancing these applications further, enhancing efficiency, delivering proactive support, and creating personalized experiences that radically improve air travel.

At Aena, the world’s largest airport operator, the “Oli” assistant helps passengers with connections, document verification, and entertainment. Accessible through familiar platforms such as WhatsApp, Facebook, or WeChat, Oli’s real-time support is not only easy to use, it extends seamlessly to airlines and partner airports. Vinci Airports, which manages more than 70 airports in 14 countries, has tested a conversational AI assistant at Lyon Airport capable of understanding natural speech and responding contextually to complex passenger queries. Meanwhile, Air Canada uses Amazon Rekognition for biometric identity verification with 99.9% accuracy, speeding up the boarding process. At Rome’s Fiumicino Airport, Aeroporti di Roma created a smart helper called Virtual Assistant that answers travelers’ questions about flights, baggage, and airport services through WhatsApp and their website—like having a friendly airport guide in your pocket. This AI assistant, powered by Amazon Bedrock and developed by the AWS Generative AI Innovation Center and Storm Reply, talks to passengers in their own language and helps them find their way around one of Europe’s busiest airports.

Operational and revenue benefits

AI transforms how airports operate. One of their biggest challenges is that airport capacity is in constant flux. Accurately forecasting the day-to-day realities of air travel with predictive analytics can have an immediate impact on the bottom line.

At Riyadh Airport, an AI-enabled baggage-handling system developed with AWS cut unexpected failures by up to 50% and reduced repair times by 60%. Brussels Airport uses AI-powered demand forecasting to optimize check-in, border control, and baggage handling. At Rome Fiumicino Airport, Italy, the operator Aeroporti di Roma (ADR) uses ApronAi from Assaia to reduce aircraft turnaround delays, assigning staff based on actual events rather than pre-planned schedules.

At San Sebastián Airport, a combination of AI, drones, and a private 5G network detect foreign object debris (FOD) on the runway, a safety-critical issue that is time-consuming to rectify. At Gatwick, Veovo is building an Integrated Airport Control (IAC) System that can predict challenges in real time. The system provides live situational awareness using aggregated flight, passenger, and transport data. It sends recommendations to security, immigration, airlines, ground staff, air traffic control, and management to help them make coordinated, better-informed decisions.

The agentic AI journey to autonomous airports

AI in aviation is evolving from AI-supported to AI-managed experiences and operations. This next phase, powered by agentic AI, will drive autonomous coordination across complex airport systems. Agentic AI is potentially a breakthrough technology to support airport operations. Analytical AI is good at forecasting, but it’s not so powerful in decision support in a highly complex environment where you need to ask many different stakeholders what their status is and determine what the impact could be. This is where AI agents come into play.

For example, in the case of a delayed flight, the AI agent detects an issue, reallocates the stand, notifies passengers, dispatches ground handlers, and can even direct autonomous wheelchairs to meet the arrival. These capabilities are already being tested within an industry embracing a culture of experimentation and collaboration. As systems will eventually start coordinating themselves, this will change the role of airport staff. Instead of reacting to situations, people will focus on forward planning and refining the underlying rules and policies that drive AI automation, using their real-world experience to continuously improve the system.

Manchester Airports Group developed an AI-powered digital colleague to automate workforce absence management across thousands of employees in around-the-clock airport operations, using Amazon Bedrock foundation models (FMs) and Model Context Protocol (MCP) to process text and speech interactions with over 90% accuracy while maintaining compliance with employment regulations through built-in guardrails. The serverless solution automatically validates absence requests against company policies and updates rostering systems in real time, reducing operational costs and freeing HR staff to focus on complex employee relations issues rather than routine administrative tasks. This implementation demonstrates how agentic AI architectures can transform labor-intensive processes in regulated, safety-critical environments while maintaining the consistency and reliability required for airport operations.

The aviation industry is on a path towards creating resilient, efficient, and environmentally conscious airports through measured integration of AI technologies. It’s an evolution that will reimagine air travel—unlocking the efficiencies that operators need and the travel experience that passengers expect.

To learn more, read How AI and autonomous systems shape airports of the future. To learn about the AI-powered digital colleague, watch this AWS re:Invent 2025 session.

AWS Supply Chain solutions for nonprofit organizations

Joshua Lacy — Tue, 31 Mar 2026 16:21:08 +0000

Although millions of people worldwide face food insecurity, a hidden challenge undermines relief efforts. Nonprofit organizations often can’t track whether their meal packages actually reach those in need. Packages need to move through international borders, regional warehouses, and remote distribution centers, and organizations operate with limited visibility into their own supply chains. They struggle to answer three fundamental questions that directly impact their mission: Where are our resources right now? Who exactly is receiving our aid? And are our packages actually reaching their intended destinations, or are they being intercepted along the way?

The consequences of these visibility gaps extend far beyond operational inefficiency. Food waste increases when distribution centers receive shipments they don’t need while others run short. Resources fail to reach the most vulnerable populations when packages are diverted or intercepted. Without granular data on deliveries and recipients, organizations can’t demonstrate their impact to donors or optimize their operations to serve more people with the same resources.

Organizations such as Action Against Hunger have expressed the need for better control over their supply chain data to understand which packages are intercepted, who is receiving their meal packages, and whether those packages are adequate for the health needs of recipients. Similarly, Operation BBQ Relief has identified the need for real-time visibility into meal supplies across different on-ground sites to identify which locations are running out of meals and which have surplus inventory that could be redistributed elsewhere.

This post explores how nonprofits can use AWS Supply Chain services to gain real-time visibility into their supply chains, reduce waste, and confirm that meals are reaching their intended recipients.

Understanding the nonprofit supply chain problem

Traditional supply chain management systems were designed for commercial enterprises with different priorities and resources. These systems often assume stable infrastructure, predictable demand patterns, and substantial budgets for implementation and maintenance. Nonprofits operate in a fundamentally different environment. They manage multitier distribution networks that span international shipments, regional warehouses, and local distribution points, often in areas affected by natural disasters or chronic instability. They must make real-time decisions during crisis response situations while working with severe resource constraints that limit investment in expensive proprietary systems.

The accountability requirements add another layer of complexity. Nonprofits must demonstrate impact to donors, maintain transparency with beneficiaries, and comply with regulatory requirements across multiple jurisdictions. They need to track not only the movement of goods but also the individuals and communities they serve. And they need to respect privacy while operating with limited technical infrastructure in remote or disaster-affected areas.

AWS services for supply chain management

Amazon Web Services (AWS) provides a comprehensive set of services that nonprofits can combine with AWS Partner solutions to create an end-to-end supply chain management system tailored to their specific needs. Rather than implementing a one-size-fits-all commercial system, organizations can build a flexible framework that addresses their specific challenges through three key capabilities.

Real-time inventory visibility

Nonprofits can eliminate food waste and prevent shortages by gaining instant visibility into inventory levels across their entire distribution network. Distribution centers often operate with limited visibility into current stock levels, leading to inefficient allocation decisions and unnecessary food waste. Organizations can use AWS IoT Core and Amazon Quick Sight to create real-time inventory dashboards that provide visibility across their entire distribution network.

Organizations can deploy Internet of Things (IoT) sensors or implement QR code scanning systems that field workers use to record when shipments arrive, when packages are distributed, and when stock levels change. This data streams to AWS IoT Core for processing and storage, creating a continuous flow of information about inventory status across the entire network.

Amazon Quick Sight transforms this raw data into actionable insights through interactive dashboards. Supply chain managers can visualize inventory levels at each location, track consumption rates to predict when reorders are needed, and identify distribution centers approaching capacity or running low on stock. The system can automatically alert managers when inventory falls below threshold levels or when packages are approaching expiration dates, enabling proactive decision-making that reduces waste and prevents shortages.

End-to-end package tracking

Organizations can create accountability at every step of the distribution pipeline by implementing comprehensive tracking systems using AWS services combined with mobile applications. When meal packages move through multiple handoffs with limited visibility, organizations can’t verify that deliveries reached their intended destinations or identify where interceptions occurred.

The solution begins with assigning unique identifiers to shipments and individual packages. Organizations implement these identifiers as QR codes or radio frequency identification (RFID) tags that travel with the packages throughout their journey. At each checkpoint in the distribution pipeline, field workers use mobile applications to scan packages and record their location, condition, and status. This creates a digital chain of custody that documents every handoff and movement.

Amazon DynamoDB stores the tracking data, providing fast, scalable access to package status information. Supply chain managers can query the system to see exactly where any package is located, review its complete movement history, and identify any gaps or anomalies in the expected route. Field workers can use mobile applications to record delivery information and capture recipient details, creating a complete picture of who received aid and when.

Through this end-to-end visibility, organizations can generate chain-of-custody reports that demonstrate accountability to donors and regulatory bodies. More importantly, it helps identify patterns that indicate potential interception points or process bottlenecks, allowing organizations to strengthen their distribution networks and confirm resources reach those in need.

Impact analytics and optimization

Organizations can transform operational data into strategic insights by building analytics capabilities using Amazon Quick Sight and AWS analytics services. Without detailed analytics on who receives aid and where bottlenecks occur, organizations can’t optimize their operations or demonstrate their impact effectively.

The analytics framework aggregates data from inventory systems, tracking applications, and delivery records to create a comprehensive view of supply chain performance. Organizations can analyze patterns in recipient demographics, delivery locations, and distribution efficiency. They can identify inefficiencies such as unnecessary distribution centers, suboptimal routes, or locations that consistently experience shortages or surpluses.

These insights enable concrete improvements. Organizations can calculate metrics on food waste reduction by comparing inventory levels with distribution patterns. They can measure the effectiveness of interception prevention efforts by analyzing gaps in the chain of custody. They can generate donor reports that show direct impact on individuals and communities, complete with demographic information and geographic distribution of aid.

Advanced analytics capabilities enable predictive modeling that forecasts demand based on historical patterns, seasonal variations, and emerging crisis situations. This means that organizations can position inventory proactively, reducing response times and supplying resources to where they’re needed most.

Implementation considerations

When modernizing supply chain operations, nonprofits should approach implementation thoughtfully. By starting with a pilot program at one or two distribution centers, organizations can validate the approach, identify challenges, and demonstrate value before rolling out organization wide. This incremental approach reduces risk and enables learning from early experiences.

The AWS Partner Network offers solutions designed specifically for supply chain management that can accelerate implementation and provide industry-specific functionality. These partners bring expertise in nonprofit operations and can help organizations navigate the technical and operational challenges of modernization.

Mobile-first design is critical for success. Field workers often operate in areas with limited or intermittent connectivity, so solutions must work offline and synchronize data when connectivity becomes available. This continues tracking and inventory management even in challenging environments.

Data privacy and sovereignty require careful attention when collecting recipient information. Organizations must implement appropriate safeguards to protect personal data and comply with data protection regulations across all jurisdictions where they operate. AWS provides comprehensive security and compliance capabilities, including support for 143 security standards and compliance certifications, such as Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH), General Data Protection Regulation (GDPR), and Federal Information Processing Standard (FIPS) 140-2, that help organizations meet these requirements regardless of where they operate.

Finally, training and change management deserve significant investment. New tracking systems and processes represent a substantial change for field staff who might be accustomed to paper-based systems or informal tracking methods. Comprehensive training programs and ongoing support mean that staff can effectively use new tools and understand how their data entry contributes to the organization’s mission.

Measuring success

Organizations implementing AWS services for supply chain management should track metrics that demonstrate both operational improvements and mission impact. Operational efficiency metrics include reduction in food waste, improved inventory turnover rates, and faster response times when crises emerge. These metrics demonstrate the business value of modernization and help justify continued investment.

Accountability metrics focus on supply chain integrity. Organizations should measure the percentage of packages tracked end-to-end, the reduction in reported interceptions, and the completeness of chain-of-custody documentation. These metrics demonstrate transparency to donors and regulatory bodies.

Impact visibility metrics connect supply chain operations to mission outcomes. Organizations should track the number of individuals served with verified delivery, demographic insights on beneficiaries, and geographic distribution of aid. These metrics tell the story of organizational impact in concrete, verifiable terms.

Cost savings metrics demonstrate financial stewardship. By measuring reduced waste, optimized distribution routes, and improved resource allocation, organizations can show donors that modernization investments generate returns that enable serving more people with the same resources.

Getting started

Nonprofits interested in modernizing their supply chain operations can begin with a structured assessment of their current state. Documenting existing supply chain processes, identifying specific pain points, and quantifying data gaps creates a baseline for measuring improvement and helps prioritize modernization efforts.

With this assessment complete, organizations should define specific requirements for tracking, visibility, and analytics capabilities. These requirements should reflect both immediate operational needs and longer-term strategic goals for supply chain optimization and impact measurement.

Exploring AWS services for supply chain management helps organizations understand what’s possible and identify approaches that fit their specific context. Engaging with AWS account teams or the AWS for Nonprofits program provides access to expertise and resources that can accelerate the planning process. AWS for Nonprofits offers credits, training, and technical guidance specifically designed to help nonprofit organizations use cloud technology for their missions.

By planning a pilot program, organizations can validate their approach with limited risk and investment. A well-designed pilot focuses on a specific distribution center or supply chain segment, implements core capabilities, and measures results against clear success criteria. The lessons learned from this pilot inform the broader rollout strategy.

Conclusion

Supply chain modernization is not only about technology—it’s about helping ensure that every meal reaches someone in need. Organizations combating food insecurity deserve access to the same sophisticated tools used by commercial enterprises. AWS is committed to supporting nonprofit organizations through programs such as AWS for Nonprofits, making these capabilities accessible, scalable, and designed to grow with organizational missions.

By gaining visibility into inventory levels, tracking packages throughout the distribution pipeline, and analyzing operations to identify optimization opportunities, nonprofits can reduce waste, prevent interceptions, and serve more people with the same resources. Organizations can use the data generated by modern supply chain systems to demonstrate their impact with precision and transparency, strengthening relationships with donors and beneficiaries alike.

The path to supply chain modernization begins with a single step. Whether that step is assessing current processes, engaging with AWS to explore solutions, or launching a pilot program at one distribution center, the journey toward greater visibility, accountability, and impact is within reach for nonprofit organizations committed to combating food insecurity.

Ready to get started? To learn more about how AWS supports nonprofit organizations, visit AWS for Nonprofits. To discuss your supply chain modernization needs, contact your AWS account team or the AWS Public Sector team.

Supporting GSA CUI protection requirements with AWS

Paul Keastead — Tue, 31 Mar 2026 14:11:49 +0000

Federal contractors handling Controlled Unclassified Information (CUI) for the General Services Administration (GSA) face a critical reality when the updated security requirements are required to maintain your contracts. The stakes extend beyond business; inadequate CUI protection compromises sensitive government operations and US national interests. The recently updated GSA IT Security Procedural Guide CIO-IT Security-21-112 Revision 1 (January 2026) aligns with NIST SP 800-171 Revision 3 and sets the bar for protecting CUI in nonfederal systems.

Amazon Web Services (AWS) provides security services specifically designed to help you address these requirements efficiently. This compliance guide for federal contractors, GSA vendors, compliance officers, and cloud architects responsible for implementing CUI protection controls shows you how.

Understanding the GSA CUI protection framework

The GSA CUI protection framework represents a comprehensive approach to safeguarding sensitive but unclassified government information throughout its lifecycle. Federal contractors must understand both the regulatory foundation and the specific technical controls required to support compliance. This framework builds upon decades of federal information security policy while adapting to modern cloud computing environments and emerging threats.

The regulatory landscape for CUI protection rests on several key authorities that work together to create a unified security posture:

Executive Order 13556 establishes the foundational CUI program and designates National Archives and Records Administration (NARA) as the executive agent
32 CFR Part 2002 provides the implementing regulations for the CUI program across federal agencies
NIST SP 800-171 Rev 3 defines the 97 core security requirements for protecting CUI in nonfederal systems
GSA CIO-IT Security-21-112 Rev 1 tailors these requirements specifically for GSA contractors and vendors
DFARS 252.204-7012 mandates CUI protection requirements for Department of Defense contractors

Understanding the specific CUI categories you handle is essential for implementing appropriate controls. The CUI Registry maintains the authoritative list of CUI categories and subcategories, each with specific handling requirements. Common categories GSA contractors encounter include:

Procurement and acquisition information – Includes source selection data, contractor proposals, and pre-decisional procurement documents that could provide unfair competitive advantage if disclosed
Privacy information – Personally identifiable information (PII) collected or maintained by GSA, including employee records, contractor personnel data, and citizen information from government services
Information systems information – System architecture documentation, security plans, and technical specifications that could reveal vulnerabilities if compromised
Critical infrastructure security information – Details about government facilities, IT systems, and operational technologies that support essential government functions

AWS services mapped to GSA requirements

The following sections demonstrate how specific AWS services support GSA CUI protection requirements. Each control area maps to built-in AWS capabilities that federal contractors can implement to support compliance while maintaining operational efficiency. Rather than requiring custom-built solutions or extensive third-party tools, AWS provides purpose-built services that align with NIST SP 800-171 Rev 3 controls. The implementation examples include both infrastructure as code (IaC) templates and verification scripts to help you operationalize these controls in your environment. By understanding these mappings, you can design compliant architectures from the ground up and demonstrate security control implementation during GSA audits and assessments.

Access control

To enforce approved authorizations for logical access to CUI system resources and establish managed remote access, AWS Identity and Access Management (IAM) provides access control capabilities including granular permissions, IAM roles for cross-account access, IAM groups for organizing users, permission boundaries, and service control policies (SCPs) for organization-wide controls.

Use IAM Access Analyzer to identify unintended access. Implement AWS Organizations with SCPs for multi-account governance. For secure remote access, Session Manager, a capability of AWS Systems Manager, provides audit logging and IAM integration without requiring open inbound ports. Amazon Virtual Private Cloud (Amazon VPC) supports network segmentation with tiered subnets for different security zones.

The following Terraform configuration demonstrates how to establish network segmentation for CUI workloads by creating an isolated virtual private cloud (VPC) with dedicated subnets that enforce logical separation between security zones:

# Terraform example for network segmentation
resource "aws_vpc" "cui_vpc" {
  cidr_block           = "[IP_ADDRESS]"
  enable_dns_hostnames = true
  enable_dns_support   = true
  
  tags = {
    Name        = "CUI-Production-VPC"
    Environment = "Production"
    Compliance  = "GSA-CUI"
  }
}

resource "aws_subnet" "private_cui" {
  vpc_id            = aws_vpc.cui_vpc.id
  cidr_block        = "10.0.10.0/24"
  availability_zone = "us-east-1a"
  
  tags = {
    Name     = "CUI-Data-Subnet"
    DataType = "CUI"
  }
}

Multi-factor authentication

To implement multi-factor authentication (MFA) for access to privileged and non-privileged accounts, AWS IAM Identity Center provides centralized identity management with built-in MFA support and integration with corporate identity providers. For application-level MFA, Amazon Cognito offers user pools with MFA enforcement and adaptive authentication.

There are several MFA methods with varying levels of assurance. Hardware time-based one-time password (TOTP) tokens represent the preferred method due to their resistance to phishing and interception attacks. Mobile authenticator applications using TOTP algorithms (such as Authy) and Fast Identity Online 2 (FIDO2) security keys with Web Authentication (WebAuthn) compatibility are also approved for production use. However, Short Message Service (SMS) one-time password (OTP) methods face restrictions due to their vulnerability to SIM-swapping and interception attacks, and email-based OTP isn’t recommended because it lacks phishing resistance.

To verify ongoing MFA compliance across your IAM user base, use the following Python script, which audits IAM users and identifies accounts lacking MFA device enrollment:

# Verify MFA compliance across IAM users
import boto3

def verify_mfa_enabled():
    iam = boto3.client('iam')
    users = iam.list_users()['Users']
    non_compliant_users = []
    
    for user in users:
        mfa_devices = iam.list_mfa_devices(
            UserName=user['UserName']
        )
        if not mfa_devices['MFADevices']:
            non_compliant_users.append(user['UserName'])
    
    return non_compliant_users

Vulnerability monitoring and scanning

The GSA requires that you monitor and scan for vulnerabilities periodically and remediate within defined timeframes. Amazon Inspector provides automated vulnerability scanning for Amazon Elastic Compute Cloud (Amazon EC2) and container workloads with Common Vulnerability Scoring System (CVSS) scoring. AWS Security Hub aggregates security findings with automated compliance checks and integration with AWS and partner services. For containers, Amazon Elastic Container Registry (Amazon ECR) provides scan-on-push capability and CVE database updates.

The following table illustrates GSA remediation timeframes.

Critical (internet-facing)	15 days
Critical or high	30 days
Moderate	90 days
Low	180 days

The following AWS CloudFormation template creates a custom AWS Config rule that triggers noncompliance alerts when critical vulnerabilities exceed 15 days or when high-severity findings exceed 30 days without remediation:

# AWS Config Rule for vulnerability compliance
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  VulnerabilityComplianceRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: inspector-findings-compliance
      Description: Monitor critical vulnerabilities
      Source:
        Owner: AWS
        SourceIdentifier: INSPECTOR_FINDINGS_ACTIVE
      InputParameters:
        criticalThreshold: 15
        highThreshold: 30

Boundary protection

The GSA requires that you monitor and control communications at external and key internal interfaces. AWS Network Firewall provides stateful inspection, intrusion detection and prevention, and domain filtering. AWS WAF includes AWS Managed Rules, rate-based rules for distributed denial of service (DDoS) mitigation, and custom rules. A defense-in-depth approach uses network access control lists (network ACLs) for subnet-level filtering, security groups for instance-level access control, and VPC Flow Logs for traffic monitoring.

The recommended architecture is for internet traffic to flow through AWS WAF, to the Application Load Balancer, through AWS Network Firewall, to application servers, and finally to the CUI database in Amazon Relational Database Service (Amazon RDS) in the data subnet.

Transmission and storage confidentiality

The GSA requires that you implement cryptographic mechanisms to prevent unauthorized disclosure during transmission and storage.

AWS Key Management Service (AWS KMS) provides FIPS 140-2 validated cryptographic modules, customer managed keys, automatic key rotation, and cross-account key sharing. AWS Certificate Manager (ACM) provides SSL/TLS certificates with automatic renewal. Amazon Simple Storage Service (Amazon S3) supports server-side encryption with AWS KMS keys (SSE-KMS). Amazon RDS provides encryption at rest using AWS KMS and SSL/TLS for data in transit.

The following table illustrates encryption requirements.

At rest	Amazon S3, Amazon EBS, Amazon RDS	AES-256 with AWS KMS
In transit (external)	In transit (external) ALB, CloudFront	TLS 1.2+
In transit (internal)	Amazon VPC	TLS 1.2+ or VPN
Database	Amazon RDS, Amazon DynamoDB	AWS KMS and SSL

Flaw remediation

The GSA requires that you identify, report, and correct system flaws and install security-relevant updates within defined timeframes. Patch Manager, a capability of AWS Systems Manager provides automated patching with customizable patch baselines, scheduled maintenance windows, and compliance reporting.

The following CloudFormation template establishes a weekly patching schedule that runs every Sunday at 2 AM, providing a 4-hour maintenance window with automatic approval for critical security patches:

# Patch Manager Maintenance Window
Resources:
  PatchMaintenanceWindow:
    Type: AWS::SSM::MaintenanceWindow
    Properties:
      Name: CUI-System-Patching
      Schedule: cron(0 2 ? * SUN *)
      Duration: 4
      Cutoff: 1
      
  PatchBaseline:
    Type: AWS::SSM::PatchBaseline
    Properties:
      Name: CUI-Critical-Security-Patches
      OperatingSystem: AMAZON_LINUX_2
      ApprovalRules:
        PatchRules:
          - ApproveAfterDays: 0
            ComplianceLevel: CRITICAL

AWS Lambda functions can automate remediation by triggering patch installations through Systems Manager.

Unsupported system components

The GSA requires that you replace system components when support is no longer available. AWS Config rules can detect end-of-life (EOL) software by evaluating instances against an EOL database and initiating remediation. AWS Systems Manager Inventory tracks installed software versions with integration to AWS Config for compliance monitoring.

Continuous monitoring with AWS

GSA requires quarterly, annual, and triennial deliverables. AWS services can help automate reporting.

For quarterly deliverables, you can use vulnerability scanning reports such as Amazon Inspector findings exported to Amazon S3, AWS Security Hub reports, and AWS Config compliance snapshots. For plan of action and milestones (POA&M) updates, integrate with AWS Service Catalog for tracking and custom dashboards in Amazon Quick Sight.

You can build an automated compliance dashboard using a three-layer architecture: AWS Security Hub, AWS Config, Amazon Inspector, and AWS CloudTrail feed data into Amazon S3; Amazon Athena queries the structured data; and Amazon Quick Sight visualizes compliance status.

Implement these steps to enable continuous monitoring:

1. Enable Security Hub with the NIST 800-171 standard to aggregate findings from AWS Config, Amazon Inspector, and IAM Access Analyzer.
2. Configure daily exports from Security Hub and AWS Config to Amazon S3 with date-based partitioning.
3. Create Athena tables mapped to your Amazon S3 structure with calculated fields linking findings to NIST 800-171 control families.
4. Build Quick Sight dashboards showing:

Overall compliance score and trends
Control family status with drill-down capability
Vulnerability remediation tracker against GSA deadlines
POA&M progress with responsible parties

5. Schedule quarterly reports using Quick Sight email with PDF exports for GSA.
The following Athena query demonstrates how to calculate monthly compliance percentages by NIST 800-171 control, identifying which controls require immediate attention based on their failure rates:

# Sample Athena Query
SELECT
    DATE_TRUNC('month', updatedat) AS report_month,
    compliance_control_id,
    compliance_control_title,
    COUNT(DISTINCT finding_id) AS total_findings,
    ROUND(100.0 * SUM(CASE WHEN compliance_status = 'PASSED' THEN 1 ELSE 0 END) / COUNT(*), 2) AS compliance_percentage
FROM security_hub_findings
WHERE standard_name = 'NIST-800-171'
    AND updatedat >= DATE_ADD('month', -3, CURRENT_DATE)
GROUP BY 1, 2, 3
ORDER BY compliance_percentage ASC;

Conclusion

Implementing GSA CUI protection requirements can feel overwhelming, but breaking the process into discrete phases makes it manageable. Start with foundational identity and governance controls, then layer on network security, data protection, and vulnerability management capabilities. Each phase builds upon the previous one, creating defense in depth for your CUI workloads. Complete the documentation phase in parallel as you implement technical controls.

GSA’s updated CUI protection requirements aren’t optional; they’re the gateway to maintaining your federal contracting business and fulfilling your responsibility to protect sensitive government operations. Organizations that fail to implement these controls risk contract termination and compromise critical government functions.

AWS provides the security services, proven infrastructure, and compliance expertise you need to address these requirements. From IAM and Security Hub to Amazon Inspector and AWS KMS, AWS offers purpose-built capabilities that federal contractors trust to protect their most sensitive workloads. With comprehensive AWS compliance programs, you’re building on a foundation designed for government security requirements.

The GSA guidance is in effect. Explore AWS Artifact for compliance documentation, and engage with AWS security specialists who understand federal requirements.

Next steps

To learn more about NIST 800-171 and AWS compliance capabilities, explore these resources:

Contact AWS Security Assurance Services – Speak to a trusted advisor regarding GSA CUI protection requirements
AWS Compliance Center – Access AWS compliance reports and certifications through AWS Artifact
AWS Well-Architected Framework: Security pillar – Review security best practices on AWS
Operational Best Practices for NIST 800 171 – Sample mapping between the NIST 800-171 and AWS managed Config rules

Advancing the defense system lifecycle with digital engineering on AWS

Jenifer Wang — Thu, 26 Mar 2026 18:07:46 +0000

The United States (US) Department of War (DoW) is embarking on a transformative journey through digital engineering. Their aim is to improve decision-making, accelerate delivery, and enhance collaboration throughout a system’s lifecycle. To implement this approach, they are working with Amazon Web Services (AWS), which provides secure, high performance computing (HPC), scalable storage, and advanced networking to support modeling, simulation, and the computational demands of digital engineering at scale. AWS offers specialized HPC instances, petabyte-scale storage, and low-latency networking to run complex simulations, iterate on digital models, and maintain authoritative sources of truth throughout a system’s lifecycle.

The DoW Digital Engineering Strategy defines digital engineering as “an integrated digital approach that uses authoritative sources of system data and models as a continuum across disciplines to support lifecycle activities from concept through disposal.” Digital engineering modernizes traditional engineering by using three foundational technologies: model-based systems engineering (MBSE), digital threads, and digital twins. These technologies create a single source of truth across all functional disciplines. The field is now extended to incorporate artificial intelligence and machine learning (AI/ML), data analytics, and augmented reality (AR) and virtual reality (VR), all linked through digital threads. This integrated approach delivers a comprehensive mission and program solution built on consistent source systems and data, eliminating fragmented, siloed implementations that hinder enterprise-wide scalability and interoperability.

AWS provides infrastructure that enables mission and program teams to build and manage their own digital engineering environments with secure, scalable computing resources and tools. This resource supplier relationship delivers value through cost efficiency, simplified management, reliable failover, and streamlined infrastructure operations. With AWS, organizations can rapidly validate MBSE models, build and maintain digital twins, and connect data through a unified digital thread across the entire program lifecycle. These capabilities accelerate system delivery to the field while reducing total lifecycle costs.

In this post, we provide a detailed walkthrough for building a secure and scalable digital engineering environment on AWS.

Solution overview

The reference architecture for our digital engineering solution presents a comprehensive cloud infrastructure designed for workloads with robust security and networking requirements. The architecture is organized into several key accounts and virtual private clouds (VPCs), each serving specific functions. It incorporates security best practices through multiple layers of network segmentation, dedicated security services, and separate accounts for different functions. The solution architecture shown in the following diagram provides the blueprint for our entire implementation approach. The diagram shows some enterprise shared services tools (directory services, single sign-on, collaboration tools, license servers, and package and container repositories) in the shared services account, network security capabilities including next-generation firewall and intrusion detection and prevention systems in the network account, and virtual desktop infrastructure for modeling, computational analysis, and simulation software in the end users and desktops account, and digital engineering workloads requiring parallel clustering, HPC, and AI/ML and analytics in the digital engineering workload account.

Figure 1: Baseline infrastructure for digital engineering on AWS GovCloud (US)

To help defense and regulated organizations successfully implement this architecture, we’ve developed a methodical approach that breaks down the implementation into three strategic phases. Each phase builds upon the previous one, ensuring a robust and compliant foundation while progressively adding digital engineering capabilities:

Building a foundational blueprint
Extending the blueprint for digital engineering
Tailoring the blueprint for mission outcomes

Building a foundational blueprint

AWS workloads for DoW customers require appropriate security authorization and compliance certification. AWS GovCloud (US) integrate security from the ground up, providing controls and services that protect sensitive workloads at scale with minimal operational overhead. Through our extensive experience hosting the DoW workload, we’ve developed proven architectures and solutions to accelerate customer adoption journey.

The Landing Zone Accelerator (LZA) is a pre-built and widely adopted AWS solution for managing and governing multi-account environments with highly regulated workloads and complex compliance requirements. The LZA provides the foundation to support MBSE, digital threads, and digital twins. Our approach uses the AWS Prescriptive Guidance: Secure Cloud Computing Architecture (SCCA) on AWS for US Department of Defense as the foundation for creating an Impact Level 4 (IL4) and Impact Level (IL5) compliant cloud infrastructure.

Let’s walk through the key components of this foundational architecture:

AWS GovCloud (US) Regions fulfill the US government’s specific regulatory and compliance requirements.
Direct connectivity to the on-premises networks is achieved through AWS Direct Connect and virtual private gateway associations.
The management account is the privileged account providing AWS administrative and organizational tools such as AWS Organizations.
The audit account features centralized security and compliance monitoring tools.
The log archive provides immutable storage for centralized log aggregation. AWS delivers the underlying storage infrastructure with strong durability and retention capabilities.
The network account consists of security and network services providing network perimeter protection while using AWS Transit Gateway, which acts as a hub to control network routing.
The shared services account serves your enterprise identity management, licensing, software package management, container repositories, collaboration tools, and more.

This architecture is shown in the following diagram.

Figure 2: SCCA for US DoD reference architecture on AWS

With this secure, compliant foundation established, we can now extend the architecture with specialized capabilities tailored specifically for digital engineering workloads.

Extending the blueprint for digital engineering

With the secure SCCA foundation in place, we now add three specialized accounts essential for a complete digital engineering environment:

Shared services account – Extending to include data and model repositories
End users account – Delivers virtual desktop experiences
Digital engineering workload account – Hosts modeling and simulation environments

The account separation by function is critical because it enforces least privilege access, isolates workload risks from infrastructure services, and enables independent scaling and compliance controls for each function.

Shared services account

The shared services account plays a crucial role in streamlining operations and maintaining consistency across an organization’s AWS infrastructure while providing the flexibility of extending their existing infrastructures and investment.

This centralized hub offers three types of tools:

Collaboration – Enterprise engineering and product teams require integrated suites of tools for efficient collaboration, including source code repositories, container registries, product lifecycle management systems, and model repositories—all deployed following guidance for secure collaboration on AWS. These tools are deployed on AWS compute and managed service resources, providing scalability and reliability.
License management – Managing software licenses across multiple departments, projects, and accounts can be a complex and costly challenge. AWS License Manager helps organizations manage software licenses in AWS and on-premises environments, reducing the risk of noncompliance and fine-tuning costs. For vendor-specific licensing needs, enterprises can also consider third-party solutions to complement their license management strategy.
Identity and access management – The shared services account centralizes AWS Identity and Access Management (IAM) for AWS resources and supports integration with corporate identity providers. Organizations can use their existing Active Directory, Lightweight Directory Access Protocol (LDAP) services, or AWS Directory Service for user authentication. This centralized approach provides consistent access control across the AWS environment.

The following figure illustrates the detailed architecture for the shared services account.

Figure 3: Shared services account for collaboration

End users account

The end users account provides virtual desktop infrastructure (VDI) that delivers role-based secure access to digital engineering tools and resources. With VDI, users can access powerful computing resources and specialized applications from any location while maintaining strict security controls. With account separation, VDI resources connect securely to cross-account services such as the shared services account without giving users direct access to the underlying infrastructure.

The end users account provides two virtual desktop capabilities

Amazon WorkSpaces provides fully managed virtual desktop solutions, including application streaming so users can access applications through a web browser, and Desktop as a Service (DaaS) for provisioning virtual Windows or Amazon Linux desktops—all without managing complex on-premises VDI infrastructure.
Research and Engineering Studio (RES) orchestrates secure virtual desktop environments through a seamless web portal where users can access Windows and Linux desktops for scientific research, product design, engineering simulations, and data analysis using their existing corporate credentials.

The following diagram illustrates the detailed architecture for the end users account.

Figure 4: End users account for virtual desktop experiences

Digital engineering workload account

The digital engineering workload account functions as the dedicated environment for transforming physical systems into virtual models. This account provides digital engineering capabilities to optimize design and enhance decision-making, using integrated data architecture to support engineering, logistics, testing, and manufacturing operations while converting raw data into engineering insights, simulations, and actionable results through multiple processing layers.

Let’s examine each processing layer in detail:

Data ingestion handles the collection and transfer of data from multiple sources into the cloud environment, supporting both real-time streaming and batch processing.
Workflow orchestration coordinates and automates the complex data processing tasks, providing efficient and reliable execution of data pipelines.
Data storage refers to repositories where data has been ingested, processed, and stored for organizational use, such as databases, data lakes, or data warehouses. These storage systems maintain information in specific formats optimized for defined organizational functions or processes.
Compute clusters enable high-performance processing for intensive computational tasks and simulations.
Data lake (destination of data) is a centralized repository that stores all types of data (structured, semi-structured, and unstructured) from multiple data sources in its original format, enabling consolidated access for various analytical needs and future processing.
AI/ML and analytics transforms data into actionable insights through AI capabilities such as natural language processing (NLP), computer vision, and deep learning and ML techniques such as predictive modeling, pattern recognition, classification, and regression.

The following diagram illustrates the detailed architecture for the digital engineering workload environment.

Figure 5: Workload account reference architecture

This integrated architecture supports digital engineering practices by enabling data-driven decision-making throughout the system lifecycle. AWS Transit Gateway connects the three accounts, making it possible for users to authenticate through shared services, ability to access virtual desktops in the end users account, and execute workloads that process data and run simulations in the digital engineering workload account.

Tailoring the blueprint for mission outcomes

With the secure foundation and specialized accounts deployed, organizations can now implement flexible mission-specific workflows. Let’s explore how these digital engineering capabilities work together in a practical application that enables real-time predictive maintenance for in-service vehicles.

Here’s how the workflow operates:

1. Data ingestion

AWS IoT Core securely transmits real-time operational data from on-board sensors (such as propulsion systems, gear boxes, dynamic components, or built-in-test equipment) and Amazon Kinesis Data Streams routes that data for processing.
AWS Storage Gateway transfers engineering design data such as computer-aided design (CAD) models, component specifications, or product lifecycle management (PLM) records to Amazon Simple Storage Service (Amazon S3).

2. Workflow management

AWS Step Functions orchestrates the end-to-end workflow, including extract, transform, and load (ETL) pipelines of sensor data, model validation steps for predictive algorithms, and analytics processes for fleet-wide analysis.
AWS Lambda executes discrete processing tasks such as data transformation of raw sensor readings, setup of simulation parameters for different scenarios, and validation checks for maintenance prediction models
Amazon EventBridge schedules regular ETL jobs for historical data analysis and triggers real-time analysis based on incoming sensor data.

3. Simulation processing

AWS Batch executes large-scale fleet simulations, including mission scenarios, deployment schedules, and resupply schedules.
Amazon EMR and Amazon Elastic Compute Cloud (Amazon EC2) process vast amounts of design data for performance analysis and develop optimal deployment strategies or maintenance intervals.

4. Data Lake architecture

Amazon S3 serves as the central repository and authoritative source of truth for the system digital twin data, including complete historical records of operational data, maintenance logs, configuration, parts lists, and design specifications.
AWS Glue Data Catalog enables efficient discovery and preparation of data for various analytics tasks, such as comparing performance across other models in the same weapon system class or analyzing maintenance patterns.

5. Predictive analytics

Amazon SageMaker deploys ML models for:
- Prediction of equipment failure in advance of incidents such as failure of the gear box, propulsion system, or dynamic components.
- Anomaly detection in sensor readings, which could indicate incidents or equipment malfunctions.
- Optimization of maintenance scheduling to reduce unscheduled downtime, automatically adjust inspection intervals, and logically group maintenance tasks.
Amazon Quick Sight delivers real-time dashboards for both operational personnel (such as commanding officers managing weapon system maintenance and supply) and decision-makers (such as fleet commanders managing overall fleet readiness).

The following figure illustrates the architecture for a mission-specific workflow (predictive maintenance).

Figure 6: Predictive maintenance workflow for a DoW in-service vehicle

Conclusion

Digital engineering on AWS transforms the defense system lifecycle through seamless integration, scalability, and innovation, serving as a blueprint for digital transformation success. This post demonstrates the process of building a comprehensive digital engineering environment on AWS, from establishing a secure foundation with Landing Zone Accelerator and SCCA compliance frameworks to extending the architecture with specialized accounts for collaboration, virtual desktop experiences, and workload management.

Backed by AWS Global Infrastructure, robust compliance programs, advanced AI/ML capabilities, and HPC resources, organizations can design, develop, test, and sustain next‑generation defense systems within a fully secure DoW-compliant digital ecosystem. The breadth of AWS service, combined with the expertise of the AWS Partner Network (APN), enables rapid deployment of secure, scalable solutions that reduce costs and shorten development cycles.

As the defense landscape evolves, AWS remains dedicated to supporting your digital engineering transformation. To get started, contact your AWS account team to develop a tailored implementation plan for your organization.

Learn more about digital engineering on AWS

Student attentiveness and engagement analysis in live classrooms with generative AI

Neha Jha — Wed, 25 Mar 2026 22:42:06 +0000

Online learning has revolutionized education, offering broader flexibility and accessibility. However, as many educators have discovered, keeping students engaged in a virtual classroom can be a significant challenge. Students often find it difficult to stay focused with ongoing distractions. Teachers also struggle to gauge attentiveness. As a result, it becomes a pressing need to find innovative ways to keep students actively involved in online live classrooms.

In physical classrooms, teachers use facial cues and student’s expression. By observing these nonverbal signals, teachers can immediately identify whether students are confused, engaged, or losing interest. This helps them manage the classroom in real time, so they know whether to repeat certain concepts or take corrective measures to improve engagement. In online live classrooms, such real-time understanding of students’ understanding and their attentiveness is difficult. Due to network issues or students preferring to leave their cameras off, teachers don’t have a good way to understand the classroom’s vibe.

These are the challenges we’re heard from some of our EdTech customers. We’ve built a sample solution teachers can use to gauge students’ attentiveness and their understanding in online live classrooms. Teachers can see this data in real time and can take corrective measures to build engaging classrooms and better learning outcomes.

The solution relies on shared screen content during online live-classroom instruction. It captures the shared screen at predefined fixed intervals (for example every 1,2 or 5 minutes). It uses Amazon Bedrock, which provides access to generative AI foundation models (FMs) to comprehend the visual screen capture and the content. It then uses a generative AI model to generate polls and quizzes that are shared to all students. These real-time interactions from students are captured and showcased to teachers to provide information on how well students are following the topic. Teachers can evaluate attentiveness in real time and identify disengaged students so they can adjust their teaching strategies appropriately.

The solution addresses multiple edge cases that occur during screen capture, such as when the captured view is obstructed, when displayed content doesn’t align with the day’s lesson topic or core theme, or when the language and medium of instruction are inconsistent with class settings. The sample solution integrates seamlessly with existing live-classroom platforms, making it a flexible and extensible tool for online learning across schools, universities, and other educational institutions.

In this section, we walk you through the steps of this sample solution, which is designed to analyze student engagement and attentiveness in online live classrooms using generative AI. This architecture follows a serverless architecture pattern with an event-driven approach that is built to scale seamlessly with minimal overhead.

The solution follows eight event-driven steps:

Capture a screenshot from the online live classroom
Integrate the captured screenshot with asynchronous processing
Process the captured screenshot with an AWS Lambda function
Generate a content description of the captured screenshot using Amazon Bedrock
Store the content description in Amazon DynamoDB
Generate questions for delivering a quiz or poll
and 8. Delivering the quiz or poll to the live-classroom solution

Capture a screenshot from the online live classroom

This solution uses Amazon Interactive Video Service (Amazon IVS) for streaming and captures screenshots at regular intervals. The sample solution is designed to be flexible and can work with live streaming solutions that allow programmatic screen capture and can store the captures to an Amazon Simple Storage Service (Amazon S3) bucket.

With Amazon IVS you can configure the recording with both low-latency and real-time options. You can capture a screenshot at any interval between 1 to 300 seconds and store them in your Amazon S3 bucket. This demo solution has been configured to capture a screenshot every 30 seconds. The demo solution also configures the Amazon S3 Lifecycle rule to remove all screenshots after 1 day.

Alternatively, Amazon Web Services (AWS) has another open source solution named Amazon IVS UGC platform. It’s a reference application that allows live streaming, user authentication, live chat, and more. You can integrate this sample solution with a user-generated content (UGC) platform application. Refer to GitHub README.md for more details and the installation guide.

Integrate the captured screenshot with asynchronous processing

After the captured screenshot is stored inside the Amazon S3 bucket, we use Amazon S3 Event Notifications to send notifications for all captured screenshots uploaded to the Amazon S3 bucket. This event triggers the next steps of the workflow: processing the screenshot and generating the corresponding transcript and quiz or poll. Every time a captured screenshot is uploaded to Amazon S3, it triggers an event notification, which stores messages in Amazon Simple Queue Service (Amazon SQS) for asynchronous event-driven processing. These events are asynchronously by an AWS Lambda function.

Process the captured screenshot with an AWS Lambda function

The Amazon SQS messages get consumed by AWS Lambda function that handles the entire image processing workflow. It understands what has been presented as part of the captured screenshot, validates whether the extracted content from the captured screenshot is relevant to the topic being taught, and validates whether the content is complete and can be used to generate a quiz or poll.

Generate a content description of the captured screenshot using Amazon Bedrock

AWS Lambda function will use Claude Sonnet 4.0 by Anthropic in Amazon Bedrock to infer a textual description from the captured screenshot. You can choose any large language model (LLM) available on Amazon Bedrock that has vision capability. To set proper context and prepare the LLM, we use the following prompt to generate a description of the captured screenshot, which can be content such as text on a presentation slide or a whiteboard drawing.

This prompt is designed for extracting and assessing cloud computing digital-board content only. Before using this prompt, replace {{expertise}} with your subject:

Prompt: Role: You are a Teaching & Learning Specialist analyzing screenshots of classroom digital-boards to extract educational content.

What to analyze: Focus exclusively on text/content visible on the digital-board. Ignore teacher/students, chat, or anything not written on the board.

Instructions:

Examine the screenshot of the video class.

Extract all educational text exactly as it appears (questions, answers, steps, explanations, diagram labels).

Translate the extracted content into English while preserving meaning and original formatting.

If the content does not relate to {{expertise}}, respond with the single word “irrelevant”.

Do: Preserve exact wording, include every visible educational element.

Don’t: Infer, add details, or describe behavior not written on the board.

Output: Provide only one of the following:

• Summary including only the extracted board content (translated to English), OR

• The single word “irrelevant”.

Store the content description from the captured screen in Amazon DynamoDB

After the content description is generated from the captured screen, it’s important to confirm that the captured screen isn’t a blank or green screen, a welcome or thank you slide, or a slide with content not related to the topic or similar to an already captured description (for example, if you moved back to a previous slide). This helps the solution generate a quiz or poll for only a valid captured screen. These validations are being handled inside AWS Lambda function named LambdaFunctionForQuesAndTranscript. After the screen capture is validated, the function stores it inside Amazon DynamoDB.

Generate questions for delivering the quiz or poll

After storing the content description, the function now generates a quiz or poll using the stored content description. It uses an Amazon Bedrock LLM to generate the quiz or poll and stores it in Amazon DynamoDB. The following is an example prompt for generating a quiz or poll:

Prompt: Role: You are an expert teacher in {{expertise}} designing multiple-choice questions to assess attentiveness and understanding of digital-board content.

When to generate questions: Only when the extracted content clearly relates to {{expertise}}.

Requirements for each question:

• English only

• Exactly one question per item

• Exactly four options (A, B, C, D)

• Only one correct answer

• All choices must be relevant, distinct, and plausible

• Include a brief explanation for the correct answer

Ignore any text written on t-shirts, humans, bold formatting. If the transcript already contains a question, use it directly to form the MCQ; if not, create a new question that aligns with the AWS {{expertise}} concept reflected in the transcript. Only generate questions when the transcript content is related to AWS {{expertise}}.

Each generated question must include four options with one correct answer, ensuring that the options are relevant and logically consistent. Return the output strictly in the following JSON format, and generate questions only in English:

{
"question": "<generated question>",
"options": ["<option 1>", "<option 2>", "<option 3>", "<option 4>"],
"solution": "<correct option>",
"result": "True"
}

The AWS Lambda function also pushes the generated quiz to the Amazon SQS queue to deliver it to students. This approach allows integration with existing solutions by pulling messages from the queue and delivering them to live-classroom solutions.

Delivering the quiz or poll to the live-classroom solution

The AWS Lambda function process the messages from the Amazon SQS queue and sends the generated quiz or poll to the students’ UI. In the sample solution, we’ve integrated logic to deliver questions to the Amazon IVS UGC platform demo solution. However, the AWS Lambda function is extensible and can be customized to integrate with any API integration to connect with your live-class streaming solution.

How to deploy

This is a sample solution designed to help developers get started with a generative AI integration with an online live classroom. It isn’t production ready and will require additional development work to be suitable for production use. It is not intended for production use as-is. Its primary goal is to help developers understand the concepts and approach for integration. By using this solution, you understand and accept its risks and limitations. You’re responsible for any charges incurred while creating and launching your solution.

We’ve published this solution on GitHub at aws-samples/sample-live-class-student-engagement-analysis-with-generative-ai. The published sample solution has a detailed guide for deployment along with the prerequisites needed.

Run the demo

You can try this demo by uploading a captured screenshot to the Amazon S3 bucket that you provided as ScreenCaptureS3Bucket. This will trigger the complete flow of the architecture, and it calls the final Lambda function LambdaFunctionToRecieveUniqueQuestion.

To run the demo, follow these steps:

Navigate to the Amazon S3 console and locate the Amazon S3 bucket created using the AWS Serverless Application Model (AWS SAM). You can use the sample_screenshot image located under the asset folder to test. To upload files to the bucket directory, follow the guide at Uploading objects to a directory bucket in the Amazon S3 User Guide. You must create a folder first and then upload the image.
It will trigger the rest of the flow of the architecture and you will be able to see the processing log of the final Lambda function with the name LambdaFunctionToRecieveUniqueQuestion. To access the log of AWS Lambda function, follow the steps at AWS Lambda Developer Guide > Access function logs using the console.

For more detailed steps, follow this guide.

Run the demo with the Amazon IVS UGC platform

Setting up the Amazon IVS UGC platform demo is optional, but it allows you to explore a fully integrated solution where pop quizzes and questions are displayed to students during the live session, in screenshot like below.

For the prerequisites required to set up the demo, make sure the following tools are installed :

AWS CLI – Installing the AWS CLI version 2
NodeJS – Installing Node.js
Docker – Installing Docker for Amazon IVS UGC platform demo

To configure and deploy the demo, complete the steps in the following guides:

Deploy the demo

Follow Amazon IVS UGC platform integration guide with sample solution.

Follow Amazon IVS UGC platform demo with sample solution for testing purpose.

Cleanup

Most of the solution components are serverless, and there will be lower idle cost of the overall architecture. However, to clean up this sample solution, you need to delete the AWS CloudFormation template using the following command:

sam delete

To clean up the Amazon IVS UGC platform demo, follow the instructions at Backend Teardown.

Conclusion

This solution showcases how generative AI can be used to capture student attentiveness and engagement during online live-classroom instruction. It creates an interactive learning environment that keeps students engaged, giving teachers actionable insights so they can adapt their teaching strategies and ultimately improve learning outcomes. The ability to generate a quiz or poll based on captured screenshots keeps students consistently challenged with relevant content, and the system’s serverless architecture provides seamless scalability on demand with very little overhead.

As online education continues to grow, solutions like these will play a crucial role in integrating virtual learning with traditional classroom experiences. This approach uses an existing solution, and you can engage with AWS partner and your AWS account team to help you customize it for your needs.

How Sphero brings safe, impactful AI to K12 classrooms with Amazon Bedrock

Jackson Platt — Tue, 24 Mar 2026 21:35:51 +0000

Robots are rolling through K12 classrooms as teachers use them for everything from biology and math assignments to language arts lessons. Students program these robots, often in sessions as short as 15 minutes. Getting stuck is part of the learning process, but with class sizes and finite period lengths, waiting for help isn’t always an option. And even when a teacher can get there, troubleshooting code on the spot isn’t simple.

Sphero, a company that creates programmable robots for K12 education, built a generative AI coding assistant into its Sphero Edu app using Amazon Web Services (AWS) to solve that problem. Students don’t type prompts or interact with an open interface. Instead, they tap a single button and receive immediate, focused feedback on their code. That one-click design reduces the risk of unpredictable outputs reaching students, keeping every AI interaction safe, age-appropriate, and focused on learning. It’s an approach that earns teacher trust and addresses the concerns that have made many schools hesitant about AI in the first place.

Thirty kids, 15 robots, and one teacher

Sphero’s current users are mostly elementary and middle school students in third through sixth grade who use Chromebooks, iPads, or tablets to control a small programmable robot using Bluetooth. Teachers use these robots to supplement learning across subjects, from coding exercises to science experiments.

In a typical session, students write a program, run it, and watch what the robot does. If something goes wrong, they try to figure out why. But in a room full of students working at different speeds, there’s no guarantee the teacher can reach everyone before the lesson ends. “Thirty kids in a classroom with 15 robots rolling around—the teacher can only do so much,” said Brian Kellner, vice president of software engineering at Sphero.

Sphero built the AI assistant to fill that gap, helping teachers support more students in the moments that matter and helping students think through challenges more deeply. Rather than giving students the complete answer, it offers hints, explanations, and guided feedback, preserving the trial-and-error learning cycle that makes robotics effective in the first place.

Why safety shaped every design decision

Before Sphero considered how AI could assist students, the team thought about what could go wrong. Schools have strict and varying policies around technology, and Sphero had already seen a school discontinue use of its products after a student-shared program displayed a cartoon sword image that violated a zero-weapon policy. That experience helped shape how Sphero would approach AI, leading the team to a guiding principle for whatever they built: safe, simple, and valuable, in that order.

“As AI settles in schools, we must be cautious about what power we give students and how schools might respond to what AI can do,” said Micah Daby, product manager at Sphero. Kellner agreed: “If we say safe, simple, valuable, we want to be able to stand behind safe.”

Building on an existing AWS foundation

Sphero had been running its infrastructure on AWS for years. When Kellner began exploring AI, the AWS account team helped move the project from broad ideas to a viable first use case. An AWS-funded proof of concept kicked off in April 2025 and validated the technical approach by the end of May. Sphero spent the summer testing and refining prompts with its internal content team, then released the AI assistant in August for the back-to-school season.

“When we first started looking at adding AI to our products, we were not very grounded,” said Kellner. “The AWS account team guided us to experts to help us refine our ideas into something feasible, then helped us define a scope of work for the first phase. That gave us clarity on what we would build and how it would work.”

How the Sphero Edu AI assistant works

The AI space evolves quickly, and Sphero didn’t want to be locked into a single model. Because of this, the team chose Amazon Bedrock for its flexibility. Sphero can update the knowledge base, switch models, and build new features on the same foundation. For a nine-person software team, that manageability matters. “I can go in and change things in the knowledge base and resync it without heavily involving engineers working on other critical needs,” said Daby.

Amazon Bedrock Knowledge Bases is at the core of the AI assistant. Using a Retrieval Augmented Generation (RAG) approach, the AI pulls from a curated set of Sphero documents to generate grounded responses rather than relying on the model alone. The knowledge base draws from Sphero’s programming wiki and internal documents stored in Amazon Simple Storage Service (Amazon S3), covering robot-specific behaviors, hardware limitations, and common student errors. This means the AI can only respond to Sphero robots and programming, and updates sync in about a minute as the team adds new information. When teachers report that a response was inaccurate, Daby can usually fix it by updating the knowledge base directly, keeping the tool grounded in real classroom use.

What students see is a set of one-click features inside the Sphero Edu app. Explain My Program breaks down what their code does in plain language. Code Review checks for errors, including issues students wouldn’t know to look for, like a spin command that is physically impossible for the motor to execute in the given time. Block Help explains any specific block, tailored to whichever robot is connected. A fourth feature gives Sphero’s content team the ability to embed AI hints directly into structured lessons, so students get guided feedback at the right moment without the AI solving the problem for them.

Amazon Bedrock Guardrails handles safety on the backend, filtering both input and output. Because the AI features are one-click, students can’t enter free-form prompts in most of the app. The only variable the AI receives is the student’s program code, which limits the surface area for misuse. Even in the one lesson where students can type short text into speak blocks, the prompts instruct the model to treat that input with extra caution. The team also ran prompt-injection tests and found that the model recognized and ignored these attempts.

Most students get what they need in one click

Since launching in August 2025, the Sphero Edu AI assistant has been accessed more than 15,000 times per week. The most telling metric is how few clicks students make when using it. About 65% of students who use the Explain My Program feature click it one time and return to their lesson with what they need. “They’re in a 15-minute session with their robot, they click, they get some good feedback, and they get on with it,” said Kellner.

In that context, response speed matters. Staging tests showed that Claude Haiku 4.5 by Anthropic in Amazon Bedrock delivered roughly half the response time at about one-third the cost compared to Claude Sonnet 3.7 by Anthropic in Amazon Bedrock. Sphero decided to transition to Claude Haiku, with responses rarely exceeding 15 seconds. Reliability has been strong, too, with the team recording only eight errors over a recent 3-week period.

Teacher feedback has reinforced the approach. At a live webinar, educators said the tool added value without requiring new purchases or additional training. “It’s so cool that students can interact with AI without having the safety issues surrounding entering their own prompts,” said one educator. “It’s an amazing resource for cross-curricular learning.”

Multilingual support, vision capabilities, and what comes next

Sphero is developing a feature that gives students hands-on experience training machine learning (ML) models using sensor data from their robots—for example, training the robot to recognize when it’s shaken and respond with lights or sound. Daby is also working on multilingual support, so the assistant can respond in the student’s language, extending accessibility to non-English speakers. Vision and image processing capabilities are in the early stages of exploration.

For other education technology (EdTech) companies considering AI for K12, Kellner’s advice is straightforward: “Put yourself in the shoes of the teacher. What is a teacher really going to experience with your tool in the classroom? Teachers have a tough job. Finding what works for them is important.”

Sphero’s educator guide goes deeper into how the company approaches student safety, AI literacy, and classroom resources for teaching AI with hands-on robotics. Read Sphero’s guide now or, to learn more about how AWS supports EdTech companies building AI solutions for education, contact the AWS EdTech team.

Read related stories on the AWS Public Sector Blog

Building an identity-verified remote assessment platform on AWS

Mohammed Reda — Mon, 23 Mar 2026 20:55:43 +0000

Universities across the UK conduct tens of thousands of online interviews and exams each year. During a single admissions intake, over 20,000 video interviews were recorded for international applicants, with 1.3% of sessions showing confirmed fraud, including 0.15% involving deepfakes. A survey by the International Center for Academic Integrity (ICAI) found that 2% of students admitted to having someone else complete an exam or assignment on their behalf, confirming that impersonation remains a persistent risk in remote assessments.

The broader academic integrity landscape compounds this challenge. More than 60% of students globally admit to some form of academic dishonesty, and contract cheating services continue to grow. These trends place increasing pressure on institutions to protect the credibility of remote admissions, interviews, and exams without relying solely on manual review.

This pressure coincides with a strategic push to expand the global reach of UK higher education. The UK International Education Strategy sets a target of £40 billion in education exports by 2030 and emphasizes sustainable recruitment of high-quality international students. Meeting that goal requires assessment processes that scale globally while preserving academic integrity and institutional reputation. AI has a key role to play in helping universities conduct remote interviews and exams efficiently without compromising trust.

In this post, we show how to build a secure, scalable assessment platform on Amazon Web Services (AWS) using multi-agent AI and biometric verification to automate identity checks and exam evaluation. The solution uses Amazon Bedrock AgentCore to coordinate specialized agents, Amazon Rekognition for face verification, Amazon Transcribe for speech analysis, and Amazon Textract for identity document extraction. These services are combined with voice-matching models to detect impersonation before and during exams, which reduces fraud risk and enables institutions to assess candidates with greater confidence.

Solution architecture

The platform is built on Amazon Bedrock AgentCore and uses five specialized agents coordinated across three workflows: registration, authentication, and exam execution. The following diagram shows the platform architecture, including the five agents, Amazon Bedrock AgentCore Gateway, and the AWS services they use.

Figure 1: End-to-end architecture connecting the React frontend, five Amazon Bedrock AgentCore agents, AWS Lambda tool functions, and AWS AI services

Registration establishes the user’s verified identity. A single registration agent handles document extraction, voice capture, and account creation across three sequential steps, using Amazon Bedrock AgentCore Memory to maintain context between them. At the end of registration, the user has an Amazon Cognito account with biometric references (face and voice) stored in Amazon Simple Storage Service (Amazon S3).

Authentication verifies the user’s identity before each exam attempt. The authentication agent compares a live face capture against the stored reference using Amazon Rekognition and matches voice samples using a speaker-embedding model. Both checks must pass for the user to proceed.

Exam execution demonstrates a reading proficiency assessment, where the user reads a displayed passage aloud while being recorded. An orchestrator agent coordinates two child agents: a reading test agent that handles transcription and biometric monitoring during the exam and an evaluation agent that scores the reading across multiple dimensions. Reading passages are stored in Amazon DynamoDB and served to the frontend.

The reading assessment is one example of what can be built on this architecture. The modular design allows additional specialized agents to be added for other exam types, such as listening comprehension, writing, coding assessments, or domain-specific evaluations, without modifying the existing registration or authentication flows.

Model flexibility

All agents in this solution are built with the Strands Agents SDK and run on Amazon Bedrock AgentCore Runtime. Each agent can use any foundation model (FM) available through Amazon Bedrock, including first-party models such as Amazon Nova and third-party models such as Claude by Anthropic in Amazon Bedrock. Changing the underlying model requires updating a single configuration parameter—no changes to agent logic or tool integrations are needed.

Tool access through Amazon Bedrock AgentCore Gateway

Rather than each agent invoking AWS services directly, the platform implements tools as AWS Lambda functions and exposes them through the AgentCore Gateway using the Model Context Protocol (MCP). This gives all agents shared access to capabilities, including:

Identity document extraction (Amazon Textract)
Speech transcription (Amazon Transcribe)
Face detection and comparison (Amazon Rekognition)
User account management (Amazon Cognito)
Biometric profile storage and lookup (Amazon DynamoDB)
Voice embedding comparison (Resemblyzer)

The gateway enforces authentication for every tool invocation. Before an agent can access tools, it obtains an OAuth 2.0 token using client credentials that flow through Amazon Cognito. The following example shows how an agent requests a gateway access token:

``` python
def get_gateway_token():
    response = requests.post(
        COGNITO_TOKEN_URL,
        data="grant_type=client_credentials"
             "&client_id={ID}&client_secret={SECRET}&scope={SCOPE}",
        headers={"Content-Type": "application/x-www-form-urlencoded"}
    )
    return response.json()["access_token"]
```

This prevents agents from accessing underlying AWS services directly. The gateway validates every request, acting as a centralized security boundary.

Voice verification

Voice matching uses Resemblyzer, an open source speaker recognition library that generates 256-dimensional neural embeddings from audio recordings. Comparing these embeddings using cosine similarity determines whether two recordings come from the same speaker.

Resemblyzer runs as a Lambda container image on AWS Graviton2 (ARM64) processors. To eliminate cold-start latency, we use provisioned concurrency to keep warm instances available with the voice model preloaded in memory.

Detailed solution flows

The following sections walk through each workflow in detail, including the agent prompts, tool implementations, and key code patterns.

Registration flow

Registration uses a single agent invoked three times by the frontend, with each invocation performing a distinct function:

MODE 1: Extract identity data from an ID document
MODE 2: Collect a spoken security phrase and verify it matches the intended text
MODE 3: Complete account creation

Amazon Bedrock AgentCore Memory maintains conversation context across all three modes. The frontend generates a session ID one time and includes it in all three agent calls. The registration agent saves data from MODE 1 and MODE 2 to memory, then loads that data in MODE 3. The frontend doesn’t store or retransmit sensitive identity information.

Because users don’t yet have an account during registration, the frontend uses an Amazon Cognito identity pool with unauthenticated access enabled. This provides temporary AWS Identity and Access Management (IAM) credentials scoped to two permissions: invoking the registration agent on Amazon Bedrock AgentCore Runtime and calling Amazon API Gateway for Amazon S3 presigned URLs. The frontend signs each agent request using AWS Signature Version 4 (SigV4).

The following prompt instructs the registration agent on how to determine which mode to execute and what tools to call in each case:

```
You are a User Registration Agent.

ROLE: Enroll users with ID verification and biometric capture.

MODE 1 – EXTRACT PASSPORT
When: Only passport_s3_url provided
Steps:
  1. extract_data_from_passport
  2. Extract YEAR from date_of_birth
  3. Build phrase: “My name is FULL_NAME, and I was born in YEAR”

MODE 2 – VERIFY VOICE
When: voice_audio_s3_url + expected_phrase provided
Steps:
  1. verify_spoken_phrase
  2. Return verification result

MODE 3 – COMPLETE REGISTRATION
When: user_id + email provided
Context: Load extraction data from Memory (saved in MODE 1)
Steps:
  1. Load extraction data from Memory
  2. Apply user edits (if data_overrides provided)
  3. extract_face_from_id, create_cognito_user, save_user_profile
```

In MODE 1, the first step of registration, the user uploads a government-issued ID document for identity extraction. The following screenshot shows the Assessment Portal interface for uploading the ID document.

Figure 2: Registration step 1

The user uploads a government-issued ID using an Amazon S3 presigned URL. The registration agent calls the extract_data_from_passport tool through the gateway. The following code shows how the Lambda tool uses Amazon Textract to extract structured fields from the identity document:

```python
# Inside the registration-tools Lambda function
textract_response = textract.analyze_id(
    DocumentPages=[{'Bytes': image_bytes}]
)

extracted_data = {
    "full_name": "",
    "date_of_birth": "",
    "nationality": "",
    "document_number": ""
}

for field in textract_response['IdentityDocuments'][0]['IdentityDocumentFields']:
    field_type = field['Type']['Text']
    field_value = field['ValueDetection']['Text']

    if field_type in ['FIRST_NAME', 'LAST_NAME']:
        extracted_data["full_name"] = (
            extracted_data["full_name"] + " " + field_value
        ).strip()
    elif field_type == 'DATE_OF_BIRTH':
        extracted_data["date_of_birth"] = field_value
    elif field_type == 'COUNTRY':
        extracted_data["nationality"] = field_value
    elif field_type == 'DOCUMENT_NUMBER':
        extracted_data["document_number"] = field_value
```

The agent generates a personalized security phrase from the extracted data (for example, “My name is Jane Doe, and I was born in 1995”), then saves the extraction data and passport Amazon S3 URL to Amazon Bedrock AgentCore Memory. The following code shows how the agent persists state so that later modes can retrieve it:

```python
memory_client.create_event(
    memory_id=MEMORY_ID,
    session_id=session_id,  # Links this to MODE 2 and MODE 3
    messages=[
        (user_request, "USER"),
        (json.dumps({
            "mode": "extraction",
            "data": extracted_data,
            "passport_s3_url": passport_url
        }), "ASSISTANT")
    ]
)
```

In MODE 2, the second registration step, the user records themselves saying the personalized phrase. The frontend uploads the recording to Amazon S3 and invokes the registration agent again with the same session ID. The following screenshot shows the Assessment Portal interface for voice verification.

Figure 3: Registration step 2

The agent calls the verify_spoken_phrase tool, which uses Amazon Transcribe to convert the audio to text and compare it against the expected phrase. The following code shows how the tool starts a transcription job and verifies the spoken content:

```python
# Inside the registration-tools Lambda function
transcribe.start_transcription_job(
    TranscriptionJobName=job_name,
    Media={'MediaFileUri': voice_s3_url},
    MediaFormat='wav',
    LanguageCode='en-US'
)

# Poll until completed, then fetch transcript
transcript_text = get_completed_transcript(job_name)

# Verify that key words from the expected phrase appear in the transcript
expected_words = [w for w in expected_phrase.lower().split() if len(w) > 2]
verified = all(word in transcript_text.lower() for word in expected_words)
```

The following screenshot shows the Assessment Portal interface for voice verification with notification that the voice was verified.

Figure 4: Voice verification confirmed

The agent saves the verification result and voice URL to memory using the same session ID.

In MODE 3, account creation, the frontend invokes the registration agent a third time with only the email and session ID but no identity data. The agent loads all previous data from memory. The following code shows how the agent retrieves the extraction and verification context saved in earlier modes:

```python
events = memory_client.list_events(
    memory_id=MEMORY_ID,
    session_id=session_id,  # Retrieves MODE 1 and MODE 2 data
    max_results=10
)

for event in events:
    if '"mode": "extraction"' in event:
        extracted_data = json.loads(event)['data']
        passport_url = json.loads(event)['passport_s3_url']
    if '"mode": "verification"' in event:
        voice_url = json.loads(event)['voice_s3_url']
```

With data loaded from memory, the agent completes registration by invoking three tools in sequence. The following code shows the face extraction tool, which uses Amazon Rekognition to detect and crop the face from the ID document:

```python
response = rekognition.detect_faces(
    Image={'Bytes': id_image_bytes},
    Attributes=['DEFAULT']
)
bbox = response['FaceDetails'][0]['BoundingBox']

face_image = original_image.crop((left, top, right, bottom))
s3.upload(face_image, f'users/{user_id}/reference_face.jpg')
```

The following code shows the Amazon Cognito account creation tool, which generates a password and creates the user with a permanent password so they can sign in immediately:

```python
password = secrets.token_urlsafe(12) + "Aa1!"

cognito.admin_create_user(
    UserPoolId=USER_POOL_ID,
    Username=email,
    UserAttributes=[
        {'Name': 'email', 'Value': email},
        {'Name': 'name', 'Value': extracted_data['full_name']},
        {'Name': 'email_verified', 'Value': 'true'}
    ],
    TemporaryPassword=password,
    MessageAction='SUPPRESS'
)

cognito.admin_set_user_password(
    UserPoolId=USER_POOL_ID,
    Username=email,
    Password=password,
    Permanent=True
)
```

Finally, the agent saves the user profile to DynamoDB, linking the Amazon Cognito account to the biometric references in Amazon S3. At this point, the user is registered and ready for authentication. The following screenshot shows successful creation of login credentials.

Figure 5: Registration complete

Authentication flow

The following prompt defines the authentication agent’s verification workflow, showing the sequence of tool calls the agent executes for every biometric check:

```
You are a Biometric Verification Agent for secure identity verification.

BIOMETRIC VERIFICATION PROCESS:
1. Call: get_user_profile → Get user_id and reference paths
2. Call: compare_face_with_reference → Face score
3. Call: compare_voice_with_reference → Voice score
4. Check: face match AND voice match → verified = true
5. Call: log_auth_attempt
6. Return verification result with scores
```

To authenticate the password, the user signs in with email and password using an Amazon Cognito user pool. The following code shows the frontend authentication flow:

```javascript
import { signIn, fetchAuthSession } from 'aws-amplify/auth';

const { isSignedIn } = await signIn({
  username: email,
  password: password
});

if (isSignedIn) {
  const session = await fetchAuthSession();
  const idToken = session.tokens?.idToken;
  const cognitoSub = idToken.payload.sub;
}
```

The following screenshot shows the sign-in screen in the Assessment Portal.

Figure 6: Sign-in page

Amazon Cognito returns a JSON web token (JWT) containing the user’s profile information, valid for 1 hour.

To verify the biometric, the user captures a 6-second video saying a security phrase. The frontend extracts a still frame and the audio track, uploads both to Amazon S3, then invokes the authentication agent with the JWT bearer token. The following screenshot shows the Identity Verification screen

Figure 7: Biometric identity verification

The agent executes a four-step workflow through Amazon Bedrock AgentCore Gateway tools:

1. To look up the user profile, the agent converts the cognito_sub from the JWT to the internal user_id by querying a DynamoDB global secondary index. This also returns paths to biometric references from registration.

2. Compare the face with the reference. The following code shows the face comparison logic using the Amazon Rekognition CompareFaces API:

```python
response = rekognition.compare_faces(
    SourceImage={'S3Object': {'Bucket': bucket, 'Name': live_face_key}},
    TargetImage={'S3Object': {'Bucket': bucket, 'Name': reference_face_key}},
    SimilarityThreshold=70
)

similarity = response['FaceMatches'][0]['Similarity']  # 0-100
match = similarity >= 80.0
```

3. To compare the voice with the reference, the agent calls compare_voice_with_reference, which uses the pre-warmed Resemblyzer model described in the Solution architecture section to generate speaker embeddings and calculate cosine similarity. The following Python code shows the voice comparison logic inside the authentication-tools Lambda container:

```python
from resemblyzer import VoiceEncoder, preprocess_wav
from scipy.spatial.distance import cosine

encoder = get_voice_encoder()  # Pre-warmed cache

# Preprocess audio files
ref_wav = preprocess_wav(ref_path)
live_wav = preprocess_wav(live_path)

# Generate 256-dimensional speaker embeddings
ref_embedding = encoder.embed_utterance(ref_wav)
live_embedding = encoder.embed_utterance(live_wav)

# Calculate cosine similarity
similarity = 1 - cosine(ref_embedding, live_embedding)
match = similarity >= 0.60```

4. Log authentication attempt. The following code shows the structured log entry recorded to Amazon CloudWatch for audit purposes:

```python
log_entry = {
    "user_id": user_id,
    "email": email,
    "face_similarity_score": face_score,
    "voice_similarity_score": voice_score,
    "result": "success" if both_passed else "failure",
    "timestamp": datetime.now().isoformat()
}
```

Authentication succeeds only if both face and voice verification pass—an attacker would need to defeat both systems simultaneously. The following screenshot shows the Identity Verified screen with face verification passing at 100% and voice verification passing at 83.3%.

Figure 8: Identity verified

Exam and evaluation flow

The exam workflow demonstrates multi-agent coordination using the orchestrator pattern. When a user starts an English reading test, three agents work together to administer the exam, verify identity, and calculate scores.

First, the passage is retrieved and recorded. The frontend randomly selects a passage ID and retrieves the passage text by calling the select_reading_passage tool directly through Amazon Bedrock AgentCore Gateway using MCP protocol. The following code shows how the frontend issues the MCP tool call to fetch a random passage:

```javascript
const randomPassageId = `passage_${Math.floor(Math.random() * 5) + 1}`;

const mcpResponse = await fetch(gatewayUrl, {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${bearerToken}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tools/call",
    "params": {
      "name": "examination-tools___select_reading_passage",
      "arguments": {"passage_id": randomPassageId}
    }
  })
});
```

The passage is displayed to the user with a brief preview period. The user reads the passage aloud while being recorded, and the video is uploaded to Amazon S3. The passage ID is forwarded to the orchestrator agent so the reading test agent can retrieve the same text for scoring comparison. The following screenshot shows the Reading Test screen with a test in progress.

Figure 9: Reading test in progress

The frontend invokes the orchestrator agent through JWT bearer authentication with the video URL, user ID, and passage ID. The following prompt shows how the orchestrator is instructed to coordinate two child agents in sequence:

```
You are an Exam Orchestrator for English Interview Assessment.

WORKFLOW:
1. Call reading test agent with video URL, user ID, and passage ID
2. Extract transcription details from response
3. Call evaluation agent with transcription data
4. Combine both results into final response
```

The orchestrator delegates all processing to specialized agents and doesn’t perform transcription, biometric checks, or scoring itself. This solution uses the agents as tools pattern from the Strands Agents SDK, where each sub-agent is wrapped as a callable tool. The orchestrator decides when to invoke each agent, the same as it would decide when to call any other tool. The following code shows how the reading test and evaluation agents are defined as tools:

```python
from strands import Agent, tool

  @tool
  def call_reading_test_agent(video_s3_url: str, user_id: str, passage_id: str = None) ->
  dict:
      """Execute reading test (transcribe + biometrics). Returns test data without
  scores."""
      result = invoke_reading_test_agent(video_s3_url, user_id, passage_id)
      return {"status": "success", "content": [{"text": json.dumps(result)}]}

  @tool
  def call_evaluation_agent(transcribed_text: str, original_text: str, words_data: list,
  duration: float, passage_word_count: int) -> dict:
      """Score reading test results. Returns evaluation scores."""
      result = invoke_evaluation_agent(transcribed_text, original_text, words_data,
  duration, passage_word_count)
      return {"status": "success", "content": [{"text": json.dumps(result)}]}

  # Orchestrator treats sub-agents as tools
  agent = Agent(
      system_prompt=ORCHESTRATOR_PROMPT,
      tools=[call_reading_test_agent, call_evaluation_agent],
      model=model
  )
```

The Strands Agents framework supports additional multi-agent patterns, including swarm, graph, workflow, and agent-to-agent (A2A) protocol for distributed communication. For more details, refer to Strands Agents Multi-agent Patterns.

The reading test agent executes six tools in sequence to process the recording. The following prompt defines this workflow:

```
You are a Reading Test Agent.
ROLE: Execute test workflow ONLY. Do NOT calculate scores.

WORKFLOW - EXECUTE ALL 6 TOOLS:
1. select_reading_passage
2. transcribe_reading_audio
3. align_words_to_passage
4. extract_biometric_samples
5. compare_face_with_reference
6. compare_voice_with_reference
```

The following sections describe some of these tools in detail:

Transcription tool – The agent sends the video to Amazon Transcribe, which extracts the audio automatically. The following Python code shows how the tool retrieves word-level confidence scores from the transcription result:

```python
transcribe.start_transcription_job(
    TranscriptionJobName=job_name,
    Media={'MediaFileUri': video_s3_url},
    MediaFormat='webm',
    LanguageCode='en-US'
)

words_data = [{
    'word': item['alternatives'][0]['content'],
    'confidence': float(item['alternatives'][0]['confidence']),
    'start_time': float(item.get('start_time', 0)),
    'end_time': float(item.get('end_time', 0))
} for item in transcript_items if item['type'] == 'pronunciation']
```

Word alignment tool – The agent aligns transcribed words to the original passage using sequence matching. The following Python code shows how every passage word is classified as correct, missing, or low confidence:

```python
import difflib

matcher = difflib.SequenceMatcher(
    None,
    [w.lower() for w in original_text.split()],
    [w.lower() for w in [wd['word'] for wd in words_data]]
)

for i, passage_word in enumerate(original_text.split()):
    passage_word_analysis.append({
        'word': passage_word,
        'position': i + 1,
        'status': determine_status(i, matcher, words_data),
        'confidence': get_confidence(i, matcher, words_data)
    })
```

This shows the status of all passage words, not only words spoken, which prevents gaming.

Biometric extraction tool – The agent extracts a face frame and a 5-second audio segment at random timestamps using FFmpeg. The following Python code shows the random extraction approach:

```python
duration = get_video_duration(video_path)

frame_time = random.uniform(30, duration)
extract_frame_at(video_path, frame_time, output_path)

audio_start = random.uniform(0, duration - 5)
extract_audio_segment(video_path, audio_start, 5, output_path)
```

Because the extraction point is unpredictable, an attacker can’t prerecord the opening of a session and switch partway through—the genuine test-taker must be present for the full duration

Identity verification tool – The agent calls the same face and voice comparison tools used during authentication, checking the randomly extracted samples against registration references. Both must pass.

The orchestrator then calls the evaluation agent with the transcription data. The following prompt defines the scoring workflow:

```
You are an Evaluation Agent for scoring English reading tests.

WORKFLOW:
STEP 1: Call analyze_word_scores(words_data)
STEP 2: Call compare_with_reference(transcribed, original, words_data)
STEP 3: EVALUATE LANGUAGE QUALITY YOURSELF (no tool needed)
  - Grammar (1-5): How naturally was it read?
  - Coherence (1-5): Did the reading flow logically?
STEP 4: Call calculate_final_score with all metrics
```

The agent uses Amazon Bedrock AgentCore Gateway tools for objective metrics—word clarity from Amazon Transcribe confidence scores and reading accuracy using sequence matching—then applies its own foundation model reasoning to assess grammar and coherence. The final score combines accuracy (40%), fluency (25%), speed (15%), grammar (10%), and coherence (10%), mapped to CEFR levels (A1 through C2) and a pass or fail outcome.

The Orchestrator combines responses from both agents and returns a single result to the frontend, which displays the overall score, a breakdown across six scoring dimensions, a word-level analysis grid (green for correct, yellow for low confidence, and red for missing), the CEFR level, and biometric verification status. If biometric verification failed during the exam, results are flagged for manual review. The following screenshot shows the word-level analysis grid.

Figure 10: Word-level analysis grid

Security and data protection

The platform collects biometric data, face images, voice recordings, and exam videos that require careful handling. Amazon S3 lifecycle policies can be configured to automatically delete biometric files after a retention period that aligns with an organization’s compliance and data protection requirements. Data is encrypted at rest and in transit, and all authentication attempts are logged to Amazon CloudWatch for audit purposes.

Access to tools is controlled through the Amazon Bedrock AgentCore Gateway using OAuth 2.0 machine-to-machine authentication. Each agent must obtain a valid token before invoking any tool, and the gateway can restrict which tools are available to specific agents. This prevents an evaluation agent from accessing user account management tools.

Conclusion

Remote assessment fraud is a growing challenge as education and professional development move online. This post demonstrated how to build a scalable, identity-verified assessment platform using Amazon Bedrock AgentCore, combining specialized AI agents, biometric verification, and serverless architecture.

The implementation focuses on English language assessment, but the architecture applies broadly. Professional certification bodies, corporate hiring teams, financial services compliance programs, and healthcare credentialing boards all face similar challenges: verifying that the right person is completing the right assessment. The multi-agent design makes adaptation straightforward—create specialized agents for the new domain, add domain-specific tools to the gateway, and reuse the existing biometric verification components without modification.

To learn more about how Amazon Bedrock AgentCore and generative AI can help your organization build secure, identity-verified assessment systems, contact your AWS account team or contact AWS sales support.