User's Guide: Preparing Your S3 Bucket for Confidential AI

Fortanix Confidential AI allows you to bring your own S3 bucket and use it as input to the Confidential AI flow. To prepare your input data for Confidential AI and keep them secure we propose the following steps:

1. File format
   • For tabular data: Use the csv file format to store your data and include headers as the first line of your CSV file. These headers can be later used to indicate the features and target of your AI workloads.
   • For image data: compress all of your images into a single tar.gz file.
2. Data encryption: This step is optional but recommended to ensure end-to-end encryption. Fortanix Confidential AI currently supports AES-256-GCM encryption. You can use the provided Python script to encrypt your file and get the encryption key in the format that Confidential AI expects.
   • Generate a key: ./aes_256_gcm.py gen_key -k <key-file>
   • Encrypt: ./aes_256_gcm.py encrypt -i <input-file> -o <output-file> -k <key-file>
   • Decrypt: ./aes_256_gcm.py decrypt -i <input-file> -o <output-file> -k <key-file>
3. Upload file: Upload your file to your S3 bucket.
4. Set CORS policies: To allow Confidential AI to access your bucket, set a CORS policy to your bucket:
   1. Navigate to your S3 console.
   2. Select your bucket.
   3. Click the Permissions tab.
   4. Click Edit on the "Cross-origin resource sharing (CORS)" section.
   5. Set your CORS policy, for example:

   [
       {
           "AllowedHeaders": [
               "*"
           ],
           "AllowedMethods": [
               "GET",
               "HEAD"
           ],
           "AllowedOrigins": [
               "https://ccm.fortanix.com"
           ],
           "ExposeHeaders": []
       }
   ]
   

5. Create a Confidential AI dataset by providing your S3 URL, Access Key Id, Secret Key, and (optionally) Encryption key - the hex string stored in <key-file> (Step 2 above).