Public health organizations need access to data insights that they can quickly act upon, especially in times of health emergencies, when data needs to be updated multiple times daily. For example, during the COVID-19 pandemic, access to timely data insights was critically important for public health agencies worldwide as they coordinated emergency response efforts. Up-to-date information and analysis empowered organizations to monitor the rapidly changing situation and direct resources accordingly.
This is the second post in this series; we recommend that you read the first post before diving deep into this solution. In our first post, Enable data collaboration among public health agencies with AWS Clean Rooms – Part 1, we showed how public health agencies can create AWS Clean Rooms collaborations, invite other stakeholders to join the collaboration, and run queries on their collective data without either party having to share or copy underlying data with each other. As mentioned in the previous post, AWS Clean Rooms enables multiple organizations to analyze their data and unlock insights they can act upon, without having to share sensitive, restricted, or proprietary records.
However, public health organization leaders and decision-making officials don’t directly access data collaboration outputs from their Amazon Simple Storage Service (Amazon S3) buckets. Instead, they rely on up-to-date dashboards that help them visualize data insights to make informed decisions quickly.
To ensure these dashboards showcase the most updated insights, the organization builders and data architects need to catalog and update AWS Clean Rooms collaboration outputs on an ongoing basis, which often involves repetitive and manual processes that, if not done well, could delay your organization’s access to the latest data insights.
Manually handling repetitive daily tasks at scale poses risks like delayed insights, miscataloged outputs, or broken dashboards. At a large volume, it would require around-the-clock staffing, straining budgets. This manual approach could expose decision-makers to inaccurate or outdated information.
Automating repetitive workflows, validation checks, and programmatic dashboard refreshes removes human bottlenecks and helps decrease inaccuracies. Automation helps ensure continuous, reliable processes that deliver the most current data insights to leaders without delays, all while streamlining resources.
In this post, we explain an automated workflow using AWS Step Functions and Amazon QuickSight to help organizations access the most current results and analyses, without delays from manual data handling steps. This workflow implementation will empower decision-makers with real-time visibility into the evolving collaborative analysis outputs, ensuring they have up-to-date, relevant insights that they can act upon quickly.
The following reference architecture illustrates some of the foundational components of clean rooms query automation and publishing dashboards using AWS services. We automate running queries using Step Functions with Amazon EventBridge schedules, build an AWS Glue Data Catalog on query outputs, and publish dashboards using QuickSight so they automatically refresh with new data. This allows public health teams to monitor the most recent insights without manual updates.
The architecture consists of the following components, as numbered in the preceding figure:
- A scheduled event rule on EventBridge triggers a Step Functions workflow.
- The Step Functions workflow initiates the run of a query using the StartProtectedQuery AWS Clean Rooms API. The submitted query runs securely within the AWS Clean Rooms environment, ensuring data privacy and compliance. The results of the query are then stored in a designated S3 bucket, with a unique protected query ID serving as the prefix for the stored data. This unique identifier is generated by AWS Clean Rooms for each query run, maintaining clear segregation of results.
- When the AWS Clean Rooms query is successfully complete, the Step Functions workflow calls the AWS Glue API to update the location of the table in the AWS Glue Data Catalog with the Amazon S3 location where the query results were uploaded in Step 2.
- Amazon Athena uses the catalog from the Data Catalog to query the information using standard SQL.
- QuickSight is used to query, build visualizations, and publish dashboards using the data from the query results.
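The polling and catalog-update logic described in the second and third components above, sketched in Python as an added example (it is not the state machine definition from this post's CloudFormation template). The function names and the `expected_bucket` check are assumptions; `cleanrooms` and `glue` are boto3 clients passed in by the caller, and `query_id` is the ID returned by StartProtectedQuery.

```python
import time

TERMINAL_FAILURES = {"FAILED", "CANCELLED", "TIMED_OUT"}
# Subset of the keys glue.update_table accepts in TableInput. get_table also
# returns read-only fields (DatabaseName, CreateTime, ...) that must be dropped.
TABLE_INPUT_KEYS = {"Name", "Description", "Owner", "Retention", "StorageDescriptor",
                    "PartitionKeys", "TableType", "Parameters"}


def wait_for_query(cleanrooms, membership_id, query_id, poll_seconds=30,
                   max_polls=60, sleep=time.sleep):
    """Poll GetProtectedQuery until SUCCESS and return the S3 result location."""
    for _ in range(max_polls):
        query = cleanrooms.get_protected_query(
            membershipIdentifier=membership_id,
            protectedQueryIdentifier=query_id)["protectedQuery"]
        if query["status"] == "SUCCESS":
            return query["result"]["output"]["s3"]["location"]
        if query["status"] in TERMINAL_FAILURES:
            raise RuntimeError(f"protected query {query_id} ended as {query['status']}")
        sleep(poll_seconds)  # the workflow in this post waits 30 seconds per check
    raise TimeoutError(f"protected query {query_id} still running after {max_polls} polls")


def repoint_table(glue, database, table, location, expected_bucket):
    """Point the Glue table at the new results prefix, only inside the expected bucket."""
    # Assumption: the location is an s3://bucket/prefix URI. Refusing anything
    # outside the designated results bucket keeps dashboards off unexpected data.
    if not location.startswith(f"s3://{expected_bucket}/"):
        raise ValueError(f"refusing to catalog unexpected location {location}")
    current = glue.get_table(DatabaseName=database, Name=table)["Table"]
    table_input = {k: v for k, v in current.items() if k in TABLE_INPUT_KEYS}
    table_input["StorageDescriptor"] = dict(current["StorageDescriptor"],
                                            Location=location)
    glue.update_table(DatabaseName=database, TableInput=table_input)
    return table_input
```
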
For this walkthrough, you need the following:
Launch the CloudFormation stack
In this post, we provide a CloudFormation template to create the following resources:
- An EventBridge rule that triggers the Step Functions state machine on a schedule
- An AWS Glue database and a catalog table
- An Athena workgroup
- Three S3 buckets:
  - For AWS Clean Rooms to upload the results of query runs
  - For Athena to upload the results for the queries
  - For storing access logs of other buckets
- A Step Functions workflow designed to run the AWS Clean Rooms query, upload the results to an S3 bucket, and update the table location with the S3 path in the AWS Glue Data Catalog
- An AWS Key Management Service (AWS KMS) customer-managed key to encrypt the data in S3 buckets
- AWS Identity and Access Management (IAM) roles and policies with the necessary permissions
To create the necessary resources, complete the following steps:
- Choose Launch Stack:
- Enter cleanrooms-query-automation-blog for Stack name.
- Enter the membership ID from the AWS Clean Rooms collaboration you created in Part 1 of this series.
- Choose Next.
- Choose Next again.
- On the Review page, select I acknowledge that AWS CloudFormation might create IAM resources.
- Choose Create stack.
After you run the CloudFormation template and create the resources, you can find the following information on the stack Outputs tab on the AWS CloudFormation console:
- AthenaWorkGroup – The Athena workgroup
- EventBridgeRule – The EventBridge rule triggering the Step Functions state machine
- GlueDatabase – The AWS Glue database
- GlueTable – The AWS Glue table storing metadata for AWS Clean Rooms query results
- S3Bucket – The S3 bucket where AWS Clean Rooms uploads query results
- StepFunctionsStateMachine – The Step Functions state machine
Test the solution
The EventBridge rule named cleanrooms_query_execution_Stepfunctions_trigger is scheduled to trigger every 1 hour. When this rule is triggered, it initiates the run of the CleanRoomsBlogStateMachine-XXXXXXX Step Functions state machine. Complete the following steps to test the end-to-end flow of this solution:
- On the Step Functions console, navigate to the state machine you created.
- On the state machine details page, locate the latest query run.
The details page lists the completed steps:
- The state machine submits a query to AWS Clean Rooms using the startProtectedQuery API. The output of the API includes the query run ID and its status.
- The state machine waits for 30 seconds before checking the status of the query run.
- After 30 seconds, the state machine checks the query status using the getProtectedQuery API. When the status changes to SUCCESS, it proceeds to the next step to retrieve the AWS Glue table metadata information. The output of this step contains the S3 location to which the query run results are uploaded.
- The state machine retrieves the metadata of the AWS Glue table named patientimmunization, which was created via the CloudFormation stack.
- The state machine updates the S3 location (the location to which AWS Clean Rooms uploaded the results) in the metadata of the AWS Glue table.
- After a successful update of the AWS Glue table metadata, the state machine is complete.
- On the Athena console, switch the workgroup to CustomWorkgroup.
- Run the following query:
Visualize the data with QuickSight
Now that you can query your data in Athena, you can use QuickSight to visualize the results. Let’s start by granting QuickSight access to the S3 bucket where your AWS Clean Rooms query results are stored.
Grant QuickSight access to Athena and your S3 bucket
First, grant QuickSight access to the S3 bucket:
- Sign in to the QuickSight console.
- Choose your user name, then choose Manage QuickSight.
- Choose Security and permissions.
- For QuickSight access to AWS services, choose Manage.
- For Amazon S3, choose Select S3 buckets, and choose the S3 bucket named cleanrooms-query-execution-results-XX-XXXX-XXXXXXXXXXXX (XXXXX represents the AWS Region and account number where the solution is deployed).
- Choose Save.
Create your datasets and publish visuals
Before you can analyze and visualize the data in QuickSight, you must create datasets for your Athena tables.
- On the QuickSight console, choose Datasets in the navigation pane.
- Choose New dataset.
- Select Athena.
- Enter a name for your dataset.
- Choose Create data source.
- Choose the AWS Glue database cleanrooms_patientdb and select the table
- Select Directly query your data.
- Choose Visualize.
- On the Analysis tab, choose the visual type of your choice and add visuals.
Complete the following steps to clean up your resources when you no longer need this solution:
- Manually delete the S3 buckets and the data stored in the bucket.
- Delete the CloudFormation templates.
- Delete the QuickSight analysis.
- Delete the data source.
In this post, we demonstrated how to automate running AWS Clean Rooms queries using an API call from Step Functions. We also showed how to update the query results information on the existing AWS Glue table, query the information using Athena, and create visuals using QuickSight.
The automated workflow solution delivers real-time insights from AWS Clean Rooms collaborations to decision makers through automated checks for new outputs, processing, and Amazon QuickSight dashboard refreshes. This eliminates manual handling tasks, enabling faster data-driven decisions based on the latest analyses. Additionally, automation frees up staff resources to focus on more strategic initiatives rather than repetitive updates.
Contact the public sector team directly to learn more about how to set up this solution, or reach out to your AWS account team to engage on a proof of concept of this solution for your organization.
About AWS Clean Rooms
AWS Clean Rooms helps companies and their partners more easily and securely analyze and collaborate on their collective datasets—without sharing or copying one another’s underlying data. With AWS Clean Rooms, you can create a secure data clean room in minutes, and collaborate with any other company on the AWS Cloud to generate unique insights about advertising campaigns, investment decisions, and research and development.
The AWS Clean Rooms team is continually building new features to help you collaborate. Watch this video to learn more about privacy-enhanced collaboration with AWS Clean Rooms.
About the Authors
Venkata Kampana is a Senior Solutions Architect in the AWS Health and Human Services team and is based in Sacramento, CA. In that role, he helps public sector customers achieve their mission objectives with well-architected solutions on AWS.
Jim Daniel is the Public Health lead at Amazon Web Services. Previously, he held positions with the United States Department of Health and Human Services for nearly a decade, including Director of Public Health Innovation and Public Health Coordinator. Before his government service, Jim served as the Chief Information Officer for the Massachusetts Department of Public Health.