custom models, roles

Author: mwunderl

docs-source/appliance-buttons.md

@@ -18,9 +18,9 @@ To reset the device, use the following button combinations\. A short press is 1
 
 **Reset operations**
 + **To shut down the appliance** – Short press power\. Starts a shutdown sequence that takes about 10 seconds\.
-+ **To restore the latest software image** – Short press reset\.
-+ **To restore the factory software image** – Long press reset\.
-+ **To restore the factory software image and delete all configuration files and applications** – Long press power and reset\.
++ **To restore the latest software image** – Shut down the appliance, and then short press reset\.
++ **To restore the factory software image** – Shut down the appliance, and then long press reset\.
++ **To restore the factory software image and delete all configuration files and applications** – Shut down the appliance, and then long press power and reset\.
 
 The network LED has the following states:
 

docs-source/applications-models.md

@@ -12,6 +12,7 @@ Whether you import a model from SageMaker or from Amazon S3, the name of the Ama
 
 **Topics**
 + [Sample model](#applications-models-sample)
++ [Building a custom model](#applications-models-custom)
 + [Using models in code](#applications-models-using)
 + [Training models](#applications-models-training)
 
@@ -24,6 +25,24 @@ This guide uses a sample object detection model\. The sample model uses the obje
 
 To get started with the sample model, see [Deploying the AWS Panorama sample application](gettingstarted-deploy.md)\.
 
+## Building a custom model<a name="applications-models-custom"></a>
+
+You can use models that you build in PyTorch, Apache MXNet, and TensorFlow in AWS Panorama applications\. As an alternative to building and training models in SageMaker, you can use a trained model or build and train your own model with a supported framework and export it in a local environment or in Amazon EC2\.
+
+**Note**  
+For details about the framework versions and file formats supported by SageMaker Neo, see [Supported Frameworks](https://docs.aws.amazon.com/sagemaker/latest/dg/neo-supported-devices-edge-frameworks.html) in the Amazon SageMaker Developer Guide\.
+
+The repository for this guide provides a sample application that demonstrates this workflow for a Keras model in TensorFlow `SavedModel` format\. It uses TensorFlow 1\.15 and can run locally in a virtual environment or in a Docker container\. The sample app also includes templates and scripts for building the model on an Amazon EC2 instance\.
+
+****
++ [Custom model sample application](https://github.com/awsdocs/aws-panorama-developer-guide/blob/main/sample-apps/custom-model)
+
+![\[\]](http://docs.aws.amazon.com/panorama/latest/dev/images/sample-custom-model.png)
+
+AWS Panorama uses SageMaker Neo to compile models for use on the AWS Panorama Appliance\. For each framework, use the [format that's supported by SageMaker Neo](https://docs.aws.amazon.com/sagemaker/latest/dg/neo-compilation-preparing-model.html), package the model in a `.tar.gz` archive, and store it in an Amazon S3 bucket that AWS Panorama can access\.
+
+For more information, see [Compile and Deploy Models with Neo ](https://docs.aws.amazon.com/sagemaker/latest/dg/neo.html) in the Amazon SageMaker Developer Guide\.
+
 ## Using models in code<a name="applications-models-using"></a>
 
 On the appliance, model files are stored in a folder named after the model resource that you create in the AWS Panorama console when you [create an application](gettingstarted-deploy.md#gettingstarted-deploy-create)\. The application code uses the directory name to reference the model and load it with the AWS Panorama Application SDK\.
@@ -56,11 +75,11 @@ For example, the following initialization code loads a model named `my-model`\.
 
 ## Training models<a name="applications-models-training"></a>
 
-When you a model, use images from the target environment, or from a test environment that closely resembles the target environment\. Consider the following factors that can affect model performance:
+When you train a model, use images from the target environment, or from a test environment that closely resembles the target environment\. Consider the following factors that can affect model performance:
 
 ****
 + **Lighting** – The amount of light that is reflected by a subject determines how much detail the model has to analyze\. A model trained with images of well\-lit subjects might not work well in a low\-light or backlit environment\.
 + **Resolution** – The input size of a model is typically fixed at a resolution between 224 and 512 pixels wide in a square aspect ratio\. Before you pass a frame of video to the model, you can downscale or crop it to fit the required size\.
-+ **Image distortion** – A camera's focal length and lens shape can cause images to exhibit distortion away from the center of the frame\. The position of a camera also determines which features of a subject are visible\. For example, an overhead camera with a wide angle lens will show the top of a subject when its in the center of the frame, and a skewed view of the subject's side as it moves farther away from center\.
++ **Image distortion** – A camera's focal length and lens shape can cause images to exhibit distortion away from the center of the frame\. The position of a camera also determines which features of a subject are visible\. For example, an overhead camera with a wide angle lens will show the top of a subject when it's in the center of the frame, and a skewed view of the subject's side as it moves farther away from center\.
 
 To address these issues, you can preprocess images before sending them to the model, and train the model on a wider variety of images that reflect variances in real\-world environments\. If a model needs to operate in a lighting situations and with a variety of cameras, you need more data for training\. In addition to gathering more images, you can get more training data by creating variations of your existing images that are skewed or have different lighting\.

docs-source/security-dataprotection.md

@@ -10,7 +10,7 @@ For data protection purposes, we recommend that you protect AWS account credenti
 + Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3\.
 + If you require FIPS 140\-2 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint\. For more information about the available FIPS endpoints, see [Federal Information Processing Standard \(FIPS\) 140\-2](http://aws.amazon.com/compliance/fips/)\.
 
-We strongly recommend that you never put sensitive identifying information, such as your customers' account numbers, into free\-form fields such as a **Name** field\. This includes when you work with AWS Panorama or other AWS services using the console, API, AWS CLI, or AWS SDKs\. Any data that you enter into AWS Panorama or other services might get picked up for inclusion in diagnostic logs\. When you provide a URL to an external server, don't include credentials information in the URL to validate your request to that server\.
+We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free\-form fields such as a **Name** field\. This includes when you work with AWS Panorama or other AWS services using the console, API, AWS CLI, or AWS SDKs\. Any data that you enter into tags or free\-form fields used for names may be used for billing or diagnostic logs\. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server\.
 
 **Topics**
 + [Encryption in transit](#security-privacy-intransit)
@@ -30,7 +30,7 @@ The contents of the configuration archive, which includes the appliance's privat
 
 Other settings, such as camera stream credentials \(username and password\) are encrypted at rest in AWS\. Settings are decrypted prior to transport and sent to the appliance over TLS\.
 
-To store your models securely in Amazon S3, you can use server\-side encryption with a key that Amazon S3 manages, or one that you provide\. For more information, see [Protecting data using encryption](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html) in the Amazon Simple Storage Service Developer Guide\.
+To store your models securely in Amazon S3, you can use server\-side encryption with a key that Amazon S3 manages, or one that you provide\. For more information, see [Protecting data using encryption](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html) in the Amazon Simple Storage Service User Guide\.
 
 When you author application code in AWS Lambda, Lambda encrypts the function code by default\. For more information, see [Data protection in AWS Lambda ](https://docs.aws.amazon.com/lambda/latest/dg/security-dataprotection.html) in the AWS Lambda Developer Guide\.
 

docs-source/security-iam-awsmanpol.md

@@ -4,7 +4,7 @@ To add permissions to users, groups, and roles, it is easier to use AWS managed
 
 AWS services maintain and update AWS managed policies\. You can't change the permissions in AWS managed policies\. Services occasionally add additional permissions to an AWS managed policy to support new features\. This type of update affects all identities \(users, groups, and roles\) where the policy is attached\. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available\. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions\.
 
-Additionally, AWS supports managed policies for job functions that span multiple services\. For example, the **ReadOnlyAccess** AWS managed policy provides read\-only access to all AWS services and resources\. When a service launches a new feature, AWS adds read\-only permissions for new operations and resources\. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*\.
+Additionally, AWS supports managed policies for job functions that span multiple services\. For example, the **ViewOnlyAccess** AWS managed policy provides read\-only access to many AWS services and resources\. When a service launches a new feature, AWS adds read\-only permissions for new operations and resources\. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*\.
 
 AWS Panorama provides the following managed policies\. For the full contents and change history of each policy, see the linked pages in the IAM console\.
 

docs-source/security-iam.md

@@ -53,7 +53,7 @@ IAM roles with temporary credentials are useful in the following situations:
 + **Cross\-account access** – You can use an IAM role to allow someone \(a trusted principal\) in a different account to access resources in your account\. Roles are the primary way to grant cross\-account access\. However, with some AWS services, you can attach a policy directly to a resource \(instead of using a role as a proxy\)\. To learn the difference between roles and resource\-based policies for cross\-account access, see [How IAM roles differ from resource\-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_compare-resource-policies.html) in the *IAM User Guide*\.
 + **Cross\-service access** –  Some AWS services use features in other AWS services\. For example, when you make a call in a service, it's common for that service to run applications in Amazon EC2 or store objects in Amazon S3\. A service might do this using the calling principal's permissions, using a service role, or using a service\-linked role\. 
   + **Principal permissions** –  When you use an IAM user or role to perform actions in AWS, you are considered a principal\. Policies grant permissions to a principal\. When you use some services, you might perform an action that then triggers another action in a different service\. In this case, you must have permissions to perform both actions\. To see whether an action requires additional dependent actions in a policy, see [Actions, Resources, and Condition Keys for AWS Panorama](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awspanorama.html) in the *Service Authorization Reference*\. 
-  + **Service role** –  A service role is an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that a service assumes to perform actions on your behalf\. Service roles provide access only within your account and cannot be used to grant access to services in other accounts\. An IAM administrator can create, modify, and delete a service role from within IAM\. For more information, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*\. 
+  + **Service role** –  A service role is an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that a service assumes to perform actions on your behalf\. An IAM administrator can create, modify, and delete a service role from within IAM\. For more information, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*\. 
   + **Service\-linked role** –  A service\-linked role is a type of service role that is linked to an AWS service\. The service can assume the role to perform an action on your behalf\. Service\-linked roles appear in your IAM account and are owned by the service\. An IAM administrator can view, but not edit the permissions for service\-linked roles\. 
 + **Applications running on Amazon EC2** –  You can use an IAM role to manage temporary credentials for applications that are running on an EC2 instance and making AWS CLI or AWS API requests\. This is preferable to storing access keys within the EC2 instance\. To assign an AWS role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance\. An instance profile contains the role and enables programs that are running on the EC2 instance to get temporary credentials\. For more information, see [Using an IAM role to grant permissions to applications running on Amazon EC2 instances](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html) in the *IAM User Guide*\.