As of April 30, 2024, Amazon Q Business is generally available. Amazon Q Business is a conversational assistant powered by generative artificial intelligence (AI) that enhances workforce productivity by answering questions and completing tasks based on information in your enterprise systems. Your employees can access enterprise content securely and privately using web applications built with Amazon Q Business. The success of these applications depends on two key factors: first, that an end-user of the application is only able to see responses generated from documents they have been granted access to, and second, that each user's conversation history is private, secure, and accessible only to that user.
Amazon Q Business operationalizes this by validating the identity of the user every time they access the application, so that the application can use the end-user's identity to restrict tasks and answers to documents that the user has access to. This outcome is achieved with a combination of AWS IAM Identity Center and Amazon Q Business. IAM Identity Center stores the user identity, is the authoritative source of identity information for Amazon Q Business applications, and validates the user's identity when they access an Amazon Q Business application. You can configure IAM Identity Center to use your enterprise identity provider (IdP), such as Okta or Microsoft Entra ID, as the identity source. Amazon Q Business makes sure that access control lists (ACLs) for the enterprise documents being indexed are matched to the user identities provided by IAM Identity Center, and that these ACLs are honored every time the application calls Amazon Q Business APIs to respond to user queries.
In this post, we show how IAM Identity Center acts as a gateway that steers user identities created by your enterprise IdP, as the identity source, to Amazon Q Business, and how Amazon Q Business uses these identities to respond securely and confidentially to user queries. We use the example of a generative AI employee assistant built with Amazon Q Business, demonstrate how to set it up so that it only responds using enterprise content that each employee has permission to access, and show how employees are able to converse securely and privately with this assistant.
Solution overview
The following diagram shows a high-level architecture of how the enterprise IdP, the IAM Identity Center instance, and the Amazon Q Business application interact with each other to enable an authenticated user to securely and privately interact with an Amazon Q Business application, using an Amazon Q Business web experience from their web browser.
When using an external IdP such as Okta, users and groups are first provisioned in the IdP and then automatically synchronized with the IAM Identity Center instance using the SCIM protocol. When a user starts the Amazon Q Business web experience, they are authenticated with their IdP using single sign-on, and the tokens obtained from the IdP are used by Amazon Q Business to validate the user with IAM Identity Center. After validation, a chat session is started with the user.
The sample use case in this post uses an IAM Identity Center account instance with its identity source configured as Okta, which is used as the IdP. We then ingest content from Atlassian Confluence. The Amazon Q Business built-in connector for Confluence ingests the local users and groups configured in Confluence, as well as the ACLs for the spaces and documents, into the Amazon Q Business application index. These users from the data source are matched with the users configured in the IAM Identity Center instance, and aliases are created in the Amazon Q Business User Store for proper ACL enforcement.
Prerequisites
To implement this solution for the sample use case of this post, you need an IAM Identity Center instance and the Okta identity provider as its identity source. We provide more information about these resources in this section.
IAM Identity Center instance
An Amazon Q Business application requires an IAM Identity Center instance to be associated with it. There are two types of IAM Identity Center instances: an organization instance and an account instance. Amazon Q Business applications can work with either type of instance. These instances store the user identities that are created by an IdP, as well as the groups to which the users belong.
For production use cases, an IAM Identity Center organization instance is recommended. The advantage of an organization instance is that it can be used by an Amazon Q Business application in any AWS account in AWS Organizations, and you only pay once for a user in your organization, even if you have multiple Amazon Q Business applications spread across multiple AWS accounts, as long as they use the organization instance. Many AWS enterprise customers use Organizations, and have IAM Identity Center organization instances associated with them.
For proof of concept and departmental use cases, or in situations where an AWS account is not part of an AWS Organization and you don't want to create a new AWS organization, you can use an IAM Identity Center account instance to enable an Amazon Q Business application. In this case, only the Amazon Q Business application configured in the AWS account in which the account instance is created will be able to use that instance.
Amazon Q Business implements a per-user subscription fee. A user is billed only once if they are uniquely identifiable across different accounts and different Amazon Q Business applications. For example, if multiple Amazon Q Business applications are within a single AWS account, a user that is uniquely identified by an IAM Identity Center instance tied to this account will only be billed once for using these applications. If your organization has two accounts, and you have an organization-level IAM Identity Center instance, a user who is uniquely identified in the organization-level instance will be billed only once even though they access applications in both accounts. However, if you have two account-level IAM Identity Center instances, a user in one account can't be identified as the same user in the other account because there is no central identity. This means that the same user will be billed twice. We therefore recommend using organization-level IAM Identity Center instances for production use cases to optimize costs.
In both of these cases, the Amazon Q Business application needs to be in the same AWS Region as the IAM Identity Center instance.
Identity source
If you already use an IdP such as Okta or Entra ID, you can continue to use your preferred IdP with Amazon Q Business applications. In this case, the IAM Identity Center instance is configured to use the IdP as its identity source. The users and user groups from the IdP can be automatically synced to the IAM Identity Center instance using SCIM. Many AWS enterprise customers already have this configured for their IAM Identity Center organization instance. For more information about all the supported IdPs, see Getting started tutorials. The process is similar for IAM Identity Center organization instances and account instances.
AWS IAM Identity Center instance configured with Okta as the identity source
The following screenshot shows the IAM Identity Center application configured in Okta, and the users and groups from the Okta configuration assigned to this application.
The following screenshot shows the IAM Identity Center instance user store after configuring Okta as the identity source. Here the user and group information is automatically provisioned (synchronized) from Okta into IAM Identity Center using the System for Cross-domain Identity Management (SCIM) v2.0 protocol.
Configure an Amazon Q Business application with IAM Identity Center enabled
Complete the following steps to create an Amazon Q Business application and enable IAM Identity Center:
- On the Amazon Q Business console, choose Create application.
- For Application name, enter a name.
- Unless you need to change the AWS Identity and Access Management (IAM) role for the application or customize encryption settings, keep the default settings.
- Choose Create.
- On the Select retriever page, unless you want to configure a preexisting Amazon Kendra index as a retriever, or you need to configure storage units for more than 20,000 documents, you can proceed with the default settings.
- Choose Next.
For more information about Amazon Q Business retrievers, refer to Creating and selecting a retriever for an Amazon Q Business application.
- On the Connect data sources page, for Data sources, choose Confluence.
The following instructions demonstrate how to configure the Confluence data source. These may differ for other data sources.
- For Data source name, enter a name.
- For Source, select Confluence Cloud.
- For Confluence URL, enter the Confluence URL.
- For Authentication, select Basic authentication.
- For AWS Secrets Manager secret, choose an AWS Secrets Manager secret.
- For Virtual Private Cloud, choose No VPC.
- For IAM role, choose Create a new service role.
- For Role name, either keep the provided name or edit it for your new role.
- For Sync scope, select the contents to sync.
- For Sync mode, select Full sync.
- For Frequency, choose Run on demand.
- For Field mappings, leave the defaults.
- Choose Add data source.
- Choose Next.
- On the Add groups and users page, choose Add groups and users.
- In the pop-up window, choose Get started.
- Search for users based on their display name or groups, then choose the user or group you want to add to the application.
- Add more users as needed.
- Choose Assign.
- You will see the following screen:
- Choose a subscription for each user by opening the Choose subscription drop-down and then selecting the check mark.
- After choosing a subscription for all the users, your screen will look like the following. Unless you want to change the service role, choose Create application.
After the application is created, you will see the application settings page, as shown in the following screenshot.
Employee AI assistant use case
To illustrate how you can build a secure and private generative AI assistant for your employees using Amazon Q Business applications, let's take a sample use case of an employee AI assistant in an enterprise corporation. Two new employees, Mateo Jackson and Mary Major, have joined the company on two different projects, and have finished their employee orientation. They have been given corporate laptops, and their accounts are provisioned in the corporate IdP. They have been told to get help from the employee AI assistant for any questions related to their new team member activities and their benefits.
The company uses Confluence to manage its enterprise content. The sample Amazon Q Business application used to run the scenarios for this post is configured with a data source using the built-in connector for Confluence to index the enterprise Confluence spaces used by employees. The example uses three Confluence spaces: AnyOrgApp Project, ACME Project Space, and AJ-DEMO-HR-SPACE. The access permissions for these spaces are as follows:
- AJ-DEMO-HR-SPACE – All employees, including Mateo and Mary
- AnyOrgApp Project – Employees assigned to the project, including Mateo
- ACME Project Space – Employees assigned to the project, including Mary
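The identity flow from the solution overview (identities provisioned into the identity store via SCIM, ACLs ingested by the connector, aliases matching data-source local users to Identity Center users, and ACL enforcement at query time) together with the per-user conversation history in this scenario, modelled as an added Python example. This is not Amazon Q Business or IAM Identity Center code: the users, groups, spaces and documents are constructed from the scenario above, matching local users to identities by email address is an assumption (the post does not state the matching rule), and a keyword match stands in for real retrieval.

```python
# Added example (not Amazon Q Business or IAM Identity Center code): a toy model of
# the identity and ACL flow the post describes, using constructed sample data.
import re
from dataclasses import dataclass

# Identity store standing in for IAM Identity Center; records are constructed in the
# shape of SCIM v2 User resources as they would arrive from an Okta sync.
SCIM_USERS = [
    {"id": "u-mateo", "userName": "mateo.jackson@example.com", "active": True},
    {"id": "u-mary", "userName": "mary.major@example.com", "active": True},
    {"id": "u-former", "userName": "former.employee@example.com", "active": False},
]

def load_identity_store(scim_users):
    """Map identity-store user id -> email; inactive (deprovisioned) users vanish."""
    return {u["id"]: u["userName"].lower() for u in scim_users if u.get("active")}

# Data-source side: what the Confluence connector ingests (constructed).
@dataclass(frozen=True)
class Document:
    doc_id: str
    space: str
    text: str
    allowed_users: frozenset   # data-source local users (emails) named in the ACL
    allowed_groups: frozenset  # data-source groups named in the ACL

DS_GROUPS = {  # Confluence group -> member local users
    "all-employees": {"mateo.jackson@example.com", "mary.major@example.com"},
    "anyorgapp-project": {"mateo.jackson@example.com"},
    "acme-project": {"mary.major@example.com"},
}
DS_USERS = {u for m in DS_GROUPS.values() for u in m} | {"contractor@example.com"}
INDEX = [
    Document("hr-1", "AJ-DEMO-HR-SPACE", "Benefits enrollment is open 30 days after your start date.",
             frozenset(), frozenset({"all-employees"})),
    Document("anyorg-1", "AnyOrgApp Project", "AnyOrgApp onboarding: pair with a team member in week one.",
             frozenset(), frozenset({"anyorgapp-project"})),
    Document("acme-1", "ACME Project Space", "ACME onboarding: request repository access from the lead.",
             frozenset(), frozenset({"acme-project"})),
    Document("vendor-1", "ACME Project Space", "Vendor onboarding checklist for the contractor.",
             frozenset({"contractor@example.com"}), frozenset()),
]

def build_aliases(identity_store, ds_users):
    """Match local users to identities by email (assumed rule) and record each match as
    an alias. An unmatched local user (the contractor) gets no alias, so ACLs naming
    it grant nothing to anyone who signs in through Identity Center."""
    by_email = {email: uid for uid, email in identity_store.items()}
    aliases = {}
    for local in ds_users:
        uid = by_email.get(local.lower())
        if uid is not None:
            aliases.setdefault(uid, set()).add(local.lower())
    return aliases

def can_access(doc, alias_set, ds_groups):
    """ACL check: an alias is named directly, or is a member of a named group."""
    return bool(alias_set & doc.allowed_users) or any(
        alias_set & ds_groups.get(g, set()) for g in doc.allowed_groups)

def _words(s):
    return set(re.findall(r"[a-z0-9]+", s.lower()))

def denied(fn, *args):
    """True if the call is refused with PermissionError."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True

class Assistant:
    """ACL-filtered retrieval plus conversation history keyed by identity."""
    def __init__(self, identity_store, aliases, index, ds_groups):
        self.identity_store, self.aliases = identity_store, aliases
        self.index, self.ds_groups = index, ds_groups
        self._history = {}  # identity-store user id -> [(query, doc ids used)]

    def retrieve(self, user_id, query):
        """Ids of accessible documents matching the query; the caller is identified by
        its validated identity-store id, never by a self-asserted email."""
        if user_id not in self.identity_store:
            raise PermissionError(f"unknown or deprovisioned identity: {user_id}")
        alias_set, q = self.aliases.get(user_id, set()), _words(query)
        return [d.doc_id for d in self.index
                if can_access(d, alias_set, self.ds_groups) and q & _words(d.text)]

    def chat(self, user_id, query):
        hits = self.retrieve(user_id, query)
        self._history.setdefault(user_id, []).append((query, hits))
        return hits

    def history(self, requester_id, owner_id):
        """History is readable only by the identity that owns it."""
        if requester_id != owner_id:
            raise PermissionError("conversation history is private to its owner")
        return list(self._history.get(owner_id, []))

def build_assistant():
    store = load_identity_store(SCIM_USERS)
    return Assistant(store, build_aliases(store, DS_USERS), INDEX, DS_GROUPS)
```

With `bot = build_assistant()`, `bot.chat("u-mateo", "new team member onboarding")` returns only the AnyOrgApp document while the same query for `"u-mary"` returns only the ACME one; both get the HR document for a benefits question; the contractor-only document is visible to neither because its ACL names a local user that has no alias; the deprovisioned `u-former` identity is refused outright; and `history()` refuses any requester other than the owner, which is the property the scenario relies on for private conversations.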
Let's look at how Mateo and Mary experience their employee AI assistant.
Both are provided with the URL of the employee AI assistant web experience. They open the URL and sign in to the IdP from the browsers on their laptops. Mateo and Mary both want to learn about their new team member activities and their fellow team members. They ask the same questions of the employee AI assistant but get different responses, because each has access to a separate project. In the following screenshots, the browser window on the left is for Mateo Jackson and the one on the right is for Mary Major. Mateo gets information about the AnyOrgApp project and Mary gets information about the ACME project.
Mateo chooses Sources under the question about team members to take a closer look at the team member information, and Mary chooses Sources under the question about new team member onboarding activities. The following screenshots show their updated views.
Mateo and Mary want to find out more about the benefits their new job offers and how the benefits apply to their personal and family situations.
The following screenshot shows Mary asking the employee AI assistant questions about her benefits and eligibility.
Mary can also refer to the source documents.
The following screenshot shows Mateo asking the employee AI assistant different questions about his eligibility.
Mateo looks at the following source documents.
Both Mary and Mateo first want to know their eligibility for benefits. But after that, they have different questions to ask. Even though the benefits-related documents are accessible by both Mary and Mateo, their conversations with the employee AI assistant are private and personal. The assurance that their conversation history is private and can't be seen by any other user is critical for the success of a generative AI employee productivity assistant.
Clean up
If you created a new Amazon Q Business application to try out the integration with IAM Identity Center, and don't plan to use it further, unsubscribe and remove the assigned users from the application and delete it so that your AWS account doesn't accumulate costs.
To unsubscribe and remove users, go to the application details page and choose Manage access and subscriptions.
Select all the users, and then use the Edit button to choose Unsubscribe and remove, as shown below.
Delete the application after removing the users by going back to the application details page and choosing Delete.
Conclusion
For enterprise generative AI assistants such as the one shown in this post to be successful, they must respect access control as well as ensure the privacy and confidentiality of every employee. Amazon Q Business and IAM Identity Center provide a solution that authenticates each user and validates the user identity at each step to enforce access control along with privacy and confidentiality.
To achieve this, IAM Identity Center acts as a gateway to sync user and group identities from an IdP (such as Okta), and Amazon Q Business uses the IAM Identity Center-provided identities to uniquely identify a user of an Amazon Q Business application (in this case, an employee AI assistant). Document ACLs and local users set up in the data source (such as Confluence) are matched with the user and group identities provided by IAM Identity Center. At query time, Amazon Q Business answers questions from users using only those documents that the document ACLs grant them access to.
If you want to know more, check out the Amazon Q Business launch blog post on the AWS News Blog, and refer to the Amazon Q Business User Guide. For more information on IAM Identity Center, refer to the AWS IAM Identity Center User Guide.
About the Authors
Abhinav Jawadekar is a Principal Solutions Architect in the Amazon Q Business service team at AWS. Abhinav works with AWS customers and partners to help them build generative AI solutions on AWS.
Venky Nagapudi is a Senior Manager of Product Management for Q Business, Amazon Comprehend and Amazon Translate. His focus areas on Q Business include user identity management, and using offline intelligence from documents to improve Q Business accuracy and helpfulness.