As of April 30, 2024, Amazon Q Business is generally available. Amazon Q Business is a conversational assistant powered by generative artificial intelligence (AI) that enhances workforce productivity by answering questions and completing tasks based on information in your enterprise systems. Your employees can access enterprise content securely and privately using web applications built with Amazon Q Business. The success of these applications depends on two key factors: first, that an end-user of the application is only able to see responses generated from documents they have been granted access to, and second, that each user's conversation history is private, secure, and accessible only to that user.
Amazon Q Business operationalizes this by validating the identity of the user every time they access the application, so that the application can use the end-user's identity to restrict tasks and answers to documents that the user has access to. This outcome is achieved with a combination of AWS IAM Identity Center and Amazon Q Business. IAM Identity Center stores the user identity, is the authoritative source of identity information for Amazon Q Business applications, and validates the user's identity when they access an Amazon Q Business application. You can configure IAM Identity Center to use your enterprise identity provider (IdP), such as Okta or Microsoft Entra ID, as the identity source. Amazon Q Business makes sure that access control lists (ACLs) for enterprise documents being indexed are matched to the user identities provided by IAM Identity Center, and that these ACLs are honored every time the application calls Amazon Q Business APIs to respond to user queries.
In this post, we show how IAM Identity Center acts as a gateway to steer user identities created by your enterprise IdP, as the identity source, for Amazon Q Business, and how Amazon Q Business uses these identities to respond securely and confidentially to user queries. We use an example of a generative AI employee assistant built with Amazon Q Business, demonstrate how to set it up to only respond using enterprise content that each employee has permissions to access, and show how employees are able to converse securely and privately with this assistant.
Solution overview
The following diagram shows a high-level architecture of how the enterprise IdP, IAM Identity Center instance, and Amazon Q Business application interact with each other to enable an authenticated user to securely and privately interact with an Amazon Q Business application using an Amazon Q Business web experience from their web browser.
When using an external IdP such as Okta, users and groups are first provisioned in the IdP and then automatically synchronized with the IAM Identity Center instance using the SCIM protocol. When a user starts the Amazon Q Business web experience, they are authenticated with their IdP using single sign-on, and the tokens obtained from the IdP are used by Amazon Q Business to validate the user with IAM Identity Center. After validation, a chat session is started with the user.
The sample use case in this post uses an IAM Identity Center account instance with its identity source configured as Okta, which is used as the IdP. Then we ingest content from Atlassian Confluence. The Amazon Q Business built-in connector for Confluence ingests the local users and groups configured in Confluence, as well as ACLs for the spaces and documents, into the Amazon Q Business application index. These users from the data source are matched with the users configured in the IAM Identity Center instance, and aliases are created in the Amazon Q Business User Store for correct ACL enforcement.
Prerequisites
To implement this solution for the sample use case of this post, you need an IAM Identity Center instance and an Okta identity provider as the identity source. We provide more details about these resources in this section.
IAM Identity Center instance
An Amazon Q Business application requires an IAM Identity Center instance to be associated with it. There are two types of IAM Identity Center instances: an organization instance and an account instance. Amazon Q Business applications can work with either type of instance. These instances store the user identities that are created by an IdP, as well as the groups to which the users belong.
For production use cases, an IAM Identity Center organization instance is recommended. The advantage of an organization instance is that it can be used by an Amazon Q Business application in any AWS account in AWS Organizations, so you pay only once for a user in your organization even if you have multiple Amazon Q Business applications spread across multiple AWS accounts. Many AWS enterprise customers use Organizations, and have IAM Identity Center organization instances associated with them.
For proof of concept and departmental use cases, or in situations when an AWS account is not part of an AWS Organization and you don't want to create a new AWS organization, you can use an IAM Identity Center account instance to enable an Amazon Q Business application. In this case, only the Amazon Q Business application configured in the AWS account in which the account instance is created will be able to use that instance.
Amazon Q Business implements a per-user subscription fee. A user is billed only one time if they are uniquely identifiable across different accounts and different Amazon Q Business applications. For example, if multiple Amazon Q Business applications are within a single AWS account, a user that is uniquely identified by an IAM Identity Center instance tied to this account will only be billed one time for using these applications. If your organization has two accounts, and you have an organization-level IAM Identity Center instance, a user who is uniquely identified in the organization-level instance will be billed only one time even though they access applications in both accounts. However, if you have two account-level IAM Identity Center instances, a user in one account can't be identified as the same user in another account because there is no central identity. This means the same user will be billed twice. We therefore recommend using organization-level IAM Identity Center instances for production use cases to optimize costs.
In both these cases, the Amazon Q Business application needs to be in the same AWS Region as the IAM Identity Center instance.
Identity source
If you already use an IdP such as Okta or Entra ID, you can continue to use your preferred IdP with Amazon Q Business applications. In this case, the IAM Identity Center instance is configured to use the IdP as its identity source. The users and user groups from the IdP can be automatically synced to the IAM Identity Center instance using SCIM. Many AWS enterprise customers already have this configured for their IAM Identity Center organization instance. For more information about all the supported IdPs, see Getting started tutorials. The process is similar for IAM Identity Center organization instances and account instances.
AWS IAM Identity Center instance configured with Okta as the identity source
The following screenshot shows the IAM Identity Center application configured in Okta, and the users and groups from the Okta configuration assigned to this application.
The following screenshot shows the IAM Identity Center instance user store after configuring Okta as the identity source. Here the user and group information is automatically provisioned (synchronized) from Okta into IAM Identity Center using the System for Cross-domain Identity Management (SCIM) v2.0 protocol.
Configure an Amazon Q Business application with IAM Identity Center enabled
Complete the following steps to create an Amazon Q Business application and enable IAM Identity Center:
On the Amazon Q Business console, choose Create application.
For Application name, enter a name.
Unless you need to change the AWS Identity and Access Management (IAM) role for the application or customize encryption settings, keep the default settings.
Choose Create.
On the Select retriever page, unless you want to configure a preexisting Amazon Kendra index as a retriever, or you need to configure storage units for more than 20,000 documents, you can proceed with the default settings.
Choose Next.
For more information about Amazon Q Business retrievers, refer to Creating and selecting a retriever for an Amazon Q Business application.
On the Connect data sources page, for Data sources, choose Confluence.
The following instructions demonstrate how to configure the Confluence data source. These may differ for other data sources.
For Data source name, enter a name.
For Source, select Confluence Cloud.
For Confluence URL, enter the Confluence URL.
For Authentication, select Basic authentication.
For AWS Secrets Manager secret, choose an AWS Secrets Manager secret.
For Virtual Private Cloud, choose No VPC.
For IAM role, choose Create a new service role.
For Role name, either keep the provided name or edit it for your new role.
For Sync scope, select the contents to sync.
For Sync mode, select Full sync.
For Frequency, choose Run on demand.
For Field mappings, leave the defaults.
Choose Add data source.
Choose Next.
On the Add groups and users page, choose Add groups and users.
In the pop-up window, choose Get started.
Search for users based on their display name or groups, then choose the user or group you want to add to the application.
Add more users as needed.
Choose Assign.
You will see the following screen:
Choose a subscription for each user by opening the Choose subscription drop-down and then selecting the check mark.
After choosing a subscription for all the users, your screen will look as below. Unless you want to change the service role, choose Create application.
After the application is created, you will see the application settings page, as shown in the following screenshot.
Employee AI assistant use case
To illustrate how you can build a secure and private generative AI assistant for your employees using Amazon Q Business applications, let's take a sample use case of an employee AI assistant in an enterprise corporation. Two new employees, Mateo Jackson and Mary Major, have joined the company on two different projects, and have finished their employee orientation. They have been given corporate laptops, and their accounts are provisioned in the corporate IdP. They have been told to get help from the employee AI assistant for any questions related to their new team member activities and their benefits.
The company uses Confluence to manage their enterprise content. The sample Amazon Q application used to run the scenarios for this post is configured with a data source using the built-in connector for Confluence to index the enterprise Confluence spaces used by employees. The example uses three Confluence spaces: AnyOrgApp Project, ACME Project Space, and AJ-DEMO-HR-SPACE. The access permissions for these spaces are as follows:
AJ-DEMO-HR-SPACE – All employees, including Mateo and Mary
AnyOrgApp Project – Employees assigned to the project, including Mateo
ACME Project Space – Employees assigned to the project, including Mary
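The following Python is an added illustration written for this post, not Amazon Q Business code, of the two ideas described earlier: Confluence local users are aliased to IAM Identity Center users by email (the User Store step), and at query time only documents whose space ACL grants one of the caller's principals are returned. All user ids, emails, groups and document names are constructed sample data modelled on the three spaces above; a user with no matching alias (here, a constructed third employee with no Confluence account) gets no documents.

```python
# Added illustration for this post, not Amazon Q Business code; all data is constructed.

# IAM Identity Center user store (synced from Okta via SCIM): user id -> email.
IDENTITY_CENTER_USERS = {
    "idc-001": "mateo.jackson@example.com",
    "idc-002": "mary.major@example.com",
    "idc-003": "priya.patel@example.com",  # has no Confluence account
}
# Confluence local users as seen by the connector: local id -> email.
CONFLUENCE_USERS = {"cf-5f3a": "mateo.jackson@example.com",
                    "cf-9b21": "mary.major@example.com"}
# Confluence group membership crawled with the content: group -> local ids.
CONFLUENCE_GROUPS = {
    "confluence-users": {"cf-5f3a", "cf-9b21"},  # every employee
    "anyorgapp-project": {"cf-5f3a"},
    "acme-project": {"cf-9b21"},
}
# Space ACLs from the post: which local users/groups may read each space.
SPACE_ACLS = {
    "AJ-DEMO-HR-SPACE": {"users": set(), "groups": {"confluence-users"}},
    "AnyOrgApp Project": {"users": set(), "groups": {"anyorgapp-project"}},
    "ACME Project Space": {"users": set(), "groups": {"acme-project"}},
}
# Indexed documents: (document id, space it was ingested from).
DOCUMENTS = [("benefits-eligibility", "AJ-DEMO-HR-SPACE"),
             ("anyorgapp-team-roster", "AnyOrgApp Project"),
             ("acme-onboarding-activities", "ACME Project Space")]


def build_aliases():
    """Match each Confluence local user to an Identity Center user by email
    (the User Store alias step). Returns idc user id -> set of local ids."""
    by_email = {e.lower(): uid for uid, e in IDENTITY_CENTER_USERS.items()}
    aliases = {}
    for local_id, email in CONFLUENCE_USERS.items():
        idc_id = by_email.get(email.lower())
        if idc_id is not None:  # unmatched local users get no alias
            aliases.setdefault(idc_id, set()).add(local_id)
    return aliases


def accessible_documents(idc_user_id):
    """Query-time filter: keep only documents whose space ACL names one of the
    caller's aliased local ids or a Confluence group containing one of them."""
    local_ids = build_aliases().get(idc_user_id, set())  # empty -> sees nothing
    groups = {g for g, m in CONFLUENCE_GROUPS.items() if local_ids & m}
    return [doc for doc, space in DOCUMENTS
            if local_ids & SPACE_ACLS[space]["users"]
            or groups & SPACE_ACLS[space]["groups"]]
```

Calling accessible_documents("idc-001") returns the HR and AnyOrgApp documents for Mateo, "idc-002" returns the HR and ACME documents for Mary, and an Identity Center user with no Confluence alias gets an empty list.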
Let's look at how Mateo and Mary experience their employee AI assistant.
Both are provided with the URL of the employee AI assistant web experience. They use the URL and sign in to the IdP from the browsers on their laptops. Mateo and Mary both want to learn about their new team member activities and their fellow team members. They ask the same questions to the employee AI assistant but get different responses, because each has access to separate projects. In the following screenshots, the browser window on the left is for Mateo Jackson and the one on the right is for Mary Major. Mateo gets information about the AnyOrgApp project and Mary gets information about the ACME project.
Mateo chooses Sources under the question about team members to take a closer look at the team member information, and Mary chooses Sources under the question about new team member onboarding activities. The following screenshots show their updated views.
Mateo and Mary want to find out more about the benefits their new job offers and how the benefits apply to their personal and family situations.
The following screenshot shows that Mary asks the employee AI assistant questions about her benefits and eligibility.
Mary can also refer to the source documents.
The following screenshot shows that Mateo asks the employee AI assistant different questions about his eligibility.
Mateo looks at the following source documents.
Both Mary and Mateo first want to know their eligibility for benefits. But after that, they have different questions to ask. Even though the benefits-related documents are accessible by both Mary and Mateo, their conversations with the employee AI assistant are private and personal. The assurance that their conversation history is private and can't be seen by anyone else is critical for the success of a generative AI employee productivity assistant.
Clean up
If you created a new Amazon Q Business application to try out the integration with IAM Identity Center, and don't plan to use it further, unsubscribe and remove assigned users from the application and delete it so that your AWS account doesn't accumulate costs.
To unsubscribe and remove users, go to the application details page and select Manage access and subscriptions.
Select all the users, and then use the Edit button to choose Unsubscribe and remove, as shown below.
Delete the application after removing the users, by going back to the application details page and choosing Delete.
Conclusion
For enterprise generative AI assistants such as the one shown in this post to be successful, they must respect access control as well as assure the privacy and confidentiality of every employee. Amazon Q Business and IAM Identity Center provide a solution that authenticates each user and validates the user identity at each step to enforce access control along with privacy and confidentiality.
To achieve this, IAM Identity Center acts as a gateway to sync user and group identities from an IdP (such as Okta), and Amazon Q Business uses IAM Identity Center-provided identities to uniquely identify a user of an Amazon Q Business application (in this case, an employee AI assistant). Document ACLs and local users set up in the data source (such as Confluence) are matched up with the user and group identities provided by IAM Identity Center. At query time, Amazon Q Business answers questions from users using only those documents that they are granted access to by the document ACLs.
If you want to know more, check out the Amazon Q Business launch blog post on the AWS News Blog, and refer to the Amazon Q Business User Guide. For more information on IAM Identity Center, refer to the AWS IAM Identity Center User Guide.
About the Authors
Abhinav Jawadekar is a Principal Solutions Architect in the Amazon Q Business service team at AWS. Abhinav works with AWS customers and partners to help them build generative AI solutions on AWS.
Venky Nagapudi is a Senior Manager of Product Management for Q Business, Amazon Comprehend and Amazon Translate. His focus areas on Q Business include user identity management, and using offline intelligence from documents to improve Q Business accuracy and helpfulness.