Build private and secure enterprise generative AI apps with Amazon Q Business and AWS IAM Identity Center
As of April 30, 2024 Amazon Q Business is generally available. Amazon Q Business is a conversational assistant powered by generative artificial intelligence (AI) that enhances workforce productivity by answering questions and completing tasks based on information in your enterprise systems. Your employees can access enterprise content securely and privately using web applications built with Amazon Q Business. The success of these applications depends on two key factors: first, that an end user of the application is only able to see responses generated from documents they have been granted access to, and second, that each user's conversation history is private, secure, and accessible only to that user.
Amazon Q Business operationalizes this by validating the identity of the user every time they access the application, so that the application can use the end user's identity to restrict tasks and answers to documents that the user has access to. This outcome is achieved with a combination of AWS IAM Identity Center and Amazon Q Business. IAM Identity Center stores the user identity, is the authoritative source of identity information for Amazon Q Business applications, and validates the user's identity when they access an Amazon Q Business application. You can configure IAM Identity Center to use your enterprise identity provider (IdP), such as Okta or Microsoft Entra ID, as the identity source. Amazon Q Business makes sure that access control lists (ACLs) for enterprise documents being indexed are matched to the user identities provided by IAM Identity Center, and that these ACLs are honored every time the application calls Amazon Q Business APIs to respond to user queries.
In this post, we show how IAM Identity Center acts as a gateway to bring user identities created by your enterprise IdP, as the identity source, to Amazon Q Business, and how Amazon Q Business uses these identities to respond securely and confidentially to user queries. We use an example of a generative AI employee assistant built with Amazon Q Business, demonstrate how to set it up to respond only using enterprise content that each employee has permission to access, and show how employees are able to converse securely and privately with this assistant.
Solution overview
The following diagram shows a high-level architecture of how the enterprise IdP, the IAM Identity Center instance, and the Amazon Q Business application interact with each other to enable an authenticated user to securely and privately interact with an Amazon Q Business application using an Amazon Q Business web experience from their web browser.
When using an external IdP such as Okta, users and groups are first provisioned in the IdP and then automatically synchronized with the IAM Identity Center instance using the SCIM protocol. When a user starts the Amazon Q Business web experience, they are authenticated with their IdP using single sign-on, and the tokens obtained from the IdP are used by Amazon Q Business to validate the user with IAM Identity Center. After validation, a chat session is started with the user.
The sample use case in this post uses an IAM Identity Center account instance with its identity source configured as Okta, which is used as the IdP. Then we ingest content from Atlassian Confluence. The Amazon Q Business built-in connector for Confluence ingests the local users and groups configured in Confluence, as well as the ACLs for the spaces and documents, into the Amazon Q Business application index. These users from the data source are matched with the users configured in the IAM Identity Center instance, and aliases are created in the Amazon Q Business User Store for proper ACL enforcement.
Prerequisites
To implement this solution for the sample use case of this post, you need an IAM Identity Center instance and an Okta identity provider as the identity source. We provide more information about these resources in this section.
IAM Identity Center instance
An Amazon Q Business application requires an IAM Identity Center instance to be attached to it. There are two types of IAM Identity Center instances: an organization instance and an account instance. Amazon Q Business applications can work with either type of instance. These instances store the user identities that are created by an IdP, as well as the groups to which the users belong.
For production use cases, an IAM Identity Center organization instance is recommended. The advantage of an organization instance is that it can be used by an Amazon Q Business application in any AWS account in AWS Organizations, and you only pay once for a user in your organization, even if you have multiple Amazon Q Business applications spread across multiple AWS accounts, when you use an organization instance. Many AWS enterprise customers use Organizations, and have IAM Identity Center organization instances associated with them.
For proof of concept and departmental use cases, or in situations where an AWS account is not part of an AWS Organization and you don't want to create a new AWS organization, you can use an IAM Identity Center account instance to enable an Amazon Q Business application. In this case, only the Amazon Q Business applications configured in the AWS account in which the account instance is created will be able to use that instance.
Amazon Q Business implements a per-user subscription fee. A user is billed only one time if they are uniquely identifiable across different accounts and different Amazon Q Business applications. For example, if multiple Amazon Q Business applications are within a single AWS account, a user that is uniquely identified by an IAM Identity Center instance tied to this account will only be billed one time for using these applications. If your organization has two accounts, and you have an organization-level IAM Identity Center instance, a user who is uniquely identified in the organization-level instance will be billed only one time even though they access applications in both accounts. However, if you have two account-level IAM Identity Center instances, a user in one account can't be identified as the same user in another account because there is no central identity. This means the same user will be billed twice. We therefore recommend using organization-level IAM Identity Center instances for production use cases to optimize costs.
In both of these cases, the Amazon Q Business application needs to be in the same AWS Region as the IAM Identity Center instance.
Identity source
If you already use an IdP such as Okta or Entra ID, you can continue to use your preferred IdP with Amazon Q Business applications. In this case, the IAM Identity Center instance is configured to use the IdP as its identity source. The users and user groups from the IdP can be automatically synced to the IAM Identity Center instance using SCIM. Many AWS enterprise customers already have this configured for their IAM Identity Center organization instance. For more information about all the supported IdPs, see Getting started tutorials. The process is similar for IAM Identity Center organization instances and account instances.
AWS IAM Identity Center instance configured with Okta as the identity source
The following screenshot shows the IAM Identity Center application configured in Okta, and the users and groups from the Okta configuration assigned to this application.
The following screenshot shows the IAM Identity Center instance user store after configuring Okta as the identity source. Here the user and group information is automatically provisioned (synchronized) from Okta into IAM Identity Center using the System for Cross-domain Identity Management (SCIM) v2.0 protocol.
Configure an Amazon Q Business application with IAM Identity Center enabled
Complete the following steps to create an Amazon Q Business application and enable IAM Identity Center:
- On the Amazon Q Business console, choose Create application.
- For Application name, enter a name.
- Unless you need to change the AWS Identity and Access Management (IAM) role for the application or customize encryption settings, keep the default settings.
- Choose Create.
- On the Select retriever page, unless you want to configure a preexisting Amazon Kendra index as a retriever, or you need to configure storage units for more than 20,000 documents, you can proceed with the default settings.
- Choose Next.
For more information about Amazon Q Business retrievers, refer to Creating and selecting a retriever for an Amazon Q Business application.
- On the Connect data sources page, for Data sources, choose Confluence.
The following instructions demonstrate how to configure the Confluence data source. These may differ for other data sources.
- For Data source name, enter a name.
- For Source, select Confluence Cloud.
- For Confluence URL, enter the Confluence URL.
- For Authentication, select Basic authentication.
- For AWS Secrets Manager secret, choose an AWS Secrets Manager secret.
- For Virtual Private Cloud, choose No VPC.
- For IAM role, choose Create a new service role.
- For Role name, either keep the provided name or edit it for your new role.
- For Sync scope, select the contents to sync.
- For Sync mode, select Full sync.
- For Frequency, choose Run on demand.
- For Field mappings, leave the defaults.
- Choose Add data source.
- Choose Next.
- On the Add groups and users page, choose Add groups and users.
- In the pop-up window, choose Get started.
- Search for users based on their display name or groups, then choose the user or group you want to add to the application.
- Add more users as needed.
- Choose Assign.
- You will see the following screen:
- Choose a subscription for each user by opening the Choose subscription drop-down and then selecting the check mark.
- After choosing a subscription for all the users, your screen will look as shown below. Unless you want to change the service role, choose Create application.
After the application is created, you will see the application settings page, as shown in the following screenshot.
Employee AI assistant use case
To illustrate how you can build a secure and private generative AI assistant for your employees using Amazon Q Business applications, let's take a sample use case of an employee AI assistant in an enterprise corporation. Two new employees, Mateo Jackson and Mary Major, have joined the company on two different projects, and have finished their employee orientation. They have been given corporate laptops, and their accounts are provisioned in the corporate IdP. They have been told to get help from the employee AI assistant for any questions related to their new team member activities and their benefits.
The company uses Confluence to manage their enterprise content. The sample Amazon Q Business application used to run the scenarios for this post is configured with a data source using the built-in connector for Confluence to index the enterprise Confluence spaces used by employees. The example uses three Confluence spaces: AnyOrgApp Project, ACME Project Space, and AJ-DEMO-HR-SPACE. The access permissions for these spaces are as follows:
- AJ-DEMO-HR-SPACE – All employees, including Mateo and Mary
- AnyOrgApp Project – Employees assigned to the project, including Mateo
- ACME Project Space – Employees assigned to the project, including Mary
Let's look at how Mateo and Mary experience their employee AI assistant.
Both are provided with the URL of the employee AI assistant web experience. They use the URL and sign in to the IdP from the browsers on their laptops. Mateo and Mary both want to know about their new team member activities and their fellow team members. They ask the same questions to the employee AI assistant but get different responses, because each has access to a separate project. In the following screenshots, the browser window on the left is for Mateo Jackson and the one on the right is for Mary Major. Mateo gets information about the AnyOrgApp project and Mary gets information about the ACME project.
Mateo chooses Sources under the question about team members to take a closer look at the team member information, and Mary chooses Sources under the question about new team member onboarding activities. The following screenshots show their updated views.
Mateo and Mary want to find out more about the benefits their new job offers and how the benefits apply to their personal and family situations.
The following screenshot shows Mary asking the employee AI assistant questions about her benefits and eligibility.
Mary can also refer to the source documents.
The following screenshot shows Mateo asking the employee AI assistant different questions about his eligibility.
Mateo looks at the following source documents.
Both Mary and Mateo first want to know their eligibility for benefits. After that, they have different questions to ask. Although the benefits-related documents are accessible by both Mary and Mateo, their conversations with the employee AI assistant are private and personal. The assurance that their conversation history is private and can't be seen by anyone else is critical for the success of a generative AI employee productivity assistant.
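To make the access model behind this scenario concrete, the following is an added Python simulation, not Amazon's code and not part of the original post, of the pieces the post names: an IAM Identity Center user store populated from the IdP, a Confluence data source whose connector ingested local users, groups and space ACLs, the alias table that ties those local users to Identity Center identities, and a retrieval filter plus a per-user conversation store layered on top. The three space names come from the post; every other identifier (emails, Identity Center user ids, Confluence user and group names, document ids, the data source id) is constructed for the example.

```python
"""Simulation of ACL enforcement and conversation privacy for an employee AI
assistant. Constructed example; it models the post's description, not the
actual Amazon Q Business implementation."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

DATA_SOURCE_ID = "confluence-ds-1"  # constructed data source id


@dataclass(frozen=True)
class IdcUser:
    """A user as provisioned into IAM Identity Center from the IdP (constructed)."""
    user_id: str
    email: str


@dataclass(frozen=True)
class Document:
    """An indexed Confluence page with the ACL the connector ingested (constructed)."""
    doc_id: str
    space: str
    allowed_users: FrozenSet[str]   # Confluence local user names
    allowed_groups: FrozenSet[str]  # Confluence local group names


# Identity Center user store, keyed by the email the IdP asserts at sign-in.
IDENTITY_STORE: Dict[str, IdcUser] = {
    "mateo.jackson@example.com": IdcUser("idc-0001", "mateo.jackson@example.com"),
    "mary.major@example.com": IdcUser("idc-0002", "mary.major@example.com"),
}

# Aliases: (data source, local Confluence user) -> Identity Center user id.
# "jdoe" exists in Confluence but was never provisioned in Identity Center,
# so no alias exists for them and they can never reach the assistant.
USER_ALIASES: Dict[Tuple[str, str], str] = {
    (DATA_SOURCE_ID, "mjackson"): "idc-0001",
    (DATA_SOURCE_ID, "mmajor"): "idc-0002",
}

# Local Confluence group membership as ingested by the connector.
LOCAL_GROUP_MEMBERS: Dict[str, FrozenSet[str]] = {
    "all-employees": frozenset({"mjackson", "mmajor", "jdoe"}),
    "anyorgapp-team": frozenset({"mjackson"}),
    "acme-team": frozenset({"mmajor"}),
}

# The index: one HR space open to everyone, two project spaces restricted to their teams.
INDEX: List[Document] = [
    Document("hr-benefits", "AJ-DEMO-HR-SPACE", frozenset(), frozenset({"all-employees"})),
    Document("anyorgapp-onboarding", "AnyOrgApp Project", frozenset(), frozenset({"anyorgapp-team"})),
    Document("acme-onboarding", "ACME Project Space", frozenset(), frozenset({"acme-team"})),
    Document("acme-roster", "ACME Project Space", frozenset({"mmajor"}), frozenset()),
]


def authenticate(asserted_email: str) -> IdcUser:
    """Validate the IdP-asserted identity against the Identity Center user store.
    Anyone not provisioned there is rejected before any retrieval happens."""
    user = IDENTITY_STORE.get(asserted_email.lower())
    if user is None:
        raise PermissionError(f"{asserted_email} is not a provisioned Identity Center user")
    return user


def local_principals(user: IdcUser) -> FrozenSet[str]:
    """Expand an Identity Center user to the data source principals aliased to them:
    their local user names plus every local group containing one of those names."""
    names = {local for (ds, local), idc_id in USER_ALIASES.items()
             if ds == DATA_SOURCE_ID and idc_id == user.user_id}
    groups = {g for g, members in LOCAL_GROUP_MEMBERS.items() if members & names}
    return frozenset(names | groups)


def visible_documents(user: IdcUser) -> List[str]:
    """Return the ids of documents whose ACL grants this user or one of their groups."""
    principals = local_principals(user)
    return sorted(d.doc_id for d in INDEX
                  if (d.allowed_users | d.allowed_groups) & principals)


class ChatStore:
    """Conversation history keyed by Identity Center user id; only the owner may read it."""

    def __init__(self) -> None:
        self._history: Dict[str, List[str]] = {}

    def ask(self, user: IdcUser, question: str) -> List[str]:
        """Record the question and return the sources the answer may draw on."""
        self._history.setdefault(user.user_id, []).append(question)
        return visible_documents(user)

    def history(self, requester: IdcUser, owner_id: str) -> List[str]:
        if requester.user_id != owner_id:
            raise PermissionError("conversation history is private to its owner")
        return list(self._history.get(owner_id, []))


if __name__ == "__main__":
    store = ChatStore()
    for email in ("mateo.jackson@example.com", "mary.major@example.com"):
        u = authenticate(email)
        print(email, "->", store.ask(u, "What are my onboarding activities?"))
```

Run as a script, the two employees ask the identical question and the filter hands each of them the HR space plus only their own project space, which is the behaviour the screenshots in this section illustrate; a Confluence-only user such as the constructed "jdoe" fails at authentication because no Identity Center identity exists for them.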
Clean up
If you created a new Amazon Q Business application to try out the integration with IAM Identity Center, and don't plan to use it further, unsubscribe and remove the assigned users from the application and delete it so that your AWS account doesn't accumulate costs.
To unsubscribe and remove users, go to the application details page and select Manage access and subscriptions.
Select all the users, and then use the Edit button to choose Unsubscribe and remove, as shown below.
Delete the application after removing the users by going back to the application details page and selecting Delete.
Conclusion
For enterprise generative AI assistants such as the one shown in this post to be successful, they must respect access control as well as ensure the privacy and confidentiality of every employee. Amazon Q Business and IAM Identity Center provide a solution that authenticates each user and validates the user identity at each step to enforce access control along with privacy and confidentiality.
To achieve this, IAM Identity Center acts as a gateway to sync user and group identities from an IdP (such as Okta), and Amazon Q Business uses the identities provided by IAM Identity Center to uniquely identify a user of an Amazon Q Business application (in this case, an employee AI assistant). Document ACLs and local users set up in the data source (such as Confluence) are matched with the user and group identities provided by IAM Identity Center. At query time, Amazon Q Business answers questions from users using only those documents that the document ACLs grant them access to.
If you want to know more, check out the Amazon Q Business launch blog post on the AWS News Blog, and refer to the Amazon Q Business User Guide. For more information on IAM Identity Center, refer to the AWS IAM Identity Center User Guide.
About the Authors
Abhinav Jawadekar is a Principal Solutions Architect in the Amazon Q Business service team at AWS. Abhinav works with AWS customers and partners to help them build generative AI solutions on AWS.
Venky Nagapudi is a Senior Manager of Product Management for Q Business, Amazon Comprehend and Amazon Translate. His focus areas on Q Business include user identity management, and using offline intelligence from documents to improve Q Business accuracy and helpfulness.