Launched on April 30, 2024, Amazon Q Business is a conversational assistant using generative artificial intelligence (AI) to improve workforce productivity by answering queries and completing tasks based on information from your enterprise systems. Employees can access enterprise content securely and privately via web applications developed with Amazon Q Business. The functionality of the system relies on ensuring that application users can only access information they are granted access to and that each user’s conversation history is private, secure, and only accessible to the user.
Amazon Q Business operationalizes this by validating the user’s identity every time they access the application. This is achieved through a combination of AWS IAM Identity Center and Amazon Q Business. IAM Identity Center validates the user’s identity each time they access an Amazon Q Business application, providing an authoritative source of identity information for these applications.
Amazon Q Business also ensures that the access control lists (ACLs) attached to enterprise documents at indexing time are matched against the user identities provided by IAM Identity Center. These ACLs are honored every time the application calls Amazon Q Business APIs to respond to user queries, so a user receives answers only from content their ACLs permit.
The application can work with an organization instance or an account instance of IAM Identity Center. While the former allows the Amazon Q Business application to be used by any AWS account in AWS Organizations, the latter configures the Amazon Q Business application in an AWS account without the need to create a new AWS organization.
The example of a generative AI employee assistant built with Amazon Q Business shows how the system establishes the user’s identity, validates their access, and responds securely and confidentially to their queries. This example uses an IAM Identity Center account instance with Okta as the identity provider, and Atlassian Confluence as the data source. It demonstrates how the system orchestrates the identities provided by the enterprise identity provider and sets up the employee assistant to respond to only the enterprise content that each employee has permissions to access.
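The two guarantees described above, ACL-filtered retrieval and per-user conversation privacy, can be modelled in a few dozen lines. The following is an added illustration and is not Amazon Q Business, IAM Identity Center, Okta or Confluence code; the principals, documents, group names and the keyword matcher are constructed assumptions standing in for an IdP-sourced identity, an indexed document with its ACL, and the retrieval step. The point it shows is that authorization is applied to the document set before anything reaches the model, and that conversation history is keyed to the validated identity rather than to a caller-supplied user id.

```python
"""Identity-aware retrieval with document ACLs and private conversation history.

Added illustration only; not code from Amazon Q Business or IAM Identity Center.
All identities, groups and documents below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Principal:
    """A validated identity as the identity layer (IdP via IAM Identity Center) would present it."""
    user_id: str            # stable identifier from the identity source
    groups: FrozenSet[str]  # group memberships synced from the IdP


@dataclass(frozen=True)
class Document:
    """An indexed enterprise document together with the ACL captured at indexing time."""
    doc_id: str
    text: str
    allowed_users: FrozenSet[str]
    allowed_groups: FrozenSet[str]


def is_authorized(principal: Principal, doc: Document) -> bool:
    """Deny by default; allow only if the user, or one of their groups, is on the document ACL."""
    return principal.user_id in doc.allowed_users or bool(principal.groups & doc.allowed_groups)


def _tokens(text: str) -> FrozenSet[str]:
    return frozenset(w.lower().strip(".,:;?!") for w in text.split())


def retrieve(index: List[Document], principal: Principal, query: str) -> List[str]:
    """Toy keyword retrieval. The ACL filter runs before matching, so text the
    user may not see is never a candidate and cannot leak into an answer."""
    query_words = _tokens(query)
    hits = [d.doc_id for d in index if is_authorized(principal, d) and query_words & _tokens(d.text)]
    return sorted(hits)


class ConversationStore:
    """Conversation history keyed to the validated principal, never to a caller-supplied id."""

    def __init__(self) -> None:
        self._turns: Dict[str, List[str]] = {}

    def append(self, principal: Principal, turn: str) -> None:
        self._turns.setdefault(principal.user_id, []).append(turn)

    def history(self, caller: Principal, owner_id: str) -> List[str]:
        # The identity layer has already validated `caller`; a request for
        # someone else's history is refused rather than silently served.
        if caller.user_id != owner_id:
            raise PermissionError(f"{caller.user_id} may not read history of {owner_id}")
        return list(self._turns.get(owner_id, []))


# Constructed sample data (assumed, not from any real tenant).
SAMPLE_INDEX: List[Document] = [
    Document("hr-1", "Payroll calendar for 2025 is published on the HR portal.",
             frozenset(), frozenset({"hr"})),
    Document("eng-1", "Deploy runbook: rotate the signing key before the release.",
             frozenset(), frozenset({"engineering"})),
    Document("all-1", "Holiday schedule: the office is closed on public holidays.",
             frozenset(), frozenset({"all-employees"})),
    Document("exec-1", "Board memo on the pending acquisition.",
             frozenset({"u-cfo"}), frozenset()),
]

ALICE = Principal("u-alice", frozenset({"engineering", "all-employees"}))
BOB = Principal("u-bob", frozenset({"hr", "all-employees"}))
CFO = Principal("u-cfo", frozenset({"all-employees"}))


if __name__ == "__main__":
    for who in (ALICE, BOB, CFO):
        print(who.user_id, retrieve(SAMPLE_INDEX, who, "release key rotation runbook"),
              retrieve(SAMPLE_INDEX, who, "acquisition memo"))
    store = ConversationStore()
    store.append(ALICE, "user: where is the release runbook?")
    print(store.history(ALICE, "u-alice"))
    try:
        store.history(BOB, "u-alice")
    except PermissionError as exc:
        print("refused:", exc)
```

The ordering inside `retrieve` is the design choice worth noting: filtering by ACL before matching means the unauthorized documents are never ranked, summarized or cited, which is the property the page attributes to Amazon Q Business honoring ACLs on every API call. A filter applied after generation would already have exposed the text to the model.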
To effectively implement Amazon Q Business, organizations must be familiar with IAM Identity Center instances, organization instances, account instances, and identity sources. If a company already uses an identity provider (IdP) such as Okta or Entra ID, it can continue using its preferred IdP with Amazon Q Business applications.
In conclusion, for an enterprise generative AI assistant to succeed, it must respect access control and guarantee the privacy and confidentiality of every employee. Amazon Q Business and IAM Identity Center offer a solution that authenticates each user and validates their identity at each stage of interaction, thereby enforcing access control along with privacy and confidentiality.