As of April 30, 2024, Amazon Q Business is generally available. Amazon Q Business is a conversational assistant powered by generative artificial intelligence (AI) that enhances workforce productivity by answering questions and completing tasks based on information in your enterprise systems. Your employees can access enterprise content securely and privately using web applications built with Amazon Q Business. The success of these applications depends on two key factors: first, that an end user of the application is only able to see responses generated from documents they have been granted access to, and second, that each user's conversation history is private, secure, and accessible only to that user.
Amazon Q Business operationalizes this by validating the identity of the user each time they access the application, so that the application can use the end user's identity to restrict tasks and answers to documents that the user has access to. This outcome is achieved with a combination of AWS IAM Identity Center and Amazon Q Business. IAM Identity Center stores the user identity, is the authoritative source of identity information for Amazon Q Business applications, and validates the user's identity when they access an Amazon Q Business application. You can configure IAM Identity Center to use your enterprise identity provider (IdP), such as Okta or Microsoft Entra ID, as the identity source. Amazon Q Business makes sure that the access control lists (ACLs) of the enterprise documents being indexed are matched to the user identities provided by IAM Identity Center, and that these ACLs are honored each time the application calls Amazon Q Business APIs to respond to user queries.
In this post, we show how IAM Identity Center acts as a gateway that brings user identities created in your enterprise IdP, as the identity source, to Amazon Q Business, and how Amazon Q Business uses these identities to respond securely and confidentially to user queries. We use the example of a generative AI employee assistant built with Amazon Q Business, demonstrate how to set it up so that it answers only from enterprise content that each employee has permission to access, and show how employees are able to converse securely and privately with this assistant.
Solution overview
The following diagram shows a high-level architecture of how the enterprise IdP, the IAM Identity Center instance, and the Amazon Q Business application interact with each other to enable an authenticated user to securely and privately interact with an Amazon Q Business application through an Amazon Q Business web experience in their web browser.
When using an external IdP such as Okta, users and groups are first provisioned in the IdP and then automatically synchronized to the IAM Identity Center instance using the SCIM protocol. When a user starts the Amazon Q Business web experience, they are authenticated with their IdP using single sign-on, and the tokens obtained from the IdP are used by Amazon Q Business to validate the user with IAM Identity Center. After validation, a chat session is started for the user.
The sample use case in this post uses an IAM Identity Center account instance with its identity source configured as Okta, which is used as the IdP. We then ingest content from Atlassian Confluence. The Amazon Q Business built-in connector for Confluence ingests the local users and groups configured in Confluence, as well as the ACLs for the spaces and documents, into the Amazon Q Business application index. These users from the data source are matched with the users configured in the IAM Identity Center instance, and aliases are created in the Amazon Q Business User Store for correct ACL enforcement.
Prerequisites
To implement this solution for the sample use case in this post, you need an IAM Identity Center instance and the Okta identity provider configured as its identity source. We provide more details about these resources in this section.
IAM Identity Center instance
An Amazon Q Business application requires an IAM Identity Center instance to be associated with it. There are two kinds of IAM Identity Center instances: an organization instance and an account instance. Amazon Q Business applications can work with either kind of instance. These instances store the user identities that are created by an IdP, as well as the groups to which the users belong.
For production use cases, an IAM Identity Center organization instance is recommended. The advantage of an organization instance is that it can be used by an Amazon Q Business application in any AWS account in your AWS Organizations organization, and you pay only once for a user in your organization even if you have multiple Amazon Q Business applications spread across multiple AWS accounts. Many AWS enterprise customers use Organizations and already have IAM Identity Center organization instances associated with them.
For proof of concept and departmental use cases, or in situations where an AWS account is not part of an AWS organization and you don't want to create a new one, you can use an IAM Identity Center account instance to enable an Amazon Q Business application. In this case, only Amazon Q Business applications configured in the AWS account in which the account instance is created can use that instance.
Amazon Q Business charges a per-user subscription fee. A user is billed only once if they are uniquely identifiable across different accounts and different Amazon Q Business applications. For example, if multiple Amazon Q Business applications are in a single AWS account, a user who is uniquely identified by an IAM Identity Center instance tied to this account is billed only once for using those applications. If your organization has two accounts and you have an organization-level IAM Identity Center instance, a user who is uniquely identified in the organization-level instance is billed only once even though they access applications in both accounts. However, if you have two account-level IAM Identity Center instances, a user in one account cannot be identified as the same user in the other account because there is no central identity. This means the same person is billed twice. We therefore recommend using organization-level IAM Identity Center instances for production use cases to optimize costs.
In both cases, the Amazon Q Business application must be in the same AWS Region as the IAM Identity Center instance.
Identity source
If you already use an IdP such as Okta or Entra ID, you can continue to use your preferred IdP with Amazon Q Business applications. In this case, the IAM Identity Center instance is configured to use the IdP as its identity source. The users and user groups from the IdP can be automatically synced to the IAM Identity Center instance using SCIM. Many AWS enterprise customers already have this configured for their IAM Identity Center organization instance. For more information about all the supported IdPs, see Getting started tutorials. The process is similar for IAM Identity Center organization instances and account instances.
AWS IAM Identity Center instance configured with Okta as the identity source
The following screenshot shows the IAM Identity Center application configured in Okta, and the users and groups from the Okta configuration assigned to this application.
The following screenshot shows the IAM Identity Center instance user store after configuring Okta as the identity source. Here the user and group information is automatically provisioned (synchronized) from Okta into IAM Identity Center using the System for Cross-domain Identity Management (SCIM) v2.0 protocol.
Configure an Amazon Q Business application with IAM Identity Center enabled
Complete the following steps to create an Amazon Q Business application and enable IAM Identity Center:
- On the Amazon Q Business console, choose Create application.
- For Application name, enter a name.
- Unless you need to change the AWS Identity and Access Management (IAM) role for the application or customize the encryption settings, keep the default settings.
- Choose Create.
- On the Select retriever page, unless you want to configure a preexisting Amazon Kendra index as the retriever, or you need to configure storage units for more than 20,000 documents, you can proceed with the default settings.
- Choose Next.
For more information about Amazon Q Business retrievers, refer to Creating and selecting a retriever for an Amazon Q Business application.
- On the Connect data sources page, for Data sources, choose Confluence.
The following instructions demonstrate how to configure the Confluence data source. They may differ for other data sources.
- For Data source name, enter a name.
- For Source, select Confluence Cloud.
- For Confluence URL, enter the Confluence URL.
- For Authentication, select Basic authentication.
- For AWS Secrets Manager secret, choose an AWS Secrets Manager secret.
- For Virtual Private Cloud, choose No VPC.
- For IAM role, choose Create a new service role.
- For Role name, either keep the provided name or edit it for your new role.
- For Sync scope, select the contents to sync.
- For Sync mode, select Full sync.
- For Frequency, choose Run on demand.
- For Field mappings, leave the defaults.
- Choose Add data source.
- Choose Next.
- On the Add groups and users page, choose Add groups and users.
- In the pop-up window, choose Get started.
- Search for users by their display name or by group, then choose the user or group you want to add to the application.
- Add more users as needed.
- Choose Assign.
- You will see the following screen:
- Choose a subscription for each user by opening the Choose subscription drop-down and then selecting the check mark.
- After choosing a subscription for all the users, your screen will look like the following screenshot. Unless you want to change the service role, choose Create application.
After the application is created, you will see the application settings page, as shown in the following screenshot.
Employee AI assistant use case
To illustrate how you can build a secure and private generative AI assistant for your employees using Amazon Q Business applications, let's take the sample use case of an employee AI assistant in an enterprise corporation. Two new employees, Mateo Jackson and Mary Major, have joined the company on two different projects and have finished their employee orientation. They have been given corporate laptops, and their accounts are provisioned in the corporate IdP. They have been instructed to get help from the employee AI assistant for any questions related to their new team member activities and their benefits.
The company uses Confluence to manage its enterprise content. The sample Amazon Q Business application used to run the scenarios in this post is configured with a data source that uses the built-in connector for Confluence to index the enterprise Confluence spaces used by employees. The example uses three Confluence spaces: AnyOrgApp Project, ACME Project Space, and AJ-DEMO-HR-SPACE. The access permissions for these spaces are as follows:
- AJ-DEMO-HR-SPACE – All employees, including Mateo and Mary
- AnyOrgApp Project – Employees assigned to the project, including Mateo
- ACME Project Space – Employees assigned to the project, including Mary
Let's look at how Mateo and Mary experience their employee AI assistant.
Both are given the URL of the employee AI assistant web experience. They open the URL and sign in to the IdP from the browsers on their laptops. Mateo and Mary both want to know about their new team member activities and their fellow team members. They ask the employee AI assistant the same questions but get different responses, because each has access to a different project. In the following screenshots, the browser window on the left is for Mateo Jackson and the one on the right is for Mary Major. Mateo gets information about the AnyOrgApp project and Mary gets information about the ACME project.
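To make the mechanism behind these two different answers concrete, the following is an added illustrative model written for this page; it is not Amazon Q Business code and does not show how the service is implemented internally. It walks the path the solution overview describes: SCIM-provisioned identities in IAM Identity Center, user-store aliases that tie the Confluence connector's local users to those identities, document ACLs applied before retrieval, and chat history keyed to the authenticated user. The SCIM records, Confluence principals, group memberships, space ACLs and document text are constructed for the Mateo and Mary scenario; the contractor account, the email-based matching rule, and the keyword retriever are assumptions of the model.

```python
"""Illustrative model (added here; not Amazon Q Business code) of the access path the
post describes: SCIM-provisioned identities in IAM Identity Center, user-store aliases
that tie the Confluence connector's local users to those identities, document ACLs
applied before retrieval, and chat history keyed to the authenticated user."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    space: str
    text: str
    allowed_users: frozenset   # Confluence local user ids from the connector's ACL crawl
    allowed_groups: frozenset  # Confluence group names from the connector's ACL crawl


# Constructed SCIM v2.0-style user records, as an IdP such as Okta would push them
# to IAM Identity Center. Only these identities can sign in to the web experience.
SCIM_USERS = [
    {"id": "idc-1001", "userName": "mateo.jackson@example.com"},
    {"id": "idc-1002", "userName": "mary.major@example.com"},
]

# Constructed view of what the Confluence connector ingests: local principals, group
# membership and space ACLs. The contractor (an assumption) exists only in Confluence.
CONFLUENCE_USERS = {
    "conf-mateo": "mateo.jackson@example.com",
    "conf-mary": "mary.major@example.com",
    "conf-temp": "temp.contractor@example.com",
}
CONFLUENCE_GROUPS = {
    "all-employees": {"conf-mateo", "conf-mary"},
    "anyorgapp-project": {"conf-mateo"},
    "acme-project": {"conf-mary"},
}
DOCUMENTS = [
    Document("hr-benefits", "AJ-DEMO-HR-SPACE",
             "Benefits: new employees are eligible for medical and dental coverage on day one",
             frozenset(), frozenset({"all-employees"})),
    Document("anyorg-team", "AnyOrgApp Project",
             "AnyOrgApp team members and new team member onboarding activities",
             frozenset(), frozenset({"anyorgapp-project"})),
    Document("acme-team", "ACME Project Space",
             "ACME team members and new team member onboarding activities",
             frozenset(), frozenset({"acme-project"})),
    Document("vendor-notes", "ACME Project Space",
             "Contractor benefits are not eligible for company medical coverage",
             frozenset({"conf-temp"}), frozenset()),
]


def identity_store():
    """Identity Center user store as synced by SCIM: userName -> Identity Center user id."""
    return {u["userName"].lower(): u["id"] for u in SCIM_USERS}


def authenticate(email):
    """Single sign-on outcome: an identity that SCIM never provisioned cannot sign in."""
    user_id = identity_store().get(email.lower())
    if user_id is None:
        raise PermissionError(f"{email} is not provisioned in IAM Identity Center")
    return user_id


def build_aliases():
    """User-store aliases: Identity Center user id -> Confluence local id. Matching on
    email is an assumption of this model; a Confluence principal with no Identity Center
    counterpart gets no alias and therefore grants access to nobody who can sign in."""
    store = identity_store()
    return {store[email.lower()]: local_id
            for local_id, email in CONFLUENCE_USERS.items() if email.lower() in store}


def visible_documents(user_id):
    """Documents whose ACL names the user's alias directly or through a group."""
    alias = build_aliases().get(user_id)
    if alias is None:
        return set()
    groups = {name for name, members in CONFLUENCE_GROUPS.items() if alias in members}
    return {d.doc_id for d in DOCUMENTS
            if alias in d.allowed_users or groups & d.allowed_groups}


def _tokens(text):
    return set(re.findall(r"\w+", text.lower()))


def retrieve(user_id, question):
    """Query-time path: the ACL filter runs first, then a keyword overlap stands in for
    the retriever, so an unauthorized document can never reach the answer or Sources."""
    allowed = visible_documents(user_id)
    terms = _tokens(question)
    return sorted(d.doc_id for d in DOCUMENTS
                  if d.doc_id in allowed and terms & _tokens(d.text))


class ChatSessions:
    """History is keyed by the authenticated Identity Center user id; there is no
    read path from one user's conversation to another's."""

    def __init__(self):
        self._history = {}

    def ask(self, user_id, question):
        sources = retrieve(user_id, question)
        self._history.setdefault(user_id, []).append((question, sources))
        return sources

    def history(self, user_id):
        return list(self._history.get(user_id, []))


if __name__ == "__main__":
    sessions = ChatSessions()
    for email in ("mateo.jackson@example.com", "mary.major@example.com"):
        uid = authenticate(email)
        print(email, "team:", sessions.ask(uid, "List my team members"),
              "benefits:", sessions.ask(uid, "What benefits am I eligible for?"))
```

Run as a script, the model reproduces the screenshots' behaviour: the same "team members" question returns the AnyOrgApp document for Mateo and the ACME document for Mary, both get the HR benefits document, and the vendor-only document, whose ACL names a principal that was never provisioned in IAM Identity Center, is returned to nobody even though a naive keyword match on "benefits" would surface it. The important design point is the order of operations in retrieve: the ACL filter is applied before relevance ranking, not as a post-filter on the generated answer.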
Mateo chooses Sources under the question about team members to take a closer look at the team member information, and Mary chooses Sources under the question about new team member onboarding activities. The following screenshots show their updated views.
Mateo and Mary want to find out more about the benefits their new job offers and how those benefits apply to their personal and family situations.
The following screenshot shows Mary asking the employee AI assistant questions about her benefits and eligibility.
Mary can also refer to the source documents.
The following screenshot shows Mateo asking the employee AI assistant different questions about his eligibility.
Mateo looks at the following source documents.
Both Mary and Mateo first want to know their eligibility for benefits, but after that they have different questions to ask. Even though the benefits-related documents are accessible to both Mary and Mateo, their conversations with the employee AI assistant are private and personal. The assurance that their conversation history is private and cannot be seen by any other user is essential for the success of a generative AI employee productivity assistant.
Clean up
If you created a new Amazon Q Business application to try out the integration with IAM Identity Center and don't plan to use it further, unsubscribe and remove the assigned users from the application and then delete it, so that your AWS account doesn't accumulate costs.
To unsubscribe and remove users, go to the application details page and select Manage access and subscriptions.
Select all the users, and then use the Edit button to choose Unsubscribe and remove, as shown below.
Delete the application after removing the users by going back to the application details page and selecting Delete.
Conclusion
For enterprise generative AI assistants such as the one shown in this post to be successful, they must respect access control and ensure the privacy and confidentiality of every employee. Amazon Q Business and IAM Identity Center provide a solution that authenticates each user and validates the user identity at each step to enforce access control along with privacy and confidentiality.
To achieve this, IAM Identity Center acts as a gateway that syncs user and group identities from an IdP (such as Okta), and Amazon Q Business uses the identities provided by IAM Identity Center to uniquely identify a user of an Amazon Q Business application (in this case, an employee AI assistant). Document ACLs and local users set up in the data source (such as Confluence) are matched with the user and group identities provided by IAM Identity Center. At query time, Amazon Q Business answers questions from users using only those documents that they are granted access to by the document ACLs.
If you want to know more, check out the Amazon Q Business launch blog post on the AWS News Blog, and refer to the Amazon Q Business User Guide. For more information on IAM Identity Center, refer to the AWS IAM Identity Center User Guide.
About the Authors
Abhinav Jawadekar is a Principal Solutions Architect in the Amazon Q Business service team at AWS. Abhinav works with AWS customers and partners to help them build generative AI solutions on AWS.
Venky Nagapudi is a Senior Manager of Product Management for Q Business, Amazon Comprehend and Amazon Translate. His focus areas on Q Business include user identity management, and using offline intelligence from documents to improve Q Business accuracy and helpfulness.