Amazon Q Business recently added support for administrators to modify the default access control list (ACL) crawling feature for data source connectors.
Amazon Q Business is a fully managed, AI-powered assistant with enterprise-grade security and privacy features. It includes over 40 data source connectors that crawl and index documents. By default, Amazon Q Business indexes the ACL information attached to documents along with the documents themselves and uses it to filter chat responses based on the user's document access. With this new feature, you can enable or disable ACL crawling as required by your business use case.
This post introduces the new ACL toggle feature for Amazon Q Business, which you can use to enable or disable ACL crawling. We'll explore use cases for disabling ACLs and discuss how to safely enable or disable ACL crawling.
Overview of access control list crawling
Amazon Q Business data source connectors crawl various data sources to collect and index content in Amazon Q Business for fast discovery and retrieval when answering user queries. These data sources often contain documents with different classifications such as public, internal public, private, and confidential. To provide fine-grained control over access rights, you can attach ACLs to documents, allowing you to specify different levels of access for various users or groups. To verify that Amazon Q Business respects access control policies and that users only receive responses for content they're authorized to access, the data source connectors automatically crawl for the access permissions, user identifiers, and groups associated with the content.
The preceding figure illustrates the Amazon Q Business data source crawler with ACL crawling enabled. As the connector retrieves content from the data source, it examines the associated ACL and compiles a list of users and groups with read permissions for each document. The connector also collects user identifiers, which are stored in the Amazon Q Business user store for quick matching during query execution. Both the ACL and the content are optimized and stored in the Amazon Q Business index storage, enabling secure and efficient retrieval when answering user queries. For more information on the user store, see Understanding Amazon Q Business User Store.
When to disable ACL crawling?
ACL crawling builds a security-aware index that respects the access control policies in the primary data source. This process helps maintain the data privacy and access control required for regulatory compliance, making sure that sensitive information isn't inadvertently exposed through user query results. It provides a scalable mechanism to handle large amounts of content while maintaining consistency between the actual access controls on the data and what's discoverable through search. Because of these advantages, ACL crawling is strongly recommended for all data sources. However, there are some circumstances in which you might need to disable it. The following are some reasons why you might disable ACL crawling.
Internally public content
Organizations often designate certain data sources as internally public, including HR policies, IT knowledge bases, and wiki pages. For instance, a company might allocate an entire Microsoft SharePoint site for policies accessible to all employees, classifying it as internal-public. In such cases, crawling ACLs for permissions that include all employees can be costly and create unnecessary overhead. Turning off ACL crawling might be advantageous in these scenarios.
Data source contains irreconcilable identities
Amazon Q Business requires all users to authenticate with an enterprise-approved identity provider (IdP). After successful authentication, Amazon Q Business uses the IdP-provided user identifier to match against the user identifier fetched from the data source during ACL crawling. This process validates user access to content before retrieving it for query responses.
However, because of legacy issues such as mergers and acquisitions, data source configuration limitations, or other constraints, the primary user identifier from the IdP might differ from the one in the data source. This discrepancy can prevent Amazon Q Business from retrieving relevant content from the index and answering user queries effectively.
In such cases, it might be necessary to disable ACL crawling and use alternative options. These include implementing attribute filters or building dedicated restricted applications with access limited to specific audiences and content. For more information on attribute filters, see Filtering chat responses using document attributes.
Use case-driven targeted deployments
As a fully managed service, Amazon Q Business can be quickly deployed in multiple scenarios for scoped-down, targeted use cases. Examples include an HR bot in Slack or an AI assistant for customer support agents in a contact center. Because these AI assistants might be deployed for a limited audience, and the indexed content might be generally available to all users with application access, ACL crawling can be turned off.
Note of caution
Amazon Q Business cannot enforce access controls if ACL crawling is disabled. When ACL crawling is disabled for a data source, indexed content in that source will be considered accessible to all users with access to the Amazon Q Business application. Therefore, disabling ACL crawling should be done with caution and due diligence. The following are some recommended best practices:
- Notify data source content owners and administrators of your intent to disable ACL crawling and obtain their approval beforehand.
- If applicable, consider implementing alternative options such as attribute filtering to restrict content retrieval, or deploying a scoped-down, use-case-driven deployment to a limited audience.
- Maintain a decision document that clearly articulates the reasons for disabling ACL crawling, the scope of affected content, and the precautions taken to prevent indexing of sensitive information.
Note: As a precaution, you cannot disable ACL crawling for an existing Amazon Q Business data source that already has ACL crawling enabled. To disable ACL crawling, you must delete the data source and recreate it. You can only disable ACL crawling during the data source creation process, and this requires an account administrator to grant permission for disabling ACL crawling when configuring the data source.
Procedures for configuring ACL crawling
Amazon Q Business ACL crawling helps protect your data. Amazon Q Business provides safeguards to help administrators and developers avoid accidentally disabling ACL crawling. In this section, we'll cover how you can allow or deny the ACL crawling disable feature, walk through procedures to enable or disable ACL crawling, explain how to monitor logs for ACL crawling configuration changes, and troubleshoot common issues.
Personas for configuring ACL crawling
ACL crawling configuration typically involves multiple roles, depending on your organizational structure. To maximize safeguards, it's recommended that these roles are filled by different individuals. For faster deployments, identify the required personnel within your organization before starting the project and make sure they collaborate to complete the configuration. Here are the common roles needed for ACL crawling configuration:
- AWS account administrator – An AWS account administrator is a user with full access to AWS services and the ability to manage IAM resources and permissions in the account. They can create and manage organizations, enabling centralized management of multiple AWS accounts.
- Amazon Q Business administrator – An Amazon Q Business administrator is typically a user or role responsible for managing and configuring the Amazon Q Business service. Their tasks include creating and optimizing Amazon Q Business indexes, setting up guardrails, and tuning relevance. They also set up and maintain connections to the various data sources that Amazon Q Business will index, such as Amazon Simple Storage Service (Amazon S3) buckets, SharePoint, Salesforce, and Confluence.
Prerequisites for ACL crawling
- Amazon Q Business application.
- Amazon Q Business data source connector that supports ACL crawling configuration.
- Data source authentication that meets the permissions required for crawling content and ACLs.
Process to disallow the option to disable ACL crawling
By default, the option to disable ACL crawling is enabled for an account. AWS account administrators can disallow this feature by setting up an account-level policy. It's recommended to configure an explicit deny for production accounts by default. The following shows the relevant actions in relation to the personas involved in the configuration process.
Administrators can attach the IAM action qbusiness:DisableAclOnDataSource to the Amazon Q Business administrator user or role policy to deny or allow the option to disable ACL crawling. The example IAM policy code snippet that follows demonstrates how to set up an explicit deny.
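The explicit-deny policy for qbusiness:DisableAclOnDataSource, together with a small evaluator that models the IAM rule this control relies on (an explicit Deny overrides any Allow), as an added example that is not code from the post or from AWS. The policy document uses standard IAM syntax and the action named above; the evaluator and the create-time check (creating a data source with ACL crawling disabled requires DisableAclOnDataSource in addition to CreateDataSource) are a simplified model, not the IAM engine, and the broad admin allow policy is constructed.

```python
import fnmatch
import json

# Explicit deny an account administrator attaches to the Amazon Q Business
# administrator role (or applies as an SCP) so that no data source can be
# created with ACL crawling disabled.
DENY_DISABLE_ACL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisablingAclCrawling",
            "Effect": "Deny",
            "Action": "qbusiness:DisableAclOnDataSource",
            "Resource": "*",
        }
    ],
}

# Constructed example of a broad allow an Amazon Q Business administrator
# might already hold; the Deny above still wins for the one action it names.
ADMIN_ALLOW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "qbusiness:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policies, action):
    """Simplified IAM evaluation: any matching Deny wins, otherwise any Allow."""
    denied = allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            patterns = _as_list(stmt["Action"])
            if any(fnmatch.fnmatchcase(action, pat) for pat in patterns):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def create_data_source_permitted(policies, acl_crawling_enabled):
    """Model (assumption, not the service's code) of the create-time validation:
    creating a data source needs CreateDataSource; creating one with ACL
    crawling disabled additionally needs DisableAclOnDataSource."""
    required = ["qbusiness:CreateDataSource"]
    if not acl_crawling_enabled:
        required.append("qbusiness:DisableAclOnDataSource")
    return all(is_allowed(policies, action) for action in required)


if __name__ == "__main__":
    print(json.dumps(DENY_DISABLE_ACL_POLICY, indent=2))
    policies = [ADMIN_ALLOW_POLICY, DENY_DISABLE_ACL_POLICY]
    print("ACL crawling enabled :", create_data_source_permitted(policies, True))
    print("ACL crawling disabled:", create_data_source_permitted(policies, False))
```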
Note that even when the option to disable ACL crawling is denied, the user interface might not gray out this option. However, if you attempt to create a data source with this option disabled, it will fail the validation check, and Amazon Q Business won't create the data source.
Process to disable ACL crawling for a data source connector
Before setting up a data source connector with ACL crawling disabled in your Amazon Q Business application deployment, make sure that you don't have any sensitive content in the data source, or that you have implemented controls to help prevent unintended content exposure. Verify that the data source connector supports the option to disable ACL crawling. Notify information custodians, content owners, and data source administrators of your intent to disable ACL crawling and obtain their documented approvals, if necessary. If your account administrator has explicitly denied the option to disable ACL crawling, request temporary permission. After you have secured all approvals and exceptions, create a new data source with ACL crawling disabled and sync the data. With ACL crawling disabled, Amazon Q Business users will be able to discover information and obtain answers from the documents indexed through this connector. Notify the account administrator to revert the account policy back to explicitly denying the disable ACL crawling option. The process and the interaction between the different roles are shown in the following chart.
The following is an overview of the procedure to create a data source with ACL crawling disabled using the AWS Console:
- Navigate to the Amazon Q Business console.
- Select the Amazon Q Business application that you want to add a data source connector to.
- Choose Add data source in the Data sources section and select the desired connector.
- Update the connector configuration information. See Connecting Amazon Q Business data sources for configuration details.
- In the Authorization section, choose Disable ACLs and check the acknowledgment to accept the risks of disabling ACL crawling.
- Complete the remaining connector configuration and choose Save.
- Sync the data source.
Note: You can't disable ACL crawling for an existing data source connector that was created with ACL crawling enabled. You must create a new data source connector instance with ACLs disabled and delete the older instance that has ACL crawling enabled.
Process to enable ACL crawling for a data source connector
Creating a data source connector with ACL crawling enabled is recommended and doesn't require additional allow-listing from AWS account administrators. To enable ACL crawling, you follow steps similar to those for disabling ACLs described in the previous section. When configuring the data source connector using the console, choose Enable ACLs in the Authorization section to create a connector with ACL crawling enabled. You can also enable ACL crawling at any time for an existing data source connector that was created with this option disabled. Sync the data source connector for the ACL enforcement to take effect. Amazon Q Business users can then only query and obtain answers from documents to which they have access in the original data source.
It's important to verify that the data source administrator has set up the required permissions properly, making sure that the crawler has permission to crawl for ACLs in the data source, before enabling ACL crawling. You can find the required permissions in the prerequisites section of the connector in Connecting Amazon Q Business data sources. The following shows the process for setting up a data source connector with ACL crawling enabled.
Logging and monitoring the ACL crawling configuration
Amazon Q Business uses AWS CloudTrail to log API calls related to ACL crawling configuration. You can monitor the CloudTrail log for CreateDataSource and UpdateDataSource API calls to identify ACL crawling-related changes made to the data source configuration. For a complete list of Amazon Q Business APIs that are logged to CloudTrail, see Logging Amazon Q Business API calls using AWS CloudTrail.
Administrators can configure Amazon CloudWatch alarms to generate automated alert notifications if ACL crawling is disabled for a data source connector, allowing them to initiate corrective action. For step-by-step instructions on setting up CloudWatch alarms based on CloudTrail events, see How do I use CloudWatch alarms to monitor CloudTrail events.
The example CloudWatch alarm code snippet that follows shows the filter pattern for identifying events related to disabling ACL crawling in a data source connector.
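The same detection logic expressed in code and run over constructed CloudTrail records, as an added example that is not code from the post or from AWS: it flags CreateDataSource and UpdateDataSource calls that disable ACL crawling, and AccessDenied attempts that hit the qbusiness:DisableAclOnDataSource deny. The records and account ID are constructed; eventSource, eventName, errorCode, errorMessage, userIdentity and requestParameters are standard CloudTrail fields, but the requestParameters key ACL_FLAG_KEY is an assumed placeholder and must be replaced with the key observed in a real CreateDataSource event from your own trail.

```python
import json

# Assumption: placeholder for the request-parameter key that carries the ACL
# crawling setting. Confirm the real key from an actual event in your trail.
ACL_FLAG_KEY = "aclCrawlingEnabled"
WATCHED_EVENTS = {"CreateDataSource", "UpdateDataSource"}
DENIED_ACTION = "qbusiness:DisableAclOnDataSource"
ADMIN_ARN = "arn:aws:iam::111122223333:role/QBusinessAdmin"  # constructed

# Constructed sample records, not real CloudTrail output.
SAMPLE_RECORDS = [
    {"eventSource": "qbusiness.amazonaws.com", "eventName": "CreateDataSource",
     "userIdentity": {"arn": ADMIN_ARN},
     "requestParameters": {"displayName": "hr-policies", ACL_FLAG_KEY: False}},
    {"eventSource": "qbusiness.amazonaws.com", "eventName": "CreateDataSource",
     "userIdentity": {"arn": ADMIN_ARN},
     "requestParameters": {"displayName": "finance-docs", ACL_FLAG_KEY: True}},
    {"eventSource": "qbusiness.amazonaws.com", "eventName": "CreateDataSource",
     "userIdentity": {"arn": ADMIN_ARN},
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: " + DENIED_ACTION,
     "requestParameters": {"displayName": "legal-docs", ACL_FLAG_KEY: False}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]


def classify(record):
    """Return a finding label for one CloudTrail record, or None if benign."""
    if record.get("eventSource") != "qbusiness.amazonaws.com":
        return None
    if record.get("eventName") not in WATCHED_EVENTS:
        return None
    if DENIED_ACTION in record.get("errorMessage", ""):
        # The explicit deny held; still worth an audit trail entry.
        return "DENIED_DISABLE_ACL_ATTEMPT"
    params = record.get("requestParameters") or {}
    if params.get(ACL_FLAG_KEY) is False:
        # The call succeeded: content in this source is now open to all
        # application users, so alert and confirm the approval exists.
        return "ACL_CRAWLING_DISABLED"
    return None


def scan(records):
    """Return (label, actor ARN, data source display name) for each finding."""
    findings = []
    for rec in records:
        label = classify(rec)
        if label:
            actor = rec.get("userIdentity", {}).get("arn", "unknown")
            name = (rec.get("requestParameters") or {}).get("displayName", "?")
            findings.append((label, actor, name))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

The two conditions in classify are the ones to encode in the CloudWatch Logs metric filter on the trail's log group; each match should raise the alarm that triggers corrective review.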
Tips for troubleshooting
When configuring Amazon Q Business data source connectors, you might occasionally encounter issues. The following are some common errors and their possible resolutions.
Not authorized to disable ACL crawling
When creating a new data source connector with ACL crawling disabled, you might see an error message stating not authorized to perform: qbusiness:DisableAclOnDataSource, as shown in the following image.
This error indicates that your administrator has explicitly denied the option to disable ACL crawling in your AWS account. Contact your administrator to allow-list this action in your account. For more details, see the Process to disable ACL crawling for a data source connector section earlier in this post.
Data source connection errors
Data source connectors might also fail to connect to your data source or to crawl data. In such cases, verify that Amazon Q Business can reach the data source through the public internet or through a VPC private network. See Connecting Amazon Q Business data sources to make sure that your data source authentication has the permissions needed to crawl content and, if enabled, ACLs.
Identity and ACL mismatch errors
Finally, after successfully syncing data with ACL crawling enabled, some users might still be unable to get answers to queries, even though the relevant documents were indexed. This issue commonly occurs when the user lacks access to the indexed content in the original data source, or when the user identity obtained from the data source doesn't match the sign-in identity. To troubleshoot such ACL mismatch issues, examine the data source sync report. For more information, see Introducing document-level sync reports: Enhanced data sync visibility in Amazon Q Business.
Key considerations and recommendations
Given the impact that disabling ACL crawling can have on content security, consider these restrictions and best practices when disabling ACL crawling in Amazon Q Business data source connectors:
- ACL crawling enablement is a one-way control mechanism. After it's enabled, you cannot disable it. This helps prevent accidentally disabling ACL crawling in production environments.
- Keep ACL crawling enabled by default and disable it only for the subset of data source connectors that require it.
- If necessary, consider splitting the indexing of a data source by setting up multiple data source connectors and limiting ACL crawling disablement to a smaller content segment. Use the document Inclusion and Exclusion feature of data source connectors to define the indexing scope.
- When ACL crawling is disabled because of irreconcilable identities, consider alternative options. These include implementing attribute filters, restricting access to the Amazon Q Business application, and setting up guardrails.
- As a security best practice, AWS Organizations and account administrators should add a service control policy to explicitly deny the qbusiness:DisableAclOnDataSource permission for all accounts. Grant this permission only when requested by an Amazon Q Business administrator. After configuring a data source connector with ACL crawling disabled, revert to an explicit deny. Use a ticketing system to maintain a record of exception approvals. For more information, see <link>.
- Currently, disabling ACL crawling is available for a limited set of connectors, including ServiceNow, Confluence, SharePoint, Jira, Google Drive, OneDrive, Salesforce, Zendesk, GitHub, MS Teams, and Slack. For the latest list of connectors that support disabling ACL crawling, see Connecting Amazon Q Business data sources.
Clean up
To avoid incurring additional costs, make sure to delete any resources created in this post.
- To delete any data source created in Amazon Q Business, follow the instructions in Deleting an Amazon Q Business data source connector.
- To delete any Amazon Q Business application created, follow the instructions in Deleting an application.
Conclusion
Amazon Q Business data source connector ACL crawling is an essential feature that helps organizations build, manage, and scale secure AI assistants. It plays a crucial role in enforcing regulatory and compliance policies and protecting sensitive content. With the introduction of a self-service feature to disable ACL crawling, Amazon Q Business now gives you more autonomy to choose the deployment options that suit your organization's business needs. To start building secure AI assistants with Amazon Q Business, explore the Getting started guide.
About the Authors
Rajesh Kumar Ravi, a Senior Solutions Architect at Amazon Web Services, specializes in building generative AI solutions using Amazon Q Business, Amazon Bedrock, and Amazon Kendra. He helps businesses worldwide implement these technologies to enhance efficiency, innovation, and competitiveness. An accomplished technology leader, Rajesh has experience developing innovative AI products, nurturing the builder community, and contributing to new ideas. Outside of work, he enjoys walking and short hiking trips.
Meenakshisundaram Thandavarayan works for AWS as an AI/ML Specialist. He has a passion for designing, creating, and promoting human-centered data and analytics experiences. Meena focuses on developing sustainable systems that deliver measurable, competitive advantages for strategic customers of AWS. Meena is a connector and design thinker and strives to drive business to new ways of working through innovation, incubation, and democratization.
Amit Choudhary is a Product Manager for Amazon Q Business connectors. He loves to build products that make it easy for customers to use privacy-preserving technologies (PETs) such as differential privacy
Keerthi Kumar Kallur is a Software Development Engineer at AWS. He's part of the Amazon Q Business team and has worked on various features with customers. In his spare time, he likes outdoor activities such as hiking and sports such as volleyball.