Enhance Workforce Productivity with Amazon Q Business IAM Federation
Amazon Q Business is a conversational assistant powered by generative artificial intelligence (AI) that enhances workforce productivity by answering questions and completing tasks based on the information in your enterprise systems that each user is authorized to access. If you want to use Amazon Q Business to build enterprise generative AI applications but have yet to adopt AWS IAM Identity Center across your organization, you can use Amazon Q Business IAM Federation to manage user access to Amazon Q Business applications directly from your enterprise identity provider (IdP), such as Okta or Ping Identity.
Building Secure and Private Generative AI Applications
AWS recommends using AWS IAM Identity Center if you have a large number of users, because it gives you seamless user access management for multiple Amazon Q Business applications across many AWS accounts in AWS Organizations. However, if you prefer IAM Federation, this post guides you through using Amazon Q Business IAM Federation to manage user access to your Amazon Q Business applications.
Solution Overview
To implement this solution, you create an IAM identity provider for SAML or IAM identity provider for OIDC based on your IdP application integration. When creating an Amazon Q Business application, you choose and configure the corresponding IAM identity provider. The Amazon Q Business application uses the IAM identity provider configuration to validate the user identity when responding to requests by an authenticated user.
Architecture
Amazon Q Business IAM Federation requires federating the user identities provisioned in your enterprise IdP, such as an Okta or Ping Identity account, with IAM. In the authentication workflow, the client application makes authentication requests to the IdP on behalf of the user, and the IdP responds with identity or access tokens. The client application uses these credentials to make API calls to Amazon Q Business.
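The OIDC variant of the workflow above, as an added example that is not code from the original post: the role trust policy that binds the IAM OIDC identity provider to the client application's audience, the exchange of the IdP's ID token for temporary AWS credentials, and the ChatSync call made with those credentials. The policy shape, the provider and role ARNs, the Okta issuer and the client ID are assumptions and placeholders, not values from the post.

```python
"""Added example of Amazon Q Business IAM Federation with an OIDC IdP.
Assumes an IAM OIDC identity provider already exists for the Okta issuer and
that a Q Business application is configured with it. All ARNs, hosts and IDs
are placeholders (hypothetical)."""


def build_web_identity_trust_policy(provider_arn: str, issuer_host: str, client_id: str) -> dict:
    """Trust policy for the role the client application assumes with the ID token.
    The aud condition pins the role to tokens minted for this Okta application
    (assumed shape, based on standard IAM web-identity federation). Group
    membership is not checked here or by Q Business: restrict who can obtain a
    token by assigning the Okta application only to authorized groups."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
            "Condition": {"StringEquals": {f"{issuer_host}:aud": client_id}},
        }],
    }


def exchange_id_token(sts, role_arn: str, id_token: str, session_name: str) -> dict:
    """Exchange the IdP ID token for temporary credentials. STS verifies the
    token signature and audience against the OIDC provider, so the client
    application never handles signing keys itself."""
    resp = sts.assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        WebIdentityToken=id_token,
        DurationSeconds=3600,
    )
    return resp["Credentials"]


def ask_q_business(creds: dict, application_id: str, question: str, region: str) -> str:
    """Call ChatSync with the federated session so Q Business answers only
    from content the federated user is authorized to access."""
    import boto3  # imported here so the helpers above run without boto3 installed

    client = boto3.client(
        "qbusiness", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return client.chat_sync(applicationId=application_id, userMessage=question)["systemMessage"]
```

A real client would obtain the ID token from the Okta authorization-code flow and pass a boto3 STS client (`boto3.client("sts")`) to `exchange_id_token`.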
How Subscriptions Work with Amazon Q Business IAM Federation
For applications that use IAM Identity Center, AWS de-duplicates subscriptions across all Amazon Q Business applications and accounts, charging each user only once for their highest subscription level. With IAM Federation, on the other hand, users subscribed to multiple Amazon Q Business applications are charged per SAML or OIDC IAM identity provider that those applications share.
Limitations
At the time of writing, Amazon Q Business IAM Federation has limitations: it does not support OIDC for Google or Microsoft Entra ID, and it has no built-in mechanism to validate a user's membership in federated groups defined in the enterprise IdP.
Guidelines for Choosing a User Access Mechanism
When choosing a user access mechanism for your Amazon Q Business applications, consider the federation type, the AWS account type, the Amazon Q Business subscription billing scope, the supported identity source, and other considerations specific to your environment.
Prerequisites
To implement the solution, you need an Okta account in which you create application integrations for either OIDC or SAML mode. You also need to set up an IAM identity provider for SAML or OIDC before you can create and configure your Amazon Q Business applications.
Employee AI Assistant Use Case
To illustrate how you can build a secure and private generative AI assistant for your employees, the post walks through a use case with Mateo Jackson and Mary Major, new employees who interact with the employee AI assistant to access information relevant to their projects and benefits.
Clean Up
If you don't plan to use the Amazon Q Business application further, unsubscribe, remove the automatically subscribed users, and delete the application to avoid accumulating costs in your AWS account.
Conclusion
Integrating Amazon Q Business with IAM Federation provides a secure and private way to build generative AI applications that respect access control and ensure privacy and confidentiality for every employee. By following the guidelines and using IAM identity providers, you can create effective workforce productivity tools with Amazon Q Business.
About the Authors
Abhinav Jawadekar and Venky Nagapudi are part of the Amazon Q Business team at AWS, working on helping customers and partners build generative AI solutions on AWS. Their expertise lies in user identity management and enhancing AI accuracy and helpfulness.