Friday, September 20, 2024

Accelerate Enterprise AI Development with Secure and Private Applications using Amazon Q Business and IAM Federation

Introduction

Amazon Q Business is a conversational assistant powered by generative artificial intelligence (AI) that enhances workforce productivity by answering questions and completing tasks based on the information in your enterprise systems that each user is authorized to access. In this post, we will explore how to use Amazon Q Business IAM Federation to build private and secure enterprise generative AI applications.

Solution Overview

To implement this solution, you create an IAM identity provider for SAML or OIDC based on your IdP application integration. When creating an Amazon Q Business application, you choose and configure the corresponding IAM identity provider. When responding to requests by an authenticated user, the Amazon Q Business application uses the IAM identity provider configuration to validate the user identity.

Architecture

Amazon Q Business IAM Federation requires federating the user identities provisioned in your enterprise IdP, such as an Okta or Ping Identity account, with AWS IAM. This involves a one-time setup: you create a SAML or OIDC application integration in your IdP account, and then create a corresponding SAML identity provider or OIDC identity provider in AWS IAM.
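Once the identity provider exists in IAM, any role that trusts it should name the matching STS action and pin the audience claim, so that only tokens or assertions issued for your application integration are accepted. The following is an added example, not code from the original post: a small audit of a role trust policy. The role itself, the account ID, the issuer `idp.example.com` and the client ID are constructed assumptions.

```python
def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Return findings for federated statements in an IAM role trust policy."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        actions = _as_list(stmt.get("Action", []))
        # Condition keys are case-insensitive; only exact-match operators pin a value.
        pinned = {key.lower()
                  for op, kv in stmt.get("Condition", {}).items()
                  if op.endswith("StringEquals")
                  for key in kv}
        for arn in _as_list(principal.get("Federated", [])):
            if ":oidc-provider/" in arn:
                issuer = arn.split(":oidc-provider/", 1)[1]
                action, key = "sts:AssumeRoleWithWebIdentity", f"{issuer}:aud"
            elif ":saml-provider/" in arn:
                action, key = "sts:AssumeRoleWithSAML", "SAML:aud"
            else:
                findings.append(f"statement {i}: {arn} is not an IAM identity provider")
                continue
            if action not in actions:
                findings.append(f"statement {i}: missing {action}")
            if key.lower() not in pinned:
                findings.append(f"statement {i}: {key} is not pinned with StringEquals")
    return findings

# Constructed sample policies; account ID, issuer and client ID are placeholders.
OIDC_ARN = "arn:aws:iam::111122223333:oidc-provider/idp.example.com"
PINNED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": OIDC_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"idp.example.com:aud": "constructed-client-id"}},
}]}
UNPINNED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": OIDC_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
}]}

if __name__ == "__main__":
    for name, pol in (("PINNED", PINNED), ("UNPINNED", UNPINNED)):
        print(name, audit_trust_policy(pol) or "ok")
```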

How Subscriptions Work with Amazon Q Business IAM Federation

User subscriptions are handled differently when you use IAM Identity Center than when you use IAM Federation. For applications that use IAM Identity Center, AWS will de-duplicate subscriptions across all Amazon Q Business application accounts, and charge each user only one time for their highest subscription level. De-duplication will apply only if the Amazon Q Business applications share the same organization instance of IAM Identity Center.

Employee AI Assistant Use Case

To illustrate how you can build a secure and private generative AI assistant for your employees using Amazon Q Business applications, let’s take a sample use case of an employee AI assistant in an enterprise corporation. Two new employees, Mateo Jackson and Mary Major, have joined the company on two different projects, and have finished their employee orientation. They have been given corporate laptops, and their accounts are provisioned in the corporate IdP.

Clean Up

If you created a new Amazon Q Business application to try out the integration with IAM federation, and don’t plan to use it further, you can unsubscribe, remove automatically subscribed users from the application, and delete it so that your AWS account doesn’t accumulate costs.

Conclusion

For enterprise generative AI assistants such as the one shown in this post to be successful, they must respect access control as well as assure the privacy and confidentiality of every employee. Amazon Q Business achieves this by integrating with IAM Identity Center or with IAM Federation to provide a solution that authenticates each user and validates the user identity at each step to enforce access control along with privacy and confidentiality.

Frequently Asked Questions

Q1: What is Amazon Q Business IAM Federation?

Amazon Q Business IAM Federation is a feature that allows you to build private and secure enterprise generative AI applications using Amazon Q Business.

Q2: How does Amazon Q Business IAM Federation work?

Amazon Q Business IAM Federation uses SAML 2.0 and OIDC IAM identity providers to uniquely identify a user authenticated by the enterprise IdP, and then that user identity is used to match up document ACLs set up in the data source.

Q3: What are the benefits of using Amazon Q Business IAM Federation?

The benefits of using Amazon Q Business IAM Federation include respecting access control, assuring the privacy and confidentiality of every employee, and providing a solution that authenticates each user and validates the user identity at each step to enforce access control along with privacy and confidentiality.

Q4: Can I use Amazon Q Business IAM Federation with IAM Identity Center?

Yes, you can use Amazon Q Business IAM Federation with IAM Identity Center to build private and secure enterprise generative AI applications.

Q5: How do I clean up after using Amazon Q Business IAM Federation?

You can unsubscribe, remove automatically subscribed users from the application, and delete it so that your AWS account doesn’t accumulate costs.