Data encryption for Amazon Q Business - Amazon Q Business

Data encryption for Amazon Q Business

Amazon Q Business supports encryption at rest using an AWS KMS key that's owned by AWS. Amazon Q also uses HTTPS protocol for data in transit.


Amazon Q does not support asymmetric KMS keys. For more information, see Using Symmetric and Asymmetric Keys in the AWS Key Management Service Developer Guide.

Encryption at rest

Amazon Q Business provides encryption by default to protect sensitive customer data at rest using AWS owned encryption keys. Sensitive customer data includes both questions and answers in the Amazon Q web experience and the documents uploaded to Amazon Q index.

The Amazon Q uses the questions and answers to know the conversation context and to provide you with the best answer. The conversation data is automatically removed once the conversation is deleted or is inactive. For more information, see Conversation management. The uploaded documents are used by Amazon Q to retrieve them at runtime to answer your questions.

  • AWS owned keys – Amazon Q uses these keys by default to automatically encrypt sensitive customer data. You can't view, manage, or use AWS owned keys, or audit their use. However, you don't have to take any action or change any programs to protect the keys that encrypt your data. For more information, see AWS owned keys in the AWS Key Management Service Developer Guide.

    Encryption of data at rest by default helps reduce the operational overhead and complexity involved in protecting sensitive data. At the same time, it enables you to build secure applications that meet strict encryption compliance and regulatory requirements.

    While you can't disable this layer of encryption or select an alternate encryption type, you can add a second layer of encryption over the existing AWS owned encryption keys by choosing a customer managed key when you create your resources:

  • Customer managed keys (CMK) – Amazon Q does not currently support the use of customer managed keys for any new applications configured after April 30, 2024. Existing Amazon Q Business applications configured using the legacy identity management flow and already using CMK will continue to support CMK.

Encryption in transit

Amazon Q Business uses the HTTPS protocol to communicate with your client application. It uses HTTPS and AWS signatures to communicate with other services on your application's behalf. .