Setting up for Amazon Q Business - Amazon Q Business

Setting up for Amazon Q Business

Before you begin using Amazon Q Business for the first time, complete the following tasks.

Initial AWS account setup

Sign up for an AWS account

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account
  1. Open https://portal.aws.amazon.com/billing/signup.

  2. Follow the online instructions.

    Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

    When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform tasks that require root user access.

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to https://aws.amazon.com/ and choosing My Account.

Create a user with administrative access

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

Secure your AWS account root user
  1. Sign in to the AWS Management Console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    For help signing in by using root user, see Signing in as the root user in the AWS Sign-In User Guide.

  2. Turn on multi-factor authentication (MFA) for your root user.

    For instructions, see Enable a virtual MFA device for your AWS account root user (console) in the IAM User Guide.

Create a user with administrative access
  1. Enable IAM Identity Center.

    For instructions, see Enabling AWS IAM Identity Center in the AWS IAM Identity Center User Guide.

  2. In IAM Identity Center, grant administrative access to a user.

    For a tutorial about using the IAM Identity Center directory as your identity source, see Configure user access with the default IAM Identity Center directory in the AWS IAM Identity Center User Guide.

Sign in as the user with administrative access
  • To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

    For help signing in using an IAM Identity Center user, see Signing in to the AWS access portal in the AWS Sign-In User Guide.

Assign access to additional users
  1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

    For instructions, see Create a permission set in the AWS IAM Identity Center User Guide.

  2. Assign users to a group, and then assign single sign-on access to the group.

    For instructions, see Add groups in the AWS IAM Identity Center User Guide.

(Optional) Install the AWS CLI

The AWS Command Line Interface (AWS CLI) is a unified developer tool for managing AWS services, including Amazon Q.

  1. To install the AWS CLI, follow the instructions in Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.

  2. To configure the AWS CLI and set up a profile to call the AWS CLI, follow the instructions in Configuring the AWS CLI in the AWS Command Line Interface User Guide.

  3. To confirm that the AWS CLI profile is configured, run the following command:

    aws configure ––profile default

    If your profile has been configured correctly, you will see output similar to the following:

    AWS Access Key ID [****************52FQ]: AWS Secret Access Key [****************xgyZ]: Default region name [us-west-2]: Default output format [json]:
  4. To verify that the AWS CLI is configured for use with Amazon Q, run the following commands:

    aws qbusiness help

    If the AWS CLI is configured correctly, you will see a list of the supported AWS CLI commands for Amazon Q, Amazon Q runtime, and Amazon Q events.

(Optional) Set up the AWS SDKs

Download and install the AWS SDKs that you want to use. This guide provides examples for Python. For information about other AWS SDKs, see Tools for Amazon Web Services.

The package for the Python SDK is called Boto3.

Before you run the following Python commands, you must first download and install Python 3.6 or later for your operating system. Support for Python 3.5 and earlier is deprecated.

If you don't have pip included in your Python Scripts directory, you can download get-pip.py and store this in your Scripts directory. You can also set your Python directory as a Path or environment variable using a terminal program.

To install Python, complete the following steps:

# Install the latest Boto3 release via pip pip install boto3 # You can install a specific version of Boto3 for compatibility reasons # Install Boto3 version 1.0 specifically pip install boto3==1.0.0 # Make sure Boto3 is no older than version 1.15.0 pip install boto3>=1.15.0 # Avoid versions of Boto3 newer than version 1.15.3 pip install boto3<=1.15.3

To use Boto3, you must set up authentication credentials for your AWS account using the IAM console.

Consider AWS Regions and endpoints

An endpoint is a URL that's the entry point for a web service. Each endpoint is associated with a specific AWS Region.

If you use a combination of the Amazon Q console, the AWS CLI, and the Amazon Q SDKs, pay attention to their default Regions. All Amazon Q components of a given application must be created in the same Region. Examples of a component include a retriever, an index, and a chat experience. To understand why this is important, see Considerations for choosing an AWS Region in the IAM Identity Center User Guide.

The IAM Identity Center instance that you use to manage end users for your Amazon Q Business application must be created in the same region as your Amazon Q Business application.

For regions and endpoints supported by Amazon Q Business, see Service quotas for Amazon Q Business.

Set up required permissions

If you use Amazon Q through the AWS Management Console, required permissions are added on your behalf.

To use Amazon Q as an IAM user on the AWS CLI, or AWS SDK, you must attach the following permissions to allow Amazon Q to create and manage resources on your behalf:

{ "Version": "2012-10-17", "Statement": [{ "Action": "qbusiness:*", "Effect": "Allow", "Resource": "*" }] }

For a complete list of IAM roles for Amazon Q, see IAM roles for Amazon Q.

Enable and configure an IAM Identity Center instance

Amazon Q Business integrates with IAM Identity Center as a gateway to manage user access to your Amazon Q Business application.

When you use IAM Identity Center as the user access manager for your Amazon Q application, we recommend enabling and pre-configuring an IAM Identity Center instance before you begin to create your Amazon Q application. If you do so, Amazon Q automatically detects—and connects to—your already configured IAM Identity Center instance.

If you're planning to use IAM Identity Center to connect your Amazon Q application to an Active Directory (AD) or external identity provider, creating a local IAM Identity Center instance and configuring it before you configure an Amazon Q application is recommended.

If you don't have an IAM Identity Center instance configured, and you want to use IAM Identity Center as your identity provider, you can also choose to create, connect, and minimally configure an IAM Identity Center instance for your Amazon Q application as part of the Amazon Q application creation process from the Amazon Q console.

You can add users to your IAM Identity Center instance from the Amazon Q console. When you add a new user to IAM Identity Center from the Amazon Q Business console, you need to make sure that the user is enabled for console access in your IAM Identity Center instance and their email ID is verified before they can log in to your Amazon Q web experience to chat. By default, a new user added to IAM Identity Center from the Amazon Q console isn't enabled. For more information on enabling users in IAM Identity Center, see Adding users in the IAM Identity Center User Guide.

You can't add groups to an IAM Identity Center instance from the Amazon Q console. If you want to add groups, Amazon Q will redirect you to the IAM Identity Center console to configure groups. To avoid this, you can configure groups in your IAM Identity Center instance before you create your Amazon Q app. Any groups already configured will be auto-detected by the Amazon Q console.

Note

Your IAM Identity Center instance must be created in the same region as your Amazon Q Business application. To understand why this is important, see Considerations for choosing an AWS Region in the IAM Identity Center User Guide. For regions supported by Amazon Q Business, see Service quotas for Amazon Q Business.

Important

Starting April 30, 2024, all new applications will need to use IAM Identity Center directly to manage user access. No new applications can be created using the legacy identity management flow. All existing Amazon Q applications will need to migrate to using IAM Identity Center for user management by July 31, 2024. We recommend you integrate any new application you're creating directly with IAM Identity Center.