IAM role for Amazon S3 connector


If you use the AWS CLI or an AWS SDK, you must create an AWS Identity and Access Management (IAM) policy before you create an Amazon Q Business resource. When you call the CreateDataSource operation, you provide the Amazon Resource Name (ARN) of the role that has the policy attached.

If you use the AWS Management Console, you can create a new IAM role in the Amazon Q console or use an existing IAM role while creating your data source.

Note

To learn how to create an IAM role, see Create a role to delegate permissions to an AWS service.

When you use an Amazon S3 bucket as a data source, you must provide a role that has permissions to:

  • Access your Amazon S3 bucket.

  • Call the BatchPutDocument and BatchDeleteDocument API operations to ingest documents.

  • Call the Principal Store APIs needed to ingest access control and identity information from documents.

To allow Amazon Q to use an Amazon S3 bucket as a data source, use the following role policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQToGetObjectfromS3",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::{{input_bucket_name}}/*"],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "{{account_id}}"
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToListS3Buckets",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::{{input_bucket_name}}"],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "{{account_id}}"
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToIngestDocuments",
      "Effect": "Allow",
      "Action": [
        "qbusiness:BatchPutDocument",
        "qbusiness:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}"
    },
    {
      "Sid": "AllowsAmazonQToCallPrincipalMappingAPIs",
      "Effect": "Allow",
      "Action": [
        "qbusiness:PutGroup",
        "qbusiness:CreateUser",
        "qbusiness:DeleteGroup",
        "qbusiness:UpdateUser",
        "qbusiness:ListGroups"
      ],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}/data-source/*"
      ]
    }
  ]
}

If the documents in the Amazon S3 bucket are encrypted with an AWS KMS key, you must add the following statement so that the role can use that key, through Amazon S3, to decrypt the documents (the kms:ViaService condition limits the key to calls made on the role's behalf by Amazon S3, not by other services):

{
  "Sid": "AllowsAmazonQToDecryptSecret",
  "Effect": "Allow",
  "Action": ["kms:Decrypt"],
  "Resource": ["arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"],
  "Condition": {
    "StringLike": {
      "kms:ViaService": ["s3.*.amazonaws.com"]
    }
  }
}

If you are using an Amazon VPC, you must add the following VPC access permissions to your policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQToGetObjectfromS3",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::{{input_bucket_name}}/*"],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "{{account_id}}"
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToListS3Buckets",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::{{input_bucket_name}}"],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "{{account_id}}"
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToIngestDocuments",
      "Effect": "Allow",
      "Action": [
        "qbusiness:BatchPutDocument",
        "qbusiness:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}"
    },
    {
      "Sid": "AllowsAmazonQToCallPrincipalMappingAPIs",
      "Effect": "Allow",
      "Action": [
        "qbusiness:PutGroup",
        "qbusiness:CreateUser",
        "qbusiness:DeleteGroup",
        "qbusiness:UpdateUser",
        "qbusiness:ListGroups"
      ],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}/data-source/*"
      ]
    },
    {
      "Sid": "AllowsAmazonQToCreateAndDeleteENI",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": [
        "arn:aws:ec2:{{region}}:{{account_id}}:subnet/[[subnet_ids]]",
        "arn:aws:ec2:{{region}}:{{account_id}}:security-group/[[security_group]]"
      ]
    },
    {
      "Sid": "AllowsAmazonQToCreateDeleteENI",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["AMAZON_Q"]
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToCreateTags",
      "Effect": "Allow",
      "Action": ["ec2:CreateTags"],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateNetworkInterface"
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToCreateNetworkInterfacePermission",
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterfacePermission"],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToConnectToVPC",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeVpcs",
        "ec2:DescribeRegions",
        "ec2:DescribeNetworkInterfacePermissions",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    }
  ]
}

To allow Amazon Q to assume a role, use the following trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQToAssumeRoleForServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "qbusiness.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{source_account}}"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
        }
      }
    }
  ]
}

Additional IAM permissions are necessary to sync data in near-real time:

Amazon Q Business uses EventBridge, a serverless event bus that receives events from AWS services such as Amazon S3. The data source role needs additional permissions so that Amazon Q can manage EventBridge rules and configure Amazon S3 to send notifications through EventBridge. The necessary additional permissions are:

{
  "Sid": "EventBridgePermissionsForQBusinessManagedRule",
  "Effect": "Allow",
  "Action": [
    "events:EnableRule",
    "events:DeleteRule",
    "events:DescribeRule",
    "events:DisableRule",
    "events:ListRules",
    "events:ListTargetsByRule",
    "events:PutRule",
    "events:PutTargets",
    "events:RemoveTargets"
  ],
  "Resource": ["arn:aws:events:*:*:rule/AmazonQManagedRule*"]
},
{
  "Sid": "AllowsAmazonQToUpdateS3NotificationConfiguration",
  "Effect": "Allow",
  "Action": [
    "s3:GetBucketNotification",
    "s3:PutBucketNotification"
  ],
  "Resource": ["arn:aws:s3:::[YOUR_BUCKET_NAME]"]
}

Update your Amazon S3 bucket policy to sync data in near-real time if you restrict Amazon S3 bucket access.

Amazon Q Business establishes a private connection to an Amazon S3 bucket within AWS’s network to directly fetch Amazon S3 files in near-real time. This solution optimizes performance and eliminates your VPC data transfer costs while maintaining data privacy and security.

If you have an Amazon S3 bucket policy that allows access only through your VPC, update the bucket policy to explicitly allow access by Amazon Q Business:

  • Add a statement that explicitly allows Amazon Q's service principal, qbusiness.amazonaws.com.

  • If you have a Deny statement, add a Condition that excludes Amazon Q's service principal.

{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Allow-Q-Business-Accessing-This-Bucket",
      "Effect": "Allow",
      "Principal": {
        "Service": "qbusiness.amazonaws.com"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::[YOUR_BUCKET_NAME]",
        "arn:aws:s3:::[YOUR_BUCKET_NAME]/*"
      ]
    },
    {
      "Sid": "Bucket-VPC-access-control",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": [
        "arn:aws:s3:::[YOUR_BUCKET_NAME]",
        "arn:aws:s3:::[YOUR_BUCKET_NAME]/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "[vpc-id]",
          "aws:PrincipalServiceName": "qbusiness.amazonaws.com"
        }
      }
    }
  ]
}
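The two policies most often weakened by hand edits are the trust policy above (dropping the aws:SourceAccount / aws:SourceArn conditions lets any Amazon Q Business application in any account assume the role) and the VPC-only bucket Deny (dropping the aws:PrincipalServiceName exclusion silently blocks the connector's direct fetch). The following offline lint, an added example that is not AWS code, checks both; the account, application, bucket and VPC ids in its sample policies are constructed placeholders.

```python
"""Offline lint for the data-source role trust policy and the S3 bucket policy
shown on this page. Added example; not code from AWS or Amazon Q Business."""
import copy

Q_PRINCIPAL = "qbusiness.amazonaws.com"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def trust_policy_findings(policy):
    """Flag sts:AssumeRole grants to the Amazon Q service principal that lack
    the confused-deputy conditions aws:SourceAccount and aws:SourceArn."""
    findings = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or Q_PRINCIPAL not in services:
            continue
        # IAM condition keys are case-insensitive, so compare lower-cased.
        keys = {k.lower() for ops in st.get("Condition", {}).values() for k in ops}
        for needed in ("aws:sourceaccount", "aws:sourcearn"):
            if needed not in keys:
                findings.append(f"{st.get('Sid', '<no Sid>')}: missing {needed}")
    return findings

def bucket_policy_findings(policy):
    """Flag Deny statements keyed on aws:SourceVpc that do not exclude the
    Amazon Q service principal via aws:PrincipalServiceName."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        ne = st.get("Condition", {}).get("StringNotEquals", {})
        excluded = _as_list(ne.get("aws:PrincipalServiceName", []))
        if "aws:SourceVpc" in ne and Q_PRINCIPAL not in excluded:
            findings.append(f"{st.get('Sid', '<no Sid>')}: VPC-only Deny blocks {Q_PRINCIPAL}")
    return findings

# Constructed samples; every id below is a placeholder, not a real resource.
TRUST_OK = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowsAmazonQToAssumeRoleForServicePrincipal", "Effect": "Allow",
    "Principal": {"Service": Q_PRINCIPAL}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}, "ArnLike": {
        "aws:SourceArn": "arn:aws:qbusiness:us-east-1:111122223333:application/app-id-placeholder"}}}]}
TRUST_WEAK = copy.deepcopy(TRUST_OK); del TRUST_WEAK["Statement"][0]["Condition"]  # no conditions
BUCKET_OK = {"Version": "2012-10-17", "Statement": [{"Sid": "Bucket-VPC-access-control",
    "Effect": "Deny", "Principal": "*", "Action": "*", "Resource": "arn:aws:s3:::bucket-placeholder/*",
    "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-placeholder", "aws:PrincipalServiceName": Q_PRINCIPAL}}}]}
BUCKET_WEAK = copy.deepcopy(BUCKET_OK); del BUCKET_WEAK["Statement"][0]["Condition"]["StringNotEquals"]["aws:PrincipalServiceName"]
```

Run `trust_policy_findings` against the JSON returned by `aws iam get-role` and `bucket_policy_findings` against `aws s3api get-bucket-policy` output to catch both regressions before the connector's next sync.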
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.