Amazon Q Business - Security

Cloud security at AWS is the highest priority, and security is a shared responsibility between AWS and you.

In this chapter we are going to learn how to configure Amazon Q Business to meet your security and compliance objectives, and how to use AWS services to monitor and secure your Amazon Q Business resources.

Data Protection

Secure your AWS account by protecting credentials and setting up individual users with IAM Identity Center or IAM. The following are ways to secure your data:

  • Use multi-factor authentication (MFA) with each account.
  • Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
  • Set up API and user activity logging with AWS CloudTrail.
  • Use AWS encryption solutions, along with all default security controls within AWS services.
  • Use Amazon Macie to discover and secure sensitive data in Amazon S3.
  • If you need FIPS 140-3 validated encryption, use a FIPS endpoint when accessing AWS through the CLI or API.

Amazon VPC Endpoints (AWS PrivateLink)

Interface endpoints are powered by AWS PrivateLink and let you access the Amazon Q Business APIs privately, without an internet gateway, NAT device, VPN connection, or Direct Connect connection. The resources in your VPC do not need public IP addresses to reach the service.

Creating an interface VPC endpoint

You can create an interface endpoint for Amazon Q Business using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI).

Create an interface endpoint for Amazon Q Business using the following service name:

aws.api.region.qbusiness

After creating the VPC endpoint, use the AWS CLI with the --endpoint-url parameter to send requests to the Amazon Q Business API through that endpoint:

aws qbusiness list-applications --endpoint-url https://VPC endpoint

Creating an interface endpoint generates a DNS name for it, in the format vpce-{ID}-{REGION}.qbusiness.{REGION}.vpce.amazonaws.com; that name is what the command above expects after https://.

Enable private DNS for the endpoint so that API requests made to the default regional DNS name of Amazon Q Business, e.g., qbusiness.{REGION}.api.aws, resolve to the interface endpoint instead of the public service address.

Creating a VPC Endpoint Policy

An endpoint policy is an IAM resource that you can attach to an interface endpoint. An endpoint policy specifies the following information:

  • The principals (authorized users) who can perform actions: AWS accounts, IAM users, and IAM roles.
  • The actions that can be performed.
  • The resources on which the actions can be performed.

Example: VPC endpoint policy for Amazon Q Business actions.

{
    "Statement": [
        {
            "Principal": "*",
            "Effect": "Allow",
            "Action": [
                "qbusiness:*"
            ],
            "Resource": "*"
        }
    ]
}

Identity & Access Management

AWS Identity and Access Management (IAM) is an AWS service that securely controls access to AWS resources by managing authentication and authorization. It is available at no additional cost.

  • Audience: How you use AWS Identity and Access Management varies based on your role and the tasks you perform in Amazon Q. The common roles are:
    • Service user: If you use the Amazon Q service to do your job, then your administrator provides you with the credentials and permissions that you need.
    • Service administrator: If you're in charge of Amazon Q resources at your company, you probably have full access to Amazon Q.
    • IAM administrator: If you're an IAM administrator, you might want to learn details about how you can write policies to manage access to Amazon Q.
  • Authenticating with identities: Authentication is signing in to AWS with your credentials. You need to sign in as the root user, an IAM user, or an IAM role.
  • AWS account root user: When you create an AWS account, you get a main identity with full access to all AWS services and resources. This is called the root user.
  • Federated identity: A federated identity is a user from your company directory, a web provider, or another identity source that accesses AWS services with provided credentials.
  • IAM users and groups: An IAM user is an identity in your AWS account with specific permissions for one person or application, and an IAM group is an identity that specifies a collection of IAM users.
  • IAM roles: IAM role is an identity in your AWS account with specific permissions, but not tied to a specific person.
    • Federated user access: To assign permissions to a federated identity, you create a role and define permissions for the role.
    • Temporary IAM user permissions: An IAM user or role can assume an IAM role to temporarily take on different permissions for a specific task.
    • Cross-account access: You can use an IAM role to allow someone in a different account to access resources in your account.
    • Cross-service access: Some AWS services use features in other AWS services; this is called cross-service access.
    • Applications running on Amazon EC2: Use IAM roles to manage temporary credentials for EC2 instance apps, instead of storing access keys.
  • Managing access using policies: A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. Control access in AWS by creating policies and attaching them to identities or resources.
  • Identity-based policies: Identity-based policies are documents that define permissions and can be attached to IAM users, groups, or roles.
  • Resource-based policies: Resource-based policies are rules that define access to a specific resource, such as an IAM role or an Amazon S3 bucket.
  • Access control lists (ACLs): ACLs decide who can access a resource. They're like policies, but in a different format.
  • Other policy types: AWS supports additional, less-common policy types such as Permissions boundaries, Service control policies (SCPs), Session policies.
  • Multiple policy types: When more than one policy type applies to a request, working out the resulting permissions is more complex, because every applicable policy must allow the action.

Compliance Validation

AWS compliance depends on data sensitivity, company objectives, and laws. AWS provides the following resources to help with compliance:

  • Security and Compliance Quick Start Guides: These guides help you set up secure and compliant environments on AWS.
  • Architecture for HIPAA Security and Compliance on Amazon Web Services: This whitepaper describes how companies can use AWS to create HIPAA-eligible applications.
  • AWS Compliance Resources: This collection of workbooks and guides might apply to your industry and location.
  • AWS Customer Compliance Guides: These guides outline AWS security best practices and align with NIST, PCI, and ISO frameworks.
  • Evaluating Resources with Rules in the AWS Config Developer Guide: The AWS Config service assesses how well your resource configurations comply with internal practices, industry guidelines, and regulations.
  • AWS Security Hub: Security Hub gives you a complete view of your AWS security and checks if you're meeting industry standards.
  • Amazon GuardDuty: GuardDuty detects threats to your AWS resources by monitoring for suspicious activity, helping you meet compliance requirements like PCI DSS.
  • AWS Audit Manager: Audit Manager helps you track your AWS usage to simplify risk and compliance management.

Resilience

AWS has a global infrastructure built from Regions and Availability Zones. Availability Zones are physically separate from one another yet interconnected and redundant, allowing you to build highly available, fault-tolerant, and scalable applications that can fail over between zones without downtime.

Infrastructure Security

Amazon Q Business is protected by the AWS global network security procedures. You use AWS published API calls to access Amazon Q Business through the network. Clients must support the following:

  • Transport Layer Security (TLS) 1.0 or later. We recommend TLS 1.2 or later.
  • Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman).
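The two client requirements above (a modern TLS version and forward-secret cipher suites) translate directly into client configuration. The following is an added example, not code from the page or from AWS, showing how a Python client using the standard ssl module enforces a TLS 1.2 minimum and restricts the TLS 1.2 cipher list to ECDHE key exchange with AEAD ciphers; the OpenSSL cipher string PFS_CIPHERS is this example's own choice, and the helper that classifies suite names by their prefix is an assumption about OpenSSL naming conventions.

```python
import ssl

# Minimum TLS version the client will negotiate (the page recommends 1.2 or later).
MIN_TLS = ssl.TLSVersion.TLSv1_2

# OpenSSL cipher string chosen for this example: TLS 1.2 suites limited to
# ECDHE key exchange with AEAD ciphers (AES-GCM or ChaCha20-Poly1305).
# TLS 1.3 suites are always forward secret and are managed separately by OpenSSL.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def is_forward_secret(cipher_name: str) -> bool:
    """Return True if a suite name implies an ephemeral (EC)DHE key exchange.

    Assumption: OpenSSL names TLS 1.2 PFS suites with an 'ECDHE-' or 'DHE-'
    prefix, and every TLS 1.3 suite (names starting with 'TLS_') uses an
    ephemeral key exchange, so those count as forward secret as well.
    """
    return cipher_name.startswith(("ECDHE-", "DHE-", "TLS_"))


def build_client_context() -> ssl.SSLContext:
    """Build a client context that refuses TLS < 1.2 and non-PFS suites."""
    ctx = ssl.create_default_context()  # certificate and hostname verification on
    ctx.minimum_version = MIN_TLS
    ctx.set_ciphers(PFS_CIPHERS)
    return ctx


def enabled_non_pfs_ciphers(ctx: ssl.SSLContext) -> list:
    """List enabled suites that do not provide forward secrecy (expected: none)."""
    return [c["name"] for c in ctx.get_ciphers() if not is_forward_secret(c["name"])]


if __name__ == "__main__":
    context = build_client_context()
    print("minimum TLS version:", context.minimum_version.name)
    print("non-PFS suites still enabled:", enabled_non_pfs_ciphers(context))
    for suite in context.get_ciphers():
        print(f"  {suite['protocol']:<8} {suite['name']}")
```

Pass the returned context to urllib, http.client or any library that accepts an SSLContext; a server that only offers TLS 1.0/1.1 or RSA key-transport suites will then fail the handshake instead of silently downgrading.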

Cross-Service Confused Deputy Prevention

The confused deputy problem occurs when a less-privileged entity tricks a more-privileged one into performing an action it's not allowed to do.

Protect against the confused deputy problem by using the aws:SourceArn condition key in the resource policy, giving the full ARN of the resource, or using wildcard characters (*) for the portions of the ARN you don't know.

If the aws:SourceArn value doesn't contain the account ID, such as an Amazon S3 bucket ARN, you must use both global condition context keys to limit permissions.

The value of aws:SourceArn must be ResourceDescription.

Use aws:SourceArn and aws:SourceAccount global condition context keys in Amazon Q Business to prevent the confused deputy problem.

{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "ConfusedDeputyPreventionExamplePolicy",
        "Effect": "Allow",
        "Principal": {
            "Service": "qbusiness.amazonaws.com"
        },
        "Action": "qbusiness:ActionName",
        "Resource": [
            "arn:aws:qbusiness:::ResourceName/*"
        ],
        "Condition": {
            "ArnLike": {
                "aws:SourceArn": "arn:aws:qbusiness:*:123456789012:*"
            },
            "StringEquals": {
                "aws:SourceAccount": "123456789012"
            }
        }
    }
}
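Both policy documents in this chapter, the VPC endpoint policy in the PrivateLink section and the confused-deputy template above, are easy to review by eye once, but they drift as accounts grow. The following is an added example, not code from the page or from AWS, of a small offline policy checker: it flags Allow statements for a service principal that lack the aws:SourceArn / aws:SourceAccount conditions the page calls for, and separately flags statements that grant a wildcard action on every resource to Principal "*" (which is what the page's endpoint policy example does). The sample policies are constructed here from the page's two templates; the account ID 123456789012 is the page's placeholder, and the scoped endpoint policy with specific qbusiness actions is this example's own illustration.

```python
import json

# Condition operators that can carry aws:SourceArn / aws:SourceAccount.
ARN_OPERATORS = ("ArnLike", "ArnEquals", "ArnLikeIfExists", "ArnEqualsIfExists")
ACCOUNT_OPERATORS = ("StringEquals", "StringEqualsIfExists")


def _as_list(value):
    """IAM allows scalars or lists for Statement, Action, Resource and Service."""
    return value if isinstance(value, list) else [value]


def _condition_has(condition: dict, operators, key: str) -> bool:
    """True if any listed operator block carries `key` (condition keys are case-insensitive)."""
    return any(k.lower() == key.lower() for op in operators for k in condition.get(op, {}))


def check_confused_deputy(policy: dict) -> list:
    """Flag Allow statements for an AWS service principal that lack SourceArn/SourceAccount."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict) or "Service" not in principal:
            continue  # only service principals can be confused deputies here
        services = ", ".join(_as_list(principal["Service"]))
        cond = stmt.get("Condition", {})
        if not _condition_has(cond, ARN_OPERATORS, "aws:SourceArn"):
            findings.append(f"statement {i} ({services}): no aws:SourceArn condition")
        if not _condition_has(cond, ACCOUNT_OPERATORS, "aws:SourceAccount"):
            findings.append(f"statement {i} ({services}): no aws:SourceAccount condition")
    return findings


def check_wildcard_grants(policy: dict) -> list:
    """Flag Allow statements granting a wildcard action on every resource to any principal."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        open_principal = stmt.get("Principal") in ("*", {"AWS": "*"})
        wild_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", [])))
        wild_resource = "*" in _as_list(stmt.get("Resource", []))
        if open_principal and wild_action and wild_resource:
            findings.append(f"statement {i}: Principal '*' with wildcard Action and Resource")
    return findings


# --- Constructed sample policies (modelled on the page's two templates) ---

# Confused-deputy template from the page, with both condition keys present.
SERVICE_POLICY_HARDENED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "ConfusedDeputyPreventionExamplePolicy",
    "Effect": "Allow",
    "Principal": {"Service": "qbusiness.amazonaws.com"},
    "Action": "qbusiness:ActionName",
    "Resource": ["arn:aws:qbusiness:::ResourceName/*"],
    "Condition": {
      "ArnLike": {"aws:SourceArn": "arn:aws:qbusiness:*:123456789012:*"},
      "StringEquals": {"aws:SourceAccount": "123456789012"}
    }
  }
}""")

# Same trust grant with the Condition block removed: any caller that can make the
# service act on its behalf could reach this resource.
SERVICE_POLICY_WEAK = json.loads(json.dumps(SERVICE_POLICY_HARDENED))
del SERVICE_POLICY_WEAK["Statement"]["Condition"]

# The page's VPC endpoint policy: every principal, every qbusiness action, every resource.
ENDPOINT_POLICY_OPEN = {
    "Statement": [{"Principal": "*", "Effect": "Allow", "Action": ["qbusiness:*"], "Resource": "*"}]
}

# Illustrative tightened endpoint policy (this example's own): one account, named actions.
ENDPOINT_POLICY_SCOPED = {
    "Statement": [{
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Effect": "Allow",
        "Action": ["qbusiness:ListApplications", "qbusiness:GetApplication"],
        "Resource": "*"
    }]
}


def lint(policy: dict) -> list:
    """Run both checks and return the combined findings (empty list means clean)."""
    return check_confused_deputy(policy) + check_wildcard_grants(policy)


if __name__ == "__main__":
    for name, pol in [("hardened", SERVICE_POLICY_HARDENED), ("weak", SERVICE_POLICY_WEAK),
                      ("endpoint-open", ENDPOINT_POLICY_OPEN), ("endpoint-scoped", ENDPOINT_POLICY_SCOPED)]:
        print(f"{name}: {lint(pol) or 'no findings'}")
```

The wildcard check is deliberately narrow (all three of principal, action and resource must be open) so it reports the pattern from the page's endpoint policy without flooding you with every `Resource: "*"` that a list-type API legitimately needs; loosen it to taste when you wire it into a CI check over your account's policies.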

Configuration and Vulnerability Analysis

AWS takes care of basic security tasks, such as updating the operating system and database, configuring firewalls, and recovering from disasters. These tasks have been checked and approved by trusted third parties.

Security Best Practices

Amazon Q Business offers security features to inform your security policies. Follow best practices as guidelines, not a complete solution, and adapt them to your environment.

Apply Principle of Least Privilege

Amazon Q uses IAM roles to control access to applications. Give roles only the necessary permissions for the job, and regularly review and update permissions as your application changes.

Role-Based Access Control (RBAC) Permissions

Administrators should strictly control role-based access control (RBAC) permissions for Amazon Q applications.
