
Amazon Q Business - Setup
Amazon Q Business is a generative AI-powered assistant. To use it effectively, you first need to set up an account. To begin using Amazon Q Business for the first time, follow the steps below.
Sign Up for an AWS Account
If you do not have an AWS account, complete the following steps to create one.
- Open portal.aws.amazon.com/billing/signup
- Follow the online instructions.
- The sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.
- During sign-up, a root user with full access to your AWS account is created automatically.
- After sign-up, AWS sends you an email to confirm your sign-up. You can manage your account by going to https://aws.amazon.com/ and choosing My Account.
Create User with Administrative Access
After signing up, secure your main AWS account, add extra security, and create a new user for daily tasks.
Secure AWS Account Root User
You can secure your AWS account root user by following the steps mentioned below:
- Sign in to the AWS Management Console as the account owner, using your email and password.
- Add extra security by turning on multi-factor authentication (MFA) for your root user.
Configure Administrative Access
You can create a user with administrative access by following the steps mentioned below:
- Enable IAM Identity Center by following these steps:
  - Sign in to the AWS Management Console in either of the following ways:
    - New to AWS (root user): Sign in as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.
    - Already using AWS (IAM credentials): Sign in using your IAM credentials with administrative permissions.
  - Open the IAM Identity Center console.
  - Under Enable IAM Identity Center, choose Enable with AWS Organizations.
- In IAM Identity Center, grant administrative access to a user. For a tutorial, see Configure user access with the default IAM Identity Center directory.
Sign in Administrative Access
Follow the steps below to sign in as the user with administrative access:
- Sign in with your IAM Identity Center account using the link sent to your email.
- To sign in as an IAM Identity Center user, follow these steps:
  - Paste the sign-in URL that was sent to your email into your browser and press Enter.
  - Sign in using your corporate credentials (like a user name and password).
  - Check your email for the verification code and paste it into the sign-in page.
  - If MFA is enabled for your user in IAM Identity Center, you then authenticate using it.
- After authentication, you can access any AWS account and application that appears in the portal.
  - To sign in to the AWS Management Console, go to the Accounts tab, select the account, and then choose your role to open the console. For command line or programmatic access, select Access keys.
  - To access an application, go to the Applications tab, then select the application you want to use.
Note: If your administrator sent you an email one-time password (OTP) and this is your first time signing in, enter that password. After you're signed in, you must create a new password for future sign-ins.
Note: If you don't get a verification code by email, check with your administrator for details about your verification code.
Note: After you sign in, your AWS access portal session is valid for 8 hours. You are required to sign in again after 8 hours.
Assign Access to Additional Users
You can assign access to additional users by following the steps mentioned below:
- Create a permission set in IAM Identity Center that gives only the necessary access.
- Add users to a group, then give the group access to single sign-on. To add users to the group, follow the steps below:
  - Open the IAM Identity Center console.
  - Choose Groups.
  - Choose Create group.
  - Enter a group name. The description is optional.
  - Choose Create group.
Note: After you add this group to your Identity Center directory, you can assign single sign-on access to this group.
Consider AWS Regions and Endpoints
An endpoint is a URL that serves as the entry point for a web service and is tied to a specific AWS Region. When using Amazon Q Business, make sure all app components, such as retrievers, indexes, and chat experiences, are created in the same Region.
For the Regions and endpoints supported by Amazon Q Business, see Service quotas for Amazon Q Business.
Set up Required Permissions
When you use Amazon Q Business through the AWS Management Console, it automatically adds the necessary permissions for you.
To use Amazon Q Business with the AWS CLI or SDK as an IAM user, you need to give it the necessary permissions so it can create and manage resources for you.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "qbusiness:*",
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
If you're using a customer managed key, add the following permissions:
    "kms:DescribeKey",
    "kms:CreateGrant"
If you're using IAM Identity Center, add the following permissions:
    "sso:CreateApplication",
    "sso:PutApplicationAuthenticationMethod",
    "sso:PutApplicationAccessScope",
    "sso:PutApplicationGrant",
    "sso:DeleteApplication"
To allow Amazon Q to assign user subscriptions, use the following role policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "QBusinessSubscriptionPermissions",
          "Effect": "Allow",
          "Action": [
            "qbusiness:UpdateSubscription",
            "qbusiness:CreateSubscription",
            "qbusiness:CancelSubscription",
            "qbusiness:ListSubscriptions"
          ],
          "Resource": [
            "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}",
            "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/subscription/{{subscription_id}}"
          ]
        },
        {
          "Sid": "QBusinessServicePermissions",
          "Effect": "Allow",
          "Action": [
            "user-subscriptions:UpdateClaim",
            "user-subscriptions:CreateClaim",
            "organizations:DescribeOrganizations",
            "iam:CreateServiceLinkedRole",
            "sso-directory:DescribeGroup",
            "sso-directory:DescribeUser",
            "sso:DescribeApplication",
            "sso:DescribeInstance"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
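The CLI/SDK policy above allows qbusiness:* on every resource, while the subscription role policy scopes one statement to application ARNs and leaves the other on "*". The following Python sketch is an added example, not code from the original page or from AWS: it assembles the CLI/SDK policy from the page's action lists and reports which Allow statements are unscoped, and which of their actions are wildcards, so the grant can be reviewed before it is attached. The function names are hypothetical, the role policy is abridged, and placing the optional actions in the same statement is an assumption.

```python
# Action lists copied from the page; everything else is an added example.
KMS_ACTIONS = ["kms:DescribeKey", "kms:CreateGrant"]
SSO_ACTIONS = ["sso:CreateApplication", "sso:PutApplicationAuthenticationMethod",
               "sso:PutApplicationAccessScope", "sso:PutApplicationGrant",
               "sso:DeleteApplication"]

# Abridged copy of the page's subscription role policy (placeholders kept as-is).
APP_ARN = "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
SUBSCRIPTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "QBusinessSubscriptionPermissions", "Effect": "Allow",
         "Action": ["qbusiness:CreateSubscription", "qbusiness:ListSubscriptions"],
         "Resource": [APP_ARN, APP_ARN + "/subscription/{{subscription_id}}"]},
        {"Sid": "QBusinessServicePermissions", "Effect": "Allow",
         "Action": ["iam:CreateServiceLinkedRole", "sso:DescribeInstance"],
         "Resource": ["*"]},
    ],
}


def as_list(value):
    """IAM allows a bare string/object where a list is expected; normalise it."""
    return list(value) if isinstance(value, (list, tuple)) else [value]


def build_cli_policy(customer_managed_key=False, identity_center=False):
    """Base policy from the page plus the optional actions, only when needed.
    Assumption: the extra actions join the same statement as qbusiness:*."""
    actions = ["qbusiness:*"]
    actions += KMS_ACTIONS if customer_managed_key else []
    actions += SSO_ACTIONS if identity_center else []
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}


def unscoped_grants(policy):
    """Map each Allow statement that has Resource "*" to its wildcard actions."""
    findings = {}
    for index, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
            continue
        label = stmt.get("Sid", f"Statement[{index}]")
        findings[label] = [a for a in as_list(stmt.get("Action", [])) if "*" in a]
    return findings


if __name__ == "__main__":
    print(unscoped_grants(build_cli_policy(customer_managed_key=True)))
    print(unscoped_grants(SUBSCRIPTION_ROLE_POLICY))
```

An empty list against a statement label means the statement is unscoped by resource but names its actions explicitly; a statement that does not appear at all is limited to specific ARNs.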