Amazon Q Developer - Security



Cloud security at AWS is the highest priority, and security is a shared responsibility between AWS and you.

In this chapter you will learn how to configure Amazon Q Developer to meet your security and compliance objectives, and how to use AWS services to monitor and secure your Amazon Q Business resources.

Data Protection

Secure your AWS account by protecting its credentials and setting up individual users with IAM Identity Center or IAM. The following practices help you secure your data:

  • Use multi-factor authentication (MFA) with each account.
  • Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
  • Set up API and user activity logging with AWS CloudTrail.
  • Use AWS encryption solutions, along with all default security controls within AWS services.
  • Use Amazon Macie to discover and secure sensitive data in Amazon S3.
  • If you need FIPS 140-3 validated encryption, use a FIPS endpoint when accessing AWS through the CLI or API.
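As an added example (not from the original chapter), the following Python script turns three of the practices above into detection checks that run over CloudTrail records: root user activity, console logins that succeeded without MFA, and API calls negotiated with a TLS version below 1.2 (CloudTrail records the negotiated version in `tlsDetails.tlsVersion`). The sample events are constructed for this example; the field names are the standard CloudTrail ones.

```python
import json

# Constructed sample CloudTrail records (not real events). Only the fields
# the checks below look at are included.
SAMPLE_EVENTS = [
    {
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {
        "eventName": "ListBuckets",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256"},
    },
    {
        "eventName": "SendMessage",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/dev/ci"},
        "tlsDetails": {"tlsVersion": "TLSv1.1", "cipherSuite": "AES128-SHA"},
    },
]

# Ordering of the version strings CloudTrail uses; anything unknown is treated as old.
TLS_ORDER = {"TLSv1": 0, "TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


def load_trail_file(text):
    """Parse the JSON body of a CloudTrail log file, which wraps events in a
    top-level "Records" array."""
    return json.loads(text).get("Records", [])


def tls_below_1_2(version):
    """True when a recorded TLS version is older than 1.2 (or unrecognised)."""
    return TLS_ORDER.get(version, -1) < 2


def check_event(event):
    """Return a list of (finding, principal_arn) tuples for one CloudTrail record."""
    findings = []
    ident = event.get("userIdentity", {})
    arn = ident.get("arn", "<unknown>")

    # Day-to-day use of the root user is a finding in itself.
    if ident.get("type") == "Root":
        findings.append(("root-user-activity", arn))

    # A successful console login must have used MFA.
    if event.get("eventName") == "ConsoleLogin":
        mfa = event.get("additionalEventData", {}).get("MFAUsed")
        success = event.get("responseElements", {}).get("ConsoleLogin") == "Success"
        if success and mfa != "Yes":
            findings.append(("console-login-without-mfa", arn))

    # API calls should be made over TLS 1.2 or later.
    tls = event.get("tlsDetails", {}).get("tlsVersion")
    if tls is not None and tls_below_1_2(tls):
        findings.append(("tls-below-1.2", arn))
    return findings


def scan(events):
    """Run check_event over every record and flatten the findings."""
    out = []
    for event in events:
        out.extend(check_event(event))
    return out


if __name__ == "__main__":
    for finding, arn in scan(SAMPLE_EVENTS):
        print(f"{finding}: {arn}")
```

Point `scan(load_trail_file(...))` at the gzipped log files CloudTrail delivers to S3, or at a CloudWatch Logs export, to run the same checks on real data.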

Identity and access management

AWS Identity and Access Management (IAM) is an AWS service that securely controls access to AWS resources by managing authentication and authorization, at no additional cost.

  • Audience: How you use AWS Identity and Access Management depends on your role and tasks in Amazon Q:
    • Service user: If you use the Amazon Q service to do your job, then your administrator provides you with the credentials and permissions that you need.
    • Service administrator: If you're in charge of Amazon Q resources at your company, you probably have full access to Amazon Q.
    • IAM administrator: If you're an IAM administrator, you might want to learn details about how you can write policies to manage access to Amazon Q.
  • Authenticating with identities: Authentication is how you sign in to AWS with your credentials. You sign in as the root user, as an IAM user, or by assuming an IAM role.
  • AWS account root user: When you create an AWS account, you get a main identity with full access to all AWS services and resources. This is called the root user.
  • Federated identity: A federated identity is a user from your company directory, a web provider, or another identity source that accesses AWS services with provided credentials.
  • IAM users and groups: An IAM user is an identity in your AWS account with specific permissions for one person or application, and an IAM group is an identity that specifies a collection of IAM users.
  • IAM roles: An IAM role is an identity in your AWS account with specific permissions, but it is not tied to a specific person.
    • Federated user access: To assign permissions to a federated identity, you create a role and define permissions for the role.
    • Temporary IAM user permissions: An IAM user or role can assume an IAM role to temporarily take on different permissions for a specific task.
    • Cross-account access: You can use an IAM role to allow someone in a different account to access resources in your account.
    • Cross-service access: Some AWS services use features in other AWS services; this is called cross-service access.
    • Applications running on Amazon EC2: Use IAM roles to manage temporary credentials for EC2 instance apps, instead of storing access keys.
  • Managing access using policies: A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. Control access in AWS by creating policies and attaching them to identities or resources.
  • Identity-based policies: Identity-based policies are documents that define permissions and can be attached to IAM users, groups, or roles.
  • Resource-based policies: Resource-based policies are rules that define access to a specific resource, such as an IAM role or an Amazon S3 bucket.
  • Access control lists (ACLs): ACLs decide who can access a resource. They're like policies, but in a different format.
  • Other policy types: AWS supports additional, less-common policy types such as Permissions boundaries, Service control policies (SCPs), Session policies.
  • Multiple policy types: When multiple policy types apply to a request, it is harder to determine what is allowed, because all of them are evaluated together.
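To make the last point concrete, here is an added example (not from the original chapter, and not AWS code) of a small Python evaluator for the policy types listed above. It models the rule a practitioner has to keep in mind: an explicit Deny in any applicable policy wins, each applicable gate (SCP, permissions boundary, session policy) must itself contain an Allow, and at least one identity-based policy must Allow, otherwise the request is implicitly denied. The policy documents are constructed for the example; the `q:` action names are used only to show the mechanics and should be checked against the Amazon Q action list before use, and conditions, NotAction/NotResource and resource-based policies are deliberately not modelled.

```python
import fnmatch

# Illustrative policy documents, constructed for this example.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["q:StartConversation", "q:SendMessage"],
         "Resource": "*"}
    ],
}
PERMISSIONS_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "q:*", "Resource": "*"}],
}
NARROW_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "q:StartConversation", "Resource": "*"}],
}
SCP_WITH_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "q:SendMessage", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string/object or a list in most fields; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(patterns, value):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def policy_decision(policy, action, resource):
    """Return "Deny" if any matching statement denies, "Allow" if one allows,
    or None when no statement matches (an implicit deny)."""
    effects = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if _matches(stmt.get("Action", []), action) and _matches(stmt.get("Resource", []), resource):
            effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return None


def is_allowed(action, resource, identity_policies, scp=None, boundary=None, session_policy=None):
    """Simplified evaluation of a same-account request by an IAM principal.
    1. An explicit Deny in any applicable policy type wins.
    2. Every applicable gate (SCP, permissions boundary, session policy) must Allow.
    3. At least one identity-based policy must Allow; otherwise implicit deny."""
    identity = [policy_decision(p, action, resource) for p in _as_list(identity_policies)]
    gates = [policy_decision(p, action, resource)
             for p in (scp, boundary, session_policy) if p is not None]
    if "Deny" in identity or "Deny" in gates:
        return False
    if any(g != "Allow" for g in gates):
        return False
    return "Allow" in identity


def run_demo():
    """Evaluate one action under different combinations of policy types."""
    act, res = "q:SendMessage", "*"
    return {
        "identity only": is_allowed(act, res, IDENTITY_POLICY),
        "with broad boundary": is_allowed(act, res, IDENTITY_POLICY, boundary=PERMISSIONS_BOUNDARY),
        "with narrow boundary": is_allowed(act, res, IDENTITY_POLICY, boundary=NARROW_BOUNDARY),
        "with SCP deny": is_allowed(act, res, IDENTITY_POLICY, scp=SCP_WITH_DENY,
                                    boundary=PERMISSIONS_BOUNDARY),
        "unlisted action": is_allowed("s3:GetObject", res, IDENTITY_POLICY,
                                      boundary=PERMISSIONS_BOUNDARY),
    }


if __name__ == "__main__":
    for case, allowed in run_demo().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'}")
```

The "with narrow boundary" and "with SCP deny" cases are the ones that surprise people in practice: the identity-based policy grants the action, yet the request is denied because a boundary fails to allow it or an SCP explicitly denies it. For real decisions, use the IAM policy simulator rather than a model like this.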

Compliance validation

Your compliance responsibility when using AWS depends on the sensitivity of your data, your company's objectives, and the laws and regulations that apply to you. AWS provides the following resources to help with compliance:

  • Security and Compliance Quick Start Guides: These guides help you set up secure and compliant environments on AWS.
  • Architecting for HIPAA Security and Compliance on Amazon Web Services: This whitepaper describes how companies can use AWS to create HIPAA-eligible applications.
  • AWS Compliance Resources: This collection of workbooks and guides might apply to your industry and location.
  • AWS Customer Compliance Guides: These guides outline AWS security best practices and align with NIST, PCI, and ISO frameworks.
  • Evaluating Resources with Rules in the AWS Config Developer Guide: The AWS Config service assesses how well your resource configurations comply with internal practices, industry guidelines, and regulations.
  • AWS Security Hub: Security Hub gives you a complete view of your AWS security and checks if you're meeting industry standards.

Resilience

AWS has a global infrastructure built on Regions and Availability Zones. Availability Zones are separate, interconnected, and redundant, allowing you to build highly available, fault-tolerant, and scalable applications that fail over automatically between zones without downtime.

Infrastructure security

Amazon Q Business is protected by the AWS global network security procedures. You access Amazon Q Business through the network using AWS published API calls. Clients must support the following:

  • Transport Layer Security (TLS) 1.0 or later. We recommend TLS 1.2 or later.
  • Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman).
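As an added example (not part of the original chapter), the following Python code builds a client-side TLS configuration that enforces the recommended settings above on the client's side: it refuses anything below TLS 1.2 and offers only cipher suites with perfect forward secrecy. It uses only the standard library `ssl` module; the cipher string is an OpenSSL cipher list, and `is_pfs_cipher` classifies suites by their OpenSSL names (ECDHE/DHE suites, and every TLS 1.3 suite, which always uses an ephemeral key exchange).

```python
import ssl


def is_pfs_cipher(name):
    """Classify an OpenSSL cipher-suite name by its key exchange.
    ECDHE-* and DHE-* suites use ephemeral Diffie-Hellman; TLS 1.3 suites
    (TLS_* names) negotiate ephemeral keys by design. Everything else
    (e.g. plain RSA key transport such as AES128-SHA) is not PFS."""
    return name.startswith(("ECDHE-", "DHE-", "TLS_"))


def make_client_context():
    """Build a client SSLContext that requires TLS 1.2 or later and offers
    only ephemeral-DH (PFS) AEAD cipher suites for TLS 1.2 connections."""
    ctx = ssl.create_default_context()          # CA verification and hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restrict TLS 1.2 suites to ECDHE/DHE with AES-GCM or ChaCha20-Poly1305.
    # TLS 1.3 suites are configured separately by OpenSSL and are always PFS.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20")
    return ctx


def offered_ciphers(ctx):
    """Names of the cipher suites this context will offer in a ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


def all_pfs(ctx):
    """True when every suite the context offers provides forward secrecy."""
    return all(is_pfs_cipher(n) for n in offered_ciphers(ctx))


def minimum_is_tls12(ctx):
    return ctx.minimum_version == ssl.TLSVersion.TLSv1_2


def verifies_peer(ctx):
    """Certificate validation must stay on; PFS is pointless against an unverified peer."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    ctx = make_client_context()
    print("minimum TLS 1.2:", minimum_is_tls12(ctx))
    print("all suites PFS:", all_pfs(ctx))
    for name in offered_ciphers(ctx):
        print("  ", name)
```

The context can be handed to `http.client.HTTPSConnection(host, context=ctx)` or to any client library that accepts an `SSLContext`, so every connection to an AWS endpoint inherits the same floor.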

Amazon VPC endpoints (AWS PrivateLink)

Interface endpoints, powered by AWS PrivateLink, let you access Amazon Q Business APIs privately from your VPC without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. No public IP addresses are needed.

Creating an interface VPC endpoint

You can create an interface endpoint for Amazon Q Business using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI).

Create an interface endpoint for Amazon Q Business using the following service name:

com.amazonaws.region.q

When you create the interface endpoint, a DNS name is generated for it, in the format q.us-east-1.amazonaws.com.
