Amazon Q Business recently added support for administrators to modify the default access control list (ACL) crawling feature for data source connectors.
Amazon Q Business is a fully managed, AI-powered assistant with enterprise-grade security and privacy features. It includes over 40 data source connectors that crawl and index documents. By default, Amazon Q Business indexes the ACL information attached to documents along with the documents themselves and uses it to filter chat responses based on the user's document access. With this new feature, you can enable or disable ACL crawling as required by your business use case.
This post introduces the new ACL toggle feature for Amazon Q Business, which you can use to enable or disable ACL crawling. We'll explore use cases for disabling ACLs and discuss how to safely enable or disable ACL crawling.
Overview of access control list crawling
Amazon Q Business data source connectors crawl various data sources to collect and index content in Amazon Q Business for fast discovery and retrieval when answering user queries. These data sources often contain documents with different classifications such as public, internal public, private, and confidential. To provide fine-grained control over access rights, you can attach ACLs to documents, allowing you to specify different levels of access for various users or groups. To verify that Amazon Q Business respects access control policies and that users only receive responses for content they're authorized to access, the data source connectors automatically crawl for the access permissions associated with the content, user identifiers, and groups.
The preceding figure illustrates the Amazon Q Business data source crawler with ACL crawling enabled. As the connector retrieves content from the data source, it examines the associated ACL and compiles a list of users and groups with read permissions for each document. The connector also collects user identifiers, which are stored in the Amazon Q Business user store for quick matching during query execution. Both the ACL and the content are optimized and stored in the Amazon Q Business index storage, enabling secure and efficient retrieval when answering user queries. For more information on the user store, see Understanding Amazon Q Business User Store.
When to disable ACL crawling?
ACL crawling builds a security-aware index that respects the access control policies in the primary data source. This process helps maintain the data privacy and access control required for regulatory compliance, making sure that sensitive information isn't inadvertently exposed through user query results. It provides a scalable mechanism to handle large amounts of content while maintaining consistency between the actual access controls on the data and what's discoverable through search. Because of these advantages, ACL crawling is strongly recommended for all data sources. However, there are some circumstances when you might need to disable it. The following are some reasons why you might disable ACL crawling.
Internally public content
Organizations often designate certain data sources as internally public, including HR policies, IT knowledge bases, and wiki pages. For instance, a company might allocate an entire Microsoft SharePoint site for policies accessible to all employees, classifying it as internal-public. In such cases, crawling ACLs for permissions that include all employees can be costly and create unnecessary overhead. Turning off ACL crawling can be advantageous in these scenarios.
Data source contains irreconcilable identities
Amazon Q Business requires all users to authenticate with an enterprise-approved identity provider (IdP). After successful authentication, Amazon Q Business uses the IdP-provided user identifier to match against the user identifier fetched from the data source during ACL crawling. This process validates user access to content before retrieving it for query responses.
However, because of legacy issues such as mergers and acquisitions, data source configuration limitations, or other constraints, the primary user identifier from the IdP might differ from the one in the data source. This discrepancy can prevent Amazon Q Business from retrieving relevant content from the index and answering user queries effectively.
In such cases, it might be necessary to disable ACL crawling and use alternative options. These include implementing attribute filters or building dedicated restricted applications with access limited to specific audiences and content. For more information on attribute filters, see Filtering chat responses using document attributes.
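To make the matching step and its failure mode concrete, here is a toy model of ACL-aware retrieval. It is an added example, not code from the AWS post, and its index layout, documents, users and groups are constructed for illustration; it is not the Amazon Q Business index or user store format. It shows a user being filtered by the crawled ACL, the same user losing access when the IdP identifier no longer matches the crawled one (the irreconcilable-identity case above), and every document becoming reachable when the connector was created with ACL crawling disabled.

```python
"""Toy model of ACL-aware retrieval: the sign-in identity from the IdP is
matched against the principals crawled from the data source ACL.

Added example, not from the AWS post. Index layout, documents, users and
groups are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class IndexedDoc:
    doc_id: str
    text: str
    # Principals with read permission, as crawled from the source ACL.
    # None models a connector created with ACL crawling disabled.
    readers: Optional[Set[str]] = None


@dataclass
class Principal:
    user_id: str                       # identifier supplied by the IdP at sign-in
    groups: Set[str] = field(default_factory=set)


# Constructed sample index: ACL crawling enabled.
INDEX: List[IndexedDoc] = [
    IndexedDoc("hr-1", "Leave policy for all staff", {"group:all-employees"}),
    IndexedDoc("fin-7", "Q3 board deck (confidential)",
               {"user:cfo@example.com", "group:finance-leads"}),
    IndexedDoc("wiki-3", "On-call runbook", {"group:sre"}),
]

# Same documents indexed by a connector with ACL crawling disabled.
INDEX_NO_ACL: List[IndexedDoc] = [IndexedDoc(d.doc_id, d.text, None) for d in INDEX]


def can_read(doc: IndexedDoc, principal: Principal) -> bool:
    """ACL check at query time. With no crawled ACL, anyone with application
    access can read the document, which is exactly the post's note of caution."""
    if doc.readers is None:
        return True
    ids = {f"user:{principal.user_id}"} | {f"group:{g}" for g in principal.groups}
    return not ids.isdisjoint(doc.readers)


def search(index: List[IndexedDoc], principal: Principal, query: str) -> List[str]:
    """Keyword search that drops every hit the principal is not allowed to read."""
    q = query.lower()
    return [d.doc_id for d in index if q in d.text.lower() and can_read(d, principal)]


if __name__ == "__main__":
    cfo = Principal("cfo@example.com", {"all-employees"})
    print("matching identity:", search(INDEX, cfo, "board"))          # ['fin-7']
    # After a merger the IdP returns a different identifier than the one the
    # connector crawled from the data source (constructed mismatch).
    renamed = Principal("cfo@example.net", {"all-employees"})
    print("mismatched identity:", search(INDEX, renamed, "board"))    # []
    print("ACL crawling disabled:", search(INDEX_NO_ACL, renamed, "board"))  # ['fin-7']
```

The mismatched-identity case returns nothing even though the document is indexed, which is the symptom described under troubleshooting later in the post; turning ACL crawling off resolves it only by making the document visible to every application user.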
Use case-driven targeted deployments
As a fully managed service, Amazon Q Business can be quickly deployed in multiple instances for scoped-down, targeted use cases. Examples include an HR bot in Slack or an AI assistant for customer support agents in a contact center. Because these AI assistants can be deployed for a limited audience, and the indexed content can be generally available to all users with application access, ACL crawling can be turned off.
Note of caution
Amazon Q Business can't enforce access controls if ACL crawling is disabled. When ACL crawling is disabled for a data source, indexed content in that source will be considered accessible to every user with access to the Amazon Q Business application. Therefore, disabling ACL crawling should be done with caution and due diligence. The following are some recommended best practices:
- Notify data source content owners and administrators of your intent to disable ACL crawling and obtain their approval beforehand.
- If applicable, consider implementing alternative options such as attribute filtering to restrict content retrieval, or deploying a scoped-down, use-case-driven deployment to a limited audience.
- Maintain a decision document that clearly articulates the reasons for disabling ACL crawling, the scope of affected content, and the precautions taken to prevent indexing of sensitive information.
Note: As a precaution, you cannot disable ACL crawling for an existing Amazon Q Business data source that already has ACL crawling enabled. To disable ACL crawling, you must delete the data source and recreate it. You can only disable ACL crawling during the data source creation process, and this requires an account administrator to grant permission for disabling ACL crawling when configuring the data source.
Procedures for configuring ACL crawling
Amazon Q Business ACL crawling helps protect your data. Amazon Q Business provides safeguards to help administrators and developers avoid accidentally disabling ACL crawling. In this section, we'll cover how you can allow or deny the option to disable ACL crawling, walk through the procedures to enable or disable ACL crawling, explain how to monitor logs for ACL crawling configuration changes, and troubleshoot common issues.
Personas for configuring ACL crawling
ACL crawling configuration typically involves multiple roles, depending on your organizational structure. To maximize safeguards, it's recommended that these roles are filled by different individuals. For faster deployments, identify the necessary personnel within your organization before starting the project and ensure they collaborate to complete the configuration. Here are the common roles needed for ACL crawling configuration:
- AWS account administrator – An AWS account administrator is a user with full access to AWS services and the ability to manage IAM resources and permissions in the account. They can create and manage organizations, enabling centralized management of multiple AWS accounts.
- Amazon Q Business administrator – An Amazon Q Business administrator is typically a user or role responsible for managing and configuring the Amazon Q Business service. Their responsibilities include creating and optimizing Amazon Q Business indexes, setting up guardrails, and tuning relevance. They also set up and maintain connections to the various data sources that Amazon Q Business will index, such as Amazon Simple Storage Service (Amazon S3) buckets, SharePoint, Salesforce, and Confluence.
Prerequisites for ACL crawling
- An Amazon Q Business application.
- An Amazon Q Business data source connector that supports ACL crawling configuration.
- Data source authentication that meets the permissions required for crawling content and ACLs.
Process to disallow the option to disable ACL crawling
By default, the option to disable ACL crawling is enabled for an account. AWS account administrators can disallow this feature by setting up an account-level policy. It's recommended to configure an explicit deny for production accounts by default. The following shows the relevant actions in relation to the personas involved in the configuration process.
Administrators can attach the IAM action qbusiness:DisableAclOnDataSource to the Amazon Q Business administrator user or role policy to deny or allow the option to disable ACL crawling. The example IAM policy code snippet that follows demonstrates how to set up an explicit deny.
Note that even when the option to disable ACL crawling is denied, the user interface might not grey out this option. However, if you attempt to create a data source with this option disabled, it will fail the validation check, and Amazon Q Business won't create the data source.
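The following is an added example, not the snippet from the AWS post. It writes out the explicit-deny policy for the qbusiness:DisableAclOnDataSource action (the action name is the one the post gives; the Sid values and the surrounding Allow statement are constructed), shows the same Deny as an AWS Organizations service control policy, which the key considerations later in the post recommend, and runs a deliberately simplified local evaluation of IAM's deny-overrides-allow rule so you can see why a temporarily lifted role Deny still does nothing while the SCP is in place. The evaluator is a teaching aid, not IAM's real decision logic: conditions, resource ARNs and permission boundaries are not modelled.

```python
"""Explicit deny for qbusiness:DisableAclOnDataSource, as an identity-based
policy and as an SCP, plus a simplified local check of deny-overrides-allow.

Added example, not from the AWS post. The action name comes from the post;
Sid values, the Allow statement and the evaluator are constructed.
"""
import fnmatch
import json

# Identity-based policy for the Amazon Q Business administrator role.
# The Allow stands in for the role's day-to-day permissions (constructed);
# the Deny is the safeguard the post recommends.
ADMIN_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QBusinessAdminDayToDay",
            "Effect": "Allow",
            "Action": "qbusiness:*",
            "Resource": "*",
        },
        {
            "Sid": "DenyDisablingAclCrawling",
            "Effect": "Deny",
            "Action": "qbusiness:DisableAclOnDataSource",
            "Resource": "*",
        },
    ],
}

# The same Deny as an AWS Organizations service control policy. SCPs only
# restrict and never grant, so no Allow statement is needed here.
DISABLE_ACL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OrgDenyDisablingAclCrawling",
            "Effect": "Deny",
            "Action": "qbusiness:DisableAclOnDataSource",
            "Resource": "*",
        }
    ],
}


def _statement_matches(statement, action):
    """Match an action against a statement's Action string or list, honouring
    IAM-style wildcards such as qbusiness:*."""
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    return any(fnmatch.fnmatchcase(action, pattern) for pattern in actions)


def is_allowed(action, *policies):
    """Simplified IAM decision: any matching explicit Deny wins; otherwise a
    matching Allow is required; otherwise the implicit default is Deny."""
    decision = "implicit-deny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not _statement_matches(statement, action):
                continue
            if statement["Effect"] == "Deny":
                return False
            decision = "allow"
    return decision == "allow"


def without_statement(policy, sid):
    """Copy of a policy with one statement removed, modelling an account
    administrator temporarily lifting the Deny for an approved exception."""
    return {
        "Version": policy["Version"],
        "Statement": [s for s in policy["Statement"] if s.get("Sid") != sid],
    }


if __name__ == "__main__":
    action = "qbusiness:DisableAclOnDataSource"
    print(json.dumps(ADMIN_ROLE_POLICY, indent=2))
    print("role policy as attached:", is_allowed(action, ADMIN_ROLE_POLICY))
    lifted = without_statement(ADMIN_ROLE_POLICY, "DenyDisablingAclCrawling")
    print("deny lifted in role policy:", is_allowed(action, lifted))
    print("deny lifted but SCP present:", is_allowed(action, lifted, DISABLE_ACL_SCP))
    print("unrelated action unaffected:",
          is_allowed("qbusiness:CreateDataSource", ADMIN_ROLE_POLICY, DISABLE_ACL_SCP))
```

The point of the SCP line is the one the post makes about production accounts: an explicit deny at the organization level holds even after someone edits the role policy, so the exception process has to go through the account administrator rather than the Amazon Q Business administrator.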
Process to disable ACL crawling for a data source connector
Before setting up a data source connector with ACL crawling disabled in your Amazon Q Business application deployment, make sure that you don't have any sensitive content in the data source, or that you have implemented controls to help prevent unintended content exposure. Verify that the data source connector supports the option to disable ACL crawling. Notify information custodians, content owners, and data source administrators of your intent to disable ACL crawling and obtain their documented approvals, if necessary. If your account administrator has explicitly denied the option to disable ACL crawling, request temporary permission. After you've secured all approvals and exceptions, create a new data source with ACL crawling disabled and sync the data. With ACL crawling disabled, Amazon Q Business users will be able to discover data and obtain answers from the documents indexed through this connector. Notify the account administrator to revert the account policy back to explicitly denying the disable ACL crawling option. The process and the interaction between the different roles are shown in the following chart.
The following is an overview of the procedure to create a data source with ACL crawling disabled using the AWS Console:
- Navigate to the Amazon Q Business console.
- Select the Amazon Q Business application that you want to add a data source connector to.
- Choose Add data source in the Data sources section and select the desired connector.
- Update the connector configuration information. See Connecting Amazon Q Business data sources for configuration details.
- In the Authorization section, choose Disable ACLs and check the acknowledgment to accept the risks of disabling ACL crawling.
- Complete the remaining connector configuration and choose Save.
- Sync the data source.
Note: You cannot disable ACL crawling for an existing data source connector that was created with ACL crawling enabled. You must create a new data source connector instance with ACLs disabled and delete the older instance that has ACL crawling enabled.
Process to enable ACL crawling for a data source connector
Creating a data source connector with ACL crawling enabled is recommended and doesn't require additional allow listing from AWS account administrators. To enable ACL crawling, you follow steps similar to those for disabling ACLs described in the previous section. When configuring the data source connector using the console, choose Enable ACLs in the Authorization section to create a connector with ACL crawling enabled. You can also enable ACL crawling at any time for an existing data source connector that was created with this option disabled. Sync the data source connector for the ACL enforcement to take effect. Amazon Q Business users can then only query and obtain answers from documents to which they have access in the original data source.
It's important to verify that the data source administrator has set up the required permissions properly, making sure that the crawler has permission to crawl for ACLs in the data source before enabling ACL crawling. You can find the required permissions in the prerequisites section of the connector in Connecting Amazon Q Business data sources. The following shows the process for setting up a data source connector with ACL crawling enabled.
Logging and monitoring the ACL crawling configuration
Amazon Q Business uses AWS CloudTrail for logging API calls related to ACL crawling configuration. You can monitor the CloudTrail log for CreateDataSource and UpdateDataSource API calls to identify ACL crawling-related changes made to data source configuration. For a complete list of Amazon Q Business APIs that are logged to CloudTrail, see Logging Amazon Q Business API calls using AWS CloudTrail.
Administrators can configure Amazon CloudWatch alarms to generate automatic alert notifications if ACL crawling is disabled for a data source connector, allowing them to initiate corrective action. For step-by-step instructions on setting up CloudWatch alarms based on CloudTrail events, see How do I use CloudWatch alarms to monitor CloudTrail events.
The example CloudWatch alarm code snippet that follows shows the filter pattern for identifying events related to disabling ACL crawling in a data source connector.
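The following is an added example, not the snippet from the AWS post. It builds a CloudWatch Logs filter pattern that selects CreateDataSource and UpdateDataSource calls (the two API names the post lists) and runs the same detection logic over a few constructed CloudTrail records. Two things are assumptions: the eventSource value qbusiness.amazonaws.com follows the service prefix of the IAM action shown in the post, and the request-parameter field that carries the ACL setting is not shown in the post, so requestParameters.aclCrawlingEnabled is a labelled placeholder that you must replace with the field name you observe in your own CloudTrail records before relying on the refinement step.

```python
"""Flag CloudTrail records that create or update an Amazon Q Business data
source with ACL crawling turned off, and emit the matching CloudWatch Logs
filter pattern.

Added example, not from the AWS post. eventSource and the ACL request
parameter name are assumptions; see the comments.
"""
import json

EVENT_SOURCE = "qbusiness.amazonaws.com"           # assumed service endpoint name
WATCHED_EVENTS = ("CreateDataSource", "UpdateDataSource")   # API names from the post
ACL_FIELD = "aclCrawlingEnabled"   # PLACEHOLDER: confirm against real records


def build_filter_pattern():
    """CloudWatch Logs filter-pattern syntax selecting the two API calls.
    Narrowing further on the ACL field needs the real field name, so the
    pattern stays broad and the Python check below does the refinement."""
    names = " || ".join(f'($.eventName = "{n}")' for n in WATCHED_EVENTS)
    return f'{{ ($.eventSource = "{EVENT_SOURCE}") && ({names}) }}'


def is_acl_disable_event(record):
    """True for a watched Amazon Q Business call whose request parameters
    carry the (placeholder) ACL field set to false."""
    if record.get("eventSource") != EVENT_SOURCE:
        return False
    if record.get("eventName") not in WATCHED_EVENTS:
        return False
    params = record.get("requestParameters") or {}
    return params.get(ACL_FIELD) is False


def find_acl_disable_events(trail_json):
    """Parse a CloudTrail log file body ({"Records": [...]}) and return
    (eventTime, eventName, caller ARN) for every matching record."""
    hits = []
    for rec in json.loads(trail_json)["Records"]:
        if is_acl_disable_event(rec):
            caller = (rec.get("userIdentity") or {}).get("arn")
            hits.append((rec.get("eventTime"), rec.get("eventName"), caller))
    return hits


# Constructed sample records (account ID is the AWS documentation example).
SAMPLE_TRAIL = json.dumps({"Records": [
    {   # data source created with ACL crawling disabled: should alert
        "eventTime": "2024-11-05T10:15:00Z",
        "eventSource": "qbusiness.amazonaws.com",
        "eventName": "CreateDataSource",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/QBusinessAdmin"},
        "requestParameters": {"aclCrawlingEnabled": False},
    },
    {   # ordinary create with ACLs on: must not alert
        "eventTime": "2024-11-05T10:20:00Z",
        "eventSource": "qbusiness.amazonaws.com",
        "eventName": "CreateDataSource",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/QBusinessAdmin"},
        "requestParameters": {"aclCrawlingEnabled": True},
    },
    {   # same API name from a different service: must not alert
        "eventTime": "2024-11-05T10:25:00Z",
        "eventSource": "kendra.amazonaws.com",
        "eventName": "CreateDataSource",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/KendraAdmin"},
        "requestParameters": {"aclCrawlingEnabled": False},
    },
    {   # watched call without the ACL field at all: must not alert
        "eventTime": "2024-11-05T10:30:00Z",
        "eventSource": "qbusiness.amazonaws.com",
        "eventName": "UpdateDataSource",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/QBusinessAdmin"},
        "requestParameters": {"displayName": "hr-policies"},
    },
]})


if __name__ == "__main__":
    print(build_filter_pattern())
    for hit in find_acl_disable_events(SAMPLE_TRAIL):
        print("ACL crawling disabled:", hit)
```

A metric filter built from build_filter_pattern() feeds an alarm that pages on every create or update call; the refinement on the ACL field is what separates a routine connector change from one that turns enforcement off, which is why the placeholder must be replaced with the observed field name before the alarm is trusted.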
Tips for troubleshooting
When configuring Amazon Q Business data source connectors, you might occasionally encounter issues. The following are some common errors and their possible resolutions.
Not authorized to disable ACL crawling
When creating a new data source connector with ACL crawling disabled, you might see an error message stating not authorized to perform: qbusiness:DisableAclOnDataSource, as shown in the following image.
This error indicates that your administrator has explicitly denied the option to disable ACL crawling for your AWS account. Contact your administrator to allow-list this action for your account. For more details, see the Process to disable ACL crawling for a data source connector section earlier in this post.
Data source connection errors
Data source connectors might also fail to connect to your data source or to crawl data. In such cases, verify that Amazon Q Business can reach the data source through the public internet or through a VPC private network. See Connecting Amazon Q Business data sources to make sure that your data source authentication has the permissions needed to crawl content and ACLs, if enabled.
Identity and ACL mismatch errors
Finally, after successfully syncing data with ACL crawling enabled, some users might still be unable to get answers to queries, even though the relevant documents have been indexed. This issue commonly occurs when the user lacks access to the indexed content in the original data source, or when the user identity obtained from the data source doesn't match the sign-in identity. To troubleshoot such ACL mismatch issues, examine the data source sync report. For more information, see Introducing document-level sync reports: Enhanced data sync visibility in Amazon Q Business.
Key considerations and recommendations
Given the impact that disabling ACL crawling can have on content security, consider these restrictions and best practices when disabling ACL crawling in Amazon Q Business data source connectors:
- ACL crawling enablement is a one-way control mechanism. After it's enabled, you cannot disable it. This helps prevent accidentally disabling ACL crawling in production environments.
- Keep ACL crawling enabled by default and disable it only for the subset of data source connectors that require it.
- If necessary, consider splitting the indexing of a data source by setting up multiple data source connectors and limiting ACL crawling disablement to a smaller content segment. Use the document Inclusion and Exclusion feature of data source connectors to define the indexing scope.
- When ACL crawling is disabled because of irreconcilable identities, consider alternative options. These include implementing attribute filters, limiting access to the Amazon Q Business application, and setting up guardrails.
- As a security best practice, AWS Organizations and account administrators should add a service control policy to explicitly deny the qbusiness:DisableAclOnDataSource permission for all accounts. Grant this permission only when requested by an Amazon Q Business administrator. After configuring a data source connector with ACL crawling disabled, revert to an explicit deny. Use a ticketing system to maintain a record of exception approvals. For more information, see .
- Currently, disabling ACL crawling is available for a limited set of connectors, including ServiceNow, Confluence, SharePoint, Jira, Google Drive, OneDrive, Salesforce, Zendesk, GitHub, MS Teams, and Slack. For the latest list of connectors that support disabling ACL crawling, see Connecting Amazon Q Business data sources.
Clean up
To avoid incurring additional charges, make sure you delete any resources created in this post.
- To delete any data source created in Amazon Q Business, follow the instructions in Deleting an Amazon Q Business data source connector.
- To delete any Amazon Q Business application created, follow the instructions in Deleting an application.
Conclusion
Amazon Q Business data source connector ACL crawling is an essential feature that helps organizations build, manage, and scale secure AI assistants. It plays a crucial role in enforcing regulatory and compliance policies and protecting sensitive content. With the introduction of a self-service feature to disable ACL crawling, Amazon Q Business now gives you more autonomy to choose deployment options that suit your organization's business needs. To start building secure AI assistants with Amazon Q Business, explore the Getting started guide.
About the Authors
Rajesh Kumar Ravi, a Senior Solutions Architect at Amazon Web Services, specializes in building generative AI solutions using Amazon Q Business, Amazon Bedrock, and Amazon Kendra. He helps businesses worldwide implement these technologies to enhance efficiency, innovation, and competitiveness. An accomplished technology leader, Rajesh has experience developing innovative AI products, nurturing the builder community, and contributing to new ideas. Outside of work, he enjoys walking and short hiking trips.
Meenakshisundaram Thandavarayan works for AWS as an AI/ML Specialist. He has a passion for designing, creating, and promoting human-centered data and analytics experiences. Meena focuses on developing sustainable systems that deliver measurable, competitive advantages for strategic customers of AWS. Meena is a connector and design thinker and strives to drive business to new ways of working through innovation, incubation, and democratization.
Amit Choudhary is a Product Manager for Amazon Q Business connectors. He loves to build products that make it easy for customers to use privacy-preserving technologies (PETs) such as differential privacy
Keerthi Kumar Kallur is a Software Development Engineer at AWS. He's part of the Amazon Q Business team and has worked on various features with customers. In his spare time, he likes outdoor activities such as hiking and sports such as volleyball.