Amazon Q for Business – What you need to know

Update July 8 – The customer managed applications I mention in the article below, while not available in the console for an account level instance of IAM Identity Center, seem to be available via the API and can be configured by following the steps mentioned in this article. I am awaiting comment from AWS on whether this is intended.

I have spent a bit of time digging into Q for Business lately, and there are a bunch of caveats that you probably should know about. The service only went GA at the end of April 2024, so these limitations are probably to be expected, but I did not see this all documented in one place, so that's why I am writing it up – hopefully to save you time!

For the past year and a half GenAI has been a buzzword – and there are sometimes quite dubious uses of the technology out there. I was initially sceptical to be honest, but this year I have changed my mind. The technology is moving incredibly fast and I feel that, by combining appropriate guardrails and providing relevant business data and context, GenAI is a tool like all the other tools available that can help you make your job more efficient. You still need to be an SME – that will not change. However, having a second pair of GenAI eyes on things you do, whether it is coding, research, writing, etc., can only be a good thing as long as you review and interpret the results to make sure they make sense.

Initially I was a bit meh about Amazon Q for Business (QfB). But with recent advances and the service going GA I think it's a great tool with lots of promise, especially considering AWS have been playing GenAI catchup for the best part of 18 months or so.

Firstly, what is QfB? QfB is effectively a managed Large Language Model (LLM) and Retrieval Augmented Generation (RAG) system all in one. What does this mean for you as an end user or administrator? It means you can import any data you like from pretty much any information storage system you have data stored in, ask it questions, and hopefully get reasonable answers with sources listed. You do not have to worry about choosing an LLM, setting up your own RAG and Vector DB combo, etc. There are two flavours – Business Lite and Business Pro. Compare the options here. Lite is very basic and limited but good enough to get a feel for the service.

You literally point your QfB app at your data sources, and they are automatically imported and indexed for you, so you can very quickly start asking the documents questions. Obviously the downside is that you have limited control over the indexing and RAG options, and zero control over which backend LLM is used. However, AWS appear to be adding new features very quickly, such as admin controls and guardrails, and I just noticed scanned PDF support was added to the supported document types in just the last week.

QfB is exposed to users via a web experience integrated with IAM Identity Center. This is not an optional step. IAM Identity Center is required. The web experience is configured as an Identity Center application that exposes a URL that looks something like this:

https://ta6kxxx.chat.qbusiness.us-west-2.on.aws

Your users authenticate to this endpoint and can ask their questions via a standard UI.

There is the option of building your own custom web experience by using your corporate IdP and your own website look and feel, and utilising the APIs. A good starter is in GitHub, or a really nice example on querying an Athena table by generating the query and executing it is in this repo.

Now come the caveats:

  • As of July 2024, QfB is supported in only two regions: us-west-2 and us-east-1. Your IAM Identity Center needs to be deployed to the same region as you are running QfB in. So for Australians, we are out of luck for now.
  • IAM Identity Center can be an organisation or account level instance, but the same region rule applies. If your organisational instance of IAM Identity Center is in one of the unsupported Q regions, then you can create an account level instance of IAM Identity Center as long as you have allowed this from the existing organisation Identity Center.
  • Account level IAM Identity Center is generally good enough for trying out QfB unless you want to implement a customised web experience. For this you need to create a custom application within Identity Center, and this is ONLY supported on an organisational instance of IAM Identity Center for now. A custom application allows you to set up identity federation with your corporate IdP by using a Trusted Token Issuer. In my interpretation of the documentation it says this is supported on account level instances in member accounts, but I have had it confirmed this is not supported yet, so I hope this is supported soon or they fix the docs.
  • Finally, for the custom web experience, or to be able to use certain API calls even via the CLI, an external IdP is required. You cannot rely on just an identity store within IAM Identity Center, as you need to request identity aware AWS Sig v4 credentials for the authenticated user on whose behalf the API call is being made. If you do not do this and use regular (even Administrator level) AWS credentials for a restricted API such as ChatSync, you get this error:

An error occurred (AccessDeniedException) when calling the ChatSync operation: User is not authorized for this service call.
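
The identity-aware credential flow that the last caveat refers to, written out with boto3 as an added example (it is not code from this post or from the AWS sample repos). The application ARN, role ARN, Q application ID and session name are placeholders supplied by the caller, and the role's trust policy is assumed to allow `sts:SetContext`.

```python
import base64
import json

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
IDC_CONTEXT_PROVIDER = "arn:aws:iam::aws:contextProvider/IdentityCenter"


def identity_context_from_id_token(id_token: str) -> str:
    """Return the sts:identity_context claim of an Identity Center idToken.

    The token is decoded, not verified: it must come straight from the
    CreateTokenWithIAM response, never from user-supplied input.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    ctx = claims.get("sts:identity_context") if isinstance(claims, dict) else None
    if not ctx:
        raise ValueError("idToken carries no sts:identity_context claim")
    return ctx


def chat_as_user(idp_jwt, idc_app_arn, role_arn, q_app_id, question,
                 region="us-west-2"):
    """Call ChatSync on behalf of the user who owns idp_jwt (placeholder inputs)."""
    import boto3  # lazy import: the decoder above works without the SDK

    # 1. Swap the corporate IdP's JWT (trusted token issuer) for an
    #    Identity Center token via the customer managed application.
    oidc = boto3.client("sso-oidc", region_name=region)
    tokens = oidc.create_token_with_iam(
        clientId=idc_app_arn, grantType=JWT_BEARER, assertion=idp_jwt)

    # 2. Assume a role with the user's identity context attached, which is
    #    what makes the resulting SigV4 credentials identity-aware.
    sts = boto3.client("sts", region_name=region)
    creds = sts.assume_role(
        RoleArn=role_arn, RoleSessionName="qbusiness-chat",
        ProvidedContexts=[{
            "ProviderArn": IDC_CONTEXT_PROVIDER,
            "ContextAssertion": identity_context_from_id_token(tokens["idToken"]),
        }])["Credentials"]

    # 3. ChatSync with those credentials; plain admin credentials fail here.
    q = boto3.client("qbusiness", region_name=region,
                     aws_access_key_id=creds["AccessKeyId"],
                     aws_secret_access_key=creds["SecretAccessKey"],
                     aws_session_token=creds["SessionToken"])
    return q.chat_sync(applicationId=q_app_id, userMessage=question)["systemMessage"]
```

The credentials from step 2 are scoped to one user, so a backend should obtain them per authenticated session rather than cache and share them across users.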

So I leave you with a video showing the AWS demo of the data insights custom web app, which takes a plain text query about AWS costs, returns the Athena friendly query and actually executes it. This small example goes to show that when QfB becomes more widely available, integrating these sorts of experiences in your line of business applications will become much easier, as it allows a much more user friendly way of making relevant data available to the people who need it without necessarily having a data analyst to interpret the business user request.
