Amazon Q Business – Enterprise AI Assistant Guide

Amazon Q Business Overview

  • Amazon Q Business is a fully managed, generative AI-powered enterprise assistant built on Amazon Bedrock that answers questions, provides summaries, generates content, and completes tasks based on enterprise data.
  • Provides permissions-aware responses with citations from enterprise data sources for use cases such as IT helpdesk, HR, benefits, and compliance.
  • Supports Retrieval Augmented Generation (RAG) — combining enterprise knowledge retrieval with LLM-powered response generation.
  • Integrates with 40+ data source connectors, built-in and custom plugins, and Amazon Q Apps for citizen-developed AI applications.
  • Available through a web experience, browser extensions (Chrome, Firefox, Edge), Slack, and Microsoft Teams integrations.
  • Important: Amazon Q Business will no longer be open to new customers starting July 31, 2026. Existing customers remain fully supported. AWS recommends migrating to Amazon Quick for similar and enhanced capabilities.

Amazon Q Business Architecture

Core Components

  • Application
    • Top-level container that encapsulates the entire Q Business deployment.
    • Each application has its own configuration, data sources, plugins, guardrails, and web experience.
    • Linked to an IAM Identity Center instance or IAM Federation for user authentication.
    • Supports both authenticated (IAM Identity Center/IAM Federation) and anonymous access modes.
  • Index
    • Stores and organizes ingested enterprise documents for retrieval.
    • Two index types available:
      • Starter Index — runs in 1 AZ, ideal for proof-of-concept; includes 20,000 documents or 200 MB extracted text capacity and 100 hours connector usage.
      • Enterprise Index — runs across 3 AZs for high availability; same base capacity with support for customer managed key (CMK) encryption.
    • Capacity can be scaled by adding additional index units.
  • Retriever
    • Responsible for fetching relevant documents from the index to answer user queries.
    • Two retriever options:
      • Native Retriever — built-in retriever managed by Amazon Q Business with semantic search capabilities.
      • Amazon Kendra Retriever — uses an existing Amazon Kendra index for retrieval, ideal for organizations already using Kendra with advanced search tuning.
  • Data Sources
    • Connectors that crawl, ingest, and synchronize enterprise content into the index.
    • Support scheduled sync (incremental and full) to keep index current.
    • Crawl Access Control Lists (ACLs) by default for document-level security.
  • Web Experience
    • Managed chat interface for end users to interact with Amazon Q Business.
    • Customizable with organization branding, visual themes, and conversation starters.
    • Supports single sign-on (SSO) via IAM Identity Center.
    • Can be embedded directly into applications and websites.

How RAG Works in Q Business

  1. User submits a natural language query through the web experience or integration.
  2. The retriever searches the index for relevant enterprise documents.
  3. ACLs are evaluated to ensure the user has permission to access retrieved documents.
  4. Retrieved documents (with citations) are passed to the underlying LLM.
  5. The LLM generates a comprehensive, contextual response grounded in enterprise data.
  6. Response is returned with source citations for verification.

Data Source Connectors

  • Amazon Q Business provides 40+ pre-built connectors to synchronize data from enterprise content repositories.
  • Connectors can be scheduled for automatic sync (full or incremental) to keep the index up-to-date.
  • All connectors crawl ACLs by default to maintain document-level security.

Cloud Storage & File Systems

Connector | Description
Amazon S3 | Indexes documents stored in S3 buckets. Supports PDF, HTML, Word, PowerPoint, Excel, CSV, and text files. Configurable with prefix filters.
Amazon FSx for Windows | Indexes documents from FSx Windows file shares with NTFS ACL support.
Box | Crawls files, folders, comments, and tasks from Box enterprise accounts.
Dropbox | Indexes files, paper documents, and shared folders from Dropbox Business accounts.
Google Drive | Crawls Google Docs, Sheets, Slides, PDFs, and shared drives with Google Workspace ACL support.
Microsoft OneDrive | Indexes personal and shared files from Microsoft 365 OneDrive accounts.

Collaboration & Productivity

Connector | Description
Confluence (Cloud) | Crawls spaces, pages, blogs, comments, and attachments from Atlassian Confluence Cloud.
Confluence (Server) | Indexes on-premises Confluence Server/Data Center instances.
Microsoft SharePoint (Cloud) | Crawls sites, document libraries, lists, and pages from SharePoint Online with Microsoft 365 ACLs.
Microsoft SharePoint Server | Supports SharePoint Server 2016, 2019, and Subscription Edition for on-premises deployments.
Microsoft Teams | Indexes channel messages, files, wikis, and meeting notes from Teams.
Slack | Crawls public and private channel messages, threads, and shared files.
Smartsheet | Indexes sheets, reports, and dashboards from Smartsheet workspaces.
Quip | Crawls documents, spreadsheets, and chat threads from Salesforce Quip (legacy connector).

Communication & Email

Connector | Description
Gmail | Indexes email messages and attachments from Google Workspace Gmail accounts.
Google Calendar (Preview) | Crawls calendar events and descriptions from Google Workspace.
Microsoft Exchange | Indexes emails, calendar events, contacts, and attachments from Exchange Online.

Project Management & ITSM

Connector | Description
Jira | Crawls issues, projects, comments, attachments, and worklogs from Jira Cloud.
ServiceNow Online | Indexes knowledge articles, incidents, catalog items, and attachments from ServiceNow.
Zendesk | Crawls tickets, articles, comments, and community posts from Zendesk.
Asana (Preview) | Indexes tasks, projects, and comments from Asana workspaces.

CRM & Business Applications

Connector | Description
Salesforce Online | Crawls knowledge articles, accounts, cases, opportunities, feeds, and custom objects.

Source Code & Development

Connector | Description
GitHub (Cloud) | Indexes repositories, issues, pull requests, READMEs, and wiki pages from GitHub.com.
GitHub (Server) | Crawls on-premises GitHub Enterprise Server instances.

Web & Custom

Connector | Description
Amazon Q Web Crawler | Crawls and indexes content from specified websites with configurable depth and URL filters.
Custom Data Source Connector | Enables integration with any data source using the Amazon Q Business API. Developers push documents programmatically via BatchPutDocument API.

Database Connectors (via Custom Connector)

  • Database sources like MySQL, PostgreSQL, and Oracle can be integrated using the Custom Data Source Connector.
  • Developers extract data from databases, format as documents, and push to Q Business via the BatchPutDocument API.
  • Supports any structured data source that can be programmatically accessed.
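
The custom-connector flow above, sketched as an added example (not code from AWS or from this guide): database rows become BatchPutDocument requests, and any row without an allowed user or group is held back rather than pushed without an ACL. The row layout, IDs and the 10-documents-per-call batch size are assumptions; `client` is expected to be `boto3.client("qbusiness")`.

```python
MAX_DOCS_PER_CALL = 10  # assumption: per-request limit, confirm in the API reference

# Constructed sample rows, standing in for the result of a database query.
SAMPLE_ROWS = [
    {"pk": 1, "title": "VPN outage", "fields": {"status": "open", "team": "it"},
     "allowed_groups": ["it-helpdesk"]},
    {"pk": 2, "title": "Payroll export", "fields": {"status": "closed"},
     "allowed_users": ["ana@example.com"]},
    {"pk": 3, "title": "Unowned note", "fields": {"status": "draft"}},  # no ACL
]


def row_to_document(table, row):
    """Format one row as a Q Business document that carries an explicit ACL."""
    principals = [{"user": {"id": u, "access": "ALLOW"}}
                  for u in row.get("allowed_users", [])]
    principals += [{"group": {"name": g, "access": "ALLOW"}}
                   for g in row.get("allowed_groups", [])]
    if not principals:
        # A document indexed without ACL entries is readable by every
        # authenticated user, so refuse to build it.
        raise ValueError(f"row {row['pk']} has no allowed users or groups")
    body = "\n".join(f"{key}: {value}" for key, value in row["fields"].items())
    return {
        "id": f"{table}/{row['pk']}",
        "title": row["title"],
        "contentType": "PLAIN_TEXT",
        "content": {"blob": body.encode("utf-8")},
        "accessConfiguration": {
            "accessControls": [{"principals": principals, "memberRelation": "OR"}]
        },
    }


def build_requests(application_id, index_id, table, rows):
    """Return (list of batch_put_document kwargs, primary keys skipped for no ACL)."""
    docs, skipped = [], []
    for row in rows:
        try:
            docs.append(row_to_document(table, row))
        except ValueError:
            skipped.append(row["pk"])
    requests = [
        {"applicationId": application_id, "indexId": index_id,
         "documents": docs[i:i + MAX_DOCS_PER_CALL]}
        for i in range(0, len(docs), MAX_DOCS_PER_CALL)
    ]
    return requests, skipped


def push(client, requests):
    """Send each batch and return the ids the service reports as failed."""
    failed = []
    for request in requests:
        response = client.batch_put_document(**request)
        failed += [item["id"] for item in response.get("failedDocuments", [])]
    return failed


if __name__ == "__main__":
    reqs, skipped = build_requests("APPLICATION_ID_PLACEHOLDER",
                                   "INDEX_ID_PLACEHOLDER", "tickets", SAMPLE_ROWS)
    print(len(reqs), "request(s); skipped rows without ACL:", skipped)
```

Skipped primary keys are worth logging and reviewing: they are the rows that would otherwise have been indexed with no access restriction.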

Plugins & Actions

  • Plugins enable Amazon Q Business users to perform actions in third-party applications directly from the chat interface.
  • Users can create tickets, update records, send notifications, and query application data using natural language.
  • Plugins are only available with the Pro subscription tier.
  • Amazon Q Business supports 50+ action types across built-in and custom plugins.

Built-in Plugins

Plugin | Capabilities
Jira Cloud | Create issues, update status, add comments, assign tickets, search issues, transition workflows
ServiceNow | Create/update incidents, search knowledge base, manage change requests, catalog items
Zendesk | Create/update tickets, search articles, manage users, add comments
Salesforce | Create/update cases, search accounts and contacts, manage opportunities
PagerDuty | Create/acknowledge/resolve incidents, manage on-call schedules, escalation policies
Smartsheet | Create/update rows, search sheets, manage attachments, update cells

Custom Plugins

  • Custom plugins allow integration with any third-party application using an OpenAPI schema definition.
  • Steps to create a custom plugin:
    1. Define an OpenAPI 3.0 specification describing the API endpoints, parameters, and responses.
    2. Configure authentication (OAuth 2.0, API key, or no auth).
    3. Upload the schema to Amazon Q Business and configure the plugin.
    4. Amazon Q Business automatically discovers available actions from the schema.
  • Use cases: submit time-off requests, send meeting invites, query internal APIs, trigger CI/CD pipelines.
  • Custom plugins support OAuth 2.0 authorization code flow for secure per-user authentication.

Chat Orchestration

  • Amazon Q Business automatically orchestrates end user chat requests across configured plugins and data sources.
  • Determines whether a query requires knowledge retrieval, plugin action execution, or both.
  • Enables multi-step workflows combining data retrieval and actions in a single conversation.

Amazon Q Apps

  • Amazon Q Apps enables users to build lightweight, purpose-built AI applications without any coding — empowering citizen developers.
  • Available exclusively to Pro subscription users (since July 1, 2024).
  • Users create Q Apps directly from the web experience interface using natural language descriptions or by converting chat conversations into reusable apps.

App Builder

  • Q Apps are composed of cards — modular building blocks that define inputs, processing, and outputs:
    • Text Input Card — accepts user text input
    • File Upload Card — allows file uploads (up to 10 MB per card)
    • Query Card — sends a prompt to the LLM with optional enterprise data context
    • Output Card — displays generated responses
  • Cards can be connected in sequence to create multi-step workflows.
  • Apps can leverage enterprise data sources configured in the Q Business application.

Sharing & Permissions

  • Private sharing — share apps with specific users within the Q Business application environment.
  • Library publishing — publish apps to the organization’s app library for broader discovery.
  • App creators control visibility and access at a granular level.
  • Administrators can enable/disable Q Apps at the application level.

Data Collection

  • Q Apps support data collection forms that allow shared apps to collect structured data from multiple users.
  • Useful for surveys, feedback collection, intake forms, and structured workflows.

Example Use Cases

  • Meeting summary generator — upload meeting notes, get action items and summaries
  • RFP response assistant — input requirements, generate proposal drafts from company knowledge
  • Onboarding checklist app — guide new hires through company policies and procedures
  • Competitive analysis tool — input competitor info, get insights from internal research documents

Admin Controls & Guardrails

  • Amazon Q Business provides configurable guardrails (chat controls) to manage and control the end user chat experience.
  • Controls are organized into global controls and topic-level controls.

Global Controls

  • Response source controls — specify whether responses use:
    • Enterprise data only (strict RAG mode)
    • Enterprise data + LLM model knowledge (when enterprise data lacks answers)
  • Blocked phrases — define specific words or phrases that Amazon Q Business must never include in responses.
  • File upload control — enable or disable end user file uploads during chat sessions.
  • Chat personalization — control whether responses are personalized using IAM Identity Center user attributes (address, job info).
  • Chat orchestration — enable/disable automatic routing of requests across plugins and data sources.
  • Hallucination detection — enable automatic checking and correction of responses for inconsistencies.
  • Global controls cannot be created or deleted — only updated.

Topic-Level Controls

  • Define natural language topics that Amazon Q Business should handle in specific ways.
  • For each topic, configure:
    • Topic description — natural language description of the topic area
    • Example user messages — sample queries that fall under this topic
    • Response behavior:
      • Allow responses from enterprise data only
      • Allow responses from enterprise data + model knowledge
      • Block the topic entirely (refuse to answer)
    • Custom response message — provide a specific response for blocked topics
  • Topic controls can be scoped to specific users and groups for fine-grained governance.

Blocked Topics

  • Administrators can block entire topics to prevent the assistant from discussing sensitive subjects.
  • Common blocked topics: competitor information, executive compensation, unreleased products, legal opinions.
  • When a blocked topic is detected, Q Business returns the configured custom response message.

Access Control & Security

  • Amazon Q Business implements defense-in-depth security with multiple layers of access control.
  • Built on Amazon Bedrock, inheriting automated abuse detection and responsible AI controls.

IAM Identity Center Integration

  • AWS IAM Identity Center (recommended) provides centralized identity management for Q Business.
  • Supports single sign-on (SSO) with external identity providers (Okta, Azure AD, Ping Identity, etc.).
  • Manages user subscriptions, group memberships, and application access centrally.
  • Enables automatic subscription deduplication across multiple Q Business applications sharing the same Identity Center instance.
  • IAM Federation (alternative) — supports OIDC and SAML identity providers for organizations not using Identity Center.

Document-Level Security (ACL Crawling)

  • Amazon Q Business crawls Access Control Lists (ACLs) from data sources by default.
  • Maps source system users/groups to IAM Identity Center identities via a User Store.
  • Ensures users only receive answers from documents they have permission to access in the source system.
  • ACL crawling supports:
    • User-level permissions
    • Group-level permissions
    • Inherited permissions (folder hierarchies)
  • Once ACL crawling is enabled, it cannot be disabled — this is a permanent setting.
  • Documents without ACL entries are accessible to all authenticated users by default.
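
A simplified model of steps 2 to 4 of the RAG flow and of the ACL rules above, as an added example (not AWS code; the data model, names and keyword search are assumptions for illustration). It shows user, group and inherited folder permissions, the default that a document with no ACL is returned to any authenticated user, and an audit helper that lists such documents.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Acl:
    users: frozenset = frozenset()
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Doc:
    doc_id: str
    path: str                   # source path, used for inherited folder ACLs
    text: str
    acl: Optional[Acl] = None   # None = no ACL entry on the document itself


# Constructed sample data (not real identities or documents).
FOLDER_ACLS = {"/hr/payroll": Acl(groups=frozenset({"hr-payroll"}))}
USER_STORE = {  # Identity Center user -> source-system aliases and groups
    "ana@example.com": {"aliases": {"ana.s"}, "groups": {"hr-payroll"}},
    "bo@example.com": {"aliases": {"bo.k"}, "groups": {"engineering"}},
}
INDEX = [
    Doc("d1", "/hr/payroll/bands.pdf", "salary bands by level"),
    Doc("d2", "/eng/runbook.md", "vpn reset runbook",
        Acl(users=frozenset({"bo.k"}))),
    Doc("d3", "/misc/draft-reorg.docx", "draft reorg plan and salary notes"),
]


def effective_acl(doc):
    """The document's own ACL, else the nearest ancestor folder's, else None."""
    if doc.acl is not None:
        return doc.acl
    folder = doc.path.rsplit("/", 1)[0]
    while folder:
        if folder in FOLDER_ACLS:
            return FOLDER_ACLS[folder]
        folder = folder.rsplit("/", 1)[0]
    return None


def can_read(user, doc):
    identity = USER_STORE.get(user)
    if identity is None:
        return False   # not an authenticated user known to the user store
    acl = effective_acl(doc)
    if acl is None:
        return True    # no ACL entries: open to all authenticated users
    return bool(acl.users & identity["aliases"]
                or acl.groups & identity["groups"])


def retrieve(query, user, top_k=3):
    """Search, drop what the user may not read, return passages with citations."""
    terms = set(query.lower().split())
    hits = [d for d in INDEX if terms & set(d.text.lower().split())]
    allowed = [d for d in hits if can_read(user, d)]
    return [{"citation": d.path, "passage": d.text} for d in allowed[:top_k]]


def unprotected_docs():
    """Audit helper: ids of documents that any authenticated user can retrieve."""
    return [d.doc_id for d in INDEX if effective_acl(d) is None]


if __name__ == "__main__":
    for user in USER_STORE:
        print(user, [h["citation"] for h in retrieve("salary bands", user)])
    print("no ACL:", unprotected_docs())
```

In this sample, the engineering user is denied the payroll document but still receives the reorg draft, because that file carries no ACL of its own and sits under no protected folder.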

Encryption

  • Encryption at rest — all data in the index is encrypted using AWS KMS keys.
  • Customer Managed Keys (CMK) — supported with Enterprise index type for full key control.
  • Encryption in transit — all communications use TLS 1.2+.
  • Data source credentials stored securely in AWS Secrets Manager.

Network Security

  • Amazon Q Business supports VPC endpoints (AWS PrivateLink) for private connectivity.
  • Data source connections can traverse VPCs for on-premises connectors.
  • All API calls are logged in AWS CloudTrail for auditing.

Subscription Management

  • Amazon Q Business uses a per-user subscription model with charges for both user subscriptions and index capacity.

User Subscription Tiers

Feature Lite Plan ($3/user/month) Pro Plan ($20/user/month)
Ideal for Enterprise-wide deployment, frontline workers Knowledge workers, power users
Q&A on knowledge bases ✅ With citations ✅ With citations
Q&A on LLM knowledge
File upload to chat
Content generation
Amazon Q Apps
Built-in plugins
Custom plugins
Slack/Teams integrations Browser extensions only ✅ Full integrations
QuickSight integration ✅ Reader Pro
Chat orchestration
Web experience (SSO)
Permissions-aware responses

Index Pricing

Index Type | Pricing | Included Capacity
Starter | $0.14/hour per unit | 20,000 docs or 200 MB text, 100 hrs connector usage
Enterprise | $0.264/hour per unit | 20,000 docs or 200 MB text, 100 hrs connector usage + CMK support

Subscription Billing Details

  • Charges start only after first use by the user.
  • Subscriptions are prorated when created or upgraded (based on remaining days in the month).
  • Cancellations and downgrades are not prorated — they apply at the start of the next billing month.
  • AWS deduplicates subscriptions across Q Business applications sharing the same IAM Identity Center instance — each user is charged only once at their highest subscription level.
  • For IAM Federation, users are charged once per IAM Identity Provider.

Amazon Q Business vs Bedrock Knowledge Bases vs Amazon Kendra

Feature | Amazon Q Business | Bedrock Knowledge Bases | Amazon Kendra
Primary Purpose | Enterprise AI assistant (turnkey RAG + actions) | Managed RAG for custom AI applications | Intelligent enterprise search
Target User | Business users & admins (no-code) | Developers building AI apps | Developers & search admins
Built-in Chat UI | ✅ Web experience, browser extensions | ❌ (requires custom UI) | ❌ (search UI only, needs custom chat)
Data Connectors | 40+ managed connectors | S3, Confluence, SharePoint, Web Crawler, Google Drive, OneDrive | 30+ managed connectors
Retrieval Method | Native or Kendra retriever | Vector search (OpenSearch, Pinecone, etc.) | Semantic + keyword search
LLM Integration | Built-in (managed by AWS) | Choose any Bedrock FM | Requires custom LLM integration
Plugins/Actions | ✅ Built-in + custom (OpenAPI) | ✅ Via Bedrock Agents |
Citizen Developer Apps | ✅ Q Apps | |
Access Control | ACL crawling, IAM Identity Center | Metadata filtering | ACL crawling, token-based
Admin Guardrails | ✅ Topic controls, blocked phrases | ✅ Bedrock Guardrails (separate) | ❌ (search-level only)
Pricing Model | Per user/month + index capacity | Per KB storage + retrieval queries | Per index hour + connector usage
Best For | Rapid enterprise AI assistant deployment | Custom RAG applications with specific FMs | Enterprise search with NLP ranking
Availability Status | Closing to new customers July 31, 2026 (migrate to Amazon Quick) | GA, actively developed | Closing to new customers (migrate to Quick)

Use Cases

Internal Knowledge Base

  • Connect company wikis, SharePoint, Confluence, and file shares to provide instant answers about policies, procedures, and institutional knowledge.
  • Reduce time employees spend searching across multiple systems.
  • Maintain permissions — users only see information they’re authorized to access.

IT Helpdesk

  • Index IT documentation, runbooks, and knowledge articles from ServiceNow.
  • Use plugins to create/update tickets directly from the chat interface.
  • Automate common L1 support queries (password resets, VPN setup, software installation guides).
  • Escalate complex issues by creating tickets with pre-populated context.

HR Assistant

  • Answer employee questions about benefits, PTO policies, expense procedures, and onboarding.
  • Connect to HR systems via plugins for actions like submitting time-off requests.
  • Reduce HR ticket volume by providing instant self-service answers.
  • Use topic-level controls to block sensitive HR topics (individual salaries, disciplinary actions).

Customer Support (Internal)

  • Equip support agents with instant access to product documentation, troubleshooting guides, and customer history.
  • Reduce average handle time by surfacing relevant solutions in real-time.
  • Create Zendesk/Salesforce tickets with full context directly from the assistant.

Compliance & Legal Q&A

  • Index regulatory documents, compliance policies, audit reports, and legal guidelines.
  • Provide rapid answers about compliance requirements with document citations.
  • Use guardrails to ensure responses don’t constitute legal advice (blocked topic with custom message).
  • Maintain strict access controls — only compliance team members can access sensitive regulatory documents.

Migration to Amazon Quick

  • AWS announced that Amazon Q Business will no longer accept new customers starting July 31, 2026.
  • Existing customers remain fully supported with bug fixes and security updates, but no new features.
  • AWS recommends migrating to Amazon Quick — the next evolution of Q Business with enhanced capabilities.
  • Amazon Quick provides:
    • Quick Flows — workflow automation (replacing Q Apps)
    • QuickSight integration — structured data analysis and visualization
    • Quick Research — in-depth analysis and expert insights
    • Spaces — unified knowledge management
    • MCP (Model Context Protocol) — open standard for connecting to external tools and data sources
  • Migration path: Use Bring Your Own Index (BYOI) to connect existing Q Business index to Quick without disrupting current operations.
  • Q Apps must be manually migrated to Quick Flows.
  • Guardrails and User Store configurations are not included in BYOI — must be recreated in Quick.

AWS Certification Exam Practice Questions

Question 1: A company wants to deploy Amazon Q Business for their 5,000 employees. Frontline workers need basic Q&A access, while 200 knowledge workers need full capabilities including content generation and plugins. What is the most cost-effective subscription approach?

  A. Subscribe all 5,000 users to Pro plan
  B. Subscribe 4,800 users to Lite plan and 200 users to Pro plan
  C. Subscribe all users to Lite plan and upgrade on request
  D. Use anonymous access for all users to avoid subscription costs

Answer: B

Explanation: The Lite plan ($3/user/month) provides Q&A on knowledge bases with citations and permissions-aware responses, sufficient for frontline workers. The Pro plan ($20/user/month) adds content generation, plugins, Q Apps, and integrations needed by knowledge workers. This gives $14,400/month for Lite users + $4,000/month for Pro users = $18,400/month vs. $100,000/month for all Pro.

Question 2: An organization uses Amazon Q Business with documents stored across SharePoint, Confluence, and S3. A user asks a question, but receives no answer despite the information existing in Confluence. What is the MOST likely cause?

  A. The Confluence connector has not completed its sync schedule
  B. The user does not have ACL permissions to access the Confluence document
  C. Amazon Q Business does not support Confluence as a data source
  D. The Enterprise index type is required for multiple data sources

Answer: B

Explanation: Amazon Q Business crawls ACLs by default and provides permissions-aware responses. If a user doesn’t have access to a document in the source system (Confluence), Q Business will not include that document in its response, even if the information exists. Option A is possible but less likely if the connector is configured for regular syncs.

Question 3: A company wants to prevent Amazon Q Business from answering questions about competitor pricing and executive compensation. Which feature should the administrator configure?

  A. IAM policies to restrict user access
  B. Global controls with blocked phrases
  C. Topic-level controls with blocked topic behavior
  D. Remove all documents mentioning competitors from data sources

Answer: C

Explanation: Topic-level controls allow administrators to define natural language topics (e.g., “competitor pricing,” “executive compensation”) and configure blocked behavior with custom response messages. Global blocked phrases only block specific words/phrases in responses, not entire topics. Topic-level controls provide more comprehensive governance over sensitive subjects.

Question 4: A development team wants Amazon Q Business users to create Jira tickets directly from the chat interface when they encounter issues. Which component is needed?

  A. Jira data source connector
  B. Jira built-in plugin
  C. Custom data source connector with Jira API
  D. Amazon Q Apps with Jira integration

Answer: B

Explanation: The Jira built-in plugin enables users to perform actions (create issues, update status, add comments) in Jira directly from the Q Business chat interface. The Jira data source connector is for indexing/reading Jira content, not performing actions. Plugins enable write operations while connectors enable read/index operations.

Question 5: An organization is evaluating whether to use Amazon Q Business or Amazon Bedrock Knowledge Bases for their enterprise AI assistant. They need a turnkey solution with built-in chat UI, 40+ data connectors, no-code setup, and citizen developer app capabilities. Which service best fits their requirements?

  A. Amazon Bedrock Knowledge Bases with custom UI
  B. Amazon Q Business
  C. Amazon Kendra with custom LLM integration
  D. Amazon Bedrock Agents with Confluence connector

Answer: B

Explanation: Amazon Q Business provides all requested capabilities: built-in web experience chat UI, 40+ managed data connectors, no-code admin setup, and Q Apps for citizen developers. Bedrock Knowledge Bases requires custom UI development and has fewer native connectors. Kendra provides search but not a conversational AI assistant. Q Business is the fully managed turnkey enterprise AI assistant solution.

Frequently Asked Questions

What is Amazon Q Business?

Amazon Q Business is a fully managed generative AI assistant for enterprises. It connects to 40+ data sources (SharePoint, Confluence, Salesforce, etc.), understands your company’s information, and provides accurate answers with citations while respecting existing access controls.

How much does Amazon Q Business cost?

Q Business Lite costs $3/user/month (Q&A and search only). Q Business Pro costs $20/user/month (includes plugins, actions, Q Apps, and advanced features). There’s also a per-index-unit and document storage charge.

What is the difference between Q Business and Bedrock Knowledge Bases?

Q Business is a ready-to-use enterprise assistant with built-in web UI, 40+ connectors, plugins, and admin controls. Bedrock Knowledge Bases is a developer building block for custom RAG applications that you integrate into your own apps via API.
