Amazon Q Business Overview
- Amazon Q Business is a fully managed, generative AI-powered enterprise assistant built on Amazon Bedrock that answers questions, provides summaries, generates content, and completes tasks based on enterprise data.
- Provides permissions-aware responses with citations from enterprise data sources for use cases such as IT helpdesk, HR, benefits, and compliance.
- Supports Retrieval Augmented Generation (RAG) — combining enterprise knowledge retrieval with LLM-powered response generation.
- Integrates with 40+ data source connectors, built-in and custom plugins, and Amazon Q Apps for citizen-developed AI applications.
- Available through a web experience, browser extensions (Chrome, Firefox, Edge), Slack, and Microsoft Teams integrations.
- Important: Amazon Q Business will no longer be open to new customers starting July 31, 2026. Existing customers remain fully supported. AWS recommends migrating to Amazon Quick for similar and enhanced capabilities.
Amazon Q Business Architecture

Core Components
- Application
- Top-level container that encapsulates the entire Q Business deployment.
- Each application has its own configuration, data sources, plugins, guardrails, and web experience.
- Linked to an IAM Identity Center instance or IAM Federation for user authentication.
- Supports both authenticated (IAM Identity Center/IAM Federation) and anonymous access modes.
- Index
- Stores and organizes ingested enterprise documents for retrieval.
- Two index types available:
- Starter Index — runs in 1 AZ, ideal for proof-of-concept; includes 20,000 documents or 200 MB extracted text capacity and 100 hours connector usage.
- Enterprise Index — runs across 3 AZs for high availability; same base capacity with support for customer managed key (CMK) encryption.
- Capacity can be scaled by adding additional index units.
- Retriever
- Responsible for fetching relevant documents from the index to answer user queries.
- Two retriever options:
- Native Retriever — built-in retriever managed by Amazon Q Business with semantic search capabilities.
- Amazon Kendra Retriever — uses an existing Amazon Kendra index for retrieval, ideal for organizations already using Kendra with advanced search tuning.
- Data Sources
- Connectors that crawl, ingest, and synchronize enterprise content into the index.
- Support scheduled sync (incremental and full) to keep index current.
- Crawl Access Control Lists (ACLs) by default for document-level security.
- Web Experience
- Managed chat interface for end users to interact with Amazon Q Business.
- Customizable with organization branding, visual themes, and conversation starters.
- Supports single sign-on (SSO) via IAM Identity Center.
- Can be embedded directly into applications and websites.
How RAG Works in Q Business
- User submits a natural language query through the web experience or integration.
- The retriever searches the index for relevant enterprise documents.
- ACLs are evaluated to ensure the user has permission to access retrieved documents.
- Retrieved documents (with citations) are passed to the underlying LLM.
- The LLM generates a comprehensive, contextual response grounded in enterprise data.
- Response is returned with source citations for verification.
Data Source Connectors
- Amazon Q Business provides 40+ pre-built connectors to synchronize data from enterprise content repositories.
- Connectors can be scheduled for automatic sync (full or incremental) to keep the index up-to-date.
- All connectors crawl ACLs by default to maintain document-level security.
Cloud Storage & File Systems
| Connector | Description |
|---|---|
| Amazon S3 | Indexes documents stored in S3 buckets. Supports PDF, HTML, Word, PowerPoint, Excel, CSV, and text files. Configurable with prefix filters. |
| Amazon FSx for Windows | Indexes documents from FSx Windows file shares with NTFS ACL support. |
| Box | Crawls files, folders, comments, and tasks from Box enterprise accounts. |
| Dropbox | Indexes files, paper documents, and shared folders from Dropbox Business accounts. |
| Google Drive | Crawls Google Docs, Sheets, Slides, PDFs, and shared drives with Google Workspace ACL support. |
| Microsoft OneDrive | Indexes personal and shared files from Microsoft 365 OneDrive accounts. |
Collaboration & Productivity
| Connector | Description |
|---|---|
| Confluence (Cloud) | Crawls spaces, pages, blogs, comments, and attachments from Atlassian Confluence Cloud. |
| Confluence (Server) | Indexes on-premises Confluence Server/Data Center instances. |
| Microsoft SharePoint (Cloud) | Crawls sites, document libraries, lists, and pages from SharePoint Online with Microsoft 365 ACLs. |
| Microsoft SharePoint Server | Supports SharePoint Server 2016, 2019, and Subscription Edition for on-premises deployments. |
| Microsoft Teams | Indexes channel messages, files, wikis, and meeting notes from Teams. |
| Slack | Crawls public and private channel messages, threads, and shared files. |
| Smartsheet | Indexes sheets, reports, and dashboards from Smartsheet workspaces. |
| Quip | Crawls documents, spreadsheets, and chat threads from Salesforce Quip (legacy connector). |
Communication & Email
| Connector | Description |
|---|---|
| Gmail | Indexes email messages and attachments from Google Workspace Gmail accounts. |
| Google Calendar (Preview) | Crawls calendar events and descriptions from Google Workspace. |
| Microsoft Exchange | Indexes emails, calendar events, contacts, and attachments from Exchange Online. |
Project Management & ITSM
| Connector | Description |
|---|---|
| Jira | Crawls issues, projects, comments, attachments, and worklogs from Jira Cloud. |
| ServiceNow Online | Indexes knowledge articles, incidents, catalog items, and attachments from ServiceNow. |
| Zendesk | Crawls tickets, articles, comments, and community posts from Zendesk. |
| Asana (Preview) | Indexes tasks, projects, and comments from Asana workspaces. |
CRM & Business Applications
| Connector | Description |
|---|---|
| Salesforce Online | Crawls knowledge articles, accounts, cases, opportunities, feeds, and custom objects. |
Source Code & Development
| Connector | Description |
|---|---|
| GitHub (Cloud) | Indexes repositories, issues, pull requests, READMEs, and wiki pages from GitHub.com. |
| GitHub (Server) | Crawls on-premises GitHub Enterprise Server instances. |
Web & Custom
| Connector | Description |
|---|---|
| Amazon Q Web Crawler | Crawls and indexes content from specified websites with configurable depth and URL filters. |
| Custom Data Source Connector | Enables integration with any data source using the Amazon Q Business API. Developers push documents programmatically via BatchPutDocument API. |
Database Connectors (via Custom Connector)
- Database sources like MySQL, PostgreSQL, and Oracle can be integrated using the Custom Data Source Connector.
- Developers extract data from databases, format as documents, and push to Q Business via the BatchPutDocument API.
- Supports any structured data source that can be programmatically accessed.
Plugins & Actions
- Plugins enable Amazon Q Business users to perform actions in third-party applications directly from the chat interface.
- Users can create tickets, update records, send notifications, and query application data using natural language.
- Plugins are only available with the Pro subscription tier.
- Amazon Q Business supports 50+ action types across built-in and custom plugins.
Built-in Plugins
| Plugin | Capabilities |
|---|---|
| Jira Cloud | Create issues, update status, add comments, assign tickets, search issues, transition workflows |
| ServiceNow | Create/update incidents, search knowledge base, manage change requests, catalog items |
| Zendesk | Create/update tickets, search articles, manage users, add comments |
| Salesforce | Create/update cases, search accounts and contacts, manage opportunities |
| PagerDuty | Create/acknowledge/resolve incidents, manage on-call schedules, escalation policies |
| Smartsheet | Create/update rows, search sheets, manage attachments, update cells |
Custom Plugins
- Custom plugins allow integration with any third-party application using an OpenAPI schema definition.
- Steps to create a custom plugin:
- Define an OpenAPI 3.0 specification describing the API endpoints, parameters, and responses.
- Configure authentication (OAuth 2.0, API key, or no auth).
- Upload the schema to Amazon Q Business and configure the plugin.
- Amazon Q Business automatically discovers available actions from the schema.
- Use cases: submit time-off requests, send meeting invites, query internal APIs, trigger CI/CD pipelines.
- Custom plugins support OAuth 2.0 authorization code flow for secure per-user authentication.
Chat Orchestration
- Amazon Q Business automatically orchestrates end user chat requests across configured plugins and data sources.
- Determines whether a query requires knowledge retrieval, plugin action execution, or both.
- Enables multi-step workflows combining data retrieval and actions in a single conversation.
Amazon Q Apps
- Amazon Q Apps enables users to build lightweight, purpose-built AI applications without any coding — empowering citizen developers.
- Available exclusively to Pro subscription users (since July 1, 2024).
- Users create Q Apps directly from the web experience interface using natural language descriptions or by converting chat conversations into reusable apps.
App Builder
- Q Apps are composed of cards — modular building blocks that define inputs, processing, and outputs:
- Text Input Card — accepts user text input
- File Upload Card — allows file uploads (up to 10 MB per card)
- Query Card — sends a prompt to the LLM with optional enterprise data context
- Output Card — displays generated responses
- Cards can be connected in sequence to create multi-step workflows.
- Apps can leverage enterprise data sources configured in the Q Business application.
Sharing & Permissions
- Private sharing — share apps with specific users within the Q Business application environment.
- Library publishing — publish apps to the organization’s app library for broader discovery.
- App creators control visibility and access at a granular level.
- Administrators can enable/disable Q Apps at the application level.
Data Collection
- Q Apps support data collection forms that allow shared apps to collect structured data from multiple users.
- Useful for surveys, feedback collection, intake forms, and structured workflows.
Example Use Cases
- Meeting summary generator — upload meeting notes, get action items and summaries
- RFP response assistant — input requirements, generate proposal drafts from company knowledge
- Onboarding checklist app — guide new hires through company policies and procedures
- Competitive analysis tool — input competitor info, get insights from internal research documents
Admin Controls & Guardrails
- Amazon Q Business provides configurable guardrails (chat controls) to manage and control the end user chat experience.
- Controls are organized into global controls and topic-level controls.
Global Controls
- Response source controls — specify whether responses use:
- Enterprise data only (strict RAG mode)
- Enterprise data + LLM model knowledge (when enterprise data lacks answers)
- Blocked phrases — define specific words or phrases that Amazon Q Business must never include in responses.
- File upload control — enable or disable end user file uploads during chat sessions.
- Chat personalization — control whether responses are personalized using IAM Identity Center user attributes (address, job info).
- Chat orchestration — enable/disable automatic routing of requests across plugins and data sources.
- Hallucination detection — enable automatic checking and correction of responses for inconsistencies.
- Global controls cannot be created or deleted — only updated.
Topic-Level Controls
- Define natural language topics that Amazon Q Business should handle in specific ways.
- For each topic, configure:
- Topic description — natural language description of the topic area
- Example user messages — sample queries that fall under this topic
- Response behavior:
- Allow responses from enterprise data only
- Allow responses from enterprise data + model knowledge
- Block the topic entirely (refuse to answer)
- Custom response message — provide a specific response for blocked topics
- Topic controls can be scoped to specific users and groups for fine-grained governance.
Blocked Topics
- Administrators can block entire topics to prevent the assistant from discussing sensitive subjects.
- Common blocked topics: competitor information, executive compensation, unreleased products, legal opinions.
- When a blocked topic is detected, Q Business returns the configured custom response message.
Access Control & Security
- Amazon Q Business implements defense-in-depth security with multiple layers of access control.
- Built on Amazon Bedrock, inheriting automated abuse detection and responsible AI controls.
IAM Identity Center Integration
- AWS IAM Identity Center (recommended) provides centralized identity management for Q Business.
- Supports single sign-on (SSO) with external identity providers (Okta, Azure AD, Ping Identity, etc.).
- Manages user subscriptions, group memberships, and application access centrally.
- Enables automatic subscription deduplication across multiple Q Business applications sharing the same Identity Center instance.
- IAM Federation (alternative) — supports OIDC and SAML identity providers for organizations not using Identity Center.
Document-Level Security (ACL Crawling)
- Amazon Q Business crawls Access Control Lists (ACLs) from data sources by default.
- Maps source system users/groups to IAM Identity Center identities via a User Store.
- Ensures users only receive answers from documents they have permission to access in the source system.
- ACL crawling supports:
- User-level permissions
- Group-level permissions
- Inherited permissions (folder hierarchies)
- Once ACL crawling is enabled, it cannot be disabled — this is a permanent setting.
- Documents without ACL entries are accessible to all authenticated users by default.
Encryption
- Encryption at rest — all data in the index is encrypted using AWS KMS keys.
- Customer Managed Keys (CMK) — supported with Enterprise index type for full key control.
- Encryption in transit — all communications use TLS 1.2+.
- Data source credentials stored securely in AWS Secrets Manager.
Network Security
- Amazon Q Business supports VPC endpoints (AWS PrivateLink) for private connectivity.
- Data source connections can traverse VPCs for on-premises connectors.
- All API calls are logged in AWS CloudTrail for auditing.
Subscription Management
- Amazon Q Business uses a per-user subscription model with charges for both user subscriptions and index capacity.
User Subscription Tiers
| Feature | Lite Plan ($3/user/month) | Pro Plan ($20/user/month) |
|---|---|---|
| Ideal for | Enterprise-wide deployment, frontline workers | Knowledge workers, power users |
| Q&A on knowledge bases | ✅ With citations | ✅ With citations |
| Q&A on LLM knowledge | ❌ | ✅ |
| File upload to chat | ✅ | ✅ |
| Content generation | ❌ | ✅ |
| Amazon Q Apps | ❌ | ✅ |
| Built-in plugins | ❌ | ✅ |
| Custom plugins | ❌ | ✅ |
| Slack/Teams integrations | Browser extensions only | ✅ Full integrations |
| QuickSight integration | ❌ | ✅ Reader Pro |
| Chat orchestration | ❌ | ✅ |
| Web experience (SSO) | ✅ | ✅ |
| Permissions-aware responses | ✅ | ✅ |
Index Pricing
| Index Type | Pricing | Included Capacity |
|---|---|---|
| Starter | $0.14/hour per unit | 20,000 docs or 200 MB text, 100 hrs connector usage |
| Enterprise | $0.264/hour per unit | 20,000 docs or 200 MB text, 100 hrs connector usage + CMK support |
Subscription Billing Details
- Charges start only after first use by the user.
- Subscriptions are prorated when created or upgraded (based on remaining days in the month).
- Cancellations and downgrades are not prorated — they apply at the start of the next billing month.
- AWS deduplicates subscriptions across Q Business applications sharing the same IAM Identity Center instance — each user is charged only once at their highest subscription level.
- For IAM Federation, users are charged once per IAM Identity Provider.
Amazon Q Business vs Bedrock Knowledge Bases vs Amazon Kendra
| Feature | Amazon Q Business | Bedrock Knowledge Bases | Amazon Kendra |
|---|---|---|---|
| Primary Purpose | Enterprise AI assistant (turnkey RAG + actions) | Managed RAG for custom AI applications | Intelligent enterprise search |
| Target User | Business users & admins (no-code) | Developers building AI apps | Developers & search admins |
| Built-in Chat UI | ✅ Web experience, browser extensions | ❌ (requires custom UI) | ❌ (search UI only, needs custom chat) |
| Data Connectors | 40+ managed connectors | S3, Confluence, SharePoint, Web Crawler, Google Drive, OneDrive | 30+ managed connectors |
| Retrieval Method | Native or Kendra retriever | Vector search (OpenSearch, Pinecone, etc.) | Semantic + keyword search |
| LLM Integration | Built-in (managed by AWS) | Choose any Bedrock FM | Requires custom LLM integration |
| Plugins/Actions | ✅ Built-in + custom (OpenAPI) | ✅ Via Bedrock Agents | ❌ |
| Citizen Developer Apps | ✅ Q Apps | ❌ | ❌ |
| Access Control | ACL crawling, IAM Identity Center | Metadata filtering | ACL crawling, token-based |
| Admin Guardrails | ✅ Topic controls, blocked phrases | ✅ Bedrock Guardrails (separate) | ❌ (search-level only) |
| Pricing Model | Per user/month + index capacity | Per KB storage + retrieval queries | Per index hour + connector usage |
| Best For | Rapid enterprise AI assistant deployment | Custom RAG applications with specific FMs | Enterprise search with NLP ranking |
| Availability Status | Closing to new customers July 31, 2026 (migrate to Amazon Quick) | GA, actively developed | Closing to new customers (migrate to Quick) |
Use Cases
Internal Knowledge Base
- Connect company wikis, SharePoint, Confluence, and file shares to provide instant answers about policies, procedures, and institutional knowledge.
- Reduce time employees spend searching across multiple systems.
- Maintain permissions — users only see information they’re authorized to access.
IT Helpdesk
- Index IT documentation, runbooks, and knowledge articles from ServiceNow.
- Use plugins to create/update tickets directly from the chat interface.
- Automate common L1 support queries (password resets, VPN setup, software installation guides).
- Escalate complex issues by creating tickets with pre-populated context.
HR Assistant
- Answer employee questions about benefits, PTO policies, expense procedures, and onboarding.
- Connect to HR systems via plugins for actions like submitting time-off requests.
- Reduce HR ticket volume by providing instant self-service answers.
- Use topic-level controls to block sensitive HR topics (individual salaries, disciplinary actions).
Customer Support (Internal)
- Equip support agents with instant access to product documentation, troubleshooting guides, and customer history.
- Reduce average handle time by surfacing relevant solutions in real-time.
- Create Zendesk/Salesforce tickets with full context directly from the assistant.
Compliance & Legal Q&A
- Index regulatory documents, compliance policies, audit reports, and legal guidelines.
- Provide rapid answers about compliance requirements with document citations.
- Use guardrails to ensure responses don’t constitute legal advice (blocked topic with custom message).
- Maintain strict access controls — only compliance team members can access sensitive regulatory documents.
Migration to Amazon Quick
- AWS announced that Amazon Q Business will no longer accept new customers starting July 31, 2026.
- Existing customers remain fully supported with bug fixes and security updates, but no new features.
- AWS recommends migrating to Amazon Quick — the next evolution of Q Business with enhanced capabilities.
- Amazon Quick provides:
- Quick Flows — workflow automation (replacing Q Apps)
- QuickSight integration — structured data analysis and visualization
- Quick Research — in-depth analysis and expert insights
- Spaces — unified knowledge management
- MCP (Model Context Protocol) — open standard for connecting to external tools and data sources
- Migration path: Use Bring Your Own Index (BYOI) to connect existing Q Business index to Quick without disrupting current operations.
- Q Apps must be manually migrated to Quick Flows.
- Guardrails and User Store configurations are not included in BYOI — must be recreated in Quick.
AWS Certification Exam Practice Questions
Question 1: A company wants to deploy Amazon Q Business for their 5,000 employees. Frontline workers need basic Q&A access, while 200 knowledge workers need full capabilities including content generation and plugins. What is the most cost-effective subscription approach?
- Subscribe all 5,000 users to Pro plan
- Subscribe 4,800 users to Lite plan and 200 users to Pro plan
- Subscribe all users to Lite plan and upgrade on request
- Use anonymous access for all users to avoid subscription costs
Show Answer
Answer: B –
Explanation: The Lite plan ($3/user/month) provides Q&A on knowledge bases with citations and permissions-aware responses, sufficient for frontline workers. The Pro plan ($20/user/month) adds content generation, plugins, Q Apps, and integrations needed by knowledge workers. This gives $14,400/month for Lite users + $4,000/month for Pro users = $18,400/month vs. $100,000/month for all Pro.
Question 2: An organization uses Amazon Q Business with documents stored across SharePoint, Confluence, and S3. A user asks a question, but receives no answer despite the information existing in Confluence. What is the MOST likely cause?
- The Confluence connector has not completed its sync schedule
- The user does not have ACL permissions to access the Confluence document
- Amazon Q Business does not support Confluence as a data source
- The Enterprise index type is required for multiple data sources
Show Answer
Answer: B –
Explanation: Amazon Q Business crawls ACLs by default and provides permissions-aware responses. If a user doesn’t have access to a document in the source system (Confluence), Q Business will not include that document in its response, even if the information exists. Option A is possible but less likely if the connector is configured for regular syncs.
Question 3: A company wants to prevent Amazon Q Business from answering questions about competitor pricing and executive compensation. Which feature should the administrator configure?
- IAM policies to restrict user access
- Global controls with blocked phrases
- Topic-level controls with blocked topic behavior
- Remove all documents mentioning competitors from data sources
Show Answer
Answer: C –
Explanation: Topic-level controls allow administrators to define natural language topics (e.g., “competitor pricing,” “executive compensation”) and configure blocked behavior with custom response messages. Global blocked phrases only block specific words/phrases in responses, not entire topics. Topic-level controls provide more comprehensive governance over sensitive subjects.
Question 4: A development team wants Amazon Q Business users to create Jira tickets directly from the chat interface when they encounter issues. Which component is needed?
- Jira data source connector
- Jira built-in plugin
- Custom data source connector with Jira API
- Amazon Q Apps with Jira integration
Show Answer
Answer: B –
Explanation: The Jira built-in plugin enables users to perform actions (create issues, update status, add comments) in Jira directly from the Q Business chat interface. The Jira data source connector is for indexing/reading Jira content, not performing actions. Plugins enable write operations while connectors enable read/index operations.
Question 5: An organization is evaluating whether to use Amazon Q Business or Amazon Bedrock Knowledge Bases for their enterprise AI assistant. They need a turnkey solution with built-in chat UI, 40+ data connectors, no-code setup, and citizen developer app capabilities. Which service best fits their requirements?
- Amazon Bedrock Knowledge Bases with custom UI
- Amazon Q Business
- Amazon Kendra with custom LLM integration
- Amazon Bedrock Agents with Confluence connector
Show Answer
Answer: B –
Explanation: Amazon Q Business provides all requested capabilities: built-in web experience chat UI, 40+ managed data connectors, no-code admin setup, and Q Apps for citizen developers. Bedrock Knowledge Bases requires custom UI development and has fewer native connectors. Kendra provides search but not a conversational AI assistant. Q Business is the fully managed turnkey enterprise AI assistant solution.
Frequently Asked Questions
What is Amazon Q Business?
Amazon Q Business is a fully managed generative AI assistant for enterprises. It connects to 40+ data sources (SharePoint, Confluence, Salesforce, etc.), understands your company’s information, and provides accurate answers with citations while respecting existing access controls.
How much does Amazon Q Business cost?
Q Business Lite costs $3/user/month (Q&A and search only). Q Business Pro costs $20/user/month (includes plugins, actions, Q Apps, and advanced features). There’s also a per-index-unit and document storage charge.
What is the difference between Q Business and Bedrock Knowledge Bases?
Q Business is a ready-to-use enterprise assistant with built-in web UI, 40+ connectors, plugins, and admin controls. Bedrock Knowledge Bases is a developer building block for custom RAG applications that you integrate into your own apps via API.