Simplifying Enterprise Data Access: Implementing Trusted Token Issuer Authentication for Amazon Q Business Data Accessors
Empowering SaaS Solutions with Amazon Q Business and Trusted Token Issuer Authentication
Since its general availability in 2024, Amazon Q Business (Amazon Q) has revolutionized how independent software vendors (ISVs) enhance their Software as a Service (SaaS) offerings. By providing secure access to customers’ enterprise data via the Amazon Q Business data accessor, ISVs can seamlessly incorporate advanced capabilities into their solutions.
The Game-Changer: Trusted Token Issuer Authorization
One of the pivotal enhancements introduced is the support for trusted identity propagation. With Trusted Token Issuer (TTI) authorization, ISVs acting as data accessors can integrate with the Amazon Q index while adhering to enterprise-grade security protocols.
Previously, accessing the Amazon Q index necessitated authorization code flows with AWS IAM Identity Center integration, creating a cumbersome double authentication process. TTI simplifies this by allowing ISVs to leverage their own OpenID Provider, eliminating the need for repeated logins while upholding rigorous security standards.
This blog post aims to guide you through implementing TTI authentication for data accessors, comparing various authentication options, and providing a step-by-step roadmap for both ISVs and enterprises.
Prerequisites
Before diving into the implementation, ensure you meet these requirements:
- For all users: An AWS account with administrator access and access to Amazon Q Business.
- For ISVs: An OpenID Connect (OIDC) compatible authorization server.
- For enterprises:
  - Amazon Q Business administrator access.
  - Permissions to create trusted token issuers.
Solution Overview
The solution for implementing TTI authentication is designed to provide secure, identity-driven access to customer data. The process involves:
- ISV registration as a data accessor.
- Customer authorization of the ISV data accessor.
- Secure access by the ISV to the customer’s Amazon Q index.
Figure: Diagram of the TTI authentication flow.
Understanding Trusted Token Issuer Authentication
The Trusted Token Issuer (TTI) provides a sophisticated identity integration capability for Amazon Q. It acts as a token exchange API that enables AWS services to make authorization decisions based on the end user’s identity and group memberships. This enhances the ability to enforce security and access controls based on user contexts, thus simplifying the integration process while ensuring robust security compliance.
By allowing the propagation of user identity information into AWS IAM role sessions, TTI offers a streamlined way for organizations to implement nuanced access controls within their Amazon Q deployments.
Understanding Data Accessors
A data accessor is an ISV that has registered with AWS and is authorized to utilize their customers’ Amazon Q index for their Large Language Model (LLM) solutions. Registration involves providing necessary configuration details, including:
- Display name.
- Business logo.
- OpenID Connect (OIDC) configuration details for TTI support.
During registration, ISVs must specify a tenantId, which acts as a unique identifier for their application tenant, critical for maintaining proper customer isolation in multi-tenant environments.
Implementing TTI Authentication for Accessing the Amazon Q Index
To implement TTI authentication, customers must first complete a one-time setup on their Amazon Q Business application. This includes:
- Creating a trusted token issuer with the ISV’s OAuth information to generate a TrustedTokenIssuer (TTI) Amazon Resource Name (ARN).
- Setting up the data accessor with the TTI ARN.
- Confirming the TTI ARN with AWS IAM Identity Center to create a data accessor application.
Once configured, users can access the Amazon Q index through the ISV application, bypassing the need for multiple logins.
Authentication Flow
The authentication process unfolds as follows:
- Users authenticate against the ISV’s identity provider via the ISV application.
- The ISV application receives an ID token generated from the identity provider.
- The application performs an AssumeRole API call to the customer’s AWS IAM Identity Center using the ID token.
- After validation, the AWS IAM Identity Center returns a token that allows access to the Amazon Q index.
Choosing the Right Authentication Approach
When implementing the Amazon Q integration, ISVs face two authentication approaches:
- Trusted Token Issuer:
  - Advantages: Single authentication on the ISV system; streamlined access.
  - Considerations: Requires ISVs to maintain an OIDC provider.
- Authorization Code:
  - Advantages: Explicit user consent for each session, enhancing control.
  - Considerations: Double authentication required.
TTI provides a seamless user experience, facilitating backend-only access without direct interaction. However, ISVs must assess the implications of maintaining their own OIDC authorization server.
Next Steps
For ISVs: Becoming a Data Accessor with TTI Authentication
Getting started with the Amazon Q data accessor registration and TTI authentication involves:
- Providing a display name and business logo for the AWS Management Console.
- Supplying OIDC configuration details (e.g., ClientId).
- Specifying tenantId configurations for customer environments.
For ISVs using Amazon Cognito, retrieve the necessary OIDC configuration as follows:
- OIDC ClientId: Found in the Amazon Cognito console under "Applications".
- Discovery Endpoint URL: Follows the format:
https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration
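The following is an added example, not code from this post, from AWS, or from any ISV. It illustrates the ID-token checks that the Authentication Flow section relies on (the token issuer must be the one the enterprise registered, the audience must be the ISV's ClientId, the token must be unexpired, and the tenantId must match the customer environment), and it derives the expected issuer from the Cognito discovery endpoint format given above. The region, user pool ID, client ID, shared secret, and the `custom:tenantId` claim name are constructed placeholders; HS256 with a shared secret stands in for the RS256 signature a Cognito user pool actually produces, which a real verifier checks against the keys published at the discovery document's `jwks_uri`.

```python
import base64
import hashlib
import hmac
import json
import time

WELL_KNOWN = "/.well-known/openid-configuration"


def cognito_discovery_url(region: str, user_pool_id: str) -> str:
    """Discovery endpoint in the format the post gives for Amazon Cognito user pools."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}{WELL_KNOWN}"


def issuer_from_discovery_url(url: str) -> str:
    """The OIDC issuer is the discovery URL without the well-known suffix; the
    'iss' claim of every ID token must equal it exactly (no prefix matching)."""
    if not url.endswith(WELL_KNOWN):
        raise ValueError("not an OIDC discovery URL")
    return url[: -len(WELL_KNOWN)]


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_test_id_token(claims: dict, secret: bytes) -> str:
    """Constructed HS256 token for offline demonstration only (assumption: a real
    Cognito token is RS256 and is verified with the pool's published JWKS)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_id_token(token: str, expected_issuer: str, expected_client_id: str,
                      expected_tenant_id: str, secret: bytes, now=None):
    """Return (accepted, reason, claims). Each rejection names the failed check
    so the relying party can log it for detection and investigation."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", {}
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:
        return False, "undecodable header or payload", {}
    # Pin the algorithm: the verifier decides how to check, never the token.
    if header.get("alg") != "HS256":
        return False, "unexpected alg", claims
    expected_sig = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return False, "bad signature", claims
    # Issuer must be exactly the registered OIDC provider.
    if claims.get("iss") != expected_issuer:
        return False, "issuer mismatch", claims
    # Audience must include the ISV's ClientId registered with the data accessor.
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected_client_id not in aud:
        return False, "audience mismatch", claims
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired", claims
    # Tenant isolation: the token's tenant must be the customer environment being served.
    if claims.get("custom:tenantId") != expected_tenant_id:
        return False, "tenant mismatch", claims
    return True, "ok", claims


if __name__ == "__main__":
    # Constructed sample values; none of these identify a real user pool or tenant.
    region, pool_id, client_id, tenant_id = "us-east-1", "us-east-1_EXAMPLE", "example-client-id", "tenant-123"
    secret = b"constructed-demo-secret"
    issuer = issuer_from_discovery_url(cognito_discovery_url(region, pool_id))
    token = make_test_id_token(
        {"iss": issuer, "aud": client_id, "sub": "user-1",
         "exp": int(time.time()) + 300, "custom:tenantId": tenant_id}, secret)
    print(validate_id_token(token, issuer, client_id, tenant_id, secret))
    print(validate_id_token(token, issuer, client_id, "other-tenant", secret))
```

The checks run in a fixed order: signature first, so that a token which fails later checks still had to be produced by the trusted issuer's key, and claims only after that. Logging the rejection reason rather than a generic "unauthorized" lets an operator distinguish a mis-registered ClientId from a token presented against the wrong tenant.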
For Enterprises: Enabling TTI-authenticated Data Accessor
To enable TTI-authenticated data access, your IT administrator should:
- Create a trusted token issuer using the ISV’s OAuth information.
- Set up the data accessor with the generated TTI ARN.
- Configure appropriate access permissions.
This setup allows users to engage with the Amazon Q index through the ISV’s application, simplifying the user experience while maintaining security protocols.
Clean Up Resources
To avoid unnecessary resource consumption, follow these steps to remove a data accessor:
- Delete the data accessor via the Amazon Q Business console.
- Remove the TTI through the IAM Identity Center console.
Conclusion
The introduction of Trusted Token Issuer authentication for Amazon Q data accessors marks a significant advancement in ISV integration within the Amazon Q Business ecosystem. By facilitating the use of existing OIDC infrastructure, TTI alleviates double authentication issues while enforcing stringent security measures.
This streamlined approach not only enhances user experience but also simplifies the integration process for ISVs creating generative AI solutions.
For more details on integrating with Amazon Q Business and data accessors, refer to the AWS documentation or contact your AWS account team for personalized assistance. Step into the future of enhanced authentication capabilities by visiting the Amazon Q Business console today!
About the Authors
Takeshi Kobayashi is a Senior AI/ML Solutions Architect on the Amazon Q Business team, committed to developing cutting-edge AI/ML solutions for enterprise clients.
Siddhant Gupta is a Software Development Manager on the Amazon Q team, spearheading innovation in AI-powered solutions.
Akhilesh Amara is a Software Development Engineer contributing to the enhancement of intelligent AI tools within the team.