Build a Generative AI-Powered Assistant Using Amazon Q for Enterprise Systems
Amazon Q Business is a generative-AI powered assistant that you can tailor to your enterprise data needs. It can answer questions, provide summaries, generate content, and complete tasks using data from authorized sources with references, for scenarios such as IT, HR, and benefits support.
Published Jul 15, 2024
In this blog, I will provide an overview of Amazon Q Business, a scalable and secure enterprise solution. I will also show you how to set it up easily. This blog is for intermediate or advanced readers who have full knowledge of how to use AWS services.
You can get fast, precise, and appropriate answers to your business questions with Amazon Q Business, in a secure and private way. You can also perform actions using built-in or custom plugins. It honors your existing access control based on user permissions. It links to more than 40 common enterprise applications and document repositories. It allows administrators to set up guardrails to tailor and regulate responses. It simplifies daily tasks with user-generated lightweight applications.
Make sure to examine the pricing model of Amazon Q Business thoroughly before configuring it because it has other costs besides Q licenses such as index, S3 and others. Amazon Q Business is expensive for long-term PoC setup. Price link: https://aws.amazon.com/q/business/pricing/
To begin, you need to set up the infrastructure for the Amazon Q Business application.
- You need an AWS account with administrator access
- Download the CloudFormation template to your local computer
- Select the region where you want to create the Amazon Q Business application and open the AWS Management Console for AWS CloudFormation
- Select Create stack with New resources, then choose Template is ready, Upload a template file, click on Choose file and then upload the CloudFormation template you downloaded, and click Next. Your screen will look similar to the screenshot below.
- On the Specify stack details screen, choose a stack name. If in the previous section you determined that you need an IDC instance to be created and your AWS account is not managed by AWS Organizations, then change the CreateIDC parameter to yes. If not, leave the CreateIDC parameter as no. Leave all the other parameters unchanged. Your screen will look similar to the screenshot below. Select Next.
- For users who need IDC to be enabled:
- Select Next on the Configure stack options page
- On the next page, check I acknowledge that AWS CloudFormation might create IAM resources, as seen in the screenshot below, and then click Submit
- It takes 5-10 minutes for the CloudFormation stack to complete creation, after which it will look like the screenshot below
- Select the Outputs tab and you will see a screen similar to the screenshot below with IDC instance Arn and S3 Bucket URL
- Download the CloudFormation template to your local computer
- Open the AWS Management Console for AWS CloudFormation
- Select Create stack with New resources, then choose Template is ready, Upload a template file, click on Choose file and then upload the CloudFormation template you downloaded, and click Next. Your screen will look similar to the screenshot below
- On the Specify stack details screen, choose a stack name, and add CDEBucketName from the S3BucketUrl shown in the Outputs of your previous CloudFormation stack. Your screen will look similar to the screenshot below. Select Next
- Select Next on the Configure stack options page
- Check I acknowledge that AWS CloudFormation might create IAM resources, as seen in the screenshot below, and then click Submit
- It takes 5-10 minutes for the CloudFormation stack to complete creation. After it has finished, select the Outputs tab and you will see a screen similar to the screenshot below with the CDE relevant resources
- Download the sample data file to your local computer, and unzip it
- Get S3BucketUrl in the Outputs of your CloudFormation stack
- From the unzipped sample data on your local computer, edit whitepapers_acl.json in the EQ subfolder, replace NAME-OF-DATASOURCE-S3-BUCKET with the name of your S3 bucket, and then save it
- Browse to your S3 bucket and upload the unzipped Data folder. See the screenshots below
- On a Mac computer, remove the .DS_Store files
- Repeat the same steps for the EQ folder
- Open the AWS Management Console for IAM Identity Center
- From the left navigation bar, click on Users, click the Add user button and add a few users (see the screenshot below)
- Next, click on Groups, click Create group and create a few groups (see the screenshot below)
- To disable MFA, navigate to Settings and select the Authentication tab
- Under Multi-factor authentication click Configure button. From the configure window > MFA settings section, select Never (disabled), and click Save changes
- Navigate to the Users page and select the user for whom a password is required. For example, select John Doe, and click Reset password located at the top right of the user information page
- Select Generate a one-time password and share the password with the user, and click Reset password
- Copy and store the temporary password generated
- To change the temporary password, open the AWS access portal URL in a new Private, Incognito or InPrivate (Edge) web browser window. In the sign-in page, enter the user name (john_doe), and click Next
- Repeat the same steps to reset all users' passwords
- Browse to the AWS Management Console for Amazon Q: in your browser, open the Amazon Q Business console in us-east-1 or the Amazon Q Business console in us-west-2
- Click on Get started. It will open the Applications screen for Amazon Q
- Click on Create application
- Give the application a name
- Select Create and use a new service role (SR) and optionally, update the auto-generated role name
- Review the Connect Application to IAM Identity Center for IDC instance binding and click Create
- On the Select retriever screen, select Use native retriever, leave the other selections as they are and click Next
- On the Connect data sources screen you will see a number of options. At this time the Upload docs option is disabled, since the retriever index is still being created. Leave everything default and click Next
- The Add groups and users screen configures user subscription and access for the application. First, for Web experience service access, select Create and use a new service role
- Next click on Add Groups and users, select Assign existing users and groups, click Next and click Get Started
- In the Assign users and groups window use the search box to find users and groups by name. For the workshop users, type "AllUsers" in the search box and select "AllUsers" group from the drop down
- Click Assign to add the group to the application
- From the Groups tab select the newly added group AllUsers, click Choose Subscription, select Q Business Pro and click on the tick button
- Click Create Application
- You should now see a screen similar to the one below
- Click on the application name
- From the application details page, click Web experience settings tab and note down the Deployed URL. You will use this URL for chatting with Amazon Q Business
- You have successfully created an Amazon Q Business application!
- Configure Upload files, Web crawler connector and Amazon S3 connectors
- Download and save these sample files to your computer
- Go to the Amazon Q Business console you set up before
- Add data source. In the Add data source screen, notice that Upload files button is now enabled. Click on it
- On the Upload documents screen, click the Choose files button
- Click Done. Now you will see an updated application details screen as below. Observe the Uploaded files in the Data sources area and the updated Document count. Please note that updating the document counts can take a few minutes
- Copy the Deployed URL located under the Web Experience tab in the application detail page, and open the URL in a private web browser instance to start a conversation. Use any one of the user names (e.g. john_doe) set up in IDC to sign in
- Now ask a question: What should a client do to file an insurance claim due to flood damage?
- Click on the Sources button to see the details
- Ask another question, in this case composing an email message with the conversation summary
- You have now started having conversations with the GenAI assistant you built using Amazon Q
- Go to the application details page and click on Add data source button
- Select Web crawler
- Provide a Data source name
- Select Source URLs and provide the Source URLs https://en.wikipedia.org/wiki/Yosemite_National_Park & https://docs.aws.amazon.com/bedrock/latest/userguide/agents.html. For the Authentication section, leave the default of No authentication selected; there is no need to provide any details in the optional Web proxy section, as we are crawling a public URL
- For IAM role, select Create a new service role (Recommended)
- In the Sync scope section, we will reduce the scope to index fewer documents so that the ingestion completes quickly. Set Sync range to Sync domains with subdomains only, set the Crawl depth to 0 and Maximum links per page to 1
- For Sync run schedule set the Frequency to Run on demand from the pull down menu and click Add data source
- After the data source is created, click on Sync now to start data source sync. Note that the data source sync takes 10-15 minutes to complete
- Sample question: Where is Yosemite national park located?, When was it founded?, What are the important points to see there?
- Sample question: What's the best time to visit Yosemite?, What are the flora and fauna found there?
- Another sample question: Create a flyer for Yosemite visitors based on this conversation
Congratulations, you have successfully indexed pages from a URL using the web crawler method.
- Open the URL of the s3bucket in a new browser tab. Note the name of the S3 bucket
- Click on the Data/ folder and observe the sub folders underneath
- Go back to the root of the S3 bucket and then click on the EQ/ folder
- Select Amazon S3
- Give a Data source name
- For IAM role, select Create a new service role (Recommended). This will auto populate the Role name
- In Sync scope, in the field Enter the data source location
- In the AWS Management Console for S3, browse to the S3 bucket you are using as a data source and click on the folder called EQ, click on the file whitepapers_acl.json, and then copy its URI
- Go back to the browser tab where you were configuring the data source to Amazon Q application, and expand Advanced settings. In Access control list configuration file location - optional paste the S3 URI of whitepapers_acl.json you copied in the previous step
- Open Attachment regex patterns, add Data/ in Prefix and click Add
- For Sync mode leave the default setting of Full sync, and for Sync run schedule select the Frequency as Run on demand from the pull down menu. Leave the rest as default and click Add data source
- After the data source is created, click on Sync now to start the data source sync. It will take up to 10-15 minutes
- After the data source sync is completed, go to the application details page, and then click on the name of the data source you just created
- With three different data sources configured
- Users are assigned to different groups as below
  - pat_candella - SA (group of solutions architects)
  - mateo_jackson - DB_SME_SA (group of database subject matter expert solutions architects)
  - john_doe - ML_SME_SA (group of machine learning subject matter expert solutions architects)
  - mary_major - (does not belong to any of these groups)
  - martha_rivera - Admins (group of administrators)
- Under Data/ you must see subfolders Best_Practices, General, Security, Well_Architected, Machine_Learning and Databases
- The sample ACL configuration below gives users different access permissions based on the groups they belong to
  - Everyone can access Best_Practices and General documents
  - Members of SA group can access Best_Practices, General, Security and Well_Architected documents
  - Members of ML_SME_SA group can access Best_Practices, General, Security, Well_Architected and Machine_Learning documents
  - Members of DB_SME_SA group can access Best_Practices, General, Security, Well_Architected and Databases documents
  - Members of Admins group can access all the documents
- Here is a sample ACL file; you need to replace NAME-OF-DATASOURCE-S3-BUCKET with your data source bucket name
- Experiment with more conversations with Amazon Q logged in as different users, and observe how the responses are based only on those documents the logged-in user has permission to access
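
The access rules above, written out as S3 connector ACL entries and checked per user. This is an added example, not the workshop's whitepapers_acl.json, which is not reproduced on this page. It assumes the connector's keyPrefix/aclEntries JSON layout, models "everyone" as the AllUsers group, and treats a matching DENY as overriding ALLOW.

```python
import json

PLACEHOLDER = "NAME-OF-DATASOURCE-S3-BUCKET"  # literal the page tells you to replace
EVERYONE = "AllUsers"  # assumption: "everyone" is modelled as this group
SA_ALL = ["SA", "ML_SME_SA", "DB_SME_SA", "Admins"]
# Folder -> allowed groups, transcribed from the access rules listed on the page.
POLICY = {
    "Best_Practices": [EVERYONE], "General": [EVERYONE],
    "Security": SA_ALL, "Well_Architected": SA_ALL,
    "Machine_Learning": ["ML_SME_SA", "Admins"],
    "Databases": ["DB_SME_SA", "Admins"],
}
USERS = {  # user -> groups from the page; AllUsers membership is assumed for all
    "pat_candella": ["SA"], "mateo_jackson": ["DB_SME_SA"],
    "john_doe": ["ML_SME_SA"], "mary_major": [], "martha_rivera": ["Admins"],
}

def build_acl(bucket):
    """One entry per Data/ subfolder: keyPrefix plus GROUP ALLOW aclEntries."""
    return [{
        "keyPrefix": f"s3://{bucket}/Data/{folder}/",
        "aclEntries": [{"Name": g, "Type": "GROUP", "Access": "ALLOW"} for g in groups],
    } for folder, groups in POLICY.items()]

def lint(acl):
    """Flag a leftover placeholder, malformed prefixes and unknown Type/Access values."""
    problems = []
    for entry in acl:
        prefix = entry["keyPrefix"]
        if PLACEHOLDER in prefix or not (prefix.startswith("s3://") and prefix.endswith("/")):
            problems.append(f"bad keyPrefix: {prefix}")
        for e in entry["aclEntries"]:
            if e["Type"] not in ("USER", "GROUP") or e["Access"] not in ("ALLOW", "DENY"):
                problems.append(f"bad aclEntry under {prefix}: {e}")
    return problems

def folders_for(acl, user):
    """Folders a user may read: at least one ALLOW match and no DENY match (modelled)."""
    who = {("USER", user), ("GROUP", EVERYONE)} | {("GROUP", g) for g in USERS[user]}
    allowed = []
    for entry in acl:
        hits = {e["Access"] for e in entry["aclEntries"] if (e["Type"], e["Name"]) in who}
        if hits == {"ALLOW"}:
            allowed.append(entry["keyPrefix"].rstrip("/").rsplit("/", 1)[-1])
    return sorted(allowed)

if __name__ == "__main__":
    acl = build_acl("example-q-datasource")  # constructed bucket name
    print(json.dumps(acl, indent=2), lint(acl), {u: folders_for(acl, u) for u in USERS})
```

Running `lint` on the file before each sync catches the unreplaced bucket placeholder, and comparing `folders_for` output with what each signed-in user can actually retrieve in the web experience confirms the ACL is being enforced as intended.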