Since Amazon Q Business became generally available in 2024, customers have used this fully managed, generative AI-powered assistant to enhance their productivity and efficiency. The assistant enables users to answer questions, generate summaries, create content, and complete tasks using enterprise data.
Today’s workforce faces significant application overload. According to Gartner, the average desk worker now uses 11 applications to complete their tasks, up from just 6 in 2019. A typical workflow might involve checking messages in Slack, reviewing project status in Smartsheet, accessing datasets in Amazon Simple Storage Service (Amazon S3) buckets, and verifying opportunities in Salesforce. Amazon Q Business addresses this challenge through its built-in index, which you can populate with your data. This index connects to over 40 built-in data sources, including SharePoint, Confluence, and Smartsheet.
By configuring an index with these data connectors, you can quickly access answers to questions, generate summaries and content, and complete tasks by using the expertise and information stored across various data sources and enterprise systems within your organization.
Though these applications might exist in isolation, data remains the common thread among them. Independent software vendors (ISVs) are exploring ways to build their own generative AI applications to deliver results for their customers, and as with other generative AI applications, data plays a key role in their success. But what if ISVs could also access the data stored and organized in customers’ Amazon Q Business indexes to further enhance their own applications? This is why AWS announced the Amazon Q index for ISVs at AWS re:Invent 2024.
The Amazon Q index for ISVs is a capability that enables ISVs to access customers’ enterprise data through the Amazon Q index to enhance their software as a service (SaaS) solutions with generative AI experiences. This feature became generally available in December 2024 and includes partnerships with ISVs like Asana, Miro, PagerDuty, and Zoom. The service enables ISVs to use customers’ Retrieval Augmented Generation (RAG) data in a novel approach compared to traditional connector-based data source integration. The service includes key features such as multi-tenancy isolation within the Amazon Q index and direct API access through the Retrieval API for headless Amazon Q Business implementations. These capabilities support authenticated user experiences and enable ISVs to enrich their own generative AI applications and enhance end-user experiences.
In this post, we demonstrate how to enhance enterprise productivity for your large language model (LLM) solution by using the Amazon Q index for ISVs.
Solution overview
How does an ISV’s access to customers’ amazon Q index data work? The process involves three simple steps:
- The ISV registers with AWS as a data accessor.
- The customer adds that ISV as a data accessor to enable access to their index.
- The ISV can then query the customer’s index through API requests.
The following diagram illustrates how the data accessor role works.
In the following sections, we explain how an ISV can become a data accessor, enabling them to access customers’ Amazon Q index data safely and securely.
ISV becoming a data accessor for Amazon Q Business
A data accessor is an ISV who has registered with AWS and is authorized to use their customers’ Amazon Q index for their LLM solution. Amazon Q Business customers can add ISVs as data accessors to their Amazon Q Business application environment and underlying Amazon Q index. This includes Amazon Q customers selecting which data sources the ISV can retrieve data from and which end-users can retrieve it, and granting ISVs cross-account access to their Amazon Q index based on those permissions.
The following screenshot shows the data accessor setup page on the Amazon Q Business console.
Now let’s go through the steps to make your software solution an Amazon Q Business data accessor.
Submit an interest form on the Amazon Q index
The initial step is to submit your company information through an interest form (https://pages.awscloud.com/amazon-q-ISV-interest.html). Then one of our business representatives will reach out to you through email for a more in-depth discussion.
Share information with AWS
After the ISV is in contact with an AWS representative to begin the onboarding process, the next step is to prepare and share the following information with AWS for registration as a data accessor. For more details, see Information to be provided to the Amazon Q Business team. AWS will use this information to set up your organization as a data accessor:
- Display name – The name that will appear on the data accessor page on the Amazon Q Business console.
- Icon image – An image (in .svg format) that displays your application logo for Amazon Q Business customers to identify and select.
- Redirect URL – The redirect URL for the OAuth authorization code flow. This is your application URL that will receive the authorization code after users authenticate to the Amazon Q index through the customer’s OIDC provider (configured by the Amazon Q Business administrator). For more details, see Retrieving data from a customer’s Amazon Q index using the SearchRelevantContent API.
- IAM role – The AWS Identity and Access Management (IAM) role, created by the ISV, that is granted permission to access the customer’s Amazon Q Business application when the customer adds the data accessor. For ISVs to interact with the customer account’s Amazon Q Business service and API, specific roles with permissions and policies must be created in IAM. This IAM role is granted access as a data accessor when the customer account provides access to their Amazon Q Business index.
To configure the above IAM role, complete the following steps:
- On the IAM console, create a new policy as shown in the following screenshot.
- This IAM policy grants data accessors four essential permissions (SearchRelevantContent, CreateTokenWithIAM, Decrypt, and SetContext) that enable the ISV to securely search and retrieve content from a customer’s Amazon Q index. The policy applies to the relevant resources and covers the authentication, encryption handling, and security context management needed for cross-account access.
- Create an IAM role with the trust policy shown in the following screenshot.
- This trust policy enables your ISV application’s IAM role (specified by ${your_application_iam_role}) to assume the role and set security context through the sts:AssumeRole and sts:SetContext permissions. It’s a crucial security configuration that establishes trust between your ISV application and the customer’s Amazon Q Business, allowing your application to securely access customer data while maintaining proper authentication and authorization boundaries. Replace ${your_application_iam_role} with the IAM role of the component that is making the SearchRelevantContent API request. For example, if an AWS Lambda function is making the call, use the Lambda function’s role (for example, arn:aws:iam::xxxxxxxx:role/LambdaExecutionRole). If you’re making the call as an IAM user in your account, use the role assigned to that user.
- Add the policy you created to the IAM role permissions.
- Finish creating the role and copy the Amazon Resource Name (ARN) of the IAM role, which you will need to share with the AWS team.
The process for AWS to add your ISV as a data accessor typically takes 1–3 weeks to complete. While waiting, you should prepare a testing environment that acts as a customer with an Amazon Q Business application running. This will allow you to test the end-to-end experience, from adding a data accessor to making SearchRelevantContent API requests from your application to the test account’s Amazon Q index. Refer to Accessing a customer’s Amazon Q index as a data accessor using cross-account access for more details.
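The ISV-side request chain that ties together the redirect URL, CreateTokenWithIAM, sts:SetContext and SearchRelevantContent pieces named above, as an added Python example that is not AWS’s or this post’s code. It assumes the boto3 sso-oidc, sts and qbusiness client methods shown, plus the Identity Center context provider ARN and the sts:identity_context token claim, all taken from AWS’s trusted identity propagation documentation rather than from this post; the clients are passed in so the chain can be exercised offline with stubs.

```python
import base64
import json

# Assumed values (from AWS's trusted identity propagation docs, not from this post): the
# context provider ARN STS expects for Identity Center, and the ID-token claim it reads.
IDENTITY_CENTER_PROVIDER_ARN = "arn:aws:iam::aws:contextProvider/IdentityCenter"
IDENTITY_CONTEXT_CLAIM = "sts:identity_context"


def identity_context_from_id_token(id_token: str) -> str:
    """Extract the identity-context claim from the ID token CreateTokenWithIAM returns.
    The signature is not verified here: the claim is only forwarded to STS as the
    SetContext assertion, and STS validates it before issuing credentials."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))[IDENTITY_CONTEXT_CLAIM]


def build_demo_id_token(context: str) -> str:
    """Constructed, unsigned sample token for offline use; a real one comes from sso-oidc."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg({IDENTITY_CONTEXT_CLAIM: context})}."


def search_customer_index(oidc, sts, make_qbusiness, *, idc_application_arn, auth_code,
                          redirect_uri, data_accessor_role_arn, application_id,
                          retriever_id, query_text):
    """ISV-side request chain once the user lands on the redirect URL with an auth code.
    oidc and sts are boto3 'sso-oidc' and 'sts' clients; make_qbusiness(creds) builds a
    'qbusiness' client from the temporary credentials. Injecting them keeps this testable."""
    # 1. CreateTokenWithIAM: trade the authorization code for an ID token carrying the
    #    end user's identity from the customer's IAM Identity Center instance.
    token = oidc.create_token_with_iam(clientId=idc_application_arn,
                                       grantType="authorization_code",
                                       code=auth_code, redirectUri=redirect_uri)
    context = identity_context_from_id_token(token["idToken"])
    # 2. AssumeRole with SetContext: assume the data accessor role with the user's identity
    #    attached, so Q Business evaluates the qbusiness:content:access scope and the
    #    customer's data-source and user selections for this specific user.
    creds = sts.assume_role(RoleArn=data_accessor_role_arn,
                            RoleSessionName="isv-q-index-query",
                            ProvidedContexts=[{"ProviderArn": IDENTITY_CENTER_PROVIDER_ARN,
                                               "ContextAssertion": context}])["Credentials"]
    # 3. SearchRelevantContent against the customer's index with that identity-enhanced session.
    response = make_qbusiness(creds).search_relevant_content(
        applicationId=application_id, queryText=query_text,
        contentSource={"retriever": {"retrieverId": retriever_id}})
    return response.get("relevantContent", [])
```

Because the role is assumed per end user with the identity context attached, a user the customer did not assign to the data accessor application gets no results even though the ISV role itself holds SearchRelevantContent.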
Customer enablement of data accessor
After the ISV has become an approved data accessor for Amazon Q Business, the next step involves the customer enabling your ISV application to access their Amazon Q index. This process is straightforward, but involves important security configurations that enforce proper access control and data protection. When customers add your ISV as a data accessor, it establishes a secure cross-account access mechanism that allows your application to make SearchRelevantContent API requests to their Amazon Q index while maintaining strict security controls. Let’s explore how customers can enable your ISV as a data accessor and understand the underlying processes that make this secure integration possible.
Customers begin by opening the Amazon Q Business console. On the Applications page, they can navigate to the ISV application, where they will find a list of AWS-approved ISVs available as data accessors.
When adding a data accessor, customers can configure specific data source access permissions and user group settings through an intuitive interface.
What happens when a customer adds your ISV data accessor
When a data accessor is added, the system automatically triggers two important changes. This section explains the underlying process that enables your ISV to make cross-account API requests when a customer adds your ISV as a data accessor.
The following occurs in the customer’s account:
- The ISV’s data accessor is added as an application in the customer’s AWS IAM Identity Center, a centralized AWS service for managing user identities and access across AWS accounts and applications.
- Through this integration with the Amazon Q Business application, the customer can use IAM Identity Center to control which users can access the application using single sign-on (SSO), making it straightforward to manage user permissions and access securely from one central location. This application assignment process makes sure that only authorized users within the customer’s organization can access the application through IAM Identity Center authentication and authorization controls.
- The qbusiness:content:access scope, which allows reading content from the Amazon Q Business application, is granted to the ISV’s IAM role, enabling the data accessor (ISV) to use the end-user’s identity to access the customer’s Amazon Q Business application.
- When the Amazon Q Business application receives a SearchRelevantContent API call from this role, it checks whether the qbusiness:content:access scope is granted to the API requester (the data accessor).
- The user access is scoped based on the selections made during the creation of the data accessor. This allows the customer to control which content the ISV can access.
Conclusion
In this post, we explained how to add an Amazon Q Business data accessor. The process creates a secure, controlled environment where ISVs can access customer data through Amazon Q Business. This system enforces proper authentication and authorization while allowing customers to maintain control over which content ISVs can access. The combination of IAM Identity Center integration and specific permission scoping provides a robust security framework for cross-account access.
As organizations continue to seek innovative ways to use their data with generative AI, becoming an Amazon Q Business data accessor opens new possibilities for ISVs to enhance their enterprise solutions. This capability not only strengthens the value proposition of ISV solutions, but also helps enterprises maximize their investment in Amazon Q Business. As we move forward, we expect to see more innovative use cases emerge as ISVs use this powerful integration to create enhanced productivity solutions for their customers. To get started on your journey as a data accessor, visit Amazon Q capabilities to support software providers.
About the Authors
Takeshi Kobayashi is a Senior AI/ML Solutions Architect within the Amazon Q Business team, responsible for developing advanced AI/ML solutions for enterprise customers. With over 14 years of experience at Amazon in AWS, AI/ML, and technology, Takeshi is dedicated to leveraging generative AI and AWS services to build innovative solutions that address customer needs. Based in Seattle, WA, Takeshi is passionate about pushing the boundaries of artificial intelligence and machine learning technologies.
Rohan Mittal is a Senior Technical Program Manager within the AWS Partner Organization, responsible for driving key strategic initiatives within the Organization. With nearly a decade of expertise in Cloud Computing, Rohan is dedicated to harnessing cutting-edge technology and cloud solutions to address the most complex challenges facing today’s enterprise customers. Based in Washington DC, Rohan enjoys golfing and hanging out with his daughter in his free time.
Siddhant Gupta is a Software Development Manager on the Amazon Q team based in Seattle, WA. He is driving innovation and development in cutting-edge AI-powered solutions.
Akhilesh Amara is a Software Development Engineer on the Amazon Q team based in Seattle, WA. He is contributing to the development and enhancement of intelligent and innovative AI tools.