Data encryption for Amazon Q Business
Amazon Q Business supports encryption at rest using a customer supplied symmetric AWS KMS key when provided, or uses an AWS-owned AWS KMS key if no customer managed key is provided. Amazon Q Business also uses HTTPS protocol for data in transit.
Important
Amazon Q does not support asymmetric KMS keys. For more information, see Using Symmetric and Asymmetric Keys in the AWS Key Management Service Developer Guide.
Encryption at rest
Amazon Q Business provides encryption by default to protect sensitive customer data at rest using AWS owned encryption keys. Sensitive customer data includes both questions and answers in the Amazon Q Business web experience and the documents uploaded to Amazon Q Business index.
The Amazon Q Business uses the questions and answers to know the conversation context and to provide you with the best answer. The conversation data is automatically removed once the conversation is deleted or is inactive. For more information, see Conversation management. The uploaded documents are used by Amazon Q Business to retrieve them at runtime to answer your questions.
-
AWS owned keys – Amazon Q Business uses these keys by default to automatically encrypt sensitive customer data. You can't view, manage, or use AWS owned keys, or audit their use. However, you don't have to take any action or change any programs to protect the keys that encrypt your data. For more information, see AWS owned keys in the AWS Key Management Service Developer Guide.
Encryption of data at rest by default helps reduce the operational overhead and complexity involved in protecting sensitive data. At the same time, it enables you to build secure applications that meet strict encryption compliance and regulatory requirements.
While you can't disable this layer of encryption or select an alternate encryption type, you can add a second layer of encryption over the existing AWS owned encryption keys by choosing a customer managed key when you create your resources:
-
AWS KMS key (KMS) – Amazon Q supports the use of symmetric customer managed keys that you create, own, and manage to add a second layer of encryption over the existing AWS owned encryption.
In Amazon Q Business, you configure KMS keys when you create an Amazon Q Business application environment. The same KMS key is used to encrypt data for the application environment you create and any child resources under the application environment (for example, an Amazon Q Business index). However, KMS keys are not supported for the Amazon Q Business Starter index. So, if you use a KMS key with your application environment, you won't be able to use an Amazon Q Business Starter index for it. To use KMS keys, you must choose either an Amazon Q Business Enterprise index or an Amazon Kendra retriever for your application environment.
Important
Amazon Q does not support asymmetric KMS keys. For more information, see Using Symmetric and Asymmetric Keys in the AWS Key Management Service Developer Guide.
Because you have full control of this layer of encryption, you can perform such tasks as:
-
Establishing and maintaining key policies
-
Establishing and maintaining IAM policies and grants
-
Enabling and disabling key policies
-
Rotating key cryptographic material
-
Adding tags
-
Creating key aliases
-
Scheduling keys for deletion
For more information, see customer managed key in the AWS Key Management Service Developer Guide.
Note
If you have created your Amazon Q Business application environment using AWS KMS and then you want to migrate to using customer managed key (CMK), you will have to re-create your application environment.
Topics
How Amazon Q Business uses grants in AWS KMS
Amazon Q Business requires a grant to use your customer managed key. When you create a Amazon Q Business application environment resource encrypted with a customer managed key, Amazon Q creates a grant on your behalf by sending a CreateGrant request to AWS KMS. Grants in AWS KMS are used to give Amazon Q Business access to a KMS key in a customer account.
Amazon Q Business requires the grant to use your customer managed key for the following internal operations:
-
Send DescribeKey requests to AWS KMS to verify that the symmetric customer managed key ID entered when creating application environment is valid.
-
Send GenerateDataKeyWithoutPlainText requests to AWS KMS to generate data keys encrypted by your customer managed key.
-
Send Decrypt requests to AWS KMS to decrypt the encrypted data keys so that they can be used to encrypt your data.
You can revoke access to the grant, or remove the service's access to the customer managed key at any time. If you do, Amazon Q Business won't be able to access any of the data encrypted by the customer managed key, which affects operations that are dependent on that data.
Create a customer managed key
You can create a symmetric customer managed key by using the AWS Management Console, or the AWS KMS APIs.
Important
Amazon Q does not support asymmetric KMS keys. For more information, see Using Symmetric and Asymmetric Keys in the AWS Key Management Service Developer Guide.
To create a symmetric customer managed key
Follow the steps for Creating symmetric customer managed key in the AWS Key Management Service Developer Guide.
Key policy
Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify a key policy. For more information, see Managing access to customer managed keys in the AWS Key Management Service Developer Guide.
To use your customer managed key with your Amazon Q Business resources, the following API operations must be permitted in the key policy:
-
kms:CreateGrant – Adds a grant to a customer managed key. Grants control access to a specified KMS key,which allows access to grant operation Amazon Q Business requires. For more information about Using Grants, see the AWS Key Management Service Developer Guide.
This allows Amazon Q Business to do the following:
-
Call
GenerateDataKeyWithoutPlainText
to generate an encrypted data key and store it, because the data key isn't immediately used to encrypt. -
Call
Decrypt
to use the stored encrypted data key to access encrypted data. -
Set up a retiring principal to allow the service to
RetireGrant
.
-
-
kms:DescribeKey – Provides the customer managed key details to allow Amazon Q to validate the key.
The following are policy statement examples you can add for Amazon Q Business
"Statement": [{ "Sid": "Allow access to principals authorized to use Amazon Q", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/Admin" }, "Action": [ "kms:DescribeKey", "kms:CreateGrant" ], "Resource": "*", "Condition": { "StringEquals": { "kms:ViaService": "qbusiness.region.amazonaws.com", "kms:CallerAccount": "111122223333" } } }, { "Sid": "Allow access for key administrators", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action": [ "kms:*" ], "Resource": "arn:aws:kms:region:111122223333:key/key_ID" }, { "Sid": "Allow read-only access to key metadata to the account", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action": [ "kms:Describe*", "kms:Get*", "kms:List*", "kms:RevokeGrant" ], "Resource": "*" } ]
For more information about specifying permissions in a policy and troubleshooting key access, see the AWS Key Management Service Developer Guide
Specifying customer managed key for Amazon Q Business
You can specify a customer managed key as a second layer encryption for your Amazon Q Business application environment resource.
When you create your application environment, you can specify the data key by entering a KMS ID, which Amazon Q Business uses to encrypt the identifiable personal data stored by the application environment.
KMS ID – A key identifier for an AWS KMS customer managed key. Enter a key ID, key ARN, alias name, or alias ARN.
Any resources you create under your Amazon Q Business application environment will be encrypted with the same key.
Monitoring your encryption keys for Amazon Q
When you use an AWS KMS customer managed key with your Amazon Q Business resources, you can use AWS CloudTrail or Amazon CloudWatch Logs to track requests that Amazon Q Business sends to AWS KMS.
The following examples are AWS CloudTrail events for CreateGrant
,
GenerateDataKey
, Decrypt
, and DescribeKey
to
monitor KMS operations called by Amazon Q Business to access data encrypted by your
customer managed key.
Encryption in transit
Amazon Q Business uses the HTTPS protocol to communicate with your client application environment. It uses HTTPS and AWS signatures to communicate with other services on your application environment's behalf. .