Prerequisites for Amazon Q Apps - Amazon Q Business

Prerequisites for Amazon Q Apps

Before using Amazon Q Apps, make sure that you do the following:

  • Set up your identity provider – For web experience users to create and run their own Amazon Q Apps within a broader Amazon Q Business application environment, they must be recognized by either IAM Identity Center or AWS Identity and Access Management (IAM). These users can continue to authenticate either directly through IAM Identity Center, or through an existing enterprise identity provider connected to IAM Identity Center or IAM (like Okta, Microsoft Entra ID, and Ping Identity, among others). When users attempt to use an Amazon Q Business web experience, Amazon Q Apps authorizes their actions based on the user and group information it gathers from IAM Identity Center or IAM.

    To set up IAM Identity Center, see Enable single sign-on access to your AWS applications (Application admin role) in the IAM Identity Center User Guide. You need to complete this step before creating an Amazon Q Business application environment and using Amazon Q Apps. For a list of supported enterprise identity providers and how to connect them to your IAM Identity Center instance, see Manage an external identity provider in the IAM Identity Center User Guide.

    To set up AWS Identity and Access Management, see Get started with IAM in the AWS Identity and Access Management User Guide. You need to complete setting up and connecting an identity provider to an IAM instance before creating an Amazon Q Business application environment and using Amazon Q Apps. For a list of supported enterprise identity providers and how to connect them to your IAM instance, see Identity providers and federation in the AWS Identity and Access Management User Guide. For an example of how to set up an Amazon Q Business application environment with IAM federation using Okta, see Configuring an Amazon Q Business application using IAM Federation.

    Important

    As of July 1, 2024, Amazon Q Apps are available only to Amazon Q Business Pro users. Amazon Q Business Lite users will no longer be able to create, run, or view Q Apps. To access Q Apps, Lite users must upgrade to Amazon Q Business Pro.

    As of August 30, 2024, all Amazon Q Apps created by Lite users who did not upgrade their account to Amazon Q Business Pro have been deleted.

  • Finish the Amazon Q Business setup – Complete setting up Amazon Q Business and create an Amazon Q Business application environment integrated with either IAM Identity Center or AWS Identity and Access Management. Configuring the application environment is necessary so that you can allow users to manage their own Amazon Q Apps. Also, include a retriever and, optionally, a data source connector.

  • Create an IAM role – Configure an AWS Identity and Access Management (IAM) access role (permissions policy) for the deployed web experience for your broader application environment, including permissions for Amazon Q Apps. The admin can use the Amazon Q Business console to create the required IAM role for users as part of the configuration steps. To view and modify the required IAM access role with set permissions and optional permissions for web experience users to view and specify approved data sources with Amazon Q Apps, see the IAM role for web experience users.

    Note

    If you are using permissions for Amazon Q Apps created prior to July 10, 2024, you must update your role with the new Amazon Q Apps permissions so that your users can view and specify approved data sources and use other future features in Q Apps.

  • Quotas (formerly known as limits) – There are set maximum quotas for Amazon Q Apps. For information about these quotas, see Quotas.