Microsoft Workloads on AWS

Harness the power of Amazon Q Business with Amazon FSx for Windows File Server for enterprise search.

Introduction

In today’s business landscape, organizations look for ways to extract insights from their growing data assets and rely on their file server infrastructure to store, manage, and share critical data. The volume and complexity of that data create challenges for maximizing its value, and companies need a new strategy to overcome them.

Amazon Q Business uses generative AI to help organizations extract value from their enterprise data. Through built-in connectors, it indexes content from different data sources to provide AI-powered answers, summaries, and task automation. This helps teams quickly analyze data patterns and generate insights, ultimately improving decision-making and operational efficiency across the organization.

Many organizations use Amazon FSx for Windows File Server to store their data. In this post, we show how to use the Amazon Q Business generative AI assistant to search and analyze data stored in Amazon FSx file systems while honoring the file permissions already in place. You will learn how to use Amazon Q Business to extract insights from your documents through natural language queries.

Solution overview

Figure 1 – Amazon Q Business FSx for Windows data source connection solution architecture


As Figure 1 shows, ensuring the confidentiality, integrity, and availability of the data is of utmost importance. The Amazon Q Business connector for FSx for Windows therefore reuses the identities, roles, and permissions that already exist in your environment: it performs identity crawling and reads the access control lists (ACLs) on the shares, authenticating with credentials stored in AWS Secrets Manager. To prevent over-exposure of sensitive data, the solution enforces the principle of least privilege, returning to each user only content from files for which they hold explicit permissions. Keep in mind that ACL enforcement happens at query time against the index: the crawler account itself must be able to read every file that should be indexed, so protect its secret and the IAM role that reads it as you would any privileged credential.

In Microsoft-centric environments, user and group objects are normally stored in Microsoft Active Directory. To support permission-based filtering of query responses, Amazon Q Business synchronizes user and group information from Active Directory into AWS IAM Identity Center. With this configuration, the solution enforces fine-grained access controls and returns filtered responses that honor each user’s permissions.

The Amazon FSx (Windows) connector ingests document content, NTFS metadata, and local FSx for Windows file permissions to provide a comprehensive understanding of data access controls. When a user submits a query to Amazon Q Business, the solution filters the response enforcing the user’s permissions. This ensures that sensitive data is accessible only to authorized users and groups.

Prerequisites

The following prerequisites are necessary to test this solution.

We assume you have a working Amazon FSx for Windows File Server in an AWS account. If you don’t have the required environment, use this AWS CloudFormation template, which deploys AWS Managed Microsoft AD, an Amazon FSx for Windows file system, and management instances. The stack takes approximately 60 minutes to deploy.

Skip step 1 if you used the AWS CloudFormation template to deploy the Amazon FSx environment.

  1. If you don’t have a working Amazon FSx for Windows File Server environment in AWS, use our guide to deploy it manually. The guide covers the steps needed to get started with an Amazon FSx file system: you deploy AWS Managed AD and one Amazon Elastic Compute Cloud (Amazon EC2) Windows instance with Remote Server Administration Tools (RSAT), which you use to manage users and groups in AWS Managed AD.
  2. Once the Amazon FSx environment is working, make sure the file system’s security group allows inbound SMB traffic (TCP port 445) from the subnets and security group the connector will use. Then create a couple of shared folders with sample finance documents, as seen in Figure 15.
  3. AWS IAM Identity Center is required by Amazon Q Business to manage end-user access to your application. We recommend enabling and pre-configuring an IAM Identity Center instance before creating the Amazon Q Business application. IAM Identity Center has multi-factor authentication (MFA) turned on by default; you can turn it off for a throwaway test environment, but leave it on anywhere real documents are indexed.
  4. We use AWS Managed AD as the identity source for IAM Identity Center, so users and groups are synchronized from AWS Managed AD into IAM Identity Center and can then be subscribed to the Amazon Q Business application. Use the Manage user access tab in the Amazon Q Business application console to add user or group subscriptions, as shown in Figure 6.
  5. The connector authenticates to the FSx for Windows file server with an Active Directory account whose user name and password are stored in AWS Secrets Manager. Create the secret manually or let the FSx (Windows) connector create it while you configure the data source. Use a dedicated account with read-only access to the shares you want indexed: whatever that account can read within the sync scope is what gets indexed, so it should not be a domain administrator or a file system administrator.

Note: While this solution uses AWS Managed AD with Amazon FSx for Windows and AWS IAM Identity Center integration, self-managed AD remains a viable integration alternative.
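The following PowerShell is an added example (not code from the original post) that automates prerequisite 5 on the RSAT management instance: it creates a dedicated, least-privilege AD account for the connector, stores its credential in AWS Secrets Manager, and checks that the account holds no privileged group memberships. The domain, OU, account and secret names are placeholders, the default AWS region is assumed to be configured, and the secret key names `username`/`password` are an assumption; if you let the connector console create the secret instead, keep whatever keys it writes.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory
# module (RSAT) and AWS.Tools.SecretsManager; run as a domain admin.
# Assumptions (placeholders): domain corp.example.com, OU below, account name
# svc-qbiz-fsx, secret name QBusiness/FSxConnector, default AWS region set.
Import-Module ActiveDirectory
Import-Module AWS.Tools.SecretsManager

$Domain     = 'corp.example.com'
$SamName    = 'svc-qbiz-fsx'
$Ou         = 'OU=ServiceAccounts,OU=corp,DC=corp,DC=example,DC=com'
$SecretName = 'QBusiness/FSxConnector'

# 32 random bytes from the OS CSPRNG, base64-encoded: a 44-character password
# that is never echoed or written to disk.
$Bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
$PlainPassword  = [Convert]::ToBase64String($Bytes)
$SecurePassword = ConvertTo-SecureString $PlainPassword -AsPlainText -Force

# Plain user object: no privileged groups. Read access to the shares is granted
# later through NTFS ACLs, not through group membership. The password is
# rotated via Secrets Manager, so it does not expire in AD.
New-ADUser -Name $SamName -SamAccountName $SamName -UserPrincipalName "$SamName@$Domain" `
    -Path $Ou -AccountPassword $SecurePassword -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Amazon Q Business FSx (Windows) connector crawler (read-only)'

# Store the credential as a JSON secret. Key names are an assumption; a
# domain-qualified user name lets the connector authenticate to the file system.
$SecretBody = @{ username = "$Domain\$SamName"; password = $PlainPassword } | ConvertTo-Json -Compress
$Secret = New-SECSecret -Name $SecretName -SecretString $SecretBody `
    -Description 'AD credential used by the Amazon Q Business FSx (Windows) connector'
Remove-Variable PlainPassword, SecretBody, Bytes   # drop the clear text from the session

# Check: the crawler must be a member of Domain Users only. Anything else
# (Domain Admins, AWS Delegated FSx Administrators, ...) would let it read, and
# therefore index, far more than the shares you intend to expose.
$Groups = @((Get-ADPrincipalGroupMembership -Identity $SamName).Name)
$Extra  = @($Groups | Where-Object { $_ -ne 'Domain Users' })
if ($Extra.Count -gt 0) { Write-Warning "Unexpected group membership: $($Extra -join ', ')" }
Write-Host "Secret ARN: $($Secret.ARN)"
```

Use the printed secret ARN when you scope the connector’s IAM role, and reference the secret by name in the Authentication section of the data source.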

Walkthrough

Create & Configure the Amazon Q Business application and FSx (Windows) connector.

  1. Sign in to the Amazon Q Business console.
  2. Select Create application as referenced in Figure 2.
Figure 2 – Creating an application in the Amazon Q Business console.


  3. On the Create application page, enter the following information:
    1. Application name, a name that identifies your Amazon Q Business application environment.
    2. Outcome, select Web experience to create a web experience.
Figure 3 – Amazon Q Business create application wizard.


  4. For Access management method, choose IAM Identity Center (recommended). As illustrated in Figure 4:
    1. If you have both an IAM Identity Center organization instance and an account instance configured, the page detects your instances automatically.
    2. If you have connected a pre-configured IAM Identity Center instance that already has users and groups, Amazon Q Business detects those users and groups.
Figure 4 – Amazon Q Business Access management Configuration.


  5. For Application details, Amazon Q Business uses the default configuration settings. Configure the Application service access section as shown in Figure 5:
    1. Select Create and use a new service-linked role (SLR) for your application.
    2. Under Encryption, leave the box unchecked; Amazon Q Business then encrypts your data with an AWS owned AWS Key Management Service (KMS) key. Check it and supply a customer managed key if you need your own key policy, rotation schedule, or CloudTrail visibility of key use.
    3. For Web experience service access, choose Create and use a new service-linked role (SLR).
Figure 5 – Application service access and Web experience setting configuration.


  6. To create the application, choose Create and open web experience. It takes a few minutes to complete. To manage user subscriptions for the application environment, open the Amazon Q Business application console and add IAM Identity Center users or groups on the Manage user access tab, as shown in Figure 6.

Note: When you create an application, you need to add IAM Identity Center users and groups to your Amazon Q Business application for access. After you add users or groups to an application environment, you can then assign and choose subscription tiers for each user or group.

Figure 6 – Amazon Q Business application console.


Connecting to FSx for Windows file server shares using FSx (Windows) connector.

Now you use the Data sources page to add an index and connect to the FSx for Windows file server. A data source brings content from one location into the central index of your Amazon Q Business application. Amazon Q Business stores and organizes that content in the index, which is the collection of enterprise data and documents it searches and references when answering queries.

Adding an index

  1. From the left navigation menu, choose Data sources.
  2. From the Data sources page, choose Add index.
  3. On the Add index page, choose Create a new index and enter the following information (see Figure 7):
    1. In Name your index with a unique identifier, for Index name, enter a name for the index.
    2. In Index provisioning, choose between the Enterprise and Starter index types based on your use case. We use Enterprise.
    3. For Number of units, choose the number of index units you need, for example 5.
      Note: Amazon Q Business charges based on the document capacity you choose. Enterprise indexes support up to 50 units and Starter indexes up to 5 units. Each unit holds 20,000 documents or 200 MB, whichever limit is reached first.

      Figure 7 - Create a new index for retrieving responses from data sources.


  4. To create your index and retriever, choose Add an index.

Configuring the Amazon FSx (Windows) connector.

  1. From the Data sources page, choose Add data source, then on the Add data sources page, from Data sources, search for FSx. Select the Amazon FSx (Windows) data source for your Amazon Q application, as illustrated in Figure 8.

    Figure 8 – Amazon Q Business data source options.


  2. Choose Request access. A new browser page opens where you contact AWS to request access to the connector; choose Technical support and follow the steps to open a support case.
  3. Once the support case is resolved and you have access to the FSx (Windows) connector, enter the following information on the Amazon FSx (Windows) data source page:
    1. For Data source name, give the data source a name you can track easily.
    2. In Source, for Amazon FSx file system ID, select your file system ID.
    3. For Authorization, Amazon Q Business automatically crawls the access control lists (ACLs) so that users only receive information from documents they are authorized to view. Leave this enabled; with ACL crawling turned off, indexed documents are not filtered by user permissions.
    4. For Authentication, enter the following information for your AWS Secrets Manager secret:
      1. Secret name, a name for your secret.
      2. For User name, enter the user name of the Active Directory account the connector uses to read the file system.
      3. For Password, enter that account’s password.
    5. Choose Save.
Figure 9 – Amazon Q Business data source authentication with Secret manager.


  4. Under Configure VPC and security group, choose the Amazon VPC, subnets, and security group the connector will use to reach your FSx file system, as shown in Figure 10. The file system’s security group must allow inbound TCP port 445 (SMB) from this security group, and the subnets must be able to resolve the file system’s DNS name, or the sync job will fail to connect.

Figure 10 – Amazon Q Business data source Amazon VPC and Security group configuration.


  5. In the IAM role section, choose an existing IAM role or create one that lets the connector read the Secrets Manager secret and write to the index. See our article IAM role for Amazon FSx (Windows) connector for the required permissions; whichever option you choose, scope the role to the one secret and the one application rather than granting broad Secrets Manager access.
Figure 11 – Amazon Q Business data source IAM role configuration.
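As an added example (not code from the original post or from the referenced IAM role article), the PowerShell below creates the connector role with the AWS Tools for PowerShell. The security point is the trust policy: it is pinned to your account and to this Amazon Q Business application with aws:SourceAccount and aws:SourceArn conditions, so a Q Business application in another account cannot assume the role (the confused-deputy case). Account ID, region, application/index IDs, file system ID, secret ARN and role name are placeholders; the action list follows the AWS documentation for this connector’s role as best we know it, so compare it with the IAM role article before using it in production.

```powershell
# Added example, not part of the original post. Requires AWS.Tools.IdentityManagement
# and IAM permissions to create roles. All identifiers below are placeholders.
Import-Module AWS.Tools.IdentityManagement

$Account   = '111122223333'
$Region    = 'us-east-1'
$AppId     = 'app-id'
$IndexId   = 'idx-id'
$FsId      = 'fs-0123456789abcdef0'
$SecretArn = "arn:aws:secretsmanager:${Region}:${Account}:secret:QBusiness/FSxConnector-AbCdEf"
$RoleName  = 'QBusiness-FSx-Connector-Role'
$AppArn    = "arn:aws:qbusiness:${Region}:${Account}:application/$AppId"

# Trust policy: only the Q Business service, and only on behalf of THIS
# application in THIS account. Without the two conditions any account's
# application could assume the role and read your secret.
$Trust = @{
    Version   = '2012-10-17'
    Statement = @(@{
        Effect    = 'Allow'
        Principal = @{ Service = 'qbusiness.amazonaws.com' }
        Action    = 'sts:AssumeRole'
        Condition = @{
            StringEquals = @{ 'aws:SourceAccount' = $Account }
            ArnLike      = @{ 'aws:SourceArn'     = $AppArn }
        }
    })
}

# Permissions: one secret, one file system, one application/index. The ec2
# actions are needed because the connector places network interfaces in your
# VPC; Describe* calls only accept a wildcard resource.
$Permissions = @{
    Version   = '2012-10-17'
    Statement = @(
        @{ Effect = 'Allow'; Action = 'secretsmanager:GetSecretValue'; Resource = $SecretArn },
        @{ Effect = 'Allow'; Action = 'fsx:DescribeFileSystems'
           Resource = "arn:aws:fsx:${Region}:${Account}:file-system/$FsId" },
        @{ Effect = 'Allow'
           Action = @('ec2:CreateNetworkInterface', 'ec2:DeleteNetworkInterface',
                      'ec2:DescribeNetworkInterfaces', 'ec2:DescribeSubnets',
                      'ec2:DescribeSecurityGroups', 'ec2:DescribeVpcs')
           Resource = '*' },
        @{ Effect = 'Allow'
           Action = @('qbusiness:BatchPutDocument', 'qbusiness:BatchDeleteDocument',
                      'qbusiness:PutGroup', 'qbusiness:CreateUser', 'qbusiness:DeleteGroup',
                      'qbusiness:UpdateUser', 'qbusiness:ListGroups')
           Resource = @($AppArn, "$AppArn/index/$IndexId", "$AppArn/index/$IndexId/data-source/*") }
    )
}

$Role = New-IAMRole -RoleName $RoleName -Description 'Amazon Q Business FSx (Windows) connector' `
    -AssumeRolePolicyDocument ($Trust | ConvertTo-Json -Depth 10)
Write-IAMRolePolicy -RoleName $RoleName -PolicyName 'FSxConnectorScoped' `
    -PolicyDocument ($Permissions | ConvertTo-Json -Depth 10)

# Check: read the stored trust policy back (IAM returns it URL-encoded) and
# fail loudly if either scoping condition is missing.
$Saved = [uri]::UnescapeDataString((Get-IAMRole -RoleName $RoleName).AssumeRolePolicyDocument)
if ($Saved -notmatch 'aws:SourceAccount' -or $Saved -notmatch 'aws:SourceArn') {
    throw "Trust policy for $RoleName is not scoped to this account and application"
}
Write-Host "Role ARN: $($Role.Arn)"
```

Select this role in the IAM role section of the data source. If the console offers to create a role for you, open the result afterwards and confirm the same two conditions are present before the first sync.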


  6. For Sync scope, choose Select entities and then All (or the specific shares or folders to sync), and choose a sync mode and schedule that fit your needs (on demand or at a frequency of your choice). For our scenario, use Full sync mode and a Daily schedule.
  7. Keep the other settings at their default values, then choose Add data source.
  8. After the data source is created, choose Sync now to start crawling and indexing the Amazon FSx shared folders. When the sync job finishes, your data source is ready to use, as shown in Figure 12.
Figure 12 – Amazon Q Business data source status.



Amazon Q Business Application Web URL

Users access the Amazon Q Business application using a deployed URL that is available after you create the application. You will find this URL in the Web experience settings, as shown in Figure 13.

Figure 13 – Amazon Q Business Web URL to access Q business application.


Test the solution

Now that the Amazon Q Business and Amazon FSx for Windows integration is configured and the data source shows a successful sync status (Figure 14), let’s test it.

Figure 14 – Amazon Q Business data source sync status.


Example Scenario

A finance administrator wants a summary of the company’s financial performance over the past three years.

The organization uses Amazon FSx for Windows File Server to host and manage documents for different departments, including Human Resources and Finance. As a best practice, access to the SMB shares follows a structured access framework: NTFS permissions are granted to Active Directory groups that correspond to roles, and team members see only their own department’s documents; for example, HR staff can view HR documents but cannot open Finance files. The Finance department stores documents describing the company’s performance over the past three years, as shown in Figure 15 (the screenshot is for illustration).
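The PowerShell below is an added example (not code from the original post) of building that access framework on the file system: it creates a Finance and an HR folder, replaces the inherited NTFS ACL with an explicit one (SYSTEM and the file system administrators keep full control, the department group gets Modify, the connector’s crawler account gets read-only, nobody else is listed), publishes each folder as a share with access-based enumeration, and then checks that the Finance ACL is no wider than intended. The file system DNS name, remote administration endpoint, NetBIOS domain, group names and crawler account are placeholders; New-FSxSmbShare and the Grant/Revoke-FSxSmbShareAccess cmdlets are the FSx remote-administration counterparts of the standard SmbShare cmdlets.

```powershell
# Added example, not part of the original post. Run from the RSAT management
# instance as a member of the file system administrators group.
# Assumptions (placeholders): DNS name fs.corp.example.com, Windows Remote
# PowerShell endpoint amznfsx1234abcd.corp.example.com, domain CORP, groups
# CORP\Finance and CORP\HR, crawler account CORP\svc-qbiz-fsx.
$FsDns       = 'fs.corp.example.com'
$FsAdmin     = 'amznfsx1234abcd.corp.example.com'
$Crawler     = 'CORP\svc-qbiz-fsx'
$Admins      = 'CORP\AWS Delegated FSx Administrators'
$Departments = @{ Finance = 'CORP\Finance'; HR = 'CORP\HR' }

foreach ($Dept in $Departments.Keys) {
    $Group = $Departments[$Dept]
    $Path  = "\\$FsDns\D$\share\$Dept"            # D$ is reachable by file system admins
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # Break inheritance and discard inherited rules, then add only what is needed.
    $Acl = Get-Acl -Path $Path
    $Acl.SetAccessRuleProtection($true, $false)
    $Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $Rules = @(
        @{ Id = 'NT AUTHORITY\SYSTEM'; Rights = 'FullControl' },
        @{ Id = $Admins;               Rights = 'FullControl' },
        @{ Id = $Group;                Rights = 'Modify' },
        @{ Id = $Crawler;              Rights = 'ReadAndExecute' }   # index, never write
    )
    foreach ($R in $Rules) {
        $Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $R.Id, $R.Rights, $Inherit, 'None', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $Acl

    # Publish the share. Access-based enumeration hides folders the caller cannot
    # read; the share ACL is limited to the department group and NTFS is the
    # effective control. Everyone is removed in case the share was created with it.
    Invoke-Command -ComputerName $FsAdmin -ConfigurationName FSxRemoteAdmin -ScriptBlock {
        param($Name, $Group)
        New-FSxSmbShare -Name $Name -Path "D:\share\$Name" -FolderEnumerationMode AccessBased
        Grant-FSxSmbShareAccess  -Name $Name -AccountName $Group -AccessRight Change -Force
        Revoke-FSxSmbShareAccess -Name $Name -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue
    } -ArgumentList $Dept, $Group
}

# Check: only the intended principals may appear on Finance, and the crawler
# must hold no write right. Any extra principal here (an IT group, Authenticated
# Users) would also receive Finance answers from Amazon Q Business.
$Allowed = @('NT AUTHORITY\SYSTEM', $Admins, $Departments.Finance, $Crawler)
$Access  = (Get-Acl -Path "\\$FsDns\D$\share\Finance").Access
$Unexpected   = @($Access | Where-Object { $Allowed -notcontains $_.IdentityReference.Value })
$CrawlerWrite = @($Access | Where-Object {
    $_.IdentityReference.Value -eq $Crawler -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
})
if ($Unexpected.Count -gt 0 -or $CrawlerWrite.Count -gt 0) {
    throw "Finance ACL is wider than intended: $($Unexpected.IdentityReference -join ', ')"
}
```

Add Gary to CORP\Finance and John to an IT group that is deliberately absent from the Finance ACL; after the next sync, the two sign-ins in the test below should give the contrasting results shown in Figures 16 and 17.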

Figure 15 – Amazon FSx Share documents info.


A Finance team member has to summarize the company’s financial performance. They ask the Amazon Q Business AI assistant, in natural language, for a summary of the past three years. To reproduce this, sign in to the Amazon Q Business web experience first with the finance administrator’s AD credentials and then with the IT administrator’s, and ask the same question each time:

Question: Provide me with a summary of our financial performance for the past three years.

Open the Amazon Q Business web URL from Figure 13 to launch the application. It prompts you for a user ID and password. Sign in with the finance administrator’s AD account, in our example SP_Gary, and ask the question, as shown in Figure 16.

Figure 16 – Amazon Q AI assistance query response using Finance admin access.


Next, open the same web URL and sign in with the IT administrator’s account, in our example John, to test whether he can retrieve Finance data through the assistant.

Because of the access controls, John receives no results, as shown in Figure 17: the NTFS permissions crawled from the share do not grant his account access to Finance content, so the index returns nothing to him.

Figure 17 – Amazon Q AI assistant query response using IT admin access.


This example shows the finance administrator (Gary) summarizing the company’s financial performance over the last three years from documents in the Amazon FSx file share with a natural language prompt, while the IT administrator (John) gets no answer because he lacks permission on those documents. Always run this negative test with an account that definitely lacks access before rolling out: it is the check that proves ACL filtering is actually working.

This is one example scenario you can use for different departments, such as marketing, HR, and IT, by deploying the Amazon Q Business application in a manner tailored to specific use cases.

Note: Amazon Q Business also provides administrative controls and guardrails (for example, blocked words and topic-level response controls) that you can configure on top of the ACL-based filtering shown here.

Cleanup

Configuring the AWS services in this post provisions resources that incur cost. Delete configurations and resources you no longer use so that you do not incur unintended charges.

  1. Delete the data source, the index, and then the Amazon Q Business application from the Amazon Q Business console. To remove only the web experience, open the application, select the web experience, and choose Delete, or use the AWS CLI command “aws qbusiness delete-web-experience”.
  2. If you deployed the environment from the CloudFormation template in the prerequisites section for the purposes of this post rather than for production use, delete the stack, which removes AWS Managed AD, the FSx file system, and the EC2 management server. Also delete the Secrets Manager secret and the IAM role you created for the connector.

Conclusion

In this blog post, we demonstrated how to configure Amazon Q Business to securely access and analyze enterprise data from Amazon FSx for Windows File Server using least-privilege access controls. By enabling AI-powered natural language queries over your organization’s data, teams can quickly gain insights and make informed decisions while maintaining data security. We encourage you to explore how Amazon Q Business can enhance your team’s productivity and efficiency. The application built here can be extended further by connecting it to more data sources, such as your content repositories, business applications, and collaboration tools.

Try this solution with your own use case, and let us know about your experience in the comments section.

To learn more about the AWS services


AWS has significantly more services, and more features within those services, than any other cloud provider, making it faster, easier, and more cost effective to move your existing applications to the cloud and build nearly anything you can imagine. Give your Microsoft applications the infrastructure they need to drive the business outcomes you want. Visit our .NET on AWS and AWS Database blogs for additional guidance and options for your Microsoft workloads. Contact us to start your migration and modernization journey today.

Mangesh Budkule


Mangesh Budkule is a Senior Specialist Solutions Architect at Amazon Web Services (AWS) with over 20 years of experience in the technology industry. Driven by his passion for technology and as an advocate for generative AI, he helps customers leverage cutting-edge AI technologies to drive innovation. His key goal is to help customers migrate and modernize their workloads on AWS to achieve their business outcomes.

Farshad Bidanjiri


Farshad Bidanjiri is a Solutions Architect focused on helping startups build scalable, cloud-native solutions. With over a decade of IT experience, he specializes in container orchestration and Kubernetes implementations. As a passionate advocate for generative AI, he helps emerging companies leverage cutting-edge AI technologies to drive innovation and growth.

Siavash Irani


Siavash Irani is a Principal Solutions Architect with Amazon Web Services focusing on Microsoft workloads. Siavash is responsible for helping customers migrate and build their environments on AWS. Before becoming a Solutions Architect, Siavash spent 5 years in AWS Support, where he dove deep into countless complex customer issues. He was also one of the key individuals charged with designing and developing EC2Rescue for Windows.