AWS Security ChangesHomeSearch

AWS amazonq medium security documentation change

Service: amazonq · 2025-04-11 · Security-related medium

File: amazonq/latest/qbusiness-ug/gmail-user-management.md

Summary

Added detailed documentation about Gmail connector's content types, permission inheritance, ACL indexing, change management, and failure handling with fail-close approach

Security assessment

Explicitly documents security controls including permission inheritance, ACL synchronization, and fail-close approach that skips documents during permissions errors rather than exposing them. Mentions security-critical failure handling mechanisms.

Diff

diff --git a/amazonq/latest/qbusiness-ug/gmail-user-management.md b/amazonq/latest/qbusiness-ug/gmail-user-management.md
index 3c46ddcf0..92326a568 100644
--- a//amazonq/latest/qbusiness-ug/gmail-user-management.md
+++ b//amazonq/latest/qbusiness-ug/gmail-user-management.md
@@ -13 +13 @@ When you connect an Gmail data source to Amazon Q Business, Amazon Q Business cr
-The user IDs are mapped as follows:
+The Gmail connector for Amazon Q Business crawls 2 primary content types: messages (email along with metadata such as subject, from, or to) and attachments. Each email messsage (in sent and inbox) and its respective attachments is considered as a separate documents with distinct document IDs. Currently, the connector cannot associate an attachment with its parent message, even though attachments inherit permissions from parent messages.
@@ -15 +15 @@ The user IDs are mapped as follows:
-  * `_user_id` – User IDs exist in Gmail on files where there are set access permissions. They're mapped from the user emails as the IDs in Gmail.
+**Permission Inheritance** : ACLs for messages are set based on user email addresses. Attachments automatically inherit permissions from parent email message.
@@ -16,0 +17 @@ The user IDs are mapped as follows:
+**ACL indexing** : Individual user synchronization is supported based on email addresses, and domain-wide access is supported using service account authentication.
@@ -17,0 +19 @@ The user IDs are mapped as follows:
+**Change Management** : ACL changes are supported in both Full Crawl and Incremental or Change Log modes
@@ -18,0 +21 @@ The user IDs are mapped as follows:
+**Failure handling** The connector implements a fail-close approach for API failures, with rate limiting handled through queue-based wait time with exponential backoff. When permissions issues occur, documents are skipped from ingestion rather than being made publicly accessible.