AWS amazonq medium security documentation change
Summary
Added detailed documentation about Gmail connector's content types, permission inheritance, ACL indexing, change management, and failure handling with fail-close approach
Security assessment
Explicitly documents security controls including permission inheritance, ACL synchronization, and fail-close approach that skips documents during permissions errors rather than exposing them. Mentions security-critical failure handling mechanisms.
Diff
diff --git a/amazonq/latest/qbusiness-ug/gmail-user-management.md b/amazonq/latest/qbusiness-ug/gmail-user-management.md index 3c46ddcf0..92326a568 100644 --- a//amazonq/latest/qbusiness-ug/gmail-user-management.md +++ b//amazonq/latest/qbusiness-ug/gmail-user-management.md @@ -13 +13 @@ When you connect an Gmail data source to Amazon Q Business, Amazon Q Business cr -The user IDs are mapped as follows: +The Gmail connector for Amazon Q Business crawls 2 primary content types: messages (email along with metadata such as subject, from, or to) and attachments. Each email messsage (in sent and inbox) and its respective attachments is considered as a separate documents with distinct document IDs. Currently, the connector cannot associate an attachment with its parent message, even though attachments inherit permissions from parent messages. @@ -15 +15 @@ The user IDs are mapped as follows: - * `_user_id` – User IDs exist in Gmail on files where there are set access permissions. They're mapped from the user emails as the IDs in Gmail. +**Permission Inheritance** : ACLs for messages are set based on user email addresses. Attachments automatically inherit permissions from parent email message. @@ -16,0 +17 @@ The user IDs are mapped as follows: +**ACL indexing** : Individual user synchronization is supported based on email addresses, and domain-wide access is supported using service account authentication. @@ -17,0 +19 @@ The user IDs are mapped as follows: +**Change Management** : ACL changes are supported in both Full Crawl and Incremental or Change Log modes @@ -18,0 +21 @@ The user IDs are mapped as follows: +**Failure handling** The connector implements a fail-close approach for API failures, with rate limiting handled through queue-based wait time with exponential backoff. When permissions issues occur, documents are skipped from ingestion rather than being made publicly accessible.