AWS amazonq medium security documentation change
Summary
Updated documentation to clarify Microsoft OneDrive connector's ACL handling, permission inheritance, identity synchronization, and failure management. Added details about permission types (Read-only, Preview, Edit) and fail-close approach for permission errors.
Security assessment
The changes explicitly describe security mechanisms including permission translation into ACLs, permission inheritance handling, and a fail-close approach to prevent unauthorized access when permission issues occur. The addition of 'fail-close' specifically addresses security by ensuring documents with permission errors are not made public.
Diff
diff --git a/amazonq/latest/qbusiness-ug/onedrive-user-management.md b/amazonq/latest/qbusiness-ug/onedrive-user-management.md index f90fd22a8..ffb64d7b4 100644 --- a//amazonq/latest/qbusiness-ug/onedrive-user-management.md +++ b//amazonq/latest/qbusiness-ug/onedrive-user-management.md @@ -11 +11 @@ Amazon Q Business supports crawling ACLs for document security by default. -When you connect an Microsoft OneDrive data source to Amazon Q Business, Amazon Q Business crawls ACL information attached to a document (user and group information) from your Microsoft OneDrive instance. If you choose to activate ACL crawling, the information can be used to filter chat responses to your end user's document access level. +The Microsoft OneDrive connector for Amazon Q Business crawls files, including documents, spreadsheets, presentations, and notes, as the primary content type. It supports various file formats and integrates directly with Microsoft Office apps. @@ -13 +13 @@ When you connect an Microsoft OneDrive data source to Amazon Q Business, Amazon -A Microsoft OneDrive data source returns section and page information from OneDrive access control list (ACL) entities. Amazon Q uses the OneDrive tenant domain to connect to the OneDrive instance and can filter based on section name, page type, file name, file type and file contents. +**Roles/permissions** : The Microsoft OneDrive connector translates Microsoft OneDrive permissions into ACLs that are compatible with Amazon Q Business. The basic permissions include: @@ -15 +15 @@ A Microsoft OneDrive data source returns section and page information from OneDr -For standard objects, the `_user_id` and `_group_id` are used as follows: + * Read-only Access: users can view @@ -17 +17 @@ For standard objects, the `_user_id` and `_group_id` are used as follows: - * `_user_id` – Your Microsoft OneDrive user email ID is mapped to the `_user_id` field. + * Preview Access: users can view but cannot download @@ -19 +19 @@ For standard objects, the `_user_id` and `_group_id` are used as follows: - * `_group_id` – Your Microsoft OneDrive group email is mapped to the `_group_id` field. + * Edit: users can modify content @@ -24,11 +24 @@ For standard objects, the `_user_id` and `_group_id` are used as follows: -###### Note - -Query responses based on AD Group ACLs are not supported for Microsoft OneDrive. - -For more information, see: - - * [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) - - * [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler) - - * [Understanding User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html) +**Permission Inheritance** : The Microsoft OneDrive connector is designed to detect and handle hierarchical content organization. In Microsoft OneDrive files and subfolders inherit permissions from parent folders by default. Permissions can be customized at sub-folder and file levels. In this case, the ACLs are a union of the parent ACLs and child ACLs. @@ -35,0 +26 @@ For more information, see: +**Identity Crawling** : Individual user and group synchronization is supported, including federated groups. Users and groups are synced using email IDs (each group in Active Directory will have email assigned to it). @@ -36,0 +28 @@ For more information, see: +**Change Management >**: ACL changes are supported in Change Log Mode, ensuring that items added, updated, or deleted since the last crawl are indexed. Any changes to access or permissions of groups or users for any entity will be captured. @@ -37,0 +30 @@ For more information, see: +**Failure handling** : The connector implements a fail-close approach, meaning that if there are permission-related issues or API failures, the document is skipped from ingestion rather than being made publicly accessible.