AWS amazonq high security documentation change
Summary
Expanded documentation on Microsoft Teams content structure, identity synchronization, permission inheritance, change management, and failure handling. Added details about ACL crawling, user access revocation, and fail-close approach for permission issues.
Security assessment
Explicitly describes security measures including: case-insensitive identity canonicalization to prevent duplication, access revocation for disabled users, fail-close approach to skip documents with permission errors (preventing unauthorized access), and emphasis on permission inheritance management. These changes directly address access control and data security mechanisms.
Diff
diff --git a/amazonq/latest/qbusiness-ug/teams-user-management.md b/amazonq/latest/qbusiness-ug/teams-user-management.md index 9b70988c5..a2d6dbbe5 100644 --- a//amazonq/latest/qbusiness-ug/teams-user-management.md +++ b//amazonq/latest/qbusiness-ug/teams-user-management.md @@ -11 +11 @@ Amazon Q Business supports crawling ACLs for document security by default. -When you connect an Microsoft Teams data source to Amazon Q Business, Amazon Q Business crawls ACL information attached to a document (user and group information) from your Microsoft Teams instance. If you choose to activate ACL crawling, the information can be used to filter chat responses to your end user's document access level. +Microsoft Teams content is categorized into Chats, Channels, and Calendar. Chats support one-on-one and group conversations with attachments, which can be filtered using email domains or regex rules. Channels are structured within Microsoft Teams and can be Standard (open to all team members), Shared (accessible to team members and invited external users), or Private (restricted to specific members). Calendars facilitate meeting scheduling and management, supporting attachments and OneNote tabs. @@ -13 +13 @@ When you connect an Microsoft Teams data source to Amazon Q Business, Amazon Q B -The group and user IDs are mapped as follows: +When you connect a Microsoft Teams data source to Amazon Q Business, Amazon Q Business makes a copy of these resources and creates an index that can be used to respond to user prompts and queries. Additionally, the connector crawls ACL information attached to a document (user and group information) from your Microsoft Teams instance. If you choose to activate ACL crawling, the information can be used to filter chat responses to your end user's document access level. @@ -15 +15 @@ The group and user IDs are mapped as follows: - * `_tenant_id` – Your Microsoft tenant ID is a globally unique identifier that's necessary to configure each connector instance. Your tenant ID is different from your organization name or domain and can be found in the properties section of your Microsoft account dashboard. +**Identity Crawling** : Amazon Q Business synchronizes both local and federated users/groups. Federated groups are synced outside Amazon Q, and their memberships are not stored. Identities are canonicalized by converting all letters to lowercase to prevent duplication issues, meaning "TestUser" and "testuser" are treated as the same. When a user is deleted, their permissions are not inherited by a newly created user with the same name, ensuring secure access management. Once a user is marked as disabled in Microsoft Teams, after the next sync users will no longer have access to search or retrieve previously crawled data, including calendar meetings. @@ -16,0 +17 @@ The group and user IDs are mapped as follows: +Users can configure the connector to include filters for channel posts and attachments. Team and Channel name can be included and excluded. Also, we can add regular expression to include and exclude filters for attachments. Private channels are restricted to specific members within a team. Shared and private channels have their own ACLs, enabling more granular permission management. @@ -17,0 +19 @@ The group and user IDs are mapped as follows: +**Permission Inheritance** : Chats, Channels and Calendar inherit permissions from the root or the group while attachments inherit from their parent entity (chat, channel, or calendar event). @@ -18,0 +21,5 @@ The group and user IDs are mapped as follows: +**Change Management** : Change Log Mode in Amazon Q Business enables incremental updates by capturing modifications made to content in Microsoft Teams. Instead of re-indexing all documents, it indexes only newly added, updated, or deleted items since the last crawl. Any changes to user or group access permissions are also recorded, ensuring accurate and up-to-date indexing. + +**Failure handling** : The connector follows a fail-close approach, meaning if there are permission-related issues or API failures, affected documents are skipped from ingestion rather than being made publicly accessible. This prevents unauthorized access while maintaining data integrity. + +For more information, see: