AWS amazonq documentation change
Summary
Added documentation about required IAM permissions for EventBridge integration and S3 bucket policy updates to enable near-real-time data syncing with security considerations
Security assessment
The changes document security configurations (IAM permissions and S3 bucket policies) required for proper access control, but there's no evidence of addressing a specific vulnerability or incident
Diff
diff --git a/amazonq/latest/qbusiness-ug/s3-iam-role.md b/amazonq/latest/qbusiness-ug/s3-iam-role.md index 7f2d35d61..4cc8d3424 100644 --- a//amazonq/latest/qbusiness-ug/s3-iam-role.md +++ b//amazonq/latest/qbusiness-ug/s3-iam-role.md @@ -270,0 +271,85 @@ When you use an Amazon S3 bucket as a data source, you must provide a role that +**Additional IAM permissions are necessary to sync data in near-real time:** + +Amazon Q Business leverages EventBridge, a serverless event bus that receives events from AWS services like Amazon Amazon S3. Additional permissions on the data source role need to be provided to allow Amazon Q to manage EventBridge and configure Amazon S3 to send notifications through EventBridge. The necessary additional permissions are: + + + { + "Sid" : "EventBridgePermissionsForQBusinessManagedRule", + "Effect" : "Allow", + "Action" : [ + "events:EnableRule", + "events:DeleteRule", + "events:DescribeRule", + "events:DisableRule", + "events:ListRules", + "events:ListTargetsByRule", + "events:PutRule", + "events:PutTargets", + "events:RemoveTargets" + ], + "Resource" : [ + "arn:aws:events:*:*:rule/AmazonQManagedRule*" + ] + }, + { + "Sid": "AllowsAmazonQToUpdateS3NotificationConfiguration", + "Effect": "Allow", + "Action": [ + "s3:GetBucketNotification", + "s3:PutBucketNotification" + ], + "Resource": ["arn:aws:s3:::[YOUR_BUCKET_NAME]"] + } + + +**Update your Amazon S3 bucket policy to sync data in near-real time if you restrict Amazon S3 bucket access.** + +Amazon Q Business establishes a private connection to an Amazon S3 bucket within AWS’s network to directly fetch Amazon S3 files in near-real time. This solution optimizes performance and eliminates your VPC data transfer costs while maintaining data privacy and security. + +If your have an Amazon S3 bucket policy to allow access only through your VPC, update the bucket policy of your Amazon S3 bucket to explicitly allow access by Amazon Q Business: + + * Add a statement explicitly to allow Amazon Q's Service Principal: `qbusiness.amazonaws.com` + + * If you have a Deny statement, add a Condition to exclude Amazon Q's Service Principal. + + + + + + { + "Version": "2012-10-17", + "Id": "Policy1415115909152", + "Statement": [ + { + "Sid": "Allow-Q-Business-Accessing-This-Bucket", + "Effect": "Allow", + "Principal": {"Service": "qbusiness.amazonaws.com"}, + "Action": [ + "s3:GetObject", + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::[YOUR_BUCKET_NAME]", + "arn:aws:s3:::[YOUR_BUCKET_NAME]/*" + ] + }, + { + "Sid": "Bucket-VPC-access-control", + "Effect": "Deny", + "Principal": "*", + "Action": "*", + "Resource": [ + "arn:aws:s3:::[YOUR_BUCKET_NAME]", + "arn:aws:s3:::[YOUR_BUCKET_NAME]/*" + ], + "Condition": { + "StringNotEquals": { + "aws:SourceVpc": "[vpc-id]", + "aws:PrincipalServiceName": "qbusiness.amazonaws.com" + } + } + } + ] + } + +