AWS Security ChangesHomeSearch

AWS amazonq documentation change

Service: amazonq · 2025-08-13 · Documentation medium

File: amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md

Summary

Added architecture overview and clarified authentication workflows for custom applications

Security assessment

Significantly expands documentation about secure authentication flows using SigV4, IAM Identity Center, and external IdPs. While security-focused, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md b/amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md
index cefbeb6d1..92cfa928f 100644
--- a//amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md
+++ b//amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md
@@ -5 +5 @@
-PrerequisitesOne-time setupWorkflow for each API call session for an authenticated user
+Using APIs to create an applicationPrerequisitesOne-time setupWorkflow for custom application backend API calls for an authenticated user
@@ -8,0 +9,4 @@ PrerequisitesOne-time setupWorkflow for each API call session for an authenticat
+###### Important
+
+**This documentation is for developers building custom applications that integrate with Amazon Q Business APIs.** These instructions help you create a trusted backend component in your custom application that can make authenticated API calls on behalf of your users. This is NOT for the built-in Amazon Q Business web experience — that handles authentication automatically through the AWS console.
+
@@ -16,0 +21,25 @@ This page provides an overview of the workflows needed to obtain AWS Sig V4 cred
+## Architecture overview
+
+The following diagram shows how your custom application components interact with AWS services to make authenticated API calls:
+
+![Sequence diagram showing a 12-step authentication flow for Amazon Q Business custom applications. The flow shows an end user accessing a custom app frontend, which requests Amazon Q Business data from the trusted backend. The backend exchanges tokens with an external IdP, IAM Identity Center, and AWS STS to obtain SigV4 credentials for authenticated API calls to Amazon Q Business APIs.](/images/amazonq/latest/qbusiness-ug/images/qbusiness-sigv4-authentication-flow.png)
+
+**Key components:**
+
+  * **Custom app frontend** : Your user-facing application (web, mobile, etc.)
+
+  * **Custom app trusted backend** : Your server-side component that handles AWS API calls
+
+  * **External IdP** : Your identity provider (Okta, Azure AD, etc.)
+
+  * **IAM Identity Center** : AWS service that manages identity federation
+
+  * **Amazon Q Business APIs** : The APIs your application calls (`Chat`, `SearchRelevantContent`, etc.)
+
+
+
+
+###### Note
+
+Your custom application's backend component must implement this authentication flow. End users interact with your frontend, which communicates with your trusted backend to make Amazon Q Business API calls.
+
@@ -23 +52 @@ This page provides an overview of the workflows needed to obtain AWS Sig V4 cred
-  * Workflow for each API call session for an authenticated user
+  * Workflow for custom application backend API calls for an authenticated user
@@ -236 +265 @@ JSON
-## Workflow for each API call session for an authenticated user
+## Workflow for custom application backend API calls for an authenticated user