AWS Public Sector Blog
Securing Amazon Q Business Web Experiences with AWS Amplify and AWS WAF
Public sector agencies often need to provide information and services to citizens without requiring them to authenticate. At the same time, these agencies must make sure that their digital services remain secure, compliant, and reliable. Amazon Q Business embedded web experiences, when integrated with AWS Amplify, offer a way to deliver AI-powered conversational interfaces to unauthenticated users while maintaining robust security controls.
This post explores how public sector organizations can use Amazon Q Business anonymous web experiences within AWS Amplify applications to enhance citizen services while implementing security best practices.
Architecture overview

Figure 1. Architecture diagram showing AWS Amplify, Amazon Q Business, AWS WAF, Amazon S3, AWS Secrets Manager, and Amazon CloudWatch components and their connections.
The architecture combines several services from Amazon Web Services (AWS) to create a secure, scalable solution:
- Amplify serves as the hosting platform for your web application.
- Amazon Q Business provides AI-powered assistance through anonymous web experiences.
- AWS WAF protects against common web vulnerabilities.
- Amazon Simple Storage Service (Amazon S3) stores content that Amazon Q Business can access.
- AWS Secrets Manager securely manages configuration details needed for service integration.
- Amazon CloudWatch provides monitoring and logging capabilities.
This architecture enables unauthenticated users to interact with an AI assistant that can access approved public information while implementing infrastructure security best practices.
Benefits for public sector agencies
1. Enhanced citizen services
Public sector agencies can now provide AI-powered assistance to citizens without needing them to create accounts or authenticate. Amazon Q Business applications support anonymous access, enabling unauthenticated user interactions with the Amazon Q generative AI assistant.
This capability is particularly valuable for public sector use cases, such as citizen information portals, public service guidance, frequently asked questions about government programs, and eligibility information for public assistance.
Amazon Q Business web experiences can be customized to match your agency’s branding and style guidelines. You can customize text elements (title, subtitle, welcome message, and sample prompts) and visual themes (logo, colors, and fonts) to create a cohesive experience that aligns with your organization’s brand identity.
2. Comprehensive security controls
Security is crucial for public sector applications. The architecture implements multiple security layers:
AWS WAF integration
The direct integration of AWS Amplify with AWS WAF provides robust protection. You can configure a web access control list (web ACL) that allows, blocks, or monitors web requests based on customizable security rules and conditions.
AWS WAF can track various traffic characteristics such as client IP addresses, User Agent strings, URI paths, JA3 and JA4 Fingerprints (for TLS client fingerprinting), request headers and body content, and query string parameters.
This integration helps protect against SQL injection attacks, cross-site scripting (XSS), application-layer denial-of-service attacks such as HTTP floods (through rate-based rules), bots, content scrapers, and access from geographic locations you do not serve.
Secure credential management
AWS Secrets Manager provides secure storage for the Amazon Q Business application ID and web experience ID that the Amplify application needs in order to call Amazon Q Business. Secrets Manager encrypts the secret at rest with an AWS Key Management Service (AWS KMS) key: the AWS managed key aws/secretsmanager by default, or a customer managed key that you control.
When the server-side code retrieves the secret, Secrets Manager decrypts it and returns it over TLS. The calling role needs secretsmanager:GetSecretValue and, if the secret is encrypted with a customer managed key, kms:Decrypt on that key; these are the Secrets Manager and KMS permissions elided from the policy below.
IAM permissions and resource access control
Proper IAM configuration is critical for securing Amazon Q Business integrations. The solution uses two distinct IAM roles with specific permissions; the Amplify Compute Role is the one shown here.
The Amplify Compute Role enables server-side operations. Its trust policy allows only the amplify.amazonaws.com service principal to assume the role, so only the Amplify Hosting server-side runtime can obtain its credentials.
Trust Policy:
  AssumeRolePolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Principal:
          Service: amplify.amazonaws.com
        Action: sts:AssumeRole
Permissions Policy:
  Policies:
    - PolicyName: AmplifyComputePolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # ... CloudWatch Logs, Secrets Manager, and KMS permissions ...
          # CreateAnonymousWebExperienceUrl requires both application and web-experience resources
          - Effect: Allow
            Action: qbusiness:CreateAnonymousWebExperienceUrl
            Resource:
              - !Sub arn:${AWS::Partition}:qbusiness:${AWS::Region}:${AWS::AccountId}:application/${QBusinessApp.ApplicationId}
              - !Sub
                - arn:${AWS::Partition}:qbusiness:${AWS::Region}:${AWS::AccountId}:application/${QBusinessApp.ApplicationId}/web-experience/${WebExperienceId}
                # Ref on AWS::QBusiness::WebExperience returns "ApplicationId|WebExperienceId"
                - WebExperienceId: !Select
                    - 1
                    - !Split
                      - "|"
                      - !Ref QBusinessWebExperience
This dual-resource requirement limits permissions to the specific application and web experience, following the principle of least privilege.
Allowed websites configuration
Amazon Q Business provides an important security control through its allowed websites configuration. This feature restricts your web experience so it can only be embedded on approved websites, preventing unauthorized use. You must configure the base URLs (for example https://example.com) of websites where the Amazon Q Business web experience is permitted to run. This domain restriction mechanism helps protect against cross-site embedding attacks and unauthorized access to your Amazon Q Business resources.
3. Controlled access to information
While providing anonymous access, agencies maintain complete control over what information is accessible. Amazon Q Business limits the API operations available for anonymous access applications to only those necessary for core functionality: Chat, ChatSync, and PutFeedback. This API restriction is an important security control that reduces the attack surface by limiting the operations that can be performed on anonymous applications. Restricting the available API operations minimizes the risk of unintended access while still providing the essential functionality needed for citizen interactions.
4. Streamlined deployment and management
AWS Amplify streamlines the deployment process, making it simpler for public sector IT teams to implement and maintain the solution. Server-side rendering (SSR) enhances security for Amazon Q Business embedded experiences in several ways:
- API calls are made from the server rather than the client browser, so neither the IAM credentials nor the request parameters are exposed to the user.
- Configuration data such as the application ID and web experience ID stays on the server and is never sent to the browser.
- Server-side code can implement more security checks before rendering content.
- The attack surface is reduced by minimizing client-side processing requirements.
Amplify Hosting also supports AWS Identity and Access Management (IAM) roles for server-side rendered applications. This provides developers with an alternative to storing long-lived credentials in environment variables or on the client-side.
Implementation considerations
When implementing this solution, public sector agencies should consider the following:
1. Content management strategy
Carefully plan what information is made available through Amazon Q Business. Remember that for anonymous access applications, data sources added to your application will be publicly accessible without user authentication.

Figure 4. Amazon Q Business configuration warning message with the anonymous access setting enabled.
Theme and branding
Amazon Q Business allows extensive customization of the web experience to align with your agency’s visual identity. The default interface includes several elements that can be modified to match your organization’s branding requirements.

Figure 5. Diagram of the Amazon Q Business Web Experience landing page highlighting customizable elements including logo, title, subtitle, and sample prompts.

Figure 6. Diagram of the Amazon Q Business Web Experience chat interface showing customizable elements during an active conversation.
These customization options help support a consistent look and feel with your agency’s other digital services, helping to build trust with users.
2. Session management
The anonymous web experience URL is single-use and must be opened within five minutes of creation, so the server has to generate a fresh URL for every page load rather than reusing or caching one. Once the URL is opened, the session remains active for the configured duration.
When using Amazon Q Business with anonymous access enabled, you must use the CreateAnonymousWebExperienceUrl API operation to generate new sessions. The following is an example of how to implement this with the AWS SDK for JavaScript:
import { QBusinessClient, CreateAnonymousWebExperienceUrlCommand } from '@aws-sdk/client-qbusiness';

const client = new QBusinessClient({ region: 'us-east-1' });

// Each call returns a new single-use URL; run this once per page load.
const command = new CreateAnonymousWebExperienceUrlCommand({
  applicationId: 'your-application-id',
  webExperienceId: 'your-web-experience-id',
  sessionDurationInMinutes: 60, // Valid range is 15-60 minutes
});

const response = await client.send(command);
const anonymousUrl = response.anonymousUrl;
When you have the anonymous URL, embed it in an iframe in the server-rendered HTML. Because the value is interpolated into markup on the server, escape it as an HTML attribute value rather than inserting it raw:
<iframe id="qbusiness-iframe" src="${anonymousUrl}" style="min-width: 450px;"></iframe>
3. Security configuration
Implement AWS WAF rules appropriate for your specific application. You can create rules to allow or block requests based on various conditions and patterns.

Figure 7. Screenshot of AWS WAF rules configuration panel showing security settings for Amazon Q Business embedded applications.
AWS WAF has a comprehensive rule set that can be customized to protect your Amazon Q Business embedded application. WAF also provides rate-based rules to help prevent abuse and managed rule groups that address common vulnerabilities.
4. Monitoring and analytics
Set up monitoring to track usage patterns and detect potential security issues. AWS WAF provides visibility into HTTP traffic, which can help identify and respond to unusual activity.
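As an added example (not code from the post or its repository), the following script replays AWS WAF log records through a sliding five-minute window per client IP, approximating how a rate-based rule counts requests, so you can choose a RateLimit from observed traffic before switching the rule from Count to Block. The records at the bottom are constructed and carry only a subset of the real WAF log fields (timestamp in epoch milliseconds, action, terminatingRuleId, httpRequest.clientIp, httpRequest.uri); the sliding window is a simplification of WAF's own evaluation schedule.

```javascript
// Added example (not the post's own code): size a WAF rate-based rule from log
// data. WAF's default evaluation window for rate-based rules is five minutes.
const WINDOW_MS = 5 * 60 * 1000;

// Parse newline-delimited WAF log records. Lines that are not JSON, or lack the
// fields we need, are skipped so one bad line does not abort the analysis.
function parseWafLog(text) {
  const records = [];
  for (const line of text.split('\n')) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    try {
      const rec = JSON.parse(trimmed);
      if (typeof rec.timestamp === 'number' && rec.httpRequest && rec.httpRequest.clientIp) {
        records.push(rec);
      }
    } catch (_) {
      // malformed line: ignored
    }
  }
  return records.sort((a, b) => a.timestamp - b.timestamp);
}

// For each client IP, the largest number of requests that fall inside any
// trailing window of windowMs. This is the quantity a rate-based rule compares
// against its RateLimit (simplified: WAF re-evaluates on its own schedule).
function peakRequestsPerWindow(records, windowMs = WINDOW_MS) {
  const timesByIp = new Map();
  for (const rec of records) {
    const ip = rec.httpRequest.clientIp;
    if (!timesByIp.has(ip)) timesByIp.set(ip, []);
    timesByIp.get(ip).push(rec.timestamp);
  }
  const peaks = new Map();
  for (const [ip, times] of timesByIp) {
    let start = 0;
    let peak = 0;
    for (let end = 0; end < times.length; end += 1) {
      while (times[end] - times[start] >= windowMs) start += 1; // drop requests that left the window
      peak = Math.max(peak, end - start + 1);
    }
    peaks.set(ip, peak);
  }
  return peaks;
}

// Clients a rule with the given RateLimit would have blocked, busiest first.
function wouldBeRateLimited(records, rateLimit, windowMs = WINDOW_MS) {
  const hits = [];
  for (const [ip, peak] of peakRequestsPerWindow(records, windowMs)) {
    if (peak > rateLimit) hits.push({ ip, peak });
  }
  return hits.sort((a, b) => b.peak - a.peak);
}

// Constructed sample: one scraper firing 12 requests in under a minute, one
// citizen making three requests ten minutes apart, and a corrupt line.
// Only a subset of the real WAF log fields is included.
function sampleWafLog() {
  const base = 1700000000000; // constructed epoch milliseconds
  const rec = (ts, ip, uri) => JSON.stringify({
    timestamp: ts,
    action: 'ALLOW',
    terminatingRuleId: 'Default_Action',
    httpRequest: { clientIp: ip, country: 'US', httpMethod: 'POST', uri },
  });
  const lines = [];
  for (let i = 0; i < 12; i += 1) lines.push(rec(base + i * 5000, '203.0.113.7', '/chat'));
  for (let i = 0; i < 3; i += 1) lines.push(rec(base + i * 600000, '198.51.100.4', '/chat'));
  lines.push('{not valid json');
  return lines.join('\n');
}

const sampleRecords = parseWafLog(sampleWafLog());
console.log(wouldBeRateLimited(sampleRecords, 10)); // → [ { ip: '203.0.113.7', peak: 12 } ]
```

Run it against a day of exported WAF logs with the candidate limit and the list it prints is exactly the set of clients the rule would block; if legitimate citizens appear in it, raise the limit or scope the rule to the chat endpoint only.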
Amazon Q Business Insights provides visibility into how users are interacting with your assistant through aggregated analytics. The dashboard displays metrics such as active users, total conversations, query volume, and feedback trends. All of this helps you understand usage patterns and improve the content available to citizens.

Figure 8. Amazon Q Business Insights dashboard displaying usage metrics including conversations, queries, and feedback trends.
Amazon CloudWatch Logs can be used to monitor Amazon Q Business user conversations. You can deliver user conversations and response feedback to CloudWatch Logs for analysis. These logs can help you do the following:
- Identify common user queries and pain points
- Monitor the quality of responses
- Identify system-generated messages that might contain hallucinations
- Generate custom dashboards and reports to track key metrics
CloudWatch Logs Insights allows you to run queries against your logs. For example, you can search for specific patterns in user messages:
fields @timestamp, @message, @logStream, @log
| filter user_message like /property taxes/

Figure 9. CloudWatch Logs Insights showing Generative AI-generated summary of Amazon Q Business conversations based on query results.
CloudWatch Logs Insights also offers natural language summarization capabilities that can transform complex query results into clear, concise summaries. This helps you quickly identify issues and gain actionable insights from your log data.
Technical implementation
The solution uses a server-side rendering approach with Express.js to securely generate anonymous web experience URLs. The following is a high-level flow of how the solution works:

Figure 10. Sequence diagram showing request flow between user browser, AWS Amplify, AWS Secrets Manager, and Amazon Q Business API.
This approach provides the following security benefits:
- The Amazon Q Business application ID and web experience ID are stored in Secrets Manager and never exposed to the client.
- All API calls happen server-side using IAM roles with least privilege permissions.
- Session management is handled automatically through server-side logic.
- The application can be protected by AWS WAF rules.
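The request flow above, together with the session-management rules from the implementation considerations, as an added example that is not code from the post or its GitHub repository: a framework-agnostic handler that mints a fresh anonymous URL on every page load, validates the session duration against the 15-60 minute range, refuses to embed anything but an https URL, escapes it before building the iframe, and sends Cache-Control: no-store so the single-use URL is never served from a browser or CDN cache. The AWS clients are injected as two functions, getSecret and createAnonymousUrl (both names assumed for this example, not SDK identifiers), so the logic runs offline against the constructed fakes at the bottom; in production they would wrap GetSecretValue and CreateAnonymousWebExperienceUrlCommand.

```javascript
// Added example (not the post's or repository's own code). Range from the post:
// CreateAnonymousWebExperienceUrl accepts a session length of 15-60 minutes.
const MIN_SESSION_MINUTES = 15;
const MAX_SESSION_MINUTES = 60;

function validateSessionDuration(minutes) {
  if (!Number.isInteger(minutes)) {
    throw new TypeError('sessionDurationInMinutes must be an integer');
  }
  if (minutes < MIN_SESSION_MINUTES || minutes > MAX_SESSION_MINUTES) {
    throw new RangeError(
      `sessionDurationInMinutes must be ${MIN_SESSION_MINUTES}-${MAX_SESSION_MINUTES}, got ${minutes}`);
  }
  return minutes;
}

// Escape a string for use inside a double-quoted HTML attribute.
function escapeHtmlAttribute(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// The API supplies the URL, but the page only ever embeds https: anything else
// (javascript:, data:, http:) is rejected before it reaches the iframe.
function assertHttpsUrl(value) {
  const url = new URL(value); // throws on malformed input
  if (url.protocol !== 'https:') {
    throw new Error(`refusing to embed non-https URL (${url.protocol})`);
  }
  return url.toString();
}

function buildEmbedHtml(anonymousUrl) {
  const safeUrl = escapeHtmlAttribute(assertHttpsUrl(anonymousUrl));
  return `<iframe id="qbusiness-iframe" src="${safeUrl}" style="min-width: 450px;"></iframe>`;
}

// deps.getSecret()            -> Promise<{ applicationId, webExperienceId }>
//   (production: GetSecretValue, then JSON.parse(SecretString))
// deps.createAnonymousUrl(in) -> Promise<{ anonymousUrl }>
//   (production: client.send(new CreateAnonymousWebExperienceUrlCommand(in)))
// Both names are assumptions of this example, not SDK identifiers.
async function renderChatPage(deps, sessionDurationInMinutes = 60) {
  const minutes = validateSessionDuration(sessionDurationInMinutes);
  const { applicationId, webExperienceId } = await deps.getSecret();
  if (!applicationId || !webExperienceId) {
    throw new Error('secret is missing applicationId or webExperienceId');
  }
  // A new URL on every request: the previous one is single-use and expires in five minutes.
  const { anonymousUrl } = await deps.createAnonymousUrl({
    applicationId, webExperienceId, sessionDurationInMinutes: minutes,
  });
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      // Neither the browser nor the CDN may replay this page: its URL is dead after first use.
      'Cache-Control': 'no-store',
    },
    body: `<!doctype html><html><body>${buildEmbedHtml(anonymousUrl)}</body></html>`,
  };
}

// Constructed fakes for running offline. Each call mints a distinct URL, mirroring
// the single-use behaviour of the real API; the counter lets a caller verify that
// two renders really produced two API calls.
function makeFakeDeps() {
  let calls = 0;
  return {
    calls: () => calls,
    getSecret: async () => ({ applicationId: 'app-example', webExperienceId: 'wx-example' }),
    createAnonymousUrl: async ({ applicationId }) => {
      calls += 1;
      return { anonymousUrl: `https://example.invalid/embed?app=${applicationId}&n=${calls}` };
    },
  };
}

renderChatPage(makeFakeDeps()).then((page) => console.log(page.headers['Cache-Control'], page.body));
```

In an Express route the handler body becomes res.set(page.headers).status(page.status).send(page.body); the no-store header matters because Amplify Hosting sits behind a CDN, and a cached copy of this page would hand every later visitor an already-consumed URL.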
For a complete implementation example, check out our GitHub repository with sample code and deployment instructions.
Conclusion
Combining Amazon Q Business anonymous web experiences with AWS Amplify and implementing appropriate security controls enables public sector agencies to provide AI-powered assistance to citizens without authentication barriers while maintaining robust security. This architecture enables agencies to enhance digital services, improve citizen experiences, and maintain compliance with security requirements.
The solution demonstrates the commitment of AWS to helping public sector organizations innovate securely and efficiently. Following the implementation considerations outlined in this post enables agencies to confidently deploy secure, AI-enhanced citizen services using the combination of Amazon Q Business anonymous web experiences and Amplify.
Next Steps
To review the technical solution for this blog, see the GitHub repository for this post. For further reading and resources, explore the following links.
Resources
- Explore the Amazon Q Business documentation to learn more about implementing anonymous web experiences
- Boost team productivity with Amazon Q Business Insights
- Build public-facing generative AI applications using Amazon Q Business for anonymous users
- Empowering the public sector with Amazon Q Business: Best practices for security, efficiency, and scalability
- Firewall support for AWS Amplify hosted sites