Every once and a while I get to have some pretty interesting conversations and almost all of them seem to revolve around Generative AI right now. Just a few weeks ago I was asked what AWS service(s) I would use to build a AI chat bot grounded in private data and having spent some time playing with Amazon Bedrock I immediately thought, this is easy. Just setup Amazon Bedrock add a Knowledge base and throw together a simple Chat UI. The service walks you through most these steps and quick search across github.com will surely uncover a Chat UI ready to go. I mean you could even just use the AWS sample here.
https://github.com/aws-samples/bedrock-claude-chat
This then got me thinking, If its so quick and easy to use Amazon Bedrock, then why do we have Amazon Q ? What use cases would I preference this over Bedrock and is it faster? Of course, me being the curious architect I am, I figured I better give this new service a try and see if its faster than doing this with Amazon Bedrock !!
So what is Amazon Q? – Well based on Amazon’s website Amazon Q is a lot of things…..
Amazon Q generates code, tests, debugs, and has multistep planning and reasoning capabilities that can transform and implement new code generated from developer requests. Amazon Q also makes it easier for employees to get answers to questions across business data….
A deeper look shows that Amazon Q is an umbrella term used to describe 2 products and 3 different service integrations. Lets take a quick look at each;
Products
Amazon Q Business – Amazon Q Business is a generative AI–powered assistant that can answer questions, provide summaries, generate content, and securely complete tasks based on data and information in your enterprise systems
Amazon Q Developer – Amazon Q Developer assists developers and IT professionals with all their tasks—from coding, testing, and upgrading applications, to diagnosing errors, performing security scanning and fixes, and optimizing AWS resources.
Service Integrations
Amazon Q for Quicksight – With Amazon Q in QuickSight, customers get a Generative BI assistant that allows business analysts to use natural language to build BI dashboards in minutes and easily build visualizations and complex calculations.
Amazon Q for Connect – Amazon Q in Connect uses the real-time conversation with the customer along with relevant company content to automatically recommend what to say or what actions an agent should take to better assist customers.
Amazon Q for AWS Supply Chain – Using Amazon Q in AWS Supply Chain (coming soon), inventory managers, supply and demand planners, and others will be able to ask and get intelligent answers about what is happening in their supply chain, why it is happening, and what actions to take. They will also be able to explore what-if scenarios to understand the trade-offs between different supply chain choices.
So the choice here isn’t exactly straight forward and quite frankly a little confusing. In my case, I want to build a chat bot that is grounded in some S3 data based on my technical standards, so this best aligns with the Amazon Q business option. At this point you may be thinking, wait… isn’t this just Amazon’s Bedrock + Knowledge base and the short answer is yes. Both services produce the same outcome, although Amazon Q business makes this arguably ‘simpler’ for users to build. If your interested in understanding more about Amazon Bedrock and Knowledge bases, you can read my previous post below.
Using Amazon Bedrock Knowledge Bases to power up sports stats
Before moving along, we need to take a minute to explore why this is ‘SIMPLER’.
The main difference here is that in Amazon Bedrock, AWS provides access to the low level service primitives and APIs associated with managing and interfacing with Large Language Models (LLM) and assumes the developer will take care of model selection, user authentication, the user interface (UI) and build all the necessary back end service integrations associated with RAG (Retrieval Augmented Generation), whereas Amazon Q for business is much more opinionated and makes most of these decisions for you. Arguably this means these products are targeted at very different audiences, significantly lowering the bar for businesses to build Generative AI powered chat bots.
And there in lies the a primary distinction between these services and forms arguably to most significant selection criteria when evaluating Amazon Q vs Amazon Bedrock. Do I want or need control of the low level aspects of my chat bot. If the answer is NO, then Amazon Q for Business is likely a very solid starting point.
The other key differentiator is that Amazon Q also comes with a library of data source integrations to choose from (40 + at the time of this writing) which again makes it faster to build your GenAI chat bot application. I’m feeling somewhat lazy today so lets see if Amazon Q can do a decent job of this for us. Lets build our first app.
Building your first Amazon Q App
The first thing you’ll notice when you search for Amazon Q in the AWS console, is that the confusing product labeling rears its head again to catch you out. The various options for Amazon Q make this step more confusing than it needs to be and ill save you banging your head on the desk and remind you to look for the Amazon Q for Business option.
If you managed to navigate to the Amazon Q for Business console without my guidance above, then your firstly smarter than I and secondly recommend you apply for my job immediately. This caught me out the first time and I ended up in the Amazon Q portal where you assign subscriptions. This is not the right starting point.
Next you will need to select one of the 2 supported regions (US-WEST-2 or US_EAST-1)
Assuming your on the Amazon Q for business console, you might be tempted to press the ‘Create Application’ button and get started but I implore you to STOP. just for a min. We need to talk about user Authentication!!!
Prerequisites
What, wait, you said Amazon Q does this for us ? – Amazon Q does take care of the user authentication aspects of your app, but in order to handle this, it assumes the following prerequisites have been completed.
1. You have an instance of IAM Identity Center already running in your account
2. You have configured IAM Identity Center Users and Groups
If you haven’t deployed an IAM Identity Access instance in your account the Amazon Q for business console will through up some warning banners telling you as much, so its time to stop and take a look at the following article to get this setup.
Once this is configured, I strongly suggest you create a Group and a User in IAM Identity Access Center as we will need this later on and doing it during the app creation process is a painful fragmented experience.
You have been warned !!
Step 1 – Create Application
The first step in creating your app is to give it a name, determine the service integration and encryption options and configure your authentication source.
Name – give your app a descriptive name I used ‘my-nerdy-app‘
Service Access – There are 3 options available for Service access. Create a new SLR, create a new SR or select an existing SLR or SR. If this is the first application then you will need to choose to create a new role. AWS provides you with 2 options here. You can allow Amazon-Q to manage the IAM Service role on your behalf via the SLR option or you can create a customer managed IAM role with access to the services it needs. The difference is subtle but worth calling out.
For our use case lets go with the Amazon-Q managed option and select the Create and use a new service-linked role (SLR)
Encryption – AWS provides a blurb here that all Amazon Q for business data is encrypted with the service key, but if you would like to the a Customer Managed key then you can click the ‘customize encryption settings’ checkbox and provide the ARN of your KMS key here. I’m going to leave the default AWS encryption in place.
Authentication – Here’s where things get interesting. Prior to August 2024, Amazon Q required you to have your IAM Identity Access center instance deployed in one of the 2 supported regions. This is no longer the case and if you have deployed IAM Identity Access Center in a region other than use-east-1 or us-west-2 then you need to select the Advanced IAM Identity Center settings and enable the ‘cross region calls to access service resources toggle’. Without doing this you will not be able to proceed and a warning will be displayed stating that your app cannot connect to IAM Identity Center.
Tags – Finally you can optionally choose to add a Application or web experience tag to your application.
If you’ve followed all the steps correctly you should be able to click the [Create] button to move onto configuring the app settings.
Step 2 – Select Retriever
In step 2 we need to configure the retriever settings and set the desired index capacity required for our data. This is akin to setting up RAG in Amazon Bedrock with Knowledge bases.
Retrievers – As you can see we have 2 options here. Use Native Retriever or Use Existing Retriever. The native retriever is what we want for our application as it supports all the predefined data sources and doesn’t require us to have an established Amazon Kendra instance deployed with existing data. Select Native retriever.
Index provisioning – Next we select the desired index capacity we need. As you can see from the descriptions we have ‘Enterprise‘ which is a multi-AZ deployment and supports scaling up to millions of documents or we have ‘Starter‘ which is a single AZ deployment and can scale to 100,000 documents. Lets use the ‘Starter‘ option as we should always be frugal and only use what we need.
number of units – Next we need to specify the number of units we need. This can be an integer between 1- 50. This is very easy decision and should be left at 1 unless you have more than 20,000 documents to crawl and index.
Tags – Finally you can optionally choose to add a Retriever or Index tag to your application. I’m leaving this out
If you’ve followed all the steps correctly you should be able to click the [Next] button to move onto configuring the data sources settings.
Step 3 – Data Sources
In step 3 we need to configure a data source to use as our private data and as you can see, there are quite a few options to choose from. Thankfully AWS promotes the most popular options at the top being S3, Web Crawler and Upload Files. In this blog lets go with S3 as this is likely to be the most common data source people will use and I happen to have an S3 bucket full of documented standards id like to use as my knowledge base.
SYNC Scope
Advanced Settings
The advanced settings can be left alone for our use case and ill likely cover these in a later post to provide examples of how this data is applied to our chat bot. Right now lets just understand that these settings allow more granular control of the documents to crawl and who should have or more importantly, be Denied access to these documents.
Step 4 – Add Groups and Users
In the final step we need to add users or groups to our application and create the IAM Role for the portal to use. Lets start with the User access.
To add Users and or Groups, start by clicking the [Add groups and users] button.
This will open a new window where you can select to create a new user or group or assign an existing one. At the time of writing, if you create a new user you need to navigate to IAM Identity center and enable the user outside of this setup wizard, which I found painful hence why I asked you to create a user or group as part of the IAM Identity Access installation steps. Lets select ‘Assign existing users and groups’ and click [Next]
Start typing your User or Group name in the search window and select the appropriate resource. You should now be able to click the [Assign] button.
It might take 30 seconds or so, but the user or group should now be listed and we can move onto the last step
Web experience service access – This last option creates a Service Access Role which allows the user interface to call the Amazon Q application. We want the setup wizard to create this for us so lets select the ‘create and use new service role’ and the final button [Create Application]
Testing the Application
After a min or so you should be returned to the Amazon Q for Business page and see your new Amazon Q application listed in the Applications table. Before we test things out, let first make sure our data source is synchronized. To do this click the name of the Amazon Q application to open the chatbot’s settings.
Next scroll down to data source section and select the radio button next to the data source name. Click the [Sync Now] button. This forces a synchronization and prevents us having to wait the hr for the automatic crawl/index process to complete. This might take some time, depending on how much data you have your S3 bucket, so be prepared to grab a drink or go off and do something else.
You will know when the job is finished as the ‘current sync status’ will display ‘Complete’ and you should see a timestamp next to the ‘last sync time’. Lets go a test our application.
Click the Applications option in left hand navigation pane to go back to the list of applications and click the ‘Web Experience URL’ associated with our new app.
With some luck you should be presented with a login box where you can enter the username and click [Next]
Enter your password and click [Login]. After a few seconds your Amazon Q application should load and you should be able to enter in a query to test its knowledge.
In my case I’ve grounded my Amazon Q chat bot with the technical standards around Compute choice and my resource tagging strategy, so lets ask it a question like…..
What is the minimum and maximum number of characters i’m allowed to use in my resource tags?.
And like magic i get the following response….
According to the data source, the maximum number of characters allowed for a tag key or value is 63 characters. Specifically, the documents state that “Length of key: Maximum 63 Characters” and “Length of value: Maximum 63 Characters” .The data source also mentions that the allowed characters for tags are “Alphanumeric only” . Additionally, the documents state that the tags should be “Lowercase only” .
Amazing isn’t it. My chat bot understands natural language and can retrieve relevant information across my processed documents to answer my question. Whats better is i built this without writing a single line of code or deploying a single resource myself.
Conclusion
In this blog post I demonstrated how Amazon Q was able to solve a use case of building a Question and Answer chat bot, grounded in my own private data. Whats more is that Amazon Q is very easy to setup and while its quite opinionated and requires a few prerequisite steps to get things going, its a lot easier and faster than developing the same thing in Amazon Bedrock. I do honestly think your mileage will vary significantly when using Amazon Q as, its bare bones features and opinionated approach, may not suit most businesses, however if your looking for a easy GUI based no code approach to building Q&A bots, You probably cant do this any faster. In my case the ‘Q’ in Amazon Q for Business does stand for QUICK !!.
3502
0
October 31, 2024
