Amazon Q Business is a generative AI-powered assistant that answers question, provides summaries, generates content, and securely completes tasks based on enterprise data and information. It connects to company data sources, applications, and internal systems to provide relevant, contextual answers while maintaining organizational security and compliance standards.

Today, we’re excited to announce that Amazon Q Business now supports anonymous user access. With this new feature, you can now create Amazon Q Business applications with anonymous user mode, where user authentication is not required and content is publicly accessible. These anonymous user applications can be used in use cases such as public website Q&A, documentation portals, and customer self-service experiences.

This capability allows guest users to use Amazon Q Business generative AI capabilities to quickly find product information, get technical answers, navigate documentation, and troubleshoot issues. Your public-facing websites, documentation, and support portals can now deliver the same powerful AI-driven assistance that authenticated users receive, creating an experience that enriches the guest user journey across your digital environments.

With this launch, you can seamlessly integrate an anonymous Amazon Q Business application into your websites and web applications through two pathways: either by embedding the ready-to-use web experience into your websites using an iframe for quick deployment, or by using our Chat, ChatSync, and PutFeedback APIs to build completely customized interfaces within your own applications. For anonymous Amazon Q Business applications, we’ve implemented a simple consumption-based pricing model where you’re charged based on the number of Chat or ChatSync API operations your anonymous Amazon Q Business applications make.

In this post, we demonstrate how to build a public-facing generative AI application using Amazon Q Business for anonymous users.

Solution overview

In this solution, we walk you through creating an anonymous Amazon Q Business application using both the AWS Management Console and AWS Command Line Interface (AWS CLI). Our example demonstrates a practical scenario: helping website visitors find information on public-facing documentation websites.

We demonstrate how to test the implementation with sample queries through the built-in web experience URL. The resulting application can be customized and embedded directly into your websites (using the API or the iframe method), providing immediate value for your users.

Prerequisites

To follow along with this post, you will need the following:

• An AWS account.
• At least one Amazon Q Business Pro user that has admin permissions to set up and configure Amazon Q Business. For pricing information, see Amazon Q Business pricing.
• AWS Identity and Access Management (IAM) permissions to create and manage IAM roles and policies.
• Public content to index (documents, FAQs, knowledge base articles) that can be shared with unauthenticated users.
• A supported data source to connect, such as an Amazon Simple Storage Service (Amazon S3) bucket containing your public documents.
• The AWS CLI configured with appropriate permissions (if following the AWS CLI method).

Create an anonymous Amazon Q Business application using the console

In this section, we walk through the steps to implement the solution using the console.

Create an IAM role for the web experience

Before creating your Amazon Q Business application, you will need to set up an IAM role with the appropriate permissions:

1. On the IAM console, choose Roles in the navigation pane and choose Create role.
2. Choose AWS service as the trusted entity
3. Select Amazon Q Business from the service list.
4. Choose Next: Permissions.
5. Create a custom policy or attach the necessary read-only policies, and add permissions for anonymous access.

We strongly recommend that you use a restricted policy for the role, like the one shown in the following screenshot, which will be used to create the web experience for anonymous access application environments.

An example of a restricted role policy for calling the Chat API for anonymous access application environments would be arn:aws:qbusiness:<your-region>:<your-aws-account-id>:application/<your-application-id>.

6. Create an IAM role with a trust policy that allows the Amazon Q Business service principal to assume the role using AWS Security Token Service (AWS STS), specifically scoped to your application’s Amazon Resource Name (ARN) in the designated AWS Region.
   

Create an Amazon Q Business application

Now you’re ready to create your Amazon Q Business application:

1. On the Amazon Q Business console, choose Create application.
2. For Application name, enter a name (for example, SupportDocs-Assistant).
3. For User access, select Anonymous access for this application environment.
4. Select Web experience to create a managed web experience to access the Amazon Q Business application.
   

You will see a notice about consumption-based billing for anonymous Amazon Q Business applications. For more details on pricing, refer to Amazon Q Business pricing.

5. Leave the default service role option unless you have specific requirements.
6. For Encryption, use the default AWS managed key unless you need custom encryption.
7. For Web experience settings, you can use an existing IAM role from your account or authorize Amazon Q Business to generate a new role with appropriate permissions. For this post, we select Use an existing service role and choose the IAM role created earlier (QBusinessAnonymousWebRole).
8. Optionally, customize the web experience title and welcome message.
   
9. Review all your configuration options and choose Create to create the application.

You should see a confirmation that your anonymous access application has been created successfully.

You will find the necessary parameters and details of your Amazon Q Business application on the landing page displayed after successful creation like the following screenshot, which provides comprehensive information about your newly created Amazon Q Business application.

Add data sources

After you create your application, you need to add an index and data sources. To learn more, refer to Index. You will see a pop-up like the following indicating that anonymous access is enabled.

Complete the following steps:

1. From your application dashboard, choose Add index.
2. Name your index (for example, Supportdocs-External) and keep the default settings.
3. Choose Add an index.
   
4. After you create the index, you can add data sources to it.

For our example, we use the Amazon Q Business public documentation as our data source by adding the URL https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/what-is.html. The Web Crawler will automatically index the content from this documentation page, making it searchable through your anonymous Amazon Q Business application.

For more information about Web Crawler configuration options and best practices, refer to Connecting Web Crawler to Amazon Q Business.

5. From your index dashboard, choose Add data source.
6. Enter a name for your data source and optional description.
7. For Source, select Source URLs and enter the URLs of the public websites you want to index.
   
8. For Authentication, select No authentication.
   
9. Configure the sync run schedule and field mappings.
10. Choose Add data source.
    

Alternatively, you can add Amazon S3 as the data source:

1. From your index dashboard, choose Add data source.
2. Select Amazon S3 as the source.
3. Configure your S3 bucket settings (make sure the bucket has public access).
4. Complete the data source creation process.

You must only ingest publicly available data sources without access control lists (ACLs).

Generate an anonymous web experience URL

After your data sources are set up, complete the following steps:

1. From your application dashboard, choose your application.
2. In the Web experience settings section, choose Share one-time URL.
   

The anonymous web experience URL can be shared as a single-use link that must be redeemed and accessed within 5 minutes. After it’s activated, the Amazon Q Business session remains active with a configurable timeout ranging from 15–60 minutes. This enables you to experience the web interface and test its functionality before deploying or offering the anonymous application to guest users.

Test your anonymous Amazon Q Business application

To test the application, choose Preview web experience.

The following screenshot shows the welcome page for your anonymous Amazon Q Business application’s web interface. Let’s begin asking Amazon Q Business some questions about the Amazon Q index.

In the first query, we ask “What is Q index? How is it useful for ISV’s?” The following screenshot shows the response.

In the following query, we ask “How can Q index enrich generative AI experiences for ISVs?”

In our next query, we ask “How is Q index priced?”

Having successfully tested our anonymous Amazon Q Business application through the console, we will now explore how to create an equivalent application using the AWS CLI.

Create your anonymous application using the AWS CLI

Make sure that your AWS CLI is configured with permissions to create Amazon Q Business resources and IAM roles.

Create an IAM role for Amazon Q Business

First, create an IAM role that Amazon Q Business can assume to access necessary resources:

# Create trust policy document
cat > trust-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "qbusiness.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

# Create IAM role
aws iam create-role 
  --role-name QBusinessAnonymousAppRole 
  --assume-role-policy-document file://trust-policy.json

# Attach necessary permissions
aws iam attach-role-policy 
  --role-name QBusinessAnonymousAppRole

Create an anonymous Amazon Q Business application

Use the following code to create your application:

#bash
aws qbusiness create-application 
--display-name "PublicKnowledgeBase" 
--identity-type ANONYMOUS 
--role-arn "arn:aws:iam:: <ACCOUNT_ID>:role/QBusinessAnonymousAppRole" 
--description "This is the QBiz application for anonymous use-case"

Save the applicationId from the response:

#json

{
  "applicationId": "your-application-id",
  "applicationArn": "arn:aws:qbusiness:region:account-id:application/your-application-id"
}

Create a restrictive policy for anonymous access

We strongly recommend using the following restricted policy for the role that will be used to call the chat APIs for anonymous access application environments. This policy limits actions to only the necessary APIs and restricts access to only your specific application.

Create the IAM role with the following policy:

# Create restrictive policy document
cat > anonymous-access-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QBusinessConversationPermission",
      "Effect": "Allow",
      "Action": [
        "qbusiness:Chat",
        "qbusiness:ChatSync",
        "qbusiness:PutFeedback"
      ],
      "Resource": "arn:aws:qbusiness:<REGION>:<ACCOUNT_ID>:application/<APPLICATION_ID>"
    }
  ]
}
EOF

# Attach the policy to the role
aws iam put-role-policy 
  --role-name QBusinessAnonymousAppRole 
  --policy-name QBusinessAnonymousAccessPolicy 
  --policy-document file://anonymous-access-policy.json

Create an index

Create an index for your content, then upload documents using the BatchPutDocument API. For step-by-step guidance, see Select Retriever.

Test your anonymous Amazon Q Business application

To demonstrate the chat functionality using the AWS CLI, we uploaded Amazon Q Business documentation in PDF format to our index and tested the application using the following sample queries.

The following is an example chat interaction using the IAM role credentials. We first ask “What is Amazon Q index?”

#1)
#bash
aws qbusiness chat-sync 
  --application-id <APPLICATION_ID> 
  --user-message "What is Amazon Q index?"

The following screenshot shows part of the output from the chat-sync API when executed with our anonymous Amazon Q Business application ID, as shown in the previous command.

Next, we ask “How can Q index enrich generative AI experiences for ISV’s?”

2)
#bash
aws qbusiness chat-sync 
  --application-id <APPLICATION_ID> 
  --user-message "How can Q index enrich generative AI experiences for ISV's?"

The following screenshot shows part of the output from the chat-sync API when executed with our anonymous Amazon Q Business application ID.

Create a web experience for the anonymous web application

Use the following code to create the web experience:

#bash
aws qbusiness create-web-experience 
  --application-id <APPLICATION_ID> 
  --display-name "PublicKnowledgeBaseExperience" 
  --role-arn "arn:aws:iam::<ACCOUNT_ID>:role/QBusinessAnonymousAppRole" 
  --description "Web interface for my anonymous Q Business application"

To generate an anonymous URL, use the following code:

#bash
aws qbusiness create-anonymous-web-experience-url 
  --application-id <APPLICATION_ID> 
  --web-experience-id <WEB_EXPERIENCE_ID>

You can use the web experience URL generated by the preceding command and embed it into your web applications using an iframe.

Considerations

Consider the following when using anonymous access in Amazon Q Business:

• The following are the only chat APIs that support anonymous access application environments:
  • Chat
  • ChatSync
  • PutFeedback
• You should only ingest publicly available data sources without ACLs. Examples of public data sources include:
  • Data from the Amazon Q Business Web Crawler
  • Amazon S3 data without ACLs
• Amazon Q Business applications with anonymous access are billed on a consumption-based pricing model.
• Chat history is not available for anonymous application environments.
• Anonymous users and authenticated users are not supported on the same application environments.
• Plugins are not supported for anonymous application environments.
• Amazon QuickSight integration is not supported for anonymous application

Environments.

• Amazon Q Apps are not supported for anonymous application environments.
• Attachments are not supported for anonymous application environments.
• Admin controls and guardrails are read-only for anonymous application environments, except for blocked words.
• Topic rules using users and groups are not supported for anonymous application

The remaining Amazon Q Business functionality and features remain unchanged.

Clean up

When you are done with the solution, clean up the resources you created.

Conclusion

In this post, we introduced Amazon Q Business anonymous user access mode and demonstrated how to create, configure, and test an anonymous Amazon Q Business application using both the console and AWS CLI. This exciting feature extends enterprise-grade Amazon Q Business generative AI capabilities to your anonymous audiences without requiring authentication, opening up new possibilities for enhancing customer experiences on public websites, documentation portals, and self-service knowledge bases. This feature is available through a consumption pricing model that charges based on actual Chat and Chatsync API usage and index storage costs still applicable.

By following the implementation steps outlined in this post, you can quickly set up an Amazon Q Business application tailored for your external users, secured with appropriate IAM policies, and ready to embed in your end-user-facing applications.

To learn more about this anonymous access feature, see the Amazon Q Business User Guide. For detailed guidance on embedding Amazon Q Business in your web applications, see Add a generative AI experience to your website or web application with Amazon Q embedded. If you’re interested in building completely custom UI experiences with the Amazon Q Business API, check out Customizing an Amazon Q Business web experience.

About the authors

Vishnu Elangovan is a Worldwide Generative AI Solution Architect with over seven years of experience in Applied AI/ML. He holds a master’s degree in Data Science and specializes in building scalable artificial intelligence solutions. He loves building and tinkering with scalable AI/ML solutions and considers himself a lifelong learner. Outside his professional pursuits, he enjoys traveling, participating in sports, and exploring new problems to solve.

Jean-Pierre Dodel is a Principal Product Manager for Amazon Q Business, responsible for delivering key strategic product capabilities including structured data support in Q Business, RAG. and overall product accuracy optimizations. He brings extensive AI/ML and Enterprise search experience to the team with over 7 years of product leadership at AWS.