This Guidance helps you deploy search functionality powered by HAQM Kendra. For many organizations, critical business information is scattered across multiple content repositories, making it challenging for employees to access and securely share the right information. HAQM Kendra helps manage access to documents through token-based user access. HAQM Kendra also supports search filtering based on user access tokens and document access control lists (ACLs). Search results return links and a short description to original document repositories. Access control to full documents remain enforced by the access policies of the original repository.
Architecture Diagram
Step 1
HAQM Kendra crawls and indexes documents from an HAQM Simple Storage Service (HAQM S3) bucket and collects the ACLs and document attributes from the metadata files.
Step 2
The HAQM Cognito user pool authenticates registered users. The HAQM Cognito identity pool authorizes the application to use HAQM Kendra and HAQM S3.
Step 3
Configure user access control of the HAQM Kendra index to use the HAQM Cognito user pool as an Open ID provider.
Step 4
AWS Amplify builds and deploys the application code that will be used for web application hosting.
Step 5
Your user authenticates and logs in to the application to perform a query.
Step 6
The application sends the user’s access token (provided by the HAQM Cognito user pool) to the HAQM Kendra index. The HAQM Kendra index decrypts the access token using the HAQM Cognito user pool signing URL and gets parameters such as cognito:username and cognito:groups associated with the user.
Step 7
The HAQM Kendra index filters the search results based on the stored ACLs and the information received in the user access token. These filtered results are returned in response to the query API call that the application makes.
Step 1
HAQM Kendra crawls and indexes documents from an HAQM Simple Storage Service (HAQM S3) bucket and collects the ACLs and document attributes from the metadata files.
Step 2
The HAQM Cognito user pool authenticates registered users. The HAQM Cognito identity pool authorizes the application to use HAQM Kendra and HAQM S3.
Step 3
Configure user access control of the HAQM Kendra index to use the HAQM Cognito user pool as an Open ID provider.
Step 4
AWS Amplify builds and deploys the application code that will be used for web application hosting.
Step 5
Your user authenticates and logs in to the application to perform a query.
Step 6
The application sends the user’s access token (provided by the HAQM Cognito user pool) to the HAQM Kendra index. The HAQM Kendra index decrypts the access token using the HAQM Cognito user pool signing URL and gets parameters such as cognito:username and cognito:groups associated with the user.
Step 7
The HAQM Kendra index filters the search results based on the stored ACLs and the information received in the user access token. These filtered results are returned in response to the query API call that the application makes.
Well-Architected Pillars
The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.
The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.
-
Operational ExcellenceRead the Operational Excellence whitepaper
HAQM Kendra uses HAQM CloudWatch Logs to give insight into the operation of data sources. HAQM Kendra logs process details for the documents as they are indexed. It logs errors from data sources that occur while documents are being indexed. CloudWatch Logs can be used to monitor, store, and access the log files. CloudWatch Logs Insights and anomaly detection can be used to continuously analyze metrics of systems and applications, determine normal baselines, and surface anomalies with minimal user intervention.
-
SecurityRead the Security whitepaper
HAQM Cognito helps manage, authenticate, and authorize web application end-users. This architecture uses HAQM Cognito’s identity pool to authorize the web application to use only HAQM Kendra and HAQM S3. The web application is not allowed to access any other services. Additionally, this architecture uses AWS CloudFormation templates to deploy resources to the AWS Cloud. These templates reduce the risk of human error associated with manual configuration or management.
-
ReliabilityRead the Reliability whitepaper
The enterprise version of an HAQM Kendra index by default is highly available within a Region. When you start with HAQM Kendra Enterprise Edition, you get a base capacity of 100,000 searchable documents and up to 8,000 queries per day.
-
Performance EfficiencyRead the Performance Efficiency whitepaper
HAQM CloudFront reduces latency when delivering web applications. During deployment of this architecture, you should make sure that all the services (e.g., HAQM Kendra, HAQM Cognito, CloudFront) required for the architecture are available in your chosen Region for deployment.
-
Cost OptimizationRead the Cost Optimization whitepaper
This architecture uses Amplify which applies serverless technologies to host front-end and back-end services for web applications. Amplify scales up with high volumes of users and then scales back down as user volumes decrease, helping to manage costs.
-
SustainabilityRead the Sustainability whitepaper
Web applications hosted by Amplify scale based on user demand of the web application, helping ensure the most efficient use of energy resources.
Implementation Resources
A detailed guide is provided to experiment and use within your AWS account. Each stage of building the Guidance, including deployment, usage, and cleanup, is examined to prepare it for deployment.
The sample code is a starting point. It is industry validated, prescriptive but not definitive, and a peek under the hood to help you begin.
Related Content
Building a secure search application with access controls using HAQM Kendra
HAQM Kendra is a highly accurate and easy-to-use intelligent search service powered by machine learning (ML). HAQM Kendra supports search filtering based on user access tokens that are provided by your search application, as well as document access control lists (ACLs) collected by the HAQM Kendra connectors.
This post demonstrates token-based user access control in HAQM Kendra with Open ID.
Disclaimer
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running HAQM EC2 instances or using HAQM S3 storage.