AI for Work connects with Amazon Q to extend enterprise search beyond the platform’s native connectors. This lets you use your existing Amazon Q Business index — its data sources, security model, and user authentication — without duplicating infrastructure.

Key Benefits

| Benefit | Description |
| --- | --- |
| Data Sovereignty | Data stays indexed within AWS — no partner cloud storage required |
| Unified Search | Access 90+ enterprise connectors (platform connectors and Amazon Q connectors), including AWS and non-AWS systems |
| Agentic Actions | Automate workflows — schedule meetings, update records, generate presentations — with search context |
| Flexible Routing | AI-driven intent recognition routes queries to the right retriever |
| Security | End-to-end encryption at rest and in transit, with granular cross-account access control |
| Single Sign-On | Users authenticate once in AI for Work; Amazon Q access is handled transparently via Trusted Token Issuer (TTI) |

| | Native Search (RAG) | Amazon Q |
| --- | --- | --- |
| Connectors | 70+ connectors with custom connector support | 40+ connectors |
| Control | Full control over ingestion, extraction, and retrieval configuration | Managed, standardized indexing |
| Best for | Teams needing fine-grained customization and experimentation | Teams prioritizing simplicity and enterprise-grade accuracy out of the box |

Integration Modes

Amazon Q integrates with the platform in two ways:

| Mode | When to Use |
| --- | --- |
| **Enterprise Knowledge** | Amazon Q Index is your primary knowledge source; it becomes the default fallback for all workspace queries that don’t match a specific agent |
| **Search Agent** | Amazon Q is one of several search indices; it activates based on query context and intent recognition |

Prerequisites

Before starting, ensure your AWS environment includes:
  • Read access to your Amazon Q Business application
  • Retriever access permissions
  • AWS IAM Identity Center integration permissions
  • Cross-account access permissions (if applicable)

Getting Started

Enterprise Knowledge

Use this mode when Amazon Q Index is your primary knowledge source and most enterprise connectors link to it.
  1. Navigate to Enterprise Knowledge
    • Log in to the Admin Console.
    • Select Enterprise Knowledge from the left navigation pane.
  2. Create a new configuration
    • Click Configure → Create New.
    • Choose Amazon Q as the knowledge source type.
  3. Configure basic settings
    | Field | Description |
    | --- | --- |
    | Source Name | A unique, descriptive identifier for this knowledge source |
    | Description | A clear explanation of the source content and purpose |
  4. Record the Tenant ID
    • Copy the displayed Tenant ID.
    • You will need this ID during AWS data accessor setup.
  5. Enter AWS connection details
    | Field | Description |
    | --- | --- |
    | Application ID | Unique identifier of your Amazon Q Business application |
    | Retriever ID | Unique identifier of your Amazon Q Business retriever |
    | Access Resource Name (ARN) | Resource identifier for secure access to Amazon Q |
    | Application Location | AWS region hosting your Amazon Q Business application |
    | IDC Location | AWS region hosting your AWS Identity Center instance |
  6. Save and activate
    • Click Save to store the configuration.
    • Mark the source as Active to enable it as the default knowledge source for queries.
Enterprise Knowledge configured within a specific workspace becomes the default source for all users in that workspace. Select Enterprise Workspace during initial setup if you want all users in the organization to have access.

Search Agent

Use this mode when integrating Amazon Q alongside other search indices, or when you want to control query routing through agent description and intent.
  1. Create a search agent
    • Navigate to the Search Agents section and click Create.
    • Enter an Agent Name and Purpose. This description guides the platform when routing relevant queries to this agent.
    • Select Amazon Q as the Index type.
  2. Record the Tenant ID
    • Copy the Tenant ID from the configuration screen.
    • You will need this during AWS data accessor setup.
  3. Enter AWS integration details
    | Field | Description |
    | --- | --- |
    | Application ID | Unique identifier of your Amazon Q Business application |
    | Retriever ID | Unique identifier of your Amazon Q Business retriever |
    | Access Resource Name (ARN) | Resource identifier for secure access to Amazon Q |
    | Application Location | AWS region hosting your Amazon Q Business application |
    | IDC Location | AWS region hosting your AWS Identity Center instance |

Configure the Amazon Q Business Application

This is a one-time setup that creates a secure connection between your Identity Provider (IdP) and AWS Identity Center using Trusted Token Issuer (TTI), allowing AI for Work to access your Amazon Q index. For reference, see the AWS configuration blog.

Step 1: Set Up a Trusted Token Issuer in IAM Identity Center

  1. Open the IAM Identity Center console (ensure IAM Identity Center is already enabled).
  2. Go to Settings → Authentication tab.
  3. Under Trusted token issuers, click Create trusted token issuer.
  4. Configure the following:
    | Field | Value |
    | --- | --- |
    | Issuer URL | https://work.kore.ai — must match the iss claim in the JWT |
    | Display Name | A descriptive name for identification |
    | User Attributes | Map attributes per your organization’s requirements |
  5. Save the configuration and confirm the TTI was created successfully.

Step 2: Configure Audience Claims

  1. Verify that the aud claim in the IdP-issued token matches your Amazon Q application’s audience requirement in IAM Identity Center.
  2. Update claim mappings in the IdP admin interface as needed.
  3. Confirm attribute mapping is established between your external IdP and AWS Identity Center.

Step 3: Add and Assign Users in IAM Identity Center

  1. Add users in your external IdP and provision them with the mapped attributes from Step 1.
  2. Authenticate users — the external IdP issues tokens that users exchange through IAM Identity Center for Amazon Q API credentials.
  3. Assign users or groups (if required by your access policies):
    • Navigate to IAM Identity Center → Applications → [Your Q App].
    • Select Assign Users/Groups and complete the assignment.

Step 4: Set Up the Q Business Application

  1. Create a new Q Business Application or open an existing one in the AWS console.
  2. Add all users who need search access within the Q Business application.

Step 5: Add Data Sources to the Amazon Q Index

  1. In the Q Business application, create an index by adding the relevant data sources.
  2. Add data sources such as Google Drive, JIRA, Amazon S3, or other enterprise systems.
  3. Configure each data source connection following the AWS documentation.

Step 6: Add Kore.ai as a Data Accessor

This step completes the integration by registering Kore.ai as a data accessor using the Tenant ID from the platform.
  1. In the Q Business Application console, go to Data Accessors → Add Data Accessor.
  2. Select Kore.ai from the available options.
  3. In the External ID field, paste the Tenant ID from your Platform configuration screen.
  4. Configure the Trusted Token Issuer — use an existing TTI or create a new one.
  5. Set Data Source Access permissions:
    | Option | Description |
    | --- | --- |
    | All data sources | Grants Kore.ai access to all current and future data sources |
    | Specific data sources | Limits access to selected data sources only |
  6. Set User Access permissions:
    | Option | Description |
    | --- | --- |
    | All Users | Grants access to all users (ensure they are added to the application) |
    | Specific Users | Limits access to selected individual users |
  7. Copy the Data Accessor Details from the AWS console and paste them into your Platform configuration screen to complete the integration.

Technical Reference

Architecture

[AI for Work Platform] ↔ [Amazon Q Index] ↔ [Enterprise Data Sources]

[AWS IAM / STS]  ↔  [IAM Identity Center (TTI)]

| Component | Role |
| --- | --- |
| AI for Work Platform | Manages user interactions, business logic, and query routing |
| Amazon Q Index | Stores vector embeddings and document metadata |
| AWS IAM / STS | Handles authentication and credential brokering |
| IAM Identity Center (TTI) | Exchanges IdP OIDC tokens for temporary AWS credentials |

Components communicate over HTTPS using RESTful APIs signed with AWS Signature Version 4 (SigV4). The platform routes each query to either Kore’s native retrievers or Amazon Q Index based on predefined routing rules. Amazon Q responses include relevant document snippets with source references — not complete documents — for security and performance.

Security and Authentication

AI for Work uses the TTI (Trusted Token Issuer) model for Amazon Q authentication. This lets organizations use OIDC-compliant external IdPs without issuing separate AWS credentials to each user.

Authentication flow:
  1. The user authenticates with their organization’s IdP, which issues a signed OIDC token.
  2. AI for Work presents the token to AWS IAM Identity Center.
  3. IAM Identity Center verifies the token’s validity, issuer, and claims against the pre-configured TTI.
  4. If valid, IAM Identity Center issues temporary AWS credentials scoped to Amazon Q index operations.
  5. AI for Work uses these credentials to query Amazon Q index APIs.
This approach enables cross-organizational SSO, granular permission mapping, and centralized identity management outside of AWS — in compliance with enterprise security and governance requirements.
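
A pre-flight check for the claims that Step 1 (issuer URL), Step 2 (audience) and step 3 of the authentication flow depend on, added here as an example and not Kore.ai or AWS code. It assumes a compact JWT; the audience value `example-q-audience` and all function names are hypothetical, and it inspects claims only, without verifying the signature.

```python
import base64, json, time

EXPECTED_ISSUER = "https://work.kore.ai"  # Issuer URL configured in Step 1

def _segment(seg):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    obj = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def preflight(token, expected_aud, expected_iss=EXPECTED_ISSUER, now=None):
    """List claim problems; [] means iss, aud and exp match the TTI setup.
    Claims are inspected only: the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWT: expected 3 dot-separated segments"]
    try:
        header, claims = _segment(parts[0]), _segment(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("alg is 'none': token is unsigned")
    iss = claims.get("iss")
    if iss != expected_iss:  # exact string comparison
        near = isinstance(iss, str) and iss.rstrip("/") == expected_iss.rstrip("/")
        hint = " (differs only by a trailing slash)" if near else ""
        problems.append(f"iss {iss!r} != issuer URL {expected_iss!r}{hint}")
    aud = claims.get("aud")  # may be a string or a list of strings
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if expected_aud not in audiences:
        problems.append(f"aud {aud!r} does not include {expected_aud!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        problems.append("exp is missing or already past")
    return problems

def make_sample(claims, alg="RS256"):
    """Build a constructed token with a dummy signature (demo input only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "typ": "JWT"}), enc(claims), "c2ln"])

if __name__ == "__main__":
    aud = "example-q-audience"  # hypothetical audience value
    ok = make_sample({"iss": EXPECTED_ISSUER, "aud": aud, "exp": 4102444800})
    bad = make_sample({"iss": EXPECTED_ISSUER + "/", "aud": ["other-app"], "exp": 1})
    print(preflight(ok, aud), preflight(bad, aud), sep="\n")
```

Run it against a token captured from your own IdP before saving the TTI configuration; an empty list means the claims line up, not that the token is trusted.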