Globally, many organizations have essential enterprise information dispersed amongst varied content material repositories, making it tough to entry this data in a streamlined and cohesive method. Making a unified and safe search expertise is a major problem for organizations as a result of every repository accommodates a variety of doc codecs and entry management mechanisms.
Amazon Kendra is an clever enterprise search service that permits customers to look throughout completely different content material repositories. Clients are answerable for authenticating and authorizing customers to achieve entry to their search software, and Amazon Kendra allows safe seek for enterprise functions, ensuring that the outcomes of a consumer’s search question solely embody paperwork the consumer is permitted to learn. Amazon Kendra can simply validate the id of particular person customers in addition to consumer teams who carry out searches with the addition of safe search tokens. By including consumer tokens for safe search, performing access-based filtered searches in Amazon Kendra is simplified and secured. You possibly can securely go consumer entry data within the question payload as a substitute of utilizing attribute filters to perform this. With this characteristic, Amazon Kendra can validate the token data and robotically apply it to the search outcomes for correct and safe access-based filtering.
Amazon Kendra helps token-based consumer entry management utilizing the next token sorts:
- Open ID
- JWT with a shared secret
- JWT with a public key
- JSON
Beforehand, we noticed an indication of token-based user access control in Amazon Kendra with Open ID. On this put up, we reveal token-based consumer entry management in Amazon Kendra with JWT with a shared secret. JWT, or JSON Internet Token, is an open customary used to share safety data between a shopper and a server. It accommodates encoded JSON objects, together with a set of claims. JWTs are signed utilizing a cryptographic algorithm to make sure that the claims can’t be altered after the token is issued. JWTs are helpful in eventualities concerning authorization and knowledge trade.
JWTs include three components separated by dots (.):
- Header – It accommodates components like sort of the token, which is JWT, the signing algorithm getting used, corresponding to HMAC SHA256 or RSA, and an elective key identifier.
- Payload – This accommodates a number of key-value pairs, known as claims, that are issued by the id supplier. Along with a number of claims referring to the issuance and expiration of the token, the token may also comprise details about the person principal and tenant.
- Signature – To create the signature half, you’re taking the encoded header, the encoded payload, a secret, the algorithm specified within the header, and signal that.
Subsequently, a JWT seems like the next:
The next is a pattern header:
The next is the pattern payload:
The JWT is created with a secret key, and that secret secret is personal to you, which suggests you’ll by no means reveal that to the general public or inject it contained in the JWT. Whenever you obtain a JWT from the shopper, you may confirm the JWT with the key key saved on the server. Any modification to the JWT will end in verification (JWT validation) failure.
This put up demonstrates the pattern use of a JWT utilizing a shared entry key and its utilization to safe Amazon Kendra indexes with entry controls. In manufacturing, you employ a safe authentication service supplier of your selection and based mostly in your necessities to generate JWTs.
To study extra about JWTs, confer with Introduction to JSON Web Tokens.
Resolution overview
Just like the post with Open ID, this resolution is designed for a set of customers and teams to make search queries to a doc repository, and outcomes are returned solely from these paperwork which can be approved for entry inside that group. The next desk outlines which paperwork every consumer is permitted to entry for our use case. The paperwork getting used on this instance are a subset of AWS public paperwork.
Person | Group | Doc Sort Approved for Entry |
Visitor | . | Blogs |
Patricia | Buyer | Blogs, consumer guides |
James | Gross sales | Blogs, consumer guides, case research |
John | Advertising | Blogs, consumer guides, case research, analyst studies |
Mary | Options Architect | Blogs, consumer guides, case research, analyst studies, whitepapers |
The next diagram illustrates the creation of a JWT with a shared entry key to manage entry to customers to the particular paperwork within the Amazon Kendra index.
When an Amazon Kendra index receives a question API name with a consumer entry token, it validates the token utilizing a shared secret key (saved securely in AWS Secrets Manager) and will get parameters corresponding to username and teams within the payload. The Amazon Kendra index filters the search outcomes based mostly on the saved Entry Management Record (ACL) and the knowledge acquired within the consumer’s JWT. These filtered outcomes are returned in response to the question API name made by the appliance.
Stipulations
In an effort to comply with the steps on this put up, ensure you have the next:
Generate a JWT with a shared secret key
The next pattern Java code exhibits create a JWT with a shared secret key utilizing the open-source jsonwebtoken package deal. In manufacturing, you may be utilizing a safe authentication service supplier of your selection and based mostly in your necessities to generate JWTs.
We go the username and teams data as claims within the payload, signal the JWT with the shared secret, and generate a JWT particular for that consumer. Present a 256 bit string as your secret and retain the worth of the base64 URL encoded shared secret to make use of in a later step.
Create an Amazon Kendra index with a JWT shared secret
For directions on creating an Amazon Kendra index, confer with Creating an index. Be aware down the AWS Identity and Access Management (IAM) position that you just created through the course of. Present the position entry to the S3 bucket and Secrets and techniques Supervisor following the principle of least privilege. For instance insurance policies, confer with Example IAM identity-based policies. After you create the index, your Amazon Kendra console ought to appear to be the next screenshot.
Full the next steps so as to add your secret:
- On the Amazon Kendra console, navigate to the Person entry management tab in your index element web page.
- Select Edit settings.
- As a result of we’re implementing token-based entry management, choose Sure beneath Entry management settings.
- Underneath Token configuration, select JWT with shared secret for Token sort.
- For Sort of secret, select New.
- For Secret identify, enter
AmazonKendra-jwt-shared-secret
or any identify of your selection. - For Key ID, enter the important thing ID to match your JWT that you just created within the pattern Java code.
- For Algorithm, select the HS256 algorithm.
- For Shared secret, enter your retained base64 URL encoded secret generated from the Java code beforehand.
- Select Save secret.
The key will now be saved in Secrets and techniques Supervisor as a JSON Internet Key Set (JWKS). You possibly can find it on the Secrets and techniques Supervisor console. For extra particulars, confer with Using a JSON Web Token (JWT) with a shared secret.
- Broaden the Superior configuration part.
On this step, we arrange the consumer identify and teams that shall be extracted from JWT claims and matched with the ACL when the signature is legitimate.
- For Username¸ enter username.
- For Teams, enter teams.
- Depart the elective fields as default.
- Select Subsequent, then select Replace.
Put together your S3 bucket as an information supply
To organize an S3 bucket as an information supply, create an S3 bucket. Within the terminal with the AWS Command Line Interface (AWS CLI) or AWS CloudShell, run the next instructions to add the paperwork and metadata to the information supply bucket:
The paperwork being queried are saved in an S3 bucket. Every doc sort has a separate folder: blogs, case-studies, analyst-reports, user-guides, and white-papers. This folder construction is contained in a folder named Knowledge. Metadata information together with the ACLs are in a folder named Meta.
We use the Amazon Kendra S3 connector to configure this S3 bucket as the information supply. When the information supply is synced with the Amazon Kendra index, it crawls and indexes all paperwork in addition to collects the ACLs and doc attributes from the metadata information. To study extra about ACLs utilizing metadata information, confer with Amazon S3 document metadata. For this instance, we use the customized attribute DocumentType
to indicate the kind of the doc. After the add, your S3 bucket construction ought to appear to be the next screenshot.
To set the customized attribute DocumentType
, full the next steps:
- Select your Kendra index and select Side definition within the navigation pane.
- Select Add discipline.
- For Area identify, enter
DocumentType
. - For Knowledge sort, select String.
- Select Add.
Now you may ingest paperwork from the bucket you created to the Amazon Kendra index utilizing the S3 connector. For full directions, confer with Ingesting Documents through the Amazon Kendra S3 Connector.
- Within the Configure sync settings part, for Enter the information supply location, enter your S3 bucket (
s3://kendra-demo-bucket/
). - For Metadata information prefix folder location, enter
Meta/
. - Broaden Extra configuration.
- On the Embody patterns tab, for Prefix, enter
Knowledge/
.
For extra details about supported connectors, see Connectors.
- Select Subsequent, then Subsequent once more, then Replace.
- Anticipate the information supply to be created, then choose the information supply and select Sync now.
The information supply sync can take 10–quarter-hour to finish. When your sync is full, Final sync standing ought to present as Profitable.
Question an Amazon Kendra index
To run a take a look at question in your index, full the next steps:
- On the Amazon Kendra console, select Search listed content material within the navigation pane.
- Broaden Check question with an entry token.
- Select Apply token.
- We are able to generate a JWT for the consumer and group. On this instance, we create a JWT for the
AWS-SA
group. We change username as Mary and teams asAWS-SA
within the JWT era step. - Enter the generated token and select Apply.
Primarily based on the ACL, we must be outcomes from all of the folders: blogs, consumer guides, case research, analyst studies, and whitepapers.
Equally, when logged in as James from the AWS-Gross sales
group and passing the corresponding JWT, now we have entry to solely blogs, consumer guides, and case research.
We are able to additionally search the index as a visitor with out passing a token. The visitor is simply in a position to entry contents within the blogs folder.
Experiment utilizing different queries you may consider whereas logged in as completely different customers and teams and observe the outcomes.
Clear up
To keep away from incurring future prices, clear up the assets you created as a part of this resolution. To delete the Amazon Kendra index and S3 bucket created whereas testing the answer, confer with Cleanup. To delete the Secrets and techniques Supervisor secret, confer with Delete an AWS Secrets Manager secret.
Conclusion
On this put up, we noticed how Amazon Kendra can carry out safe searches that solely return search outcomes based mostly on consumer entry. With the addition of a JWT with a shared secret key, we will simply validate the id of particular person customers in addition to consumer teams who carry out searches. This related strategy might be prolonged to a JWT with a public key. To study extra, confer with Using a JSON Web Token (JWT) with a shared secret.
Concerning the Authors
Nitin Eusebius is a Sr. Enterprise Options Architect at AWS with over 18 years of expertise in Software program Engineering and Enterprise Structure. He works with clients on serving to them construct well-architected functions on the AWS platform. He’s obsessed with fixing know-how challenges and serving to clients with their cloud journey.
Kruthi Jayasimha Rao is a Associate Options Architect with a spotlight in AI and ML. She gives technical steering to AWS Companions in following greatest practices to construct safe, resilient, and extremely out there options within the AWS Cloud.
Ishaan Berry is a Software program Engineer at Amazon Internet Companies, engaged on Amazon Kendra, an enterprise search engine. He’s obsessed with safety and has labored on key elements of Kendra’s Entry Management options over the previous 2 years.
Akash Bhatia is a Principal Options architect with AWS. His present focus helps enterprise clients obtain their enterprise outcomes by way of architecting and implementing modern and resilient options at scale. He has been working in know-how for over 15 years at firms starting from Fortune 100 to start-ups in Manufacturing, Aerospace and Retail verticals.