# Data protection in Amazon Q Business

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Amazon Q Business. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with Amazon Q or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

# Data encryption for Amazon Q Business

Amazon Q Business encrypts data at rest with a customer managed symmetric AWS KMS key when you supply one, and with an AWS owned AWS KMS key otherwise. Amazon Q Business also uses the HTTPS protocol for data in transit.

**Important**  
Amazon Q does not support asymmetric KMS keys. For more information, see [Using Symmetric and Asymmetric Keys](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide*.

**Topics**
+ [Encryption at rest](#encryption-rest)
+ [Encryption in transit](#encryption-transit)

## Encryption at rest


Amazon Q Business provides encryption by default to protect sensitive customer data at rest using AWS owned encryption keys. Sensitive customer data includes both the questions and answers in the Amazon Q Business web experience and the documents uploaded to an Amazon Q Business index.

Amazon Q Business uses the questions and answers to understand the conversation context and to provide you with the best answer. The conversation data is automatically removed once the conversation is deleted or becomes inactive. For more information, see [Conversation management](using-web-experience.md#conversation-mgmt). Amazon Q Business retrieves the uploaded documents at runtime to answer your questions.
+ **AWS owned keys** – Amazon Q Business uses these keys by default to automatically encrypt sensitive customer data. You can't view, manage, or use AWS owned keys, or audit their use. However, you don't have to take any action or change any programs to protect the keys that encrypt your data. For more information, see [AWS owned keys](https://docs.aws.amazon.com//kms/latest/developerguide/concepts.html#aws-owned-cmk) in the *AWS Key Management Service Developer Guide*. 

  Encryption of data at rest by default helps reduce the operational overhead and complexity involved in protecting sensitive data. At the same time, it enables you to build secure applications that meet strict encryption compliance and regulatory requirements. 

  While you can't disable this layer of encryption or select an alternate encryption type, you can add a second layer of encryption over the existing AWS owned encryption keys by choosing a customer managed key when you create your resources:
+ **AWS KMS key (KMS)** – Amazon Q supports the use of symmetric customer managed keys that you create, own, and manage to add a second layer of encryption over the existing AWS owned encryption.

  In Amazon Q Business, you configure KMS keys when you create an Amazon Q Business application environment. The same KMS key is used to encrypt data for the application environment you create and any child resources under the application environment (for example, an Amazon Q Business index). However, KMS keys are not supported for the Amazon Q Business Starter index. So, if you use a KMS key with your application environment, you won't be able to use an Amazon Q Business Starter index for it. To use KMS keys, you must choose either an Amazon Q Business Enterprise index or an Amazon Kendra retriever for your application environment.

**Important**  
Amazon Q does not support asymmetric KMS keys. For more information, see [Using Symmetric and Asymmetric Keys](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide*.

Because you have full control of this layer of encryption, you can perform such tasks as:
+ Establishing and maintaining key policies
+ Establishing and maintaining IAM policies and grants
+ Enabling and disabling key policies
+ Rotating key cryptographic material
+ Adding tags
+ Creating key aliases
+ Scheduling keys for deletion

For more information, see [customer managed key](https://docs.aws.amazon.com//kms/latest/developerguide/concepts.html#customer-cmk) in the *AWS Key Management Service Developer Guide*.

**Note**  
If you created your Amazon Q Business application environment without a customer managed key (CMK) and later want to migrate to one, you must re-create your application environment.

**Topics**
+ [How Amazon Q Business uses grants in AWS KMS](#using-grants-kms)
+ [Create a customer managed key](#create-cmk)
+ [Specifying customer managed key for Amazon Q Business](#specify-cmk)
+ [Monitoring your encryption keys for Amazon Q](#monitoring-cmk-key)

### How Amazon Q Business uses grants in AWS KMS


Amazon Q Business requires a [grant](https://docs.aws.amazon.com//kms/latest/developerguide/grants.html) to use your customer managed key. When you create an Amazon Q Business application environment resource encrypted with a customer managed key, Amazon Q creates a grant on your behalf by sending a [CreateGrant](https://docs.aws.amazon.com//kms/latest/APIReference/API_CreateGrant.html) request to AWS KMS. Grants in AWS KMS are used to give Amazon Q Business access to a KMS key in a customer account.

Amazon Q Business requires the grant to use your customer managed key for the following internal operations:
+ Send [DescribeKey](https://docs.aws.amazon.com//kms/latest/APIReference/API_DescribeKey.html) requests to AWS KMS to verify that the symmetric customer managed key ID entered when creating the application environment is valid.
+ Send [GenerateDataKeyWithoutPlaintext](https://docs.aws.amazon.com//kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html) requests to AWS KMS to generate data keys encrypted by your customer managed key.
+ Send [Decrypt](https://docs.aws.amazon.com//kms/latest/APIReference/API_Decrypt.html) requests to AWS KMS to decrypt the encrypted data keys so that they can be used to encrypt your data.

You can revoke access to the grant, or remove the service's access to the customer managed key at any time. If you do, Amazon Q Business won't be able to access any of the data encrypted by the customer managed key, which affects operations that are dependent on that data.

### Create a customer managed key


You can create a symmetric customer managed key by using the AWS Management Console, or the AWS KMS APIs.

**Important**  
Amazon Q does not support asymmetric KMS keys. For more information, see [Using Symmetric and Asymmetric Keys](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide*.

**To create a symmetric customer managed key**

Follow the steps for [Creating symmetric customer managed key](https://docs.aws.amazon.com//kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *AWS Key Management Service Developer Guide*.

**Key policy**

Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify a key policy. For more information, see [Managing access to customer managed keys](https://docs.aws.amazon.com//kms/latest/developerguide/control-access-overview.html#managing-access) in the *AWS Key Management Service Developer Guide*.

To use your customer managed key with your Amazon Q Business resources, the following API operations must be permitted in the key policy:
+ [kms:CreateGrant](https://docs.aws.amazon.com//kms/latest/APIReference/API_CreateGrant.html) – Adds a grant to a customer managed key. Grants control access to a specified KMS key, which allows access to the [grant operations](https://docs.aws.amazon.com//kms/latest/developerguide/grants.html#terms-grant-operations) Amazon Q Business requires. For more information, see [Using Grants](https://docs.aws.amazon.com//kms/latest/developerguide/grants.html) in the *AWS Key Management Service Developer Guide*.

  This allows Amazon Q Business to do the following:
  + Call `GenerateDataKeyWithoutPlaintext` to generate an encrypted data key and store it, because the data key isn't immediately used to encrypt.
  + Call `Decrypt` to use the stored encrypted data key to access encrypted data.
  + Set up a retiring principal to allow the service to `RetireGrant`.
+ [kms:DescribeKey](https://docs.aws.amazon.com//kms/latest/APIReference/API_DescribeKey.html) – Provides the customer managed key details to allow Amazon Q to validate the key.

The following are policy statement examples you can add for Amazon Q Business:

```
"Statement": [
    {
        "Sid": "Allow access to principals authorized to use Amazon Q",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::111122223333:role/Admin"
        },
        "Action": [
            "kms:DescribeKey",
            "kms:CreateGrant"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "kms:ViaService": "qbusiness.region.amazonaws.com",
                "kms:CallerAccount": "111122223333"
            }
        }
    },
    {
        "Sid": "Allow access for key administrators",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::111122223333:root"
        },
        "Action": [
            "kms:*"
        ],
        "Resource": "arn:aws:kms:region:111122223333:key/key_ID"
    },
    {
        "Sid": "Allow read-only access to key metadata to the account",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::111122223333:root"
        },
        "Action": [
            "kms:Describe*",
            "kms:Get*",
            "kms:List*",
            "kms:RevokeGrant"
        ],
        "Resource": "*"
    }
]
```

For more information about [specifying permissions in a policy](https://docs.aws.amazon.com//kms/latest/developerguide/control-access-overview.html#overview-policy-elements) and [troubleshooting key access](https://docs.aws.amazon.com//kms/latest/developerguide/policy-evaluation.html#example-no-iam), see the *AWS Key Management Service Developer Guide*.
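To check a key policy against these requirements before attaching it, here is an added Python example (not code from the AWS documentation) that lints a parsed policy document. It treats the account root as the key administrator and assumes the `kms:ViaService` value follows the page's `qbusiness.region.amazonaws.com` form; the weakened `OPEN_STATEMENT` is constructed for comparison.

```python
"""Lint an AWS KMS key policy for the access Amazon Q Business needs.

Added example, not code from the AWS documentation. It checks that the policy
allows kms:CreateGrant and kms:DescribeKey, that non-root principals holding
kms:CreateGrant are limited by kms:ViaService and kms:CallerAccount as in the
page's example, and that neither action is open to an anonymous principal.
"""
import fnmatch

REQUIRED_ACTIONS = {"kms:CreateGrant", "kms:DescribeKey"}
# The page's condition value is "qbusiness.region.amazonaws.com" with "region"
# as a placeholder, so any region is accepted here.
VIA_SERVICE_PATTERN = "qbusiness.*.amazonaws.com"


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element to a list of principal strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    out = []
    for values in principal.values():
        out.extend(_as_list(values))
    return out


def lint_key_policy(policy):
    """Return (granted_required_actions, findings) for a parsed key policy."""
    granted, findings = set(), []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names match case-insensitively and allow '*' wildcards.
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        covered = {a for a in REQUIRED_ACTIONS
                   if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        if not covered:
            continue
        granted |= covered
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principals(stmt)
        if "*" in principals:
            findings.append(f"{sid}: grants {sorted(covered)} to an anonymous principal")
        # Key administrators (the account root) legitimately hold kms:* without a
        # service condition; any other principal should be limited to Amazon Q Business.
        if "kms:CreateGrant" in covered and not all(p.endswith(":root") for p in principals):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            via = _as_list(cond.get("kms:ViaService"))
            if not any(fnmatch.fnmatchcase(v, VIA_SERVICE_PATTERN) for v in via):
                findings.append(f"{sid}: kms:CreateGrant is not limited by kms:ViaService")
            if "kms:CallerAccount" not in cond:
                findings.append(f"{sid}: kms:CreateGrant is not limited by kms:CallerAccount")
    for action in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"no Allow statement grants {action}")
    return granted, findings


# The page's first two statements, plus a weakened variant (constructed) that
# grants the same actions to everyone with no condition.
PAGE_STATEMENT = {
    "Sid": "Allow access to principals authorized to use Amazon Q",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/Admin"},
    "Action": ["kms:DescribeKey", "kms:CreateGrant"],
    "Resource": "*",
    "Condition": {"StringEquals": {"kms:ViaService": "qbusiness.region.amazonaws.com",
                                   "kms:CallerAccount": "111122223333"}},
}
ADMIN_STATEMENT = {
    "Sid": "Allow access for key administrators",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["kms:*"],
    "Resource": "arn:aws:kms:region:111122223333:key/key_ID",
}
OPEN_STATEMENT = {"Sid": "Open grant permission", "Effect": "Allow", "Principal": "*",
                  "Action": ["kms:CreateGrant", "kms:DescribeKey"], "Resource": "*"}


def policy(*statements):
    """Build a complete key policy document from statements."""
    return {"Version": "2012-10-17", "Statement": list(statements)}
```

Run `lint_key_policy(policy(PAGE_STATEMENT, ADMIN_STATEMENT))` to see the page's statements pass cleanly, and `lint_key_policy(policy(OPEN_STATEMENT))` to see the three findings an unscoped statement produces.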

### Specifying customer managed key for Amazon Q Business


You can specify a customer managed key as a second layer of encryption for your Amazon Q Business application environment resource.

When you create your application environment, you can specify the data key by entering a **KMS ID**, which Amazon Q Business uses to encrypt the identifiable personal data stored by the application environment.

**KMS ID** – A [key identifier](https://docs.aws.amazon.com//kms/latest/developerguide/concepts.html#key-id) for an AWS KMS customer managed key. Enter a key ID, key ARN, alias name, or alias ARN.

Any resources you create under your Amazon Q Business application environment will be encrypted with the same key.

### Monitoring your encryption keys for Amazon Q


When you use an AWS KMS customer managed key with your Amazon Q Business resources, you can use [AWS CloudTrail](https://docs.aws.amazon.com//awscloudtrail/latest/userguide/cloudtrail-user-guide.html) or [Amazon CloudWatch Logs](https://docs.aws.amazon.com//AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) to track requests that Amazon Q Business sends to AWS KMS.

The following examples are AWS CloudTrail events for `CreateGrant`, `GenerateDataKey`, `Decrypt`, and `DescribeKey` to monitor KMS operations called by Amazon Q Business to access data encrypted by your customer managed key.

------
#### [ CreateGrant ]

When you use an AWS KMS customer managed key to encrypt your application environment, Amazon Q sends a `CreateGrant` request on your behalf to access the KMS key in your AWS account. The grants that Amazon Q Business creates are specific to the resource associated with the AWS KMS customer managed key. In addition, Amazon Q Business uses the `RetireGrant` operation to remove a grant when you delete a resource.

The following example event records the `CreateGrant` operation:

```
{
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
            "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
            "accountId": "111122223333",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
                    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
                    "accountId": "111122223333",
                    "userName": "Admin"
                },
                "webIdFederationData": {},
                "attributes": {
                    "mfaAuthenticated": "false",
                    "creationDate": "2021-04-22T17:02:00Z"
                }
            },
            "invokedBy": "qbusiness.amazonaws.com"
        },
        "eventTime": "2021-04-22T17:07:02Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "CreateGrant",
        "awsRegion": "us-west-2",
        "sourceIPAddress": "172.12.34.56",
        "userAgent": "ExampleDesktop/1.0 (V1; OS)",
        "requestParameters": {
            "retiringPrincipal": "qbusiness.region.amazonaws.com",
            "operations": [
                "CreateGrant",
                "RetireGrant",
                "GenerateDataKey",
                "GenerateDataKeyWithoutPlaintext",
                "Encrypt",
                "ReEncryptTo",
                "ReEncryptFrom",
                "Decrypt",
                "DescribeKey"
            ],
            "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
            "granteePrincipal": "qbusiness.region.amazonaws.com"
        },
        "responseElements": {
            "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE"
        },
        "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
        "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
        "readOnly": false,
        "resources": [
            {
                "accountId": "111122223333",
                "type": "AWS::KMS::Key",
                "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
            }
        ],
        "eventType": "AwsApiCall",
        "managementEvent": true,
        "eventCategory": "Management",
        "recipientAccountId": "111122223333"
    }
```

------
#### [ GenerateDataKey ]

When you use an AWS KMS customer managed key for your application environment, Amazon Q Business creates a unique table key. It sends a `GenerateDataKey` request to AWS KMS that specifies the AWS KMS customer managed key for the application environment.

The following example event records the `GenerateDataKey` operation:

```
{
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "AWSService",
            "invokedBy": "qbusiness.amazonaws.com"
        },
        "eventTime": "2023-11-24T01:50:25Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "GenerateDataKey",
        "awsRegion": "us-west-2",
        "sourceIPAddress": "172.12.34.56",
        "userAgent": "ExampleDesktop/1.0 (V1; OS)",
        "requestParameters": {
            "keyId": "arn:aws:kms:us-west-2:398547360552:key/ba6c9092-ad4d-41c3-937a-f02177ae147e",
            "keySpec": "AES_256"
        },
        "responseElements": null,
        "requestID": "4bd8e018-90d0-4b93-bc8d-32338578a158",
        "eventID": "aca6cb5b-44bb-3ed6-afdd-736432323356",
        "readOnly": true,
        "resources": [
            {
                "accountId": "111122223333",
                "type": "AWS::KMS::Key",
                "ARN": "arn:aws:kms:us-west-2:398547360552:key/ba6c9092-ad4d-41c3-937a-f02177ae147e"
            }
        ],
        "eventType": "AwsApiCall",
        "managementEvent": true,
        "recipientAccountId": "398547360552",
        "sharedEventID": "57393866-c398-4fd6-a259-d6cb001c7cf9",
        "eventCategory": "Management"
    }
```

------
#### [ Decrypt ]

When you access an encrypted application environment, Amazon Q Business calls the `Decrypt` operation to use the stored encrypted data key to access the encrypted data.

The following example event records the `Decrypt` operation.

```
{
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "AWSService",
            "invokedBy": "qbusiness.amazonaws.com"
        },
        "eventTime": "2021-04-22T17:10:51Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "awsRegion": "us-west-2",
        "sourceIPAddress": "172.12.34.56",
        "userAgent": "ExampleDesktop/1.0 (V1; OS)",
        "requestParameters": {
            "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
            "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
        },
        "responseElements": null,
        "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
        "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
        "readOnly": true,
        "resources": [
            {
                "accountId": "111122223333",
                "type": "AWS::KMS::Key",
                "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
            }
        ],
        "eventType": "AwsApiCall",
        "managementEvent": true,
        "eventCategory": "Management",
        "recipientAccountId": "111122223333",
        "sharedEventID": "dc129381-1d94-49bd-b522-f56a3482d088"
    }
```

------
#### [ DescribeKey ]

Amazon Q Business uses the `DescribeKey` operation to verify that the AWS KMS customer managed key associated with your application environment exists in the account and Region.

The following example event records the `DescribeKey` operation:

```
{
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
            "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
            "accountId": "111122223333",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
                    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
                    "accountId": "111122223333",
                    "userName": "Admin"
                },
                "webIdFederationData": {},
                "attributes": {
                    "mfaAuthenticated": "false",
                    "creationDate": "2021-04-22T17:02:00Z"
                }
            },
            "invokedBy": "qbusiness.amazonaws.com"
        },
        "eventTime": "2021-04-22T17:07:02Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "DescribeKey",
        "awsRegion": "us-west-2",
        "sourceIPAddress": "172.12.34.56",
        "userAgent": "ExampleDesktop/1.0 (V1; OS)",
        "requestParameters": {
            "keyId": "00dd0db0-0000-0000-ac00-b0c000SAMPLE"
        },
        "responseElements": null,
        "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
        "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
        "readOnly": true,
        "resources": [
            {
                "accountId": "111122223333",
                "type": "AWS::KMS::Key",
                "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
            }
        ],
        "eventType": "AwsApiCall",
        "managementEvent": true,
        "eventCategory": "Management",
        "recipientAccountId": "111122223333"
    }
```

------
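As an added example (not part of the AWS documentation), the following Python triage runs over CloudTrail records shaped like the events above: it learns which keys the service uses, summarises the KMS operations per service principal, checks `CreateGrant` grantees and grant operations, and flags other principals revoking grants or disabling those keys. The `qapps.amazonaws.com` service principal and the sample records are assumptions constructed for the example.

```python
"""Triage CloudTrail records of KMS calls made for Amazon Q Business.

Added example, not code from the AWS documentation. From CloudTrail records
like the ones on this page it learns which KMS keys Amazon Q Business (and
Q Apps) use, summarises the operations per service principal, flags CreateGrant
calls with an unexpected grantee or grant operations, and flags any other
principal revoking grants or disabling those keys, which cuts off the service.
"""

KMS_SOURCE = "kms.amazonaws.com"
# "qbusiness" is the service principal seen in the page's events; "qapps" is
# assumed from the page's mention of a separate grant for Q Apps.
EXPECTED_SERVICES = {"qbusiness", "qapps"}
EXPECTED_INVOKERS = {s + ".amazonaws.com" for s in EXPECTED_SERVICES}
# Grant operations listed in the page's CreateGrant event.
EXPECTED_GRANT_OPS = {"CreateGrant", "RetireGrant", "GenerateDataKey",
                      "GenerateDataKeyWithoutPlaintext", "Encrypt", "ReEncryptTo",
                      "ReEncryptFrom", "Decrypt", "DescribeKey"}
# KMS operations that remove the access the service depends on.
ACCESS_REMOVING = {"RevokeGrant", "RetireGrant", "DisableKey", "ScheduleKeyDeletion"}


def _key_of(rec):
    """Prefer the key ARN in 'resources'; DescribeKey may log only a bare key ID."""
    for res in rec.get("resources", []):
        if res.get("type") == "AWS::KMS::Key":
            return res.get("ARN")
    return rec.get("requestParameters", {}).get("keyId")


def _is_expected_service(principal):
    """Accept 'qbusiness.amazonaws.com' and regional forms like 'qbusiness.region.amazonaws.com'."""
    return principal.split(".")[0] in EXPECTED_SERVICES and principal.endswith(".amazonaws.com")


def triage(records):
    """Return (keys_used, summary, alerts) for a list of CloudTrail records."""
    kms = [r for r in records if r.get("eventSource") == KMS_SOURCE]
    keys_used, summary, alerts = set(), {}, []
    for rec in kms:
        invoker = rec.get("userIdentity", {}).get("invokedBy")
        if invoker not in EXPECTED_INVOKERS:
            continue
        key, name = _key_of(rec), rec.get("eventName")
        keys_used.add(key)
        summary.setdefault(invoker, set()).add(name)
        if name == "CreateGrant":
            params = rec.get("requestParameters", {})
            grantee = params.get("granteePrincipal", "")
            if not _is_expected_service(grantee):
                alerts.append(f"CreateGrant on {key}: unexpected grantee {grantee!r}")
            extra = set(params.get("operations", [])) - EXPECTED_GRANT_OPS
            if extra:
                alerts.append(f"CreateGrant on {key}: unexpected grant operations {sorted(extra)}")
    # Second pass: anyone other than the service removing the access it relies on.
    for rec in kms:
        ident = rec.get("userIdentity", {})
        if ident.get("invokedBy") in EXPECTED_INVOKERS:
            continue
        name, key = rec.get("eventName"), _key_of(rec)
        if name in ACCESS_REMOVING and key in keys_used:
            alerts.append(f"{name} on {key} by {ident.get('arn', '<unknown>')}: "
                          "Amazon Q Business will lose access to data under this key")
    return keys_used, {k: sorted(v) for k, v in summary.items()}, alerts


KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
# Constructed records, trimmed to the fields triage() reads, modelled on the
# page's CreateGrant and Decrypt events plus one RevokeGrant by an IAM user.
SAMPLE_RECORDS = [
    {"eventSource": KMS_SOURCE, "eventName": "CreateGrant",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "qbusiness.amazonaws.com",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01"},
     "requestParameters": {"keyId": KEY_ARN, "operations": sorted(EXPECTED_GRANT_OPS),
                           "granteePrincipal": "qbusiness.region.amazonaws.com"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventSource": KMS_SOURCE, "eventName": "Decrypt",
     "userIdentity": {"type": "AWSService", "invokedBy": "qbusiness.amazonaws.com"},
     "requestParameters": {"keyId": KEY_ARN, "encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventSource": KMS_SOURCE, "eventName": "RevokeGrant",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/Sampleuser02"},
     "requestParameters": {"keyId": KEY_ARN, "grantId": "EXAMPLEGRANTID"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser"}, "requestParameters": {}},
]
```

Calling `triage(SAMPLE_RECORDS)` returns the one key, a summary of the service's `CreateGrant` and `Decrypt` calls, and a single alert for the `RevokeGrant` issued by the IAM user.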

## Encryption in transit


Amazon Q Business uses the HTTPS protocol to communicate with your client application environment. It uses HTTPS and AWS Signature Version 4 (SigV4) to communicate with other services on your application environment's behalf. 

**Topics**
+ [Data encryption for Amazon Q Business](data-encryption.md)
+ [Data encryption for Q Apps](data-encryption-qapps.md)
+ [Key management](key-management.md)
+ [Cross-region inference in Amazon Q Business](cross-region-inference.md)
+ [Amazon Q Business Service improvement](service-improvement.md)

# Data encryption for Q Apps


Q Apps stores the following data:
+ Title and description of the Q Apps.
+ Titles of the individual cards.
+ Prompts the builders may specify for the “Text output” cards.
+ Any files uploaded as default values for “File upload” cards.
+ The data that users put into the “Text input” cards when running the Q Apps.
+ Any files uploaded by users when running the Q Apps.

When you create an Amazon Q Business "application" as the application environment for Q Apps after April 30th 2024, Q Apps will be enabled out of the box. If a customer managed key is not configured, then Q Apps encrypts all the above data using AWS-owned keys. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the *AWS Key Management Service Developer Guide*.

**Note**  
If you configure a customer managed key when creating an Amazon Q Business application environment, then Q Apps uses the same customer managed key to encrypt all of the above data in Q Apps as well.

Q Apps requires a grant to use your customer managed key. When you create an Amazon Q Business application environment resource encrypted with a customer managed key, Q Apps creates a grant on your behalf by sending a `CreateGrant` request to AWS KMS. Grants in AWS KMS are used to give Q Apps access to a KMS key in a customer account.

Q Apps requires the grant to use your customer managed key for the following internal operations:
+ Send `DescribeKey` requests to AWS KMS to verify that the symmetric customer managed key ID entered when creating the application environment is valid.
+ Send `GenerateDataKeyWithoutPlaintext` requests to AWS KMS to generate data keys encrypted by your customer managed key.
+ Send `Decrypt` requests to AWS KMS to decrypt the encrypted data keys so that they can be used to encrypt your data.

You can revoke access to the grant, or remove the service's access to the customer managed key at any time. If you do, Q Apps won't be able to access any of the data encrypted by the customer managed key, which affects operations that are dependent on that data.

**Note**  
Q Apps has a different service principal and Q Apps creates a different grant from the grant created for "Amazon Q Business". You can specifically revoke access to the grant for "Q Apps" without revoking access to the grant for "Amazon Q Business" or vice versa.

**Enabling Q Apps on Q applications created before April 30th 2024**

If you have already configured an Amazon Q Business application environment to use a customer managed key, then when you enable the Q Apps feature in the web experience for the first time, under the global controls, a new grant is created on the same customer managed key you specified when configuring data encryption for Amazon Q Business.

Note that disabling Q Apps in the web experience will not automatically revoke this grant, because administrators can still list and delete Q Apps in the admin console even though the Q Apps web experience is disabled. But if you delete the Amazon Q Business application environment altogether, then both grants, to `qbusiness` and to `qapps`, are revoked.

You can always revoke access to both the grants or remove access to the customer managed key at any time.

# Key management


Amazon Q Business encrypts the contents of your index using the following types of keys:
+ An AWS-owned AWS KMS key. This is the default.
+ A customer-managed KMS key. You can create the key when you are creating an Amazon Q Business application environment, retriever, index, web experience, data source, or plugin, or you can create the key using the AWS KMS console. Select a symmetric encryption customer-managed KMS key.

  **Important**  
  Amazon Q does not support asymmetric KMS keys. For more information, see [Using Symmetric and Asymmetric Keys](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide*.

# Cross-region inference in Amazon Q Business

With cross-region inference, Amazon Q Business will automatically select the optimal region within your geography (as described in more detail below) to process your inference request, maximizing available compute resources and model availability, and providing the best customer experience. With cross-region inference, you get:
+ Complete access to the most advanced Amazon Q Business AI capabilities and features
+ Access to a variety of models suitable for different tasks
+ Improved performance for all your applications

Cross-region inference requests are kept within the AWS Regions that are part of the geography where the data originally resides. For example, a request made within the US is kept within the AWS Regions in the US. Although the data remains stored only in the primary region, when using cross-region inference, your input prompts and output results may move outside of your primary region. All data will be transmitted encrypted across Amazon's secure network.

**Important**  
Cross-region inference is enabled by default for Amazon Q Business applications. For customers with highly regulated workloads that need to keep data processing resident in-country, contact [AWS Support](https://aws.amazon.com/contact-us/).

**Note**  
There's no additional cost for using cross-region inference.  
Amazon CloudWatch and AWS CloudTrail logs won't specify the AWS Region in which data inference occurs.

## Supported regions for Amazon Q Business cross-region inference

For a list of Region codes and endpoints supported in Amazon Q Business, see [Amazon Q Business endpoints and quotas](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/quotas-regions.html#regions).


| Supported Amazon Q Business geography | Inference regions |
| --- | --- |
| United States | US East (N. Virginia) (us-east-1), US West (Oregon) (us-west-2) |
| Europe | Europe (Frankfurt) (eu-central-1), Europe (Ireland) (eu-west-1), Europe (Paris) (eu-west-3) |
| Australia | Asia Pacific (Tokyo) (ap-northeast-1), Asia Pacific (Seoul) (ap-northeast-2), Asia Pacific (Osaka) (ap-northeast-3), Asia Pacific (Mumbai) (ap-south-1), Asia Pacific (Singapore) (ap-southeast-1), Asia Pacific (Sydney) (ap-southeast-2) |

# Amazon Q Business Service improvement

Amazon Q Business does not use customer data for service improvement or for improving underlying LLMs.