Can Quick Index be isolated for multi-tenancy?

We are planning to use Namespaces to isolate users from different clients. Now with the new AI features like spaces and deep research, we are worried that data in the Quick Index from one customer can be queried by another customer.

How can we ensure isolated Quick Indexes between our customers? Can we do this within one account or do we have to create a separate AWS account for each customer?

Hi @JanoschPeters and welcome to the Quick Community!
As security is always one of the driving factors as new features get implemented, namespaces are designed specifically for this requirement and they extend through the new Agentic AI features. As namespaces operate at the permissions level, they block all users from accessing information outside of their own namespace, unless provided with the proper permissions.

This can all be done within one account, no need to create separate accounts for each customer.

I’ve also included some additional information about namespaces and how they can be used to set up multitenancy!

Hi @Brett, thanks for your response.

I’d like to follow up on a couple of points. First, the Q index doesn’t appear to be mentioned anywhere in the article you linked to. Second, the page Creating an Amazon Q index on behalf of a customer states that a shared Amazon Q Business application environment is only recommended when indexing documents that are visible to all users — which suggests the Q index is shared across all users regardless of namespaces. This is what the docs say:

We recommend creating one Amazon Q Business application environment per customer for better security and data segregation. Alternatively, you can create one Amazon Q Business application environment and share it with multiple customers. This is only recommended when you index documents that are visible to all users in your application.

If that’s the case, creating a separate account per customer would significantly increase our AWS costs, which is a concern for us.

Could someone from AWS clarify whether namespace-level index isolation is supported, or confirm the recommended architecture for multi-tenant setups?

Hi @JanoschPeters,

I understand how confusion could arise from this situation; the naming conventions are not always the clearest. However, one thing to keep in mind is that Q Business is a completely separate environment from Quick Suite. It has its own index setup.
The documentation you shared is specifically referring to Q Business. The Quick Index feature that handles Quick Suite respects all existing QuickSight security models, which includes the separation of assets between namespaces.

This is a public-facing forum, mostly operated by other users; so the footprint by AWS team members is fairly small. If you’d like to get in contact directly with AWS, you can try creating a support ticket: