AWS Machine Learning Blog, January 10
Email your conversations from Amazon Q

 

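This article describes how to integrate Amazon Q Business with Amazon SES so that Amazon Q conversations can be sent by email. Amazon Q Business is a generative AI assistant that provides question answering, summarization, and content generation based on the data in enterprise systems. With a custom plugin, Amazon Q can be extended to send email directly. The solution uses the Amazon SES email service and sends email through API Gateway and Lambda function calls. The article details the solution architecture and the deployment steps, including creating the Amazon Q application, configuring IAM Identity Center, creating the custom plugin, configuring AWS WAF, deploying the Lambda function, and configuring Amazon Cognito users, and provides detailed instructions for each.

💡 Amazon Q Business is extended with a custom plugin so that conversation content can be sent by email, using the Amazon SES email service.

⚙️ The solution architecture includes the Amazon Q Business application, IAM Identity Center, the custom plugin, API Gateway, a Lambda function, and Amazon SES; email is sent through API Gateway and Lambda function calls.

🔑 The deployment steps include creating the Amazon Q application, configuring IAM Identity Center, creating the custom plugin, configuring AWS WAF, deploying the Lambda function, and configuring Amazon Cognito users; documents must also be uploaded to Amazon S3.

✉️ Users authenticate through Amazon Cognito, the custom plugin passes the token to API Gateway, API Gateway invokes the Lambda function, and the Lambda function uses Amazon SES to send the email to the specified address.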

As organizations navigate the complexities of the digital realm, generative AI has emerged as a transformative force, empowering enterprises to enhance productivity, streamline workflows, and drive innovation. To maximize the value of insights generated by generative AI, it is crucial to provide simple ways for users to preserve and share these insights using commonly used tools such as email.

Amazon Q Business is a generative AI-powered assistant that can answer questions, provide summaries, generate content, and securely complete tasks based on data and information in your enterprise systems. It is redefining the way businesses approach data-driven decision-making, content generation, and secure task management. By using the custom plugin capability of Amazon Q Business, you can extend its functionality to support sending emails directly from Amazon Q applications, allowing you to store and share the valuable insights gleaned from your conversations with this powerful AI assistant.

Amazon Simple Email Service (Amazon SES) is an email service provider that provides a simple, cost-effective way for you to send and receive email using your own email addresses and domains. Amazon SES offers many email tools, including email sender configuration options, email deliverability tools, flexible email deployment options, sender and identity management, email security, email sending statistics, email reputation dashboard, and inbound email services.

This post explores how you can integrate Amazon Q Business with Amazon SES to email conversations to specified email addresses.

Solution overview

The following diagram illustrates the solution architecture.

The workflow includes the following steps:

    1. Create an Amazon Q Business application with an Amazon Simple Storage Service (Amazon S3) data source. Amazon Q uses Retrieval Augmented Generation (RAG) to answer user questions.
    2. Configure an AWS IAM Identity Center instance for your Amazon Q Business application environment with users and groups added. Amazon Q Business supports both organization- and account-level IAM Identity Center instances.
    3. Create a custom plugin that invokes an OpenAPI schema of the Amazon API Gateway API. This API sends emails to the users.
    4. Store OAuth information in AWS Secrets Manager and provide the secret information to the plugin.
    5. Provide AWS Identity and Access Management (IAM) roles to access the secrets in Secrets Manager.
    6. The custom plugin takes the user to an Amazon Cognito sign-in page. The user provides credentials to log in. After authentication, the user session is stored in the Amazon Q Business application for subsequent API calls.
    7. Post-authentication, the custom plugin will pass the token to API Gateway to invoke the API.
    8. You can help secure your API Gateway REST API from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks, using AWS WAF.
    9. AWS Lambda hosted in Amazon Virtual Private Cloud (Amazon VPC) internally calls the Amazon SES SDK.
    10. Lambda uses AWS Identity and Access Management (IAM) permissions to make an SDK call to Amazon SES.
    11. Amazon SES sends an email using SMTP to verified emails provided by the user.

In the following sections, we walk through the steps to deploy and test the solution. This solution is supported only in the us-east-1 AWS Region.

Prerequisites

Complete the following prerequisites:

    - Have a valid AWS account.
    - Enable an IAM Identity Center instance and capture the Amazon Resource Name (ARN) of the IAM Identity Center instance from the settings page.
    - Add users and groups to IAM Identity Center.
    - Have an IAM role in the account that has sufficient permissions to create the necessary resources. If you have administrator access to the account, no action is necessary.
    - Enable Amazon CloudWatch Logs for API Gateway. For more information, see How do I turn on CloudWatch Logs to troubleshoot my API Gateway REST API or WebSocket API?
    - Have two email addresses to send and receive emails that you can verify using the link sent to you. Do not use existing verified identities in Amazon SES for these email addresses. Otherwise, the AWS CloudFormation template will fail.
    - Have an Amazon Q Business Pro subscription to create Amazon Q apps.
    - Have the service-linked IAM role AWSServiceRoleForQBusiness. If you don’t have one, create it with the amazonaws.com service name.
    - Enable AWS CloudTrail logging for operational and risk auditing. For instructions, see Creating a trail for your AWS account.
    - Enable budget policy notifications to help protect from unwanted billing.

Deploy the solution resources

In this step, we use a CloudFormation template to deploy a Lambda function, configure the REST API, and create identities. Complete the following steps:

    1. Open the AWS CloudFormation console in the us-east-1 Region.
    2. Choose Create stack.
    3. Download the CloudFormation template and upload it under Specify template.
    4. Choose Next.
    5. For Stack name, enter a name (for example, QIntegrationWithSES).
    6. In the Parameters section, provide the following:
      - For IDCInstanceArn, enter your IAM Identity Center instance ARN.
      - For LambdaName, enter the name of your Lambda function.
      - For Fromemailaddress, enter the address to send email.
      - For Toemailaddress, enter the address to receive email.
    7. Choose Next.
    8. Keep the other values as default and select I acknowledge that AWS CloudFormation might create IAM resources under Capabilities.
    9. Choose Submit to create the CloudFormation stack.
    10. After the successful deployment of the stack, on the Outputs tab, make a note of the value for apiGatewayInvokeURL. You will need this later to create a custom plugin.

Verification emails will be sent to the Toemailaddress and Fromemailaddress values provided as input to the CloudFormation template.

    11. Verify the newly created email identities using the link in the email.

This post doesn’t cover auto scaling of Lambda functions. For more information about how to integrate Lambda with Application Auto Scaling, see AWS Lambda and Application Auto Scaling.

To configure AWS WAF on API Gateway, refer to Use AWS WAF to protect your REST APIs in API Gateway.

This is sample code, for non-production usage. You should work with your security and legal teams to meet your organizational security, regulatory, and compliance requirements before deployment.

Create Amazon Cognito users

This solution uses Amazon Cognito to authorize users to make a call to API Gateway. The CloudFormation template creates a new Amazon Cognito user pool.

Complete the following steps to create a user in the newly created user pool and capture information about the user pool:

    1. On the AWS CloudFormation console, navigate to the stack you created.
    2. On the Resources tab, choose the link next to the physical ID for CognitoUserPool.
    3. On the Amazon Cognito console, choose User management and users in the navigation pane.
    4. Choose Create user.
    5. Enter an email address and password of your choice, then choose Create user.
    6. In the navigation pane, choose Applications and app clients.
    7. Capture the client ID and client secret. You will need these later during custom plugin development.
    8. On the Login pages tab, copy the values for Allowed callback URLs. You will need these later during custom plugin development.
    9. In the navigation pane, choose Branding.
    10. Capture the Amazon Cognito domain. You will need this information to update OpenAPI specifications.

Upload documents to Amazon S3

This solution uses the fully managed Amazon S3 data source to seamlessly power a RAG workflow, eliminating the need for custom integration and data flow management.

For this post, we use sample articles to upload to Amazon S3. Complete the following steps:

    1. On the AWS CloudFormation console, navigate to the stack you created.
    2. On the Resources tab, choose the link for the physical ID of AmazonQDataSourceBucket.
    3. Upload the sample articles file to the S3 bucket. For instructions, see Uploading objects.

Add users to the Amazon Q Business application

Complete the following steps to add users to the newly created Amazon Q Business application:

    1. On the Amazon Q Business console, choose Applications in the navigation pane.
    2. Choose the application you created using the CloudFormation template.
    3. Under User access, choose Manage user access.
    4. On the Manage access and subscriptions page, choose Add groups and users.
    5. Select Assign existing users and groups, then choose Next.
    6. Search for your IAM Identity Center user group.
    7. Choose the group and choose Assign to add the group and its users.
    8. Make sure that the current subscription is Q Business Pro.
    9. Choose Confirm.

Sync Amazon Q data sources

To sync the data source, complete the following steps:

    1. On the Amazon Q Business console, navigate to your application.
    2. Choose Data Sources under Enhancements in the navigation pane.
    3. From the Data sources list, select the data source you created through the CloudFormation template.
    4. Choose Sync now to sync the data source.

It takes some time to sync with the data source. Wait until the sync status is Completed.

Create an Amazon Q custom plugin

In this section, you create the Amazon Q custom plugin for sending emails. Complete the following steps:

    1. On the Amazon Q Business console, navigate to your application.
    2. Under Enhancements in the navigation pane, choose Plugins.
    3. Choose Add plugin.
    4. Choose Create custom plugin.
    5. For Plugin name, enter a name (for example, email-plugin).
    6. For Description, enter a description.
    7. Select Define with in-line OpenAPI schema editor.

You can also upload API schemas to Amazon S3 by choosing Select from S3. That would be the best way to upload for production use cases.

Your API schema must have an API description, structure, and parameters for your custom plugin.

    8. Select JSON for the schema format.
    9. Enter the following schema, providing your API Gateway invoke URL and Amazon Cognito domain URL:

{
    "openapi": "3.0.0",
    "info": {
        "title": "Send Email API",
        "description": "API to send email from SES",
        "version": "1.0.0"
    },
    "servers": [
        {
            "url": "< API Gateway Invoke URL >"
        }
    ],
    "paths": {
        "/": {
            "post": {
                "summary": "send email to the user and returns the success message",
                "description": "send email to the user and returns the success message",
                "security": [
                    {
                        "OAuth2": [
                            "email/read"
                        ]
                    }
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/sendEmailRequest"
                            }
                        }
                    }
                },
                "responses": {
                    "200": {
                        "description": "Successful response",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/sendEmailResponse"
                                }
                            }
                        }
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "sendEmailRequest": {
                "type": "object",
                "required": [
                    "emailContent",
                    "toEmailAddress",
                    "fromEmailAddress"
                ],
                "properties": {
                    "emailContent": {
                        "type": "string",
                        "description": "Body of the email."
                    },
                    "toEmailAddress": {
                        "type": "string",
                        "description": "To email address."
                    },
                    "fromEmailAddress": {
                        "type": "string",
                        "description": "From email address."
                    }
                }
            },
            "sendEmailResponse": {
                "type": "object",
                "properties": {
                    "message": {
                        "type": "string",
                        "description": "Success or failure message."
                    }
                }
            }
        },
        "securitySchemes": {
            "OAuth2": {
                "type": "oauth2",
                "description": "OAuth2 authorization code flow.",
                "flows": {
                    "authorizationCode": {
                        "authorizationUrl": "<Cognito Domain>/oauth2/authorize",
                        "tokenUrl": "<Cognito Domain>/oauth2/token",
                        "scopes": {
                            "email/read": "read the email"
                        }
                    }
                }
            }
        }
    }
}

    10. Under Authentication, select Authentication required.
    11. For AWS Secrets Manager secret, choose Create and add new secret.
    12. In the Create an AWS Secrets Manager secret pop-up, enter the following values captured earlier from Amazon Cognito:
      - Client ID
      - Client secret
      - OAuth callback URL
    13. For Choose a method to authorize Amazon Q Business, leave the default selection as Create and use a new service role.
    14. Choose Add plugin to add your plugin.

Wait for the plugin to be created and the build status to show as Ready.

The maximum size of an OpenAPI schema in JSON or YAML is 1 MB.

To maximize accuracy with the Amazon Q Business custom plugin, follow the best practices for configuring OpenAPI schema definitions for custom plugins.
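
The schema above lets the chat request supply both fromEmailAddress and toEmailAddress, so the Lambda function behind API Gateway is the place to check them before calling Amazon SES. The following Python handler is an added example, not the code deployed by this post's CloudFormation template; the handler and allowlist names, the sample addresses, and the event shape (Lambda proxy integration with a Cognito user pool authorizer) are assumptions.

```python
import json
import re

# Assumptions, not from the original post: all names below, a Lambda proxy integration,
# and a Cognito authorizer exposing token claims at requestContext.authorizer.claims.
ALLOWED_SENDERS = {"sender@example.com"}     # constructed: the SES-verified From identity
ALLOWED_RECIPIENT_DOMAINS = {"example.com"}  # constructed: domains allowed to receive mail
REQUIRED_SCOPE = "email/read"                # scope declared in the plugin's OpenAPI schema
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def sample_event(scope, to, sender="sender@example.com"):
    # Constructed API Gateway proxy event for exercising the handler offline.
    body = {"emailContent": "summary", "toEmailAddress": to, "fromEmailAddress": sender}
    return {"requestContext": {"authorizer": {"claims": {"scope": scope}}},
            "body": json.dumps(body)}

def _response(status, message):
    return {"statusCode": status, "body": json.dumps({"message": message})}

def validate_request(event):
    """Return (fields, None) if the call is acceptable, else (None, (status, reason))."""
    authorizer = event.get("requestContext", {}).get("authorizer") or {}
    scopes = authorizer.get("claims", {}).get("scope", "").split()
    if REQUIRED_SCOPE not in scopes:
        return None, (403, "token lacks the email/read scope")
    try:
        body = json.loads(event.get("body") or "")
    except ValueError:
        return None, (400, "request body is not valid JSON")
    if not isinstance(body, dict):
        return None, (400, "request body must be a JSON object")
    fields = {}
    for name in ("emailContent", "toEmailAddress", "fromEmailAddress"):
        value = body.get(name)
        if not isinstance(value, str) or not value.strip():
            return None, (400, f"{name} is required")
        fields[name] = value.strip()
    # fullmatch rejects embedded CR/LF, so an address cannot smuggle extra headers.
    to_match = EMAIL_RE.fullmatch(fields["toEmailAddress"])
    if not to_match or to_match.group(1).lower() not in ALLOWED_RECIPIENT_DOMAINS:
        return None, (403, "recipient is not allowed")
    # The sender arrives in the chat request, so pin it to identities we own.
    if fields["fromEmailAddress"].lower() not in ALLOWED_SENDERS:
        return None, (403, "sender is not allowed")
    return fields, None

def lambda_handler(event, context, ses=None):
    fields, error = validate_request(event)
    if error:
        return _response(*error)
    if ses is None:
        import boto3  # imported lazily so the validation logic runs offline
        ses = boto3.client("ses")
    message = {"Subject": {"Data": "Amazon Q conversation"},
               "Body": {"Text": {"Data": fields["emailContent"]}}}
    ses.send_email(Source=fields["fromEmailAddress"], Message=message,
                   Destination={"ToAddresses": [fields["toEmailAddress"]]})
    return _response(200, "Email sent")
```

Rejected requests return before any SES call is made, so the 400 and 403 responses in the API Gateway access logs are a useful signal for attempts to redirect conversations to unapproved recipients.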

Test the solution

To test the solution, complete the following steps:

    1. On the Amazon Q Business console, navigate to your application.
    2. In the Web experience settings section, find the deployed URL.
    3. Open the web experience deployed URL.
    4. Use the credentials of the user created earlier in IAM Identity Center to log in to the web experience.
    5. Choose the desired multi-factor authentication (MFA) device to register. For more information, see Register an MFA device for users.
    6. After you log in to the web portal, choose the appropriate application to open the chat interface.
    7. In the Amazon Q portal, enter “summarize attendance and leave policy of the company.”

Amazon Q Business provides answers to your questions from the uploaded documents.

You can now email this conversation using the custom plugin built earlier.

    8. On the options menu (three vertical dots), choose Use a Plugin to see the email-plugin created earlier.
    9. Choose email-plugin and enter “Email the summary of this conversation.”
    10. Amazon Q will ask you to provide the email address to send the conversation. Provide the verified identity configured as part of the CloudFormation template.
    11. After you enter your email address, the authorization page appears. Enter your Amazon Cognito user email ID and password to authenticate and choose Sign in.

This step verifies that you’re an authorized user.

The email will be sent to the specified inbox.

You can further personalize the emails by using email templates.

Securing the solution

Security is a shared responsibility model between you and AWS and is described as security of the cloud vs. security in the cloud. Keep in mind the following best practices:

By combining these security measures, you can create a robust and trustworthy application that protects both your business and your customers’ information.

Clean up

To avoid incurring future charges, delete the resources that you created and clean up your account. Complete the following steps:

    1. Empty the contents of the S3 bucket that was created as part of the CloudFormation stack.
    2. Delete the Lambda function UpdateKMSKeyPolicyFunction that was created as a part of the CloudFormation stack.
    3. Delete the CloudFormation stack.
    4. Delete the identities in Amazon SES.
    5. Delete the Amazon Q Business application.

Conclusion

The integration of Amazon Q Business, a state-of-the-art generative AI-powered assistant, with Amazon SES, a robust email service provider, unlocks new possibilities for businesses to harness the power of generative AI. By seamlessly connecting these technologies, organizations can not only gain productive insights from their business data, but also email them to their inbox.

Ready to supercharge your team’s productivity? Empower your employees with Amazon Q Business today! Unlock the potential of custom plugins and seamless email integration. Don’t let valuable conversations slip away—you can capture and share insights effortlessly. Additionally, explore our library of built-in plugins.

Stay up to date with the latest advancements in generative AI and start building on AWS. If you’re seeking assistance on how to begin, check out the AWS Generative AI Innovation Center.


About the Authors

Sujatha Dantuluri is a seasoned Senior Solutions Architect in the US federal civilian team at AWS, with over two decades of experience supporting commercial and federal government clients. Her expertise lies in architecting mission-critical solutions and working closely with customers to ensure their success. Sujatha is an accomplished public speaker, frequently sharing her insights and knowledge at industry events and conferences. She has contributed to IEEE standards and is passionate about empowering others through her engaging presentations and thought-provoking ideas.

NagaBharathi Challa is a solutions architect supporting the Department of Defense team at AWS. She works closely with customers to effectively use AWS services for their mission use cases, providing architectural best practices and guidance on a wide range of services. Outside of work, she enjoys spending time with family and spreading the power of meditation.

Pranit Raje is a Solutions Architect in the AWS India team. He works with ISVs in India to help them innovate on AWS. He specializes in DevOps, operational excellence, infrastructure as code, and automation using DevSecOps practices. Outside of work, he enjoys going on long drives with his beloved family, spending time with them, and watching movies.

Dr Anil Giri is a Solutions Architect at Amazon Web Services. He works with enterprise software and SaaS customers to help them build generative AI applications and implement serverless architectures on AWS. His focus is on guiding clients to create innovative, scalable solutions using cutting-edge cloud technologies.
