Yoshiki Fujiwara(藤原善基)@AWS Community Builder for AWS Community Builders

Posted on Jun 21

Amazon Quick Agentic Workspace Powered by FSx for ONTAP S3 Access Points — Phase 17

#aws #amazonquick #amazonfsxfornetappontap #s3accesspoints

TL;DR

UC30 bridges the gap between file-based business data and AI-powered actions. Business users maintain structured and unstructured data on an FSx for ONTAP SMB share, while Amazon Quick Suite (Index / Sight / Flows) consumes it through S3 Access Points and a serverless Action API — providing search, BI, and governed action workflows from a single workspace.

Where UC29 focuses on "self-service knowledge ingestion into Bedrock KB," UC30 focuses on unifying search, analytics, and action execution behind Quick Suite's agentic interface.

New in this release: generate_brief_with_web action augments internal context with real-time web search results via AgentCore Web Search Tool (GA June 2026), enabling briefs that combine primary internal data with current public context.

Repository: github.com/Yoshiki0705/FSx-for-ONTAP-S3AccessPoints-Serverless-Patterns (see solutions/genai/quick-agentic-workspace/ and samconfig.toml.example)

Quick Suite × S3 AP Data Mapping

Quick Feature	Role	S3 AP Data	Implementation
Quick Index / Research	Unstructured file search	`index/<role>/` (md/pdf)	S3 AP as data source
Quick Sight	Structured BI & visualization	`analytics/<role>/` (csv)	Glue/Athena (Athena Query Lambda)
Quick Flows	Action automation	`flows/<role>/` (json)	Action API (API Gateway + Lambda + Bedrock)
Quick Flows + Web	Web-augmented briefs	`flows/<role>/` + web	Action API + AgentCore Web Search (opt-in)

Seven roles (sales / marketing / finance / IT / operations / legal / developers) share the same AI-dedicated volume — reusable from UC29.

Design note: FSx for ONTAP S3 Access Points are useful as an integration boundary, but they do not remove the need to validate each consuming service connector. The access path combines S3/IAM policy evaluation with file-system-level identity authorization.

Architecture

Amazon Quick Suite provides a unified workspace — search (Index), BI (Sight), and action automation (Flows) — powered by FSx for ONTAP data via S3 Access Points.

Windows Explorer (drag & drop into quick-workspace/ SMB share)
  ├── index/<role>/ → Quick Index (unstructured search)
  ├── analytics/<role>/ → Glue/Athena → Quick Sight (BI)
  └── flows/<role>/ → Action API → Quick Flows (actions)

Action API (6 actions):
  API Gateway (IAM auth / SigV4)
  → Lambda (per-action authorization + HITL gate)
  → generate_brief           → Bedrock Converse (internal context only)
  → generate_brief_with_web  → Bedrock Converse + AgentCore Web Search (hybrid)
  → create_action_item       → SNS notification
  → request_approval         → DynamoDB (HITL entry)
  → approve                  → DynamoDB (admin only)
  → execute_approved         → DynamoDB check + execution (enforced HITL)

Hybrid RAG Flow (generate_brief_with_web)

Quick Flows request: {"action": "generate_brief_with_web", "params": {...}}
  ├─→ [1] Internal context (from params.context — FSx for ONTAP file content)
  ├─→ [2] AgentCore Web Search (us-east-1, MCP protocol)
  │       query from params.web_query or params.title
  │       → Amazon web index → snippets + URLs + titles + dates
  └─→ [3] Bedrock Converse (ap-northeast-1)
           system prompt: internal = primary, web = supplementary, untrusted
        → Unified brief with [Internal: ...] + [Web: title](URL) citations

Security Design

Authentication + Per-Action Authorization

The Action API uses IAM authentication (SigV4). The handler extracts the authenticated caller identity (requestContext.identity) — not self-declared body fields — and performs per-action authorization:

ACTION_AUTH_MODE=open (default/demo): No enforcement; audit fields still bound to authenticated caller

For production, use ACTION_AUTH_MODE=enforce and explicitly define AUTHORIZED_PRINCIPALS and ADMIN_PRINCIPALS.

ACTION_AUTH_MODE=enforce (production):

Read-only actions (generate_brief, generate_brief_with_web): always allowed

Mutating actions: caller must match AUTHORIZED_PRINCIPALS

Admin actions (approve): caller must match ADMIN_PRINCIPALS

Mismatch → 403 Forbidden

Enforced Human-in-the-Loop (HITL)

High-risk operations are gated by a DynamoDB approval store:

request_approval → persists record as pending_approval (enforced=true)
approve → admin transitions to approved (ConditionExpression prevents race)
execute_approved → only executes if record is approved; otherwise 409

Verified live: execute pre-approval → 409, post-approval → 200, re-execute → 409 (no replay).

Security note: Approval records have a 7-day TTL (DynamoDB Time-to-Live). Stale pending approvals auto-expire, preventing indefinite accumulation of unreviewed requests. Expired records cannot be approved or executed.

Additional Controls

Prompt injection defense: Both generate_brief and generate_brief_with_web treat context as untrusted data with explicit delimiter boundaries (<internal_context>, <web_search_results>)
Web query safety: Only params.web_query or params.title is sent to Web Search — never internal document content
Raw SQL disabled by default: ALLOW_RAW_SQL=false; role-level data boundaries enforced via Lake Formation (LF-TBAC) in production
Results bucket hardening: PublicAccessBlock + TLS-only + 30-day lifecycle
API throttling: Rate/burst limits against denial-of-wallet
Web Search citation obligation: Source URLs + titles are always included in responses (Acceptable Use Policy compliance)

Web-Augmented Brief Generation (opt-in)

GA at AWS Summit NYC 2026 (June 17, 2026). Powered by AgentCore Web Search Tool.

The Problem

Business briefs based solely on internal documents lack current market context. A sales brief about a product launch needs both the internal product spec and awareness of relevant public announcements published recently. A legal compliance brief needs both the internal policy document and the latest regulatory guidance.

The Solution

A new action generate_brief_with_web combines internal context with real-time web search results. The internal context remains the primary source; web results are supplemental, cited, and treated as untrusted input.

Usage

{
  "action": "generate_brief_with_web",
  "params": {
    "title": "Q3 Data Protection Regulatory Update",
    "context": "Internal operations follow FISC safety standards...",
    "web_query": "data protection regulation 2026 Japan financial services"
  }
}

Response

{
  "status": "completed",
  "action": "generate_brief_with_web",
  "title": "Q3 Data Protection Regulatory Update",
  "brief": "Based on internal FISC compliance documentation... Additionally, [Web: FISC 2026 Revision Summary](https://example.com/fisc) published on 2026-06-10 introduces...",
  "web_citations": [
    {"source": "https://example.com/fisc", "title": "FISC 2026 Revision Summary", "publishedDate": "2026-06-10"}
  ],
  "web_search_enabled": true,
  "guardrail_applied": true
}

Design Properties

Property	Detail
Internal context priority	Internal documents are the primary source; web supplements
Graceful degradation	Web Search failure → behaves like `generate_brief` (internal only)
Citation separation	Internal sources and web sources are visually distinct in the brief
Query safety	Only the `web_query` (or `title`) is sent externally — never internal content
Cross-region	Gateway in us-east-1 (Web Search Tool constraint); adds ~100-200ms
Authorization	Read-only action (same tier as `generate_brief`)
Prompt injection defense	Web results wrapped in `<web_search_results>` as untrusted data

Activation

sam deploy --parameter-overrides \
  EnableWebSearch=true \
  AgentCoreGatewayId=<gateway-id> \
  AgentCoreGatewayRegion=us-east-1

Without these parameters, generate_brief_with_web still works but produces internal-only briefs (graceful degradation).

Verification Findings

Lake Formation + Athena

Athena queries running against Glue tables backed by S3 AP data — the foundation for Quick Sight analytics.

The UC30 CloudFormation stack with all resources (API Gateway, Lambda, DynamoDB ApprovalsTable, Athena WorkGroup) deployed.

The test account had Lake Formation governing the Data Catalog. The Athena Query Lambda's execution role required Lake Formation permission grants (DESCRIBE on DB, SELECT/DESCRIBE on tables) in addition to IAM. Production deployments should design LF-TBAC for role-based data visibility.

Quick × FSx for ONTAP S3 AP Integration Boundary

Amazon Quick's S3 KB connector accepts the S3 AP alias but authorization fails due to FSx for ONTAP's dual-layer auth — leading to the recommendation below.

Quick provides multiple data integration paths — for FSx for ONTAP data, Bedrock KB (UC29) or Athena-mediated access is the validated route in this repository.

Amazon Quick's S3 knowledge base connector accepts an FSx for ONTAP S3 AP alias as a "valid URL," but verification revealed that standard connection authorization fails (authorization failure from the standard connector path). FSx for ONTAP's dual-layer auth (IAM + filesystem-level identity) requires more than IAM grants on the data access role.

Evidence-based implementation guidance:

FSx for ONTAP → RAG: Bedrock KB (UC29) is the validated path in this repository
Quick Index: Stage to a standard S3 bucket for predictable connector behavior
Quick Sight (BI): Athena-mediated access works (QuickSight role needs Athena/Glue/LF/results-bucket permissions)
Direct connection via AD-identity S3 AP: not validated yet; tracked as a future hypothesis

Glue Tables

analytics/<role>/ CSVs are pointed to by Glue tables (sales_pipeline / it_incidents) created via Athena DDL. LOCATION uses S3 AP alias format: s3://<alias>/quick-workspace/analytics/<role>/. For scale, migrate to Parquet + partitioning to reduce Athena scanned costs.

Data Classification

Output	Classification	Rationale
Action API response (generate_brief)	INTERNAL	Source-derived summary; no external disclosure
Action API response (generate_brief_with_web)	INTERNAL	Contains internal citations; web portion is PUBLIC
Action API response (create/approve/execute)	INTERNAL	Business operation records
Athena query results (results bucket)	INTERNAL	Encrypted + 30-day lifecycle + TLS
DynamoDB ApprovalsTable	INTERNAL	Approval state metadata
SNS notifications	INTERNAL	Action summaries only; no file content
Web Search results (raw)	PUBLIC	External public information

Extend shared/data_classification.py for regulated workloads (CUI / FISC / HIPAA).

Cost

Component	Monthly estimate	Notes
Amazon Quick	Per-user/plan billing	Separate; unsubscribe when done
Athena	Scanned-data pricing	Reduce with Parquet
Lambda / API Gateway	Serverless pay-per-use	< $10 for moderate usage
Bedrock LLM (briefs)	Usage-based	Usage-based; verify the current model price
DynamoDB (approvals)	Pay-per-request	Minimal for approval records
AWS Budgets alarm	Free (SNS delivery cost only)	Created when `NotificationEmail` set
AgentCore Web Search (opt-in)	Per-query pricing (see AgentCore pricing)	Gateway invocation pricing
Cross-region transfer (opt-in)	< $0.02	us-east-1 ↔ ap-northeast-1

Teardown / rebuild: one-command idempotent scripts (scripts/teardown-uc29-uc30.sh / scripts/rebuild-uc29-kb.py)

Getting Started

git clone https://github.com/Yoshiki0705/FSx-for-ONTAP-S3AccessPoints-Serverless-Patterns.git
cd FSx-for-ONTAP-S3AccessPoints-Serverless-Patterns/solutions/genai/quick-agentic-workspace

# Install dependencies
pip install -r requirements.txt        # or: uv pip install -r requirements.txt

cat samconfig.toml.example  # Review parameters

sam build && sam deploy --guided

# DemoMode=true runs without FSx for ONTAP (regular S3 bucket)

# Optional: Enable Web Search hybrid RAG
sam deploy --parameter-overrides \
  EnableWebSearch=true \
  AgentCoreGatewayId=<gateway-id> \
  AgentCoreGatewayRegion=us-east-1

Governance Note

This article is technical architecture guidance, not legal, compliance, or regulatory advice. Amazon Quick features, pricing, regional availability, and connector behavior are subject to change — verify with official documentation and your own account settings. S3 AP data source boundaries are at volume/prefix granularity. For per-user visibility control, use Quick's document-level ACL or Custom Permission-Aware RAG. Web Search Tool usage requires compliance with the Acceptable Use Policy (source citations must be retained and displayed in end-user output).

Yoshiki Fujiwara

DEV Community