Restrict access to sensitive documents in your Amazon Quick knowledge bases for Amazon S3

Source: Artificial Intelligence · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cloud Computing & IT Infrastructure, Cybersecurity & Data Privacy · Depth: Intermediate, extended

Summary

Amazon Quick now supports document-level Access Control Lists (ACLs) for Amazon S3 knowledge bases, enabling fine-grained control over sensitive documents. This feature allows organizations to restrict specific S3 documents or folders to authorized users and groups, ensuring that Quick's AI-driven search and chat only surface content a user is permitted to view. The configuration involves setting up IAM policy assignments to control S3 bucket access for knowledge base creation and choosing between two ACL methods: a global ACL file for stable, folder-based permissions or document-level metadata files for frequently changing, per-document permissions. Quick enforces a deny-by-default model, meaning only explicitly allowed documents or prefixes are accessible. The process includes creating ACL files, uploading them to S3, configuring the knowledge base in Quick, and syncing to apply permissions, with verification steps for chat and automated workflows (Flows).

Key takeaway

For AI Architects and MLOps Engineers managing sensitive data in Amazon Quick, implementing document-level ACLs for S3 knowledge bases is crucial for compliance and data governance. Plan your access control structure carefully, choosing between global and document-level ACLs based on permission granularity and change frequency. Always test ACL configurations in a non-production environment before enabling them, because enabling ACLs is a one-way operation.

Key insights

Amazon Quick's new S3 document-level ACLs enable fine-grained access control for sensitive data in AI-driven search.

Method

Configure S3 document-level ACLs in Amazon Quick by creating either a global ACL.json file for folder-level control or individual .metadata.json files for per-document control, then enable ACLs during knowledge base setup and sync.

Best for: AI Architect, MLOps Engineer, AI Security Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.