# Managing resources for Amazon Q Business application environments that support anonymous access
You can choose to manage your Amazon Q Business application environment and associated resources. To learn how to do so, see the following sections:
**Topics**
+ [Example IAM policies for Amazon Q Business application environment supporting anonymous access](anonymous-application-iam-policies.md)
+ [Managing Amazon Q Business anonymous application environments](supported-anonymous-app-actions.md)
+ [Managing Amazon Q Business web experiences for anonymous access](supported-exp-actions-anonymous.md)
# Example IAM policies for Amazon Q Business application environment supporting anonymous access
We strongly recommend that you use a restricted policies for the role that will be used to call the chat APIs for anonymous access application environments.
You need permission policies to use Amazon Q Business application environments that support anonymous access. The following are examples of such restricted policies.
**Topics**
+ [Policy for calling relevant APIs](#anonymous-application-iam-policies-api)
+ [Policies for using the web experience](#anonymous-application-iam-policies-web-experience)
## Policy for calling relevant APIs
**Example policy to allow the Amazon Q Business APIs for anonymous access**
```
{
"Version": "2012-10-17", ,
"Statement": [{
"Sid": "QBusinessAnonymousConversationAPIPermissions",
"Effect": "Allow",
"Action": [
"qbusiness:Chat",
"qbusiness:ChatSync",
"qbusiness:PutFeedback"
],
"Resource": "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}"
}]
}
```
**Applying your restricted policies to an IAM role for using APIs for Amazon Q application environments supporting anonymous access**
1. Create a directory named *policies*.
1. In that directory, create and save a file named *permspolicyforAPIanonymous.json* with the JSON for allowing Amazon Q Business API calls for anonymous access.
1. Finally, create and attach the policy using the following commands in the AWS CLI.
**Create and attach policy**
```
aws iam \
create-role \
--policy-document file://policies/permspolicyforAPIanonymous.json
```
## Policies for using the web experience
**Example policy to allow the Amazon Q Business web experience for anonymous access**
```
{
"Version": "2012-10-17", ,
"Statement": [{
"Sid": "QBusinessAnonymousWebExperienceConversationPermissions",
"Effect": "Allow",
"Action": [
"qbusiness:Chat",
"qbusiness:ChatSync",
"qbusiness:PutFeedback",
"qbusiness:GetChatControlsConfiguration",
"qbusiness:GetApplication",
],
"Resource": "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}"
}]
}
```
**Example trust policy to allow the Amazon Q Business web experience for anonymous access**
```
{
"Version": "2012-10-17", ,
"Statement": [
{
"Sid": "QBusinessTrustPolicy",
"Effect": "Allow",
"Principal": {
"Service": "application.qbusiness.amazonaws.com"
},
"Action": [
"sts:AssumeRole"
],
"Condition": {
"StringEquals": {
"aws:SourceAccount": "{{account_id}}"
},
"ArnEquals": {
"aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}"
}
}
}
]
}
```
**Applying your restricted policies for using the web experience to an IAM role**
1. Create a directory named *policies*.
1. Then, in the same directory, create and save a file named *permspolicyforwebexperienceanonymous* with the JSON for allowing the Amazon Q Business web experience for anonymous access.
1. Then, in the same directory, create and save a file named *trustpolicyforanonymous.json* with the JSON for the trust policy to allow the Amazon Q Business web experience for anonymous access
1. Finally, create and attach the policies using the following commands in the AWS CLI.
**Create and attach policy**
```
aws iam \
create-role \
--role-name --assume-role-policy-document file://policies/trustpolicyforanonymous.json \
--policy-document file://policies/permspolicyforwebexperienceanonymous.json
```
**Note**
For the web experience to work properly with AWS CLI commands both policies are needed
**Amazon Q also supports using a service-linked role (`AWSServiceRoleForQBusiness`) for an Amazon Q application environment. The following is the service-linked role policy:**
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "QBusinessPutMetricDataPermission",
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"cloudwatch:namespace": "AWS/QBusiness"
}
}
},
{
"Sid": "QBusinessCreateLogGroupPermission",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup"
],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/qbusiness/*"
]
},
{
"Sid": "QBusinessDescribeLogGroupsPermission",
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups"
],
"Resource": "*"
},
{
"Sid": "QBusinessLogStreamPermission",
"Effect": "Allow",
"Action": [
"logs:DescribeLogStreams",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/qbusiness/*:log-stream:*"
]
}
]
}
```
------
For more information on using service-linked roles for an Amazon Q application environment, see [Using service-linked roles](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/using-service-linked-roles.html).
# Managing Amazon Q Business anonymous application environments
To manage an Amazon Q Business application environment, you can take the following actions:
**Topics**
+ [Deleting an anonymous application environment](#delete-anonymous-app)
+ [Getting anonymous application environment properties](#describe-anonymous-app)
+ [Listing anonymous application environments](#list-anonymous-app)
+ [Updating an application environment](#update-anonymous-app)
## Deleting an anonymous application environment
To delete an Amazon Q Business anonymous application environment, you can use the console or the [https://docs.aws.amazon.com/amazonq/latest/api-reference/API_DeleteApplication.html](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_DeleteApplication.html) API operation.
The following tabs provide a procedure for the console and code example for the AWS CLI.
------
#### [ Console ]
**To delete an Amazon Q Business application environment**
1. Sign in to the AWS Management Console and open the Amazon Q Business console.
1. In **Applications**, choose **Actions**.
1. Choose **Delete**.
1. In the dialog box that opens, type **Delete** to confirm deletion, and then choose **Delete**.
You are returned to the service console while your application environment is deleted. When the deletion process is complete, the console displays a message confirming successful deletion.
------
#### [ AWS CLI ]
**To delete an Amazon Q Business application environment**
```
aws qbusiness delete-application \
--application-id application-id
```
------
## Getting anonymous application environment properties
To get the properties of an Amazon Q Business application environment, you can use the console or the [https://docs.aws.amazon.com/amazonq/latest/api-reference/API_GetApplication.html](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_GetApplication.html) API operation.
The following tabs provide a procedure for the console and code examples for the AWS CLI.
------
#### [ Console ]
**To get properties of an Amazon Q Business application environment**
1. Sign in to the AWS Management Console and open the Amazon Q Business console.
1. For **Applications**, select the name of your application environment from the list of application environments.
1. On **Application settings**, the following properties are available:
+ **Application name** – The name that you chose for your application environment.
+ **Application ID** – The ID assigned to your application environment.
+ **Subtitle** – The subtitle that you chose to assign to your application environment.
+ **Service access** – The service access role that your application environment is using.
+ **Title** – The title that you gave to your application environment.
+ **Application status** – The status of your application environment.
To update a setting, select **Edit**.
------
#### [ AWS CLI ]
**To get Amazon Q Business application environment properties **
```
aws qbusiness get-application \
--application-id application-id
```
------
## Listing anonymous application environments
To list Amazon Q Business application environments, you can use the console or the [https://docs.aws.amazon.com/amazonq/latest/api-reference/API_ListApplications.html](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_ListApplications.html) API operation.
The following tabs provide a procedure for the console and code examples for the AWS CLI.
------
#### [ Console ]
**To list your Amazon Q Business application environments**
1. Sign in to the AWS Management Console and open the Amazon Q Business console.
1. In **Applications**, all your configured application environments are listed.
------
#### [ AWS CLI ]
**To list Amazon Q Business application environments **
```
aws qbusiness list-applications \
--max-results max-results-to-return
```
------
## Updating an application environment
To update an Amazon Q Business application environment, you can use the console or the [https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateApplication.html](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateApplication.html) API operation.
The following tabs provide a procedure for the console and code examples for the AWS CLI.
------
#### [ Console ]
**To update an Amazon Q Business application environment**
**Option 1**
1. Sign in to the AWS Management Console and open the Amazon Q Business console.
1. In **Applications**, select the name of your application environment from the list of application environments.
1. In **Applications**, choose **Actions**.
1. Choose **Edit**.
On the **Update application environment** page, edit your application environment settings.
**Option 2**
1. Sign in to the AWS Management Console and open the Amazon Q Business console.
1. In **Applications**, select the name of your application environment from the list of application environments.
1. On the application environment page, select **Edit** from the page header, or select **Edit** from **Application settings**.
1. Choose **Edit**.
On the **Update application environment** page, edit your application environment settings.
------
#### [ AWS CLI ]
**To update an Amazon Q Business application environment **
```
aws qbusiness update-application \
--application-id application-id \
--display-name application-name \
--role-arn your-role-arn \
--description application-description \
```
------
# Managing Amazon Q Business web experiences for anonymous access
To manage Amazon Q Business web experiences for anonymous access, you can take the following actions:
**Topics**
+ [Share an anonymous web experience](#create-experience-anonymous-url)
+ [Deleting a web experience](#delete-web-experience-anonymous)
+ [Getting properties of a web experience](#describe-web-experience-anonymous)
+ [Listing web experiences](#list-web-experiences-anonymous)
+ [Updating a web experience](#update-web-experience-anonymous)
## Share an anonymous web experience
If you created a web experience when you created your application, you can preview that Amazon Q Business web experience for anonymous access, using the console or the [CreateAnonymousWebExperienceUrl](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateAnonymousWebExperienceUrl.html) API operation.
**Note**
The preview URL for the web experience is for one-time use only and has to be regenerated every time. This URL must be accessed within 5 minutes of creation. Once accessed, the session remains active for the configured duration. To use the web experience in your applications, you must use the [Amazon Q embedded](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/embed-amazon-q-business.html) feature and call the [CreateAnonymousWebExperienceUrl](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateAnonymousWebExperienceUrl.html) API operation whenever you need a new application session or after one hour whichever comes first.
All anonymous web experience URLs generated are able to process billable chat requests until the sessions expire. For more information, see [Amazon Q Business pricing](https://aws.amazon.com/q/business/pricing/).
The following tabs provide a procedure for the AWS Management Console and code examples for the AWS CLI.
------
#### [ Console ]
1. After [Creating an anonymous access application environment](create-anonymous-application.md#create-anonymous-app) in the console with a web experience, you can navigate to your anonymous application.
1. In the **Web experience settings** section in the console, you can **Preview web experience** to view the web experience.
1. Alternatively, you can choose to **Share the web experience URL** to share the web experience. To do this, you can choose the duration your **Testing link is valid for** and choose **Create URL**. The URL will be automatically copied to your clipboard.
------
#### [ AWS CLI ]
**To share an Amazon Q Business anonymous web experience url**
After [Creating an anonymous access application environment](create-anonymous-application.md#create-anonymous-app) with a web experience, you can do the following.
```
aws qbusiness create-anonymous-web-experience-url \
--application-id \
--web-experience-id
--session-duration-in-minutes
```
------
## Deleting a web experience
To delete an Amazon Q Business web experience, you can use the console or the [DeleteWebExperience](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_DeleteWebExperience.html) API operation.
If you're using the API, you can delete a web experience without deleting the application environment that it's a part of.
If you're using the console, the only way to delete your Amazon Q Business web experience is to delete the Amazon Q Business application environment that it's attached to.
**Note**
Even after deleting the web experience all URLs connected to this web experience continue to process billable chat requests until their sessions expire. For more information, see [Share an anonymous web experience](#create-experience-anonymous-url).
The following tabs provide a procedure for the AWS Management Console and code examples for the AWS CLI.
------
#### [ Console ]
**To delete an Amazon Q Business web experience**
1. Sign in to the AWS Management Console and open the Amazon Q Business console.
1. In **Applications**, choose **Actions**.
1. Choose **Delete**.
1. In the dialog box that opens, type **Delete** to confirm deletion, and then choose **Delete**.
You are returned to the service console while your application environment is deleted. When the deletion process is complete, the console displays a message confirming successful deletion. Both the application environment and the web experience are deleted.
------
#### [ AWS CLI ]
**To delete an Amazon Q Business web experience**
```
aws qbusiness delete-web-experience \
--application-id application-id \
--web-experience-id web-experience-id
```
------
## Getting properties of a web experience
To get the properties of an Amazon Q Business web experience, you can use the console or the [GetWebExperience](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_GetWebExperience.html) API operation.
The following tabs provide a procedure for the AWS Management Console and code examples for the AWS CLI.
------
#### [ Console ]
**To get properties of an Amazon Q Business web experience **
1. Sign in to the AWS Management Console and open the Amazon Q Business console.
1. In **Applications**, select the name of your application environment from the list of applications.
1. For **Web experience settings**, the following settings are available:
+ **Web experience IAM role ARN** – The IAM role assumed by end users when they log in to your web experience.
+ **Deployed URL** – The deployed URL of your web experience.
+ **Tags** – Tags that are attached to your web experience.
To update a setting, choose **Edit**.
------
#### [ AWS CLI ]
**To get properties of an Amazon Q Business web experience**
```
aws qbusiness get-web-experience \
--application-id application-id \
--web-experience-id web-experience-id
```
------
## Listing web experiences
To list Amazon Q Business web experiences, you can use the console or the [ListWebExperiences](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_ListWebExperiences.html) API operation.
If you use the console, you can only see the web experience that's attached to a single application environment.
The following tabs provide a procedure for the AWS Management Console and code examples for the AWS CLI.
------
#### [ Console ]
**To list Amazon Q Business web experiences**
1. Sign in to the AWS Management Console and open the Amazon Q Business console.
1. For **Applications**, the Amazon Q Business web experience attached to your application environment is shown.
------
#### [ AWS CLI ]
**To list Amazon Q Business web experiences**
```
aws qbusiness get-web-experience \
--application-id application-id \
--web-experience-id web-experience-id \
--max-results max-results-to-return
```
------
## Updating a web experience
To update an Amazon Q Business web experience, you can use the console or the [UpdateWebExperience](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateWebExperience.html) API operation.
The following tabs provide a procedure for the AWS Management Console and code examples for the AWS CLI.
------
#### [ Console ]
**To update an Amazon Q Business web experience**
1. Sign in to the AWS Management Console and open the Amazon Q Business console.
1. In **Applications**, select the name of your application environment from the list of applications.
1. Select **Customize web experience**.
1. Expand the right navigation menu to edit your web experience settings.
------
#### [ AWS CLI ]
**To update an Amazon Q Business web experience**
```
aws qbusiness update-web-experience \
--application-id application-id \
--web-experience-id web-experience-id \
--subtitle subtitle \
--title title \
--welcome-message welcome-message
```
------