

# Using Amazon Q Developer plugins
<a name="plugins"></a>

Amazon Q Developer integrates with third-party monitoring tools and security platforms so you can access your AWS application insights without leaving the AWS builder environment. In the AWS Management Console, you can chat about metrics provided by these tools to understand and address application performance, errors, or vulnerabilities. 

After you configure a plugin, add the plugin alias to the beginning of your question when you chat with Amazon Q in the AWS console. Amazon Q calls the third-party provider APIs to retrieve resources and generates a response with deep links to the external resources. 

When Amazon Q calls a third-party API, that call does not appear in AWS CloudTrail logs. CloudTrail only records the access to the AWS Secrets Manager secret from which Amazon Q retrieves the credentials it uses to connect to the third-party provider. 

Amazon Q doesn't share any information with third party providers when you configure or use plugins. For more information on how Amazon Q uses your data, see [Data protection](data-protection.md). 

**Note**  
Member accounts within an AWS organization don't have access to plugins that are configured in the organization's management account profile. Each member account must create its own Q Developer profile before it can configure and use plugins in that account. 

**Warning**  
Third-party provider user permissions are not detected by Amazon Q Developer plugins. When an administrator configures a plugin in an AWS account, users with plugin permissions in that account have access to any resources in the third-party provider account retrievable by the plugin.   
You can configure IAM policies to restrict which plugins users have access to. For more information, see [Allow users to chat with plugins from one provider](id-based-policy-examples-users.md#id-based-policy-examples-allow-plugin-type).

To get started, see the topic for the plugin you want to use with Amazon Q Developer.

**Topics**
+ [Configuring the Amazon Q Developer CloudZero plugin](cloudzero-plugin.md)
+ [Configuring the Amazon Q Developer Datadog plugin](datadog-plugin.md)
+ [Configuring the Amazon Q Developer Wiz plugin](wiz-plugin.md)

# Configuring the Amazon Q Developer CloudZero plugin
<a name="cloudzero-plugin"></a>

CloudZero is a cloud cost optimization platform that evaluates costs to improve cloud efficiency. If you use CloudZero to monitor your AWS costs, you can use the CloudZero plugin in Amazon Q Developer chat to access cost insights without leaving the AWS Management Console.

You can use the CloudZero plugin to understand your AWS costs, get cost optimization insights, and track billing. After you receive a response, you can ask follow up questions, such as the status or cost impact of CloudZero insights.

To configure the plugin, you provide authentication credentials from your CloudZero account to enable a connection between Amazon Q and CloudZero. After you configure the plugin, you can access CloudZero data by adding **@cloudzero** to the beginning of your question in Amazon Q chat. 

**Warning**  
CloudZero user permissions are not detected by the CloudZero plugin in Amazon Q. When an administrator configures the CloudZero plugin in an AWS account, users with plugin permissions in that account have access to any resources in the CloudZero account retrievable by the plugin.   
You can configure IAM policies to restrict which plugins users have access to. For more information, see [Configure user permissions](#cloudzero-configure-user-permissions).

## Prerequisites
<a name="cloudzero-plugin-prerequisites"></a>

### Add permissions
<a name="add-cloudzero-plugin-permissions"></a>

To configure plugins, the following administrator level permissions are required: 
+ Permissions to access the Amazon Q Developer console. For an example IAM policy that grants needed permissions, see [Allow administrators to use the Amazon Q Developer console](id-based-policy-examples-admins.md#q-admin-setup-admin-users).
+ Permissions to configure plugins. For an example IAM policy that grants the needed permissions, see [Allow administrators to configure plugins](id-based-policy-examples-admins.md#id-based-policy-examples-admin-plugins).

### Acquire credentials
<a name="acquire-cloudzero-credentials"></a>

Before you begin, note the following information from your CloudZero account. These authentication credentials will be stored in an AWS Secrets Manager secret when you configure the plugin. 
+ **API key** – An access key that allows Amazon Q to call the CloudZero API to access your organization’s cost insights and billing information. You can find the API key in your CloudZero account settings. For more information, see [Authorization](https://docs.cloudzero.com/reference/authorization) in the CloudZero documentation. 

For more information on acquiring credentials from your CloudZero account, see the [CloudZero documentation](https://docs.cloudzero.com/docs/amazon-q-integration).

## Secrets and service roles
<a name="cloudzero-secrets-service-roles"></a>

### AWS Secrets Manager secret
<a name="cloudzero-secrets"></a>

When you configure the plugin, Amazon Q creates a new AWS Secrets Manager secret for you to store CloudZero authentication credentials. Alternatively, you can use an existing secret that you create yourself.

If you create a secret yourself, enter the API key as plaintext:

```
your-api-key
```

For more information about creating secrets, see [Create a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html) in the *AWS Secrets Manager User Guide*.

### Service roles
<a name="cloudzero-service-role"></a>

To configure the CloudZero plugin in Amazon Q Developer, you need to create a service role that gives Amazon Q permission to access your Secrets Manager secret. Amazon Q assumes this role to access the secret where your CloudZero credentials are stored.

When you configure the plugin in the AWS console, you have the option to create a new secret or use an existing one. If you create a new secret, the associated service role is created for you. If you use an existing secret and an existing service role, make sure your service role contains the following permissions, and has the following trust policy attached. The service role required depends on your secret encryption method.

If your secret is encrypted with an AWS managed KMS key, the following IAM service role is required:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-id"
            ]
        }
    ]
}
```

------

If your secret is encrypted with a customer managed AWS KMS key, the following IAM service role is required:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-id"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"
                }
            }
        }
    ]
}
```

------

To allow Amazon Q to assume the service role, the service role needs the following trust policy: 

**Note**  
The `codewhisperer` prefix is a legacy name from a service that merged with Amazon Q Developer. For more information, see [Amazon Q Developer rename - Summary of changes](service-rename.md). 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "q.amazonaws.com"
      },
      "Action": ["sts:AssumeRole", "sts:SetContext"],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333",
          "aws:SourceArn": "arn:aws:codewhisperer:us-east-1:111122223333:profile/profile-id"
        }
      }
    }
  ]
}
```

------

For more information about service roles, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *AWS Identity and Access Management User Guide*.

## Configure the CloudZero plugin
<a name="cloudzero-configure"></a>

You configure plugins in the Amazon Q Developer console. Amazon Q uses credentials stored in AWS Secrets Manager to enable interactions with CloudZero. 

To configure the CloudZero plugin, complete the following procedure: 

1. Open the Amazon Q Developer console at [https://console.aws.amazon.com/amazonq/developer/home](https://console.aws.amazon.com/amazonq/developer/home)

1. On the Amazon Q Developer console home page, choose **Settings**. 

1. In the navigation bar, choose **Plugins**.

1. On the plugins page, choose the plus sign on the **CloudZero** panel. The plugin configuration page opens. 

1. For **Configure AWS Secrets Manager**, choose either **Create a new secret** or **Use an existing secret**. The Secrets Manager secret is where your CloudZero authentication credentials will be stored.

   If you create a new secret, enter the following information:

   1. For **CloudZero API key**, enter the API key for your CloudZero organization.

   1. A service role will be created that Amazon Q will use to access the secret where your CloudZero credentials are stored. Do not edit the service role that is created for you. 

   If you use an existing secret, choose a secret from the **AWS Secrets Manager secret** dropdown menu. The secret should include the CloudZero authentication credentials specified in the previous step.

   For more information about the required credentials, see [Acquire credentials](#acquire-cloudzero-credentials). 

1. For **Configure AWS IAM service role**, choose either **Create new service role** or **Use existing service role**. 

   **Note**  
   If you chose **Create a new secret** in the previous step, you can’t use an existing service role. A new role will be created for you. 

   If you create a new service role, a service role will be created that Amazon Q will use to access the secret where your CloudZero credentials are stored. Do not edit the service role that is created for you. 

   If you use an existing service role, choose a role from the dropdown menu that appears. Make sure your service role has the permissions and trust policy defined in [Service roles](#cloudzero-service-role). 

1. Choose **Save configuration**. 

1. After the CloudZero plugin panel appears in the **Configured plugins** section on the Plugins page, users will have access to the plugin.

If you want to update the credentials for a plugin, you must delete your current plugin and configure a new one. Deleting a plugin removes all previous specifications. Any time you configure a new plugin, a new plugin ARN is generated. 

## Configure user permissions
<a name="cloudzero-configure-user-permissions"></a>

To use plugins, the following permissions are required:
+ Permissions to chat with Amazon Q in the console. For an example IAM policy that grants permissions needed to chat, see [Allow users to chat with Amazon Q](id-based-policy-examples-users.md#id-based-policy-examples-allow-chat).
+ The `q:UsePlugin` permission.

When you grant an IAM identity access to a configured CloudZero plugin, the identity gains access to any resources in the CloudZero account retrievable by the plugin. CloudZero user permissions are not detected by the plugin. If you want to control access to a plugin, you can do so by specifying the plugin ARN in an IAM policy. 

Each time you create or delete and re-configure a plugin, it is assigned a new ARN. If you use a plugin ARN in a policy, it will need to be updated if you want to grant access to the newly configured plugin. 

To locate the CloudZero plugin ARN, go to the **Plugins** page in the Amazon Q Developer console and choose the configured CloudZero plugin. On the plugin details page, copy the plugin ARN. You can add this ARN to a policy to allow or deny access to the CloudZero plugin.

If you create a policy to control access to CloudZero plugins, specify `CloudZero` for the plugin provider in the policy.

For examples of IAM policies that control plugin access, see [Allow users to chat with plugins from one provider](id-based-policy-examples-users.md#id-based-policy-examples-allow-plugin-type).

## Chat with the CloudZero plugin
<a name="use-cloudzero-plugin"></a>

To use the CloudZero plugin, enter **@cloudzero** at the beginning of a question about CloudZero or your AWS costs and cost insights. Follow-up questions or responses to questions from Amazon Q must also include **@cloudzero**. 

Following are some example use cases and associated questions you can ask to get the most out of the Amazon Q CloudZero plugin: 
+  **Learn about using CloudZero with AWS** – Ask about how CloudZero features work. Amazon Q might ask you for more information about what you’re trying to do to provide the best answer. 
  + **@cloudzero how do I use CloudZero?** 
  + **@cloudzero how do I get started with CloudZero?** 
+ **List cost insights** – Get a list of cost insights or find out more about a specific insight.
  + **@cloudzero list my top cost insights** 
  + **@cloudzero tell me more about insight <insight ID>** 
+ **Get billing information** – Ask the Amazon Q CloudZero plugin about your AWS billing information. 
  + **@cloudzero what were my AWS costs for December 2024?** 

# Configuring the Amazon Q Developer Datadog plugin
<a name="datadog-plugin"></a>

Datadog is a monitoring and security platform that provides infrastructure, application, and network monitoring and analytics. If you use Datadog to monitor your AWS applications, you can use the Datadog plugin in Amazon Q Developer chat to access monitoring information without leaving the AWS Management Console.

You can use the Datadog plugin to learn about Datadog, understand how it works with AWS services, and ask about your Datadog cases and monitors. After you receive a response, you can ask follow up questions, including how to address an issue or for details about Datadog resources.

To configure the plugin, you provide authentication credentials from your Datadog account to enable a connection between Amazon Q and Datadog. After you configure the plugin, you can access Datadog metrics by adding **@datadog** to the beginning of your question in Amazon Q chat. 

**Warning**  
Datadog user permissions are not detected by the Datadog plugin in Amazon Q. When an administrator configures the Datadog plugin in an AWS account, users with plugin permissions in that account have access to any resources in the Datadog account retrievable by the plugin.   
You can configure IAM policies to restrict which plugins users have access to. For more information, see [Configure user permissions](#datadog-configure-user-permissions).

## Prerequisites
<a name="datadog-plugin-prerequisites"></a>

### Add permissions
<a name="add-datadog-plugin-permissions"></a>

To configure plugins, the following administrator level permissions are required: 
+ Permissions to access the Amazon Q Developer console. For an example IAM policy that grants needed permissions, see [Allow administrators to use the Amazon Q Developer console](id-based-policy-examples-admins.md#q-admin-setup-admin-users).
+ Permissions to configure plugins. For an example IAM policy that grants the needed permissions, see [Allow administrators to configure plugins](id-based-policy-examples-admins.md#id-based-policy-examples-admin-plugins).

### Acquire credentials
<a name="acquire-datadog-credentials"></a>

Before you begin, note the following information from your Datadog account. These authentication credentials will be stored in an AWS Secrets Manager secret when you configure the plugin. 
+ **Site parameter** – The Datadog site parameter you use. For example, `us3.datadoghq.com`. For more information, see [Getting Started with Datadog Sites](https://docs.datadoghq.com/getting_started/site/) in the Datadog documentation. 
+ **API key and application key** – Access keys that allow Amazon Q to call the Datadog API to access events and metrics. You can find these under **Organization Settings** in your Datadog account. For more information, see [API and Application Keys](https://docs.datadoghq.com/account_management/api-app-keys/) in the Datadog documentation. 

## Secrets and service roles
<a name="datadog-secrets-service-roles"></a>

### AWS Secrets Manager secret
<a name="datadog-secrets"></a>

When you configure the plugin, Amazon Q creates a new AWS Secrets Manager secret for you to store Datadog authentication credentials. Alternatively, you can use an existing secret that you create yourself.

If you create a secret yourself, make sure it includes the following credentials and uses the following JSON format:

```
{
   "ApiKey": "<your-api-key>",
   "AppKey": "<your-application-key>"
}
```

For more information about creating secrets, see [Create a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html) in the *AWS Secrets Manager User Guide*.

### Service roles
<a name="datadog-service-role"></a>

To configure the Datadog plugin in Amazon Q Developer, you need to create a service role that gives Amazon Q permission to access your Secrets Manager secret. Amazon Q assumes this role to access the secret where your Datadog credentials are stored.

When you configure the plugin in the AWS console, you have the option to create a new secret or use an existing one. If you create a new secret, the associated service role is created for you. If you use an existing secret and an existing service role, make sure your service role contains the following permissions, and has the following trust policy attached. The service role required depends on your secret encryption method.

If your secret is encrypted with an AWS managed KMS key, the following IAM service role is required:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-id"
            ]
        }
    ]
}
```

------

If your secret is encrypted with a customer managed AWS KMS key, the following IAM service role is required:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-id"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"
                }
            }
        }
    ]
}
```

------

To allow Amazon Q to assume the service role, the service role needs the following trust policy: 

**Note**  
The `codewhisperer` prefix is a legacy name from a service that merged with Amazon Q Developer. For more information, see [Amazon Q Developer rename - Summary of changes](service-rename.md). 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "q.amazonaws.com"
      },
      "Action": ["sts:AssumeRole", "sts:SetContext"],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333",
          "aws:SourceArn": "arn:aws:codewhisperer:us-east-1:111122223333:profile/profile-id"
        }
      }
    }
  ]
}
```

------

For more information about service roles, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *AWS Identity and Access Management User Guide*.

## Configure the Datadog plugin
<a name="datadog-configure"></a>

You configure plugins in the Amazon Q Developer console. Amazon Q uses credentials stored in AWS Secrets Manager to enable interactions with Datadog. 

To configure the Datadog plugin, complete the following procedure: 

1. Open the Amazon Q Developer console at [https://console.aws.amazon.com/amazonq/developer/home](https://console.aws.amazon.com/amazonq/developer/home)

1. On the Amazon Q Developer console home page, choose **Settings**. 

1. In the navigation bar, choose **Plugins**.

1. On the plugins page, choose the plus sign on the **Datadog** panel. The plugin configuration page opens. 

1. For **Site URL**, enter the URL of the Datadog site you use. 

1. For **Configure AWS Secrets Manager**, choose either **Create a new secret** or **Use an existing secret**. The Secrets Manager secret is where your Datadog authentication credentials will be stored.

   If you create a new secret, enter the following information:

   1. For **Datadog API key**, enter the API key for your Datadog organization.

   1. For **Datadog application key**, enter the application key for your Datadog account. 

   1. A service role will be created that Amazon Q will use to access the secret where your Datadog credentials are stored. Do not edit the service role that is created for you. 

   If you use an existing secret, choose a secret from the **AWS Secrets Manager secret** dropdown menu. The secret should include the Datadog authentication credentials specified in the previous step.

   For more information about the required credentials, see [Acquire credentials](#acquire-datadog-credentials). 

1. For **Configure AWS IAM service role**, choose either **Create new service role** or **Use existing service role**. 

   **Note**  
   If you chose **Create a new secret** in the previous step, you can’t use an existing service role. A new role will be created for you. 

   If you create a new service role, a service role will be created that Amazon Q will use to access the secret where your Datadog credentials are stored. Do not edit the service role that is created for you. 

   If you use an existing service role, choose a role from the dropdown menu that appears. Make sure your service role has the permissions and trust policy defined in [Service roles](#datadog-service-role). 

1. Choose **Save configuration**. 

1. After the Datadog plugin panel appears in the **Configured plugins** section on the Plugins page, users will have access to the plugin.

If you want to update the credentials for a plugin, you must delete your current plugin and configure a new one. Deleting a plugin removes all previous specifications. Any time you configure a new plugin, a new plugin ARN is generated. 

## Configure user permissions
<a name="datadog-configure-user-permissions"></a>

To use plugins, the following permissions are required:
+ Permissions to chat with Amazon Q in the console. For an example IAM policy that grants permissions needed to chat, see [Allow users to chat with Amazon Q](id-based-policy-examples-users.md#id-based-policy-examples-allow-chat).
+ The `q:UsePlugin` permission.

When you grant an IAM identity access to a configured Datadog plugin, the identity gains access to any resources in the Datadog account retrievable by the plugin. Datadog user permissions are not detected by the plugin. If you want to control access to a plugin, you can do so by specifying the plugin ARN in an IAM policy. 

Each time you create or delete and re-configure a plugin, it is assigned a new ARN. If you use a plugin ARN in a policy, it will need to be updated if you want to grant access to the newly configured plugin. 

To locate the Datadog plugin ARN, go to the **Plugins** page in the Amazon Q Developer console and choose the configured Datadog plugin. On the plugin details page, copy the plugin ARN. You can add this ARN to a policy to allow or deny access to the Datadog plugin.

If you create a policy to control access to Datadog plugins, specify `Datadog` for the plugin provider in the policy.

For examples of IAM policies that control plugin access, see [Allow users to chat with plugins from one provider](id-based-policy-examples-users.md#id-based-policy-examples-allow-plugin-type).

## Chat with the Datadog plugin
<a name="use-datadog-plugin"></a>

To use the Datadog plugin, enter **@datadog** at the beginning of a question about Datadog or your AWS application monitors and cases. Follow-up questions or responses to questions from Amazon Q must also include **@datadog**. 

Following are some example use cases and associated questions you can ask to get the most out of the Amazon Q Datadog plugin: 
+  **Learn about using Datadog features in your AWS workload** – Ask about how Datadog features work with certain AWS services. Amazon Q might ask you for more information about what you’re trying to do to provide the best answer. 
  + **@datadog how do I use APM on EC2?** 
+ **Retrieve and summarize cases and monitors** – Ask about a specific case or monitor, or specify properties to get information about monitors and cases like create date, status, or author. For more information about properties, see [Properties](https://docs.datadoghq.com/monitors/manage/status/#properties) in the Datadog documentation.
  + **@datadog summarize the global outage case** 
  + **@datadog summarize my top cases** 
+ **Check monitors that are in an alarm state** – Ask the Amazon Q Datadog plugin to find your AWS application monitors that are in alarm. You can follow up with questions about the monitors it lists. 
  + **@datadog what monitors are in alarm?** 
  + **@datadog what is the status for monitor <monitor ID>?** 

# Configuring the Amazon Q Developer Wiz plugin
<a name="wiz-plugin"></a>

Wiz is a cloud security platform that provides security posture management, risk assessment and prioritization, and vulnerability management. If you use Wiz to evaluate and monitor your AWS applications, you can use the plugin in Amazon Q chat to access insights from Wiz without leaving the AWS Management Console.

You can use the plugin to identify and retrieve Wiz issues, assess your riskiest assets, and understand vulnerabilities or exposures. After you receive a response, you can ask follow up questions, including how to remediate an issue.

To configure the plugin, you provide authentication credentials from your Wiz account to enable a connection between Amazon Q and Wiz. After you configure the plugin, you can access Wiz metrics by adding **@wiz** to the beginning of your question in Amazon Q chat. 

**Warning**  
Wiz user permissions are not detected by the Wiz plugin in Amazon Q. When an administrator configures the Wiz plugin in an AWS account, users with plugin permissions in that account have access to any resources in the Wiz account retrievable by the plugin.   
You can configure IAM policies to restrict which plugins users have access to. For more information, see [Configure user permissions](#wiz-configure-user-permissions).

## Prerequisites
<a name="wiz-plugin-prerequisites"></a>

### Add permissions
<a name="add-wiz-plugin-permissions"></a>

To configure plugins, the following administrator level permissions are required: 
+ Permissions to access the Amazon Q Developer console. For an example IAM policy that grants needed permissions, see [Allow administrators to use the Amazon Q Developer console](id-based-policy-examples-admins.md#q-admin-setup-admin-users).
+ Permissions to configure plugins. For an example IAM policy that grants the needed permissions, see [Allow administrators to configure plugins](id-based-policy-examples-admins.md#id-based-policy-examples-admin-plugins).

### Acquire credentials
<a name="acquire-wiz-credentials"></a>

Before you begin, note the following information from your Wiz account. These authentication credentials will be stored in an AWS Secrets Manager secret when you configure the plugin. 
+ **API endpoint URL** – The URL where you access Wiz. For example, `https://api.us1.app.Wiz.io/graphql`. For more information, see [API endpoint URL](https://win.wiz.io/reference/prerequisites#api-endpoint-url) in the Wiz documentation. 
+ **Client ID and Client secret** – Credentials that allow Amazon Q to call Wiz APIs to access your application. For more information, see [Client ID and Client secret](https://win.wiz.io/reference/prerequisites#client-id-and-client-secret) in the Wiz documentation. 

## Secrets and service roles
<a name="wiz-secrets-service-roles"></a>

### AWS Secrets Manager secret
<a name="wiz-secrets"></a>

When you configure the plugin, Amazon Q creates a new AWS Secrets Manager secret for you to store Wiz authentication credentials. Alternatively, you can use an existing secret that you create yourself.

If you create a secret yourself, make sure it includes the following credentials and uses the following JSON format: 

```
{
   "ClientId": "<your-client-id>",
   "ClientSecret": "<your-client-secret>"
}
```

For more information about creating secrets, see [Create a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html) in the *AWS Secrets Manager User Guide*.
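The three secret layouts on this page (the CloudZero plaintext key, and the Datadog and Wiz JSON objects) are easy to get subtly wrong when you create the secret yourself: a JSON-wrapped CloudZero key, an `apiKey` where `ApiKey` is expected, a trailing newline from a copy-paste, or a placeholder left in place. The following Python script is an added example written for this page, not AWS or provider code; it checks a secret string against the documented format for each plugin before you select it under **Use an existing secret**. The `REQUIRED_KEYS` table, the `validate_secret` function and the sample payloads are this example's own constructed names and values, not real credentials.

```python
"""Check that a Secrets Manager secret string matches the format a Q Developer plugin expects."""
import json
from typing import Dict, List

# Required layout per plugin, taken from this page: CloudZero stores the bare API key as
# plaintext; Datadog and Wiz store a JSON object with exactly these (case-sensitive) keys.
REQUIRED_KEYS: Dict[str, List[str]] = {
    "cloudzero": [],
    "datadog": ["ApiKey", "AppKey"],
    "wiz": ["ClientId", "ClientSecret"],
}


def _is_placeholder(value: str) -> bool:
    """True for an empty value or one of the page's placeholders (<your-...>, your-api-key)."""
    v = value.strip()
    return not v or (v.startswith("<") and v.endswith(">")) or v.startswith("your-")


def validate_secret(provider: str, secret_string: str) -> List[str]:
    """Return the problems found; an empty list means the secret matches the documented format."""
    keys = REQUIRED_KEYS[provider.lower()]
    problems: List[str] = []
    if not keys:  # CloudZero: the raw key, no JSON wrapper, no stray newline from a copy-paste
        if secret_string != secret_string.strip():
            problems.append("plaintext key has leading/trailing whitespace or a newline")
        if secret_string.lstrip().startswith("{"):
            problems.append("CloudZero expects the raw API key, not a JSON object")
        if _is_placeholder(secret_string):
            problems.append("API key is empty or still a placeholder")
        return problems
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"secret is not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return ["secret JSON must be an object"]
    for key in keys:
        if key not in data:
            # Flag the common casing slip explicitly: key names must match exactly.
            near = [k for k in data if k.lower() == key.lower()]
            hint = f" (found {near[0]!r}; key names are case-sensitive)" if near else ""
            problems.append(f"missing key {key!r}{hint}")
        elif not isinstance(data[key], str) or _is_placeholder(data[key]):
            problems.append(f"{key!r} is empty, not a string, or still a placeholder")
    for extra in sorted(set(data) - set(keys)):
        problems.append(f"unexpected key {extra!r}")
    return problems


# Constructed sample payloads (not real credentials): one good and one bad per pattern.
SAMPLES = [
    ("datadog", '{"ApiKey": "dd-api-0123", "AppKey": "dd-app-4567"}'),
    ("datadog", '{"apiKey": "dd-api-0123", "AppKey": "<your-application-key>"}'),
    ("wiz", '{"ClientId": "wiz-client-id", "ClientSecret": "wiz-client-secret"}'),
    ("cloudzero", "cz-live-0123\n"),
]

if __name__ == "__main__":
    for provider, payload in SAMPLES:
        print(provider, "->", validate_secret(provider, payload) or "OK")
```

The check runs offline on the secret string you intend to store; it never calls Secrets Manager or the provider, so it can be run before any credential leaves your workstation.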

### Service roles
<a name="wiz-service-role"></a>

To configure the Wiz plugin in Amazon Q Developer, you need to create a service role that gives Amazon Q permission to access your Secrets Manager secret. Amazon Q assumes this role to access the secret where your Wiz credentials are stored.

When you configure the plugin in the AWS console, you have the option to create a new secret or use an existing one. If you create a new secret, the associated service role is created for you. If you use an existing secret and an existing service role, make sure your service role contains these permissions, and has the following trust policy attached. The service role required depends on your secret encryption method.

If your secret is encrypted with an AWS managed KMS key, the following IAM service role is required:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-id"
            ]
        }
    ]
}
```

------

If your secret is encrypted with a customer managed AWS KMS key, the following IAM service role is required:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-id"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"
                }
            }
        }
    ]
}
```

------

To allow Amazon Q to assume the service role, the service role needs the following trust policy: 

**Note**  
The `codewhisperer` prefix is a legacy name from a service that merged with Amazon Q Developer. For more information, see [Amazon Q Developer rename - Summary of changes](service-rename.md). 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "q.amazonaws.com"
      },
      "Action": ["sts:AssumeRole", "sts:SetContext"],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333",
          "aws:SourceArn": "arn:aws:codewhisperer:us-east-1:111122223333:profile/profile-id"
        }
      }
    }
  ]
}
```

------

For more information about service roles, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *AWS Identity and Access Management User Guide*.
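If you bring your own secret and service role, it is worth checking the role's two documents against the templates above before (and periodically after) saving the plugin configuration, because the `aws:SourceAccount` and `aws:SourceArn` conditions in the trust policy are what keep a profile in another account from assuming the role, and the narrow `Resource` on `secretsmanager:GetSecretValue` is what keeps the role from reading other secrets. The following script is an added example, not code from Amazon Q Developer or AWS: it takes the trust policy and permissions policy as Python dicts (for example, parsed from `aws iam get-role` and `aws iam get-role-policy` output) and reports where they drift from the templates in this section. The account ID, profile ARN, secret ARN and key ARN it uses are the same placeholders shown on this page.

```python
"""Drift checks for the Wiz plugin service role (added example, not AWS code).

Takes the role's trust policy and permissions policy as dicts and reports
where they differ from the templates in this section. The account ID, profile
ARN, secret ARN and key ARN are the same placeholders used on this page.
"""

ACCOUNT_ID = "111122223333"
PROFILE_ARN = "arn:aws:codewhisperer:us-east-1:111122223333:profile/profile-id"
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-id"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/key-id"
TRUST_ACTIONS = {"sts:AssumeRole", "sts:SetContext"}


def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Principal."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def check_trust_policy(doc, account_id=ACCOUNT_ID, profile_arn=PROFILE_ARN):
    """Return findings for the trust policy; an empty list means it matches.

    The aws:SourceAccount / aws:SourceArn conditions are the confused-deputy
    guard: without them a profile in another account could assume the role.
    """
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in services:
            findings.append("trust policy allows any principal")
        if "q.amazonaws.com" not in services:
            findings.append("service principal is not q.amazonaws.com")
        extra = set(_as_list(stmt.get("Action"))) - TRUST_ACTIONS
        if extra:
            findings.append(f"unexpected actions in trust policy: {sorted(extra)}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:SourceAccount") != account_id:
            findings.append("missing or wrong aws:SourceAccount condition")
        if cond.get("aws:SourceArn") != profile_arn:
            findings.append("missing or wrong aws:SourceArn condition")
    return findings


def check_permissions_policy(doc, secret_arn=SECRET_ARN, key_arn=None):
    """Return findings for the permissions policy; an empty list means it matches.

    Pass key_arn only when the secret uses a customer managed KMS key: then
    kms:Decrypt must be granted, scoped to that key, and limited by kms:ViaService.
    """
    findings, decrypt_seen = [], False
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        for action in _as_list(stmt.get("Action")):
            if action == "secretsmanager:GetSecretValue":
                if resources != [secret_arn]:
                    findings.append(f"GetSecretValue not scoped to the plugin secret: {resources}")
            elif action == "kms:Decrypt":
                decrypt_seen = True
                if key_arn is None:
                    findings.append("kms:Decrypt granted although the secret uses an AWS managed key")
                elif resources != [key_arn]:
                    findings.append(f"kms:Decrypt not scoped to the customer managed key: {resources}")
                if not str(cond.get("kms:ViaService", "")).startswith("secretsmanager."):
                    findings.append("kms:Decrypt is not limited with kms:ViaService to Secrets Manager")
            else:
                findings.append(f"action not needed by the plugin: {action}")
    if key_arn is not None and not decrypt_seen:
        findings.append("secret uses a customer managed key but kms:Decrypt is not granted")
    return findings


# Constructed samples: the templates from this section plus two loosened roles.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "q.amazonaws.com"},
    "Action": ["sts:AssumeRole", "sts:SetContext"],
    "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT_ID, "aws:SourceArn": PROFILE_ARN}}}]}
CMK_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"], "Resource": SECRET_ARN},
    {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": KEY_ARN,
     "Condition": {"StringEquals": {"kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"}}}]}
LOOSE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "q.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
LOOSE_PERMISSIONS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}

if __name__ == "__main__":
    print("template trust:", check_trust_policy(TRUST_POLICY) or "OK")
    print("template permissions:", check_permissions_policy(CMK_PERMISSIONS, key_arn=KEY_ARN) or "OK")
    print("loose trust:", check_trust_policy(LOOSE_TRUST))
    print("loose permissions:", check_permissions_policy(LOOSE_PERMISSIONS))
```

Run it against the role's real documents by replacing the constructed samples with the output of `aws iam get-role` and `aws iam get-role-policy` (both return the policy documents as JSON); any finding means the role is broader or narrower than the plugin needs. The check deliberately flags `kms:Decrypt` on a role whose secret uses the AWS managed key, since that grant has no purpose there.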

## Configure the Wiz plugin
<a name="wiz-configure"></a>

You configure plugins in the Amazon Q Developer console. Amazon Q uses credentials stored in AWS Secrets Manager to enable interactions with Wiz. 

To configure the Wiz plugin, complete the following procedure: 

1. Open the Amazon Q Developer console at [https://console.aws.amazon.com/amazonq/developer/home](https://console.aws.amazon.com/amazonq/developer/home).

1. On the Amazon Q Developer console home page, choose **Settings**. 

1. In the navigation bar, choose **Plugins**.

1. On the plugins page, choose the plus sign on the **Wiz** panel. The plugin configuration page opens. 

1. For **API endpoint URL**, enter the URL of the API endpoint where you access Wiz. 

1. For **Configure AWS Secrets Manager**, choose either **Create a new secret** or **Use an existing secret**. The Secrets Manager secret is where your Wiz authentication credentials will be stored.

   If you create a new secret, enter the following information:

   1. For **Client ID**, enter the Client ID for your Wiz account.

   1. For **Client Secret**, enter the Client Secret for your Wiz account. 

   1. A service role will be created that Amazon Q will use to access the secret where your Wiz credentials are stored. Do not edit the service role that is created for you. 

   If you use an existing secret, choose a secret from the **AWS Secrets Manager secret** dropdown menu. The secret should include the Wiz authentication credentials specified in the previous step.

   For more information about the required credentials, see [Acquire credentials](#acquire-wiz-credentials).

1. For **Configure AWS IAM service role**, choose either **Create new service role** or **Use existing service role**. 

   **Note**  
   If you chose **Create a new secret** in step 6, you can’t use an existing service role. A new role will be created for you. 

   If you create a new service role, a service role will be created that Amazon Q will use to access the secret where your Wiz credentials are stored. Do not edit the service role that is created for you. 

   If you use an existing service role, choose a role from the dropdown menu that appears. Make sure your service role has the permissions and trust policy defined in [Service roles](#wiz-service-role). 

1. Choose **Save configuration**. 

1. After the Wiz plugin panel appears in the **Configured plugins** section on the Plugins page, users will have access to the plugin.

If you want to update the credentials for a plugin, you must delete your current plugin and configure a new one. Deleting a plugin removes all previous specifications. Any time you configure a new plugin, a new plugin ARN is generated. 

## Configure user permissions
<a name="wiz-configure-user-permissions"></a>

To use plugins, the following permissions are required:
+ Permissions to chat with Amazon Q in the console. For an example IAM policy that grants the permissions needed to chat, see [Allow users to chat with Amazon Q](id-based-policy-examples-users.md#id-based-policy-examples-allow-chat).
+ The `q:UsePlugin` permission.

When you grant an IAM identity access to a configured Wiz plugin, the identity gains access to any resources in the Wiz account retrievable by the plugin. Wiz user permissions are not detected by the plugin. If you want to control access to a plugin, you can do so by specifying the plugin ARN in an IAM policy. 

Each time you create or delete and re-configure a plugin, it is assigned a new ARN. If you use a plugin ARN in a policy, it will need to be updated if you want to grant access to the newly configured plugin. 

To locate the Wiz plugin ARN, go to the **Plugins** page in the Amazon Q Developer console and choose the configured Wiz plugin. On the plugin details page, copy the plugin ARN. You can add this ARN to a policy to allow or deny access to the Wiz plugin.

If you create a policy to control access to Wiz plugins, specify `Wiz` for the plugin provider in the policy.

For examples of IAM policies that control plugin access, see [Allow users to chat with plugins from one provider](id-based-policy-examples-users.md#id-based-policy-examples-allow-plugin-type).
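Because a re-configured plugin gets a new ARN, a policy pinned to the old ARN silently stops granting access, while a policy that uses a wildcard in the plugin-ID position keeps working. The following script is an added example and not AWS's policy engine: it is a small model of how IAM evaluates one identity policy for one action and resource (an explicit `Deny` wins, otherwise any matching `Allow` grants, otherwise the request is implicitly denied) with IAM's `*` and `?` wildcards, so you can see which configured plugins a candidate policy would grant `q:UsePlugin` on before attaching it. The plugin ARNs in it are constructed placeholders, not the real plugin ARN format; the real ARN is the one you copy from the plugin details page.

```python
"""Which plugin ARNs does a user policy grant q:UsePlugin on? (added example)

Not AWS's evaluator: a minimal model of IAM identity-policy evaluation for one
request (explicit Deny > matching Allow > implicit deny), supporting '*' and '?'
wildcards. NotAction / NotResource and resource policies are not modelled.
The ARNs below are constructed placeholders, not the real plugin ARN format.
"""
import re

# Placeholder ARNs: the real ARN is copied from the plugin details page.
OLD_PLUGIN_ARN = "arn:aws:placeholder:us-east-1:111122223333:plugin/Wiz/old-plugin-id"
NEW_PLUGIN_ARN = "arn:aws:placeholder:us-east-1:111122223333:plugin/Wiz/new-plugin-id"


def _matches(pattern, value):
    """IAM-style match: '*' is any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    """IAM accepts either a string or a list in Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Evaluate one identity policy for one request.

    Returns True only if some Allow statement matches both the action (case
    insensitive, as in IAM) and the resource, and no Deny statement does.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_matches(a.lower(), action.lower()) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def plugin_access_report(policy, plugin_arns):
    """Map each plugin ARN to whether the policy grants q:UsePlugin on it."""
    return {arn: is_allowed(policy, "q:UsePlugin", arn) for arn in plugin_arns}


# Constructed sample policies.
PINNED_TO_ONE_PLUGIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "q:UsePlugin", "Resource": OLD_PLUGIN_ARN}]}
ALL_WIZ_PLUGINS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "q:UsePlugin",
     "Resource": "arn:aws:placeholder:us-east-1:111122223333:plugin/Wiz/*"}]}
DENY_WIZ = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "q:UsePlugin", "Resource": "*"},
    {"Effect": "Deny", "Action": "q:UsePlugin",
     "Resource": "arn:aws:placeholder:us-east-1:111122223333:plugin/Wiz/*"}]}

if __name__ == "__main__":
    arns = [OLD_PLUGIN_ARN, NEW_PLUGIN_ARN]
    # After re-configuring, the pinned policy grants the old ARN but not the new one.
    print("pinned policy:", plugin_access_report(PINNED_TO_ONE_PLUGIN, arns))
    print("provider-wide allow:", plugin_access_report(ALL_WIZ_PLUGINS, arns))
    print("explicit deny:", plugin_access_report(DENY_WIZ, arns))
```

The trade-off the report makes visible is the one this section describes: pinning to a single plugin ARN is the tightest control but has to be updated every time the plugin is deleted and re-configured, whereas a wildcard in the plugin-ID position survives re-configuration at the cost of granting every plugin from that provider.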

## Chat with the Wiz plugin
<a name="use-wiz-plugin"></a>

To use the Amazon Q Wiz plugin, enter **@Wiz** at the beginning of a question about your Wiz issues. Follow-up questions or responses to questions from Amazon Q must also include **@Wiz**. 

The following are some example use cases and associated questions you can ask to get the most out of the Amazon Q Wiz plugin: 
+  **View issues with critical severity** – Ask the Amazon Q Wiz plugin to list your issues with critical or high severity. The plugin can return up to 10 issues. You can also ask to list up to the top 10 most severe issues. 
  + **@wiz what are my critical severity issues?** 
  + **@wiz can you specify the top 5?** 
+ **List issues based on date or status** – Ask to list issues based on create date, due date, or resolved date. You can also specify issues based on properties like status, severity, and type. 
  + **@wiz which issues are due before <date>?** 
  + **@wiz what are my issues that have been resolved since <date>?** 
+ **Assess issues with security vulnerabilities** – Ask about the vulnerabilities or exposures that are posing security threats in your issues. 
  + **@wiz which issues are associated with vulnerabilities or external exposures?** 