# Manage access to Amazon Q Developer with policies

**Note**  
The information on this page pertains to accessing Amazon Q Developer. For information about managing access to Amazon Q Business, see [Identity-based policy examples for Amazon Q Business](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/security_iam_id-based-policy-examples.html) in the *Amazon Q Business User Guide*.   
The policies and examples in this topic are specific to Amazon Q in the AWS Management Console, AWS Console Mobile Application, AWS website, AWS Documentation, and in chat applications. Other services integrated with Amazon Q might require different policies or settings. End users of Amazon Q in third-party IDEs are not required to use IAM policies. For more information, see the documentation for the service that contains an Amazon Q feature or integration.

By default, users and roles don't have permission to use Amazon Q. IAM administrators can manage access to Amazon Q Developer and its features by granting permissions to IAM identities.

The quickest way for an administrator to grant access to users is through an AWS managed policy. The `AmazonQFullAccess` policy can be attached to IAM identities to grant full access to Amazon Q Developer and its features. For more information about this policy, see [AWS managed policies for Amazon Q Developer](managed-policy.md).

To manage specific actions that IAM identities can perform with Amazon Q Developer, administrators can create custom policies that define what permissions a user, group, or role has. You can also use service control policies (SCPs) to control what Amazon Q features are available in your organization.

For a list of all Amazon Q permissions you can control with policies, see the [Amazon Q Developer permissions reference](security_iam_permissions.md).

**Topics**
+ [Policy best practices](#security_iam_policy-best-practices)
+ [Assign permissions](#setting-up-assign-permissions)
+ [Manage access with service control policies (SCPs)](#service-control-policies)
+ [Identity-based policy examples for Amazon Q Developer](security_iam_id-based-policy-examples.md)

## Policy best practices


Identity-based policies determine whether someone can create, access, or delete Amazon Q Developer resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [ Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [ Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.

For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

## Assign permissions


To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

## Manage access with service control policies (SCPs)

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. You can control what Amazon Q Developer features are available in your organization by creating an SCP that specifies permissions for some or all Amazon Q actions.

For more information about using SCPs to control access in your organization, see [Creating, updating, and deleting service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html) and [Attaching and detaching service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html) in the *AWS Organizations User Guide*.

### Example SCP: Deny access to Amazon Q outside EU Regions


The following SCP denies access to any use of Amazon Q Developer outside of the Europe (Frankfurt) Region (eu-central-1).

**Note**  
The `codewhisperer` prefix is a legacy name from a service that merged with Amazon Q Developer. For more information, see [Amazon Q Developer rename - Summary of changes](service-rename.md). 

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAmazonQDeveloperOutsideEU",
      "Effect": "Deny",
      "Action": [
         "codewhisperer:GenerateRecommendations",
         "q:SendMessage",
         "q:GenerateCodeFromCommands",
         "sqlworkbench:GetQSqlRecommendations"
         ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": 
        {"aws:RequestedRegion": [ "eu-central-1"] }
      }
    }
  ]
}
```


### Example SCP: Deny access to Amazon Q


The following SCP denies access to Amazon Q Developer. 

**Note**  
Denying access to Amazon Q will not disable the Amazon Q icon or chat panel in the AWS console, AWS website, AWS documentation pages, or AWS Console Mobile Application. 

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAmazonQFullAccess",
      "Effect": "Deny",
      "Action": [
        "q:*"
      ],
      "Resource": "*"
    }
  ]
}
```

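To see how the two SCPs above behave on concrete calls, here is an added example (not AWS code) that models only the Deny-side subset of IAM evaluation those SCPs rely on: case-insensitive action wildcards such as `q:*`, and `StringEquals` / `StringNotEquals` conditions on a request-context key such as `aws:RequestedRegion`. It shows that the region SCP leaves `eu-central-1` calls alone and ignores actions it does not list, and that `q:*` does not reach the legacy `codewhisperer` prefix.

```python
"""Added example (not AWS code): evaluate the two Deny SCPs on this page.

The model covers only what those SCPs use: Effect "Deny", Action wildcards
such as "q:*", Resource "*", and StringEquals / StringNotEquals conditions on
a request-context key such as aws:RequestedRegion. An SCP never grants
anything, so the outcome is only "denied by SCP" or "not denied by SCP"; the
caller's identity-based policy must still allow the action.
"""
import fnmatch
import json

# Constructed copies of the two SCPs shown on this page.
DENY_OUTSIDE_EU = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyAmazonQDeveloperOutsideEU",
    "Effect": "Deny",
    "Action": [
      "codewhisperer:GenerateRecommendations",
      "q:SendMessage",
      "q:GenerateCodeFromCommands",
      "sqlworkbench:GetQSqlRecommendations"
    ],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-central-1"]}}
  }]
}
""")

DENY_ALL_Q = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyAmazonQFullAccess",
    "Effect": "Deny",
    "Action": ["q:*"],
    "Resource": "*"
  }]
}
""")


def _as_list(value):
    """IAM allows a single string or a list in Action and condition values."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def condition_matches(condition, request_context):
    """Return True when every operator/key pair in the Condition is satisfied.

    StringNotEquals is a negated operator, so a key that is absent from the
    request context satisfies it; StringEquals requires the key to be present.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = request_context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def scp_denies(scp, action, request_context):
    """Return the Sid of the first matching Deny statement, or None."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), request_context):
            continue
        return stmt.get("Sid", "<no Sid>")
    return None


if __name__ == "__main__":
    cases = [
        (DENY_OUTSIDE_EU, "q:SendMessage", {"aws:RequestedRegion": "us-east-1"}),
        (DENY_OUTSIDE_EU, "q:SendMessage", {"aws:RequestedRegion": "eu-central-1"}),
        (DENY_OUTSIDE_EU, "q:ListPlugins", {"aws:RequestedRegion": "us-east-1"}),
        (DENY_ALL_Q, "q:ListPlugins", {}),
        # Legacy prefix: "q:*" does not cover codewhisperer:* actions.
        (DENY_ALL_Q, "codewhisperer:GenerateRecommendations", {}),
    ]
    for scp, action, ctx in cases:
        verdict = scp_denies(scp, action, ctx) or "not denied by SCP"
        print(f"{action:45} {ctx.get('aws:RequestedRegion', '-'):14} -> {verdict}")
```

The last case is the practical caveat: a `q:*` deny alone leaves the legacy `codewhisperer` actions untouched, which is why the region SCP lists them explicitly.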

# Identity-based policy examples for Amazon Q Developer

The following example IAM policies control permissions for various Amazon Q Developer actions. Use them to allow or deny Amazon Q Developer access for your users, roles, or groups.

**Note**  
The following example policies grant permissions for features of Amazon Q Developer, but users might need additional permissions to access Amazon Q with an Amazon Q Developer Pro subscription. For more information, see [Allow users to access Amazon Q with an Amazon Q Developer Pro subscription](id-based-policy-examples-users.md#id-based-policy-examples-allow-subs-access).

You can use these policies as written, or you can add permissions for the individual Amazon Q features you want to use. For more information about configuring IAM permissions with Amazon Q, see [Manage access to Amazon Q Developer with policies](security_iam_manage-access-with-policies.md).

For a list of all Amazon Q permissions you can control with policies, see the [Amazon Q Developer permissions reference](security_iam_permissions.md).

**Topics**
+ [Administrator permissions](id-based-policy-examples-admins.md)
+ [User permissions](id-based-policy-examples-users.md)

# Administrator permissions


The following policies allow Amazon Q Developer administrators to perform administrative tasks in the Amazon Q subscription management console and Amazon Q Developer console.

For policies that enable the use of Amazon Q Developer features, see [User permissions](id-based-policy-examples-users.md).

## Allow administrators to use the Amazon Q console


The following example policy grants permissions for a user to perform actions in the Amazon Q console. The Amazon Q console is where you configure Amazon Q's integration with AWS IAM Identity Center and AWS Organizations. Most other Amazon Q Developer-related tasks must be completed in the Amazon Q Developer console. For more information, see [Allow administrators to use the Amazon Q Developer console](#q-admin-setup-admin-users).

**Note**  
The `codewhisperer` prefix is a legacy name from a service that merged with Amazon Q Developer. For more information, see [Amazon Q Developer rename - Summary of changes](service-rename.md). 

```json
{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "organizations:ListAWSServiceAccessForOrganization",
            "organizations:DisableAWSServiceAccess",
            "organizations:EnableAWSServiceAccess",
            "organizations:DescribeOrganization"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "sso:ListApplications",
            "sso:ListInstances",
            "sso:DescribeRegisteredRegions",
            "sso:GetSharedSsoConfiguration",
            "sso:DescribeInstance",
            "sso:CreateInstance",
            "sso:CreateApplication",
            "sso:PutApplicationAuthenticationMethod",
            "sso:PutApplicationAssignmentConfiguration",
            "sso:PutApplicationGrant",
            "sso:PutApplicationAccessScope",
            "sso:DescribeApplication",
            "sso:DeleteApplication",
            "sso:GetSSOStatus",
            "sso:CreateApplicationAssignment",
            "sso:DeleteApplicationAssignment",
            "sso:UpdateApplication"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "sso-directory:DescribeUsers",
            "sso-directory:DescribeGroups",
            "sso-directory:SearchGroups",
            "sso-directory:SearchUsers",
            "sso-directory:DescribeGroup",
            "sso-directory:DescribeUser",
            "sso-directory:DescribeDirectory"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "signin:ListTrustedIdentityPropagationApplicationsForConsole",
            "signin:CreateTrustedIdentityPropagationApplicationForConsole"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "codewhisperer:ListProfiles",
            "codewhisperer:CreateProfile",
            "codewhisperer:DeleteProfile"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "user-subscriptions:ListClaims",
            "user-subscriptions:ListUserSubscriptions",
            "user-subscriptions:CreateClaim",
            "user-subscriptions:DeleteClaim",
            "user-subscriptions:UpdateClaim"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "q:CreateAssignment",
            "q:DeleteAssignment"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "iam:CreateServiceLinkedRole"
         ],
         "Resource":[
            "arn:aws:iam::*:role/aws-service-role/user-subscriptions.amazonaws.com/AWSServiceRoleForUserSubscriptions"
         ]
      }
   ]
}
```


## Allow administrators to use the Amazon Q Developer console


The following example policy grants permissions for a user to access the Amazon Q Developer console. In the Amazon Q Developer console, administrators perform most Amazon Q Developer-related configuration tasks, including tasks related to subscriptions, code references, customizations, and chat plugins. This policy also includes permissions to create and configure customer managed KMS keys. 

There are a few Amazon Q Developer Pro tasks that administrators must complete through the Amazon Q console (instead of the Amazon Q Developer console). For more information, see [Allow administrators to use the Amazon Q console](#q-admin-setup-admin-users-sub).

**Note**  
To create customizations or plugins, your Amazon Q Developer Pro administrator will require additional permissions.   
For permissions needed for customizations, see the Prerequisites for customizations section.
For permissions needed for plugins, see [Allow administrators to configure plugins](#id-based-policy-examples-admin-plugins).

You will need one of two policies to use the Amazon Q Developer console. The policy you need depends on whether you're setting up Amazon Q Developer for the first time or configuring a legacy Amazon CodeWhisperer profile.

**Note**  
The `codewhisperer` prefix is a legacy name from a service that merged with Amazon Q Developer. For more information, see [Amazon Q Developer rename - Summary of changes](service-rename.md). 

For new administrators of Amazon Q Developer, use the following policy: 

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:ListInstances",
        "sso:CreateInstance",
        "sso:CreateApplication",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationGrant",
        "sso:PutApplicationAssignmentConfiguration",
        "sso:ListApplications",
        "sso:GetSharedSsoConfiguration",
        "sso:DescribeInstance",
        "sso:PutApplicationAccessScope",
        "sso:DescribeApplication",
        "sso:DeleteApplication",
        "sso:CreateApplicationAssignment",
        "sso:DeleteApplicationAssignment",
        "sso:UpdateApplication",
        "sso:DescribeRegisteredRegions",
        "sso:GetSSOStatus"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "identitystore:DescribeUser"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:GetUserPoolInfo",
        "sso-directory:DescribeUsers",
        "sso-directory:DescribeGroups",
        "sso-directory:SearchGroups",
        "sso-directory:SearchUsers",
        "sso-directory:DescribeDirectory"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "signin:ListTrustedIdentityPropagationApplicationsForConsole",
        "signin:CreateTrustedIdentityPropagationApplicationForConsole"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "user-subscriptions:ListClaims",
        "user-subscriptions:ListApplicationClaims",
        "user-subscriptions:ListUserSubscriptions",
        "user-subscriptions:CreateClaim",
        "user-subscriptions:DeleteClaim",
        "user-subscriptions:UpdateClaim"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DisableAWSServiceAccess",
        "organizations:EnableAWSServiceAccess"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases",
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:RetireGrant",
        "kms:DescribeKey"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codeguru-security:UpdateAccountConfiguration"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:UpdateProfile",
        "codewhisperer:ListProfiles",
        "codewhisperer:TagResource",
        "codewhisperer:UnTagResource",
        "codewhisperer:ListTagsForResource",
        "codewhisperer:CreateProfile"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "q:ListDashboardMetrics", 
        "q:CreateAssignment", 
        "q:DeleteAssignment"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData", 
        "cloudwatch:ListMetrics"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

For legacy Amazon CodeWhisperer profiles, the following policy will enable an IAM principal to administer a CodeWhisperer application.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:SearchUsers",
        "sso-directory:SearchGroups",
        "sso-directory:GetUserPoolInfo",
        "sso-directory:DescribeDirectory",
        "sso-directory:ListMembersInGroup"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "pricing:GetProducts"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso:AssociateProfile",
        "sso:DisassociateProfile",
        "sso:GetProfile",
        "sso:ListProfiles",
        "sso:ListApplicationInstances",
        "sso:GetApplicationInstance",
        "sso:CreateManagedApplicationInstance",
        "sso:GetManagedApplicationInstance",
        "sso:ListProfileAssociations",
        "sso:GetSharedSsoConfiguration",
        "sso:ListDirectoryAssociations",
        "sso:DescribeRegisteredRegions",
        "sso:GetSsoConfiguration",
        "sso:GetSSOStatus"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "identitystore:ListUsers",
        "identitystore:ListGroups"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases",
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:RetireGrant",
        "kms:DescribeKey"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codeguru-security:UpdateAccountConfiguration"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:UpdateProfile",
        "codewhisperer:ListProfiles",
        "codewhisperer:TagResource",
        "codewhisperer:UnTagResource",
        "codewhisperer:ListTagsForResource",
        "codewhisperer:CreateProfile"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "q:ListDashboardMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

## Allow administrators to create customizations


The following policy grants administrators permission to create and manage customizations in Amazon Q Developer. 

To configure customizations in the Amazon Q Developer console, your Amazon Q Developer administrator will require access to the Amazon Q Developer console. For more information, see [Allow administrators to use the Amazon Q Developer console](#q-admin-setup-admin-users).

**Note**  
In the following policy, the IAM service will report errors on the `codeconnections:ListOwners` and `codeconnections:ListRepositories` permissions. Create the policy with these permissions anyway. The permissions are required, and the policy will work despite the errors.

**Note**  
The `codewhisperer` prefix is a legacy name from a service that merged with Amazon Q Developer. For more information, see [Amazon Q Developer rename - Summary of changes](service-rename.md). 

In the following example, replace *account number* with your AWS account number.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso-directory:DescribeUsers"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codewhisperer:CreateCustomization",
                "codewhisperer:DeleteCustomization",
                "codewhisperer:ListCustomizations",
                "codewhisperer:ListCustomizationVersions",
                "codewhisperer:UpdateCustomization",
                "codewhisperer:GetCustomization",
                "codewhisperer:ListCustomizationPermissions",
                "codewhisperer:AssociateCustomizationPermission",
                "codewhisperer:DisassociateCustomizationPermission"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codeconnections:ListOwners",
                "codeconnections:ListRepositories",
                "codeconnections:ListConnections",
                "codeconnections:GetConnection"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "codeconnections:UseConnection",
            "Resource": [
                "*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "codeconnections:ProviderAction": [
                        "GitPull",
                        "ListRepositories",
                        "ListOwners"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:ListBucket*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```


## Allow administrators to configure plugins


The following example policy grants administrators permissions to view and configure third party plugins in the Amazon Q Developer console. 

**Note**  
In order to access the Amazon Q Developer console, administrators also need the permissions defined in [Allow administrators to use the Amazon Q Developer console](#q-admin-setup-admin-users).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:CreatePlugin",
        "q:GetPlugin",
        "q:DeletePlugin",
        "q:ListPlugins",
        "q:ListPluginProviders",
        "q:UpdatePlugin",
        "q:CreateAuthGrant",
        "q:CreateOAuthAppConnection",
        "q:SendEvent",
        "q:UpdateAuthGrant",
        "q:UpdateOAuthAppConnection",
        "iam:CreateRole",
        "secretsmanager:CreateSecret"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "q.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```


## Allow administrators to configure plugins from one provider


The following example policy grants an administrator permission to configure plugins from one provider, specified by a plugin ARN that names the plugin provider and ends in a wildcard character (`*`). The example uses `us-east-1` and `111122223333` as placeholder values. To use this policy, replace the following in the ARN in the Resource field:
+ *AWS-region* – The AWS Region where the plugin will be created.
+ *AWS-account-ID* – The AWS account ID of the account where your plugin is configured.
+ *plugin-provider* – The name of the plugin provider that you want to allow configuration for, like `CloudZero`, `Datadog`, or `Wiz`. The plugin provider field is case sensitive.

**Note**  
In order to access the Amazon Q Developer console, administrators also need the permissions defined in [Allow administrators to use the Amazon Q Developer console](#q-admin-setup-admin-users).

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateProviderPlugin",
            "Effect": "Allow",
            "Action": [
                "q:CreatePlugin",
                "q:GetPlugin",
                "q:DeletePlugin"
            ],
            "Resource": "arn:aws:qdeveloper:us-east-1:111122223333:plugin/plugin-provider/*"
        }
    ]
}
```


## Allow migration of more than one network or more than one subnet


```json
{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "MGNNetworkMigrationAnalyzerEC2ResourceSgTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:vpc/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerEC2RequestSgTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:security-group/*",
                "arn:aws:ec2:us-east-1:111122223333:security-group-rule/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },

        {
            "Sid": "MGNNetworkMigrationAnalyzerEC2SecurityGroupTags",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:security-group/*",
                "arn:aws:ec2:us-east-1:111122223333:security-group-rule/*",
                "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
                "arn:aws:ec2:us-east-1:111122223333:network-insights-path/*",
                "arn:aws:ec2:us-east-1:111122223333:network-insights-analysis/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService",
                    "ec2:CreateAction": [
                        "CreateSecurityGroup",
                        "CreateNetworkInterface",
                        "CreateNetworkInsightsPath",
                        "StartNetworkInsightsAnalysis"
                    ]
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerENIResourceTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:subnet/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerENISG",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:security-group/*"
            ]
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerEC2ResourceTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInsightsPath"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigAnalyzerEC2RequestTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInsightsPath",
                "ec2:StartNetworkInsightsAnalysis"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzeNetwork",
            "Effect": "Allow",
            "Action": [
                "ec2:StartNetworkInsightsAnalysis"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

------

# User permissions


The following policies allow users to access features of Amazon Q Developer on AWS apps and websites, including the AWS Management Console, AWS Console Mobile Application, and AWS Documentation site.

For policies that enable administrative access to Amazon Q Developer, see [Administrator permissions](id-based-policy-examples-admins.md). 

**Note**  
Users accessing [Amazon Q in the IDE](q-in-IDE.md) or [Amazon Q on the command line](command-line.md) don't require IAM permissions. 

## Allow users to access Amazon Q with an Amazon Q Developer Pro subscription


The following example policy grants permission to use Amazon Q with an Amazon Q Developer Pro subscription. Without these permissions, users can only access the Free tier of Amazon Q. To chat with Amazon Q or use other Amazon Q features, users need additional permissions, such as those granted by the example policies in this section.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "AllowGetIdentity",
            "Effect": "Allow",
            "Action": [
                "q:GetIdentityMetaData"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSetTrustedIdentity",
            "Effect": "Allow",
            "Action": [
                "sts:SetContext"
            ],
            "Resource": "arn:aws:sts::*:self"
        }
    ]
}
```

------

## Allow Amazon Q access to customer managed keys


The following example policy grants users permissions to access features encrypted with a customer managed key by allowing Amazon Q access to the key. This policy is required to use Amazon Q if an administrator has set up a customer managed key for encryption.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "QKMSDecryptGenerateDataKeyPermissions",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:ReEncryptFrom",
                "kms:ReEncryptTo"
            ],
            "Resource": [
            "arn:aws:kms:us-east-1:111122223333:key/key_id"
            ],
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                    "q.us-east-1.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------

## Allow users to chat with Amazon Q


The following example policy grants permissions to chat with Amazon Q in the console.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "AllowAmazonQConversationAccess",
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:UpdateConversation",
        "q:DeleteConversation"
      ],
      "Resource": "*"
    }
  ]
}
```

------

## Allow users to use Amazon Q CLI with AWS CloudShell


The following example policy grants permissions to use Amazon Q CLI with AWS CloudShell.

**Note**  
The `codewhisperer` prefix is a legacy name from a service that merged with Amazon Q Developer. For more information, see [Amazon Q Developer rename - Summary of changes](service-rename.md). 

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codewhisperer:GenerateRecommendations",
                "codewhisperer:ListCustomizations"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "q:StartConversation",
                "q:SendMessage"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## Allow users to run transformations on the command line


The following example policy grants permissions to transform code with the [Amazon Q command line tool for transformations](transform-CLI.md). This policy does not affect access to [Amazon Q on the command line](command-line.md).

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "qdeveloper:StartAgentSession",
              "qdeveloper:ImportArtifact",
              "qdeveloper:ExportArtifact",
              "qdeveloper:TransformCode"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## Allow users to diagnose console errors with Amazon Q


The following example policy grants permissions to diagnose console errors with Amazon Q.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "AllowAmazonQTroubleshooting",
      "Effect": "Allow",
      "Action": [
        "q:StartTroubleshootingAnalysis",
        "q:GetTroubleshootingResults",
        "q:StartTroubleshootingResolutionExplanation",
        "q:UpdateTroubleshootingCommandResult",
        "q:PassRequest",
        "cloudformation:GetResource"
      ],
      "Resource": "*"
    }
  ]
}
```

------

## Allow users to generate code from CLI commands with Amazon Q


The following example policy grants permissions to generate code from recorded CLI commands with Amazon Q, which enables the use of the Console-to-Code feature.

------
#### [ JSON ]

****  

```
{
   "Version":"2012-10-17",		 	 	 
   "Statement": [
       {
         "Sid": "AllowAmazonQConsoleToCode",
         "Effect": "Allow",
         "Action": "q:GenerateCodeFromCommands",
         "Resource": "*"
       }
   ]
}
```

------

## Allow users to chat about resources with Amazon Q


The following example policy grants permission to chat with Amazon Q about resources, and allows Amazon Q to retrieve resource information on your behalf. Amazon Q only has permission to access resources that your IAM identity has permissions for. 

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "AllowAmazonQPassRequest",
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:UpdateConversation",
        "q:DeleteConversation",
        "q:PassRequest"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCloudControlReadAccess",
      "Effect": "Allow",
      "Action": [
         "cloudformation:GetResource",
         "cloudformation:ListResources"
      ],
      "Resource": "*"
    }
  ]
}
```

------

## Allow Amazon Q to perform actions on your behalf in chat


The following example policy grants permission to chat with Amazon Q, and allows Amazon Q to perform actions on your behalf. Amazon Q only has permission to perform actions that your IAM identity has permission to perform. 

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "AllowAmazonQPassRequest",
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:UpdateConversation",
        "q:DeleteConversation",
        "q:PassRequest"
      ],
      "Resource": "*"
    }
  ]
}
```

------

## Allow Amazon Q to access cost data and provide cost optimization recommendations


The following example policy grants permission to chat with Amazon Q about your costs and allows Amazon Q to access your cost data and provide cost analysis and optimization recommendations. This policy includes permissions for AWS Cost Explorer, AWS Cost Optimization Hub, AWS Compute Optimizer, AWS Budgets, AWS Free Tier, AWS Pricing, and Savings Plans and reservation recommendations.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "AllowAmazonQChatAndPassRequest",
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:UpdateConversation",
        "q:DeleteConversation",
        "q:PassRequest"
      ],
      "Resource": "*"
   },
    {
      "Sid": "AllowCostExplorerAccess",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ce:GetCostAndUsageWithResources",
        "ce:GetCostForecast",
        "ce:GetUsageForecast",
        "ce:GetTags",
        "ce:GetCostCategories",
        "ce:GetDimensionValues",
        "ce:GetSavingsPlansUtilization",
        "ce:GetSavingsPlansCoverage",
        "ce:GetSavingsPlansUtilizationDetails",
        "ce:GetReservationUtilization",
        "ce:GetReservationCoverage",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetRightsizingRecommendation",
        "ce:GetAnomalies",
       "ce:GetCostAndUsageComparisons",
       "ce:GetCostComparisonDrivers"
      ],
      "Resource": "*"
   },
    {
      "Sid": "AllowCostOptimizationHubAccess",
      "Effect": "Allow",
      "Action": [
        "cost-optimization-hub:GetRecommendation",
        "cost-optimization-hub:ListRecommendations",
        "cost-optimization-hub:ListRecommendationSummaries"
      ],
      "Resource": "*"
   },
    {
      "Sid": "AllowComputeOptimizerAccess",
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:GetAutoScalingGroupRecommendations",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetEC2InstanceRecommendations",
        "compute-optimizer:GetECSServiceRecommendations",
        "compute-optimizer:GetRDSDatabaseRecommendations",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "compute-optimizer:GetIdleRecommendations",
        "compute-optimizer:GetLicenseRecommendations",
        "compute-optimizer:GetEffectiveRecommendationPreferences"
      ],
      "Resource": "*"
   },
    {
      "Sid": "AllowBudgetsAccess",
      "Effect": "Allow",
      "Action": [
        "budgets:ViewBudget"
      ],
      "Resource": "*"
   },
    {
      "Sid": "AllowFreeTierAccess",
      "Effect": "Allow",
      "Action": [
        "freetier:GetFreeTierUsage",
        "freetier:GetAccountPlanState",
        "freetier:ListAccountActivities",
       "freetier:GetAccountActivity"
      ],
      "Resource": "*"
   },
    {
      "Sid": "AllowPricingAccess",
      "Effect": "Allow",
      "Action": [
        "pricing:GetProducts",
        "pricing:GetAttributeValues",
        "pricing:DescribeServices"
      ],
      "Resource": "*"
   }
  ]
}
```

------

## Deny Amazon Q permission to perform specific actions on your behalf


The following example policy grants permission to chat with Amazon Q, and allows Amazon Q to perform any action on your behalf that your IAM identity has permission to perform, except for Amazon EC2 actions. This policy uses the [`aws:CalledVia` global condition key](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-calledvia) to specify that Amazon EC2 actions are only denied when Amazon Q calls them. 

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:UpdateConversation",
        "q:DeleteConversation",
        "q:PassRequest"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:*"
      ],
      "Resource": "*",
      "Condition": {
            "ForAnyValue:StringEquals": {
               "aws:CalledVia": ["q.amazonaws.com"]
            }
       }
    }
  ]
}
```

------

## Allow Amazon Q permission to perform specific actions on your behalf


The following example policy grants permission to chat with Amazon Q, and allows Amazon Q to perform any action on your behalf that your IAM identity has permission to perform, with the exception of Amazon EC2 actions. This policy grants your IAM identity permission to perform any Amazon EC2 action, but only allows Amazon Q to perform the `ec2:describeInstances` action. This policy uses the [`aws:CalledVia` global condition key](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-calledvia) to specify that Amazon Q is only allowed to call `ec2:describeInstances`, and not any other Amazon EC2 actions.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:UpdateConversation",
        "q:DeleteConversation",
        "q:PassRequest"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": "*",
      "Condition": {
            "ForAnyValue:StringNotEquals": {
               "aws:CalledVia": ["q.amazonaws.com"]
            }
       }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:describeInstances"
      ],
      "Resource": "*",
       "Condition": {
            "ForAnyValue:StringEquals": {
               "aws:CalledVia": ["q.amazonaws.com"]
            }
       }
    }
  ]
}
```

------

## Allow Amazon Q permission to perform actions on your behalf in specific regions


The following example policy grants permission to chat with Amazon Q, and allows Amazon Q to make calls to only the `us-east-1` and `us-west-2` Regions when performing actions on your behalf. Amazon Q can't make calls to any other Region. For more information on how to specify what Regions you can make calls to, see [aws:RequestedRegion](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requestedregion) in the *AWS Identity and Access Management User Guide*.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:UpdateConversation",
        "q:DeleteConversation",
        "q:PassRequest"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
            "aws:RequestedRegion": [ 
                "us-east-1", 
                "us-west-2"
            ] 
        } 
      }
    }
  ]
}
```

------

## Deny Amazon Q permission to perform actions on your behalf


The following example policy prevents Amazon Q from performing actions on your behalf.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "DenyAmazonQPassRequest",
      "Effect": "Deny",
      "Action": [
        "q:PassRequest"
      ],
      "Resource": "*"
    }
  ]
}
```

------
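To see how the `aws:CalledVia` deny, the `aws:RequestedRegion` restriction and the explicit `q:PassRequest` deny from the three sections above interact with an identity's other permissions, here is a small policy evaluator written for this page as an added example. It is not AWS code and is no substitute for the IAM policy simulator: it implements only the slice of IAM evaluation those policies rely on (implicit deny by default, an explicit `Deny` overriding every `Allow`, case-insensitive action wildcards, single-valued `StringEquals`/`StringLike`, and `ForAnyValue:StringEquals` on a multi-valued key), ignores `Resource` matching because every statement here uses `"*"`, and the request contexts and the baseline `ec2:*` allow policy it pairs the page's policies with are constructed assumptions.

```python
import fnmatch

# Constructed baseline policy (an assumption for the demo): the identity's
# pre-existing EC2 permissions, which the page says Amazon Q inherits.
BASELINE_EC2 = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

CHAT_ACTIONS = ["q:StartConversation", "q:SendMessage", "q:GetConversation",
                "q:ListConversations", "q:UpdateConversation",
                "q:DeleteConversation", "q:PassRequest"]

# Page policy: chat and PassRequest allowed; EC2 denied only when Amazon Q is the caller.
DENY_EC2_VIA_Q = {"Statement": [
    {"Effect": "Allow", "Action": CHAT_ACTIONS, "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:*"], "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": ["q.amazonaws.com"]}}},
]}

# Page policy: chat and PassRequest allowed only in two Regions.
REGION_LIMITED = {"Statement": [
    {"Effect": "Allow", "Action": CHAT_ACTIONS, "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}}},
]}

# Page policy: explicit deny of q:PassRequest.
DENY_PASS_REQUEST = {"Statement": [
    {"Effect": "Deny", "Action": ["q:PassRequest"], "Resource": "*"},
]}

# Constructed request contexts. aws:CalledVia is multi-valued and is absent
# when the principal calls the service directly rather than through Amazon Q.
DIRECT = {"aws:RequestedRegion": "us-east-1"}
VIA_Q = {"aws:RequestedRegion": "us-east-1", "aws:CalledVia": ["q.amazonaws.com"]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and accept '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_matches(condition, ctx):
    """True when every condition entry holds for the request context."""
    for operator, pairs in condition.items():
        set_op, _, base = operator.rpartition(":")  # "ForAnyValue:StringEquals" -> prefix, base
        for key, wanted in pairs.items():
            wanted = _as_list(wanted)
            present = _as_list(ctx[key]) if key in ctx else []
            if base == "StringEquals":
                hits = [v in wanted for v in present]
            elif base == "StringLike":
                hits = [any(fnmatch.fnmatchcase(v, w) for w in wanted) for v in present]
            else:
                raise NotImplementedError(operator)
            if set_op == "ForAnyValue":
                ok = any(hits)                   # needs one matching value; absent key -> False
            elif set_op == "":
                ok = len(hits) == 1 and hits[0]  # single-valued key must be present and match
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def evaluate(policies, action, ctx):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _action_matches(stmt["Action"], action):
                continue
            if not _condition_matches(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"                    # an explicit deny overrides every allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def demo():
    """Evaluate the scenarios the three sections describe; returns {scenario: decision}."""
    eu = {"aws:RequestedRegion": "eu-west-1"}
    return {
        "ec2 direct":         evaluate([BASELINE_EC2, DENY_EC2_VIA_Q], "ec2:RunInstances", DIRECT),
        "ec2 via Q":          evaluate([BASELINE_EC2, DENY_EC2_VIA_Q], "ec2:RunInstances", VIA_Q),
        "chat direct":        evaluate([BASELINE_EC2, DENY_EC2_VIA_Q], "q:SendMessage", DIRECT),
        "chat us-east-1":     evaluate([REGION_LIMITED], "q:SendMessage", DIRECT),
        "chat eu-west-1":     evaluate([REGION_LIMITED], "q:SendMessage", eu),
        "passrequest denied": evaluate([DENY_EC2_VIA_Q, DENY_PASS_REQUEST], "q:PassRequest", DIRECT),
        "chat still allowed": evaluate([DENY_EC2_VIA_Q, DENY_PASS_REQUEST], "q:SendMessage", DIRECT),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:20} -> {decision}")
```

Running the block prints one decision per scenario. The point to notice is that the `Deny` statement never fires on the direct `ec2:RunInstances` call, because `aws:CalledVia` is absent from that request context and `ForAnyValue` over an absent key evaluates to false, while the same action made through Amazon Q is explicitly denied even though the baseline policy allows it. Likewise, the `DenyAmazonQPassRequest` statement wins over the `Allow` of `q:PassRequest` in the chat policy while leaving `q:SendMessage` untouched.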

## Allow users to chat with plugins from one provider


The following example policy grants permission to chat with any plugin from a given provider that an administrator has configured. The plugin is specified by an ARN that ends with the plugin provider's name followed by a wildcard character (`*`). Because the wildcard matches every plugin from that provider, a user with these permissions retains access to a plugin that is deleted and configured again. To use this policy, replace the following values in the ARN in the `Resource` field: 
+ *AWS-region* – The AWS Region where the plugin was created.
+ *AWS-account-ID* – The AWS account ID of the account where your plugin is configured.
+ *plugin-provider* – The name of the plugin provider that you want to allow access to, like `CloudZero`, `Datadog`, or `Wiz`. The plugin provider field is case sensitive.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "AllowAmazonQConversationAccess",
            "Effect": "Allow",
            "Action": [
                "q:StartConversation",
                "q:SendMessage",
                "q:GetConversation",
                "q:ListConversations",
                "q:UpdateConversation",
                "q:DeleteConversation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowAmazonQPluginAccess",
            "Effect": "Allow",
            "Action": [
                "q:UsePlugin"
            ],
            "Resource": "arn:aws:qdeveloper:us-east-1:111122223333:plugin/plugin-provider/*"
        }
    ]
}
```

------

## Allow users to chat with a specific plugin


The following example policy grants permission to chat with a specific plugin, specified by the plugin ARN. If the plugin is deleted and re-configured, a user will not have access to the new plugin unless the plugin ARN is updated in this policy. To use this policy, replace the following in the ARN in the `Resource` field: 
+ *AWS-region* – The AWS Region where the plugin was created.
+ *AWS-account-ID* – The AWS account ID of the account where your plugin is configured.
+ *plugin-provider* – The name of the plugin provider that you want to allow access to, like `CloudZero`, `Datadog`, or `Wiz`. The plugin provider field is case sensitive.
+ *plugin-ARN* – The ARN of the plugin you want to allow access to.

## Deny access to Amazon Q


The following example policy denies all permissions to use Amazon Q.

**Note**  
When you deny access to Amazon Q, the Amazon Q icon and chat panel still appear in the AWS console, AWS website, AWS documentation pages, and AWS Console Mobile Application; the denied user simply cannot use them.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "DenyAmazonQFullAccess",
      "Effect": "Deny",
      "Action": [
        "q:*"
      ],
      "Resource": "*"
    }
  ]
}
```

------

## Allow users to view their permissions


This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

```
{
    "Version": "2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ViewOwnUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Resource": ["arn:aws:iam::*:user/${aws:username}"]
        },
        {
            "Sid": "NavigateInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
```