

AWS Chatbot is now Amazon Q Developer. [Learn more](service-rename.md)

# Understanding Amazon Q Developer in chat applications permissions
<a name="understanding-permissions"></a>

Amazon Q Developer in chat applications requires an AWS Identity and Access Management (IAM) role to [perform actions](performing-actions.md). Actions you can perform in your chat channels include running commands and responding to interactive messages. Amazon Q Developer in chat applications uses organization policies, service control policies (SCPs), channel roles, user roles, and channel guardrail policies to control the actions channel members can take. What your users can do is the intersection of your guardrail policies and what is allowed by their roles.

**Topics**
+ [Organization policies](#orgs-policy)
+ [Role setting](#role-settings)
+ [Channel guardrail policies](#channel-guardrails)
+ [Non-supported operations](#forbidden-permissions)
+ [Securing your AWS organization in Amazon Q Developer in chat applications](securing-orgs.md)
+ [Chat client application permissions for Amazon Q Developer in chat applications](app-permissions.md)
+ [Managing IAM roles for Amazon Q Developer in chat applications](manage-user-roles.md)
+ [Protection policy](#cbt-protection-policy)

## Organization policies
<a name="orgs-policy"></a>

### Amazon Q Developer in chat applications organization policies (chat applications policies)
<a name="orgs-policy"></a>

Organization administrators can manage multiple Amazon Q Developer in chat applications settings across all accounts within an organization using an Amazon Q Developer in chat applications chat applications policy (chat applications policy). Chat applications policies define where Amazon Q Developer in chat applications can deliver notifications and if it can respond to Amazon Q Developer in chat applications mention events. For more information, see [Securing your AWS organization in Amazon Q Developer in chat applications](securing-orgs.md).

### Service control policies (SCPs)
<a name="sc-policy"></a>

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for the IAM users and IAM roles in your organization. For more information, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.

## Role setting
<a name="role-settings"></a>

### Channel role
<a name="channel-role"></a>

 A channel role gives all channel members the same permissions. This is useful if your channel members are similar users or they typically perform the same actions. You can use an existing role as your channel role or you can create a new role using templates. If you use a channel role, your channel members can still choose their own user roles. Your channel role is restricted by your guardrail policies. You can set your channel role in channel configurations from the Amazon Q Developer in chat applications console. 

#### Channel role templates
<a name="channel-template"></a>

 There are eight templates that can be used to create a channel role: 
+ Notification permissions
+ Read-only command permissions
+ Lambda-invoke command permissions
+ AWS Support command permissions
+ Incident Manager permissions
+ Resource Explorer permissions
+ Amazon Q permissions
+ Amazon Q operations assistant permissions

 You can use any and all combinations of these templates to suit your needs. For example, if you want to create a configuration that only delivers notifications, choose **Notification permissions** as your policy template. If you want your channel members to run read-only commands exclusively and you want notifications to be delivered, choose **Read-only command permissions** and **Notification permissions** as your policy templates. For more information, see [IAM policies for Amazon Q Developer in chat applications](chatbot-iam-policies.md).

### User roles
<a name="user-roles"></a>

 User roles require channel members to choose their own roles. As a result, different users in your channel can have different permissions. If you have a diverse set of channel members or you don't want new channel members to perform actions as soon as they join your channel, user roles are appropriate. Under this scheme, a channel member must have applied a user role before they can perform actions. When channel members apply a user role, it is mapped to their chat client ID. Administrators can unmap user roles from chat client IDs in the Amazon Q Developer in chat applications console. Your channel members' actions are limited by your guardrail policies, regardless of which user roles they have applied. For more information on managing user roles, see [Managing IAM roles for Amazon Q Developer in chat applications](manage-user-roles.md). 

#### User role requirement
<a name="role-reqs"></a>

 Administrators can require user roles for all current channel members and channels, and for all channels created in the future, by enabling a user role requirement in the Amazon Q Developer in chat applications console. Individual channels can't override this requirement. You can enable the requirement at the account level in **User permissions** if you want every workspace and channel to use user roles. It can also be enabled at the channel configuration level, where a channel-level administrator can turn on the user role requirement for that channel. 

**Note**  
This feature is enforced at the account level.

## Channel guardrail policies
<a name="channel-guardrails"></a>

Guardrail policies provide detailed control over what actions are available to your channel members and what actions Amazon Q Developer in chat applications can perform on your behalf. They constrain and take precedence over both user roles and channel roles. For example, if a user has a user role that allows administrator access, and they belong to a channel where the channel role or the guardrail policies limit permissions on one or more services, the user will have less than administrator-level access. You can set, view, and edit your guardrail policies in the Amazon Q Developer in chat applications console. If you had an Amazon Q Developer in chat applications configuration before the expansion of available commands on 11/28/2021, you may have a protection policy applied as one of your guardrail policies. 

**Note**  
AWS Service Roles IAM policies can't be used as guardrail policies.

## Non-supported operations
<a name="forbidden-permissions"></a>

Amazon Q Developer in chat applications doesn't support running commands for operations in the following JSON policy:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "appsync:ListApiKeys",
        "chatbot:*",
        "codecommit:GetFile",
        "codecommit:GetCommit",
        "codecommit:GetDifferences",
        "cognito-idp:*",
        "cognito-identity:*",
        "connect:GetFederationToken",
        "dynamodb:BatchGetItem",
        "dynamodb:GetItem",
        "ec2:GetPasswordData",
        "ecr:GetAuthorizationToken",
        "gamelift:RequestUploadCredentials",
        "gamelift:GetInstanceAccess",
        "identitystore:*",
        "lightsail:DownloadDefaultKeyPair",
        "lightsail:GetKeyPair",
        "lightsail:GetKeyPairs",
        "lightsail:UpdateRelationalDatabase",
        "iam:*",
        "kms:*",
        "redshift:GetClusterCredentials",
        "sdb:*",
        "secretsmanager:*",
        "sso:*",
        "storagegateway:DescribeChapCredentials",
        "sts:*",
        "s3:GetObject",
        "s3:PutObject",
        "s3:GetBucketPolicy",
        "snowball:GetJobUnlockCode"
      ],
      "Effect": "Deny",
      "Resource": "*"
    }
  ]
}
```

# Securing your AWS organization in Amazon Q Developer in chat applications
<a name="securing-orgs"></a>

You can secure your AWS organization or organizational units (OUs) using organization policies. AWS Organizations is a service for grouping and centrally managing multiple AWS accounts that your business owns. If you enable all features in an organization, you can apply organization policies such as a chat applications policy and service control policies (SCPs) to any or all of your accounts. A chat applications policy defines which permissions models, chat platforms, and chat workspaces can be used to access your accounts. SCPs limit permissions for entities in member accounts, including each AWS account root user. Effective chat application permissions are the intersection between organization level controls (organization policies) and account level controls ([User role requirement](understanding-permissions.md#role-reqs), Amazon Q Developer in chat applications configuration resources). For more information about organization policies, see [Managing policies with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html) in the *AWS Organizations User Guide*.

**Topics**
+ [Amazon Q Developer in chat applications organization policies](chatbot-orgs-policy.md)
+ [Service control policies (SCPs) for Amazon Q Developer in chat applications](scp.md)

# Amazon Q Developer in chat applications organization policies
<a name="chatbot-orgs-policy"></a>

Organization administrators can manage multiple Amazon Q Developer in chat applications settings across all accounts within an organization using Amazon Q Developer in chat applications chat applications policies (chat applications policies). Chat applications policies define where Amazon Q Developer in chat applications can deliver notifications and if it can respond to Amazon Q Developer in chat applications mention events. Using chat applications policies, administrators can:
+ Enforce which chat platforms can be used across your organization (Amazon Chime, Microsoft Teams, and Slack)
+ Restrict chat client access to specific workspaces and teams.
+ Restrict Slack channel visibility to either public or private channels.
+ Set and enforce specific role settings.

Chat applications policies restrict and take precedence over account level settings like [role settings](understanding-permissions.md#role-settings) and [Channel guardrail policies](understanding-permissions.md#channel-guardrails). Administrators can define rules in a policy and apply those rules to an entire organization or to a group of accounts, referred to as an organizational unit (OU). For more information, see [Managing organizational units](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html) in the *AWS Organizations User Guide*. You can access and modify these policies from the Amazon Q Developer in chat applications console or the AWS Organizations console. For more information about organization policies, see [Managing policies in AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html) in the *AWS Organizations User Guide*.

If your users try to perform an action restricted by your chat applications policy, an error message informs them that the action is disallowed by the policy. We recommend that they contact their organization administrator.

**Note**  
 Amazon Q Developer in chat applications organization policies are validated at runtime, so existing resources are continuously checked for compliance. There is no overlap with existing IAM permissions as there aren’t currently any runtime-based IAM permissions for sending notifications or interacting with Amazon Q Developer in chat applications. 

**Note**  
Chat application policies are limited to AWS account access to Amazon Q Developer in chat applications. These policies don't manage Amazon Q Business access from chat applications.

**Topics**
+ [Example Amazon Q Developer in chat applications organization policy](#example-org-policy)
+ [Enabling chat applications policies](#enable-org-pol)
+ [Disabling chat applications policies](#disable-org-pol)
+ [Tutorial: Creating chat applications policies in Amazon Q Developer in chat applications](org-policy-tutorial.md)
+ [Editing chat applications policies in Amazon Q Developer in chat applications](edit-org-pol.md)
+ [Deleting chat applications policies in Amazon Q Developer in chat applications](delete-org-pol.md)

## Example Amazon Q Developer in chat applications organization policy
<a name="example-org-policy"></a>

The following policy allows restricted Amazon Q Developer in chat applications access for selected Slack workspaces and a Microsoft Teams tenant.

```
{
    "chatbot":{
       "platforms":{
          "slack":{
             "client":{
                "@@assign":"enabled"
             },
             "workspaces": { // limit 255
                   "@@assign":[
                      "Slack-Workspace-Id1",
                      "Slack-Workspace-Id2"
                   ]
             },
             "default":{
                "supported_channel_types":{
                   "@@assign":[
                      "private"
                   ]
                },
                "supported_role_settings":{
                   "@@assign":[
                      "user_role"
                   ]
                }
             },
             "overrides":{ // limit 255
                "Slack-Workspace-Id2":{
                   "supported_channel_types":{
                      "@@assign":[
                         "public",
                         "private"
                      ]
                   },
                   "supported_role_settings":{
                      "@@assign":[
                         "channel_role",
                         "user_role"
                      ]
                   }
                }
             }
          },
          "microsoft_teams":{
             "client":{
                "@@assign":"enabled"
             },
             "tenants":{ // limit 36
                "Microsoft-Teams-Tenant-Id":{ // limit 36
                   "@@assign":[
                      "Microsoft-Teams-Team-Id"
                   ]
                }
             },
             "default":{
                "supported_role_settings":{
                   "@@assign":[
                      "user_role"
                   ]
                }
             },
             "overrides":{ // limit 36
                "Microsoft-Teams-Tenant-Id":{
                   "Microsoft-Teams-Team-Id":{
                      "supported_role_settings":{
                         "@@assign":[
                            "channel_role",
                            "user_role"
                         ]
                      }
                   }
                }
             }
          }
       },
       "default":{
          "client":{
             "@@assign":"disabled"
          }
       }
    }
}
```

**For Slack**
+ The Slack client is enabled.
+ The allowed Slack workspaces are *Slack-Workspace-Id1* and *Slack-Workspace-Id2*.
+ The default settings for Slack are to only allow private channels and User level IAM roles.
+ There is an override for the workspace *Slack-Workspace-Id2* that allows both public and private channels as well as both Channel level IAM roles and User level IAM roles.

**For Microsoft Teams**
+ The Microsoft Teams client is enabled.
+ The only allowed Teams tenant is *Microsoft-Teams-Tenant-Id*, and within that tenant the only allowed team is *Microsoft-Teams-Team-Id*.
+ The default settings are to only allow User level IAM roles.
+ There is an override for the team *Microsoft-Teams-Team-Id* in tenant *Microsoft-Teams-Tenant-Id* that allows both Channel level IAM roles and User level IAM roles.

**Additional details**
+ The `default` block at the bottom sets the client to be disabled, which disables Amazon Q Developer in chat applications across the organization unless overridden at a lower level. This means Amazon Chime is disabled in this example. This default also disables any new chat platform that Amazon Q Developer in chat applications supports. For example, if Amazon Q Developer in chat applications supports a new chat platform, this default disables that newly supported chat platform as well.
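The following script is an added example, not code from the AWS documentation or from AWS Organizations. It loads the example policy above (with the `// limit` annotations removed) and resolves what a proposed chat configuration would be allowed to use, applying the precedence this page describes: the platform `client` must be enabled, the workspace or tenant/team must be listed, a per-workspace or per-team override replaces a setting from the platform `default` block, and the trailing organization `default` governs any platform the policy does not name. The `evaluate()` function, its request dictionary shape, and the treatment of an absent organization default as "unrestricted" are assumptions made for the illustration; the service's own policy engine is not reproduced here.

```python
"""Resolve what the example chat applications policy above permits.

Added example, not code from the AWS documentation or from AWS Organizations.
It models the precedence described on this page: a platform's `client` must be
enabled, a Slack workspace or a Teams tenant/team must be listed, the platform
`default` block applies unless a per-workspace or per-team override replaces a
setting, and the trailing organization `default` governs platforms the policy
does not mention. `@@assign` is read as "replace the value", which is its
meaning in AWS Organizations management policies. Treat evaluate() as an
illustration of the merge order, not as the service's own engine.
"""

# Constructed: the example policy from this page with the `// limit`
# annotations removed so that it is a valid document.
EXAMPLE_POLICY = {"chatbot": {
    "platforms": {
        "slack": {
            "client": {"@@assign": "enabled"},
            "workspaces": {"@@assign": ["Slack-Workspace-Id1", "Slack-Workspace-Id2"]},
            "default": {
                "supported_channel_types": {"@@assign": ["private"]},
                "supported_role_settings": {"@@assign": ["user_role"]},
            },
            "overrides": {"Slack-Workspace-Id2": {
                "supported_channel_types": {"@@assign": ["public", "private"]},
                "supported_role_settings": {"@@assign": ["channel_role", "user_role"]},
            }},
        },
        "microsoft_teams": {
            "client": {"@@assign": "enabled"},
            "tenants": {"Microsoft-Teams-Tenant-Id": {"@@assign": ["Microsoft-Teams-Team-Id"]}},
            "default": {"supported_role_settings": {"@@assign": ["user_role"]}},
            "overrides": {"Microsoft-Teams-Tenant-Id": {"Microsoft-Teams-Team-Id": {
                "supported_role_settings": {"@@assign": ["channel_role", "user_role"]},
            }}},
        },
    },
    "default": {"client": {"@@assign": "disabled"}},
}}


def _assign(node, key, default=None):
    """Value under node[key]["@@assign"], or default when the key is absent."""
    return node.get(key, {}).get("@@assign", default)


def evaluate(policy, request):
    """Return (allowed, reason) for a proposed chat configuration.

    request keys: "platform" ("slack", "microsoft_teams", "chime", ...);
    for slack also "workspace", "channel_type", "role_setting";
    for microsoft_teams also "tenant", "team", "role_setting".
    """
    root = policy["chatbot"]
    platform = request["platform"]
    spec = root.get("platforms", {}).get(platform)
    if spec is None:
        # Assumption: a platform the policy never names falls back to the
        # organization-wide default block, and is unrestricted if that block is absent.
        state = _assign(root.get("default", {}), "client", "enabled")
        return state == "enabled", f"{platform}: client {state} by the organization default"
    if _assign(spec, "client") != "enabled":
        return False, f"{platform}: client disabled by policy"

    effective = dict(spec.get("default", {}))  # start from the platform default
    if platform == "slack":
        scope = request["workspace"]
        if scope not in _assign(spec, "workspaces", []):
            return False, f"slack: workspace {scope} is not an allowed workspace"
        effective.update(spec.get("overrides", {}).get(scope, {}))
    elif platform == "microsoft_teams":
        tenant, team = request["tenant"], request["team"]
        scope = f"{tenant}/{team}"
        if team not in _assign(spec.get("tenants", {}), tenant, []):
            return False, f"microsoft_teams: team {scope} is not an allowed team"
        effective.update(spec.get("overrides", {}).get(tenant, {}).get(team, {}))
    else:
        scope = platform

    # An override replaces a setting wholesale; settings it does not name keep the default.
    for setting, requested in (("supported_channel_types", request.get("channel_type")),
                               ("supported_role_settings", request.get("role_setting"))):
        allowed = _assign(effective, setting)
        if requested is not None and allowed is not None and requested not in allowed:
            return False, f"{platform}: {requested} is not in {setting} {allowed} for {scope}"
    return True, f"{platform}: allowed for {scope}"


if __name__ == "__main__":
    # Constructed requests: an unlisted workspace, a channel role where only
    # user roles are allowed, the overridden workspace, a Teams team, and Chime.
    for req in [
        {"platform": "slack", "workspace": "Slack-Workspace-Id3",
         "channel_type": "private", "role_setting": "user_role"},
        {"platform": "slack", "workspace": "Slack-Workspace-Id1",
         "channel_type": "private", "role_setting": "channel_role"},
        {"platform": "slack", "workspace": "Slack-Workspace-Id2",
         "channel_type": "public", "role_setting": "channel_role"},
        {"platform": "microsoft_teams", "tenant": "Microsoft-Teams-Tenant-Id",
         "team": "Microsoft-Teams-Team-Id", "role_setting": "channel_role"},
        {"platform": "chime"},
    ]:
        print(evaluate(EXAMPLE_POLICY, req))
```

The useful property to notice is that an override replaces a setting for that workspace or team only; a setting the override does not mention still comes from the platform `default`, and a platform that the `platforms` block never names is governed solely by the organization-wide `default` at the bottom.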

## Enabling chat applications policies
<a name="enable-org-pol"></a>

Before you can create chat applications policies, you must first enable them using the AWS Organizations console. For more information, see [Enabling a policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html#enable-policy-type) in the *AWS Organizations User Guide*.

## Disabling chat applications policies
<a name="disable-org-pol"></a>

If you no longer want to use chat applications policies in your organization, you can disable them to prevent accidental use. For more information, see [Disabling a policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html#disable-policy-type) in the *AWS Organizations User Guide*.

# Tutorial: Creating chat applications policies in Amazon Q Developer in chat applications
<a name="org-policy-tutorial"></a>

In this tutorial, you use the Amazon Q Developer in chat applications console to create a chat applications policy that:
+ Restricts chat client access to Slack
+ Specifies usable Slack workspaces
+ Restricts usage to private channels
+ Requires user-level roles

Subsequently, all Amazon Q Developer in chat applications configurations in your organization must adhere to these specifications.

**Topics**
+ [Prerequisites](#org-policy-tutorial-prq)
+ [Step 1: Create a new chat applications policy](#org-policy-tutorial-s1)
+ [(Optional) Step 2: Testing your chat applications policy](#org-policy-tutorial-s2)

## Prerequisites
<a name="org-policy-tutorial-prq"></a>

You must have already created an organization using AWS Organizations. For more information, see [Managing an organization with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org.html) in the *AWS Organizations User Guide*.

## Step 1: Create a new chat applications policy
<a name="org-policy-tutorial-s1"></a>

**To create a new chat applications policy**

1. Open the Amazon Q Developer in chat applications console at [https://console.aws.amazon.com/chatbot/](https://console.aws.amazon.com/chatbot/).

1. In the left sidebar menu, choose **Organization settings**. 

1. Choose **Chat applications policies**. 

1. Choose **Create chat applications policies**. 

1. Enable Amazon Q Developer in chat applications Orgs policies:

   **Note**  
   Before you can create and attach a policy to your organization, you must enable that policy type for use. This is a one-time task on the organization root. You can enable a policy type from only the organization’s management account. For more information, see [Enabling and disabling policy types](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html) in the *AWS Organizations User Guide*. 

   On the Chat applications policies page, choose **Enable**. 

1. Enter your policy **Details**:

   1. Enter a policy name. 

   1. (Optional) Enter a policy description. 

1. (Optional) Add tags. 

1. Configure chat client access:

   1. In **Set Amazon Chime chat client access**, choose **Deny Chime access**. 

   1. In **Set Microsoft Teams client access**, choose **Deny access to all Teams**. 

   1. In **Set Slack chat client access**, choose **Restrict access to named Slack workspaces**: 

      1. Enter a Slack workspace ID. 

         **Tip**  
         You can find your workspace ID in the Amazon Q Developer in chat applications console by choosing the configured client in the left sidebar and looking under **Workspace details**.

      1. (Optional) Choose **Add new workspace ID** to add another Slack workspace. 

      1. Choose **Add**. 

   1. Select **Enable usage to only private Slack channels**. 

1. Set IAM permission types: select **Enable User level IAM role**. 

1. Choose **Create policy**. 

## (Optional) Step 2: Testing your chat applications policy
<a name="org-policy-tutorial-s2"></a>

If you already have an Amazon Q Developer in chat applications configuration, you can sign in as a user in any of your member accounts and try to perform any of the following actions:
+ Create an Amazon Q Developer in chat applications configuration for Microsoft Teams
+ Create a Slack Amazon Q Developer in chat applications configuration for a workspace you didn't specify in your policy
+ Create a Slack Amazon Q Developer in chat applications configuration that uses a channel role

When you try to perform these actions, you should receive an error message that explains why you’re disallowed.

# Editing chat applications policies in Amazon Q Developer in chat applications
<a name="edit-org-pol"></a>

If you need to make changes to your chat applications policy, you can edit it.

**To edit chat applications policies**

1. Sign in to the Amazon Q Developer in chat applications console. 

1. In the left sidebar menu, choose **Organization settings**. 

1. Choose **Chat applications policies**. 

1. Select the name of the policy. 

1. Choose **Edit policy**. 

1. Make your edits. 

1. Choose **Save changes**. 

# Deleting chat applications policies in Amazon Q Developer in chat applications
<a name="delete-org-pol"></a>

If you no longer need a chat applications policy, you can delete it.

**To delete chat applications policies**

1. Sign in to the Amazon Q Developer in chat applications console. 

1. In the left sidebar menu, choose **Organization settings**. 

1. Choose **Chat applications policies**. 

1. Select the name of the policy. 

1. Choose **Delete policy**. 

1. Confirm your deletion by entering the policy name. 

1. Choose **Delete**. 

# Service control policies (SCPs) for Amazon Q Developer in chat applications
<a name="scp"></a>

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for the IAM users and IAM roles in your organization. For more information, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.

SCPs for Amazon Q Developer in chat applications function similarly to channel guardrail policies, but are implemented on the organization level. You can use SCPs to secure your organizations by restricting what APIs can be used to configure Amazon Q Developer in chat applications and which services and operations can be run using Amazon Q Developer. This doesn’t impact resources that are already created or the ability to respond to commands in chat channels.

The global condition key `aws:ChatbotSourceArn` is attached to all sessions created through Amazon Q Developer in chat applications, and its value is the ARN of the chat configuration the request came from. You can use this condition key to restrict which API operations can be run through Amazon Q Developer in chat applications, as opposed to from other entry points such as the AWS CLI or the console. A request that does not originate from a chat configuration carries no `aws:ChatbotSourceArn`, so a `Deny` statement conditioned on that key with `ArnLike` does not match such a request and leaves it unaffected. 

**Note**  
SCPs for Amazon Q Developer in chat applications are limited to Amazon Q Developer access in chat applications and don't apply to Amazon Q Business access from chat applications.

**Topics**
+ [Example Service control policies](#scp-example)

## Example Service control policies
<a name="scp-example"></a>

### Example 1: Deny all IAM operations
<a name="scp-1"></a>

The following SCP denies all IAM operations invoked through all Amazon Q Developer in chat applications configurations.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "iam:*",
            "Resource": "*",
            "Condition": {
                "ArnLike": {
                    "aws:ChatbotSourceArn": "arn:aws:chatbot::*"
                }
            }
        }
    ]
}
```

### Example 2: Deny S3 bucket put requests from a specified Slack channel
<a name="scp-2"></a>

The following SCP denies S3 put requests on the specified bucket for all requests originating from a Slack channel.

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ExampleS3Deny",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
            "Condition": {
                "ArnLike": {
                      "aws:ChatbotSourceArn": "arn:aws:chatbot::*:chat-configuration/slack-channel/*"
                }
            }
        }
    ]
}
```
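The following script is an added example, not code from the AWS documentation or from IAM. It is a deliberately small IAM-style evaluator that shows how the layers described on this page combine for a single command typed in a chat channel: the non-supported operations deny list, a channel role, a guardrail policy (a command must be allowed by both the role and the guardrail), and an SCP keyed on `aws:ChatbotSourceArn` in the style of Example 2. The channel role, guardrail, SCP, account ID, configuration name and Lambda function names are constructed placeholders; `UNSUPPORTED` is a subset of the page's non-supported operations policy. Only string-or-list `Action` and `Resource` elements, `*`/`?` wildcards, and the `ArnLike` and `StringEquals` operators are modelled, so use it to reason about precedence, not as a substitute for IAM's own evaluation.

```python
"""Combine the permission layers on this page for one chat command.

Added example, not code from the AWS documentation or from the service. It is
a deliberately small IAM-style evaluator: Allow and Deny statements with
string-or-list Action and Resource elements, `*`/`?` wildcards, and ArnLike or
StringEquals conditions. NotAction, NotResource, Principal, policy variables
and the other condition operators are not modelled. The rules it applies are
the ones this page states: an explicit deny in any layer wins; otherwise a
command must be allowed by both the role and the guardrail policy.

The channel role, guardrail and SCP documents below are constructed for this
example; UNSUPPORTED is a subset of the page's non-supported operations list.
The account ID, configuration name and function names are placeholders.
"""
from fnmatch import fnmatchcase


def _policy(effect, actions, resource="*", condition=None):
    """Build a one-statement policy document."""
    statement = {"Effect": effect, "Action": actions, "Resource": resource}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


CHANNEL_ROLE = _policy("Allow", ["ec2:*", "s3:*", "lambda:InvokeFunction"])
GUARDRAIL = _policy("Allow", ["ec2:Describe*", "s3:Get*", "s3:List*", "lambda:InvokeFunction"])
UNSUPPORTED = _policy("Deny", ["iam:*", "kms:*", "sts:*", "secretsmanager:*",
                               "ec2:GetPasswordData", "s3:GetObject", "s3:PutObject"])
# Modelled on Example 2: block one resource family, but only for requests whose
# aws:ChatbotSourceArn is a Slack channel configuration.
SCP_NO_PROD_LAMBDA_FROM_SLACK = _policy(
    "Deny", "lambda:InvokeFunction", "arn:aws:lambda:*:*:function:prod-*",
    {"ArnLike": {"aws:ChatbotSourceArn": "arn:aws:chatbot::*:chat-configuration/slack-channel/*"}})
# Constructed request context for a command typed in a Slack channel.
SLACK_CONTEXT = {"aws:ChatbotSourceArn":
                 "arn:aws:chatbot::123456789012:chat-configuration/slack-channel/ops-channel"}
PROD_FN = "arn:aws:lambda:us-east-1:123456789012:function:prod-deploy"
DEV_FN = "arn:aws:lambda:us-east-1:123456789012:function:dev-echo"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """All operator/key pairs must hold; a key missing from the context fails."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "ArnLike":
                ok = any(fnmatchcase(actual, p) for p in _as_list(patterns))
            elif operator == "StringEquals":
                ok = actual in _as_list(patterns)
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def _matches(statement, action, resource, context):
    # Action names are case-insensitive in IAM; ARNs are matched as written.
    action_ok = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(statement["Action"]))
    resource_ok = any(fnmatchcase(resource, p) for p in _as_list(statement.get("Resource", "*")))
    return action_ok and resource_ok and _condition_holds(statement.get("Condition", {}), context)


def decide(policy, action, resource, context):
    """'Deny', 'Allow' or None (implicit deny) for a single policy document."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource, context)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else None


def evaluate(action, resource, context, role, guardrail, scps=()):
    """Explicit deny in any layer wins; then both role and guardrail must allow."""
    layers = [("role", role), ("guardrail", guardrail), ("unsupported operations", UNSUPPORTED)]
    layers += [(f"SCP {i}", scp) for i, scp in enumerate(scps, 1)]
    for name, policy in layers:
        if decide(policy, action, resource, context) == "Deny":
            return False, f"explicit deny in {name}"
    for name, policy in layers[:2]:
        if decide(policy, action, resource, context) != "Allow":
            return False, f"not allowed by the {name} policy"
    return True, "allowed by both the role and the guardrail"


if __name__ == "__main__":
    scps = [SCP_NO_PROD_LAMBDA_FROM_SLACK]
    for action, resource, context in [
        ("ec2:DescribeInstances", "*", SLACK_CONTEXT),
        ("ec2:StartInstances", "*", SLACK_CONTEXT),            # role allows, guardrail does not
        ("s3:GetObject", "arn:aws:s3:::amzn-s3-demo-bucket/report.csv", SLACK_CONTEXT),
        ("lambda:InvokeFunction", PROD_FN, SLACK_CONTEXT),     # SCP condition matches
        ("lambda:InvokeFunction", DEV_FN, SLACK_CONTEXT),      # resource outside the SCP
        ("lambda:InvokeFunction", PROD_FN, {}),                # no chat origin: SCP silent
    ]:
        allowed, reason = evaluate(action, resource, context, CHANNEL_ROLE, GUARDRAIL, scps)
        print(f"{action:24} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The last row is there only to show the condition key at work: with an empty request context the SCP's `ArnLike` condition cannot match, so the statement is silent. A real CLI or console request would of course not pass through a channel role or guardrail at all; those two layers apply only to commands run through a chat configuration.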

# Chat client application permissions for Amazon Q Developer in chat applications
<a name="app-permissions"></a>

When you install Amazon Q Developer in chat applications on Microsoft Teams and Slack applications, each authorization process requests approval to grant Amazon Q Developer in chat applications app permissions. The following permissions are requested for each chat client.

## Microsoft Teams permissions
<a name="teams-app-permissions"></a>
+ Team.ReadBasic.All
+ Channel.ReadBasic.All
+ ChannelMember.Read.All
+ User.ReadBasic.All

For more information, see [Microsoft Graph permissions reference](https://learn.microsoft.com/en-us/graph/permissions-reference).

## Slack permissions
<a name="slack-app-permissions"></a>
+ app_mentions:read
+ channels:read
+ chat:write
+ chat:write.public
+ groups:read
+ team:read
+ users:read

For more information, see [Permission scopes](https://api.slack.com/scopes).

# Managing IAM roles for Amazon Q Developer in chat applications
<a name="manage-user-roles"></a>

You can manage the IAM roles used as channel and user roles by editing them. You can further manage your user roles depending on your user type.

**Topics**
+ [Editing an IAM role for Amazon Q Developer in chat applications](editing-iam-roles-for-chatbot.md)
+ [Managing user roles as an administrator in Amazon Q Developer in chat applications](adm-container.md)
+ [Managing user roles as a channel member in Amazon Q Developer in chat applications](cm-container.md)

# Editing an IAM role for Amazon Q Developer in chat applications
<a name="editing-iam-roles-for-chatbot"></a>

You can create new IAM roles in the Amazon Q Developer in chat applications console. You associate these roles with your chat channels or Amazon Chime webhooks. The Amazon Q Developer in chat applications console does not allow editing of IAM roles, including any roles that you've already created in the Amazon Q Developer in chat applications console.

**Note**  
AWS requires that you use the IAM console to edit IAM roles. If you create roles in the Amazon Q Developer in chat applications console, you must use the IAM console to edit them. This might happen, for example, when you are using the Amazon Q Developer in chat applications service and a new release comes out that supports new features.

Use the IAM console to edit Amazon Q Developer in chat applications roles. You can use the entire set of IAM console features to specify permissions for your Amazon Q Developer in chat applications users.

**To edit roles**

1. Open the Amazon Q Developer in chat applications console at [https://console.aws.amazon.com/chatbot/](https://console.aws.amazon.com/chatbot/).

1. Choose the configured client, and choose the name of the configured channel or webhook. 

1. Choose a role to edit:

   **Channel role**

   1. Choose the role you want to edit. When you choose a role, the IAM console opens to that role's configuration page, with the **Permissions** tab showing the selected role. 
**Note**  
You can attach AWS managed policies and customer managed policies. Amazon Q Developer in chat applications roles support both types of IAM policies.

   1. Choose **Add permissions** and then select **Attach Policies**.

   **User roles**

   1. Choose the **User role** tab.

   1. Choose **Edit**.
**Note**  
You can attach AWS managed policies and customer managed policies. Amazon Q Developer in chat applications roles support both types of IAM policies.

   1. Select a role.

   1. Choose **Selected role information**. The IAM console opens to that role's configuration page.

   1. Choose **Add permissions** and then select **Attach Policies**.


1. Choose the name of the policy that you want. You can use the **Search** box to search for the policy by name or by a partial string of characters. For example, all IAM policies associated with Amazon Q Developer in chat applications include the character string **Chatbot** as part of the policy name.

1. You can attach any of the following AWS managed policies to any role. You can also use these policies as templates to create your own policies.
   + **ReadOnlyAccess**
   + **CloudWatchReadOnlyAccess**
   + **AWSSupportAccess**
   + **AmazonQFullAccess**
   + **AIOpsOperator**

   The **ReadOnlyAccess** policy is automatically attached to any role that you create in the Amazon Q Developer in chat applications console. In the console, it appears as the **Read-only command permissions** policy template.

   If you want your users to be able to chat with Amazon Q Developer in natural language, attach the **AmazonQDeveloperAccess** policy. If administrator access is required, use the **AmazonQFullAccess** policy. In the Amazon Q Developer in chat applications console, the **AmazonQFullAccess** policy appears as the **Amazon Q Permissions** policy template.

   You can use these policies to create your own policies that are less permissive and specify the resources their users can access. You can substitute these custom policies for the ones listed here.

1. Choose each of the policies that you want to attach to the role and choose **Attach policy**. If needed, use the Search box to locate the policies you're looking for.

   After you click **Attach policy**, the role's **Permissions** page opens and shows the change in the **Permissions** list.

**Note**  
For more information about the customer managed policies and AWS managed policies described in this section, see [IAM Policies for Amazon Q Developer in chat applications](chatbot-iam-policies.md).  
For more information about editing IAM policies, see [Editing IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html). Exercise caution at all times when editing policies, and avoid overwriting existing customer managed policies.

## Managing IAM role permissions for running commands in Amazon Q Developer in chat applications
<a name="iam-policies-for-slack-channels-cli-support"></a>

With AWS Identity and Access Management (IAM), you can use *identity-based policies*, which are JSON permissions policy documents, and attach them to an *identity*, such as a user, role, or group. These policies work with your guardrail policies to control what actions a user can perform. Amazon Q Developer in chat applications provides the following IAM policies in the Amazon Q Developer in chat applications console that you can use to set up AWS CLI commands support for chat channels. Those policies include:
+ **ReadOnly command permissions**
+ **Lambda-Invoke command permissions**
+ **AWS Support command permissions**

You can use any or all of these policies, based on your organization's requirements. To use them, create a new channel role in your channel configuration using the Amazon Q Developer in chat applications console, and attach the policies there. You can also attach the policies to the Amazon Q Developer in chat applications IAM roles using the IAM console. The policies simplify Amazon Q Developer in chat applications role configuration and enable you to set up quickly. 

You can use these IAM policies as templates to define your own policies. For example, all policies described here use a wildcard (`"*"`) in the `Resource` element to apply the policy's permissions to all resources:

```
"Resource": [
    "*"
]
```

You can define custom permissions in a policy to limit actions to specific resources in your AWS account. These are called *resource-based permissions*. For more information on defining resources in a policy, see the section [IAM JSON Policy Elements: Resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html) in the *IAM User Guide*.

For more information on these policies, see [Configuring an IAM Role for Amazon Q Developer in chat applications](#editing-iam-roles-for-chatbot).

### Using the Amazon Q Developer in chat applications read-only command permissions policy
<a name="about-readonlycommand-chatbot-policy"></a>

The Amazon Q Developer in chat applications **ReadOnly Command Permissions** policy controls access to several important AWS services, including IAM, AWS Security Token Service (AWS STS), AWS Key Management Service (AWS KMS), and Amazon S3. It disallows all IAM operations when using AWS commands in Microsoft Teams and Slack. When you use the **ReadOnly Command Permissions** policy, you allow or deny the following permissions to users who run commands in chat channels: 
+ IAM (Deny All)
+ AWS KMS (Deny All)
+ AWS STS (Deny All)
+ Amazon Cognito (allows Read-Only, denies `GetSigningCertificate` commands)
+ Amazon EC2 (allows Read-Only, denies `GetPasswordData` commands)
+ Amazon Elastic Container Registry (Amazon ECR) (allows Read-Only, denies `GetAuthorizationToken` commands)
+ Amazon GameLift Servers (allows Read-Only, denies requests for credentials and `GetInstanceAccess` commands)
+ Amazon Lightsail (allows List, Read, denies several key pair operations and `GetInstanceAccess`)
+ Amazon Redshift (denies `GetClusterCredentials` commands)
+ Amazon S3 (allows Read-Only commands, denies `GetBucketPolicy` commands)
+ AWS Storage Gateway (allows Read-Only, denies `DescribeChapCredentials` commands)

The **ReadOnly Command Permissions** policy JSON code is shown following:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "iam:*",
                "kms:*",
                "sts:*",
                "cognito-idp:GetSigningCertificate",
                "ec2:GetPasswordData",
                "ecr:GetAuthorizationToken",
                "gamelift:RequestUploadCredentials",
                "gamelift:GetInstanceAccess",
                "lightsail:DownloadDefaultKeyPair",
                "lightsail:GetInstanceAccessDetails",
                "lightsail:GetKeyPair",
                "lightsail:GetKeyPairs",
                "redshift:GetClusterCredentials",
                "s3:GetBucketPolicy",
                "storagegateway:DescribeChapCredentials"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```


### Using the Amazon Q Developer in chat applications Lambda-Invoke policy
<a name="about-lambda-invoke-chatbot-policy"></a>

The Amazon Q Developer in chat applications **Lambda-Invoke Command Permissions** policy allows users to invoke AWS Lambda functions in chat channels. This policy is an AWS managed policy that is not specific to Amazon Q Developer in chat applications, though it appears in the Amazon Q Developer in chat applications console.

By default, invoked Lambda functions can perform *any operation*. You might need to define a more restrictive inline IAM policy that allows permissions to invoke specific Lambda functions, such as functions specifically developed for your DevOps team that only they should be able to invoke, and deny permissions to invoke Lambda functions for any other purpose.

The following example shows the **Lambda-Invoke Command Permissions** policy:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:invokeAsync",
                "lambda:invokeFunction"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```


You can also define resource-based permissions to allow invoking of Lambda functions only against specific resources, instead of the `"*"` wildcard that applies the policy to all resources. Always follow the IAM practice of granting only the permissions required for your users to do their jobs.
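The following is an added example, not AWS's own code, that serves two passages above: the scoped Lambda-Invoke policy that replaces the `"*"` resource with a single function name pattern, and the way the **ReadOnly Command Permissions** Deny statement combines with an Allow statement. It assumes a placeholder account ID, Region and function prefix (`devops-*`), and a deliberately simplified IAM evaluation (explicit Deny beats Allow, Allow beats the implicit deny; conditions, principals and `NotAction` are not modelled).

```python
import fnmatch

# Constructed example policy (not an AWS managed policy): the Lambda-Invoke
# permissions from the page, with "Resource": "*" narrowed to one team's
# functions. Account ID, Region and function prefix are placeholders.
SCOPED_LAMBDA_INVOKE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["lambda:InvokeFunction", "lambda:InvokeAsync"],
        "Resource": ["arn:aws:lambda:us-east-1:111122223333:function:devops-*"],
    }],
}

# Excerpt of the Deny statement from the ReadOnly Command Permissions policy.
READONLY_DENY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["iam:*", "kms:*", "sts:*", "ec2:GetPasswordData",
                   "s3:GetBucketPolicy"],
        "Resource": ["*"],
    }],
}


def _match(patterns, value, ignore_case):
    """IAM-style wildcard match. Action names are case-insensitive;
    resource ARNs are compared case-sensitively."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if ignore_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Simplified IAM decision: an explicit Deny anywhere wins, otherwise
    any matching Allow grants access, otherwise the request is implicitly
    denied. Returns 'explicitDeny', 'allow' or 'implicitDeny'."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if (_match(stmt["Action"], action, ignore_case=True)
                    and _match(stmt["Resource"], resource, ignore_case=False)):
                if stmt["Effect"] == "Deny":
                    return "explicitDeny"
                decision = "allow"
    return decision
```

Attaching both policies to a channel role lets a member invoke `devops-*` functions only; every other function stays implicitly denied, and the IAM, KMS and STS calls stay explicitly denied regardless of what other Allow statements the role carries.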

# Managing user roles as an administrator in Amazon Q Developer in chat applications
<a name="adm-container"></a>

Administrators can unmap user roles from channel members' chat client IDs from the **User permissions** page in the Amazon Q Developer in chat applications console. Administrators can also require user roles by enabling a user role requirement in the **User permissions** page. This requirement can be applied to all workspaces and channels or to individual channel configurations. For more information on user role requirements, see [User role requirement](understanding-permissions.md#role-reqs).

**Note**  
Administrators can't map user roles. Only channel members have this ability.

**Topics**
+ [Unmapping a user role in Amazon Q Developer in chat applications](#admin-unmap-role)
+ [Enabling a user role requirement in Amazon Q Developer in chat applications](#admin-ur-req)

## Unmapping a user role in Amazon Q Developer in chat applications
<a name="admin-unmap-role"></a>

You can unmap a user role from a chat client ID. When you unmap a user role, it no longer appears in your **Mapped roles** table.

**Note**  
Unmapping user roles doesn't impact the ability to use Amazon Q Developer in the Amazon Q Developer console or in other places where Amazon Q Developer is available.

**To unmap a user role**

1. Open the [Amazon Q Developer in chat applications console](https://console.aws.amazon.com/chatbot/).

1. Under **Account settings**, choose **User permissions**.

1. In **Mapped roles**, select the roles you want to unmap.

1. Choose **Unmap**.

## Enabling a user role requirement in Amazon Q Developer in chat applications
<a name="admin-ur-req"></a>

You can enable a user role requirement to force users to apply a user role before running commands in Microsoft Teams and Slack.

**To enable a user role requirement**

1. Open the [Amazon Q Developer in chat applications console](https://console.aws.amazon.com/chatbot/).

1. Under **Account settings**, choose **User permissions**.

1. In **User role requirement**, enable a user role requirement.

# Managing user roles as a channel member in Amazon Q Developer in chat applications
<a name="cm-container"></a>

Channel members can switch their user roles from their chat channels. Additionally, channel members can unmap user roles from chat client IDs using the Amazon Q Developer in chat applications console.

**Topics**
+ [Adding a user role from a chat channel using Amazon Q Developer in chat applications](#cm-add-role)
+ [Switching user roles from a chat channel using Amazon Q Developer in chat applications](#cm-switch-role)
+ [Unmapping a user role using Amazon Q Developer in chat applications](#cm-unmap-role)

## Adding a user role from a chat channel using Amazon Q Developer in chat applications
<a name="cm-add-role"></a>

If you are a new channel member or your channel permission approach changes, Amazon Q Developer in chat applications will prompt you to add a user role.

**To add a user role from a chat channel**

1. Choose **Let's get started**.

1. Choose an account to add a role.
**Note**  
This link will take you directly to the Amazon Q Developer in chat applications console.

1. In **User role**, choose a role.

1. Choose **Save**.
**Note**  
Choosing **Save** takes you to an authorization page to fetch your chat client identity. This identity is mapped to your chosen role.

1. Choose **Allow**.

## Switching user roles from a chat channel using Amazon Q Developer in chat applications
<a name="cm-switch-role"></a>

If you find that your current user role doesn’t have the right permissions to achieve your desired task, you can switch roles directly from Microsoft Teams and Slack.

**Note**  
If you are unable to run a particular command after switching roles, contact your administrator regarding the channel guardrails in place.

**To switch a user role from a chat channel**

1. In your chat channel, enter `@Amazon Q switch-role`.

1. Choose the account that you want to switch roles for.
**Note**  
This link will take you directly to the Amazon Q Developer in chat applications console.

1. In the Amazon Q Developer in chat applications console, choose **Choose user role**.

1. In **User role**, choose a user role.

1. Choose **Save**.
**Note**  
Choosing **Save** takes you to an authorization page so that your chat client identity can be retrieved and associated with your chosen role.

1. On the authorization page, choose **Allow**.

## Unmapping a user role using Amazon Q Developer in chat applications
<a name="cm-unmap-role"></a>

If you have a user role applied that you no longer need, you can unmap it.

**To unmap a user role**

1. Open the [Amazon Q Developer in chat applications console](https://console.aws.amazon.com/chatbot/).

1. Choose a configured client.

1. In **User role**, choose **Clear role**.

## Protection policy
<a name="cbt-protection-policy"></a>

The expansion of usable CLI commands occurred on 11/28/2021. This expansion can allow channel members to create, read, update, and delete your AWS resources. To prevent this, a protection policy is applied as a guardrail policy to existing Amazon Q Developer in chat applications configurations by default. Specifically, the protection policy restricts permissions and actions to what was available before all CLI commands were usable. This policy is detachable, but we strongly recommend that it remain in place until you’ve verified that all your guardrails, channel IAM roles, and user-level roles align with your governance policy or channel requirements. You can detach this policy from:
+ Individual workspaces.
+ Individual channels in the channel configurations page.
+ A selection of channels using the **Set guardrails** button.
+ All channel configurations in the **User permissions** page of the Amazon Q Developer in chat applications console.

The protection policy contains the [ReadOnlyAccess policy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ReadOnlyAccess.html) and the following JSON code:

```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:Invoke*",
                "support:*",
                "ssm-incidents:*"
            ],
            "Resource": "*"
        }
    ]
}
```