IAM role for an Amazon Q Business application - Amazon Q Business

IAM role for an Amazon Q Business application

When you create an Amazon Q Business application, you must provide Amazon Q with an IAM role that has permissions to publish metrics to Amazon CloudWatch, write to Amazon CloudWatch Logs, and assign user subscriptions to the application. You must also attach a trust policy that allows the Amazon Q Business service principal to assume the role. The following are the policies that must be provided.

To allow Amazon Q to publish CloudWatch metrics, write to CloudWatch Logs, and assign user subscriptions, use the following role (permissions) policy. Replace the {{region}}, {{account_id}}, {{source_account}}, {{application_id}}, and {{subscription_id}} placeholders with your own values. Note how the policy is scoped: the log statements are limited to log groups under the /aws/qbusiness/ prefix, and the cloudwatch:PutMetricData statement, which must use "Resource": "*", is restricted by condition to the AWS/QBusiness metric namespace:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonQApplicationPutMetricDataPermission",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "AWS/QBusiness"
        }
      }
    },
    {
      "Sid": "AmazonQApplicationDescribeLogGroupsPermission",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonQApplicationCreateLogGroupPermission",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:{{region}}:{{account_id}}:log-group:/aws/qbusiness/*"
      ]
    },
    {
      "Sid": "AmazonQApplicationLogStreamPermission",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogStreams",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:{{region}}:{{account_id}}:log-group:/aws/qbusiness/*:log-stream:*"
      ]
    },
    {
      "Sid": "QBusinessUserSubscriptionPermissions",
      "Effect": "Allow",
      "Action": [
        "qbusiness:CreateSubscription",
        "qbusiness:UpdateSubscription",
        "qbusiness:CancelSubscription",
        "qbusiness:ListSubscriptions",
        "user-subscriptions:CreateClaim",
        "user-subscriptions:UpdateClaim",
        "user-subscriptions:CommitClaim"
      ],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/subscription/{{subscription_id}}"
      ]
    }
  ]
}

To assign user subscriptions to applications, the role must include permissions to call the user subscription APIs that the service invokes on your behalf in the backend; you don't call or use these APIs directly. They are included in the example role policy above (the QBusinessUserSubscriptionPermissions statement). The subscription-related actions grant permission to create, update, cancel, and list all user subscriptions for the application. Assigning user subscriptions is only available in the Amazon Q Business console.

To allow Amazon Q to assume the role, use the following trust policy. The aws:SourceAccount and aws:SourceArn conditions restrict the qbusiness.amazonaws.com service principal to assuming the role only on behalf of Amazon Q Business applications in your own account and Region, which prevents the service from being used as a confused deputy by an application in another account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonQApplicationPermission",
      "Effect": "Allow",
      "Principal": {
        "Service": "qbusiness.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{account_id}}"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{account_id}}:application/*"
        }
      }
    }
  ]
}
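
The following is an added example, not code from the AWS documentation, covering both the permissions policy and the trust policy above: it fills in the {{...}} placeholders, refuses to emit a policy that still has gaps, checks that the rendered trust policy keeps the aws:SourceAccount and aws:SourceArn scoping, lists the statements that use "Resource": "*" so a reviewer can confirm each is narrowed another way, and creates the role with boto3. The Region, account ID, application ID, and subscription ID values are constructed, the role name and inline policy name are assumptions, and boto3 is imported only when a role is actually created, so the checks run offline.

```python
"""Render and sanity-check the Amazon Q Business application role policies (added example)."""
import json
import re
from typing import Dict, List

# The documentation templates mark values to fill in as {{name}}.
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")

# Trust policy as published: only the qbusiness.amazonaws.com service principal, and only when
# acting for an application in this account and Region (aws:SourceAccount + aws:SourceArn).
TRUST_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AmazonQApplicationPermission",
    "Effect": "Allow",
    "Principal": {"Service": "qbusiness.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "{{account_id}}"},
      "ArnLike": {"aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{account_id}}:application/*"}
    }
  }]
}"""

# Permissions policy as published: CloudWatch metrics, CloudWatch Logs, user subscriptions.
PERMISSIONS_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AmazonQApplicationPutMetricDataPermission", "Effect": "Allow",
     "Action": ["cloudwatch:PutMetricData"], "Resource": "*",
     "Condition": {"StringEquals": {"cloudwatch:namespace": "AWS/QBusiness"}}},
    {"Sid": "AmazonQApplicationDescribeLogGroupsPermission", "Effect": "Allow",
     "Action": ["logs:DescribeLogGroups"], "Resource": "*"},
    {"Sid": "AmazonQApplicationCreateLogGroupPermission", "Effect": "Allow",
     "Action": ["logs:CreateLogGroup"],
     "Resource": ["arn:aws:logs:{{region}}:{{account_id}}:log-group:/aws/qbusiness/*"]},
    {"Sid": "AmazonQApplicationLogStreamPermission", "Effect": "Allow",
     "Action": ["logs:DescribeLogStreams", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": ["arn:aws:logs:{{region}}:{{account_id}}:log-group:/aws/qbusiness/*:log-stream:*"]},
    {"Sid": "QBusinessUserSubscriptionPermissions", "Effect": "Allow",
     "Action": ["qbusiness:CreateSubscription", "qbusiness:UpdateSubscription",
                "qbusiness:CancelSubscription", "qbusiness:ListSubscriptions",
                "user-subscriptions:CreateClaim", "user-subscriptions:UpdateClaim",
                "user-subscriptions:CommitClaim"],
     "Resource": ["arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}",
                  "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/subscription/{{subscription_id}}"]}
  ]
}"""


def render(template: str, values: Dict[str, str]) -> dict:
    """Substitute every {{name}} placeholder and parse the result. An unfilled placeholder
    would leave an ARN that matches nothing, so refuse to emit a policy with gaps."""
    missing = set(PLACEHOLDER.findall(template)) - set(values)
    if missing:
        raise KeyError(f"unfilled placeholders: {sorted(missing)}")
    return json.loads(PLACEHOLDER.sub(lambda m: values[m.group(1)], template))


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_is_scoped(policy: dict, account_id: str, region: str) -> bool:
    """Confused-deputy check: every Allow for qbusiness.amazonaws.com must pin aws:SourceAccount
    to our account and aws:SourceArn to application ARNs in our account and Region."""
    prefix = f"arn:aws:qbusiness:{region}:{account_id}:application/"
    found = False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Service") != "qbusiness.amazonaws.com":
            continue
        found = True
        cond = stmt.get("Condition", {})
        accounts = _as_list(cond.get("StringEquals", {}).get("aws:SourceAccount"))
        arns = _as_list(cond.get("ArnLike", {}).get("aws:SourceArn"))
        if accounts != [account_id] or not arns or not all(a.startswith(prefix) for a in arns):
            return False
    return found  # a policy that never allows the service principal is not usable either


def wildcard_resource_sids(policy: dict) -> List[str]:
    """Sids of Allow statements with Resource "*", for least-privilege review. In the published
    policy these are the metric statement (narrowed by cloudwatch:namespace) and DescribeLogGroups."""
    return [s.get("Sid") for s in policy["Statement"]
            if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource"))]


def create_application_role(role_name: str, trust_policy: dict, permissions_policy: dict, client=None) -> str:
    """Create the role with the trust policy and attach the permissions policy inline (boto3 IAM API)."""
    if client is None:
        import boto3  # assumption: boto3 is installed and AWS credentials are configured
        client = boto3.client("iam")
    role = client.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust_policy))
    client.put_role_policy(RoleName=role_name, PolicyName=f"{role_name}-inline",
                           PolicyDocument=json.dumps(permissions_policy))
    return role["Role"]["Arn"]


if __name__ == "__main__":
    # Constructed values: the account, application, and subscription IDs are not real.
    values = {"region": "us-east-1", "account_id": "111122223333", "source_account": "111122223333",
              "application_id": "0a1b2c3d-0000-1111-2222-333344445555", "subscription_id": "sub-000example"}
    trust, perms = render(TRUST_POLICY_TEMPLATE, values), render(PERMISSIONS_POLICY_TEMPLATE, values)
    print("trust policy scoped to this account/Region:", trust_policy_is_scoped(trust, "111122223333", "us-east-1"))
    print("statements with Resource '*':", wildcard_resource_sids(perms))
    # create_application_role("AmazonQBusinessApplicationRole", trust, perms)  # needs AWS credentials
```

Run the checks before calling create_application_role; a trust policy that drops the Condition block, or that names a different account or Region, fails trust_policy_is_scoped and should not be deployed.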

Amazon Q also supports using a service-linked role (AWSServiceRoleForQBusiness) for an Amazon Q application. The following is the service-linked role policy. Unlike the role policy above, it covers only the CloudWatch metrics and CloudWatch Logs permissions, with wildcard Region and account in the log ARNs, and does not include the user-subscription actions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QBusinessPutMetricDataPermission",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "AWS/QBusiness"
        }
      }
    },
    {
      "Sid": "QBusinessCreateLogGroupPermission",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/qbusiness/*"
      ]
    },
    {
      "Sid": "QBusinessDescribeLogGroupsPermission",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "QBusinessLogStreamPermission",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogStreams",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/qbusiness/*:log-stream:*"
      ]
    }
  ]
}

For more information on using service-linked roles for an Amazon Q application, see Using service-linked roles.