If you use the AWS CLI or an AWS SDK, you must create an AWS Identity and Access Management (IAM) policy before you create an Amazon Q Business resource. When you call the CreateDataSource operation, you provide the Amazon Resource Name (ARN) of the role with the policy attached.
If you use the AWS Management Console, you can create a new IAM role in the Amazon Q console or use an existing IAM role while creating your data source.
Note: To learn how to create an IAM role, see Create a role to delegate permissions to an AWS service.
When you use an Amazon S3 bucket as a data source, you must provide a role that has:
- Permission to access your Amazon S3 bucket.
- Permission to access the BatchPutDocument and BatchDeleteDocument API operations in order to ingest documents.
- Permission to access the Principal Store APIs needed to ingest access control and identity information from documents.
To allow Amazon Q to use an Amazon S3 bucket as a data source, use the following role policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowsAmazonQToGetObjectfromS3",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::{{input_bucket_name}}/*"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "{{account_id}}"
                }
            }
        },
        {
            "Sid": "AllowsAmazonQToListS3Buckets",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::{{input_bucket_name}}"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "{{account_id}}"
                }
            }
        },
        {
            "Sid": "AllowsAmazonQToIngestDocuments",
            "Effect": "Allow",
            "Action": [
                "qbusiness:BatchPutDocument",
                "qbusiness:BatchDeleteDocument"
            ],
            "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}"
        },
        {
            "Sid": "AllowsAmazonQToCallPrincipalMappingAPIs",
            "Effect": "Allow",
            "Action": [
                "qbusiness:PutGroup",
                "qbusiness:CreateUser",
                "qbusiness:DeleteGroup",
                "qbusiness:UpdateUser",
                "qbusiness:ListGroups"
            ],
            "Resource": [
                "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}",
                "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}",
                "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}/data-source/*"
            ]
        }
    ]
}
If the documents in the Amazon S3 bucket are encrypted, you must provide the following permissions to use the AWS KMS key to decrypt the documents:
{
    "Sid": "AllowsAmazonQToDecryptSecret",
    "Effect": "Allow",
    "Action": [
        "kms:Decrypt"
    ],
    "Resource": [
        "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
    ],
    "Condition": {
        "StringLike": {
            "kms:ViaService": [
                "secretsmanager.*.amazonaws.com"
            ]
        }
    }
}
If you are using an Amazon VPC, you must add the following VPC access permissions to your policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowsAmazonQToGetObjectfromS3",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::{{input_bucket_name}}/*"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "{{account_id}}"
                }
            }
        },
        {
            "Sid": "AllowsAmazonQToListS3Buckets",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::{{input_bucket_name}}"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "{{account_id}}"
                }
            }
        },
        {
            "Sid": "AllowsAmazonQToIngestDocuments",
            "Effect": "Allow",
            "Action": [
                "qbusiness:BatchPutDocument",
                "qbusiness:BatchDeleteDocument"
            ],
            "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}"
        },
        {
            "Sid": "AllowsAmazonQToCallPrincipalMappingAPIs",
            "Effect": "Allow",
            "Action": [
                "qbusiness:PutGroup",
                "qbusiness:CreateUser",
                "qbusiness:DeleteGroup",
                "qbusiness:UpdateUser",
                "qbusiness:ListGroups"
            ],
            "Resource": [
                "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}",
                "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}",
                "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}/data-source/*"
            ]
        },
        {
            "Sid": "AllowsAmazonQToCreateAndDeleteENI",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:{{region}}:{{account_id}}:subnet/[[subnet_ids]]",
                "arn:aws:ec2:{{region}}:{{account_id}}:security-group/[[security_group]]"
            ]
        },
        {
            "Sid": "AllowsAmazonQToCreateDeleteENI",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "AMAZON_Q"
                    ]
                }
            }
        },
        {
            "Sid": "AllowsAmazonQToCreateTags",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateNetworkInterface"
                }
            }
        },
        {
            "Sid": "AllowsAmazonQToCreateNetworkInterfacePermission",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterfacePermission"
            ],
            "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
                }
            }
        },
        {
            "Sid": "AllowsAmazonQToConnectToVPC",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeVpcs",
                "ec2:DescribeRegions",
                "ec2:DescribeNetworkInterfacePermissions",
                "ec2:DescribeSubnets"
            ],
            "Resource": "*"
        }
    ]
}
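The role policies above are templates with {{...}} and [[...]] placeholders, and a few of their conditions do the real scoping work: aws:ResourceAccount pins the S3 statements to your own account, kms:ViaService limits which service may use the KMS key on the role's behalf (as written, requests routed through Secrets Manager, so confirm that matches the service that will actually call Decrypt on your documents), and Resource "*" appears only on read-only ec2:Describe* actions. The following Python is an added example, not code from the AWS documentation: it renders a trimmed, constructed copy of these statements with made-up sample values, lints the rendered policy for those properties, and shows what the linter reports when the aws:ResourceAccount condition is dropped. The placeholder handling and the lint rules are this example's own assumptions about how to check the policy locally; the IAM policy simulator remains the authoritative check.

```python
"""Render the Amazon Q Business data-source role policy from its placeholder
template and lint it for the scoping the statements rely on.
Added example, not from the AWS documentation page. POLICY_TEMPLATE is a
constructed, trimmed copy of the statements above; SAMPLE_VALUES are made-up
account, region and resource ids."""
import copy
import json
import re

SAMPLE_VALUES = {  # constructed values for the {{...}} and [[...]] placeholders
    "account_id": "111122223333",
    "source_account": "111122223333",
    "region": "us-east-1",
    "application_id": "app-0000example",
    "index_id": "idx-0000example",
    "input_bucket_name": "example-qbusiness-docs",
    "key_id": "1234abcd-12ab-34cd-56ef-1234567890ab",
}

POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQToGetObjectfromS3",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::{{input_bucket_name}}/*"],
      "Condition": {"StringEquals": {"aws:ResourceAccount": "{{account_id}}"}}
    },
    {
      "Sid": "AllowsAmazonQToIngestDocuments",
      "Effect": "Allow",
      "Action": ["qbusiness:BatchPutDocument", "qbusiness:BatchDeleteDocument"],
      "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}"
    },
    {
      "Sid": "AllowsAmazonQToDecryptSecret",
      "Effect": "Allow",
      "Action": ["kms:Decrypt"],
      "Resource": ["arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"],
      "Condition": {"StringLike": {"kms:ViaService": ["secretsmanager.*.amazonaws.com"]}}
    },
    {
      "Sid": "AllowsAmazonQToConnectToVPC",
      "Effect": "Allow",
      "Action": ["ec2:DescribeNetworkInterfaces", "ec2:DescribeSubnets"],
      "Resource": "*"
    }
  ]
}"""

_PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}|\[\[(\w+)\]\]")

def render_policy(template: str, values: dict) -> dict:
    """Substitute every {{name}} / [[name]] placeholder, then parse the JSON.
    A placeholder without a value raises KeyError, so a literal '{{account_id}}'
    can never reach IAM by accident."""
    return json.loads(_PLACEHOLDER.sub(lambda m: values[m.group(1) or m.group(2)], template))

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_data_source_policy(policy: dict, account_id: str) -> list:
    """Return findings (empty list means pass): S3 statements must be pinned to
    the owning account with aws:ResourceAccount, KMS statements must carry a
    kms:ViaService restriction, qbusiness ARNs must be in this account, and
    Resource "*" is tolerated only for read-only ec2:Describe* actions."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        cond = stmt.get("Condition", {})
        if any(a.startswith("s3:") for a in actions):
            if cond.get("StringEquals", {}).get("aws:ResourceAccount") != account_id:
                findings.append(f"{sid}: S3 access not pinned to account {account_id}")
        if any(a.startswith("kms:") for a in actions):
            if "kms:ViaService" not in cond.get("StringLike", {}):
                findings.append(f"{sid}: KMS action without a kms:ViaService restriction")
        if "*" in resources and not all(a.startswith("ec2:Describe") for a in actions):
            findings.append(f"{sid}: Resource '*' used with non-Describe actions")
        for res in resources:
            if res.startswith("arn:aws:qbusiness:") and f":{account_id}:" not in res:
                findings.append(f"{sid}: qbusiness resource outside account {account_id}")
    return findings

def findings_for_weakened_policy(policy: dict, account_id: str) -> list:
    """Re-lint a copy whose S3 statement has lost its aws:ResourceAccount pin,
    the shape a hand-edited policy often ends up in."""
    weakened = copy.deepcopy(policy)
    for stmt in weakened["Statement"]:
        if any(a.startswith("s3:") for a in _as_list(stmt["Action"])):
            stmt.pop("Condition", None)
    return lint_data_source_policy(weakened, account_id)

if __name__ == "__main__":
    rendered = render_policy(POLICY_TEMPLATE, SAMPLE_VALUES)
    print("as rendered:", lint_data_source_policy(rendered, SAMPLE_VALUES["account_id"]))
    print("without the S3 pin:", findings_for_weakened_policy(rendered, SAMPLE_VALUES["account_id"]))
```

Running the module prints an empty findings list for the rendered policy and one finding for the copy whose S3 statement lost its account pin. Rendering with an incomplete values dictionary fails fast with KeyError, which is the behaviour you want from anything that turns a documentation template into a live IAM policy.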
To allow Amazon Q to assume a role, use the following trust policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowsAmazonQToAssumeRoleForServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "qbusiness.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "{{source_account}}"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
                }
            }
        }
    ]
}
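The aws:SourceAccount and aws:SourceArn conditions in the trust policy above are what stop the Amazon Q service principal from assuming this role on behalf of some other account's or application's resources (the confused-deputy problem); the service principal alone would be granted to every Amazon Q Business application in every account. The following Python is an added example, not part of the AWS documentation: it checks a trust policy for those two conditions and evaluates them for a hypothetical AssumeRole call, first against the page's trust policy and then against a copy with the conditions removed. The account, region and application id values are constructed, and arn_like() is a simplified model of the IAM ArnLike operator written for this local check.

```python
"""Check an Amazon Q Business role trust policy for confused-deputy protection.
Added example, not from the AWS documentation page. TRUST_POLICY is the trust
policy above with constructed sample values in place of {{source_account}},
{{region}} and {{application_id}}; arn_like() is a simplified model of the
IAM ArnLike operator written for this local check."""
import copy
from fnmatch import fnmatchcase

SAMPLE_ACCOUNT = "111122223333"  # constructed sample account id
SAMPLE_APP_ARN = "arn:aws:qbusiness:us-east-1:111122223333:application/app-0000example"

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowsAmazonQToAssumeRoleForServicePrincipal",
            "Effect": "Allow",
            "Principal": {"Service": "qbusiness.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": SAMPLE_ACCOUNT},
                "ArnLike": {"aws:SourceArn": SAMPLE_APP_ARN},
            },
        }
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def arn_like(pattern: str, arn: str) -> bool:
    """Simplified ArnLike: each of the six colon-delimited ARN components must
    match, with * and ? wildcards (assumption: adequate for a local sanity
    check, not a replacement for the IAM policy simulator)."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    return len(p_parts) == len(a_parts) == 6 and all(
        fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))

def trust_policy_findings(trust: dict, expected_account: str) -> list:
    """Flag every Allow sts:AssumeRole statement for a service principal that
    lacks aws:SourceAccount == expected_account or an aws:SourceArn condition."""
    findings = []
    for stmt in trust.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if "Service" not in stmt.get("Principal", {}):
            continue  # only service principals are subject to this check
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != expected_account:
            findings.append(f"{sid}: missing aws:SourceAccount == {expected_account}")
        if "aws:SourceArn" not in {**cond.get("ArnLike", {}), **cond.get("ArnEquals", {})}:
            findings.append(f"{sid}: missing aws:SourceArn condition")
    return findings

def would_allow_assume(trust: dict, source_account: str, source_arn: str) -> bool:
    """Evaluate the trust policy for one hypothetical AssumeRole call made by
    qbusiness.amazonaws.com on behalf of the given account and application ARN
    (simplified evaluation: Allow statements and the two conditions above only)."""
    for stmt in trust.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Principal", {}).get("Service") != "qbusiness.amazonaws.com":
            continue
        cond = stmt.get("Condition", {})
        wanted_account = cond.get("StringEquals", {}).get("aws:SourceAccount")
        pattern = cond.get("ArnLike", {}).get("aws:SourceArn")
        if (wanted_account is None or wanted_account == source_account) and (
                pattern is None or arn_like(pattern, source_arn)):
            return True
    return False

def unconditioned_copy(trust: dict) -> dict:
    """A copy with every Condition removed: what a 'simplified' trust policy
    looks like, and why the check above exists."""
    weak = copy.deepcopy(trust)
    for stmt in weak["Statement"]:
        stmt.pop("Condition", None)
    return weak

if __name__ == "__main__":
    other = "arn:aws:qbusiness:us-east-1:999988887777:application/app-other"  # constructed
    print("as written:", trust_policy_findings(TRUST_POLICY, SAMPLE_ACCOUNT),
          would_allow_assume(TRUST_POLICY, "999988887777", other))
    weak = unconditioned_copy(TRUST_POLICY)
    print("unconditioned:", trust_policy_findings(weak, SAMPLE_ACCOUNT),
          would_allow_assume(weak, "999988887777", other))
```

As written, the policy produces no findings and refuses the call that arrives on behalf of another account's application; with the conditions stripped, the checker reports two findings and the same call would be allowed. If you wanted one role shared by several applications in the same account, the place to widen is the aws:SourceArn pattern (for example ending in application/*), never the aws:SourceAccount value.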