Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Administrator permissions

Focus mode
Administrator permissions - Amazon Q Developer

The following policies allow Amazon Q Developer administrators to perform administrative tasks in the Amazon Q subscription management console and Amazon Q Developer Pro console.

For policies that enable the use of Amazon Q Developer features, see User permissions.

Allow administrators to use the Amazon Q subscription console

The following example policy grants permissions for a user to create and manage subscriptions in the Amazon Q subscription management console. The Amazon Q subscription management console is where you configure Amazon Q's integration with AWS IAM Identity Center and AWS Organizations, choose which Amazon Q package to subscribe to, and attach users and groups to subscriptions.

To configure Amazon Q Developer Pro after subscribing users, someone in your enterprise will also need access to the Amazon Q Developer Pro console. For more information, see Allow administrators to use the Amazon Q Developer console.

Note

The codewhisperer prefix is a legacy name from a service that merged with Amazon Q Developer. For more information, see Amazon Q Developer rename - Summary of changes.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "organizations:ListAWSServiceAccessForOrganization", "organizations:DisableAWSServiceAccess", "organizations:EnableAWSServiceAccess", "organizations:DescribeOrganization" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "sso:ListApplications", "sso:ListInstances", "sso:DescribeRegisteredRegions", "sso:GetSharedSsoConfiguration", "sso:DescribeInstance", "sso:CreateApplication", "sso:PutApplicationAuthenticationMethod", "sso:PutApplicationAssignmentConfiguration", "sso:PutApplicationGrant", "sso:PutApplicationAccessScope", "sso:DescribeApplication", "sso:DeleteApplication", "sso:GetSSOStatus", "sso:CreateApplicationAssignment", "sso:DeleteApplicationAssignment" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "sso-directory:DescribeUsers", "sso-directory:DescribeGroups", "sso-directory:SearchGroups", "sso-directory:SearchUsers", "sso-directory:DescribeGroup", "sso-directory:DescribeUser", "sso-directory:DescribeDirectory" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "signin:ListTrustedIdentityPropagationApplicationsForConsole", "signin:CreateTrustedIdentityPropagationApplicationForConsole" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "codewhisperer:ListProfiles", "codewhisperer:CreateProfile", "codewhisperer:DeleteProfile" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "user-subscriptions:ListClaims", "user-subscriptions:ListUserSubscriptions", "user-subscriptions:CreateClaim", "user-subscriptions:DeleteClaim", "user-subscriptions:UpdateClaim" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "q:CreateAssignment", "q:DeleteAssignment" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/user-subscriptions.amazonaws.com/AWSServiceRoleForUserSubscriptions" ] } ] "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Action": [ "codewhisperer:UpdateProfile", "codewhisperer:ListProfiles", "sso:CreateApplication", "sso:PutApplicationAuthenticationMethod", "sso:PutApplicationGrant", "sso:PutApplicationAssignmentConfiguration" ], "Resource": [ "*" ] } ] }

Allow administrators to use the Amazon Q Developer console

The following example policy grants permissions for a user to access the Amazon Q Developer console. On the Amazon Q Developer console, administrators can configure various aspects of Amazon Q Developer and its features, including code references, customizations, and chat plugins. This policy also includes permissions to create and configure customer managed KMS keys.

To configure Amazon Q Developer Pro subscriptions, someone in your enterprise will also need access to the Amazon Q subscription management console. For more information, see Allow administrators to use the Amazon Q subscription console.

Note

If you're using customizations, then your Amazon Q Developer Pro administrator will require additional permissions.

You will need one of two policies to use the Amazon Q Developer console. The policy you need depends on if you're setting up Amazon Q Developer for the first time or if you're configuring a legacy Amazon CodeWhisperer profile.

Note

The codewhisperer prefix is a legacy name from a service that merged with Amazon Q Developer. For more information, see Amazon Q Developer rename - Summary of changes.

For new administrators of Amazon Q Developer, use the following policy:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sso-directory:GetUserPoolInfo", "sso:ListInstances", "sso:CreateApplication", "sso:PutApplicationAuthenticationMethod", "sso:PutApplicationGrant", "sso:PutApplicationAssignmentConfiguration" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iam:ListRoles" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "sso:DescribeRegisteredRegions", "sso:GetSSOStatus" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "organizations:DescribeAccount", "organizations:DescribeOrganization" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "kms:ListAliases", "kms:CreateGrant", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:RetireGrant", "kms:DescribeKey" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "codeguru-security:UpdateAccountConfiguration" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper" ] }, { "Effect": "Allow", "Action": [ "codewhisperer:UpdateProfile", "codewhisperer:ListProfiles", "codewhisperer:TagResource", "codewhisperer:UnTagResource", "codewhisperer:ListTagsForResource", "codewhisperer:CreateProfile" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "q:ListDashboardMetrics", "cloudwatch:GetMetricData", "cloudwatch:ListMetrics" ], "Resource": [ "*" ] } ] }

For legacy Amazon CodeWhisperer profiles, the following policy will enable an IAM principal to administer a CodeWhisperer application.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:GetUserPoolInfo", "sso-directory:DescribeDirectory", "sso-directory:ListMembersInGroup" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iam:ListRoles" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "pricing:GetProducts" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "sso:AssociateProfile", "sso:DisassociateProfile", "sso:GetProfile", "sso:ListProfiles", "sso:ListApplicationInstances", "sso:GetApplicationInstance", "sso:CreateManagedApplicationInstance", "sso:GetManagedApplicationInstance", "sso:ListProfileAssociations", "sso:GetSharedSsoConfiguration", "sso:ListDirectoryAssociations", "sso:DescribeRegisteredRegions", "sso:GetSsoConfiguration", "sso:GetSSOStatus" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "identitystore:ListUsers", "identitystore:ListGroups" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "organizations:DescribeAccount", "organizations:DescribeOrganization" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "kms:ListAliases", "kms:CreateGrant", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:RetireGrant", "kms:DescribeKey" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "codeguru-security:UpdateAccountConfiguration" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper" ] }, { "Effect": "Allow", "Action": [ "codewhisperer:UpdateProfile", "codewhisperer:ListProfiles", "codewhisperer:TagResource", "codewhisperer:UnTagResource", "codewhisperer:ListTagsForResource", "codewhisperer:CreateProfile" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "q:ListDashboardMetrics", "cloudwatch:GetMetricData", "cloudwatch:ListMetrics" ], "Resource": [ "*" ] } ] }

Allow administrators to create customizations

The following policy grants administrators permission to create and manage customizations in Amazon Q Developer.

To configure customizations in the Amazon Q Developer Pro console, your Amazon Q Developer administrator will require access to the Amazon Q Developer Pro console. For more information, see Allow administrators to use the Amazon Q Developer console.

Note

The codewhisperer prefix is a legacy name from a service that merged with Amazon Q Developer. For more information, see Amazon Q Developer rename - Summary of changes.

{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "sso-directory:DescribeUsers" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "codewhisperer:CreateCustomization", "codewhisperer:DeleteCustomization", "codewhisperer:ListCustomizations", "codewhisperer:ListCustomizationVersions", "codewhisperer:UpdateCustomization", "codewhisperer:GetCustomization", "codewhisperer:ListCustomizationPermissions", "codewhisperer:AssociateCustomizationPermission", "codewhisperer:DisassociateCustomizationPermission" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "codeconnections:ListConnections", "codeconnections:ListOwners", "codeconnections:ListRepositories", "codeconnections:GetConnection" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": "codeconnections:UseConnection", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "codeconnections:ProviderAction": [ "GitPull", "ListRepositories", "ListOwners" ] } } }, { "Effect": "Allow", "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:ListBucket*" ], "Resource": [ "*" ] } ] }

Allow administrators to accept a connector request from the account with the Q Developer transform web experience.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "codewhisperer:ListProfiles", "q:GetConnector", "q:AssociateConnectorResource", "q:RejectConnector" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sso:ListInstances" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketPublicAccessBlock", "s3:GetAccountPublicAccessBlock" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:CreatePolicy" ], "Resource": "arn:aws:iam::123456789012:policy/service-role/QTransform-*" }, { "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole" ], "Resource": "arn:aws:iam::123456789012:role/service-role/QTransform-*" } ] }

Allow administrators to configure plugins

The following example policy grants administrators permissions to view and configure third party plugins in the Amazon Q Developer console.

Note

In order to access the Amazon Q Developer console, users also needs the permissions defined in Allow administrators to use the Amazon Q Developer console.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "q:CreatePlugin", "q:GetPlugin", "q:DeletePlugin", "q:ListPlugins", "q:ListPluginProviders", "iam:CreateRole", "secretsmanager:CreateSecret" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": [ "q.amazonaws.com" ] } } } ] }

Allow migration of more than one network or more than one subnet

{ "Version": "2012-10-17", "Statement": [{ "Sid": "MGNNetworkMigrationAnalyzerEC2ResourceSgTag", "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup" ], "Resource": [ "arn:aws:ec2:region:account-id:vpc/*" ], "Condition": { "StringEquals": { "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService" } } }, { "Sid": "MGNNetworkMigrationAnalyzerEC2RequestSgTag", "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup" ], "Resource": [ "arn:aws:ec2:region:account-id:security-group/*", "arn:aws:ec2:region:account-id:security-group-rule/*" ], "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService" } } }, { "Sid": "MGNNetworkMigrationAnalyzerEC2SecurityGroupTags", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "arn:aws:ec2:region:account-id:security-group/*", "arn:aws:ec2:region:account-id:security-group-rule/*", "arn:aws:ec2:region:account-id:network-interface/*", "arn:aws:ec2:region:account-id:network-insights-path/*", "arn:aws:ec2:region:account-id:network-insights-analysis/*" ], "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService", "ec2:CreateAction": [ "CreateSecurityGroup", "CreateNetworkInterface", "CreateNetworkInsightsPath", "StartNetworkInsightsAnalysis" ] } } }, { "Sid": "MGNNetworkMigrationAnalyzerENIResourceTag", "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface" ], "Resource": [ "arn:aws:ec2:region:account-id:subnet/*" ], "Condition": { "StringEquals": { "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService" } } }, { "Sid": "MGNNetworkMigrationAnalyzerENISG", "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface" ], "Resource": [ "arn:aws:ec2:region:account-id:security-group/*" ] }, { "Sid": "MGNNetworkMigrationAnalyzerEC2ResourceTag", "Effect": "Allow", "Action": [ "ec2:CreateNetworkInsightsPath" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService" } } }, { "Sid": "MGNNetworkMigAnalyzerEC2RequestTag", "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:CreateNetworkInsightsPath", "ec2:StartNetworkInsightsAnalysis" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService" } } }, { "Sid": "MGNNetworkMigrationAnalyzeNetwork", "Effect": "Allow", "Action": [ "ec2:StartNetworkInsightsAnalysis" ], "Resource": [ "*" ] } ] }
PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.