AWS managed policies for Amazon Q Developer - Amazon Q Developer

AWS managed policies for Amazon Q Developer

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

The quickest way for an administrator to grant access to users is through an AWS managed policy. The following AWS managed policies for Amazon Q Developer can be attached to IAM identities:

  • AmazonQFullAccess provides full access to enable interactions with Amazon Q Developer, including administrator access.

  • AmazonQDeveloperAccess provides full access to enable interactions with Amazon Q Developer, without administrator access.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they’re available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AmazonQFullAccess

The AmazonQFullAccess managed policy provides administrator access to allow users in your organization to access Amazon Q Developer. It also provides full access to enable interactions with Amazon Q Developer, including logging in with IAM Identity Center to access Amazon Q through an Amazon Q Developer Pro subscription.

Note

To enable full access to complete administrative tasks in the Amazon Q subscription management console and Amazon Q Developer Pro console, additional permissions are needed. For more information, see Administrator permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQFullAccess",
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:PassRequest",
        "q:StartTroubleshootingAnalysis",
        "q:GetTroubleshootingResults",
        "q:StartTroubleshootingResolutionExplanation",
        "q:UpdateTroubleshootingCommandResult",
        "q:GetIdentityMetadata",
        "q:CreateAssignment",
        "q:DeleteAssignment",
        "q:GenerateCodeFromCommands",
        "q:CreatePlugin",
        "q:GetPlugin",
        "q:DeletePlugin",
        "q:ListPlugins",
        "q:ListPluginProviders",
        "q:UsePlugin",
        "q:TagResource",
        "q:UntagResource",
        "q:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCloudControlReadAccess",
      "Effect": "Allow",
      "Action": [
        "cloudformation:GetResource",
        "cloudformation:ListResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSetTrustedIdentity",
      "Effect": "Allow",
      "Action": [
        "sts:SetContext"
      ],
      "Resource": "arn:aws:sts::*:self"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "q.amazonaws.com"
          ]
        }
      }
    }
  ]
}

AmazonQDeveloperAccess

The AmazonQDeveloperAccess managed policy provides full access to enable interactions with Amazon Q Developer, without administrator access. It includes access to log in with IAM Identity Center to access Amazon Q through an Amazon Q Developer Pro subscription.

To use some features of Amazon Q, you might need additional permissions. See the topic for the feature you want to use for information on permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQDeveloperAccess",
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:PassRequest",
        "q:StartTroubleshootingAnalysis",
        "q:StartTroubleshootingResolutionExplanation",
        "q:GetTroubleshootingResults",
        "q:UpdateTroubleshootingCommandResult",
        "q:GetIdentityMetaData",
        "q:GenerateCodeFromCommands",
        "q:UsePlugin"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCloudControlReadAccess",
      "Effect": "Allow",
      "Action": [
        "cloudformation:GetResource",
        "cloudformation:ListResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSetTrustedIdentity",
      "Effect": "Allow",
      "Action": [
        "sts:SetContext"
      ],
      "Resource": "arn:aws:sts::*:self"
    }
  ]
}

AWSServiceRoleForAmazonQDeveloperPolicy

This AWS managed policy grants permissions commonly needed to use Amazon Q Developer. The policy is added to the AWSServiceRoleForAmazonQDeveloper service-linked role that is created when you onboard to Amazon Q.

You can't attach AWSServiceRoleForAmazonQDeveloperPolicy to your IAM entities. This policy is attached to a service-linked role that allows Amazon Q to perform actions on your behalf. For more information, see Using service-linked roles for Amazon Q Developer and User Subscriptions.

This policy grants administrator permissions that allow metrics to be published for Billing / Usage.

Permissions details

This policy includes the following permissions.

  • cloudwatch – Allows principals to publish usage metrics to CloudWatch for Billing / Usage. This is required so that you can track your usage of Amazon Q in CloudWatch.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": [
            "AWS/Q"
          ]
        }
      }
    }
  ]
}

To view this policy in the context of other AWS managed policies, see AmazonQDeveloperPolicy.

AWSServiceRoleForUserSubscriptionPolicy

This AWS managed policy grants permissions commonly needed to use Amazon Q Developer. The policy is added to the AWSServiceRoleForUserSubscriptions service-linked role that is created when you create Amazon Q subscriptions.

You can't attach AWSServiceRoleForUserSubscriptionPolicy to your IAM entities. This policy is attached to a service-linked role that allows Amazon Q to perform actions on your behalf. For more information, see Using service-linked roles for Amazon Q Developer and User Subscriptions.

This policy provides access for Amazon Q Subscriptions to your Identity Center resources to automatically update your subscriptions.

Permissions details

This policy includes the following permissions.

  • identitystore – Allows principals to track Identity Center directory changes so that subscriptions can be automatically updated.

  • organizations – Allows principals to track AWS Organizations changes so that subscriptions can be automatically updated.

  • sso – Allows principals to track Identity Center instance changes so that subscriptions can be automatically updated.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "identitystore:DescribeGroup",
        "identitystore:DescribeUser",
        "identitystore:IsMemberInGroups",
        "identitystore:ListGroupMemberships",
        "organizations:DescribeOrganization",
        "sso:DescribeApplication",
        "sso:DescribeInstance",
        "sso:ListInstances"
      ],
      "Resource": "*"
    }
  ]
}

To view this policy in the context of other AWS managed policies, see AWSServiceRoleForUserSubscriptionPolicy.

Policy updates

View details about updates to AWS managed policies for Amazon Q Developer since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Document history for Amazon Q Developer User Guide page.

Change | Description | Date
AmazonQDeveloperAccess - Updated policy | Additional permissions have been added to enable the use of Amazon Q Developer plugins. | November 13, 2024
AmazonQFullAccess - Updated policy | Additional permissions have been added to configure and use Amazon Q Developer plugins and to create and manage tags for Amazon Q Developer resources. | November 13, 2024
AmazonQDeveloperAccess - Updated policy | Additional permissions have been added to enable code generation from CLI commands with Amazon Q. | October 28, 2024
AmazonQFullAccess - Updated policy | Additional permissions have been added to enable code generation from CLI commands with Amazon Q. | October 28, 2024
AmazonQFullAccess - Updated policy | Additional permissions have been added to enable Amazon Q to access downstream resources. | July 9, 2024
AmazonQDeveloperAccess - New policy | Provides full access to enable interactions with Amazon Q Developer, without administrator access. | July 9, 2024
AmazonQFullAccess - Updated policy | Additional permissions have been added to enable subscription checks for Amazon Q Developer. | April 30, 2024
AWSServiceRoleForUserSubscriptionPolicy - New policy | Allows Amazon Q Subscriptions to automatically update subscriptions from changes in AWS IAM Identity Center, the AWS IAM Identity Center directory and AWS Organizations on your behalf. | April 30, 2024
AWSServiceRoleForAmazonQDeveloperPolicy - New policy | Allows Amazon Q to call Amazon CloudWatch and Amazon CodeGuru on your behalf. | April 30, 2024
AmazonQFullAccess - New policy | Provides full access to enable interactions with Amazon Q Developer. | November 28, 2023
Amazon Q Developer started tracking changes | Amazon Q Developer started tracking changes to AWS managed policies. | November 28, 2023