AWS managed policies for Amazon Q Developer
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
The quickest way for an administrator to grant access to users is through an AWS managed policy. The following AWS managed policies for Amazon Q Developer can be attached to IAM identities:
- AmazonQFullAccess provides full access to enable interactions with Amazon Q Developer, including administrator access.
- AmazonQDeveloperAccess provides full access to enable interactions with Amazon Q Developer, without administrator access.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they’re available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see AWS managed policies in the IAM User Guide.
AmazonQFullAccess
The AmazonQFullAccess managed policy provides administrator access to allow users in your organization to access Amazon Q Developer. It also provides full access to enable interactions with Amazon Q Developer, including logging in with IAM Identity Center to access Amazon Q through an Amazon Q Developer Pro subscription.
Note
To enable full access to complete administrative tasks in the Amazon Q subscription management console and Amazon Q Developer Pro console, additional permissions are needed. For more information, see Administrator permissions.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQFullAccess",
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:PassRequest",
        "q:StartTroubleshootingAnalysis",
        "q:GetTroubleshootingResults",
        "q:StartTroubleshootingResolutionExplanation",
        "q:UpdateTroubleshootingCommandResult",
        "q:GetIdentityMetadata",
        "q:CreateAssignment",
        "q:DeleteAssignment",
        "q:GenerateCodeFromCommands",
        "q:CreatePlugin",
        "q:GetPlugin",
        "q:DeletePlugin",
        "q:ListPlugins",
        "q:ListPluginProviders",
        "q:UsePlugin",
        "q:TagResource",
        "q:UntagResource",
        "q:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCloudControlReadAccess",
      "Effect": "Allow",
      "Action": [
        "cloudformation:GetResource",
        "cloudformation:ListResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSetTrustedIdentity",
      "Effect": "Allow",
      "Action": [
        "sts:SetContext"
      ],
      "Resource": "arn:aws:sts::*:self"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "q.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```
AmazonQDeveloperAccess
The AmazonQDeveloperAccess managed policy provides full access to enable interactions with Amazon Q Developer, without administrator access. It includes access to log in with IAM Identity Center to access Amazon Q through an Amazon Q Developer Pro subscription.
To use some features of Amazon Q, you might need additional permissions. See the topic for the feature you want to use for information on permissions.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQDeveloperAccess",
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:PassRequest",
        "q:StartTroubleshootingAnalysis",
        "q:StartTroubleshootingResolutionExplanation",
        "q:GetTroubleshootingResults",
        "q:UpdateTroubleshootingCommandResult",
        "q:GetIdentityMetaData",
        "q:GenerateCodeFromCommands",
        "q:UsePlugin"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCloudControlReadAccess",
      "Effect": "Allow",
      "Action": [
        "cloudformation:GetResource",
        "cloudformation:ListResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSetTrustedIdentity",
      "Effect": "Allow",
      "Action": [
        "sts:SetContext"
      ],
      "Resource": "arn:aws:sts::*:self"
    }
  ]
}
```
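The page recommends reducing these managed policies to customer managed policies that fit your use case. The following Python script is an added example, not AWS tooling: it embeds the two policy documents shown above, lists the actions AmazonQFullAccess grants beyond AmazonQDeveloperAccess, and derives a scoped-down customer managed policy that keeps each statement's Resource and Condition intact. The "chat only" action subset chosen at the bottom is an assumed, illustrative choice, not a recommendation from the page.

```python
"""Added example (not AWS's own tooling): compare two managed policies and derive
a scoped-down customer managed policy from one of them.

The two policy documents below are copied from the AmazonQFullAccess and
AmazonQDeveloperAccess documents on this page. The action subset kept by
scoped_down_policy() in the usage at the bottom is an assumed, illustrative
choice for a team that only needs chat, not plugins or administration.
"""
import json

FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAmazonQFullAccess", "Effect": "Allow", "Resource": "*",
         "Action": ["q:StartConversation", "q:SendMessage", "q:GetConversation",
                    "q:ListConversations", "q:PassRequest", "q:StartTroubleshootingAnalysis",
                    "q:GetTroubleshootingResults", "q:StartTroubleshootingResolutionExplanation",
                    "q:UpdateTroubleshootingCommandResult", "q:GetIdentityMetadata",
                    "q:CreateAssignment", "q:DeleteAssignment", "q:GenerateCodeFromCommands",
                    "q:CreatePlugin", "q:GetPlugin", "q:DeletePlugin", "q:ListPlugins",
                    "q:ListPluginProviders", "q:UsePlugin", "q:TagResource", "q:UntagResource",
                    "q:ListTagsForResource"]},
        {"Sid": "AllowCloudControlReadAccess", "Effect": "Allow", "Resource": "*",
         "Action": ["cloudformation:GetResource", "cloudformation:ListResources"]},
        {"Sid": "AllowSetTrustedIdentity", "Effect": "Allow",
         "Action": ["sts:SetContext"], "Resource": "arn:aws:sts::*:self"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": ["q.amazonaws.com"]}}},
    ],
}

DEVELOPER_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAmazonQDeveloperAccess", "Effect": "Allow", "Resource": "*",
         "Action": ["q:StartConversation", "q:SendMessage", "q:GetConversation",
                    "q:ListConversations", "q:PassRequest", "q:StartTroubleshootingAnalysis",
                    "q:StartTroubleshootingResolutionExplanation", "q:GetTroubleshootingResults",
                    "q:UpdateTroubleshootingCommandResult", "q:GetIdentityMetaData",
                    "q:GenerateCodeFromCommands", "q:UsePlugin"]},
        {"Sid": "AllowCloudControlReadAccess", "Effect": "Allow", "Resource": "*",
         "Action": ["cloudformation:GetResource", "cloudformation:ListResources"]},
        {"Sid": "AllowSetTrustedIdentity", "Effect": "Allow",
         "Action": ["sts:SetContext"], "Resource": "arn:aws:sts::*:self"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Map lower-cased action name -> name as written, for every Allow statement.
    IAM matches action names case-insensitively, so the comparison is done on
    the lower-cased form (the two policies spell GetIdentityMetadata differently)."""
    actions = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt["Action"]):
                actions.setdefault(action.lower(), action)
    return actions


def extra_actions(superset_policy, subset_policy):
    """Actions granted by superset_policy that subset_policy does not grant."""
    sup, sub = allowed_actions(superset_policy), allowed_actions(subset_policy)
    return sorted(name for key, name in sup.items() if key not in sub)


def scoped_down_policy(policy, keep_actions):
    """Build a customer managed policy that keeps only keep_actions, preserving
    each statement's Resource and Condition so the existing scoping (the sts
    self ARN, the iam:PassedToService condition) is not accidentally widened."""
    wanted = {a.lower() for a in keep_actions}
    statements = []
    for stmt in policy["Statement"]:
        kept = [a for a in _as_list(stmt["Action"]) if a.lower() in wanted]
        if not kept:
            continue
        new_stmt = {k: stmt[k] for k in ("Sid", "Effect") if k in stmt}
        new_stmt["Action"] = kept
        new_stmt["Resource"] = stmt["Resource"]
        if "Condition" in stmt:
            new_stmt["Condition"] = stmt["Condition"]
        statements.append(new_stmt)
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print("Granted by AmazonQFullAccess but not by AmazonQDeveloperAccess:")
    for action in extra_actions(FULL_ACCESS, DEVELOPER_ACCESS):
        print("  ", action)
    # Assumed, illustrative subset: chat actions plus the sts:SetContext both policies use.
    chat_only = ["q:StartConversation", "q:SendMessage", "q:GetConversation",
                 "q:ListConversations", "sts:SetContext"]
    print(json.dumps(scoped_down_policy(DEVELOPER_ACCESS, chat_only), indent=2))
```

Running the script prints the eleven actions (assignment, plugin and tag management plus iam:PassRole) that only the full-access policy grants, then a two-statement policy that drops the Cloud Control read statement entirely because none of its actions were kept. Verify any generated document with the IAM policy simulator before attaching it.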
AWSServiceRoleForAmazonQDeveloperPolicy
This AWS managed policy grants permissions commonly needed to use Amazon Q Developer. The policy is added to the AWSServiceRoleForAmazonQDeveloper service-linked role that is created when you onboard to Amazon Q.
You can't attach AWSServiceRoleForAmazonQDeveloperPolicy to your IAM entities. This policy is attached to a service-linked role that allows Amazon Q to perform actions on your behalf. For more information, see Using service-linked roles for Amazon Q Developer and User Subscriptions.
This policy grants administrator permissions that allow metrics to be published for Billing / Usage.
Permissions details
This policy includes the following permissions.
- cloudwatch – Allows principals to publish usage metrics to CloudWatch for Billing / Usage. This is required so that you can track your usage of Amazon Q in CloudWatch.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": [
            "AWS/Q"
          ]
        }
      }
    }
  ]
}
```
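Both this policy and the iam:PassRole statement in AmazonQFullAccess rely on a StringEquals condition to keep a broad "Resource": "*" grant narrow: PutMetricData is only allowed into the AWS/Q namespace, and PassRole only towards q.amazonaws.com. The following Python script is an added example, not AWS's evaluator, that models just enough of IAM evaluation (Allow/Deny, action and resource wildcards, StringEquals) to show how those conditions decide a request; the account ID and role name in the sample ARN are constructed.

```python
"""Added example (not AWS's own evaluator): a deliberately small model of how
IAM applies an Allow statement that carries a StringEquals condition, run
against the AWSServiceRoleForAmazonQDeveloperPolicy document from this page and
the iam:PassRole statement of AmazonQFullAccess. Only the features those two
documents use are modelled: Allow/Deny, * and ? wildcards in Action and
Resource, and the StringEquals operator. The account ID and role name in the
sample ARN used at the bottom are constructed values.
"""
import fnmatch

SERVICE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudwatch:PutMetricData"],
        "Resource": "*",
        "Condition": {"StringEquals": {"cloudwatch:namespace": ["AWS/Q"]}},
    }],
}

PASS_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": "*",
        "Condition": {"StringEquals": {"iam:PassedToService": ["q.amazonaws.com"]}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are matched case-insensitively; * and ? are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # Resource ARNs are matched case-sensitively.
    return fnmatch.fnmatchcase(resource, pattern)


def _condition_met(condition, context):
    """StringEquals: every condition key must be present in the request context
    and equal one of the listed values. A missing key makes the condition false,
    so a PutMetricData call that carries no namespace is implicitly denied."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_met(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed sample ARN; 123456789012 is a placeholder account ID.
    role = "arn:aws:iam::123456789012:role/ExampleRole"
    checks = [
        (SERVICE_ROLE_POLICY, "cloudwatch:PutMetricData", "*", {"cloudwatch:namespace": "AWS/Q"}),
        (SERVICE_ROLE_POLICY, "cloudwatch:PutMetricData", "*", {"cloudwatch:namespace": "AWS/EC2"}),
        (SERVICE_ROLE_POLICY, "cloudwatch:PutMetricData", "*", {}),
        (PASS_ROLE_POLICY, "iam:PassRole", role, {"iam:PassedToService": "q.amazonaws.com"}),
        (PASS_ROLE_POLICY, "iam:PassRole", role, {"iam:PassedToService": "ec2.amazonaws.com"}),
    ]
    for policy, action, resource, ctx in checks:
        print(f"{action} {resource} {ctx} -> {'ALLOW' if is_allowed(policy, action, resource, ctx) else 'DENY'}")
```

The model shows why the condition, not the Resource element, is what scopes these statements: the first and fourth checks are allowed, the rest fall through to the implicit deny. The real service performs far more (policy types, Deny precedence across several policies, many operators), so treat this as a reading aid and use the IAM policy simulator for authoritative answers.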
To view this policy in the context of other AWS managed policies, see AmazonQDeveloperPolicy.
AWSServiceRoleForUserSubscriptionPolicy
This AWS managed policy grants permissions commonly needed to use Amazon Q Developer. The policy is added to the AWSServiceRoleForUserSubscriptions service-linked role that is created when you create Amazon Q subscriptions.
You can't attach AWSServiceRoleForUserSubscriptionPolicy to your IAM entities. This policy is attached to a service-linked role that allows Amazon Q to perform actions on your behalf. For more information, see Using service-linked roles for Amazon Q Developer and User Subscriptions.
This policy provides access for Amazon Q Subscriptions to your Identity Center resources to automatically update your subscriptions.
Permissions details
This policy includes the following permissions.
- identitystore – Allows principals to track Identity Center directory changes so that subscriptions can be automatically updated.
- organizations – Allows principals to track AWS Organizations changes so that subscriptions can be automatically updated.
- sso – Allows principals to track Identity Center instance changes so that subscriptions can be automatically updated.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "identitystore:DescribeGroup",
        "identitystore:DescribeUser",
        "identitystore:IsMemberInGroups",
        "identitystore:ListGroupMemberships",
        "organizations:DescribeOrganization",
        "sso:DescribeApplication",
        "sso:DescribeInstance",
        "sso:ListInstances"
      ],
      "Resource": "*"
    }
  ]
}
```
To view this policy in the context of other AWS managed policies, see AWSServiceRoleForUserSubscriptionPolicy.
Policy updates
View details about updates to AWS managed policies for Amazon Q Developer since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Document history for Amazon Q Developer User Guide page.
Change | Description | Date |
---|---|---|
AmazonQDeveloperAccess - Updated policy | Additional permissions have been added to enable the use of Amazon Q Developer plugins. | November 13, 2024 |
AmazonQFullAccess - Updated policy | Additional permissions have been added to configure and use Amazon Q Developer plugins and to create and manage tags for Amazon Q Developer resources. | November 13, 2024 |
AmazonQDeveloperAccess - Updated policy | Additional permissions have been added to enable code generation from CLI commands with Amazon Q. | October 28, 2024 |
AmazonQFullAccess - Updated policy | Additional permissions have been added to enable code generation from CLI commands with Amazon Q. | October 28, 2024 |
AmazonQFullAccess - Updated policy | Additional permissions have been added to enable Amazon Q to access downstream resources. | July 9, 2024 |
AmazonQDeveloperAccess - New policy | Provides full access to enable interactions with Amazon Q Developer, without administrator access. | July 9, 2024 |
AmazonQFullAccess - Updated policy | Additional permissions have been added to enable subscription checks for Amazon Q Developer. | April 30, 2024 |
AWSServiceRoleForUserSubscriptionPolicy - New policy | Allows Amazon Q Subscriptions to automatically update subscriptions from changes in AWS IAM Identity Center, the AWS IAM Identity Center directory, and AWS Organizations on your behalf. | April 30, 2024 |
AWSServiceRoleForAmazonQDeveloperPolicy - New policy | Allows Amazon Q to call Amazon CloudWatch and Amazon CodeGuru on your behalf. | April 30, 2024 |
AmazonQFullAccess - New policy | Provides full access to enable interactions with Amazon Q Developer. | November 28, 2023 |
Amazon Q Developer started tracking changes | Amazon Q Developer started tracking changes to AWS managed policies. | November 28, 2023 |