Manage access to Amazon Q Developer with IAM policies - Amazon Q Developer

Amazon Q Developer is in preview release and is subject to change.

Manage access to Amazon Q Developer with IAM policies

Note

The information on this page pertains to accessing Amazon Q Developer. For information about managing access to Amazon Q Business, see Identity-based policy examples for Amazon Q Business in the Amazon Q Business User Guide.

The policies and examples in this topic are specific to Amazon Q in the AWS Management Console, AWS Console Mobile Application, AWS website, and AWS Documentation. Other services integrated with Amazon Q might require different policies or settings. For more information, see the documentation for the service that contains an Amazon Q feature or integration.

IAM administrators can manage access to Amazon Q Developer and its features in the AWS Management Console, AWS website, AWS Documentation pages, and AWS Console Mobile Application by granting permissions to IAM identities.

The quickest way for an administrator to grant access to users is through an AWS managed policy. The following AWS managed policy for Amazon Q Developer can be attached to IAM identities:

  • AmazonQFullAccess provides full access to enable interactions with Amazon Q Developer.

For more information about this policy, see AWS managed policies for Amazon Q Developer.

Amazon Q Developer permissions

You can use the following table as a reference when you set up identities for Amazon Q (see Authenticating with identities in Amazon Q) and when you write permissions policies that you attach to an IAM identity (identity-based policies).

Important

To chat with Amazon Q, an IAM identity needs permissions for the following actions:

  • StartConversation

  • SendMessage

  • GetConversation (console only)

  • ListConversations (console only)

To troubleshoot console errors with Amazon Q, an IAM identity needs permissions for the following actions:

  • StartTroubleshootingAnalysis

  • GetTroubleshootingResults

  • StartTroubleshootingResolutionExplanation

If one of these actions isn't explicitly allowed by an attached policy, an IAM permissions error is returned when you try to use Amazon Q.

The following table shows the Amazon Q Developer permissions that you can allow or deny access to in IAM policies.

Amazon Q Developer permissions

Name | Description of permission granted | What feature is it required for?
---- | --------------------------------- | --------------------------------
q:StartConversation | Start a conversation with Amazon Q | Required to chat with Amazon Q
q:SendMessage | Send a message to Amazon Q | Required to chat with Amazon Q
q:GetConversation | Get individual messages associated with a specific conversation with Amazon Q | Required to chat with Amazon Q in the console and to use Amazon Q network troubleshooting
q:ListConversations | List individual conversations associated with a specific Amazon Q user | Required to chat with Amazon Q in the console
q:StartTroubleshootingAnalysis | Start a troubleshooting analysis with Amazon Q | Required to troubleshoot console errors with Amazon Q
q:GetTroubleshootingResults | Get troubleshooting results with Amazon Q | Required to troubleshoot console errors with Amazon Q
q:StartTroubleshootingResolutionExplanation | Start a troubleshooting resolution explanation with Amazon Q | Required to troubleshoot console errors with Amazon Q

Policy best practices

Identity-based policies determine whether someone can create, access, or delete Amazon Q Developer resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:

  • Get started with AWS managed policies and move toward least-privilege permissions – To get started granting permissions to your users and workloads, use the AWS managed policies that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see AWS managed policies or AWS managed policies for job functions in the IAM User Guide.

  • Apply least-privilege permissions – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as least-privilege permissions. For more information about using IAM to apply permissions, see Policies and permissions in IAM in the IAM User Guide.

  • Use conditions in IAM policies to further restrict access – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as AWS CloudFormation. For more information, see IAM JSON policy elements: Condition in the IAM User Guide.

  • Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see IAM Access Analyzer policy validation in the IAM User Guide.

  • Require multi-factor authentication (MFA) – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see Configuring MFA-protected API access in the IAM User Guide.

For more information about best practices in IAM, see Security best practices in IAM in the IAM User Guide.

Create custom policies with Amazon Q Developer permissions

To manage specific actions that IAM identities can perform with Amazon Q Developer, administrators can create custom IAM policies that define what permissions a user, group, or role has. You can also edit existing policies that are attached to the relevant IAM identity.

For example, you can create a policy that allows users to have conversations with Amazon Q but not to troubleshoot console errors. You can also explicitly deny all access to Amazon Q.

The following AmazonQFullAccess policy uses the wildcard (*) character to give the IAM identity (user, role, or group) full access to Amazon Q and its features.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQFullAccess",
      "Effect": "Allow",
      "Action": [
        "q:*"
      ],
      "Resource": "*"
    }
  ]
}

You can use the AmazonQFullAccess policy as a template for custom policies that are more restrictive in terms of permitted user actions. Under Action, replace the wildcard character with the name of the permission that you want to add to the policy. For examples, see Identity-based policy examples for Amazon Q Developer.

Manage access with service control policies (SCPs)

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. You can control what Amazon Q Developer features are available in your organization by creating an SCP that specifies permissions for some or all Amazon Q actions.

For more information about using SCPs to control access in your organization, see Creating, updating, and deleting service control policies and Attaching and detaching service control policies in the AWS Organizations User Guide.

The following is an example of an SCP that denies access to Amazon Q. This policy restricts access to Amazon Q chat, console error troubleshooting, and network troubleshooting.

Note

Denying access to Amazon Q will not disable the Amazon Q icon or chat panel in the AWS console, AWS website, AWS documentation pages, or AWS Console Mobile Application.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAmazonQFullAccess",
      "Effect": "Deny",
      "Action": [
        "q:*"
      ],
      "Resource": "*"
    }
  ]
}
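Because a missing action produces an IAM permissions error (see the required-action lists above) and an SCP Deny overrides any identity-based Allow, it helps to check a policy set against the feature requirements before attaching it. The following is an added example, not AWS code or tooling: a small evaluator that models the explicit-deny / allow / implicit-deny logic for identity policies plus an SCP layer, using the policies on this page. It ignores Resource and Condition (a stated simplification; this page's policies use Resource "*"), and ALLOW_ALL_SCP is constructed for illustration.

```python
import fnmatch

# Actions each Amazon Q Developer feature requires, as listed on this page.
REQUIRED = {
    "chat in the console": ["q:StartConversation", "q:SendMessage",
                            "q:GetConversation", "q:ListConversations"],
    "troubleshoot console errors": ["q:StartTroubleshootingAnalysis", "q:GetTroubleshootingResults",
                                    "q:StartTroubleshootingResolutionExplanation"],
}

def _matches(pattern, action):
    # IAM action names are case-insensitive and "*" matches any run of characters.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _decide(action, policies):
    """Explicit Deny beats Allow; no matching statement is an implicit deny.
    Simplification: Resource and Condition are ignored (this page's policies use Resource "*")."""
    decision = "implicit deny"
    for policy in policies:
        statements = policy["Statement"]
        for st in ([statements] if isinstance(statements, dict) else statements):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if any(_matches(p, action) for p in actions):
                if st["Effect"] == "Deny":
                    return "explicit deny"
                decision = "allow"
    return decision

def is_allowed(action, identity_policies, scps=()):
    """Allowed only if the identity policies allow the action and, when SCPs apply,
    the SCP layer allows it too (an SCP Deny always wins)."""
    if _decide(action, identity_policies) != "allow":
        return False
    return not scps or _decide(action, scps) == "allow"

def missing_actions(identity_policies, scps=()):
    """Per feature, the required actions that are not allowed (empty list = feature usable)."""
    return {feat: [a for a in acts if not is_allowed(a, identity_policies, scps)]
            for feat, acts in REQUIRED.items()}

# The three policies below are copied from this page.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAmazonQFullAccess", "Effect": "Allow", "Action": ["q:*"], "Resource": "*"}]}
CHAT_ONLY = {"Version": "2012-10-17", "Statement": [{"Sid": "AllowAmazonQConversationAccess",
    "Effect": "Allow", "Resource": "*", "Action": REQUIRED["chat in the console"]}]}
DENY_Q_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyAmazonQFullAccess", "Effect": "Deny", "Action": ["q:*"], "Resource": "*"}]}
# Constructed for illustration: an allow-everything SCP, so the SCP layer removes only what DENY_Q_SCP denies.
ALLOW_ALL_SCP = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
```

missing_actions([CHAT_ONLY]) reports the three troubleshooting actions as missing, while adding DENY_Q_SCP to the SCP layer leaves every Amazon Q action unavailable regardless of the identity policy.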

Identity-based policy examples for Amazon Q Developer

The following example IAM policies control permissions for various Amazon Q Developer actions. Use them to allow or deny Amazon Q Developer access for your users, roles, or groups.

Allow users to chat with Amazon Q

The following example policy grants permissions to have a conversation with Amazon Q in the console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQConversationAccess",
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations"
      ],
      "Resource": "*"
    }
  ]
}

Allow users to troubleshoot console errors with Amazon Q

The following example policy grants permissions to troubleshoot console errors with Amazon Q.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQTroubleshooting",
      "Effect": "Allow",
      "Action": [
        "q:StartTroubleshootingAnalysis",
        "q:GetTroubleshootingResults",
        "q:StartTroubleshootingResolutionExplanation"
      ],
      "Resource": "*"
    }
  ]
}

Deny access to Amazon Q

The following example policy denies all permissions to use Amazon Q. This policy restricts access to Amazon Q chat, console error troubleshooting, and network troubleshooting.

Note

Denying access to Amazon Q will not disable the Amazon Q icon or chat panel in the AWS console, AWS website, AWS documentation pages, or AWS Console Mobile Application.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAmazonQFullAccess",
      "Effect": "Deny",
      "Action": [
        "q:*"
      ],
      "Resource": "*"
    }
  ]
}

Allow users to view their permissions

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ViewOwnUserInfo",
      "Effect": "Allow",
      "Action": [
        "iam:GetUserPolicy",
        "iam:ListGroupsForUser",
        "iam:ListAttachedUserPolicies",
        "iam:ListUserPolicies",
        "iam:GetUser"
      ],
      "Resource": ["arn:aws:iam::*:user/${aws:username}"]
    },
    {
      "Sid": "NavigateInConsole",
      "Effect": "Allow",
      "Action": [
        "iam:GetGroupPolicy",
        "iam:GetPolicyVersion",
        "iam:GetPolicy",
        "iam:ListAttachedGroupPolicies",
        "iam:ListGroupPolicies",
        "iam:ListPolicyVersions",
        "iam:ListPolicies",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}