Actions, resources, and condition keys for Amazon Q Business - Service Authorization Reference

Actions, resources, and condition keys for Amazon Q Business

Amazon Q Business (service prefix: qbusiness) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon Q Business

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AddUserLicenses Grants permission to add one or more users for licenses Write
BatchDeleteDocument Grants permission to batch delete document Write

application*

index*

BatchPutDocument Grants permission to batch put document Write

application*

index*

CancelSubscription Grants permission to cancel a subscription Write

application*

subscription*

Chat Grants permission to chat using an application Read

application*

ChatSync Grants permission to chat synchronously using an application Read

application*

CreateApplication Grants permission to create an application Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDataSource Grants permission to create a data source for a given application and index Write

application*

index*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateIndex Grants permission to create an index for a given application Write

application*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateLicense Grants permission to create a license Write
CreatePlugin Grants permission to create a plugin for a given application Write

application*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateRetriever Grants permission to create a retriever for a given application Write

application*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateSubscription Grants permission to create a subscription Write

application*

CreateUser Grants permission to create a user Write

application*

CreateWebExperience Grants permission to create a web experience for a given application Write

application*

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteApplication Grants permission to delete an application Write

application*

DeleteChatControlsConfiguration Grants permission to delete chat controls configuration for an application Write

application*

DeleteConversation Grants permission to delete a conversation Write

application*

DeleteDataSource Grants permission to delete a DataSource Write

application*

data-source*

index*

DeleteGroup Grants permission to delete a group Write

application*

index*

DeleteIndex Grants permission to delete an index Write

application*

index*

DeletePlugin Grants permission to delete a plugin Write

application*

plugin*

DeleteRetriever Grants permission to delete a retriever Write

application*

retriever*

DeleteUser Grants permission to delete a user Write

application*

DeleteWebExperience Grants permission to delete a web-experience Write

application*

web-experience*

DisableAclOnDataSource [permission only] Grants permission to disable the ACL crawl while creating the Amazon Q Business data source resource Write

application*

GetApplication Grants permission to get an application Read

application*

GetChatControlsConfiguration Grants permission to get chat controls configuration for an application List

application*

GetDataSource Grants permission to get a data source Read

application*

data-source*

index*

GetGroup Grants permission to get a group Read

application*

index*

GetIndex Grants permission to get an index Read

application*

index*

GetLicense Grants permission to get a license Read

user-license*

GetPlugin Grants permission to get a plugin Read

application*

plugin*

GetRetriever Grants permission to get a retriever Read

application*

retriever*

GetUser Grants permission to get a user Read

application*

GetWebExperience Grants permission to get a web-experience Read

application*

web-experience*

ListApplications Grants permission to list the applications List
ListConversations Grants permission to list all conversations for an application List

application*

ListDataSourceSyncJobs Grants permission to get Data Source sync job history List

application*

data-source*

index*

ListDataSources Grants permission to list the data sources of an application and an index List

application*

index*

ListDocuments Grants permission to list all documents List

application*

index*

ListGroups Grants permission to list groups List

application*

index*

ListIndices Grants permission to list the indices of an application List

application*

ListMessages Grants permission to list all messages List

application*

ListPlugins Grants permission to list the plugins of an application List

application*

ListRetrievers Grants permission to list the retrievers of an application List

application*

ListSubscriptions Grants permission to list subscriptions List

application*

ListTagsForResource Grants permission to list tags for a resource Read

application

data-source

index

plugin

retriever

web-experience

ListUserLicenses Grants permission to list licenses List
ListWebExperiences Grants permission to list the web experiences of an application List

application*

PutFeedback Grants permission to put feedback about a conversation message Write

application*

PutGroup Grants permission to put a group of users Write

application*

index*

RemoveUserLicenses Grants permission to remove licenses for one or more users Write
StartDataSourceSyncJob Grants permission to start Data Source sync job Write

application*

data-source*

index*

StopDataSourceSyncJob Grants permission to stop Data Source sync job Write

application*

data-source*

index*

TagResource Grants permission to tag a resource with given key value pairs Tagging

application

data-source

index

plugin

retriever

web-experience

aws:RequestTag/${TagKey}

aws:TagKeys

UntagResource Grants permission to remove the tag with the given key from a resource Tagging

application

data-source

index

plugin

retriever

web-experience

aws:TagKeys

UpdateApplication Grants permission to update an Application Write

application*

UpdateChatControlsConfiguration Grants permission to update chat controls configuration for an application Write

application*

UpdateDataSource Grants permission to update a DataSource Write

application*

data-source*

index*

UpdateIndex Grants permission to update an index Write

application*

index*

UpdatePlugin Grants permission to update a plugin Write

application*

plugin*

UpdateRetriever Grants permission to update a Retriever Write

application*

retriever*

UpdateSubscription Grants permission to update a subscription Write

application*

subscription*

UpdateUser Grants permission to update a user Write

application*

UpdateWebExperience Grants permission to update a WebExperience Write

application*

web-experience*

Resource types defined by Amazon Q Business

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
application arn:${Partition}:qbusiness:${Region}:${Account}:application/${ApplicationId}

aws:ResourceTag/${TagKey}

retriever arn:${Partition}:qbusiness:${Region}:${Account}:application/${ApplicationId}/retriever/${RetrieverId}

aws:ResourceTag/${TagKey}

index arn:${Partition}:qbusiness:${Region}:${Account}:application/${ApplicationId}/index/${IndexId}

aws:ResourceTag/${TagKey}

data-source arn:${Partition}:qbusiness:${Region}:${Account}:application/${ApplicationId}/index/${IndexId}/data-source/${DataSourceId}

aws:ResourceTag/${TagKey}

plugin arn:${Partition}:qbusiness:${Region}:${Account}:application/${ApplicationId}/plugin/${PluginId}

aws:ResourceTag/${TagKey}

web-experience arn:${Partition}:qbusiness:${Region}:${Account}:application/${ApplicationId}/web-experience/${WebExperienceId}

aws:ResourceTag/${TagKey}

user-license arn:${Partition}:qbusiness:${Region}:${Account}:application/${ApplicationId}/user-license/${UserLicenseId}
subscription arn:${Partition}:qbusiness:${Region}:${Account}:application/${ApplicationId}/subscription/${SubscriptionId}

Condition keys for Amazon Q Business

Amazon Q Business defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the tags that are passed in the request String
aws:ResourceTag/${TagKey} Filters access by the tags associated with the resource String
aws:TagKeys Filters access by the tag keys that are passed in the request ArrayOfString