Identity-based policy examples for Amazon Q Developer - Amazon Q Developer

This page is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version prevails.

Identity-based policy examples for Amazon Q Developer

The following example IAM policies control permissions for various Amazon Q Developer actions. Use them to allow or deny Amazon Q Developer access for your users, roles, or groups.

For a list of all the Amazon Q permissions that you can control with policies, see the Amazon Q Developer permissions reference.

Note

The following example policies grant permissions for Amazon Q Developer features, but users may also need additional permissions to access Amazon Q through an Amazon Q Developer Pro subscription. For more information, see Allow users to access Amazon Q through an Amazon Q Developer Pro subscription.

You can use the following policies as written, or you can add permissions only for the individual Amazon Q features you want to use. For examples of policies that allow access to specific features, see Identity-based policy examples for Amazon Q Developer.

For more information about setting up IAM permissions for Amazon Q, see Manage access to Amazon Q Developer with policies.

For details about the features these permissions cover, see the Amazon Q Developer permissions reference.

Allow administrators to use the Amazon Q service administration console

The following policy allows a user to use the Amazon Q service administration console. In that console you configure the integration of Amazon Q with IAM Identity Center and AWS Organizations, and choose which Amazon Q tier to subscribe to.

To fully set up your Amazon Q Pro subscription, someone in your organization also needs access to the Amazon Q Pro console. For more information, see Assign permissions to use the Amazon Q Developer Pro console.

Note

The codewhisperer prefix is the legacy name of the service that was merged into Amazon Q Developer. For more information, see Amazon Q Developer rename - Summary of changes.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DisableAWSServiceAccess",
        "organizations:EnableAWSServiceAccess",
        "organizations:DescribeOrganization"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso:ListApplications",
        "sso:ListInstances",
        "sso:DescribeRegisteredRegions",
        "sso:GetSharedSsoConfiguration",
        "sso:DescribeInstance",
        "sso:CreateApplication",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationAssignmentConfiguration",
        "sso:PutApplicationGrant",
        "sso:PutApplicationAccessScope",
        "sso:DescribeApplication",
        "sso:DeleteApplication",
        "sso:GetSSOStatus",
        "sso:CreateApplicationAssignment",
        "sso:DeleteApplicationAssignment"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:DescribeUsers",
        "sso-directory:DescribeGroups",
        "sso-directory:SearchGroups",
        "sso-directory:SearchUsers",
        "sso-directory:DescribeGroup",
        "sso-directory:DescribeUser",
        "sso-directory:DescribeDirectory"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "signin:ListTrustedIdentityPropagationApplicationsForConsole",
        "signin:CreateTrustedIdentityPropagationApplicationForConsole"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:ListProfiles",
        "codewhisperer:CreateProfile",
        "codewhisperer:DeleteProfile"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "user-subscriptions:ListClaims",
        "user-subscriptions:ListUserSubscriptions",
        "user-subscriptions:CreateClaim",
        "user-subscriptions:DeleteClaim",
        "user-subscriptions:UpdateClaim"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "q:CreateAssignment",
        "q:DeleteAssignment"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/user-subscriptions.amazonaws.com/AWSServiceRoleForUserSubscriptions"
      ]
    }
  ]
}

Allow administrators to set up the Amazon Q Developer Pro console

The following policy allows a user to access the Amazon Q Developer Pro console. In that console you attach users and groups to a subscription and configure aspects of Amazon Q Developer related to specific features, such as code references.

To fully set up an Amazon Q Pro subscription, someone in your organization also needs access to the Amazon Q service administration console. For more information, see Allow administrators to use the Amazon Q service administration console.

Note

The codewhisperer prefix is the legacy name of the service that was merged into Amazon Q Developer. For more information, see Amazon Q Developer rename - Summary of changes.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sso-directory:GetUserPoolInfo"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:ListRoles"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso:DescribeRegisteredRegions",
        "sso:GetSSOStatus"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases",
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:RetireGrant",
        "kms:DescribeKey"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["codeguru-security:UpdateAccountConfiguration"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:UpdateProfile",
        "codewhisperer:ListProfiles",
        "codewhisperer:TagResource",
        "codewhisperer:UnTagResource",
        "codewhisperer:ListTagsForResource",
        "codewhisperer:CreateProfile"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": ["*"]
    }
  ]
}

For legacy Amazon CodeWhisperer profiles, the following policy enables an IAM principal to manage the CodeWhisperer application.

Note

The codewhisperer prefix is the legacy name of the service that was merged into Amazon Q Developer. For more information, see Amazon Q Developer rename - Summary of changes.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:SearchUsers",
        "sso-directory:SearchGroups",
        "sso-directory:GetUserPoolInfo",
        "sso-directory:DescribeDirectory",
        "sso-directory:ListMembersInGroup"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:ListRoles"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["pricing:GetProducts"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso:AssociateProfile",
        "sso:DisassociateProfile",
        "sso:GetProfile",
        "sso:ListProfiles",
        "sso:ListApplicationInstances",
        "sso:GetApplicationInstance",
        "sso:CreateManagedApplicationInstance",
        "sso:GetManagedApplicationInstance",
        "sso:ListProfileAssociations",
        "sso:GetSharedSsoConfiguration",
        "sso:ListDirectoryAssociations",
        "sso:DescribeRegisteredRegions",
        "sso:GetSsoConfiguration",
        "sso:GetSSOStatus"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "identitystore:ListUsers",
        "identitystore:ListGroups"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases",
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:RetireGrant",
        "kms:DescribeKey"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["codeguru-security:UpdateAccountConfiguration"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:UpdateProfile",
        "codewhisperer:ListProfiles",
        "codewhisperer:TagResource",
        "codewhisperer:UnTagResource",
        "codewhisperer:ListTagsForResource",
        "codewhisperer:CreateProfile"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": ["*"]
    }
  ]
}

Note

If you use customizations, the Amazon Q Developer administrator needs additional permissions. For more information, see Prerequisites for customizations.

To learn more about IAM policies, see Access management in the IAM User Guide.

Add IAM permissions for Amazon Q on AWS websites

To use Amazon Q Developer features on AWS apps and websites, you must attach the appropriate AWS Identity and Access Management (IAM) permissions. The following is an example policy that you can use to access most Amazon Q features on AWS apps and websites:

Note

The availability of Amazon Q features depends on the environment in which you use Amazon Q. See the topic for the feature you want to use for details about where that feature is available and the specific permissions it requires.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:SendMessage",
        "q:StartConversation",
        "q:GetConversation",
        "q:ListConversations",
        "q:GetIdentityMetaData",
        "q:StartTroubleshootingAnalysis",
        "q:GetTroubleshootingResults",
        "q:StartTroubleshootingResolutionExplanation",
        "q:UpdateTroubleshootingCommandResult",
        "q:PassRequest"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["ce:GetCostAndUsage"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["sts:SetContext"],
      "Resource": ["arn:aws:sts::*:self"]
    }
  ]
}

Allow users to access Amazon Q through an Amazon Q Developer Pro subscription

The following example policy grants permission to use Amazon Q with an Amazon Q Developer Pro subscription. Without these permissions, users can access only the Amazon Q Free tier. To chat with Amazon Q or use other Amazon Q features, users also need further permissions, such as those granted by the other example policies in this section.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetIdentity",
      "Effect": "Allow",
      "Action": ["q:GetIdentityMetaData"],
      "Resource": "*"
    },
    {
      "Sid": "AllowSetTrustedIdentity",
      "Effect": "Allow",
      "Action": ["sts:SetContext"],
      "Resource": "arn:aws:sts::*:self"
    }
  ]
}

Allow users to chat with Amazon Q

The following example policy grants permission to chat with Amazon Q in the console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQConversationAccess",
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations"
      ],
      "Resource": "*"
    }
  ]
}

Allow users to diagnose console errors with Amazon Q

The following example policy grants permission to diagnose console errors with Amazon Q.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQTroubleshooting",
      "Effect": "Allow",
      "Action": [
        "q:StartTroubleshootingAnalysis",
        "q:GetTroubleshootingResults",
        "q:StartTroubleshootingResolutionExplanation",
        "q:UpdateTroubleshootingCommandResult"
      ],
      "Resource": "*"
    }
  ]
}

Allow Amazon Q to perform actions on your behalf

The following example policy grants permission to chat with Amazon Q and allows Amazon Q to perform actions on your behalf. The q:PassRequest action is what lets Amazon Q call other services with your credentials; Amazon Q can perform only those actions that your IAM identity itself has permission to perform.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQPassRequest",
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:PassRequest"
      ],
      "Resource": "*"
    }
  ]
}

Deny Amazon Q permission to perform specific actions on your behalf

The following example policy grants permission to chat with Amazon Q and allows Amazon Q to perform on your behalf any action your IAM identity is permitted to perform, except Amazon EC2 actions. The policy uses the aws:CalledVia global condition key to deny Amazon EC2 actions only when Amazon Q is the caller; your identity can still call them directly. Because aws:CalledVia is a multivalued key (it carries the chain of services that made the call), the condition must use a set operator such as ForAnyValue. As with any IAM policy, the explicit Deny overrides every Allow of those actions in other policies attached to the identity.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:PassRequest"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["ec2:*"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["q.amazonaws.com"]
        }
      }
    }
  ]
}

Allow Amazon Q permission to perform specific actions on your behalf

The following example policy grants permission to chat with Amazon Q and allows Amazon Q to act on your behalf, but restricts what it may do in Amazon EC2. The policy grants your IAM identity permission to perform any Amazon EC2 action when it calls EC2 directly, while allowing Amazon Q to perform only the ec2:DescribeInstances action. It uses the aws:CalledVia global condition key so that, when the call comes through Amazon Q, only ec2:DescribeInstances is allowed and no other Amazon EC2 action is.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:PassRequest"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:*"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "aws:CalledVia": ["q.amazonaws.com"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["q.amazonaws.com"]
        }
      }
    }
  ]
}

Allow Amazon Q permission to perform actions on your behalf in specific Regions

The following example policy grants permission to chat with Amazon Q and allows Amazon Q, when performing actions on your behalf, to make calls only in the us-east-1 and us-west-2 Regions. Amazon Q cannot make calls in any other Region. For more information about restricting the Regions that can be called, see aws:RequestedRegion in the AWS Identity and Access Management User Guide.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:PassRequest"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2"
          ]
        }
      }
    }
  ]
}
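To see how the aws:CalledVia deny above and the aws:RequestedRegion policy actually decide a request, here is a small Python evaluator. It is an added example for this page, not AWS code or an AWS tool, and it models only what these two policies exercise: case-insensitive Action wildcards, Deny-over-Allow precedence, and the StringEquals/StringNotEquals operators with or without the ForAnyValue set qualifier. Resource matching is skipped because every statement on this page uses "*". The EC2_ADMIN policy is an assumed companion policy standing in for the identity's own EC2 permissions (the Deny needs something to carve out of), and the request contexts in demo() are constructed.

```python
"""Toy IAM evaluator for the aws:CalledVia and aws:RequestedRegion examples above.
Added example, not AWS code: models only case-insensitive Action wildcards,
Deny-over-Allow precedence, and StringEquals/StringNotEquals with or without
ForAnyValue. Resource matching is skipped (every statement here uses "*")."""
import fnmatch


def _as_list(value):
    """IAM accepts a string or a list in Action and Condition values."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def action_matches(pattern, action):
    """Action names match case-insensitively; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def condition_holds(condition, context):
    """Every operator block and every key in it must hold (logical AND).
    context maps a key to a string (single-valued, e.g. aws:RequestedRegion) or a
    list (multivalued, e.g. aws:CalledVia: the ordered chain of calling services)."""
    for operator, pairs in condition.items():
        qualifier, _, base = operator.rpartition(":")
        if base not in ("StringEquals", "StringNotEquals") or qualifier not in ("", "ForAnyValue"):
            raise NotImplementedError(f"{operator} is not modelled here")
        negate = base == "StringNotEquals"
        for key, wanted in pairs.items():
            wanted = [str(w) for w in _as_list(wanted)]
            have = [str(h) for h in _as_list(context.get(key))]
            hits = [(h not in wanted) if negate else (h in wanted) for h in have]
            if qualifier == "ForAnyValue":
                # At least one request value must pass; a missing key is False,
                # which is why a direct (non-CalledVia) EC2 call is not caught by the Deny.
                ok = any(hits)
            else:
                # Single-valued: a missing key fails StringEquals and passes StringNotEquals.
                ok = negate if not hits else hits[0]
            if not ok:
                return False
    return True


def evaluate(policies, action, context):
    """IAM precedence: a matching Deny wins, then a matching Allow, else implicit deny."""
    decision = "implicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not any(action_matches(p, action) for p in _as_list(statement["Action"])):
                continue
            if not condition_holds(statement.get("Condition", {}), context):
                continue
            if statement["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allow"
    return decision


Q_CHAT_ACTIONS = ["q:StartConversation", "q:SendMessage", "q:GetConversation",
                  "q:ListConversations", "q:PassRequest"]

# The page's "Deny Amazon Q permission to perform specific actions on your behalf" policy.
DENY_EC2_VIA_Q = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": Q_CHAT_ACTIONS, "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:*"], "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": ["q.amazonaws.com"]}}}]}

# The page's "... perform actions on your behalf in specific Regions" policy.
Q_TWO_REGIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": Q_CHAT_ACTIONS, "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}}}]}

# Assumed companion policy (not on the page): the identity's own EC2 permissions.
# Without an Allow like this the Deny above has nothing to carve out of.
EC2_ADMIN = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}


def demo():
    """Constructed request contexts for the cases worth checking before attaching the policies."""
    via_q = {"aws:CalledVia": ["q.amazonaws.com"]}
    via_q_then_cfn = {"aws:CalledVia": ["q.amazonaws.com", "cloudformation.amazonaws.com"]}
    both = [EC2_ADMIN, DENY_EC2_VIA_Q]
    return {
        "direct terminate": evaluate(both, "ec2:TerminateInstances", {}),
        "q terminate": evaluate(both, "ec2:TerminateInstances", via_q),
        "q describe": evaluate(both, "ec2:DescribeInstances", via_q),
        "q via cfn terminate": evaluate(both, "ec2:TerminateInstances", via_q_then_cfn),
        "chat": evaluate(both, "q:SendMessage", {}),
        "chat us-east-1": evaluate([Q_TWO_REGIONS], "q:SendMessage", {"aws:RequestedRegion": "us-east-1"}),
        "chat eu-west-1": evaluate([Q_TWO_REGIONS], "q:SendMessage", {"aws:RequestedRegion": "eu-west-1"}),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:20} -> {decision}")
```

Run the file directly to print each scenario's decision: the direct ec2:TerminateInstances call is allowed, the same call made through Amazon Q (alone or as the first hop of a longer aws:CalledVia chain) is explicitly denied, and a chat request outside the two listed Regions falls through to implicit deny. Against a real account, the equivalent check is aws iam simulate-custom-policy with --policy-input-list and a --context-entries entry of ContextKeyType=stringList for aws:CalledVia; the toy evaluator is for reading the policy, not a substitute for that.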

Deny Amazon Q permission to perform actions on your behalf

The following example policy prevents Amazon Q from performing actions on your behalf. Because it is an explicit Deny of q:PassRequest, it takes precedence over any policy attached to the identity that allows that action.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAmazonQPassRequest",
      "Effect": "Deny",
      "Action": ["q:PassRequest"],
      "Resource": "*"
    }
  ]
}

Deny access to Amazon Q

The following example policy denies all permissions to use Amazon Q.

Note

Denying access to Amazon Q does not remove the Amazon Q icon or chat panel from the AWS Management Console, AWS websites, AWS documentation pages, or the AWS Console Mobile Application; the entry points stay visible, but requests made through them are denied.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAmazonQFullAccess",
      "Effect": "Deny",
      "Action": ["q:*"],
      "Resource": "*"
    }
  ]
}

Allow users to view their own permissions

This example shows how to create a policy that allows IAM users to view the inline and managed policies attached to their own user identity. The policy includes permissions to complete this action in the console or programmatically using the AWS CLI or AWS API. The ${aws:username} policy variable in the first statement scopes the user-specific actions to the calling user's own identity.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ViewOwnUserInfo",
      "Effect": "Allow",
      "Action": [
        "iam:GetUserPolicy",
        "iam:ListGroupsForUser",
        "iam:ListAttachedUserPolicies",
        "iam:ListUserPolicies",
        "iam:GetUser"
      ],
      "Resource": ["arn:aws:iam::*:user/${aws:username}"]
    },
    {
      "Sid": "NavigateInConsole",
      "Effect": "Allow",
      "Action": [
        "iam:GetGroupPolicy",
        "iam:GetPolicyVersion",
        "iam:GetPolicy",
        "iam:ListAttachedGroupPolicies",
        "iam:ListGroupPolicies",
        "iam:ListPolicyVersions",
        "iam:ListPolicies",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}