Security in operational investigations - Amazon CloudWatch

Security in operational investigations

Note

The Amazon Q Developer operational investigations feature is in preview release and is subject to change. It is currently available only in the US East (N. Virginia) Region.

This section includes topics about how Amazon Q Developer operational investigations integrate with AWS security and permissions features.

User permissions

AWS has created three managed IAM policies that you can use for your users who will be working with Amazon Q Developer operational investigations.

  • AIOpsConsoleAdminPolicy – grants an administrator the ability to set up Amazon Q Developer operational investigations in the account, access to Amazon Q Developer operational investigations actions, the management of trusted identity propagation, and the management of integration with IAM Identity Center and organizational access.

  • AIOpsOperatorAccess – grants a user access to investigation actions including starting an investigation. It also grants additional permissions that are necessary for accessing investigation events.

  • AIOpsReadOnlyAccess – grants read-only permissions for Amazon Q Developer operational investigations and other related services.

We recommend that you use three IAM principals, granting one of them the AIOpsConsoleAdminPolicy IAM policy, granting another the AIOpsOperatorAccess policy, and granting the third the AIOpsReadOnlyAccess policy. These principals could be either IAM roles (recommended) or IAM users. Then your users who work with Amazon Q Developer operational investigations would sign on with one of these principals.

How to control what data Amazon Q Developer has access to during investigations

When you enable the Amazon Q Developer operational investigations feature, you specify what permissions that Amazon Q Developer has to access your resources during investigations. You do this by assigning an IAM role to the assistant.

To enable Amazon Q Developer to access resources and be able to make suggestions and hypotheses, the recommended method is to attach the AIOpsAssistantPolicy to the assistant's role. This grants the assistant permissions to analyze your AWS resources during your investigations. For information about the complete contents of this policy, see IAM policy for Amazon Q Developer operational investigations (AIOpsAssistantPolicy).

You can also choose to attach the general AWS ReadOnlyAccess to the assistant's role, in addition to attaching AIOpsAssistantPolicy. The reason to do this is that AWS updates ReadOnlyAccess more frequently with permissions for new AWS services and actions that are released. The AIOpsAssistantPolicy will also be updated for new actions, but not as frequently.

If you want to scope down the permissions granted to Amazon Q Developer, you can attach a custom IAM policy to the assistant's IAM role instead of attaching the AIOpsAssistantPolicy policy. To do this, start your custom policy with the contents of AIOpsAssistantPolicy and then remove permissions that you don't want to grant to Amazon Q Developer. This will prevent the assistant from being able to make suggestions based on the AWS services or actions that you don't grant access to.

Note

Anything that Amazon Q Developer can access can be added to the investigation and seen by your investigation operators. We recommend that you align Amazon Q Developer operational investigations permissions with the permissions that your investigation group operators have.

Allowing Amazon Q Developer to decrypt encrypted data during investigations

If you encrypt your data in any of the following services with a customer managed key in AWS KMS, and you want Amazon Q Developer to be able to decrypt the data from these services and include them in investigations, you'll need to attach one or more additional IAM policies to the assistant's IAM role.

  • AWS Step Functions

The policy statement should include a condition key for the encryption context to help scope down the permissions. For example, the following policy would enable Amazon Q Developer to decrypt data for a Step Functions state machine.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AIOPSKMSAccessForStepFunctions",
            "Effect": "Allow",
            "Principal": {
                "Service": "aiops.amazonaws.com"
            },
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "states.*.amazonaws.com",
                    "kms:EncryptionContext:aws:states:stateMachineArn": "arn:aws:states:region:accountId:stateMachine:*"
                }
            }
        }
    ]
}

For more information about these types of policies and using these context keys, see kms:ViaService and kms:EncryptionContext:context-key in the AWS Key Management Service Developer Guide, and aws:SourceArn in the IAM User Guide.

Encryption of investigation data

For the encryption of your investigation data, AWS offers two options:

  • AWS owned keys – By default, Amazon Q Developer encrypts investigation data at rest with an AWS owned key. You can't view or manage AWS owned keys, and you can't use them for other purposes or audit their use. However, you don't have to take any action or change any settings to use these keys. For more information about AWS owned keys, see AWS owned keys.

  • Customer managed keys – These are keys that you create and manage yourself. You can choose to use a customer managed key instead of an AWS owned key for your investigation data. For more information about customer managed keys, see Customer managed keys.

Note

Amazon Q Developer automatically enables encryption at rest using AWS owned keys at no charge. If you use a customer managed key, AWS KMS charges apply. For more information about pricing, see AWS Key Management Service pricing.

For more information about AWS KMS, see AWS Key Management Service.

Using a customer managed key for your investigation group

You can associate an investigation group with a customer managed key, and then all investigations created in that group will use the customer managed key to encrypt your investigation data at rest.

Amazon Q Developer operational investigations customer managed key usage has the following conditions:

  • Amazon Q Developer operational investigations supports only symmetric encryption AWS KMS keys with the default key spec, SYMMETRIC_DEFAULT, and that have usage defined as ENCRYPT_DECRYPT.

  • For a user to create or update an investigation group with a customer managed key, that user must have the kms:DescribeKey, kms:GenerateDataKey, and kms:Decrypt permissions.

  • For a user to create or update an investigation in an investigation group that uses a customer managed key, that user must have the kms:GenerateDataKey and kms:Decrypt permissions.

  • For a user to view investigation data in an investigation group that uses a customer managed key, that user must have the kms:Decrypt permission.

Setting up investigations to use an AWS KMS customer managed key

First, if you don't already have a symmetric key that you want to use, create a new key with the following command.

aws kms create-key

The command output includes the key ID and the Amazon Resource Name (ARN) of the key. You will need those in later steps in this section. The following is an example of this output.

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Description": "",
        "KeyManager": "CUSTOMER",
        "Enabled": true,
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1478910250.94,
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/6f815f63-e628-448c-8251-e4EXAMPLE",
        "AWSAccountId": "111122223333",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}

Set permissions on the key

Next, set permissions on the key. By default, all AWS KMS keys are private: only the resource owner can use them to encrypt and decrypt data. However, the resource owner can grant other users and resources permission to access the key. In this step, you give the AI Operations service principal permission to use the key. This service principal must be in the same AWS Region where the KMS key is stored.

As a best practice, we recommend that you restrict the use of the KMS key to only those AWS accounts or resources that you specify.

The first step to set the permissions is to save the default policy for your key as policy.json. Use the following command to do so. Replace key-id with the ID of your key.

aws kms get-key-policy --key-id key-id --policy-name default --output text > ./policy.json

Open the policy.json file in a text editor and add the following policy sections into that policy. Separate the existing statement from the new sections with a comma. These new sections use Condition sections to enhance the security of the AWS KMS key. For more information, see AWS KMS keys and encryption context.

This policy provides permissions for service principals for the following reasons:

  • The aiops service needs the GenerateDataKey permission to obtain a data key and use it to encrypt your data while it is stored at rest. The Decrypt permission is needed to decrypt your data when it is read from the data store. Decryption happens when you read the data using aiops APIs or when you update an investigation or investigation event. The update operation fetches the existing data after decrypting it, updates the data, and stores the updated data in the data store after encrypting it.

  • The CloudWatch alarms service can create investigations or investigation events. These create operations verify that the caller has access to the AWS KMS key defined for the investigation group. The policy statement gives the GenerateDataKey and Decrypt permissions to the CloudWatch alarms service so that it can create investigations on your behalf.

Note

The following policy assumes that you follow the recommendation of using three IAM principals, and granting one of them the AIOpsConsoleAdminPolicy IAM policy, granting another the AIOpsOperatorAccess policy, and granting the third the AIOpsReadOnlyAccess policy. These principals could be either IAM roles (recommended) or IAM users. Then your users who work with Amazon Q Developer operational investigations would sign on with one of these principals.

For the following policy, you'll need the ARNs of those three principals.

{
  "Sid": "Enable AI Operations Admin for the DescribeKey permissions",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::{account-id}:role/{AIOpsConsoleAdmin}"
  },
  "Action": [
    "kms:DescribeKey"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "aiops.{region}.amazonaws.com"
    }
  }
},
{
  "Sid": "Enable AI Operations Admin and Operator for the Decrypt and GenerateDataKey permissions",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::{account-id}:role/{AIOpsConsoleAdmin}",
      "arn:aws:iam::{account-id}:role/{AIOpsOperator}"
    ]
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "aiops.{region}.amazonaws.com"
    },
    "ArnLike": {
      "kms:EncryptionContext:aws:aiops:investigation-group-arn": "arn:aws:aiops:{region}:{account-id}:investigation-group/*"
    }
  }
},
{
  "Sid": "Enable AI Operations ReadOnly for the Decrypt permission",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::{account-id}:role/{AIOpsReadOnly}"
  },
  "Action": [
    "kms:Decrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "aiops.{region}.amazonaws.com"
    },
    "ArnLike": {
      "kms:EncryptionContext:aws:aiops:investigation-group-arn": "arn:aws:aiops:{region}:{account-id}:investigation-group/*"
    }
  }
},
{
  "Sid": "Enable the AI Operations service to have the DescribeKey permission",
  "Effect": "Allow",
  "Principal": {
    "Service": "aiops.amazonaws.com"
  },
  "Action": [
    "kms:DescribeKey"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:SourceAccount": "{account-id}"
    },
    "StringLike": {
      "aws:SourceArn": "arn:aws:aiops:{region}:{account-id}:investigation-group/*"
    }
  }
},
{
  "Sid": "Enable the AI Operations service to have the Decrypt and GenerateDataKey permissions",
  "Effect": "Allow",
  "Principal": {
    "Service": "aiops.amazonaws.com"
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:SourceAccount": "{account-id}"
    },
    "StringLike": {
      "aws:SourceArn": "arn:aws:aiops:{region}:{account-id}:investigation-group/*"
    },
    "ArnLike": {
      "kms:EncryptionContext:aws:aiops:investigation-group-arn": "arn:aws:aiops:{region}:{account-id}:investigation-group/*"
    }
  }
},
{
  "Sid": "Enable CloudWatch to have the Decrypt and GenerateDataKey permissions",
  "Effect": "Allow",
  "Principal": {
    "Service": "aiops.alarms.cloudwatch.amazonaws.com"
  },
  "Action": [
    "kms:GenerateDataKey",
    "kms:Decrypt"
  ],
  "Resource": "*",
  "Condition": {
    "ArnLike": {
      "kms:EncryptionContext:aws:aiops:investigation-group-arn": "arn:aws:aiops:{region}:{account-id}:investigation-group/*"
    },
    "StringEquals": {
      "aws:SourceAccount": "{account-id}",
      "kms:ViaService": "aiops.{region}.amazonaws.com"
    },
    "StringLike": {
      "aws:SourceArn": "arn:aws:cloudwatch:{region}:{account-id}:alarm:*"
    }
  }
}

After you've updated the policy, assign it to the key by entering the following command.

aws kms put-key-policy --key-id key-id --policy-name default --policy file://policy.json
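Before running put-key-policy, it is worth checking that every statement granting the aiops service principals key access carries the scoping conditions the policy above relies on (aws:SourceAccount plus an investigation-group ARN in aws:SourceArn or the encryption context), since an unscoped service-principal grant lets the key be used on behalf of any account. The following audit script is an added example, not AWS code; the account ID, Region and sample policy in it are constructed for illustration.

```python
"""Audit a KMS key policy for the scoping conditions used in the key policy above.
Added example (not AWS code): flags Allow statements that grant the aiops service
principals Decrypt/GenerateDataKey/DescribeKey without tying the grant to your
account (aws:SourceAccount) and to an investigation-group ARN."""
import json

AIOPS_PRINCIPALS = {"aiops.amazonaws.com", "aiops.alarms.cloudwatch.amazonaws.com"}
KEY_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey", "kms:*"}
SCOPING_KEYS = {"aws:SourceArn", "kms:EncryptionContext:aws:aiops:investigation-group-arn"}

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]

def audit_key_policy(policy: dict, account_id: str) -> list:
    """Return findings (strings); an empty list means every aiops grant is scoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = set(_as_list(principal.get("Service", []))) if isinstance(principal, dict) else set()
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not services & AIOPS_PRINCIPALS or not actions & KEY_ACTIONS:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        # Flatten {"StringEquals": {k: v}, "ArnLike": {k: v}} into {k: v}; for a
        # presence check the condition operator does not matter.
        flat = {k: v for op in stmt.get("Condition", {}).values() for k, v in op.items()}
        if account_id not in _as_list(flat.get("aws:SourceAccount", [])):
            findings.append(f"{sid}: no aws:SourceAccount condition for {account_id}")
        if not SCOPING_KEYS & flat.keys():
            findings.append(f"{sid}: not scoped to an investigation-group ARN")
    return findings

# Constructed sample: one statement scoped like the page's, one left unscoped.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Scoped", "Effect": "Allow", "Principal": {"Service": "aiops.amazonaws.com"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"},
                   "StringLike": {"aws:SourceArn": "arn:aws:aiops:us-east-1:111122223333:investigation-group/*"}}},
    {"Sid": "Unscoped", "Effect": "Allow", "Principal": {"Service": "aiops.amazonaws.com"},
     "Action": "kms:Decrypt", "Resource": "*"}
  ]}""")

if __name__ == "__main__":
    for finding in audit_key_policy(SAMPLE_POLICY, "111122223333"):
        print("FINDING:", finding)
```

To audit a real key, load the output of get-key-policy (the policy.json saved above) with json.load and pass it together with your account ID.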

Associate the key with the investigation group

When you use the CloudWatch console to create an investigation group, you can choose to associate the AWS KMS key with the investigation group. For more information, see Set up operational investigations.

You can also associate a customer managed key with an existing investigation group.

Changing your encryption configuration

You can update an investigation group to change between using a customer managed key and using a service owned key. You can also change from using one customer managed key to using another. When you make such a change, the change applies to new investigations created after the change. Previous investigations are still associated with the old encryption configuration. Current ongoing investigations also continue using the original key for new data.

As long as a previously used key is active and Amazon Q has access to it for investigations, you can retrieve the older investigations encrypted with that key, as well as data in current investigations that was encrypted with the previous key. If you delete a previously used key or revoke access to it, the investigation data encrypted with that key can't be retrieved.