
IAM role for an Amazon Q Business web experience using IAM Identity Center

Important

This page only applies to Amazon Q Business web experiences connected to IAM Identity Center-integrated Amazon Q Business applications.

Policy history

  • Latest policy update: December 3, 2024

The following table lists and describes the changes to this policy over time.

| Change | Description | Date |
|---|---|---|
| Amazon Q Business now supports deleting attachments | To enable delete attachments support on chats, modify your Web experience IAM role by adding the permission qbusiness:DeleteAttachment. The scoping for this new permission should be similar to other qbusiness: conversation permissions. With this change, users can remove attached files in conversations. | 2/27/2025 |
| Amazon Q Business plugin actions support | To allow Amazon Q Business to list plugin actions and to allow end users to discover plugins in their web experience, modify the existing Web experience IAM role by adding the following permissions: qbusiness:ListPluginActions, qbusiness:ListPluginTypeMetadata, and qbusiness:ListPluginTypeActions. The scoping for these new permissions should be similar to other qbusiness: conversation permissions. With this change, Amazon Q Business can list plugin actions and web experience users can discover plugins in their web experience. For more information, see Prerequisites for configuring Amazon Q Business built-in plugins. | 12/03/2024 |
| Amazon QuickSight plugin support | To allow the QuickSight plugin to include visuals from Amazon QuickSight, modify the existing Web experience IAM role to add permission for quicksight:GenerateEmbedUrlForRegisteredUserWithIdentity. With this change, web experience users can view visuals from QuickSight. For more information about the QuickSight plugin, see Using the QuickSight plugin to get insights from structured data. | 12/03/2024 |
| Embedded visual content support | To enable extracting semantic meaning from embedded visual content, modify the existing Web experience IAM role by adding the permission qbusiness:GetMedia. The scoping for this new permission should be similar to other qbusiness: conversation permissions. With this change, if you enable content extraction for a data source, web experience users can ask questions and get answers related to the images. When an end user asks a question, Amazon Q Business retrieves relevant answers from the text and the images. Answers include the images and links for the documents that contain them. For more information, see Extracting semantic meaning from embedded visual content with Amazon Q Business. | 12/01/2024 |
| Recent files support | To enable recent files support on web experiences, modify the existing Web experience IAM role by adding the permission qbusiness:ListAttachments. The scoping for this new permission should be similar to other qbusiness: conversation permissions. With this change, users can find and reuse any recently attached files in new conversations without uploading the files again. Additionally, users can now drag and drop files they want to upload directly into any conversation inside their Amazon Q web experience. | 11/21/2024 |

Note

To find the policy for your web experience, in the Amazon Q Business console go to Amazon Q Business > Applications > choose your application Name > Web experience settings.

The following section lists the IAM policies required to allow you to invoke the API operations required to integrate your application environment with IAM Identity Center.

To allow an Amazon Q Business web experience to invoke the API operations required to integrate your application environment and deploy your web experience with an IAM Identity Center instance, use the following policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QBusinessConversationPermissions",
            "Effect": "Allow",
            "Action": [
                "qbusiness:Chat",
                "qbusiness:ChatSync",
                "qbusiness:ListMessages",
                "qbusiness:ListConversations",
                "qbusiness:PutFeedback",
                "qbusiness:DeleteConversation",
                "qbusiness:GetWebExperience",
                "qbusiness:GetApplication",
                "qbusiness:ListPlugins",
                "qbusiness:ListPluginActions",
                "qbusiness:GetChatControlsConfiguration",
                "qbusiness:ListRetrievers",
                "qbusiness:ListAttachments",
                "qbusiness:DeleteAttachment",
                "qbusiness:GetMedia"
            ],
            "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
        },
        {
            "Sid": "QBusinessPluginDiscoveryPermissions",
            "Effect": "Allow",
            "Action": [
                "qbusiness:ListPluginTypeMetadata",
                "qbusiness:ListPluginTypeActions"
            ],
            "Resource": "*"
        },
        {
            "Sid": "QBusinessRetrieverPermission",
            "Effect": "Allow",
            "Action": ["qbusiness:GetRetriever"],
            "Resource": [
                "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}",
                "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/retriever/*"
            ]
        },
        {
            "Sid": "QAppsResourceAgnosticPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:CreateQApp",
                "qapps:PredictQApp",
                "qapps:PredictProblemStatementFromConversation",
                "qapps:PredictQAppFromProblemStatement",
                "qapps:ListQApps",
                "qapps:ListLibraryItems",
                "qapps:CreateSubscriptionToken",
                "qapps:ListCategories"
            ],
            "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
        },
        {
            "Sid": "QAppsAppUniversalPermissions",
            "Effect": "Allow",
            "Action": ["qapps:DisassociateQAppFromUser"],
            "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*"
        },
        {
            "Sid": "QAppsAppOwnerPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:GetQApp",
                "qapps:CopyQApp",
                "qapps:UpdateQApp",
                "qapps:DeleteQApp",
                "qapps:ImportDocument",
                "qapps:ImportDocumentToQApp",
                "qapps:CreateLibraryItem",
                "qapps:UpdateLibraryItem",
                "qapps:StartQAppSession",
                "qapps:DescribeQAppPermissions",
                "qapps:UpdateQAppPermissions",
                "qapps:CreatePresignedUrl"
            ],
            "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "qapps:UserIsAppOwner": "true"
                }
            }
        },
        {
            "Sid": "QAppsPublishedAppPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:GetQApp",
                "qapps:CopyQApp",
                "qapps:AssociateQAppWithUser",
                "qapps:GetLibraryItem",
                "qapps:CreateLibraryItemReview",
                "qapps:AssociateLibraryItemReview",
                "qapps:DisassociateLibraryItemReview",
                "qapps:StartQAppSession",
                "qapps:DescribeQAppPermissions"
            ],
            "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "qapps:AppIsPublished": "true"
                }
            }
        },
        {
            "Sid": "QAppsAppSessionModeratorPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:ImportDocument",
                "qapps:ImportDocumentToQAppSession",
                "qapps:GetQAppSession",
                "qapps:GetQAppSessionMetadata",
                "qapps:UpdateQAppSession",
                "qapps:UpdateQAppSessionMetadata",
                "qapps:StopQAppSession",
                "qapps:ListQAppSessionData",
                "qapps:ExportQAppSessionData",
                "qapps:CreatePresignedUrl"
            ],
            "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*/session/*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "qapps:UserIsSessionModerator": "true"
                }
            }
        },
        {
            "Sid": "QAppsSharedAppSessionPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:ImportDocument",
                "qapps:ImportDocumentToQAppSession",
                "qapps:GetQAppSession",
                "qapps:GetQAppSessionMetadata",
                "qapps:UpdateQAppSession",
                "qapps:ListQAppSessionData",
                "qapps:CreatePresignedUrl"
            ],
            "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*/session/*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "qapps:SessionIsShared": "true"
                }
            }
        },
        {
            "Sid": "QBusinessToQuickSightGenerateEmbedUrlInvocation",
            "Effect": "Allow",
            "Action": ["quicksight:GenerateEmbedUrlForRegisteredUserWithIdentity"],
            "Resource": "*"
        }
    ]
}
```

To allow Amazon Q to assume this role, use the following trust policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QBusinessTrustPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "application.qbusiness.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetContext"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "{{source_account}}"
                },
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
                }
            }
        }
    ]
}
```
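An added example, not AWS's own code: a Python check that compares an existing web experience role with this page, listing which actions from the policy history are still missing and where the trust policy differs from the one above. The account ID, application ID and both sample policies are constructed; the check looks at action names only, not at Resource scoping, Conditions on the permissions policy, or Deny statements.

```python
import fnmatch
# Actions the policy history above says were added to the web experience role.
REQUIRED = [
    "qbusiness:ListAttachments", "qbusiness:GetMedia",
    "qbusiness:ListPluginActions", "qbusiness:ListPluginTypeMetadata",
    "qbusiness:ListPluginTypeActions", "qbusiness:DeleteAttachment",
    "quicksight:GenerateEmbedUrlForRegisteredUserWithIdentity",
]
SERVICE = "application.qbusiness.amazonaws.com"

def as_list(v):
    return v if isinstance(v, list) else [v]

def missing_actions(policy):
    """Required actions no Allow statement grants (IAM wildcards honoured)."""
    granted = [a.lower() for s in as_list(policy["Statement"])
               if s.get("Effect") == "Allow" for a in as_list(s.get("Action", []))]
    return [r for r in REQUIRED
            if not any(fnmatch.fnmatchcase(r.lower(), g) for g in granted)]

def trust_findings(trust, account, app_arn):
    """Compare a trust policy with the one on this page; return the gaps."""
    for s in as_list(trust["Statement"]):
        p = s.get("Principal")
        svc = as_list(p.get("Service", [])) if isinstance(p, dict) else []
        if s.get("Effect") != "Allow" or SERVICE not in svc:
            continue
        acts = as_list(s.get("Action", []))
        out = ["missing " + a for a in ("sts:AssumeRole", "sts:SetContext")
               if a not in acts]
        cond = s.get("Condition", {})
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account:
            out.append("aws:SourceAccount not pinned")
        if cond.get("ArnEquals", {}).get("aws:SourceArn") != app_arn:
            out.append("aws:SourceArn not pinned")
        return out
    return ["no Allow statement for " + SERVICE]

# Constructed sample: a role created before the 11/21/2024 change, never updated.
ACCOUNT = "111122223333"  # placeholder account ID
APP_ARN = "arn:aws:qbusiness:us-east-1:111122223333:application/example-app-id"
OLD_ROLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": APP_ARN,
    "Action": ["qbusiness:Chat", "qbusiness:ChatSync", "qbusiness:ListPlugin*"]}]}
OLD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": SERVICE}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT}}}]}

print(missing_actions(OLD_ROLE), trust_findings(OLD_TRUST, ACCOUNT, APP_ARN))
```

To run it against a real role, load the permissions and trust policy documents as dictionaries in place of the constructed samples.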