Logging users' prompts in Amazon Q Developer
Administrators can enable the logging of all inline suggestions and chat conversations that users have with Amazon Q in their integrated development environment (IDE). These logs can help with auditing, debugging, analytics, and ensuring compliance.
When developers use inline suggestions, Amazon Q will log the accepted and actively rejected suggestions. When developers chat with Amazon Q, Amazon Q will log both the developers' prompts and Amazon Q's responses. When developers chat with the Amazon Q Agent for software development using the /dev command, only the prompts will be logged.
Amazon Q stores the logs in an Amazon S3 bucket that you create, at the following path:
bucketName/prefix/AWSLogs/accountId/QDeveloperLogs/log-type/region/year/month/day/utc-hour/zipFile.gz/logFile.json
At the previous path, log-type is one of the following:
- GenerateAssistantResponse — holds chat logs
- GenerateCompletions — holds inline completion logs
- StartTaskAssistCodeGeneration — holds /dev logs
For examples and explanations of log file contents, see Prompt log examples in Amazon Q Developer.
Use the following instructions to enable prompt logging.
Prerequisite
Create an Amazon S3 bucket to hold the prompt logs. The bucket must:
- Be in the US East (N. Virginia) Region regardless of where your IAM Identity Center is located.
- Be in the AWS account where users are subscribed. If users are subscribed in multiple AWS accounts, then you must create a bucket in each account. Cross-account buckets are not supported.
- Have a bucket policy like the one that follows. Replace bucketName, region, accountId, and prefix with your own information.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "QDeveloperLogsWrite",
          "Effect": "Allow",
          "Principal": {
            "Service": "q.amazonaws.com"
          },
          "Action": [
            "s3:PutObject"
          ],
          "Resource": [
            "arn:aws:s3:::bucketName/prefix/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "accountId"
            },
            "ArnLike": {
              "aws:SourceArn": "arn:aws:codewhisperer:region:accountId:*"
            }
          }
        }
      ]
    }

  If you're configuring SSE-KMS on the bucket, add the following policy on the KMS key:

    {
      "Effect": "Allow",
      "Principal": {
        "Service": "q.amazonaws.com"
      },
      "Action": "kms:GenerateDataKey",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "accountId"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:codewhisperer:region:accountId:*"
        }
      }
    }

  To learn about protecting the data in your Amazon S3 bucket, see Protecting data with encryption in the Amazon Simple Storage Service User Guide.
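A check for the bucket policy above, as an added example rather than AWS code: it confirms that the statement granting q.amazonaws.com write access is limited to s3:PutObject on the log prefix and carries both the aws:SourceAccount and aws:SourceArn conditions. The function name, account ID and region are assumptions for illustration; the bucket and prefix follow the example URI on this page.

```python
import json

SERVICE = "q.amazonaws.com"  # service principal from the bucket policy above

def _as_list(value):
    """IAM allows a bare string where a list is accepted; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_prompt_log_policy(policy, bucket, prefix, region, account_id):
    """Return findings for the Amazon Q write statement; an empty list means it matches."""
    resource = f"arn:aws:s3:::{bucket}/{prefix}/*"
    source_arn = f"arn:aws:codewhisperer:{region}:{account_id}:*"
    stmts = [s for s in _as_list(policy.get("Statement", []))
             if s.get("Effect") == "Allow" and isinstance(s.get("Principal"), dict)
             and SERVICE in _as_list(s["Principal"].get("Service", []))]
    if not stmts:
        return [f"no Allow statement for service principal {SERVICE}"]
    findings = []
    for s in stmts:
        sid = s.get("Sid", "<no Sid>")
        cond = s.get("Condition", {})
        if _as_list(s.get("Action", [])) != ["s3:PutObject"]:
            findings.append(f"{sid}: Action is not exactly s3:PutObject")
        if _as_list(s.get("Resource", [])) != [resource]:
            findings.append(f"{sid}: Resource is not limited to {resource}")
        if _as_list(cond.get("StringEquals", {}).get("aws:SourceAccount", [])) != [account_id]:
            findings.append(f"{sid}: aws:SourceAccount is not pinned to {account_id}")
        if _as_list(cond.get("ArnLike", {}).get("aws:SourceArn", [])) != [source_arn]:
            findings.append(f"{sid}: aws:SourceArn is not pinned to {source_arn}")
    return findings

# Constructed sample values: bucket and prefix from the example URI on this page,
# account ID and region are placeholders.
ARGS = ("amzn-s3-demo-bucket", "qdev-prompt-logs", "us-east-1", "111122223333")
GOOD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "QDeveloperLogsWrite", "Effect": "Allow",
  "Principal": {"Service": "q.amazonaws.com"}, "Action": ["s3:PutObject"],
  "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket/qdev-prompt-logs/*"],
  "Condition": {
    "StringEquals": {"aws:SourceAccount": "111122223333"},
    "ArnLike": {"aws:SourceArn": "arn:aws:codewhisperer:us-east-1:111122223333:*"}}}]}""")
# Same policy with the Condition block dropped and the Resource widened (constructed).
WEAK = json.loads(json.dumps(GOOD))
del WEAK["Statement"][0]["Condition"]
WEAK["Statement"][0]["Resource"] = ["arn:aws:s3:::amzn-s3-demo-bucket/*"]

if __name__ == "__main__":
    print("good:", check_prompt_log_policy(GOOD, *ARGS))
    for finding in check_prompt_log_policy(WEAK, *ARGS):
        print("weak:", finding)
```

Run it against the policy document you intend to attach to the bucket before enabling prompt logging; a non-empty result names the element that differs from the policy shown above.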
To enable prompt logging
- Open the Amazon Q Developer console.
  To use the Amazon Q Developer console, you must have the permissions defined in Allow administrators to use the Amazon Q Developer console.
  Note: You must sign in as a standalone account administrator, or management account administrator. Member account administrators cannot enable prompt logging.
- Choose Settings.
- Under Preferences, choose Edit.
- In the Edit preferences window, toggle Q Developer prompt logging.
- Under Amazon S3 location, enter the Amazon S3 URI that you will use to receive the logs. Example: s3://amzn-s3-demo-bucket/qdev-prompt-logs/