Izinkan administrator menggunakan konsol langganan Amazon Q Izinkan administrator menggunakan konsol Pengembang Amazon Q Izinkan administrator untuk membuat kustomisasi Izinkan administrator menerima permintaan konektor dari akun dengan pengalaman web transformasi Pengembang Q.Izinkan administrator untuk mengkonfigurasi plugin Izinkan migrasi lebih dari satu jaringan atau lebih dari satu subnet

Izin administrator

Kebijakan berikut memungkinkan administrator Pengembang Amazon Q untuk melakukan tugas administratif di konsol manajemen langganan Amazon Q dan konsol Amazon Q Developer Pro.

Untuk kebijakan yang memungkinkan penggunaan fitur Pengembang Amazon Q, lihatIzin pengguna.

Izinkan administrator menggunakan konsol langganan Amazon Q

Contoh kebijakan berikut memberikan izin bagi pengguna untuk membuat dan mengelola langganan di konsol manajemen langganan Amazon Q. Konsol manajemen langganan Amazon Q adalah tempat Anda mengonfigurasi integrasi Amazon Q dengan AWS IAM Identity Center dan AWS Organizations, memilih paket Amazon Q mana yang akan berlangganan, dan melampirkan pengguna dan grup ke langganan.

Untuk mengonfigurasi Amazon Q Developer Pro setelah berlangganan pengguna, seseorang di perusahaan Anda juga akan memerlukan akses ke konsol Amazon Q Developer Pro. Untuk informasi selengkapnya, lihat Izinkan administrator menggunakan konsol Pengembang Amazon Q.

catatan

codewhispererAwalan adalah nama lama dari layanan yang digabungkan dengan Amazon Q Developer. Untuk informasi selengkapnya, lihat Ganti nama Pengembang Amazon Q - Ringkasan perubahan.


{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "organizations:ListAWSServiceAccessForOrganization",
            "organizations:DisableAWSServiceAccess",
            "organizations:EnableAWSServiceAccess",
            "organizations:DescribeOrganization"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "sso:ListApplications",
            "sso:ListInstances",
            "sso:DescribeRegisteredRegions",
            "sso:GetSharedSsoConfiguration",
            "sso:DescribeInstance",
            "sso:CreateApplication",
            "sso:PutApplicationAuthenticationMethod",
            "sso:PutApplicationAssignmentConfiguration",
            "sso:PutApplicationGrant",
            "sso:PutApplicationAccessScope",
            "sso:DescribeApplication",
            "sso:DeleteApplication",
            "sso:GetSSOStatus",
            "sso:CreateApplicationAssignment",
            "sso:DeleteApplicationAssignment"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "sso-directory:DescribeUsers",
            "sso-directory:DescribeGroups",
            "sso-directory:SearchGroups",
            "sso-directory:SearchUsers",
            "sso-directory:DescribeGroup",
            "sso-directory:DescribeUser",
            "sso-directory:DescribeDirectory"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "signin:ListTrustedIdentityPropagationApplicationsForConsole",
            "signin:CreateTrustedIdentityPropagationApplicationForConsole"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "codewhisperer:ListProfiles",
            "codewhisperer:CreateProfile",
            "codewhisperer:DeleteProfile"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "user-subscriptions:ListClaims",
            "user-subscriptions:ListUserSubscriptions",
            "user-subscriptions:CreateClaim",
            "user-subscriptions:DeleteClaim",
            "user-subscriptions:UpdateClaim"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "q:CreateAssignment",
            "q:DeleteAssignment"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "iam:CreateServiceLinkedRole"
         ],
         "Resource":[
            "arn:aws:iam::*:role/aws-service-role/user-subscriptions.amazonaws.com/AWSServiceRoleForUserSubscriptions"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "codewhisperer:UpdateProfile",
            "codewhisperer:ListProfiles",
            "sso:CreateApplication",
            "sso:PutApplicationAuthenticationMethod",
            "sso:PutApplicationGrant",
            "sso:PutApplicationAssignmentConfiguration"
         ],
         "Resource":[
            "*"
         ]
      }
   ]
}

Izinkan administrator menggunakan konsol Pengembang Amazon Q

Contoh kebijakan berikut memberikan izin bagi pengguna untuk mengakses konsol Pengembang Amazon Q. Di konsol Pengembang Amazon Q, administrator dapat mengonfigurasi berbagai aspek Pengembang Amazon Q dan fitur-fiturnya, termasuk referensi kode, penyesuaian, dan plugin obrolan. Kebijakan ini juga mencakup izin untuk membuat dan mengonfigurasi kunci KMS yang dikelola pelanggan.

Untuk mengonfigurasi langganan Amazon Q Developer Pro, seseorang di perusahaan Anda juga memerlukan akses ke konsol manajemen langganan Amazon Q. Untuk informasi selengkapnya, lihat Izinkan administrator menggunakan konsol langganan Amazon Q.

catatan

Jika Anda menggunakan penyesuaian, administrator Amazon Q Developer Pro Anda akan memerlukan izin tambahan.

Untuk izin yang diperlukan untuk penyesuaian, lihat Prasyarat untuk penyesuaian.
Untuk izin yang diperlukan untuk plugin, lihat. Izinkan administrator untuk mengkonfigurasi plugin

Anda akan memerlukan salah satu dari dua kebijakan untuk menggunakan konsol Pengembang Amazon Q. Kebijakan yang Anda perlukan bergantung pada apakah Anda menyiapkan Amazon Q Developer untuk pertama kalinya atau jika Anda mengonfigurasi profil Amazon CodeWhisperer lama.

catatan

codewhispererAwalan adalah nama lama dari layanan yang digabungkan dengan Amazon Q Developer. Untuk informasi selengkapnya, lihat Ganti nama Pengembang Amazon Q - Ringkasan perubahan.

Untuk administrator baru Amazon Q Developer, gunakan kebijakan berikut:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:GetUserPoolInfo",
        "sso:ListInstances",
        "sso:CreateApplication",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationGrant",
        "sso:PutApplicationAssignmentConfiguration"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso:DescribeRegisteredRegions",
        "sso:GetSSOStatus"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases",
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:RetireGrant",
        "kms:DescribeKey"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codeguru-security:UpdateAccountConfiguration"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:UpdateProfile",
        "codewhisperer:ListProfiles",
        "codewhisperer:TagResource",
        "codewhisperer:UnTagResource",
        "codewhisperer:ListTagsForResource",
        "codewhisperer:CreateProfile"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "q:ListDashboardMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Tampilkan lebih banyak

Tampilkan lebih sedikit

Untuk CodeWhisperer profil Amazon lama, kebijakan berikut akan memungkinkan prinsipal IAM untuk mengelola aplikasi. CodeWhisperer


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:SearchUsers",
        "sso-directory:SearchGroups",
        "sso-directory:GetUserPoolInfo",
        "sso-directory:DescribeDirectory",
        "sso-directory:ListMembersInGroup"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "pricing:GetProducts"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso:AssociateProfile",
        "sso:DisassociateProfile",
        "sso:GetProfile",
        "sso:ListProfiles",
        "sso:ListApplicationInstances",
        "sso:GetApplicationInstance",
        "sso:CreateManagedApplicationInstance",
        "sso:GetManagedApplicationInstance",
        "sso:ListProfileAssociations",
        "sso:GetSharedSsoConfiguration",
        "sso:ListDirectoryAssociations",
        "sso:DescribeRegisteredRegions",
        "sso:GetSsoConfiguration",
        "sso:GetSSOStatus"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "identitystore:ListUsers",
        "identitystore:ListGroups"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases",
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:RetireGrant",
        "kms:DescribeKey"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codeguru-security:UpdateAccountConfiguration"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:UpdateProfile",
        "codewhisperer:ListProfiles",
        "codewhisperer:TagResource",
        "codewhisperer:UnTagResource",
        "codewhisperer:ListTagsForResource",
        "codewhisperer:CreateProfile"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "q:ListDashboardMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Tampilkan lebih banyak

Tampilkan lebih sedikit

Izinkan administrator untuk membuat kustomisasi

Kebijakan berikut memberikan izin kepada administrator untuk membuat dan mengelola penyesuaian di Amazon Q Developer.

Untuk mengonfigurasi penyesuaian di konsol Amazon Q Developer Pro, administrator Pengembang Amazon Q Anda akan memerlukan akses ke konsol Amazon Q Developer Pro. Untuk informasi selengkapnya, lihat Izinkan administrator menggunakan konsol Pengembang Amazon Q.

catatan

codewhispererAwalan adalah nama lama dari layanan yang digabungkan dengan Amazon Q Developer. Untuk informasi selengkapnya, lihat Ganti nama Pengembang Amazon Q - Ringkasan perubahan.


{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "sso-directory:DescribeUsers"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codewhisperer:CreateCustomization",
                "codewhisperer:DeleteCustomization",
                "codewhisperer:ListCustomizations",
                "codewhisperer:ListCustomizationVersions",
                "codewhisperer:UpdateCustomization",
                "codewhisperer:GetCustomization",
                "codewhisperer:ListCustomizationPermissions",
                "codewhisperer:AssociateCustomizationPermission",
                "codewhisperer:DisassociateCustomizationPermission"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codeconnections:ListConnections",
                "codeconnections:ListOwners",
                "codeconnections:ListRepositories",
                "codeconnections:GetConnection"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "codeconnections:UseConnection",
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "codeconnections:ProviderAction": [
                        "GitPull",
                        "ListRepositories",
                        "ListOwners"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:ListBucket*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Izinkan administrator menerima permintaan konektor dari akun dengan pengalaman web transformasi Pengembang Q.



{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codewhisperer:ListProfiles",
                "q:GetConnector",
                "q:AssociateConnectorResource",
                "q:RejectConnector"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sso:ListInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPublicAccessBlock",
                "s3:GetAccountPublicAccessBlock"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreatePolicy"
            ],
            "Resource": "arn:aws:iam::123456789012:policy/service-role/QTransform-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::123456789012:role/service-role/QTransform-*"
        }
    ]
}

Izinkan administrator untuk mengkonfigurasi plugin

Contoh kebijakan berikut memberikan izin administrator untuk melihat dan mengonfigurasi plugin pihak ketiga di konsol Pengembang Amazon Q.

catatan

Untuk mengakses konsol Pengembang Amazon Q, pengguna juga memerlukan izin yang ditentukan. Izinkan administrator menggunakan konsol Pengembang Amazon Q


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:CreatePlugin",
        "q:GetPlugin",
        "q:DeletePlugin",
        "q:ListPlugins",
        "q:ListPluginProviders",
        "iam:CreateRole",
        "secretsmanager:CreateSecret"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "q.amazonaws.com"
          ]
        }
      }
    }
  ]
}

Izinkan migrasi lebih dari satu jaringan atau lebih dari satu subnet


{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "MGNNetworkMigrationAnalyzerEC2ResourceSgTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:region:account-id:vpc/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerEC2RequestSgTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:region:account-id:security-group/*",
                "arn:aws:ec2:region:account-id:security-group-rule/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },

        {
            "Sid": "MGNNetworkMigrationAnalyzerEC2SecurityGroupTags",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:region:account-id:security-group/*",
                "arn:aws:ec2:region:account-id:security-group-rule/*",
                "arn:aws:ec2:region:account-id:network-interface/*",
                "arn:aws:ec2:region:account-id:network-insights-path/*",
                "arn:aws:ec2:region:account-id:network-insights-analysis/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService",
                    "ec2:CreateAction": [
                        "CreateSecurityGroup",
                        "CreateNetworkInterface",
                        "CreateNetworkInsightsPath",
                        "StartNetworkInsightsAnalysis"
                    ]
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerENIResourceTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:region:account-id:subnet/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerENISG",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:region:account-id:security-group/*"
            ]
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerEC2ResourceTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInsightsPath"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigAnalyzerEC2RequestTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInsightsPath",
                "ec2:StartNetworkInsightsAnalysis"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzeNetwork",
            "Effect": "Allow",
            "Action": [
                "ec2:StartNetworkInsightsAnalysis"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Awas Javascript dinonaktifkan atau tidak tersedia di browser Anda.

Untuk menggunakan Dokumentasi AWS, Javascript harus diaktifkan. Lihat halaman Bantuan browser Anda untuk petunjuk.

Konvensi Dokumen

Contoh kebijakan berbasis identitas untuk Amazon Q

Izin pengguna