Setting up permissions to use AWS IQ
To access AWS IQ, you must have the necessary permissions. Navigate to the AWS Management Console to view or set up permissions. To leverage all resources on AWS IQ, add the AWSIQFullAccess managed policy. For more granular controls, add specific permissions to your IAM identity.
Note
As a security best practice, we recommend periodically changing your user access keys. For more information, see Managing access keys in IAM.
This topic describes how to create an IAM user, attach policies to an existing user, and set up granular permissions in the AWS Management Console.
Creating a user with AWSIQFullAccess permissions
You, or your AWS account administrator, can create a new user with the AWSIQFullAccess managed policy on your AWS account. You can also attach this managed policy to an existing user.
For more information, see AWSIQFullAccess in the AWS Managed Policy Reference Guide.
To create an IAM user with managed policies
- Sign in to the AWS Management Console.
- Choose Users and then choose Add users.
- Enter a User name, and then choose AWS Management Console access. Accept the default information or change to custom values.
- Choose Next: Permissions and then choose Attach existing policies directly.
- Choose AWSIQFullAccess from the list of policy names, and then choose Next: Tags.
- (Optional) Add tags and then choose Next: Review.
- Choose Create user.
- Choose Show to display the password, and then copy your password to a secure location. You can also choose Send email to send the login instructions within an email message.
Attaching managed policies to an existing user
If you already have an IAM user, you can attach the AWSIQFullAccess managed policy using the following procedure.
To attach managed policies to an existing IAM user
- Sign in to the IAM console.
- Choose Users.
- Choose the user name to see the summary page for the user.
- Choose Add permissions.
- Choose Attach existing policies directly.
- Choose AWSIQFullAccess from the list of policy names. If you don't see the policy names on the first page, filter the policies or search for the names using the console.
- Choose Next: Review.
- Choose Add permissions.
For more information, see Adding and removing identity permissions.
Granular IAM permissions
As a user with administrative access, you can create one or more users in your AWS account. To configure your users with chosen levels of access on AWS IQ, you can deny specific permissions. First, add the AWSIQFullAccess managed policy. Then, you can add inline policies to deny specific permissions. For more information, see Actions, resource, and condition keys for AWS IQ.
The following are examples of how to use granular permissions in AWS IQ.
To use granular permissions in AWS IQ
- Sign in to the IAM console.
- To restrict a user from requesting access to a customer’s AWS account, create a deny policy on the CreatePermissionRequest action, which grants permission to create permission requests.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Deny",
          "Action": "iq-permission:CreatePermissionRequest",
          "Resource": "*"
        }
      ]
    }

- To restrict a user from requesting payments and proposals, create a deny policy for the following permissions:
  - CreatePaymentRequest – grants permission to create a payment request.
  - CreateMilestoneProposal – grants permission to create a milestone proposal.
  - CreateUpfrontProposal – grants permission to create an upfront proposal.
  - CreateScheduledProposal – grants permission to create a scheduled billing proposal.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Deny",
          "Action": [
            "iq:CreateScheduledProposal",
            "iq:CreatePaymentRequest",
            "iq:CreateMilestoneProposal",
            "iq:CreateUpfrontProposal"
          ],
          "Resource": "*"
        }
      ]
    }

- To restrict a user from sending chat messages, create a deny policy on all resources for the following permissions:
  - SendIndividualChatMessage – grants permission to send chat messages as an individual.
  - SendCompanyChatMessage – grants permission to send chat messages as a company.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Deny",
          "Action": [
            "iq:SendIndividualChatMessage",
            "iq:SendCompanyChatMessage"
          ],
          "Resource": "*"
        }
      ]
    }
To attach inline policies to an existing IAM identity
- Sign in to the IAM console.
- Choose Users.
- Choose the username to see the summary page for the user.
- Choose Add permissions.
- Choose Create inline policy.
- Select Switch to deny permissions to deny access.
- Under Service, search for IQ or IQ Permissions.
  Note
  If you’re searching for permission requests and access grants, use IQ Permissions. For all other permissions, use IQ.
- Under Access level, select the permissions to deny.
- Choose Review policy, provide the name for your policy, and then choose Create policy.
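The following model is an added example, not AWS code: it builds one inline deny policy from the action names in the granular-permission examples above and evaluates it together with a simplified stand-in for AWSIQFullAccess (an assumption; the real managed policy text is not reproduced on this page). It shows that an explicit Deny overrides the managed policy's Allow, and that a deny written with the wrong service prefix (iq instead of iq-permission) blocks nothing. The names RESTRICTIONS, FULL_ACCESS_STANDIN, build_deny_policy and is_allowed are hypothetical.

```python
import fnmatch
import json

# Action names copied from the deny examples on this page, grouped by restriction.
RESTRICTIONS = {
    "permission-requests": ["iq-permission:CreatePermissionRequest"],
    "payments-and-proposals": [
        "iq:CreateScheduledProposal", "iq:CreatePaymentRequest",
        "iq:CreateMilestoneProposal", "iq:CreateUpfrontProposal",
    ],
    "chat": ["iq:SendIndividualChatMessage", "iq:SendCompanyChatMessage"],
}

# Assumption: simplified stand-in for AWSIQFullAccess, not the real policy text.
FULL_ACCESS_STANDIN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iq:*", "iq-permission:*"],
                   "Resource": "*"}],
}

def build_deny_policy(names):
    """Return one inline policy with a uniquely named Deny statement per restriction."""
    statements = []
    for name in names:
        sid = "Deny" + "".join(part.capitalize() for part in name.split("-"))
        statements.append({"Sid": sid, "Effect": "Deny",
                           "Action": RESTRICTIONS[name], "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}

def is_allowed(action, policies):
    """Identity-policy logic for Resource "*": explicit Deny wins, then Allow, else implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            # IAM action names are case-insensitive and may contain wildcards.
            if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

if __name__ == "__main__":
    deny = build_deny_policy(["permission-requests", "chat"])
    print(json.dumps(deny, indent=2))
    for action in ("iq-permission:CreatePermissionRequest", "iq:CreatePaymentRequest"):
        print(action, is_allowed(action, [FULL_ACCESS_STANDIN, deny]))
```

The printed JSON can be pasted into the JSON tab of the inline policy editor instead of selecting actions one by one.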