User permissions - Amazon Q Developer

User permissions

The following policies allow users to access features of Amazon Q Developer on AWS apps and websites.

For policies that enable administrative access to Amazon Q Developer, see Administrator permissions.

Allow users to access Amazon Q with an Amazon Q Developer Pro subscription

The following example policy grants permission to use Amazon Q with an Amazon Q Developer Pro subscription. Without these permissions, users can only access the Free tier of Amazon Q. To chat with Amazon Q or use other Amazon Q features, users need additional permissions, such as those granted by the example policies in this section.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetIdentity",
            "Effect": "Allow",
            "Action": [
                "q:GetIdentityMetaData"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSetTrustedIdentity",
            "Effect": "Allow",
            "Action": [
                "sts:SetContext"
            ],
            "Resource": "arn:aws:sts::*:self"
        }
    ]
}

Allow Amazon Q access to customer managed keys

The following example policy grants users permissions to access features encrypted with a customer managed key by allowing Amazon Q access to the key. This policy is required to use Amazon Q if an administrator has set up a customer managed key for encryption.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QKMSDecryptGenerateDataKeyPermissions",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:ReEncryptFrom",
                "kms:ReEncryptTo"
            ],
            "Resource": [
                "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
            ],
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "q.{{region}}.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

Allow users to chat with Amazon Q

The following example policy grants permissions to chat with Amazon Q in the console.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAmazonQConversationAccess",
            "Effect": "Allow",
            "Action": [
                "q:StartConversation",
                "q:SendMessage",
                "q:GetConversation",
                "q:ListConversations"
            ],
            "Resource": "*"
        }
    ]
}

Allow users to use Amazon Q CLI with AWS CloudShell

The following example policy grants permissions to use Amazon Q CLI with AWS CloudShell.

Note

The codewhisperer prefix is a legacy name from a service that merged with Amazon Q Developer. For more information, see Amazon Q Developer rename - Summary of changes.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codewhisperer:GenerateRecommendations",
                "codewhisperer:ListCustomizations"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "q:SendMessage"
            ],
            "Resource": "*"
        }
    ]
}

Allow users to diagnose console errors with Amazon Q

The following example policy grants permissions to diagnose console errors with Amazon Q.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAmazonQTroubleshooting",
            "Effect": "Allow",
            "Action": [
                "q:StartTroubleshootingAnalysis",
                "q:GetTroubleshootingResults",
                "q:StartTroubleshootingResolutionExplanation",
                "q:UpdateTroubleshootingCommandResult",
                "q:PassRequest",
                "cloudformation:GetResource"
            ],
            "Resource": "*"
        }
    ]
}

Allow users to generate code from CLI commands with Amazon Q

The following example policy grants permissions to generate code from recorded CLI commands with Amazon Q, which enables the use of the Console-to-Code feature.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAmazonQConsoleToCode",
            "Effect": "Allow",
            "Action": "q:GenerateCodeFromCommands",
            "Resource": "*"
        }
    ]
}

Allow Amazon Q to perform actions on your behalf in chat

The following example policy grants permission to chat with Amazon Q, and allows Amazon Q to perform actions on your behalf. Amazon Q only has permission to perform actions that your IAM identity has permission to perform.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAmazonQPassRequest",
            "Effect": "Allow",
            "Action": [
                "q:StartConversation",
                "q:SendMessage",
                "q:GetConversation",
                "q:ListConversations",
                "q:PassRequest"
            ],
            "Resource": "*"
        }
    ]
}

Deny Amazon Q permission to perform specific actions on your behalf

The following example policy grants permission to chat with Amazon Q, and allows Amazon Q to perform any action on your behalf that your IAM identity has permission to perform, except for Amazon EC2 actions. This policy uses the aws:CalledVia global condition key to specify that Amazon EC2 actions are only denied when Amazon Q calls them.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "q:StartConversation",
                "q:SendMessage",
                "q:GetConversation",
                "q:ListConversations",
                "q:PassRequest"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ec2:*"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "q.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

Allow Amazon Q permission to perform specific actions on your behalf

The following example policy grants permission to chat with Amazon Q, and allows Amazon Q to perform any action on your behalf that your IAM identity has permission to perform, with the exception of Amazon EC2 actions. This policy grants your IAM identity permission to perform any Amazon EC2 action, but only allows Amazon Q to perform the ec2:describeInstances action. This policy uses the aws:CalledVia global condition key to specify that Amazon Q is only allowed to call ec2:describeInstances, and not any other Amazon EC2 actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "q:StartConversation",
                "q:SendMessage",
                "q:GetConversation",
                "q:ListConversations",
                "q:PassRequest"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringNotEquals": {
                    "aws:CalledVia": [
                        "q.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:describeInstances"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "q.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

Allow Amazon Q permission to perform actions on your behalf in specific regions

The following example policy grants permission to chat with Amazon Q, and allows Amazon Q to make calls to only the us-east-1 and us-west-2 Regions when performing actions on your behalf. Amazon Q can't make calls to any other Region. For more information on how to specify what Regions you can make calls to, see aws:RequestedRegion in the AWS Identity and Access Management User Guide.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "q:StartConversation",
                "q:SendMessage",
                "q:GetConversation",
                "q:ListConversations",
                "q:PassRequest"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1",
                        "us-west-2"
                    ]
                }
            }
        }
    ]
}
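To see how the aws:CalledVia deny and the aws:RequestedRegion restriction above combine with IAM's rule that an explicit Deny always wins, here is an added evaluator (not part of this page or of any AWS tooling) that replays those two policies against sample requests. It models only the operators these policies use, and the broad ec2:* Allow it adds to the first policy is a hypothetical grant standing in for the user's other permissions.

```python
import fnmatch

# Constructed policy: the page's "deny EC2 when called via Amazon Q" statements,
# plus a hypothetical broad EC2 allow the user holds from some other policy.
DENY_EC2_VIA_Q = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["q:StartConversation", "q:SendMessage",
     "q:GetConversation", "q:ListConversations", "q:PassRequest"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:*"], "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": ["q.amazonaws.com"]}}},
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},  # hypothetical user grant
]}

# The page's region-limited PassRequest policy, as written.
REGION_LIMITED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["q:StartConversation", "q:SendMessage",
     "q:GetConversation", "q:ListConversations", "q:PassRequest"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}}},
]}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def _condition_met(cond, ctx):
    """Supports StringEquals and ForAnyValue:StringEquals only. A key absent from
    the request context (e.g. no aws:CalledVia on a direct call) never matches."""
    for op, pairs in cond.items():
        if op not in ("StringEquals", "ForAnyValue:StringEquals"):
            raise ValueError(f"operator not modelled: {op}")
        for key, wanted in pairs.items():
            have = _as_list(ctx.get(key, []))
            if not any(h in _as_list(wanted) for h in have):
                return False
    return True

def evaluate(policy, action, ctx):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one action and
    request context; an explicit Deny overrides every Allow, as in IAM."""
    decision = "implicit-deny"
    for st in policy["Statement"]:
        # IAM action names match case-insensitively, with * as a wildcard.
        patterns = [p.lower() for p in _as_list(st["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not _condition_met(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "explicit-deny"
        decision = "allow"
    return decision

if __name__ == "__main__":
    print(evaluate(DENY_EC2_VIA_Q, "ec2:TerminateInstances", {"aws:CalledVia": ["q.amazonaws.com"]}))
    print(evaluate(REGION_LIMITED, "q:PassRequest", {"aws:RequestedRegion": "eu-west-1"}))
```

The same EC2 call is allowed when the user makes it directly and denied when Amazon Q makes it on their behalf, and q:PassRequest outside the two listed Regions falls through to an implicit deny.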

Deny Amazon Q permission to perform actions on your behalf

The following example policy prevents Amazon Q from performing actions on your behalf.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAmazonQPassRequest",
            "Effect": "Deny",
            "Action": [
                "q:PassRequest"
            ],
            "Resource": "*"
        }
    ]
}

Allow users to chat with plugins from one provider

The following example policy grants permission to chat with any Datadog plugin that an administrator configures, specified by the plugin ARN with a wildcard character (*). If the plugin is deleted and re-configured, a user with these permissions will retain access to the newly configured plugin. To use this policy, replace the AWS account ID in the ARN with the ID of the account where your plugin is configured.

You can grant these permissions for other plugins by replacing Datadog with the name of another plugin, such as Wiz.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAmazonQConversationAccess",
            "Effect": "Allow",
            "Action": [
                "q:StartConversation",
                "q:SendMessage",
                "q:GetConversation",
                "q:ListConversations"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowPluginAccess",
            "Effect": "Allow",
            "Action": [
                "q:UsePlugin"
            ],
            "Resource": "arn:aws:q::123456789012:plugin/Datadog/*"
        }
    ]
}

Allow users to chat with a specific plugin

The following example policy grants permission to chat with a specific Wiz plugin, specified by the plugin ARN. If the plugin is deleted and re-configured, a user will not have access to the new plugin unless the plugin ARN is updated in this policy. To use this policy, replace the example ARN with the ARN of the plugin you want to allow access to.

You can grant these permissions for other plugins by replacing Wiz with the name of another plugin, such as Datadog.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAmazonQConversationAccess",
            "Effect": "Allow",
            "Action": [
                "q:StartConversation",
                "q:SendMessage",
                "q:GetConversation",
                "q:ListConversations"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowPluginAccess",
            "Effect": "Allow",
            "Action": [
                "q:UsePlugin"
            ],
            "Resource": "arn:aws:q::123456789012:plugin/Wiz/ABCDEFGHIJKL"
        }
    ]
}

Deny access to Amazon Q

The following example policy denies all permissions to use Amazon Q.

Note

Denying access to Amazon Q will not disable the Amazon Q icon or chat panel in the AWS console, AWS website, AWS documentation pages, or AWS Console Mobile Application.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAmazonQFullAccess",
            "Effect": "Deny",
            "Action": [
                "q:*"
            ],
            "Resource": "*"
        }
    ]
}

Allow users to view their permissions

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewOwnUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Resource": [
                "arn:aws:iam::*:user/${aws:username}"
            ]
        },
        {
            "Sid": "NavigateInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}