Identity-based policy examples for Amazon Q Developer - Amazon Q Developer

This page is a translation of the English original; where the two disagree, the English version is authoritative.

Identity-based policy examples for Amazon Q Developer

The following example IAM policies control permissions for various Amazon Q Developer actions. Use them to allow or deny Amazon Q Developer access for users, roles, or groups.

For a list of all Amazon Q permissions that you can control with policies, see the Amazon Q Developer permissions reference.

Note

The following example policies grant permissions for Amazon Q Developer features, but users may need additional permissions to access Amazon Q through an Amazon Q Developer Pro subscription. For more information, see Allow users to access Amazon Q with an Amazon Q Developer Pro subscription.

You can use the following policies as written, or add permissions only for the individual Amazon Q features you want to use. For examples of policies that allow access to specific features, see the feature-specific policies later on this page.

For more information about configuring IAM permissions with Amazon Q, see Managing access to Amazon Q Developer with policies.

For more information about the features that these permissions cover, see the Amazon Q Developer permissions reference.

Allow administrators to use the Amazon Q service administration console

The following policy allows users to use the Amazon Q service administration console. That is the console where you configure the integration of Amazon Q with IAM Identity Center and AWS Organizations, choose the Amazon Q tier to subscribe to, and attach users and groups to the subscription.

To fully configure an Amazon Q Pro subscription, someone in your enterprise also needs access to the Amazon Q Pro console. For more information, see Assigning permissions to use the Amazon Q Developer Pro console.

Note

The codewhisperer prefix is the legacy name of a service that was merged into Amazon Q Developer. For more information, see Amazon Q Developer rename - Summary of changes.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DisableAWSServiceAccess",
        "organizations:EnableAWSServiceAccess",
        "organizations:DescribeOrganization"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso:ListApplications",
        "sso:ListInstances",
        "sso:DescribeRegisteredRegions",
        "sso:GetSharedSsoConfiguration",
        "sso:DescribeInstance",
        "sso:CreateApplication",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationAssignmentConfiguration",
        "sso:PutApplicationGrant",
        "sso:PutApplicationAccessScope",
        "sso:DescribeApplication",
        "sso:DeleteApplication",
        "sso:GetSSOStatus",
        "sso:CreateApplicationAssignment",
        "sso:DeleteApplicationAssignment"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:DescribeUsers",
        "sso-directory:DescribeGroups",
        "sso-directory:SearchGroups",
        "sso-directory:SearchUsers",
        "sso-directory:DescribeGroup",
        "sso-directory:DescribeUser",
        "sso-directory:DescribeDirectory"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "signin:ListTrustedIdentityPropagationApplicationsForConsole",
        "signin:CreateTrustedIdentityPropagationApplicationForConsole"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:ListProfiles",
        "codewhisperer:CreateProfile",
        "codewhisperer:DeleteProfile"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "user-subscriptions:ListClaims",
        "user-subscriptions:ListUserSubscriptions",
        "user-subscriptions:CreateClaim",
        "user-subscriptions:DeleteClaim",
        "user-subscriptions:UpdateClaim"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "q:CreateAssignment",
        "q:DeleteAssignment"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/user-subscriptions.amazonaws.com/AWSServiceRoleForUserSubscriptions"
      ]
    }
  ]
}

Allow administrators to configure the Amazon Q Developer Pro console

The following policy allows users to access the Amazon Q Developer Pro console. On that console you configure aspects of Amazon Q Developer related to specific features, such as code references.

To fully configure an Amazon Q Pro subscription, someone in your enterprise also needs access to the Amazon Q service administration console. For more information, see Allow administrators to use the Amazon Q service administration console.

The KMS statement below grants Encrypt, Decrypt, CreateGrant and GenerateDataKey on every key in the account. If you use a customer managed key with Amazon Q Developer, scope that statement's Resource to the ARN of that key rather than "*".

Note

The codewhisperer prefix is the legacy name of a service that was merged into Amazon Q Developer. For more information, see Amazon Q Developer rename - Summary of changes.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sso-directory:GetUserPoolInfo"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:ListRoles"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso:DescribeRegisteredRegions",
        "sso:GetSSOStatus"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases",
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:RetireGrant",
        "kms:DescribeKey"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["codeguru-security:UpdateAccountConfiguration"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:UpdateProfile",
        "codewhisperer:ListProfiles",
        "codewhisperer:TagResource",
        "codewhisperer:UnTagResource",
        "codewhisperer:ListTagsForResource",
        "codewhisperer:CreateProfile"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": ["*"]
    }
  ]
}

For legacy Amazon CodeWhisperer profiles, the following policy allows an IAM principal to manage CodeWhisperer applications.

Note

The codewhisperer prefix is the legacy name of a service that was merged into Amazon Q Developer. For more information, see Amazon Q Developer rename - Summary of changes.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:SearchUsers",
        "sso-directory:SearchGroups",
        "sso-directory:GetUserPoolInfo",
        "sso-directory:DescribeDirectory",
        "sso-directory:ListMembersInGroup"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:ListRoles"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["pricing:GetProducts"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso:AssociateProfile",
        "sso:DisassociateProfile",
        "sso:GetProfile",
        "sso:ListProfiles",
        "sso:ListApplicationInstances",
        "sso:GetApplicationInstance",
        "sso:CreateManagedApplicationInstance",
        "sso:GetManagedApplicationInstance",
        "sso:ListProfileAssociations",
        "sso:GetSharedSsoConfiguration",
        "sso:ListDirectoryAssociations",
        "sso:DescribeRegisteredRegions",
        "sso:GetSsoConfiguration",
        "sso:GetSSOStatus"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "identitystore:ListUsers",
        "identitystore:ListGroups"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases",
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:RetireGrant",
        "kms:DescribeKey"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["codeguru-security:UpdateAccountConfiguration"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:UpdateProfile",
        "codewhisperer:ListProfiles",
        "codewhisperer:TagResource",
        "codewhisperer:UnTagResource",
        "codewhisperer:ListTagsForResource",
        "codewhisperer:CreateProfile"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": ["*"]
    }
  ]
}

Note

If you use customizations, your Amazon Q Developer administrator needs additional permissions. For more information, see Prerequisites for customizations.

To learn more about IAM policies, see Access management in the IAM User Guide.

Add IAM permissions for Amazon Q on AWS websites

To use Amazon Q Developer features on AWS apps and websites, you must attach the appropriate AWS Identity and Access Management (IAM) permissions. The following is an example policy that you can use to access most Amazon Q features on AWS apps and websites:

Note

The availability of Amazon Q features depends on the environment in which you use Amazon Q. See the topic for the feature you want to use to learn where you can access it and the specific permissions it requires.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:SendMessage",
        "q:StartConversation",
        "q:GetConversation",
        "q:ListConversations",
        "q:GetIdentityMetaData",
        "q:StartTroubleshootingAnalysis",
        "q:GetTroubleshootingResults",
        "q:StartTroubleshootingResolutionExplanation",
        "q:UpdateTroubleshootingCommandResult",
        "q:PassRequest"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["ce:GetCostAndUsage"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["sts:setContext"],
      "Resource": ["arn:aws:sts::*:self"]
    }
  ]
}

Allow users to access Amazon Q with an Amazon Q Developer Pro subscription

The following example policy grants the permissions needed to use Amazon Q with an Amazon Q Developer Pro subscription. Without these permissions, users can only access the Free tier of Amazon Q. To chat with Amazon Q or use other Amazon Q features, users need additional permissions, such as those granted by the other example policies in this section.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetIdentity",
      "Effect": "Allow",
      "Action": ["q:GetIdentityMetaData"],
      "Resource": "*"
    },
    {
      "Sid": "AllowSetTrustedIdentity",
      "Effect": "Allow",
      "Action": ["sts:SetContext"],
      "Resource": "arn:aws:sts::*:self"
    }
  ]
}

Allow users to chat with Amazon Q

The following example policy grants permission to chat with Amazon Q in the console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQConversationAccess",
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations"
      ],
      "Resource": "*"
    }
  ]
}

Allow users to use Amazon Q in the CLI with AWS CloudShell

The following example policy grants permission to use Amazon Q in the command line with AWS CloudShell.

Note

The codewhisperer prefix is the legacy name of a service that was merged into Amazon Q Developer. For more information, see Amazon Q Developer rename - Summary of changes.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:GenerateRecommendations",
        "codewhisperer:ListCustomizations"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["q:SendMessage"],
      "Resource": "*"
    }
  ]
}

(The trailing comma after the last Action element in the original listing has been removed; IAM rejects policy documents that are not valid JSON.)

Allow users to diagnose console errors with Amazon Q

The following example policy grants permission to diagnose console errors with Amazon Q.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQTroubleshooting",
      "Effect": "Allow",
      "Action": [
        "q:StartTroubleshootingAnalysis",
        "q:GetTroubleshootingResults",
        "q:StartTroubleshootingResolutionExplanation",
        "q:UpdateTroubleshootingCommandResult"
      ],
      "Resource": "*"
    }
  ]
}

Allow Amazon Q to perform actions on your behalf

The following example policy grants permission to chat with Amazon Q and allows Amazon Q to perform actions on your behalf. Amazon Q only has permission to perform the actions that your IAM identity itself has permission to perform; q:PassRequest does not add any permissions beyond those.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQPassRequest",
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:PassRequest"
      ],
      "Resource": "*"
    }
  ]
}

Deny Amazon Q permission to perform specific actions on your behalf

The following example policy grants permission to chat with Amazon Q and allows Amazon Q to perform on your behalf any action that your IAM identity has permission to perform, except Amazon EC2 actions. The policy uses the aws:CalledVia global condition key so that Amazon EC2 actions are denied only when Amazon Q calls them. Because the Deny is explicit, it overrides any EC2 Allow the identity gets from other policies, but only for requests that carry q.amazonaws.com in aws:CalledVia; direct EC2 calls by the same identity are unaffected.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:PassRequest"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["ec2:*"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["q.amazonaws.com"]
        }
      }
    }
  ]
}

Allow Amazon Q permission to perform specific actions on your behalf

The following example policy grants permission to chat with Amazon Q and allows Amazon Q to perform on your behalf any action that your IAM identity has permission to perform, except Amazon EC2 actions. The policy grants your IAM identity permission to perform any Amazon EC2 action, but allows Amazon Q to perform only the ec2:DescribeInstances action (action names in policies are case-insensitive, so the ec2:describeInstances spelling below is equivalent). It uses the aws:CalledVia global condition key to specify that Amazon Q may call only ec2:DescribeInstances and no other Amazon EC2 action.

Before relying on this pattern, test it with the IAM policy simulator. aws:CalledVia is a multivalued key that is present only when a service such as Amazon Q calls EC2 with your credentials; for a direct EC2 call it is absent from the request context, and the set operator ForAnyValue evaluates to false when the request set is empty. If direct calls turn out to be denied, grant them in a separate statement that uses the Null operator ("Null": {"aws:CalledVia": "true"}), which matches exactly the requests in which the key is absent.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:PassRequest"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:*"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "aws:CalledVia": ["q.amazonaws.com"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:describeInstances"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["q.amazonaws.com"]
        }
      }
    }
  ]
}

Allow Amazon Q permission to perform actions on your behalf in specific Regions

The following example policy grants permission to chat with Amazon Q and allows Amazon Q, when performing actions on your behalf, to make calls only to the us-east-1 and us-west-2 Regions. Amazon Q cannot call any other Region. For more information about specifying the Regions that can be called, see aws:RequestedRegion in the AWS Identity and Access Management User Guide.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:PassRequest"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2"]
        }
      }
    }
  ]
}
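The three aws:CalledVia and aws:RequestedRegion policies above are easiest to reason about by running requests through them. The following is an added example written for this page, not AWS code and not the IAM evaluation engine: a small offline evaluator that models only Effect, Action (with * and ? wildcards, matched case-insensitively), and the StringEquals, StringNotEquals and Null condition operators, with Resource assumed to be "*". It applies the documented rules that an explicit Deny always wins, that a single-valued StringEquals fails on a missing key while StringNotEquals succeeds, and that ForAnyValue evaluates to false on an empty request set while ForAllValues evaluates to true. The two policies copied from the page are the "Deny ... specific actions" and "specific Regions" examples; BASELINE_EC2 (the EC2 access an identity would get from some other attached policy) and DIRECT_ONLY_EC2 (a Null-operator grant for direct calls) are constructed for the illustration.

```python
"""Offline evaluator for the aws:CalledVia / aws:RequestedRegion policies on this page.

Added illustration, not AWS code. It models Effect, Action wildcards and the
String*/Null condition operators only; Resource is assumed to be "*".
"""
import fnmatch
import json

# Policies copied from the page.
DENY_EC2_VIA_Q = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["q:StartConversation", "q:SendMessage",
      "q:GetConversation", "q:ListConversations", "q:PassRequest"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:*"], "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": ["q.amazonaws.com"]}}}
  ]}""")

REGION_LIMITED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["q:StartConversation", "q:SendMessage",
      "q:GetConversation", "q:ListConversations", "q:PassRequest"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}}}
  ]}""")

# Constructed policies (not on the page): the EC2 access the identity gets from some
# other attached policy, and a direct-call-only grant that uses the Null operator.
BASELINE_EC2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
DIRECT_ONLY_EC2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"Null": {"aws:CalledVia": "true"}}}]}


def _listify(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _key_matches(set_qualifier, operator, request_values, policy_values):
    """Apply one String/Null operator to one condition key."""
    if operator == "Null":
        # "Null": {key: "true"} matches only when the key is ABSENT from the request.
        return (request_values is None) == (policy_values[0].lower() == "true")
    if operator == "StringEquals":
        single = lambda rv: rv in policy_values
    elif operator == "StringNotEquals":
        single = lambda rv: rv not in policy_values
    else:
        raise ValueError(f"unsupported condition operator: {operator}")
    present = [] if request_values is None else list(request_values)
    if set_qualifier == "ForAnyValue":
        return any(single(rv) for rv in present)   # empty request set -> False
    if set_qualifier == "ForAllValues":
        return all(single(rv) for rv in present)   # empty request set -> True
    if not present:
        return operator == "StringNotEquals"       # negated operators match a missing key
    if len(present) > 1:
        raise ValueError("single-valued operator used on a multivalued key")
    return single(present[0])


def condition_matches(condition, context):
    """All operator blocks and all keys inside them must match (logical AND)."""
    ctx = {k.lower(): _listify(v) for k, v in context.items()}
    for full_operator, pairs in condition.items():
        set_qualifier, _, operator = full_operator.rpartition(":")
        for key, policy_values in pairs.items():
            policy_values = [str(v) for v in _listify(policy_values)]
            if not _key_matches(set_qualifier, operator, ctx.get(key.lower()), policy_values):
                return False
    return True


def evaluate(policies, action, context):
    """Return "Deny", "Allow" or "ImplicitDeny" for one action under the given request context."""
    allowed = False
    for policy in policies:
        for stmt in _listify(policy["Statement"]):
            if not any(action_matches(p, action) for p in _listify(stmt["Action"])):
                continue
            if not condition_matches(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"                        # an explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    via_q = {"aws:CalledVia": ["q.amazonaws.com"]}
    print(evaluate([DENY_EC2_VIA_Q, BASELINE_EC2], "ec2:TerminateInstances", via_q))  # Deny
    print(evaluate([DENY_EC2_VIA_Q, BASELINE_EC2], "ec2:TerminateInstances", {}))     # Allow
    print(evaluate([REGION_LIMITED], "q:SendMessage", {"aws:RequestedRegion": "eu-west-1"}))  # ImplicitDeny
    print(evaluate([DIRECT_ONLY_EC2], "ec2:DescribeInstances", via_q))                # ImplicitDeny
```

The evaluator shows the asymmetry that matters when combining these policies: the Deny statement fires only when q.amazonaws.com appears in aws:CalledVia, so the same identity keeps its direct EC2 access, while a StringEquals on aws:RequestedRegion grants nothing at all when the request carries no Region. It is a teaching aid only; confirm real policies with the IAM policy simulator.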

Deny Amazon Q permission to perform actions on your behalf

The following example policy prevents Amazon Q from performing actions on your behalf. Because it is an explicit Deny, it takes precedence over any other policy that allows q:PassRequest for the same identity.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAmazonQPassRequest",
      "Effect": "Deny",
      "Action": ["q:PassRequest"],
      "Resource": "*"
    }
  ]
}

Deny access to Amazon Q

The following example policy denies all permissions to use Amazon Q.

Note

Denying access to Amazon Q does not disable the Amazon Q icon or chat panel in the AWS console, on AWS websites, on AWS documentation pages, or in the AWS Console Mobile Application. Users still see the interface; requests made through it are denied.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAmazonQFullAccess",
      "Effect": "Deny",
      "Action": ["q:*"],
      "Resource": "*"
    }
  ]
}

Allow users to view their own permissions

This example shows how you might create a policy that allows IAM users to view the inline and managed policies attached to their own user identity. The policy includes the permissions needed to do this in the console or programmatically with the AWS CLI or AWS API. The ${aws:username} policy variable in the first statement restricts the user-scoped actions to the calling user's own IAM user resource.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ViewOwnUserInfo",
      "Effect": "Allow",
      "Action": [
        "iam:GetUserPolicy",
        "iam:ListGroupsForUser",
        "iam:ListAttachedUserPolicies",
        "iam:ListUserPolicies",
        "iam:GetUser"
      ],
      "Resource": ["arn:aws:iam::*:user/${aws:username}"]
    },
    {
      "Sid": "NavigateInConsole",
      "Effect": "Allow",
      "Action": [
        "iam:GetGroupPolicy",
        "iam:GetPolicyVersion",
        "iam:GetPolicy",
        "iam:ListAttachedGroupPolicies",
        "iam:ListGroupPolicies",
        "iam:ListPolicyVersions",
        "iam:ListPolicies",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}