General URLs to allowlist Amazon S3 bucket URLs and ARNs to allowlist

Configuring a firewall, proxy server, or data perimeter for Amazon Q Developer

If you're using a firewall, proxy server, or data perimeter, make sure to allowlist traffic to the following URLs and Amazon Resource Names (ARNs) so that Amazon Q works as expected.

General URLs to allowlist

In the following URLs, replace:

idc-directory-id-or-alias with your IAM Identity Center instance's directory ID or alias. For more information about IAM Identity Center, see What is IAM Identity Center? in the AWS IAM Identity Center User Guide.
sso-region with the AWS Region where your IAM Identity Center instance is enabled. For more information, see Supported Regions for IAM Identity Center.
profile-region with the AWS Region where your Amazon Q Developer profile is installed. For more information about the Amazon Q Developer profile, see Amazon Q Developer profiles and Supported Regions for the Q Developer console and Q Developer profile.

URL	Purpose
`idc-directory-id-or-alias.awsapps.com`	Authentication
`oidc.sso-region.amazonaws.com`	Authentication
`*.sso.sso-region.amazonaws.com`	Authentication
`*.sso-portal.sso-region.amazonaws.com`	Authentication
`*.aws.dev`	Authentication
`*.awsstatic.com`	Authentication
`*.console.aws.a2z.com`	Authentication
`*.sso.amazonaws.com`	Authentication
`https://codewhisperer.us-east-1.amazonaws.com`	Amazon Q Developer features
`https://q.profile-region.amazonaws.com`	Amazon Q Developer features
`https://idetoolkits-hostedfiles.amazonaws.com/*`	Amazon Q Developer in the IDE, configuration
`https://idetoolkits.amazonwebservices.com/*`	Amazon Q Developer in the IDE, endpoints
`https://aws-toolkit-language-servers.amazonaws.com/*`	Amazon Q Developer in the IDE, language processing
`https://aws-language-servers.us-east-1.amazonaws.com/*`	Amazon Q Developer in the IDE, language processing
`https://client-telemetry.us-east-1.amazonaws.com`	Amazon Q Developer in the IDE, telemetry
`cognito-identity.us-east-1.amazonaws.com`	Amazon Q Developer in the IDE, telemetry

Amazon S3 bucket URLs and ARNs to allowlist

For some features, Amazon Q uploads artifacts to AWS service-owned Amazon S3 buckets. If you are using data perimeters to control access to Amazon S3 in your environment, you might need to explicitly allow access to these buckets to use the corresponding Amazon Q features.

The following table lists the URL and ARN of each of the Amazon S3 buckets that Amazon Q requires access to, and the features that use each bucket. You can use the bucket URL or bucket ARN to allowlist these buckets, depending on how you control access to Amazon S3.

You only need to allowlist the bucket in the AWS Region where the Amazon Q Developer profile is installed. For more information about the Amazon Q Developer profile, see Amazon Q Developer profiles.

Note

You don't need to allowlist any of the following buckets if your user base is using JetBrains with version 3.74 or later of the Amazon Q plugin. If users are using an earlier version of the JetBrains plugin or another IDE, you will still need to allowlist the buckets.

Amazon S3 bucket URL and ARN	Purpose
US East (N. Virginia): `https://amazonq-code-scan-us-east-1-29121b44f7b.s3.amazonaws.com/` `arn:aws:s3:::amazonq-code-scan-us-east-1-29121b44f7b` Europe (Frankfurt): `https://amazonq-code-scan-eu-central-1-9374e402cc5.s3.amazonaws.com/` `arn:aws:s3:::amazonq-code-scan-eu-central-1-9374e402cc5`	An Amazon S3 bucket used to upload artifacts for Amazon Q code reviews
US East (N. Virginia): `https://amazonq-code-transformation-us-east-1-c6160f047e0.s3.amazonaws.com/` `arn:aws:s3:::amazonq-code-transformation-us-east-1-c6160f047e0` Europe (Frankfurt): `https://amazonq-code-transformation-eu-central-1-a0a89cc2b94.s3.amazonaws.com/` `arn:aws:s3:::amazonq-code-transformation-eu-central-1-a0a89cc2b94`	An Amazon S3 bucket used to upload artifacts for the Amazon Q Developer Agent for code transformation
US East (N. Virginia): `https://amazonq-feature-development-us-east-1-a5b980054c6.s3.amazonaws.com/` `arn:aws:s3:::amazonq-feature-development-us-east-1-a5b980054c6` Europe (Frankfurt): Note A URL and ARN are not available for the Europe (Frankfurt) Region. As a workaround, tell users to use the agentic chat feature for their software development needs.	An Amazon S3 bucket used to upload artifacts for the Amazon Q Developer Agent for software development
US East (N. Virginia): `https://amazonq-test-generation-us-east-1-74b667808f2.s3.us-east-1.amazonaws.com/` `arn:aws:s3:::amazonq-test-generation-us-east-1-74b667808f2` Europe (Frankfurt): `https://amazonq-test-generation-eu-central-1-335c4259858.s3.us-east-1.amazonaws.com/` `arn:aws:s3:::amazonq-test-generation-eu-central-1-335c4259858`	An Amazon S3 bucket used to upload artifacts for the Amazon Q Developer Agent for unit test generation

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Infrastructure security

VPC endpoints (AWS PrivateLink)