# Using Amazon Q Developer on AWS apps and websites On AWS Use Amazon Q Developer in the AWS Management Console, AWS Console Mobile Application, AWS Marketing website, AWS Documentation website, and supported chat applications to ask questions about AWS. You can ask Amazon Q about AWS architecture, best practices, support, and documentation. Amazon Q can also help with code that you're writing with the AWS SDKs and AWS Command Line Interface (AWS CLI). In the AWS Management Console, you can ask Amazon Q about your AWS resources and costs, contact Support directly, and diagnose common console errors. To quickly provide access to features of Amazon Q Developer on AWS, attach the ` AmazonQDeveloperAccess` AWS managed policy to the IAM identity using Amazon Q. For permissions needed for specific features, see the topic for the feature you want to use. **Topics** + [ ## Authenticating to your Amazon Q Developer Pro subscription ](#qdevpro-authentication) + [ # Chatting with Amazon Q Developer about AWS ](chat-with-q.md) + [ # Using Amazon Q Developer plugins ](plugins.md) + [ # Automating AWS services with Amazon Q Developer Console-to-Code ](console-to-code.md) + [ # Diagnosing common errors in the console with Amazon Q Developer ](diagnose-console-errors.md) + [ # Using Amazon Q Developer to chat with Support ](support-chat.md) ## Authenticating to your Amazon Q Developer Pro subscription To access Amazon Q at the Free tier, sign in to the AWS Management Console. Any Free tier features are available as long as you have the required permissions. To access Amazon Q at the Pro tier, sign to the console with IAM Identity Center. When you sign in with IAM Identity Center, including authenticating through an external identity provider that is connected to IAM Identity Center, you will automatically have access to the Pro tier if your IAM Identity Center identity is subscribed to Amazon Q Developer Pro. For more information on the Amazon Q Developer Pro tier, see [Tiers of service for Q Developer – Free and Pro](q-tiers.md). **Note** If you see an error message that starts with, `Your account has not been configured to use an Amazon Q subscription`, see [Troubleshooting Amazon Q Developer Pro subscriptions](q-admin-setup-subscribe-troubleshooting.md) for troubleshooting tips. If you sign in to the AWS console with IAM or federation with IAM, then you will be prompted to authenticate with IAM Identity Center when you reach a Free tier limit or attempt to use a feature only available at the Pro tier. # Chatting with Amazon Q Developer about AWS Chatting about AWS **Introducing generative AI-based Q artifacts** Amazon Q can now provide answers to questions with table and chart visualizations. A prompt library makes it easier to find example prompts. The Q experience is now more usable and useful. The Q icon has been relocated to the navigation bar. The Q chat panel now opens on the left side. Chat with Amazon Q in the AWS Management Console, AWS Console Mobile Application, AWS website, AWS Documentation website, and chat applications to learn about AWS services. You can ask Amazon Q about best practices, recommendations, step-by-step instructions for AWS tasks, and architecting your AWS resources and workflows. You can also ask about your AWS resources and account costs. Amazon Q additionally generates short scripts or code snippets to help you get started using the AWS SDKs and AWS CLI. The following topics describe how to use Amazon Q chat and topics you can chat about. **Topics** + [ # Using Q artifacts in Amazon Q ](chat-artifacts.md) + [ ## Add permissions ](#add-permissions-chat) + [ ## Start a conversation ](#start-conversation) + [ ## Manage conversations in the console ](#manage-conversations-console) + [ ## Navigate the Amazon Q chat panel ](#navigate-amazon-q-chat-panel) + [ ## Chat settings ](#chat-settings) + [ ## Example prompts ](#example-questions) + [ # Chatting about your resources with Amazon Q Developer ](chat-actions.md) + [ # Asking Amazon Q to troubleshoot your resources ](chat-actions-troubleshooting.md) + [ # Chatting about your costs ](chat-costs.md) + [ # Chatting about your network security ](chat-network-security.md) + [ # Chatting about email sending ](chat-email.md) + [ # Chatting about your telemetry and operations ](chat-ops.md) # Using Q artifacts in Amazon Q Using Q artifacts in Amazon Q Amazon Q artifacts enable Amazon Q to deliver responses enriched with table and chart visualizations. When you ask natural language questions about your resources, Amazon Q may display an artifact that helps you quickly understand your resources at a glance. The Q experience is now more usable and useful. Access Q easily from the navigation bar next to search. The Q chat panel opens on the left and can expand to full screen. A new prompt library helps you discover useful example prompts. To get started, ensure you have the required permissions, and then review the example prompts to get the most out of Amazon Q artifacts. For more information, see [Prerequisites](#chat-artifacts-prereqs) and [Example prompts](#chat-artifacts-example-prompts). ## Prerequisites To view visualizations with Amazon Q see [Allow users to chat with Amazon Q](id-based-policy-examples-users.md#id-based-policy-examples-allow-chat) and [Chatting about your costs](chat-costs.md#cost-chat-getting-started). ## How it works **Note** All data associated with Amazon Q visualizations is saved in us-east-1. **To view Q artifacts in Amazon Q in the AWS management Console:** 1. Sign in to the AWS Management Console. 1. Access Amazon Q by choosing the Q icon in the Unified Navigation bar. 1. Describe your task to Amazon Q using natural language. For example: 1. "List my running EC2 instances" 1. "Create a chart of my costs by region last month" 1. If Amazon Q determines a visual interface would be helpful, it automatically displays an artifact in a new panel next to Q chat with either a table or chart visualization. 1. If you are asking about resources, the panel will include: 1. A table with the resources you asked about, categorized based on any properties you specify. 1. Deep links to the resources that redirect you to the resource page in the service console. 1. If you are asking about cost and billing information with chart visualization, the panel will include a chart widget. ## Example prompts The following categories and associated prompts are examples of the types of tasks you can complete with Amazon Q artifacts. + **View resource information ** – Visualize resource information in table or chart format. + **Get billing recommendations and forecasts** – Show me a line chart of my forecasted costs for the next 6 months, Graph RDS costs by instance type by month for the last 6 months. + **Security and compliance** – Check traffic and internet accessibility to EC2 resources, verify internet connectivity for EC2 instances across regions. For a list of suggested use cases, choose the Amazon Q prompt library icon in the top-right of the Q chat panel and filter by table or visualization response type. ## Add permissions For an IAM policy that grants permissions needed for chatting with Amazon Q, see [Allow users to chat with Amazon QAllow users to use Amazon Q CLI with AWS CloudShell](id-based-policy-examples-users.md#id-based-policy-examples-allow-chat). ## Start a conversation To open up the Amazon Q chat panel in the AWS Management Console, choose the Amazon Q icon in the top left in the Unified Navigation bar. To open up the panel on the AWS website or any AWS service’s documentation page, choose the Amazon Q icon in the bottom right corner. To ask Amazon Q a question, enter your question into the text bar in the Amazon Q panel. Amazon Q generates a response to your question with a sources section that links to its references. After you receive a response, you can optionally leave feedback by using the thumbs-up and thumbs-down icons. You can also copy the response to your clipboard by choosing the copy icon. **To start a new conversation in the console:** 1. You can start a new conversation by choosing the plus icon in the top right corner of the chat panel. 1. To name or rename a conversation, choose the text at the top of the chat panel and enter your conversation name. ## Manage conversations in the console You can view, switch to, and delete your past conversations in Amazon Q. Amazon Q maintains the history of previously asked questions and responses within a given conversation to use as context to inform responses. You can save up to 1,000 separate conversations with Amazon Q chat in the AWS console. When you start a conversation, it’s automatically saved as a new conversation. You can title the conversation, or Amazon Q will generate a title based on the example prompt you select or the first few questions in the conversation. You can switch between conversations to continue chatting with Amazon Q about previous topics. Inactive conversations, in which you don’t ask a new question, will be deleted after 90 days of inactivity. Messages older than 90 days will be deleted, even if a conversation is still active. **To switch conversations:** 1. Choose the clock icon on the top right of the chat panel. The **Conversations** pop-up opens. 1. Choose the name of the conversation you want to resume. All previous messages from that conversation appear in the chat panel where you can continue chatting with Amazon Q. **To delete conversations:** 1. Choose the clock icon on the top right of the chat panel. The **Conversations** pop-up opens. 1. Choose the delete icon next to the name of the conversation you want to delete. If you’re using Amazon Q in the console, your current conversation and associated context are maintained when you navigate to another place in the console or to another browser or tab. If you’re using Amazon Q on the AWS website, Documentation website, or Console Mobile Application, a new conversation starts without any context when you navigate to a new page, browser, or tab. ## Navigate the Amazon Q chat panel Note: You can switch between the Amazon Q chat panel and service consoles at any time: 1. To expand the Q chat panel in full-screen mode, choose the maximize icon in the top-right corner. To toggle full-screen mode, choose the resize icon. 1. To close the Q chat panel, choose < in the top-right corner. To close the panel with visualizations, choose X in the top-right corner. 1. To adjust the chat panel size, use the divider. 1. To reopen the chat panel, choose the Q icon in the Unified Navigation bar. 1. Your work is automatically saved when switching between views. ## Chat settings To view your chat settings in Amazon Q, choose the gear icon in the top right of the chat panel. + **Region** — Amazon Q defaults to the AWS Region set in the AWS Management Console when you open the chat panel. To update the Region used by Amazon Q, change your console Region. ## Example prompts You can ask Amazon Q questions about AWS and AWS services, such as finding the right service, understanding best practices or reviewing the state of your resources. If Amazon Q determines a visual interface would be helpful, it automatically displays a new panel with either a table or chart visualization. You can also ask about software development with the AWS SDKs and AWS CLI. Amazon Q in the console can generate short scripts or code snippets to help you get started using the AWS SDKs and AWS CLI. The following are example questions that demonstrate how Amazon Q can help you build on AWS: + List RDS databases without CloudWatch alarms + What's the maximum runtime for a Lambda function? + When should I put my resources in a VPC? + List S3 buckets with tag value ** + Create a chart showing my cost per GB for different S3 storage classes + Graph EC2 cost per vCPU hour over the last 3 weeks + What's the best container service to use to run my workload if I need to keep my costs low? + Show me a bar chart of potential savings by optimization recommendation To help you get started, Q recommends prompts when you start a new conversation. You can also view the list of supported prompts in the prompt library. To view prompts in the prompt library, choose the book icon in the top right of the chat panel. # Chatting about your resources with Amazon Q Developer Chatting about your resources Amazon Q Developer answers questions about your AWS account resources to help you understand your AWS infrastructure through natural language prompts. Using advanced reasoning capabilities, Amazon Q analyzes and provides insights about your resources so you can quickly get the information you need without relying on multiple service consoles, APIs, or complicated scripts. The type of resource analysis Amazon Q can perform includes: + **Resource listing and details** – Ask for lists or specific details about resources in your account. + **Filtered queries** – Request resource information based on criteria such as region or configuration state. + **Cross-service analysis** – Ask complex questions about your infrastructure, configurations, and dependencies across multiple AWS resources and services. + **Troubleshooting assistance** – Get help identifying and resolving issues with your resources. For more information, see [Asking Amazon Q to troubleshoot your resources](chat-actions-troubleshooting.md). For examples of questions you can ask, see [Ask Amazon Q for resource information](#ask-resource-questions). **Topics** + [ ## How it works ](#how-chat-actions-works) + [ ## Prerequisites ](#resoure-chat-prereqs) + [ ## Ask Amazon Q for resource information ](#ask-resource-questions) + [ ## Count resources with AWS Resource Explorer ](#count-resources) ## How it works To respond to questions about resources, Amazon Q uses service APIs and AWS Cloud Control API to retrieve the requested information. To allow Amazon Q to call the APIs required to retrieve requested resource information, your IAM identity must have permissions to use those APIs. For more information, see [Prerequisites](#resoure-chat-prereqs). Amazon Q can perform get, list, and describe actions to retrieve information about multiple AWS resources at a time. When asked complex resource questions, Amazon Q creates dynamic, multi-step plans that explain the reasoning behind the actions it’s taking to further your understanding of your AWS environment. If the initial plan fails, Amazon Q attempts alternative methods or prompts you for any additional information required to continue. Amazon Q can provide answers to questions enriched with read-only Q artifacts. For example, when you ask a question about your resources or cost and billing, Amazon Q generates visualizations like tables and charts to help you quickly understand the state of your account resources. Amazon Q can’t answer questions about the data stored in your resources, such as listing objects in an Amazon S3 bucket, or questions related to your account security, identity, credentials, or cryptography. ## Prerequisites You can chat about your account resources with Amazon Q in the AWS Management Console, AWS Console Mobile Application, and in [configured chat applications](q-in-chat-applications.md). To chat about your resources, your IAM identity must have the following permissions: + Permissions to chat with Amazon Q, to use Cloud Control API, and to allow Amazon Q to access your resources. For an IAM policy that grants the required permissions, see [Allow users to chat about resources with Amazon Q](id-based-policy-examples-users.md#id-based-policy-examples-allow-resource-chat). + Permissions to access the resources you ask about. For example, if you ask Amazon Q to list your Amazon S3 buckets, you must have the `s3:ListAllMyBuckets` permission. Amazon Q will never access resources that your IAM identity doesn't have access to. **Important** Normal fees apply when you ask Amazon Q to perform read, list, or describe actions. For more information, see the pricing page for the AWS service you are asking Amazon Q about. ## Ask Amazon Q for resource information When you ask Amazon Q about your resources, you can specify the AWS Region that Amazon Q calls to locate your resources. If no Region is specified in a given query, Amazon Q will use a Region previously specified in your conversation if applicable, and otherwise uses your current console Region (or the most recent console Region if you are using a global console Region). Amazon Q might need additional information to answer to your resource questions. When Amazon Q asks a follow up, reply with the requested details. Following are example questions you can ask Amazon Q about your resources: + Describe the encryption settings for S3 bucket ** + What SQS queues invoke my Lambda functions? + Do I have any MySQL RDS clusters that need updates? + List my EC2 instances in ** + Get the configuration for my lambda function ** + What alarms are configured for instance **? + List RDS databases without CloudWatch alarms + List S3 buckets with tag value ** + Show me chart of my costs by service last week + Show me a bar chart of my top 10 most expensive resources + Create a chart showing budget vs forecasted spend ## Count resources with AWS Resource Explorer When you ask a question that requires resource counting, such as 'How many EC2 resources are running in my account?', Amazon Q uses Cloud Control API by default to return a count of the requested resources. You also have the option to enable and configure Resource Explorer for faster resource counting with Amazon Q. If Resource Explorer is enabled, Amazon Q will attempt to use it when generating a response that requires counting your resources. Amazon Q can use Resource Explorer to count a single type of resource across all AWS Regions. Using Resource Explorer enables Amazon Q to count resources faster by returning the count from the Resource Explorer index, as opposed to calling service APIs to list resources and count the results. If you choose to enable Resource Explorer for resource counting, note that resource information can be out of date. Resource Explorer indexes resources in your account by taking a periodic inventory, and if resources have been created or deleted after the last inventory, the resource count will be incorrect. Resource Explorer also doesn't support resource filtering. If you ask to count resources matching a specific criteria, Amazon Q will fall back to Cloud Control API. If you don't have Resource Explorer enabled and configured for use, or if Amazon Q can't use Resource Explorer to answer your question, Amazon Q uses Cloud Control API to count resources. Using Cloud Control API ensures an accurate resource count and supports resource filtering, however this can also lead to increased latency compared to counting with Resource Explorer. If you are counting a large number of resources, Cloud Control API can also time out. To use Resource Explorer for resource counting, the following configuration is required: + The user interacting with Amazon Q must be in account where an Resource Explorer default view is configured and an aggregator index has been created in the same Region as the default view. For more information, see [Setting up Resource Explorer using Advanced setup](https://docs.aws.amazon.com/resource-explorer/latest/userguide/getting-started-setting-up.html#getting-started-setting-up-advanced) in the *AWS Resource Explorer User Guide*. + The user's IAM identity must have read permissions for the default view. For more information, see [Granting access to Resource Explorer views for search](https://docs.aws.amazon.com/resource-explorer/latest/userguide/configure-views-grant-access.html) in the *AWS Resource Explorer User Guide*. # Asking Amazon Q to troubleshoot your resources Asking Amazon Q to troubleshoot your resources In the AWS Management Console, you can ask Amazon Q to troubleshoot issues you're having with your AWS resources. When you encounter a problem, open the chat panel and describe the situation to Amazon Q. For instance, you might enter, "I can't add an object to my S3 bucket" or "My load balancer is returning a 503 error". Amazon Q analyzes the information you provided to identify potential root causes. It then offers tailored solutions, step-by-step instructions, or best practices to resolve your issue efficiently. Amazon Q currently accepts English prompts for the issues shown in the following table. | AWS service | Type of issue that Amazon Q can help with | Example prompts | | --- | --- | --- | | Amazon S3 | Permissions issues | Why can’t I put objects into my S3 bucket? The bucket ID is amzn-s3-demo-bucket. Why can’t I delete the object s3://amzn-s3-demo-bucket-locked/Q-Stream2.jpg? Why can't I delete an object in S3? | | AWS Glue | Job failures | My Glue job with the job name 'Run111B11B11-*<…>*' and the job run id 'bb\$1b1b111*<…>*' in the 'us-west-2' region failed. Why did my Glue job called GlueRun00AA00A00A-*<…>* fail? | | Amazon Athena | Query issues | My Athena query didn't return any results. query ID: 222c22cc-2c022-*<…>* region id: us-east-2 I ran an Athena query with an execution ID of 333d33dd-3d33-*<…>* and a region of us-east-1, and it didn't return any results. | | Amazon ECS | Task stoppage issues; Fargate health check issues; disconnected agent issues | My ECS task is stopped and I don't know why. The details of the task are: Cluster: my-ecs-cluster, Service: my-ecs-service, Task Definition: my-task-definition, Task ARN: arn:aws:ecs:us-west-2:444444444444:task/my-ecs-cluster/4ee4ee4ee4444*<…>* I'm having a problem with my ECS task. The task health check always fails for the task in the 'my-ecs-cluster' cluster and service. The Amazon ECS agent on one of my container instances appears to be disconnected. The agent is not responding or updating its status, which is causing tasks to be stuck in a pending state. | | Amazon EC2 Elastic Load Balancing | Health check issues; 504, 503, 502, and 500 errors | Why are the health checks for the target group called 'my-target-group' failing? Why am I receiving 503 errors from my load balancer 'my-elb'? | | Amazon EKS | Application Load Balancer (ALB) ingress controller issues; managed add-on issues | I have an ALB ingress controller in my EKS cluster, and am seeing a failure with the error message 'WebIdentityErr:failed to retrieve credentials'. The AWS region is us-west-2. There seems to be an issue with the add-ons in my EKS cluster called my-eks-cluster, in the us-west-2 region. | | Amazon ECR | Secondary account access issues | I'm having difficulty granting access to an Amazon ECR image repository from a different AWS account. Specifically, I need to allow account 222222222222 to push and pull images from the repository named "my-ecr-repo" in my account (111111111111) in the region (us-west-2). | For Amazon Q to troubleshoot your resources, you'll need the same permissions as those outlined in [Chatting about your resources with Amazon Q DeveloperChatting about your resources](chat-actions.md). # Chatting about your costs Amazon Q Developer is a generative artificial intelligence (AI) powered conversational assistant that can help you understand, build, extend, and operate AWS applications. Amazon Q Developer provides powerful capabilities to help you manage your AWS costs through natural conversation. You can analyze your historical and forecasted costs from Cost Explorer, discover cost-saving recommendations from Cost Optimization Hub and AWS Compute Optimizer, understand Savings Plans and reservation opportunities, and get instant answers about AWS product attributes or service pricing. Amazon Q Developer can both answer specific questions (e.g., "What were net unblended costs for EC2 instances last month?") or perform complex or open-ended analysis (e.g., "What were the biggest drivers of last week's cost decrease?"). Amazon Q Developer transforms how you interact with AWS cost data by letting you ask questions in your own words instead of learning query syntax or navigating multiple console pages, while providing precise answers backed by real data from your AWS account and showing exactly which APIs were called and where to find the information in the console. For more information about the cost management capabilities in Amazon Q Developer, see [Managing your costs using generative AI with Amazon Q Developer](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-cost-analysis-q.html) in the *AWS Cost Management User Guide*. ## What you can do With Amazon Q Developer, you can: + **Analyze your costs** – Ask questions about your historical spending patterns, cost trends, and forecasted costs. For example, "What were my EC2 costs last month?" or "Why did my costs increase last week?" + **Find optimization opportunities** – Discover ways to reduce your AWS spending by asking about recommendations from Cost Optimization Hub, AWS Compute Optimizer, and Savings Plans. For example, "What are my top cost optimization opportunities?" or "Which EC2 instances are over-provisioned?" + **Understand pricing** – Get instant answers about AWS service pricing. For example, "How much does a c8g.2xlarge instance cost in us-east-1?" or "What would it cost to store 1 PB in S3 in Dublin?" + **Check payment status** – List recent invoices and check payment balance. For example, “List my invoices for the last 6 months” and “Do I have an outstanding payment balance?” + **Visualize your costs** – Generate custom charts and graphs of historical costs and usage, service pricing, budgets, and more. For example, “Show me a graph of how much we’re spending in each region” or “Create a chart breaking down EC2-Other costs last month”. Amazon Q Developer adapts to however you phrase your questions. You can ask specific questions when you know exactly what you want, or ask open-ended exploratory questions and let Q investigate on your behalf. Q maintains context throughout your conversation, so you can ask follow-up questions to dive deeper or guide the analysis in a specific direction. ## How it works When you ask Amazon Q Developer about your costs, Q retrieves data from AWS Cost Explorer, Cost Optimization Hub, AWS Compute Optimizer, and other AWS services. Q performs calculations, analyzes patterns, and provides insights based on your actual usage and spending data. With each response, Q provides transparency into how it arrived at its answer by showing you the API calls it made, the parameters used, and links to matching views in the AWS Management Console where available. This helps you verify the data and explore further. ## Getting started To chat about your AWS costs, you need: + **Appropriate IAM permissions** – Your IAM identity must have permissions to chat with Amazon Q and access your billing data. For an IAM policy that grants the required permissions, see [Allow Amazon Q to access cost data and provide cost optimization recommendations](id-based-policy-examples-users.md#id-based-policy-examples-allow-cost-chat). + **Cost Explorer opt-in** – You must enable AWS Cost Explorer in your AWS account. To enable Cost Explorer, open the [Cost Explorer console](https://console.aws.amazon.com/costmanagement/home#/cost-explorer). For more information, see [Enabling Cost Explorer](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-enable.html) in the *AWS Cost Management User Guide*. To take advantage of the full range of Amazon Q Developer's cost management capabilities, you can also enable additional services such as AWS Cost Optimization Hub or AWS Budgets. To learn more, see [Overview of cost management capabilities in Amazon Q Developer](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-q-overview.html) in the *AWS Cost Management User Guide*. To get started: 1. Sign in to the AWS Management Console at [https://console.aws.amazon.com](https://console.aws.amazon.com). 1. Choose the Amazon Q icon on the right side of the console navigation bar. 1. Ask a question about your costs, such as: + "What were my costs last month?" + "What are my top cost optimization opportunities?" + "How much does a c8g.2xlarge instance running Linux cost in us-east-1?" + “Show me a pie chart of my costs by region last week” You can also configure Amazon Q Developer in chat applications such as Slack and Microsoft Teams. For more information about using Amazon Q Developer in chat applications, see [Chatting with Amazon Q Developer in chat applications](q-in-chat-applications.md). ## Example questions Following are example questions about costs that you can ask Amazon Q Developer: **Cost analysis** + "What were my costs last month?" + "Show me my EC2 spending trends for the past six months." + "What are the top contributing services to my AWS bill in the eu-central-1 region?" + "Why did my costs increase last week?" + "Analyze my spending data for the last month and give me the most important insights." **Cost optimization** + "What are my top cost optimization opportunities?" + "Which EC2 instances are over-provisioned?" + "Do I have any idle resources?" + "Which Savings Plans should I purchase?" **Budget and anomaly monitoring** + "Have any teams exceeded their budgets?" + "Do I have any cost anomalies?" **Pricing estimation** + "How much does a c8g.2xlarge instance cost in us-east-1?" + "What would it cost to store 1 PB in S3 in Dublin?" + "What's the monthly cost of a t4g.xlarge RDS instance with Multi-AZ and 300 GB gp2 storage?" + "What would be the price to build a basic three tier web app, with a small EC2 instance, API gateway, a \$15GB SQL database, and a basic JS front-end hosted in CloudFront?" **Cost visualization** + “Graph my support charges by month for the last 12 months” + “Show me an area chart of EC2 costs by instance type by day this month” + “Create a chart of S3 storage pricing by tier in us-east-1”" + “Line chart of Savings Plans coverage and utilization % over the last 3 months” + “Graph EC2 cost per vCPU hour over the last 3 weeks” # Chatting about your network security **** | | | --- | | Chatting about network security is in preview, and is subject to change. | Amazon Q can help you analyze your network security configurations, identify missing or misconfigured AWS network security services, and provide recommendations for a stronger network security posture. This helps you understand network security findings, implement remediation steps, and follow security best practices without interrupting your workflow. When you ask Amazon Q about your network security, its responses include specific information about your resources, related security findings, and detailed remediation instructions as well as links to learn more in the AWS Management Console. For more information about network security analysis with Amazon Q, see [Get insights with Amazon Q Developer](https://docs.aws.amazon.com/waf/latest/developerguide/nsd-security-insights.html) in the *AWS Shield network security director Developer Guide*. ## Prerequisites You can chat about your AWS network security in the AWS Management Console and in [configured chat applications](q-in-chat-applications.md). For Amazon Q to answer questions about your network security, the following prerequisites must be met. ### Add permissions To chat about your network security, your IAM identity must have permissions to chat with Amazon Q. For an IAM policy that grants the required permissions, see [Allow users to chat with Amazon Q](id-based-policy-examples-users.md#id-based-policy-examples-allow-chat). ### Enable AWS Shield network security director To chat about your network security with Amazon Q, you must enable AWS Shield network security director in your AWS account. To enable AWS Shield network security director: 1. Open the AWS Shield network security director console at [https://console.aws.amazon.com/nsd/](https://console.aws.amazon.com/nsd/). 1. Follow the setup instructions to enable the service. 1. Run a scan to collect security information about your resources. ## Example questions Following are example questions about network security that you can ask Amazon Q: + Identify my top network security findings + Summarize the network security of my environment + Are my systems at risk of DDoS attacks? + How can I improve my network security? + Do I have any resources without WAF protection? + Which resources are not protected from common web vulnerabilities? + What are the common network security issues on my EC2 instances? + Do I have any WAF WebACLs that aren’t protecting anything? # Chatting about email sending Amazon Q can help you set up email sending in Amazon Simple Email Service (Amazon SES), helping you to optimize your sending delivery and engagement rates, and troubleshoot sending problems. When you ask Amazon Q about Amazon SES, it’s responses include information about the sending identities, configuration sets, and other Amazon SES resources in your account. It is also able to answer questions about your email sending patterns, as well as patterns of responses from mailbox providers such as Gmail and Yahoo. ## Prerequisites You can chat about your Amazon SES in the AWS Management Console and in [configured chat applications](q-in-chat-applications.md). For Amazon Q to answer questions about your email sending, the following prerequisites must be met. ### Add permissions To chat about your email sending, your IAM identity must have permissions to chat with Amazon Q. For an IAM policy that grants the required permissions, see [Allow users to chat with Amazon Q](id-based-policy-examples-users.md#id-based-policy-examples-allow-chat). You must also have permissions to access the Amazon SES resources you ask about. ## Example questions Following are example questions about email sending that you can ask Amazon Q: + Do I need to do anything to finish setting up SES for email sending? + Tell me which sending identities have the best deliverability performance. + How is my deliverability for emails sent to Yahoo? + Do you have any recommendations to improve my sending? + Tell me if there have been any recent events where my deliverability performance suddenly improved or worsened. # Chatting about your telemetry and operations Amazon Q analyzes your CloudWatch telemetry and operational data to help manage your AWS environment. It retrieves resource health information, monitors alarms, and provides troubleshooting guidance. When you ask questions, Amazon Q may prompt you for specific details like resource names and time ranges to ensure accurate assistance. **AWS service health check:** Evaluate the health of resources of specified AWS services, assisting customers in troubleshooting and resolving issues or errors they encounter with these resources. + Is my Lambda function X healthy? + Is anything wrong with my Amazon ECS clusters? + Help me troubleshoot my DynamoDB tables between time X and Y. + Investigate anomalies related to Amazon S3 between time X and Y. **Alarm troubleshooting:** Identifies alarms in Alarm state and the underlying telemetry that triggered the alarm, helping customers diagnose the reasons behind the alarm/alert/pages. + Why is my alarm with name X firing? **Application Signals specific troubleshooting:** Analyzes CloudWatch Application Signals service-level objectives and indicators to determine the overall health of a service, enabling you to assess and maintain application performance. + Is my Service X in environment Y healthy? For more information about how Amazon Q analyzes your CloudWatch telemetry and operational data, see *CloudWatch investigations* in the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Investigations.html). # Using Amazon Q Developer plugins Using plugins Amazon Q Developer integrates with third party monitoring tools and security platforms so you can access your AWS application insights without leaving the AWS builder environment. In the AWS Management Console, you can chat about metrics provided by these tools to understand and address application performance, errors, or vulnerabilities. After you configure a plugin, add the plugin alias to the beginning of your question when you chat with Amazon Q in the AWS console. Amazon Q calls the third party provider APIs to retrieve resources and generates a response with deep links to the external resources. When Amazon Q calls a third party API, the API will not appear in AWS CloudTrail logs. The CloudTrail log will only show when an AWS Secrets Manager secret is accessed by Amazon Q to retrieve credentials to connect to the third party provider. Amazon Q doesn't share any information with third party providers when you configure or use plugins. For more information on how Amazon Q uses your data, see [Data protection](data-protection.md). **Note** Member accounts within an AWS organization don't have access to plugins that are configured in the organization's management account profile. Each member account must create their own Q Developer profile before they can configure and use plugins in their account. **Warning** Third party provider user permissions are not detected by Amazon Q Developer plugins. When an administrator configures a plugin in an AWS account, users with plugin permissions in that account have access to any resources in the third party provider account retrievable by the plugin. You can configure IAM policies to restrict which plugins users have access to. For more information, see [Allow users to chat with plugins from one provider](id-based-policy-examples-users.md#id-based-policy-examples-allow-plugin-type). To get started, see the topic for the plugin you want to use with Amazon Q Developer. **Topics** + [ # Configuring the Amazon Q Developer CloudZero plugin ](cloudzero-plugin.md) + [ # Configuring the Amazon Q Developer Datadog plugin ](datadog-plugin.md) + [ # Configuring the Amazon Q Developer Wiz plugin ](wiz-plugin.md) # Configuring the Amazon Q Developer CloudZero plugin CloudZero CloudZero is a cloud cost optimization platform that evaluates costs to improve cloud efficiency. If you use CloudZero to monitor your AWS costs, you can use the CloudZero plugin in Amazon Q Developer chat to access cost insights without leaving the AWS Management Console. You can use the CloudZero plugin to understand your AWS costs, get cost optimization insights, and track billing. After you receive a response, you can ask follow up questions, such as the status or cost impact of CloudZero insights. To configure the plugin, you provide authentication credentials from your CloudZero account to enable a connection between Amazon Q and CloudZero. After you configure the plugin, you can access CloudZero data by adding ****@cloudzero**** to the beginning of your question in Amazon Q chat. **Warning** CloudZero user permissions are not detected by the CloudZero plugin in Amazon Q. When an administrator configures the CloudZero plugin in an AWS account, users with plugin permissions in that account have access to any resources in the CloudZero account retrievable by the plugin. You can configure IAM policies to restrict which plugins users have access to. For more information, see [Configure user permissions](#cloudzero-configure-user-permissions). ## Prerequisites ### Add permissions To configure plugins, the following administrator level permissions are required: + Permissions to access the Amazon Q Developer console. For an example IAM policy that grants needed permissions, see [Allow administrators to use the Amazon Q Developer console](id-based-policy-examples-admins.md#q-admin-setup-admin-users). + Permissions to configure plugins. For an example IAM policy that grants the needed permissions, see [Allow administrators to configure plugins](id-based-policy-examples-admins.md#id-based-policy-examples-admin-plugins). ### Acquire credentials Before you begin, note the following information from your CloudZero account. These authentication credentials will be stored in an AWS Secrets Manager secret when you configure the plugin. + **API key** – An access key that allows Amazon Q to call the CloudZero API to access your organization’s cost insights and billing information. You can find the API key in your CloudZero account settings. For more information, see the [ Authorization](https://docs.cloudzero.com/reference/authorization) in the CloudZero documentation. For more information on acquiring credentials from your CloudZero account, see the [CloudZero documentation](https://docs.cloudzero.com/docs/amazon-q-integration). ## Secrets and service roles ### AWS Secrets Manager secret When you configure the plugin, Amazon Q creates a new AWS Secrets Manager secret for you to store CloudZero authentication credentials. Alternatively, you can use an existing secret that you create yourself. If you create a secret yourself, enter the API key as plaintext: ``` your-api-key ``` For more information about creating secrets, see [Create a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html) in the *AWS Secrets Manager User Guide*. ### Service roles To configure the CloudZero plugin in Amazon Q Developer, you need to create a service role that gives Amazon Q permission to access your Secrets Manager secret. Amazon Q assumes this role to access the secret where your CloudZero credentials are stored. When you configure the plugin in the AWS console, you have the option to create a new secret or use an existing one. If you create a new secret, the associated service role is created for you. If you use an existing secret and an existing service role, make sure your service role contains the following permissions, and has the following trust policy attached. The service role required depends on your secret encryption method. If your secret is encrypted with an AWS managed KMS key, the following IAM service role is required: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": [ "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-id" ] } ] } ``` ------ If your secret is encrypted with a customer managed AWS KMS key, the following IAM service role is required: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-id" }, { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id", "Condition": { "StringEquals": { "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com" } } } ] } ``` ------ To allow Amazon Q to assume the service role, the service role needs the following trust policy: **Note** The `codewhisperer` prefix is a legacy name from a service that merged with Amazon Q Developer. For more information, see [Amazon Q Developer rename - Summary of changes](service-rename.md). ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "q.amazonaws.com" }, "Action": ["sts:AssumeRole", "sts:SetContext"], "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333", "aws:SourceArn": "arn:aws:codewhisperer:us-east-1:111122223333:profile/profile-id" } } } ] } ``` ------ For more information about service roles, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *AWS Identity and Access Management User Guide*. ## Configure the CloudZero plugin You configure plugins in the Amazon Q Developer console. Amazon Q uses credentials stored in AWS Secrets Manager to enable interactions with CloudZero. To configure the CloudZero plugin, complete the following procedure: 1. Open the Amazon Q Developer console at [https://console.aws.amazon.com/amazonq/developer/home](https://console.aws.amazon.com/amazonq/developer/home) 1. On the Amazon Q Developer console home page, choose **Settings**. 1. In the navigation bar, choose **Plugins**. 1. On the plugins page, choose the plus sign on the **CloudZero** panel. The plugin configuration page opens. 1. For **Configure AWS Secrets Manager**, choose either **Create a new secret** or **Use an existing secret**. The Secrets Manager secret is where your CloudZero authentication credentials will be stored. If you create a new secret, enter the following information: 1. For **CloudZero API key**, enter the API key for your CloudZero organization. 1. A service role will be created that Amazon Q will use to access the secret where your CloudZero credentials are stored. Do not edit the service role that is created for you. If you use an existing secret, choose a secret from the **AWS Secrets Manager secret** dropdown menu. The secret should include the CloudZero authentication credentials specified in the previous step. For more information about the required credentials, see [Acquire credentials](#acquire-cloudzero-credentials). 1. For **Configure AWS IAM service role**, choose either **Create new service role** or **Use existing service role**. **Note** If you chose **Create a new secret** for step 6, you can’t use an existing service role. A new role will be created for you. If you create a new service role, a service role will be created that Amazon Q will use to access the secret where your CloudZero credentials are stored. Do not edit the service role that is created for you. If you use an existing service role, choose a role from the dropdown menu that appears. Make sure your service role has the permissions and trust policy defined in [Service roles](#cloudzero-service-role). 1. Choose **Save configuration**. 1. After the CloudZero plugin panel appears in the **Configured plugins** section on the Plugins page, users will have access to the plugin. If you want to update the credentials for a plugin, you must delete your current plugin and configure a new one. Deleting a plugin removes all previous specifications. Any time you configure a new plugin, a new plugin ARN is generated. ## Configure user permissions To use plugins, the following permissions are required: + Permissions to chat with Amazon Q in the console. For an example IAM policy that grants permissions needed to chat, see [Allow users to chat with Amazon QAllow users to use Amazon Q CLI with AWS CloudShell](id-based-policy-examples-users.md#id-based-policy-examples-allow-chat). + The `q:UsePlugin` permission. When you grant an IAM identity access to a configured CloudZero plugin, the identity gains access to any resources in the CloudZero account retrievable by the plugin. CloudZero user permissions are not detected by the plugin. If you want to control access to a plugin, you can do so by specifying the plugin ARN in an IAM policy. Each time you create or delete and re-configure a plugin, it is assigned a new ARN. If you use a plugin ARN in a policy, it will need to be updated if you want to grant access to the newly configured plugin. To locate the CloudZero plugin ARN, go to the **Plugins** page in the Amazon Q Developer console and choose the configured CloudZero plugin. On the plugin details page, copy the plugin ARN. You can add this ARN to a policy to allow or deny access to the CloudZero plugin. If you create a policy to control access to CloudZero plugins, specify `CloudZero` for the plugin provider in the policy. For examples of IAM policies that control plugin access, see [Allow users to chat with plugins from one provider](id-based-policy-examples-users.md#id-based-policy-examples-allow-plugin-type). ## Chat with the CloudZero plugin To use the CloudZero plugin, enter **@cloudzero** at the beginning of a question about CloudZero or your AWS application monitors and cases. Follow up questions or responses to questions from Amazon Q must also include **@cloudzero**. Following are some example use cases and associated questions you can ask to get the most of out of the Amazon Q CloudZero plugin: + **Learn about using CloudZero with AWS** – Ask about how CloudZero features work. Amazon Q might ask you for more information about what you’re trying to do to provide the best answer. + **@cloudzero how do I use CloudZero?** + **@cloudzero how do I get started with CloudZero?** + **List cost insights** – Get a list of cost insights or find out more about a specific insight. + **@cloudzero list my top cost insights** + **@cloudzero tell me more about insight ** + **Get billing information** – Ask the Amazon Q CloudZero plugin about your AWS billing information. + **@cloudzero what were my AWS costs for December 2024?** # Configuring the Amazon Q Developer Datadog plugin Datadog Datadog is a monitoring and security platform that provides infrastructure, application, and network monitoring and analytics. If you use Datadog to monitor your AWS applications, you can use the Datadog plugin in Amazon Q Developer chat to access monitoring information without leaving the AWS Management Console. You can use the Datadog plugin to learn about Datadog, understand how it works with AWS services, and ask about your Datadog cases and monitors. After you receive a response, you can ask follow up questions, including how to address an issue or for details about Datadog resources. To configure the plugin, you provide authentication credentials from your Datadog account to enable a connection between Amazon Q and Datadog. After you configure the plugin, you can access Datadog metrics by adding ****@datadog**** to the beginning of your question in Amazon Q chat. **Warning** Datadog user permissions are not detected by the Datadog plugin in Amazon Q. When an administrator configures the Datadog plugin in an AWS account, users with plugin permissions in that account have access to any resources in the Datadog account retrievable by the plugin. You can configure IAM policies to restrict which plugins users have access to. For more information, see [Configure user permissions](#datadog-configure-user-permissions). ## Prerequisites ### Add permissions To configure plugins, the following administrator level permissions are required: + Permissions to access the Amazon Q Developer console. For an example IAM policy that grants needed permissions, see [Allow administrators to use the Amazon Q Developer console](id-based-policy-examples-admins.md#q-admin-setup-admin-users). + Permissions to configure plugins. For an example IAM policy that grants the needed permissions, see [Allow administrators to configure plugins](id-based-policy-examples-admins.md#id-based-policy-examples-admin-plugins). ### Acquire credentials Before you begin, note the following information from your Datadog account. These authentication credentials will be stored in an AWS Secrets Manager secret when you configure the plugin. + **Site parameter** – The Datadog site parameter you use. For example, `us3.datadoghq.com`. For more information, see [Getting Started with Datadog Sites](https://docs.datadoghq.com/getting_started/site/) in the Datadog documentation. + **API key and application key** – Access keys that allow Amazon Q to call the Datadog API to access events and metrics. You can find these under **Organization Settings** in your Datadog account. For more information, see [API and Application Keys](https://docs.datadoghq.com/account_management/api-app-keys/) in the Datadog documentation. ## Secrets and service roles ### AWS Secrets Manager secret When you configure the plugin, Amazon Q creates a new AWS Secrets Manager secret for you to store Datadog authentication credentials. Alternatively, you can use an existing secret that you create yourself. If you create a secret yourself, make sure it includes the following credentials and uses the following JSON format: ``` { "ApiKey": "", "AppKey": "" } ``` For more information about creating secrets, see [Create a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html) in the *AWS Secrets Manager User Guide*. ### Service roles To configure the Datadog plugin in Amazon Q Developer, you need to create a service role that gives Amazon Q permission to access your Secrets Manager secret. Amazon Q assumes this role to access the secret where your Datadog credentials are stored. When you configure the plugin in the AWS console, you have the option to create a new secret or use an existing one. If you create a new secret, the associated service role is created for you. If you use an existing secret and an existing service role, make sure your service role contains the following permissions, and has the following trust policy attached. The service role required depends on your secret encryption method. If your secret is encrypted with an AWS managed KMS key, the following IAM service role is required: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": [ "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-id" ] } ] } ``` ------ If your secret is encrypted with a customer managed AWS KMS key, the following IAM service role is required: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-id" }, { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id", "Condition": { "StringEquals": { "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com" } } } ] } ``` ------ To allow Amazon Q to assume the service role, the service role needs the following trust policy: **Note** The `codewhisperer` prefix is a legacy name from a service that merged with Amazon Q Developer. For more information, see [Amazon Q Developer rename - Summary of changes](service-rename.md). ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "q.amazonaws.com" }, "Action": ["sts:AssumeRole", "sts:SetContext"], "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333", "aws:SourceArn": "arn:aws:codewhisperer:us-east-1:111122223333:profile/profile-id" } } } ] } ``` ------ For more information about service roles, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *AWS Identity and Access Management User Guide*. ## Configure the Datadog plugin You configure plugins in the Amazon Q Developer console. Amazon Q uses credentials stored in AWS Secrets Manager to enable interactions with Datadog. To configure the Datadog plugin, complete the following procedure: 1. Open the Amazon Q Developer console at [https://console.aws.amazon.com/amazonq/developer/home](https://console.aws.amazon.com/amazonq/developer/home) 1. On the Amazon Q Developer console home page, choose **Settings**. 1. In the navigation bar, choose **Plugins**. 1. On the plugins page, choose the plus sign on the **Datadog** panel. The plugin configuration page opens. 1. For **Site URL**, enter the URL of the Datadog site you use. 1. For **Configure AWS Secrets Manager**, choose either **Create a new secret** or **Use an existing secret**. The Secrets Manager secret is where your Datadog authentication credentials will be stored. If you create a new secret, enter the following information: 1. For **Datadog API key**, enter the API key for your Datadog organization. 1. For **Datadog application key**, enter the application key for your Datadog account. 1. A service role will be created that Amazon Q will use to access the secret where your Datadog credentials are stored. Do not edit the service role that is created for you. If you use an existing secret, choose a secret from the **AWS Secrets Manager secret** dropdown menu. The secret should include the Datadog authentication credentials specified in the previous step. For more information about the required credentials, see [Acquire credentials](#acquire-datadog-credentials). 1. For **Configure AWS IAM service role**, choose either **Create new service role** or **Use existing service role**. **Note** If you chose **Create a new secret** for step 6, you can’t use an existing service role. A new role will be created for you. If you create a new service role, a service role will be created that Amazon Q will use to access the secret where your Datadog credentials are stored. Do not edit the service role that is created for you. If you use an existing service role, choose a role from the dropdown menu that appears. Make sure your service role has the permissions and trust policy defined in [Service roles](#datadog-service-role). 1. Choose **Save configuration**. 1. After the Datadog plugin panel appears in the **Configured plugins** section on the Plugins page, users will have access to the plugin. If you want to update the credentials for a plugin, you must delete your current plugin and configure a new one. Deleting a plugin removes all previous specifications. Any time you configure a new plugin, a new plugin ARN is generated. ## Configure user permissions To use plugins, the following permissions are required: + Permissions to chat with Amazon Q in the console. For an example IAM policy that grants permissions needed to chat, see [Allow users to chat with Amazon QAllow users to use Amazon Q CLI with AWS CloudShell](id-based-policy-examples-users.md#id-based-policy-examples-allow-chat). + The `q:UsePlugin` permission. When you grant an IAM identity access to a configured Datadog plugin, the identity gains access to any resources in the Datadog account retrievable by the plugin. Datadog user permissions are not detected by the plugin. If you want to control access to a plugin, you can do so by specifying the plugin ARN in an IAM policy. Each time you create or delete and re-configure a plugin, it is assigned a new ARN. If you use a plugin ARN in a policy, it will need to be updated if you want to grant access to the newly configured plugin. To locate the Datadog plugin ARN, go to the **Plugins** page in the Amazon Q Developer console and choose the configured Datadog plugin. On the plugin details page, copy the plugin ARN. You can add this ARN to a policy to allow or deny access to the Datadog plugin. If you create a policy to control access to Datadog plugins, specify `Datadog` for the plugin provider in the policy. For examples of IAM policies that control plugin access, see [Allow users to chat with plugins from one provider](id-based-policy-examples-users.md#id-based-policy-examples-allow-plugin-type). ## Chat with the Datadog plugin To use the Datadog plugin, enter **@datadog** at the beginning of a question about Datadog or your AWS application monitors and cases. Follow up questions or responses to questions from Amazon Q must also include **@datadog**. Following are some example use cases and associated questions you can ask to get the most of out of the Amazon Q Datadog plugin: + **Learn about using Datadog features in your AWS workload** – Ask about how Datadog features work with certain AWS services. Amazon Q might ask you for more information about what you’re trying to do to provide the best answer. + **@datadog how do I use APM on EC2?** + **Retrieve and summarize cases and monitors** – Ask about a specific case or monitor, or specify properties to get information about monitors and cases like create date, status, or author. For more information about properties, see [Properties](https://docs.datadoghq.com/monitors/manage/status/#properties) in the Datadog documentation. + **@datadog summarize the global outage case** + **@datadog summarize my top cases** + **Check monitors that are in an alarm state** – Ask the Amazon Q Datadog plugin to find your AWS application monitors that are in alarm. You can follow up with questions about the monitors it lists. + **@datadog what monitors are in alarm?** + **@datadog what is the status for monitor ?** # Configuring the Amazon Q Developer Wiz plugin Wiz Wiz is a cloud security platform that provides security posture management, risk assessment and prioritization, and vulnerability management. If you use Wiz to evaluate and monitor your AWS applications, you can use the plugin in Amazon Q chat to access insights from Wiz without leaving the AWS Management Console. You can use the plugin to identify and retrieve Wiz issues, assess your riskiest assets, and understand vulnerabilities or exposures. After you receive a response, you can ask follow up questions, including how to remediate an issue. To configure the plugin, you provide authentication credentials from your Wiz account to enable a connection between Amazon Q and Wiz. After you configure the plugin, you can access Wiz metrics by adding **@wiz** to the beginning of your question in Amazon Q chat. **Warning** Wiz user permissions are not detected by the Wiz plugin in Amazon Q. When an administrator configures the Wiz plugin in an AWS account, users with plugin permissions in that account have access to any resources in the Wiz account retrievable by the plugin. You can configure IAM policies to restrict which plugins users have access to. For more information, see [Configure user permissions](#wiz-configure-user-permissions). ## Prerequisites ### Add permissions To configure plugins, the following administrator level permissions are required: + Permissions to access the Amazon Q Developer console. For an example IAM policy that grants needed permissions, see [Allow administrators to use the Amazon Q Developer console](id-based-policy-examples-admins.md#q-admin-setup-admin-users). + Permissions to configure plugins. For an example IAM policy that grants the needed permissions, see [Allow administrators to configure plugins](id-based-policy-examples-admins.md#id-based-policy-examples-admin-plugins). ### Acquire credentials Before you begin, note the following information from your Wiz account. These authentication credentials will be stored in an AWS Secrets Manager secret when you configure the plugin. + **API endpoint URL** – The URL where you access Wiz. For example, `https://api.us1.app.Wiz.io/graphql`. For more information, see [API endpoint URL](https://win.wiz.io/reference/prerequisites#api-endpoint-url) in the Wiz documentation. + **Client ID and Client secret** – Credentials that allow Amazon Q to call Wiz APIs to access your application. For more information, see [Client ID and Client secret](https://win.wiz.io/reference/prerequisites#client-id-and-client-secret) in the Wiz documentation. ## Secrets and service roles ### AWS Secrets Manager secret When you configure the plugin, Amazon Q creates a new AWS Secrets Manager secret for you to store Wiz authentication credentials. Alternatively, you can use an existing secret that you create yourself. If you create a secret yourself, make sure it includes the following credentials and uses the following JSON format: ``` { "ClientId": "", "ClientSecret": "" } ``` For more information about creating secrets, see [Create a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html) in the *AWS Secrets Manager User Guide*. ### Service roles To configure the Wiz plugin in Amazon Q Developer, you need to create a service role that gives Amazon Q permission to access your Secrets Manager secret. Amazon Q assumes this role to access the secret where your Wiz credentials are stored. When you configure the plugin in the AWS console, you have the option to create a new secret or use an existing one. If you create a new secret, the associated service role is created for you. If you use an existing secret and an existing service role, make sure your service role contains these permissions, and has the following trust policy attached. The service role required depends on your secret encryption method. If your secret is encrypted with an AWS managed KMS key, the following IAM service role is required: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": [ "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-id" ] } ] } ``` ------ If your secret is encrypted with a customer managed AWS KMS key, the following IAM service role is required: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-id" }, { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id", "Condition": { "StringEquals": { "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com" } } } ] } ``` ------ To allow Amazon Q to assume the service role, the service role needs the following trust policy: **Note** The `codewhisperer` prefix is a legacy name from a service that merged with Amazon Q Developer. For more information, see [Amazon Q Developer rename - Summary of changes](service-rename.md). ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "q.amazonaws.com" }, "Action": ["sts:AssumeRole", "sts:SetContext"], "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333", "aws:SourceArn": "arn:aws:codewhisperer:us-east-1:111122223333:profile/profile-id" } } } ] } ``` ------ For more information about service roles, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *AWS Identity and Access Management User Guide*. ## Configure the Wiz plugin You configure plugins in the Amazon Q Developer console. Amazon Q uses credentials stored in AWS Secrets Manager to enable interactions with Wiz. To configure the Wiz plugin, complete the following procedure: 1. Open the Amazon Q Developer console at [https://console.aws.amazon.com/amazonq/developer/home](https://console.aws.amazon.com/amazonq/developer/home) 1. On the Amazon Q Developer console home page, choose **Settings**. 1. In the navigation bar, choose **Plugins**. 1. On the plugins page, choose the plus sign on the **Wiz** panel. The plugin configuration page opens. 1. For **API endpoint URL**, enter the URL of API endpoint where you access Wiz. 1. For **Configure AWS Secrets Manager**, choose either **Create a new secret** or **Use an existing secret**. The Secrets Manager secret is where your Wiz authentication credentials will be stored. If you create a new secret, enter the following information: 1. For **Client ID**, enter the Client ID for your Wiz account. 1. For **Client Secret**, enter the Client Secret for your Wiz account. 1. A service role will be created that Amazon Q will use to access the secret where your Wiz credentials are stored. Do not edit the service role that is created for you. If you use an existing secret, choose a secret from the **AWS Secrets Manager secret** dropdown menu. The secret should include the Wiz authentication credentials specified in the previous step. For more information about the required credentials, see [Acquire credentials](#acquire-wiz-credentials). 1. For **Configure AWS IAM service role**, choose either **Create new service role** or **Use existing service role**. **Note** If you chose **Create a new secret** for step 6, you can’t use an existing service role. A new role will be created for you. If you create a new service role, a service role will be created that Amazon Q will use to access the secret where your Wiz credentials are stored. Do not edit the service role that is created for you. If you use an existing service role, choose a role from the dropdown menu that appears. Make sure your service role has the permissions and trust policy defined in [Service roles](#wiz-service-role). 1. Choose **Save configuration**. 1. After the Wiz plugin panel appears in the **Configured plugins** section on the Plugins page, users will have access to the plugin. If you want to update the credentials for a plugin, you must delete your current plugin and configure a new one. Deleting a plugin removes all previous specifications. Any time you configure a new plugin, a new plugin ARN is generated. ## Configure user permissions To use plugins, the following permissions are required: + Permissions to chat with Amazon Q in the console. For an example IAM policy that grants permissions needed to chat, see [Allow users to chat with Amazon QAllow users to use Amazon Q CLI with AWS CloudShell](id-based-policy-examples-users.md#id-based-policy-examples-allow-chat). + The `q:UsePlugin` permission. When you grant an IAM identity access to a configured Wiz plugin, the identity gains access to any resources in the Wiz account retrievable by the plugin. Wiz user permissions are not detected by the plugin. If you want to control access to a plugin, you can do so by specifying the plugin ARN in an IAM policy. Each time you create or delete and re-configure a plugin, it is assigned a new ARN. If you use a plugin ARN in a policy, it will need to be updated if you want to grant access to the newly configured plugin. To locate the Wiz plugin ARN, go to the **Plugins** page in the Amazon Q Developer console and choose the configured Wiz plugin. On the plugin details page, copy the plugin ARN. You can add this ARN to a policy to allow or deny access to the Wiz plugin. If you create a policy to control access to Wiz plugins, specify `Wiz` for the plugin provider in the policy. For examples of IAM policies that control plugin access, see [Allow users to chat with plugins from one provider](id-based-policy-examples-users.md#id-based-policy-examples-allow-plugin-type). ## Chat with the Wiz plugin To use the Amazon Q Wiz plugin, enter **@Wiz** at the beginning of a question about your Wiz issues. Follow up questions or responses to questions from Amazon Q must also include **@Wiz**. Following are some example use cases and associated questions you can ask to get the most of out of the Amazon Q Wiz plugin: + **View issues with critical severity** – Ask the Amazon Q Wiz plugin to list your issues with critical or high severity. The plugin can return up to 10 issues. You can also ask to list up to the top 10 most severe issues. + **@wiz what are my critical severity issues?** + **@wiz can you specify the top 5?** + **List issues based on date or status ** – Ask to list issues based on create date, due date, or resolved date. You can also specify issues based on properties like status, severity, and type. + **@wiz which issues are due before ?** + **@wiz what are my issues that have been resolved since ?** + **Assess issues with security vulnerabilities** – Ask about the vulnerabilities or exposures that are posing security threats in your issues. + **@wiz which issues are associated with vulnerabilities or external exposures?** # Automating AWS services with Amazon Q Developer Console-to-Code Console-to-Code ## What is Console-to-Code? Console-to-Code Console-to-Code is a feature of Amazon Q Developer that can help you write code to automate your use of other AWS services. Console-to-Code records your console actions, then uses generative AI to suggest the equivalent AWS CLI commands and code in your preferred language and format. ### Tiers of service Tiers Since Console-to-Code is a part of Amazon Q Developer, your use of it is subject to Amazon Q Developer’s tiers of service. + At the Free tier, there is no fixed monthly limit to the number of times you can record your console actions and generate CLI commands based on those actions. However, there is a limit to how many times per month you can generate code to use with the AWS CDK or AWS CloudFormation based on your recorded actions. To access the Free tier, sign into the AWS Management Console. After you reach the monthly code generations limit, you must authenticate to the Pro tier in order to generate more code. + At the Pro tier, there is no fixed monthly limit to the number of times you can generate code for the AWS CDK or CloudFormation. To access the Pro tier, you must be a user registered with IAM Identity Center, and your IAM Identity Center identity must be subscribed to Amazon Q Developer Pro. For more information, see [Authenticating to your Amazon Q Developer Pro subscription](q-on-aws.md#qdevpro-authentication) or contact your AWS administrator. For more information on pricing tiers, visit the [Amazon Q Developer pricing page](https://aws.amazon.com/q/developer/pricing/). **Note** When you record an action, you will still be charged for the action itself, if applicable. For example, if you record yourself provisioning an Amazon EC2 instance, then you will still be charged for the instance. There is no additional cost for recording the action. ### Supported code formats Supported code formats Console-to-Code can currently generate infrastructure-as-code (IaC) in the following languages and formats: + CDK Java + CDK Python + CDK TypeScript + CloudFormation JSON + CloudFormation YAML ## Where can you use Console-to-Code? Where you can use Console-to-Code ### Using Console-to-Code across multiple services Using with multiple services Console-to-Code works across multiple services, saving its own state for as long as your browser tab is open. For example, you may record your actions during a complete setup of a web server: + In the Amazon VPC console, you provision two subnets (one public and one private), security groups, NACLs, a custom routing table, and an internet gateway. + In the Amazon EC2 console, you provision an Amazon EC2 instance and place it in the public subnet. + In the Amazon RDS console, you provision an Amazon RDS DB instance and place it in the private subnet. Even if you perform your actions in different parts of the console and they use different AWS services, Console-to-Code can include them in a single recording. ### AWS services that support Console-to-Code AWS services that support Console-to-Code Currently, Console-to-Code is available to record your actions when using the AWS management console with the following services: + Amazon DynamoDB + AWS IoT + Amazon Cognito + Amazon EC2 + Amazon VPC + Amazon RDS ## Granting permissions to use Console-to-Code Granting permissions To use Console-to-Code, the following permissions are required: + `q:GenerateCodeFromCommands` to use Console-to-Code. For an example IAM policy that grants the needed permission, see [Allow users to generate code from CLI commands with Amazon Q](id-based-policy-examples-users.md#id-based-policy-examples-allow-console-to-code). + Permissions to take the actions that you're going to record. ## Using Console-to-Code Using Using Console-to-Code consists of three steps. ### Step 1: Start recording To start recording with Console-to-Code, use the following procedure. 1. Go to the console of one of the integrated services (Amazon VPC, Amazon RDS, or Amazon EC2). 1. On the right edge of the browser window, choose the Console-to-Code icon: ![\[The console-to-code icon.\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/images/c2c-icon.png) 1. In the Console-to-Code side panel, choose **Start recording**. ### Step 2: Take actions In the consoles of any of the integrated services, proceed to take any actions that you want to record. The Console-to-Code side panel retains its own state. You can move between the consoles of the integrated services, creating one recording that involves actions for multiple services. The Console-to-Code side panel will retain your actions until your Console-to-Code session ends. The session will end when you close the browser tab, or when your AWS Management Console session ends, whichever comes first. When you have finished taking actions that you want to convert to code, choose **Stop** from the top of the Console-to-Code panel. ### Step 3: Gather CLI commands and generating code You can follow either Step 3a or Step 3b. #### Step 3a: Gather CLI commands To use Console-to-Code to generate CLI commands based on your actions, use the following procedure. 1. In the Console-to-Code panel, review your recorded actions. You can filter the recorded actions using the dropdown, search box, or filter widget at the top of the Console-to-Code panel. 1. Do one of the following: + To copy an individual CLI command, choose the copy button to the left of the command. + To run an individual CLI command in AWS CloudShell, choose the CloudShell icon ![\[The console-to-code icon.\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/images/cloudshell-icon.png) to the left of the command. This opens CloudShell and populates it with the CLI command ready for you to execute. + To view or run a set of CLI commands, select the commands and choose either **Copy CLI** to copy all selected commands, or **Run CLI** to open CloudShell and populate it with all commands. To learn more about the AWS CLI, see [What is the AWS Command Line Interface?](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) in the *AWS Command Line Interface User Guide.* #### Step 3b: Generate code 1. In the Console-to-Code panel, review your recorded actions. You can filter the recorded actions using the dropdown, search box, or filter widget at the top of the Console-to-Code panel. 1. Select the actions that you want to convert into code. Only the actions with checked boxes will be used in the following steps. 1. Indicate the type of code that you want to generate. From the reverse dropdown menu at the lower right of the Console-to-Code panel, select the language and (if applicable) format of the code to be generated. 1. Choose **Generate chosen language**. The generated code will appear, along with the equivalent CLI commands. # Diagnosing common errors in the console with Amazon Q Developer Diagnosing console errors In the AWS Management Console, Amazon Q Developer diagnoses common errors you encounter while working with AWS services, such as insufficient permissions, incorrect configuration, and exceeding service limits. Amazon Q troubleshoots errors you receive while using the following services in the AWS console: + Amazon Elastic Compute Cloud (Amazon EC2) + Amazon Elastic Container Service (Amazon ECS) + Amazon Simple Storage Service (Amazon S3) + AWS Lambda + AWS Step Functions In addition, Amazon Q troubleshoots IAM permission errors across all AWS console pages and a limited number of service-specific errors for some AWS services. Amazon Q doesn't maintain a history of previous error diagnosing sessions. If you're unable to diagnose your error with Amazon Q, you can use Amazon Q to create a support case with Support. For more information, see [Using Amazon Q Developer to chat with Support](support-chat.md). If you have an issue specific to the Amazon Q error diagnosing feature, you can use the thumbs-down icon to report an issue. ## Add permissions For an IAM policy that grants permissions needed for diagnosing console errors, see [Allow users to diagnose console errors with Amazon Q](id-based-policy-examples-users.md#id-based-policy-examples-allow-error-diagnosing). ## Diagnose common errors in the console To use Amazon Q to diagnose an error in the AWS Management Console, use the following procedure. 1. If you receive an error that Amazon Q can help you with, a **Diagnose with Amazon Q** button appears in the error message. If you want to use Amazon Q to diagnose the error, choose **Diagnose with Amazon Q** to proceed. 1. A window appears where Amazon Q first provides information about the error. It then provides a series of steps you can take to resolve the error. It can take several seconds for Amazon Q to generate instructions. 1. To provide feedback, you can use the thumbs-up and thumbs-down icons. To provide detailed feedback, choose the **Tell me more** button that appears after you select an icon. # Using Amazon Q Developer to chat with Support Chatting with Support You can use Amazon Q Developer to create a support case and contact Support from anywhere in the AWS Management Console, including the AWS Support Center Console. Amazon Q uses the context of your conversation to draft a support case on your behalf automatically. It also adds your recent conversation to the support case description. After creating the case, Amazon Q can transfer you to a support agent in the method of your choice, including live chat in the same interface. When you create a support case in Amazon Q, the case is also updated in the Support Center Console. To track updates on cases created with Amazon Q, use the Support Center Console. The type of Support available to you depends on the support plan for your AWS account. All AWS users have access to account and billing support as part of the Basic Support plan. For technical support questions, only users with support plans other than the Basic Support plan can contact Support with Amazon Q. For more information about AWS Support, see [Getting started with AWS Support](https://docs.aws.amazon.com/awssupport/latest/user/getting-started.html) in the *AWS Support User Guide*. **Tip** Before you create a support ticket, try asking Amazon Q to resolve the issue. For more information, see [Asking Amazon Q to troubleshoot your resources](chat-actions-troubleshooting.md). You can also try the **Diagnose with Amazon Q** button, if it's available. For more information, see [Diagnosing console errors](diagnose-console-errors.md). ## Prerequisites To create cases in Amazon Q, you must meet the following requirements: + You have a support plan higher than the Basic Support plan. Only users with support plans other than the Basic Support plan can contact Support with Amazon Q. + You have permissions to chat with Amazon Q. For more information, see [Allow users to chat with Amazon QAllow users to use Amazon Q CLI with AWS CloudShell](id-based-policy-examples-users.md#id-based-policy-examples-allow-chat). + You have permissions to create Support cases. For more information, see [Manage access to Support Center](https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html). ## Specify the right service When you create a support case with Amazon Q, it populates the service field based on your question. If Amazon Q chooses the wrong service, update the case with the correct service. If your question has to do with multiple services, specify the service that's most applicable. To contact Support about an Amazon Q feature that is part of another AWS service, create a support case for the other AWS service, not for Amazon Q. For example, if you're using Amazon Q network troubleshooting in Amazon VPC Reachability Analyzer, choose Amazon VPC for the service in the support case. To contact Support about features in either Amazon Q Developer or Amazon Q Business, create a support case for Amazon Q. ## Create a support case To create an Support case with Amazon Q, use the following steps. 1. You can create an Support case through Amazon Q in one of two ways: 1. Ask for help directly by entering a question such as “I want to speak to someone” or “Get support”. To provide more context for Amazon Q to create the support case, you can add more information when requesting support directly. Following is an example of providing more information in a request: "I am unable to connect to my bastion instance. I have tried restarting it and generating new key pairs but still nothing works. This started this morning after a planned deployment. I can confirm that no other network related changes were made. Can I talk to someone?" 1. If an Amazon Q response didn’t help you, choose the thumbs-down icon on the response and then choose a reason that you're providing the feedback. To contact Support, choose **Create a support case**. The following image shows the **Create a support case** button in the Amazon Q chat panel that appears after you leave feedback. ![\[The Create a support case button in the Amazon Q chat panel.\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/images/support-feedback.png) 1. A support case appears in the chat panel. If you had a conversation with Amazon Q before requesting support, it will use the context of your conversation to autopopulate the fields in the case. To update any field in the support case, choose **Edit**. You can also attach files that help explain your issue. If you didn't chat with Amazon Q before requesting support or Amazon Q otherwise can’t complete the fields in the support case, you can input your support case information into the case manually. The following image is an example of a filled-out support case in the Amazon Q chat panel. ![\[A filled-out support case in an Amazon Q chat panel.\]](http://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/images/support-edit.png) 1. After confirming that the support case describes your needs, choose **Submit** to create the support case. If you no longer want to create the case, choose **Cancel**. 1. To contact Support, choose the method that you want to use. Depending on your case details, you can chat, email, or request a phone call from a live support agent: 1. **Chat** – If you choose to chat with an agent, a live support agent will enter the conversation. To end the chat with the support agent, choose **End this chat** at any time during the chat. If you refresh your page, navigate to a different console, or get signed out of the console because of session expiration, the conversation will end. If you minimize the chat panel or leave the page, you might miss notifications and be disconnected because of inactivity. We recommend that you keep the chat panel open throughout the duration of your support chat. 1. **Email** – If you choose to send an email message to an agent, a support agent will contact you at the email address that's associated with your AWS account. 1. **Call** – If you choose to call an agent, enter your phone number when prompted, and choose **Submit**. You will be added to the call queue. 1. You can leave feedback or choose **Skip** to return to the Amazon Q chat panel. ## Leave feedback After the support chat has ended, you can optionally leave feedback. Rate your experience, enter any additional feedback, and then choose **Submit feedback**.