Deployment options for Amazon Q Developer Pro if you're using AWS Organizations

Subscribe users to Amazon Q Developer Pro across accounts

Note

This page is intended for enterprise administrators who are using AWS Organizations and who want to deploy Amazon Q Developer Pro to their user base. If you're an individual who wants to use Amazon Q Developer Pro for personal use, or if you're an enterprise administrator who does not want to use AWS Organizations, see instead Subscribe users in a standalone account for end-to-end instructions on subscribing to Amazon Q Developer Pro.

When using AWS Organizations, you'll have a mix of management and member accounts. To subscribe users, you'll need to make three key decisions across these accounts:

Decision 1: Where to enable AWS IAM Identity Center – IAM Identity Center is the service that you use to manage user identities. You can enable IAM Identity Center in a management or member account. For more information about IAM Identity Center, see What is IAM Identity Center? in the IAM Identity Center User Guide.
Decision 2: Where to install the Amazon Q Developer profile – The profile is a collection of Pro tier settings. You can install the profile in a management or member account. For more information about the profile, see Amazon Q Developer profiles.
Decision 3: Where to subscribe users – After you add users to IAM Identity Center, you must subscribe them. You can subscribe users in a management or member account. For more information about subscriptions, see Managing Amazon Q Developer Pro subscriptions.

Your specific combination of these three decisions constitutes your deployment option.

Deployment options are described in the following table.

Deployment options for Amazon Q Developer Pro if you're using AWS Organizations

Deployment option	Description	Advantages	Disadvantages
Deployment option 1: Deploy in management and member accounts	With this deployment option: In the management account, you enable IAM Identity Center. In the management account, you install the Amazon Q Developer profile and then share it with member accounts. In a member account, you subscribe users.	More features. Because IAM Identity Center is installed in a management account, it is considered to be an organization instance. Organization instances support all features of IAM Identity Center. For a list of supported features, see When to use an organization instance in the AWS IAM Identity Center User Guide. Distributed management. Subscription management tasks are distributed across member accounts, which is a best practice.	Complexity. Requires coordination across accounts by multiple administrators.
Deployment option 2: Deploy in a member account only	With this deployment option, you enable IAM Identity Center, install the Amazon Q Developer profile, and subscribe users in a member account.	Quick setup. Individual member account administrators can deploy without waiting or needing approval for an enterprise-wide implementation. Flexibility for complex organizations. Use this option when you don't have a unified identity provider or identity store containing the entire user base that you want to subscribe to Amazon Q Developer Pro.	Fewer features. Because IAM Identity Center is enabled in a member account, it is considered to be an account instance. Account instances support fewer features than organization instances. For example, account instance don't support permission sets, which means that users cannot use their Amazon Q Developer Pro subscriptions in the AWS console and AWS websites. For a list of the limitations of account instances, see Account instance considerations in the AWS IAM Identity Center User Guide.
Deployment option 3: Deploy in a management account only Warning Only use this option if options 1 and 2 are not available to you.	With this deployment option, you enable IAM Identity Center, install the Amazon Q Developer profile, and subscribe users in the management account.	More features. Because IAM Identity Center is enabled in a management account, it is considered to be an organization instance. Organization instances support all features of IAM Identity Center. For a list of supported features, see When to use an organization instance in the AWS IAM Identity Center User Guide.	Does not comply with best practices. Because users are subscribed in the management account, and because of a limitation in Amazon Q Developer where delegated administration is not supported, management account administrators must handle subscription management tasks. You cannot follow the recommended practice of delegating tasks to member accounts.

Deployment option

Description

Advantages

Disadvantages

Deployment option 1: Deploy in management and member accounts

With this deployment option:

In the management account, you enable IAM Identity Center.
In the management account, you install the Amazon Q Developer profile and then share it with member accounts.
In a member account, you subscribe users.

More features. Because IAM Identity Center is installed in a management account, it is considered to be an organization instance. Organization instances support all features of IAM Identity Center. For a list of supported features, see When to use an organization instance in the AWS IAM Identity Center User Guide.

Distributed management. Subscription management tasks are distributed across member accounts, which is a best practice.

Complexity. Requires coordination across accounts by multiple administrators.

Deployment option 2: Deploy in a member account only

With this deployment option, you enable IAM Identity Center, install the Amazon Q Developer profile, and subscribe users in a member account.

Quick setup. Individual member account administrators can deploy without waiting or needing approval for an enterprise-wide implementation.

Flexibility for complex organizations. Use this option when you don't have a unified identity provider or identity store containing the entire user base that you want to subscribe to Amazon Q Developer Pro.

Fewer features. Because IAM Identity Center is enabled in a member account, it is considered to be an account instance. Account instances support fewer features than organization instances. For example, account instance don't support permission sets, which means that users cannot use their Amazon Q Developer Pro subscriptions in the AWS console and AWS websites. For a list of the limitations of account instances, see Account instance considerations in the AWS IAM Identity Center User Guide.

Deployment option 3: Deploy in a management account only

Warning

Only use this option if options 1 and 2 are not available to you.

With this deployment option, you enable IAM Identity Center, install the Amazon Q Developer profile, and subscribe users in the management account.

More features. Because IAM Identity Center is enabled in a management account, it is considered to be an organization instance. Organization instances support all features of IAM Identity Center. For a list of supported features, see When to use an organization instance in the AWS IAM Identity Center User Guide.

Does not comply with best practices. Because users are subscribed in the management account, and because of a limitation in Amazon Q Developer where delegated administration is not supported, management account administrators must handle subscription management tasks. You cannot follow the recommended practice of delegating tasks to member accounts.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

In a member account

Across Regions