DevOps Agent IAM permissions
AWS DevOps Agent uses service-specific IAM actions to control access to its features and capabilities. These actions determine what users can do within the AWS DevOps Agent console and Operator Web App. This is separate from the AWS service API permissions that the agent itself uses to investigate your resources. See Limiting Agent Access in an AWS Account to learn more about managing the services and resources the agent itself has access to.
Agent Space management actions
These actions control access to Agent Space configuration and management:
aidevops:GetAgentSpace – Allows users to view details about an Agent Space, including its configuration, status, and associated accounts. Users need this permission to access an Agent Space in the AWS Management Console.
aidevops:GetAssociation – Allows users to view details about a specific account association, including the IAM role configuration and connection status.
aidevops:ListAssociations – Allows users to list all AWS account associations configured for an Agent Space, including both primary and secondary accounts.
Investigation and execution actions
These actions control access to incident investigation features:
aidevops:SendChatMessage – Allows users to ask questions about investigation or mitigation activities and provide instructions.
aidevops:ListExecutions – Allows users to view execution metadata—including ID, status, and more—for investigations, mitigations, evaluations, and chat conversations associated with a task.
aidevops:ListJournalRecords – Allows users to access detailed logs that show the agent's reasoning steps, actions taken, and data sources consulted during investigations, mitigations, evaluations, and chat conversations. This is useful for understanding how the agent reached its conclusions.
Topology and discovery actions
These actions control access to application resource mapping features:
aidevops:DiscoverTopology – Allows users to trigger topology discovery and mapping for an Agent Space. This action initiates the process of scanning AWS accounts and building the application resource topology.
Prevention and recommendation actions
These actions control access to the Prevention feature:
aidevops:ListGoals – Allows users to view prevention goals and objectives that the agent is working toward based on recent incident patterns.
aidevops:ListRecommendations – Allows users to view all recommendations generated by the Prevention feature, including their priority and category.
aidevops:GetRecommendation – Allows users to view detailed information about a specific recommendation, including the incidents it would have prevented and implementation guidance.
Backlog task management actions
These actions control the ability to manage recommendations as backlog tasks:
aidevops:CreateBacklogTask – Allows users to create an incident investigation or prevention evaluation task.
aidevops:UpdateBacklogTask – Allows users to approve a mitigation plan or cancel an active investigation or evaluation.
aidevops:GetBacklogTask – Allows users to retrieve details about a specific task.
aidevops:ListBacklogTasks – Allows users to list tasks for an Agent Space, filtered by task type, status, priority, or creation time.
Knowledge management actions
These actions control the ability to add and manage custom knowledge that the agent can use during investigations:
aidevops:CreateKnowledgeItem – Allows users to add custom knowledge items, such as runbooks, troubleshooting guides, or application-specific information that the agent should reference.
aidevops:ListKnowledgeItems – Allows users to view all knowledge items configured for an Agent Space.
aidevops:GetKnowledgeItem – Allows users to retrieve the details of a specific knowledge item.
aidevops:UpdateKnowledgeItem – Allows users to modify existing knowledge items to keep information current.
aidevops:DeleteKnowledgeItem – Allows users to remove knowledge items that are no longer relevant.
AWS Support integration actions
These actions control integration with AWS Support cases:
aidevops:InitiateChatForCase – Allows users to start a chat session with AWS Support directly from an investigation, automatically providing context about the incident.
aidevops:EndChatForCase – Allows users to end an active AWS Support case chat session.
aidevops:DescribeSupportLevel – Allows users to check the AWS Support plan level for the account to determine available support options.
Usage and monitoring actions
These actions control access to usage information:
aidevops:GetAccountUsage – Allows users to view the AWS DevOps Agent monthly quota for investigation hours, prevention evaluation hours, and chat requests, as well as the current month's usage.
Common IAM policy examples
Administrator policy
This policy grants full access to all AWS DevOps Agent features:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "aidevops:*",
      "Resource": "*"
    }
  ]
}
Operator policy
This policy grants access to investigation and prevention features without administrative capabilities:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aidevops:GetAgentSpace",
        "aidevops:InvokeAgent",
        "aidevops:ListExecutions",
        "aidevops:ListJournalRecords",
        "aidevops:ListAssociations",
        "aidevops:GetAssociation",
        "aidevops:DiscoverTopology",
        "aidevops:ListRecommendations",
        "aidevops:GetRecommendation",
        "aidevops:CreateBacklogTask",
        "aidevops:UpdateBacklogTask",
        "aidevops:GetBacklogTask",
        "aidevops:ListBacklogTasks",
        "aidevops:ListKnowledgeItems",
        "aidevops:GetKnowledgeItem",
        "aidevops:InitiateChatForCase",
        "aidevops:EndChatForCase",
        "aidevops:SendChatMessage",
        "aidevops:ListGoals",
        "aidevops:CreateKnowledgeItem",
        "aidevops:UpdateKnowledgeItem",
        "aidevops:DescribeSupportLevel",
        "aidevops:ListPendingMessages"
      ],
      "Resource": "*"
    }
  ]
}
Read-only policy
This policy grants view-only access to investigations and recommendations:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aidevops:GetAgentSpace",
        "aidevops:ListAssociations",
        "aidevops:GetAssociation",
        "aidevops:ListExecutions",
        "aidevops:ListJournalRecords",
        "aidevops:ListRecommendations",
        "aidevops:GetRecommendation",
        "aidevops:ListBacklogTasks",
        "aidevops:GetBacklogTask",
        "aidevops:ListKnowledgeItems",
        "aidevops:GetKnowledgeItem",
        "aidevops:GetAccountUsage"
      ],
      "Resource": "*"
    }
  ]
}
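A small lint check for policies like the three above, added here as an example (not AWS code or part of this page): it validates every aidevops: action in a policy against the list documented above, suggests the closest documented name for a misspelled action, flags wildcards, and, for a policy meant to be read-only, reports any state-changing action. It assumes the documented list above is the complete set; actions the operator policy grants without describing (InvokeAgent, ListPendingMessages) are reported as unknown for manual review.

```python
import difflib

# Actions documented on this page, split by whether they change state. Assumption:
# this is only the page's documented set, so undescribed actions (e.g. InvokeAgent)
# are reported as unknown rather than silently accepted.
READ_ACTIONS = {
    "aidevops:GetAgentSpace", "aidevops:GetAssociation", "aidevops:ListAssociations",
    "aidevops:ListExecutions", "aidevops:ListJournalRecords", "aidevops:ListGoals",
    "aidevops:ListRecommendations", "aidevops:GetRecommendation",
    "aidevops:GetBacklogTask", "aidevops:ListBacklogTasks",
    "aidevops:ListKnowledgeItems", "aidevops:GetKnowledgeItem",
    "aidevops:DescribeSupportLevel", "aidevops:GetAccountUsage",
}
WRITE_ACTIONS = {
    "aidevops:SendChatMessage", "aidevops:DiscoverTopology",
    "aidevops:CreateBacklogTask", "aidevops:UpdateBacklogTask",
    "aidevops:CreateKnowledgeItem", "aidevops:UpdateKnowledgeItem",
    "aidevops:DeleteKnowledgeItem", "aidevops:InitiateChatForCase",
    "aidevops:EndChatForCase",
}
KNOWN = READ_ACTIONS | WRITE_ACTIONS

def policy_actions(policy):
    """Collect the actions of every Allow statement (Action may be a string or a list)."""
    stmts = policy.get("Statement", [])
    actions = []
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return actions

def lint_policy(policy, read_only=False):
    """Return findings: wildcards, undocumented/misspelled actions, write actions in a read-only policy."""
    findings = []
    for action in policy_actions(policy):
        if "*" in action:
            findings.append(f"wildcard {action!r} grants every current and future aidevops action")
        elif action not in KNOWN:
            hint = difflib.get_close_matches(action, KNOWN, n=1, cutoff=0.8)
            hint_text = f" (did you mean {hint[0]!r}?)" if hint else " (not in the documented list)"
            findings.append(f"unknown action {action!r}" + hint_text)
        elif read_only and action in WRITE_ACTIONS:
            findings.append(f"read-only policy grants state-changing action {action!r}")
    return findings

# Constructed sample: a "read-only" policy with one typo and one mutating action slipped in.
SAMPLE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["aidevops:GetAgentSpace", "aidevops:CreteKnowledgeItem", "aidevops:UpdateBacklogTask"]}]}
SAMPLE_FINDINGS = lint_policy(SAMPLE, read_only=True)  # typo hint, then UpdateBacklogTask
```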