Logging users' prompts in Amazon Q Developer
Administrators can enable the logging of all inline suggestions and chat conversations that users have with Amazon Q in their integrated development environment (IDE). These logs can help with auditing, debugging, analytics, and ensuring compliance.
When developers use inline suggestions, Amazon Q will log the accepted and actively rejected suggestions.
When developers chat with Amazon Q, Amazon Q will log both the developers' prompts and Amazon Q's responses. When
developers chat with the Amazon Q Agent for software development
using the /dev command, only the prompts will be logged.
Amazon Q stores the logs in an Amazon S3 bucket that you create, at the following path:
bucketName/prefix/AWSLogs/accountId/QDeveloperLogs/log-type/region/year/month/day/utc-hour/zipFile.gz/logFile.json
At the previous path, log-type
-
GenerateAssistantResponse— holds chat logs -
GenerateCompletions— holds inline completion logs -
StartTaskAssistCodeGeneration— holds/devlogs
For examples and explanations of log file contents, see Prompt log examples in Amazon Q Developer.
There is no charge for the prompt logging feature other than the storage cost of the Amazon S3 bucket used to hold the logs, and a small fee for the optional KMS key used to encrypt the bucket.
Use the following instructions to enable prompt logging.
Prerequisite
Create an Amazon S3 bucket to hold the prompt logs. The bucket must:
-
Be in the AWS Region where the Amazon Q Developer profile was installed. This profile was installed when you subscribed users to Amazon Q Developer Pro for the first time. For more information about this profile and the Regions where it's supported, see Amazon Q Developer profile, and Supported Regions for the Q Developer console and Q Developer profile.
-
Be in the AWS account where users are subscribed. If users are subscribed in multiple AWS accounts, then you must create a bucket in each account. Cross-account buckets are not supported.
-
Have a bucket policy like the one that follows. Replace
bucketName,region,accountId, andprefixwith your own information.{ "Version": "2012-10-17", "Statement": [ { "Sid": "QDeveloperLogsWrite", "Effect": "Allow", "Principal": { "Service": "q.amazonaws.com" }, "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::bucketName/prefix/*" ], "Condition": { "StringEquals": { "aws:SourceAccount": "accountId" }, "ArnLike": { "aws:SourceArn": "arn:aws:codewhisperer:region:accountId:*" } } } ] }If you're configuring SSE-KMS on the bucket, add the following policy on the KMS key:
{ "Effect": "Allow", "Principal": { "Service": "q.amazonaws.com" }, "Action": "kms:GenerateDataKey", "Resource": "*", "Condition": { "StringEquals": { "aws:SourceAccount": "accountId" }, "ArnLike": { "aws:SourceArn": "arn:aws:codewhisperer:region:accountId:*" } } }To learn about protecting the data in your Amazon S3 bucket, see Protecting data with encryption in the Amazon Simple Storage Service User Guide.
To enable prompt logging
-
Open the Amazon Q Developer console.
To use the Amazon Q Developer console, you must have the permissions defined in Allow administrators to use the Amazon Q Developer console.
Note
You must sign in as a standalone account administrator, or management account administrator. Member account administrators cannot enable prompt logging.
-
Choose Settings.
-
Under Preferences, choose Edit.
-
In the Edit preferences window, toggle Q Developer prompt logging.
-
Under Amazon S3 location, enter the Amazon S3 URI that you will use to receive the logs. Example:
s3://amzn-s3-demo-bucket/qdev-prompt-logs/
