IAM role for an Amazon Q Business application - Amazon Q Business

Amazon Q Business will no longer be open to new customers starting on July 31, 2026. If you would like to use the service, please sign up prior to July 30. For capabilities similar to Q Business, explore Amazon Quick. Learn more.

IAM role for an Amazon Q Business application

When you create an Amazon Q Business application, you must provide Amazon Q with an IAM role with permissions to write to an Amazon CloudWatch log and assign user subscriptions to applications. You must also provide a trust policy that allows Amazon Q to assume the role. The following are the policies that must be provided.

To allow Amazon Q to access a CloudWatch log and assign user subscriptions, use the following role policy:

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonQApplicationPutMetricDataPermission",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "AWS/QBusiness"
        }
      }
    },
    {
      "Sid": "AmazonQApplicationDescribeLogGroupsPermission",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonQApplicationCreateLogGroupPermission",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:111122223333:log-group:/aws/qbusiness/*"
      ]
    },
    {
      "Sid": "AmazonQApplicationLogStreamPermission",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogStreams",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:111122223333:log-group:/aws/qbusiness/*:log-stream:*"
      ]
    }
  ]
}

To allow Amazon Q to assume a role, use the following trust policy:

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonQApplicationPermission",
      "Effect": "Allow",
      "Principal": {
        "Service": "qbusiness.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:qbusiness:us-east-1:111122223333:application/*"
        }
      }
    }
  ]
}

Amazon Q also supports using a service-linked role (AWSServiceRoleForQBusiness) for an Amazon Q application. The following is the service-linked role policy:

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QBusinessPutMetricDataPermission",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "AWS/QBusiness"
        }
      }
    },
    {
      "Sid": "QBusinessCreateLogGroupPermission",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/qbusiness/*"
      ]
    },
    {
      "Sid": "QBusinessDescribeLogGroupsPermission",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "QBusinessLogStreamPermission",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogStreams",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/qbusiness/*:log-stream:*"
      ]
    }
  ]
}
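The three policies above share two properties worth verifying before the role goes into an account: the trust policy should admit only `qbusiness.amazonaws.com`, and only when `aws:SourceAccount` and `aws:SourceArn` pin the caller to your own Q Business applications (the confused-deputy guard), and the permissions policy should grant log actions only on `/aws/qbusiness/` log groups with `cloudwatch:PutMetricData` limited to the `AWS/QBusiness` namespace. The following script is an added example, not AWS-provided code: it builds the customer-managed role policy and trust policy from this page for a given account and region, and audits any policy document (including the service-linked role policy, whose `*` region and account segments it accepts) for those properties. The account id `111122223333` and region `us-east-1` are the page's placeholders, and the `build_*` and `audit_*` function names are this example's own.

```python
"""Audit the IAM role and trust policy for an Amazon Q Business application.

Added example, not code from the AWS documentation. It builds the two policies
shown on this page for a given account and region, then checks the properties a
security reviewer wants to hold before the role is created:

  * trust policy: only qbusiness.amazonaws.com may call sts:AssumeRole, and only
    when aws:SourceAccount and aws:SourceArn pin the caller to this account's
    Q Business applications (confused-deputy protection);
  * permissions policy: log actions are scoped to /aws/qbusiness/ log groups and
    cloudwatch:PutMetricData is limited to the AWS/QBusiness namespace.

Account id 111122223333 and region us-east-1 are the page's placeholder values.
The audit covers only the actions shown on the page; any other action is
reported for manual review rather than silently accepted.
"""
import json
import re
from typing import Any

QBUSINESS_SERVICE = "qbusiness.amazonaws.com"
LOG_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream",
               "logs:PutLogEvents", "logs:DescribeLogStreams"}
# Any region/account segment (including "*", as in the service-linked role
# policy), but only log groups under /aws/qbusiness/.
QBUSINESS_LOG_GROUP = re.compile(r"^arn:aws:logs:[^:]*:[^:]*:log-group:/aws/qbusiness/")


def _as_list(value: Any) -> list:
    """IAM accepts a scalar wherever it accepts a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def build_trust_policy(account_id: str, region: str) -> dict:
    """Trust policy from the page with the placeholders substituted."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AmazonQApplicationPermission",
        "Effect": "Allow",
        "Principal": {"Service": QBUSINESS_SERVICE},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": account_id},
            "ArnLike": {"aws:SourceArn":
                        f"arn:aws:qbusiness:{region}:{account_id}:application/*"},
        },
    }]}


def build_role_policy(account_id: str, region: str) -> dict:
    """Permissions policy from the page with the placeholders substituted."""
    log_group = f"arn:aws:logs:{region}:{account_id}:log-group:/aws/qbusiness/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AmazonQApplicationPutMetricDataPermission", "Effect": "Allow",
         "Action": ["cloudwatch:PutMetricData"], "Resource": "*",
         "Condition": {"StringEquals": {"cloudwatch:namespace": "AWS/QBusiness"}}},
        {"Sid": "AmazonQApplicationDescribeLogGroupsPermission", "Effect": "Allow",
         "Action": ["logs:DescribeLogGroups"], "Resource": "*"},
        {"Sid": "AmazonQApplicationCreateLogGroupPermission", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup"], "Resource": [log_group]},
        {"Sid": "AmazonQApplicationLogStreamPermission", "Effect": "Allow",
         "Action": ["logs:DescribeLogStreams", "logs:CreateLogStream",
                    "logs:PutLogEvents"],
         "Resource": [f"{log_group}:log-stream:*"]},
    ]}


def audit_trust_policy(policy: dict, account_id: str) -> list[str]:
    """Return findings (empty list means OK) about who may assume the role."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            services = _as_list(principal.get("Service", []))
            extra = sorted(set(principal) - {"Service"})
            if extra:  # e.g. an "AWS" principal: a user or role, not the service
                findings.append(f"{sid}: non-service principal keys {extra}")
        else:
            services = [principal]  # a bare "*" principal
        if "*" in services:
            findings.append(f"{sid}: wildcard principal may assume the role")
        else:
            findings.extend(f"{sid}: unexpected service principal {s}"
                            for s in services if s != QBUSINESS_SERVICE)
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account_id:
            findings.append(f"{sid}: aws:SourceAccount is not pinned to {account_id}")
        arns = _as_list(cond.get("ArnLike", {}).get("aws:SourceArn")
                        or cond.get("ArnEquals", {}).get("aws:SourceArn") or [])
        if not arns or not all(str(a).startswith("arn:aws:qbusiness:") for a in arns):
            findings.append(f"{sid}: aws:SourceArn does not limit callers to Q Business applications")
    return findings


def audit_role_policy(policy: dict) -> list[str]:
    """Return findings (empty list means OK) about what the role may do."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = [str(r) for r in _as_list(stmt.get("Resource", []))]
        namespace = stmt.get("Condition", {}).get("StringEquals", {}).get("cloudwatch:namespace")
        for action in _as_list(stmt.get("Action", [])):
            if action == "cloudwatch:PutMetricData":
                if namespace != "AWS/QBusiness":
                    findings.append(f"{sid}: PutMetricData is not limited to the AWS/QBusiness namespace")
            elif action in LOG_ACTIONS:
                findings.extend(f"{sid}: {action} allowed on {r}, expected /aws/qbusiness/ log groups only"
                                for r in resources if not QBUSINESS_LOG_GROUP.match(r))
            elif action == "logs:DescribeLogGroups":
                pass  # this action only supports Resource "*"
            else:
                findings.append(f"{sid}: action {action} is not in the documented policy; review it")
    return findings


if __name__ == "__main__":
    account, region = "111122223333", "us-east-1"
    trust, perms = build_trust_policy(account, region), build_role_policy(account, region)
    print(json.dumps(trust, indent=2))
    print("trust findings:", audit_trust_policy(trust, account))
    print("permissions findings:", audit_role_policy(perms))
```

Run it as-is to print the trust policy and an empty findings list for both documents; to audit a policy you already have, load it with `json.load` and pass it to the matching `audit_*` function. Dropping the `Condition` block from the trust policy, or widening a log statement's `Resource` to `"*"`, produces one finding per lost guard, which is the signal to look for in a policy review.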

For more information on using service-linked roles for an Amazon Q application, see Using service-linked roles.