管理员权限 - Amazon Q 开发者版
支持管理员使用 Amazon Q 控制台支持管理员使用 Amazon Q 开发者版控制台允许管理员创建自定义项支持管理员配置插件支持管理员配置一个提供商提供的插件支持迁移多个网络或多个子网

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

管理员权限

以下策略支持 Amazon Q 开发者版管理员在 Amazon Q 订阅管理控制台和 Amazon Q 开发者版控制台中执行管理任务。

有关允许使用 Amazon Q 开发者版功能的策略,请参阅 用户权限

支持管理员使用 Amazon Q 控制台

以下示例策略授予用户在 Amazon Q 控制台中执行操作的权限。您可以在 Amazon Q 控制台中配置 Amazon Q 与 AWS IAM Identity Center 和的集成 AWS Organizations。与 Amazon Q 开发者版相关的大多数其它任务必须在 Amazon Q 开发者版控制台中完成。有关更多信息,请参阅 支持管理员使用 Amazon Q 开发者版控制台

注意

codewhisperer 前缀是与 Amazon Q Developer 合并前的服务的旧名称。有关更多信息,请参阅 Amazon Q 开发者版重命名:变更摘要

JSON
{
   "Version":"2012-10-17",		 	 	 
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "organizations:ListAWSServiceAccessForOrganization",
            "organizations:DisableAWSServiceAccess",
            "organizations:EnableAWSServiceAccess",
            "organizations:DescribeOrganization"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "sso:ListApplications",
            "sso:ListInstances",
            "sso:DescribeRegisteredRegions",
            "sso:GetSharedSsoConfiguration",
            "sso:DescribeInstance",
            "sso:CreateInstance",
            "sso:CreateApplication",
            "sso:PutApplicationAuthenticationMethod",
            "sso:PutApplicationAssignmentConfiguration",
            "sso:PutApplicationGrant",
            "sso:PutApplicationAccessScope",
            "sso:DescribeApplication",
            "sso:DeleteApplication",
            "sso:GetSSOStatus",
            "sso:CreateApplicationAssignment",
            "sso:DeleteApplicationAssignment",
            "sso:UpdateApplication"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "sso-directory:DescribeUsers",
            "sso-directory:DescribeGroups",
            "sso-directory:SearchGroups",
            "sso-directory:SearchUsers",
            "sso-directory:DescribeGroup",
            "sso-directory:DescribeUser",
            "sso-directory:DescribeDirectory"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "signin:ListTrustedIdentityPropagationApplicationsForConsole",
            "signin:CreateTrustedIdentityPropagationApplicationForConsole"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "codewhisperer:ListProfiles",
            "codewhisperer:CreateProfile",
            "codewhisperer:DeleteProfile"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "user-subscriptions:ListClaims",
            "user-subscriptions:ListUserSubscriptions",
            "user-subscriptions:CreateClaim",
            "user-subscriptions:DeleteClaim",
            "user-subscriptions:UpdateClaim"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "q:CreateAssignment",
            "q:DeleteAssignment"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "iam:CreateServiceLinkedRole"
         ],
         "Resource":[
            "arn:aws:iam::*:role/aws-service-role/user-subscriptions.amazonaws.com/AWSServiceRoleForUserSubscriptions"
         ]
      }
   ]
}

支持管理员使用 Amazon Q 开发者版控制台

以下示例策略授予用户访问 Amazon Q 开发者版控制台的权限。在 Amazon Q 开发者版控制台中,管理员执行大多数与 Amazon Q 开发者版相关的配置任务,包括与订阅、代码引用、自定义项和聊天插件相关的任务。此策略还包括创建和配置客户自主管理型 KMS 密钥的权限。

管理员必须通过 Amazon Q 控制台(而不是 Amazon Q 开发者版控制台)完成一些 Amazon Q 开发者版专业套餐任务。有关更多信息,请参阅 支持管理员使用 Amazon Q 控制台

注意

要创建自定义项或插件,Amazon Q 开发者版专业套餐管理员将需要额外的权限。

您需要具有两项策略之一才能使用 Amazon Q 开发者版控制台。您需要的策略取决于您是首次设置 Amazon Q Developer 还是配置旧版亚马逊 CodeWhisperer 个人资料。

注意

codewhisperer 前缀是与 Amazon Q Developer 合并前的服务的旧名称。有关更多信息,请参阅Amazon Q 开发者版重命名:变更摘要

对于 Amazon Q 开发者版的新管理员,请使用以下策略:

{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:ListInstances",
        "sso:CreateInstance",
        "sso:CreateApplication",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationGrant",
        "sso:PutApplicationAssignmentConfiguration",
        "sso:ListApplications",
        "sso:GetSharedSsoConfiguration",
        "sso:DescribeInstance",
        "sso:PutApplicationAccessScope",
        "sso:DescribeApplication",
        "sso:DeleteApplication",
        "sso:CreateApplicationAssignment",
        "sso:DeleteApplicationAssignment",
        "sso:UpdateApplication",
        "sso:DescribeRegisteredRegions",
        "sso:GetSSOStatus"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "identitystore:DescribeUser"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:GetUserPoolInfo",
        "sso-directory:DescribeUsers",
        "sso-directory:DescribeGroups",
        "sso-directory:SearchGroups",
        "sso-directory:SearchUsers",
        "sso-directory:DescribeDirectory"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "signin:ListTrustedIdentityPropagationApplicationsForConsole",
        "signin:CreateTrustedIdentityPropagationApplicationForConsole"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "user-subscriptions:ListClaims",
        "user-subscriptions:ListApplicationClaims",
        "user-subscriptions:ListUserSubscriptions",
        "user-subscriptions:CreateClaim",
        "user-subscriptions:DeleteClaim",
        "user-subscriptions:UpdateClaim"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DisableAWSServiceAccess",
        "organizations:EnableAWSServiceAccess"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases",
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:RetireGrant",
        "kms:DescribeKey"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codeguru-security:UpdateAccountConfiguration"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:UpdateProfile",
        "codewhisperer:ListProfiles",
        "codewhisperer:TagResource",
        "codewhisperer:UnTagResource",
        "codewhisperer:ListTagsForResource",
        "codewhisperer:CreateProfile"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "q:ListDashboardMetrics", 
        "q:CreateAssignment", 
        "q:DeleteAssignment"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData", 
        "cloudwatch:ListMetrics"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
显示更多显示更少

对于旧版 Amazon CodeWhisperer 个人资料,以下策略将允许 IAM 委托人管理 CodeWhisperer 应用程序。

{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:SearchUsers",
        "sso-directory:SearchGroups",
        "sso-directory:GetUserPoolInfo",
        "sso-directory:DescribeDirectory",
        "sso-directory:ListMembersInGroup"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "pricing:GetProducts"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso:AssociateProfile",
        "sso:DisassociateProfile",
        "sso:GetProfile",
        "sso:ListProfiles",
        "sso:ListApplicationInstances",
        "sso:GetApplicationInstance",
        "sso:CreateManagedApplicationInstance",
        "sso:GetManagedApplicationInstance",
        "sso:ListProfileAssociations",
        "sso:GetSharedSsoConfiguration",
        "sso:ListDirectoryAssociations",
        "sso:DescribeRegisteredRegions",
        "sso:GetSsoConfiguration",
        "sso:GetSSOStatus"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "identitystore:ListUsers",
        "identitystore:ListGroups"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases",
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:RetireGrant",
        "kms:DescribeKey"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codeguru-security:UpdateAccountConfiguration"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:UpdateProfile",
        "codewhisperer:ListProfiles",
        "codewhisperer:TagResource",
        "codewhisperer:UnTagResource",
        "codewhisperer:ListTagsForResource",
        "codewhisperer:CreateProfile"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "q:ListDashboardMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
显示更多显示更少

允许管理员创建自定义项

以下策略授予管理员在 Amazon Q 开发者版中创建和管理自定义项的权限。

要在 Amazon Q 开发者版控制台中配置自定义项,Amazon Q 开发者版管理员将需要具有访问 Amazon Q 开发者版控制台的权限。有关更多信息,请参阅 支持管理员使用 Amazon Q 开发者版控制台

注意

在以下策略中,IAM 服务将报告有关 codeconnections:ListOwnerscodeconnections:ListRepositories 权限的错误。无论如何,都要使用这些权限创建策略。权限是必需的,该策略尽管有错误,但仍将有效。

注意

codewhisperer 前缀是与 Amazon Q Developer 合并前的服务的旧名称。有关更多信息,请参阅 Amazon Q 开发者版重命名:变更摘要

在以下示例中,account number用您的 AWS 账号替换。

JSON
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso-directory:DescribeUsers"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codewhisperer:CreateCustomization",
                "codewhisperer:DeleteCustomization",
                "codewhisperer:ListCustomizations",
                "codewhisperer:ListCustomizationVersions",
                "codewhisperer:UpdateCustomization",
                "codewhisperer:GetCustomization",
                "codewhisperer:ListCustomizationPermissions",
                "codewhisperer:AssociateCustomizationPermission",
                "codewhisperer:DisassociateCustomizationPermission"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codeconnections:ListOwners",
                "codeconnections:ListRepositories",
                "codeconnections:ListConnections",
                "codeconnections:GetConnection"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "codeconnections:UseConnection",
            "Resource": [
                "*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "codeconnections:ProviderAction": [
                        "GitPull",
                        "ListRepositories",
                        "ListOwners"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:ListBucket*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

支持管理员配置插件

以下示例策略授予管理员在 Amazon Q 开发者版控制台中查看和配置第三方插件的权限。

注意

要访问 Amazon Q 开发者版控制台,管理员还需要在支持管理员使用 Amazon Q 开发者版控制台中定义的权限。

JSON
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:CreatePlugin",
        "q:GetPlugin",
        "q:DeletePlugin",
        "q:ListPlugins",
        "q:ListPluginProviders",
        "q:UpdatePlugin",
        "q:CreateAuthGrant",
        "q:CreateOAuthAppConnection",
        "q:SendEvent",
        "q:UpdateAuthGrant",
        "q:UpdateOAuthAppConnection",
        "q:UpdatePlugin",
        "iam:CreateRole",
        "secretsmanager:CreateSecret"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "q.amazonaws.com"
          ]
        }
      }
    }
  ]
}

支持管理员配置一个提供商提供的插件

以下示例策略向管理员授予配置一个提供商提供的插件的权限,插件由插件 ARN 指定,其中包含插件提供商的名称和通配符(*)。要使用此策略,请在 Resource 字段中替换 ARN 中的以下内容:

  • AWS-region— 将在 AWS 区域 哪里创建插件。

  • AWS-account-ID— 配置插件的账户的账户 ID。 AWS

  • plugin-provider— 您要允许配置的插件提供商的名称,比如CloudZeroDatadog、或Wiz。插件提供商字段区分大小写。

注意

要访问 Amazon Q 开发者版控制台,管理员还需要在支持管理员使用 Amazon Q 开发者版控制台中定义的权限。

JSON
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "AllowCreateProviderPlugin",
            "Effect": "Allow",
            "Action": [
                "q:CreatePlugin",
                "q:GetPlugin",
                "q:DeletePlugin"
            ],
            "Resource": "arn:aws:qdeveloper:us-east-1:111122223333:plugin/plugin-provider/*"
        }
    ]
}

支持迁移多个网络或多个子网

JSON
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [{
            "Sid": "MGNNetworkMigrationAnalyzerEC2ResourceSgTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:vpc/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerEC2RequestSgTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:security-group/*",
                "arn:aws:ec2:us-east-1:111122223333:security-group-rule/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },

        {
            "Sid": "MGNNetworkMigrationAnalyzerEC2SecurityGroupTags",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:security-group/*",
                "arn:aws:ec2:us-east-1:111122223333:security-group-rule/*",
                "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
                "arn:aws:ec2:us-east-1:111122223333:network-insights-path/*",
                "arn:aws:ec2:us-east-1:111122223333:network-insights-analysis/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService",
                    "ec2:CreateAction": [
                        "CreateSecurityGroup",
                        "CreateNetworkInterface",
                        "CreateNetworkInsightsPath",
                        "StartNetworkInsightsAnalysis"
                    ]
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerENIResourceTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:subnet/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerENISG",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:security-group/*"
            ]
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerEC2ResourceTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInsightsPath"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigAnalyzerEC2RequestTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInsightsPath",
                "ec2:StartNetworkInsightsAnalysis"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzeNetwork",
            "Effect": "Allow",
            "Action": [
                "ec2:StartNetworkInsightsAnalysis"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}