本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
用户权限
以下政策允许用户在 AWS 应用程序和网站(包括、和网站)上访问 Amazon Q Dev AWS Management Console eloper AWS Documentation 的功能。 AWS Console Mobile Application
有关允许对 Amazon Q 开发者版的管理访问权限的策略,请参阅管理员权限。
在 IDE 或命令行中访问 Amazon Q 的用户不需要 IAM 权限。
允许用户通过订阅 Amazon Q 开发者版专业套餐来访问 Amazon Q
以下示例策略授予通过订阅 Amazon Q 开发者版专业套餐使用 Amazon Q 的权限。如果没有这些权限,用户只能访问 Amazon Q 的免费套餐。要与 Amazon Q 聊天或使用其他 Amazon Q 功能,用户需要额外的权限,例如本节示例策略所授予的权限。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowGetIdentity",
"Effect": "Allow",
"Action": [
"q:GetIdentityMetaData"
],
"Resource": "*"
},
{
"Sid": "AllowSetTrustedIdentity",
"Effect": "Allow",
"Action": [
"sts:SetContext"
],
"Resource": "arn:aws:sts::*:self"
}
]
}
允许 Amazon Q 访问客户托管的密钥
以下示例策略允许用户访问使用客户托管密钥加密的功能,即允许 Amazon Q 访问该密钥。如果管理员设置了用于加密的客户托管密钥,则必须使用此策略才能使用 Amazon Q。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "QKMSDecryptGenerateDataKeyPermissions",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:ReEncryptFrom",
"kms:ReEncryptTo"
],
"Resource": [
"arn:aws:kms:us-east-1:{111122223333}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"q.us-east-1.amazonaws.com"
]
}
}
}
]
}
允许用户与 Amazon Q 聊天
以下示例策略授予在控制台中与 Amazon Q 聊天的权限。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAmazonQConversationAccess",
"Effect": "Allow",
"Action": [
"q:StartConversation",
"q:SendMessage",
"q:GetConversation",
"q:ListConversations",
"q:UpdateConversation",
"q:DeleteConversation"
],
"Resource": "*"
}
]
}
允许用户搭配使用 Amazon Q CLI 与 AWS CloudShell
以下示例策略授予将 Amazon Q CLI 与一起使用的权限 AWS CloudShell。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codewhisperer:GenerateRecommendations",
"codewhisperer:ListCustomizations"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"q:StartConversation",
"q:SendMessage"
],
"Resource": "*"
}
]
}
以下示例策略授予使用 Amazon Q 命令行工具转换代码以进行转换的权限。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"qdeveloper:StartAgentSession",
"qdeveloper:ImportArtifact",
"qdeveloper:ExportArtifact",
"qdeveloper:TransformCode"
],
"Resource": "*"
}
]
}
允许用户使用 Amazon Q 诊断控制台错误
以下示例策略授予使用 Amazon Q 诊断控制台错误的权限。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAmazonQTroubleshooting",
"Effect": "Allow",
"Action": [
"q:StartTroubleshootingAnalysis",
"q:GetTroubleshootingResults",
"q:StartTroubleshootingResolutionExplanation",
"q:UpdateTroubleshootingCommandResult",
"q:PassRequest",
"cloudformation:GetResource"
],
"Resource": "*"
}
]
}
允许用户使用 Amazon Q 并基于 CLI 命令生成代码
以下示例策略授予使用 Amazon Q 根据录制的 CLI 命令生成代码的权限,从而允许使用该 Console-to-Code功能。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAmazonQConsoleToCode",
"Effect": "Allow",
"Action": "q:GenerateCodeFromCommands",
"Resource": "*"
}
]
}
允许用户与 Amazon Q 聊聊资源问题
以下示例策略授予与 Amazon Q 讨论资源的权限,并允许 Amazon Q 代表您检索资源信息。Amazon Q 仅有权访问您的 IAM 身份有权访问的资源。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAmazonQPassRequest",
"Effect": "Allow",
"Action": [
"q:StartConversation",
"q:SendMessage",
"q:GetConversation",
"q:ListConversations",
"q:UpdateConversation",
"q:DeleteConversation",
"q:PassRequest"
],
"Resource": "*"
},
{
"Sid": "AllowCloudControlReadAccess",
"Effect": "Allow",
"Action": [
"cloudformation:GetResource",
"cloudformation:ListResources"
],
"Resource": "*"
}
]
}
允许 Amazon Q 在聊天中代表您执行操作
以下示例策略授予与 Amazon Q 聊天的权限,并允许 Amazon Q 代表您执行操作。Amazon Q 仅有权执行您的 IAM 身份有权执行的操作。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAmazonQPassRequest",
"Effect": "Allow",
"Action": [
"q:StartConversation",
"q:SendMessage",
"q:GetConversation",
"q:ListConversations",
"q:UpdateConversation",
"q:DeleteConversation",
"q:PassRequest"
],
"Resource": "*"
}
]
}
允许 Amazon Q 访问成本数据并提供成本优化建议
以下示例政策允许您与 Amazon Q 讨论您的成本,并允许 Amazon Q 访问您的成本数据并提供成本分析和优化建议。此策略包括 AWS Cost Explorer AWS 成本优化中心、和中的相关权限 AWS Compute Optimizer。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAmazonQChatAndPassRequest",
"Effect": "Allow",
"Action": [
"q:StartConversation",
"q:SendMessage",
"q:GetConversation",
"q:ListConversations",
"q:UpdateConversation",
"q:DeleteConversation",
"q:PassRequest"
],
"Resource": "*"
},
{
"Sid": "AllowCostAnalysis",
"Effect": "Allow",
"Action": [
"ce:GetCostAndUsage",
"ce:GetCostForecast",
"ce:GetTags",
"ce:GetCostCategories",
"ce:GetDimensionValues"
],
"Resource": "*"
},
{
"Sid": "AllowCostOptimization",
"Effect": "Allow",
"Action": [
"cost-optimization-hub:GetRecommendation",
"cost-optimization-hub:ListRecommendations",
"cost-optimization-hub:ListRecommendationSummaries",
"compute-optimizer:GetAutoScalingGroupRecommendations",
"compute-optimizer:GetEBSVolumeRecommendations",
"compute-optimizer:GetEC2InstanceRecommendations",
"compute-optimizer:GetECSServiceRecommendations",
"compute-optimizer:GetRDSDatabaseRecommendations",
"compute-optimizer:GetLambdaFunctionRecommendations",
"compute-optimizer:GetIdleRecommendations",
"compute-optimizer:GetEffectiveRecommendationPreferences",
"ce:GetReservationPurchaseRecommendation",
"ce:GetSavingsPlansPurchaseRecommendation"
],
"Resource": "*"
}
]
}
拒绝授予 Amazon Q 代表您执行特定操作的权限
以下示例策略授予与 Amazon Q 聊天的权限,并允许 Amazon Q 代表您执行您的 IAM 身份有权执行的任何 EC2 操作,但亚马逊操作除外。此策略使用aws:CalledVia全局条件密钥指定只有在 Amazon Q 调用亚马逊 EC2操作时才会拒绝这些操作。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"q:StartConversation",
"q:SendMessage",
"q:GetConversation",
"q:ListConversations",
"q:UpdateConversation",
"q:DeleteConversation",
"q:PassRequest"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"ec2:*"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": ["q.amazonaws.com"]
}
}
}
]
}
允许授予 Amazon Q 代表您执行特定操作的权限
以下示例策略授予与 Amazon Q 聊天的权限,并允许 Amazon Q 代表您执行您的 IAM 身份有权执行的任何 EC2 操作,但亚马逊操作除外。此政策授予您的 IAM 身份执行任何亚马逊 EC2 操作的权限,但仅允许 Amazon Q 执行该ec2:describeInstances操作。本政策使用aws:CalledVia全局条件密钥来指定 Amazon Q 仅允许调用ec2:describeInstances,不允许进行任何其他亚马逊 EC2操作。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"q:StartConversation",
"q:SendMessage",
"q:GetConversation",
"q:ListConversations",
"q:UpdateConversation",
"q:DeleteConversation",
"q:PassRequest"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringNotEquals": {
"aws:CalledVia": ["q.amazonaws.com"]
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:describeInstances"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": ["q.amazonaws.com"]
}
}
}
]
}
允许授予 Amazon Q 代表您在特定区域执行特定操作的权限
以下示例策略授予与 Amazon Q 聊天的权限,并在 Amazon Q 代表您执行操作时,仅允许 Amazon Q 针对 us-east-1 和 us-west-2 区域发出调用。Amazon Q 无法对任何其他区域发出调用。有关如何指定可以拨打哪些区域的更多信息,请参阅《AWS Identity and Access Management 用户指南》RequestedRegion中的 a ws:。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"q:StartConversation",
"q:SendMessage",
"q:GetConversation",
"q:ListConversations",
"q:UpdateConversation",
"q:DeleteConversation",
"q:PassRequest"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-west-2"
]
}
}
}
]
}
拒绝授予 Amazon Q 代表您执行操作的权限
以下示例策略阻止 Amazon Q 代表您执行操作。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAmazonQPassRequest",
"Effect": "Deny",
"Action": [
"q:PassRequest"
],
"Resource": "*"
}
]
}
允许用户使用来自一个提供商的插件聊天
以下示例策略授予与管理员配置的给定提供程序中的任何插件聊天的权限,这些插件由插件 ARN 指定,其中包含插件提供者的名称和通配符 ()。*如果删除并重新配置了插件,则具有这些权限的用户将保留对新配置的插件的访问权限。要使用此政策,请替换字段 ARN 中的以下Resource内容:
-
AWS-region— 插件的创建 AWS 区域 位置。
-
AWS-account-ID— 配置插件的账户的账户 ID。 AWS
-
plugin-provider— 您要允许访问的插件提供商的名称,比如CloudZeroDatadog、或Wiz。插件提供者字段区分大小写。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAmazonQConversationAccess",
"Effect": "Allow",
"Action": [
"q:StartConversation",
"q:SendMessage",
"q:GetConversation",
"q:ListConversations",
"q:UpdateConversation",
"q:DeleteConversation"
],
"Resource": "*"
},
{
"Sid": "AllowAmazonQPluginAccess",
"Effect": "Allow",
"Action": [
"q:UsePlugin"
],
"Resource": "arn:aws:qdeveloper:us-east-1:AWS-account-ID:plugin/plugin-provider/*"
}
]
}
允许用户使用特定插件聊天
以下示例策略授予与插件 ARN 指定的特定插件聊天的权限。如果删除并重新配置了插件,则除非在此政策中更新插件 ARN,否则用户将无法访问新插件。要使用此政策,请替换字段 ARN 中的以下Resource内容:
-
AWS-region— 插件的创建 AWS 区域 位置。
-
AWS-account-ID— 配置插件的账户的账户 ID。 AWS
-
plugin-provider— 您要允许访问的插件提供商的名称,比如CloudZeroDatadog、或Wiz。插件提供者字段区分大小写。
-
plugin-ARN— 您要允许访问的插件的 ARN。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAmazonQConversationAccess",
"Effect": "Allow",
"Action": [
"q:StartConversation",
"q:SendMessage",
"q:GetConversation",
"q:ListConversations",
"q:UpdateConversation",
"q:DeleteConversation"
],
"Resource": "*"
},
{
"Sid": "AllowAmazonQPluginAccess",
"Effect": "Allow",
"Action": [
"q:UsePlugin"
],
"Resource": "arn:aws:qdeveloper:AWS-region:AWS-account-ID:plugin/plugin-provider/plugin-ARN"
}
]
}
拒绝访问 Amazon Q
以下示例策略拒绝使用 Amazon Q 的所有权限。
当您拒绝访问 Amazon Q 时,Amazon Q 图标和聊天面板仍将出现在 AWS 控制台、 AWS 网站、 AWS 文档页面或中 AWS Console Mobile Application。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAmazonQFullAccess",
"Effect": "Deny",
"Action": [
"q:*"
],
"Resource": "*"
}
]
}
允许用户查看他们的权限
该示例说明了您如何创建策略,以允许 IAM 用户查看附加到其用户身份的内联和托管式策略。此策略包括在控制台上或使用 AWS CLI 或 AWS API 以编程方式完成此操作的权限。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ViewOwnUserInfo",
"Effect": "Allow",
"Action": [
"iam:GetUserPolicy",
"iam:ListGroupsForUser",
"iam:ListAttachedUserPolicies",
"iam:ListUserPolicies",
"iam:GetUser"
],
"Resource": ["arn:aws:iam::*:user/${aws:username}"]
},
{
"Sid": "NavigateInConsole",
"Effect": "Allow",
"Action": [
"iam:GetGroupPolicy",
"iam:GetPolicyVersion",
"iam:GetPolicy",
"iam:ListAttachedGroupPolicies",
"iam:ListGroupPolicies",
"iam:ListPolicyVersions",
"iam:ListPolicies",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
