管理員許可 - Amazon Q Developer
允許管理員使用 Amazon Q 主控台允許管理員使用 Amazon Q Developer 主控台允許管理員建立自訂允許管理員設定外掛程式允許管理員設定來自某一提供者的外掛程式允許移轉多個網路或多個子網路

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

管理員許可

下列政策允許 Amazon Q Developer 管理員在 Amazon Q 訂閱管理主控台和 Amazon Q Developer 主控台中執行管理任務。

如需啟用 Amazon Q Developer 功能以供使用的政策,請參閱 使用者許可

允許管理員使用 Amazon Q 主控台

下列範例政策會授與使用者在 Amazon Q 主控台中執行動作的許可。Amazon Q 主控台可讓您設定 Amazon Q 與 AWS IAM Identity Center 和 的整合 AWS Organizations。大多數其他與 Amazon Q Developer 相關的任務都必須在 Amazon Q Developer 主控台中完成。如需詳細資訊,請參閱允許管理員使用 Amazon Q Developer 主控台

注意

codewhisperer 字首是與 Amazon Q Developer 合併之服務的舊名稱。如需詳細資訊,請參閱Amazon Q Developer 重新命名 - 變更摘要

JSON
{
   "Version":"2012-10-17",		 	 	 
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "organizations:ListAWSServiceAccessForOrganization",
            "organizations:DisableAWSServiceAccess",
            "organizations:EnableAWSServiceAccess",
            "organizations:DescribeOrganization"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "sso:ListApplications",
            "sso:ListInstances",
            "sso:DescribeRegisteredRegions",
            "sso:GetSharedSsoConfiguration",
            "sso:DescribeInstance",
            "sso:CreateInstance",
            "sso:CreateApplication",
            "sso:PutApplicationAuthenticationMethod",
            "sso:PutApplicationAssignmentConfiguration",
            "sso:PutApplicationGrant",
            "sso:PutApplicationAccessScope",
            "sso:DescribeApplication",
            "sso:DeleteApplication",
            "sso:GetSSOStatus",
            "sso:CreateApplicationAssignment",
            "sso:DeleteApplicationAssignment",
            "sso:UpdateApplication"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "sso-directory:DescribeUsers",
            "sso-directory:DescribeGroups",
            "sso-directory:SearchGroups",
            "sso-directory:SearchUsers",
            "sso-directory:DescribeGroup",
            "sso-directory:DescribeUser",
            "sso-directory:DescribeDirectory"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "signin:ListTrustedIdentityPropagationApplicationsForConsole",
            "signin:CreateTrustedIdentityPropagationApplicationForConsole"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "codewhisperer:ListProfiles",
            "codewhisperer:CreateProfile",
            "codewhisperer:DeleteProfile"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "user-subscriptions:ListClaims",
            "user-subscriptions:ListUserSubscriptions",
            "user-subscriptions:CreateClaim",
            "user-subscriptions:DeleteClaim",
            "user-subscriptions:UpdateClaim"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "q:CreateAssignment",
            "q:DeleteAssignment"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "iam:CreateServiceLinkedRole"
         ],
         "Resource":[
            "arn:aws:iam::*:role/aws-service-role/user-subscriptions.amazonaws.com/AWSServiceRoleForUserSubscriptions"
         ]
      }
   ]
}

允許管理員使用 Amazon Q Developer 主控台

下列範例政策會授與使用者存取 Amazon Q Developer 主控台的許可。在 Amazon Q Developer 主控台中,管理員會執行大多數與 Amazon Q Developer 相關的組態任務,包括與訂閱、程式碼參考、自訂和聊天外掛程式相關的任務。此政策也包括建立和設定客戶自管 KMS 金鑰的許可。

有少數 Amazon Q Developer 專業方案任務管理員必須透過 Amazon Q 主控台才能完成 (而非 Amazon Q Developer 主控台)。如需詳細資訊,請參閱允許管理員使用 Amazon Q 主控台

注意

若要建立自訂或外掛程式,您的 Amazon Q Developer 專業方案管理員將需要額外的許可。

您需要兩項政策之一,才能使用 Amazon Q Developer 主控台。您需要的政策取決於您是第一次設定 Amazon Q Developer,還是設定舊版 Amazon CodeWhisperer 設定檔。

注意

codewhisperer 字首是與 Amazon Q Developer 合併之服務的舊名稱。如需詳細資訊,請參閱Amazon Q Developer 重新命名 - 變更摘要

若是 Amazon Q Developer 的新管理員,請使用下列政策:

{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:ListInstances",
        "sso:CreateInstance",
        "sso:CreateApplication",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationGrant",
        "sso:PutApplicationAssignmentConfiguration",
        "sso:ListApplications",
        "sso:GetSharedSsoConfiguration",
        "sso:DescribeInstance",
        "sso:PutApplicationAccessScope",
        "sso:DescribeApplication",
        "sso:DeleteApplication",
        "sso:CreateApplicationAssignment",
        "sso:DeleteApplicationAssignment",
        "sso:UpdateApplication",
        "sso:DescribeRegisteredRegions",
        "sso:GetSSOStatus"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "identitystore:DescribeUser"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:GetUserPoolInfo",
        "sso-directory:DescribeUsers",
        "sso-directory:DescribeGroups",
        "sso-directory:SearchGroups",
        "sso-directory:SearchUsers",
        "sso-directory:DescribeDirectory"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "signin:ListTrustedIdentityPropagationApplicationsForConsole",
        "signin:CreateTrustedIdentityPropagationApplicationForConsole"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "user-subscriptions:ListClaims",
        "user-subscriptions:ListApplicationClaims",
        "user-subscriptions:ListUserSubscriptions",
        "user-subscriptions:CreateClaim",
        "user-subscriptions:DeleteClaim",
        "user-subscriptions:UpdateClaim"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DisableAWSServiceAccess",
        "organizations:EnableAWSServiceAccess"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases",
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:RetireGrant",
        "kms:DescribeKey"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codeguru-security:UpdateAccountConfiguration"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:UpdateProfile",
        "codewhisperer:ListProfiles",
        "codewhisperer:TagResource",
        "codewhisperer:UnTagResource",
        "codewhisperer:ListTagsForResource",
        "codewhisperer:CreateProfile"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "q:ListDashboardMetrics", 
        "q:CreateAssignment", 
        "q:DeleteAssignment"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData", 
        "cloudwatch:ListMetrics"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
顯示較多顯示較少

對於舊版 Amazon CodeWhisperer 設定檔,下列政策將可讓 IAM 主體管理 CodeWhisperer 應用程式。

{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:SearchUsers",
        "sso-directory:SearchGroups",
        "sso-directory:GetUserPoolInfo",
        "sso-directory:DescribeDirectory",
        "sso-directory:ListMembersInGroup"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "pricing:GetProducts"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso:AssociateProfile",
        "sso:DisassociateProfile",
        "sso:GetProfile",
        "sso:ListProfiles",
        "sso:ListApplicationInstances",
        "sso:GetApplicationInstance",
        "sso:CreateManagedApplicationInstance",
        "sso:GetManagedApplicationInstance",
        "sso:ListProfileAssociations",
        "sso:GetSharedSsoConfiguration",
        "sso:ListDirectoryAssociations",
        "sso:DescribeRegisteredRegions",
        "sso:GetSsoConfiguration",
        "sso:GetSSOStatus"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "identitystore:ListUsers",
        "identitystore:ListGroups"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases",
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:RetireGrant",
        "kms:DescribeKey"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codeguru-security:UpdateAccountConfiguration"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:UpdateProfile",
        "codewhisperer:ListProfiles",
        "codewhisperer:TagResource",
        "codewhisperer:UnTagResource",
        "codewhisperer:ListTagsForResource",
        "codewhisperer:CreateProfile"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "q:ListDashboardMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
顯示較多顯示較少

允許管理員建立自訂

下列政策會授與管理員在 Amazon Q Developer 中建立和管理自訂的許可。

若要在 Amazon Q Developer 主控台中設定自訂,您的 Amazon Q Developer 管理員將需要存取 Amazon Q Developer 主控台。如需詳細資訊,請參閱允許管理員使用 Amazon Q Developer 主控台

注意

在下列政策中,IAM 服務將回報有關 codeconnections:ListOwnerscodeconnections:ListRepositories 許可的錯誤。儘管如此,仍請建立包含這些許可的政策。許可為必要,即使發生錯誤,政策仍會運作。

注意

codewhisperer 字首是與 Amazon Q Developer 合併之服務的舊名稱。如需詳細資訊,請參閱Amazon Q Developer 重新命名 - 變更摘要

在下列範例中,將帳戶號碼取代為您的 AWS 帳戶號碼。

JSON
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso-directory:DescribeUsers"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codewhisperer:CreateCustomization",
                "codewhisperer:DeleteCustomization",
                "codewhisperer:ListCustomizations",
                "codewhisperer:ListCustomizationVersions",
                "codewhisperer:UpdateCustomization",
                "codewhisperer:GetCustomization",
                "codewhisperer:ListCustomizationPermissions",
                "codewhisperer:AssociateCustomizationPermission",
                "codewhisperer:DisassociateCustomizationPermission"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codeconnections:ListOwners",
                "codeconnections:ListRepositories",
                "codeconnections:ListConnections",
                "codeconnections:GetConnection"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "codeconnections:UseConnection",
            "Resource": [
                "*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "codeconnections:ProviderAction": [
                        "GitPull",
                        "ListRepositories",
                        "ListOwners"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:ListBucket*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

允許管理員設定外掛程式

下列範例政策會授與管理員在 Amazon Q Developer 主控台中檢視和設定第三方外掛程式的許可。

注意

為了存取 Amazon Q Developer 主控台,管理員還需要 允許管理員使用 Amazon Q Developer 主控台 中定義的許可。

JSON
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:CreatePlugin",
        "q:GetPlugin",
        "q:DeletePlugin",
        "q:ListPlugins",
        "q:ListPluginProviders",
        "q:UpdatePlugin",
        "q:CreateAuthGrant",
        "q:CreateOAuthAppConnection",
        "q:SendEvent",
        "q:UpdateAuthGrant",
        "q:UpdateOAuthAppConnection",
        "q:UpdatePlugin",
        "iam:CreateRole",
        "secretsmanager:CreateSecret"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "q.amazonaws.com"
          ]
        }
      }
    }
  ]
}

允許管理員設定來自某一提供者的外掛程式

下列範例政策會授與管理員許可,以設定來自某一提供者的外掛程式,該提供者是由外掛程式 ARN 指定,且其名稱為外掛程式提供者和萬用字元 (*)。若要使用此政策,請取代「資源」欄位中 ARN 的下列內容:

  • AWS-region – 要建立外掛程式 AWS 區域 的 。

  • AWS-account-ID – 您設定外掛程式的帳戶 AWS ID。

  • plugin-provider - 您要允許設定的外掛程式提供者名稱,例如 CloudZeroDatadogWiz。外掛程式提供者欄位區分大小寫。

注意

為了存取 Amazon Q Developer 主控台,管理員還需要 允許管理員使用 Amazon Q Developer 主控台 中定義的許可。

JSON
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "AllowCreateProviderPlugin",
            "Effect": "Allow",
            "Action": [
                "q:CreatePlugin",
                "q:GetPlugin",
                "q:DeletePlugin"
            ],
            "Resource": "arn:aws:qdeveloper:us-east-1:111122223333:plugin/plugin-provider/*"
        }
    ]
}

允許移轉多個網路或多個子網路

JSON
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [{
            "Sid": "MGNNetworkMigrationAnalyzerEC2ResourceSgTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:vpc/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerEC2RequestSgTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:security-group/*",
                "arn:aws:ec2:us-east-1:111122223333:security-group-rule/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },

        {
            "Sid": "MGNNetworkMigrationAnalyzerEC2SecurityGroupTags",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:security-group/*",
                "arn:aws:ec2:us-east-1:111122223333:security-group-rule/*",
                "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
                "arn:aws:ec2:us-east-1:111122223333:network-insights-path/*",
                "arn:aws:ec2:us-east-1:111122223333:network-insights-analysis/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService",
                    "ec2:CreateAction": [
                        "CreateSecurityGroup",
                        "CreateNetworkInterface",
                        "CreateNetworkInsightsPath",
                        "StartNetworkInsightsAnalysis"
                    ]
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerENIResourceTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:subnet/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerENISG",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:security-group/*"
            ]
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerEC2ResourceTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInsightsPath"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigAnalyzerEC2RequestTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInsightsPath",
                "ec2:StartNetworkInsightsAnalysis"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzeNetwork",
            "Effect": "Allow",
            "Action": [
                "ec2:StartNetworkInsightsAnalysis"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}