

This is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.

# Identity-based policy examples for Amazon Q Developer
<a name="security_iam_id-based-policy-examples"></a>

The following example IAM policies control permissions for various Amazon Q Developer actions. Use these examples to allow or deny your users, roles, or groups access to Amazon Q Developer.

**Note**  
The following example policies grant permissions for Amazon Q Developer features, but users may need additional permissions to access Amazon Q through an Amazon Q Developer Pro subscription. For more information, see [Allow users to access Amazon Q with an Amazon Q Developer Pro subscription](id-based-policy-examples-users.md#id-based-policy-examples-allow-subs-access).

You can use these policies as they are, or add permissions for the individual Amazon Q features you want to use. For more information about setting up IAM permissions for Amazon Q, see [Managing access to Amazon Q Developer with policies](security_iam_manage-access-with-policies.md).

For a list of all Amazon Q permissions that you can control with policies, see the [Amazon Q Developer permissions reference](security_iam_permissions.md).

**Topics**
+ [Administrator permissions](id-based-policy-examples-admins.md)
+ [User permissions](id-based-policy-examples-users.md)

# Administrator permissions
<a name="id-based-policy-examples-admins"></a>

The following policies allow Amazon Q Developer administrators to perform administrative tasks in the Amazon Q subscriptions console and the Amazon Q Developer console.

For policies that enable Amazon Q Developer features for use, see [User permissions](id-based-policy-examples-users.md).

## Allow administrators to use the Amazon Q console
<a name="q-admin-setup-admin-users-sub"></a>

The following example policy grants users permission to perform actions in the Amazon Q console. The Amazon Q console lets you configure the integration of Amazon Q with AWS IAM Identity Center and AWS Organizations. Most other tasks related to Amazon Q Developer must be completed in the Amazon Q Developer console. For more information, see [Allow administrators to use the Amazon Q Developer console](#q-admin-setup-admin-users).

**Note**  
The `codewhisperer` prefix is the legacy name of the service that was merged into Amazon Q Developer. For more information, see [Amazon Q Developer rename - Summary of changes](service-rename.md).

```
{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "organizations:ListAWSServiceAccessForOrganization",
            "organizations:DisableAWSServiceAccess",
            "organizations:EnableAWSServiceAccess",
            "organizations:DescribeOrganization"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "sso:ListApplications",
            "sso:ListInstances",
            "sso:DescribeRegisteredRegions",
            "sso:GetSharedSsoConfiguration",
            "sso:DescribeInstance",
            "sso:CreateInstance",
            "sso:CreateApplication",
            "sso:PutApplicationAuthenticationMethod",
            "sso:PutApplicationAssignmentConfiguration",
            "sso:PutApplicationGrant",
            "sso:PutApplicationAccessScope",
            "sso:DescribeApplication",
            "sso:DeleteApplication",
            "sso:GetSSOStatus",
            "sso:CreateApplicationAssignment",
            "sso:DeleteApplicationAssignment",
            "sso:UpdateApplication"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "sso-directory:DescribeUsers",
            "sso-directory:DescribeGroups",
            "sso-directory:SearchGroups",
            "sso-directory:SearchUsers",
            "sso-directory:DescribeGroup",
            "sso-directory:DescribeUser",
            "sso-directory:DescribeDirectory"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "signin:ListTrustedIdentityPropagationApplicationsForConsole",
            "signin:CreateTrustedIdentityPropagationApplicationForConsole"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "codewhisperer:ListProfiles",
            "codewhisperer:CreateProfile",
            "codewhisperer:DeleteProfile"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "user-subscriptions:ListClaims",
            "user-subscriptions:ListUserSubscriptions",
            "user-subscriptions:CreateClaim",
            "user-subscriptions:DeleteClaim",
            "user-subscriptions:UpdateClaim"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "q:CreateAssignment",
            "q:DeleteAssignment"
         ],
         "Resource":[
            "*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "iam:CreateServiceLinkedRole"
         ],
         "Resource":[
            "arn:aws:iam::*:role/aws-service-role/user-subscriptions.amazonaws.com/AWSServiceRoleForUserSubscriptions"
         ]
      }
   ]
}
```

## Allow administrators to use the Amazon Q Developer console
<a name="q-admin-setup-admin-users"></a>

The following example policy grants users permission to access the Amazon Q Developer console. In the Amazon Q Developer console, administrators perform most configuration tasks related to Amazon Q Developer, including tasks related to subscriptions, code references, customizations, and chat plugins. This policy also includes permissions to create and configure a customer managed KMS key.

A few Amazon Q Developer Pro tasks must be completed by administrators through the Amazon Q console rather than the Amazon Q Developer console. For more information, see [Allow administrators to use the Amazon Q console](#q-admin-setup-admin-users-sub).

**Note**  
To create customizations or plugins, your Amazon Q Developer Pro administrator needs additional permissions.  
For the permissions required for customizations, see the prerequisites section for customizations.
For the permissions required for plugins, see [Allow administrators to set up plugins](#id-based-policy-examples-admin-plugins).

You need one of two policies to use the Amazon Q Developer console. Which policy you need depends on whether you are setting up Amazon Q Developer for the first time or configuring a legacy Amazon CodeWhisperer profile.

**Note**  
The `codewhisperer` prefix is the legacy name of the service that was merged into Amazon Q Developer. For more information, see [Amazon Q Developer rename - Summary of changes](service-rename.md).

If you are a new Amazon Q Developer administrator, use the following policy:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:ListInstances",
        "sso:CreateInstance",
        "sso:CreateApplication",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationGrant",
        "sso:PutApplicationAssignmentConfiguration",
        "sso:ListApplications",
        "sso:GetSharedSsoConfiguration",
        "sso:DescribeInstance",
        "sso:PutApplicationAccessScope",
        "sso:DescribeApplication",
        "sso:DeleteApplication",
        "sso:CreateApplicationAssignment",
        "sso:DeleteApplicationAssignment",
        "sso:UpdateApplication",
        "sso:DescribeRegisteredRegions",
        "sso:GetSSOStatus"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "identitystore:DescribeUser"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:GetUserPoolInfo",
        "sso-directory:DescribeUsers",
        "sso-directory:DescribeGroups",
        "sso-directory:SearchGroups",
        "sso-directory:SearchUsers",
        "sso-directory:DescribeDirectory"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "signin:ListTrustedIdentityPropagationApplicationsForConsole",
        "signin:CreateTrustedIdentityPropagationApplicationForConsole"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "user-subscriptions:ListClaims",
        "user-subscriptions:ListApplicationClaims",
        "user-subscriptions:ListUserSubscriptions",
        "user-subscriptions:CreateClaim",
        "user-subscriptions:DeleteClaim",
        "user-subscriptions:UpdateClaim"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DisableAWSServiceAccess",
        "organizations:EnableAWSServiceAccess"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases",
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:RetireGrant",
        "kms:DescribeKey"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codeguru-security:UpdateAccountConfiguration"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:UpdateProfile",
        "codewhisperer:ListProfiles",
        "codewhisperer:TagResource",
        "codewhisperer:UnTagResource",
        "codewhisperer:ListTagsForResource",
        "codewhisperer:CreateProfile"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "q:ListDashboardMetrics",
        "q:CreateAssignment",
        "q:DeleteAssignment"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

For legacy Amazon CodeWhisperer profiles, the following policy lets an IAM principal manage the CodeWhisperer application.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:SearchUsers",
        "sso-directory:SearchGroups",
        "sso-directory:GetUserPoolInfo",
        "sso-directory:DescribeDirectory",
        "sso-directory:ListMembersInGroup"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "pricing:GetProducts"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso:AssociateProfile",
        "sso:DisassociateProfile",
        "sso:GetProfile",
        "sso:ListProfiles",
        "sso:ListApplicationInstances",
        "sso:GetApplicationInstance",
        "sso:CreateManagedApplicationInstance",
        "sso:GetManagedApplicationInstance",
        "sso:ListProfileAssociations",
        "sso:GetSharedSsoConfiguration",
        "sso:ListDirectoryAssociations",
        "sso:DescribeRegisteredRegions",
        "sso:GetSsoConfiguration",
        "sso:GetSSOStatus"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "identitystore:ListUsers",
        "identitystore:ListGroups"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases",
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:RetireGrant",
        "kms:DescribeKey"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codeguru-security:UpdateAccountConfiguration"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:UpdateProfile",
        "codewhisperer:ListProfiles",
        "codewhisperer:TagResource",
        "codewhisperer:UnTagResource",
        "codewhisperer:ListTagsForResource",
        "codewhisperer:CreateProfile"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "q:ListDashboardMetrics",
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

## Allow administrators to create customizations
<a name="id-based-policy-examples-allow-customizations"></a>

The following policy grants administrators permission to create and manage customizations in Amazon Q Developer.

To set up customizations in the Amazon Q Developer console, your Amazon Q Developer administrator needs access to the Amazon Q Developer console. For more information, see [Allow administrators to use the Amazon Q Developer console](#q-admin-setup-admin-users).

**Note**  
In the following policy, the IAM service reports errors about the `codeconnections:ListOwners` and `codeconnections:ListRepositories` permissions. Create the policy with these permissions anyway. The permissions are required, and the policy works despite the errors.

**Note**  
The `codewhisperer` prefix is the legacy name of the service that was merged into Amazon Q Developer. For more information, see [Amazon Q Developer rename - Summary of changes](service-rename.md).

In the following example, replace *account-number* with your AWS account number.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso-directory:DescribeUsers"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codewhisperer:CreateCustomization",
                "codewhisperer:DeleteCustomization",
                "codewhisperer:ListCustomizations",
                "codewhisperer:ListCustomizationVersions",
                "codewhisperer:UpdateCustomization",
                "codewhisperer:GetCustomization",
                "codewhisperer:ListCustomizationPermissions",
                "codewhisperer:AssociateCustomizationPermission",
                "codewhisperer:DisassociateCustomizationPermission"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codeconnections:ListOwners",
                "codeconnections:ListRepositories",
                "codeconnections:ListConnections",
                "codeconnections:GetConnection"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "codeconnections:UseConnection",
            "Resource": [
                "*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "codeconnections:ProviderAction": [
                        "GitPull",
                        "ListRepositories",
                        "ListOwners"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:ListBucket*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

## Allow administrators to set up plugins
<a name="id-based-policy-examples-admin-plugins"></a>

The following example policy grants administrators permission to view and configure third-party plugins in the Amazon Q Developer console.

**Note**  
To access the Amazon Q Developer console, administrators also need the permissions defined in [Allow administrators to use the Amazon Q Developer console](#q-admin-setup-admin-users).

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:CreatePlugin",
        "q:GetPlugin",
        "q:DeletePlugin",
        "q:ListPlugins",
        "q:ListPluginProviders",
        "q:UpdatePlugin",
        "q:CreateAuthGrant",
        "q:CreateOAuthAppConnection",
        "q:SendEvent",
        "q:UpdateAuthGrant",
        "q:UpdateOAuthAppConnection",
        "q:UpdatePlugin",
        "iam:CreateRole",
        "secretsmanager:CreateSecret"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "q.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```

## Allow administrators to set up plugins from one provider
<a name="id-based-policy-examples-admin-plugins-one-provider"></a>

The following example policy grants administrators permission to set up plugins from a single provider, specified by a plugin ARN whose name is the plugin provider followed by a wildcard (`*`). To use this policy, replace the following parts of the ARN in the `Resource` field:
+ *AWS-region* – The AWS Region in which the plugin is created.
+ *AWS-account-ID* – The ID of the AWS account in which you are setting up the plugin.
+ *plugin-provider* – The name of the plugin provider you want to allow setting up, such as `CloudZero`, `Datadog`, or `Wiz`. The plugin provider field is case-sensitive.

**Note**  
To access the Amazon Q Developer console, administrators also need the permissions defined in [Allow administrators to use the Amazon Q Developer console](#q-admin-setup-admin-users).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateProviderPlugin",
            "Effect": "Allow",
            "Action": [
                "q:CreatePlugin",
                "q:GetPlugin",
                "q:DeletePlugin"
            ],
            "Resource": "arn:aws:qdeveloper:us-east-1:111122223333:plugin/plugin-provider/*"
        }
    ]
}
```

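
The two plugin policies above differ mainly in how tightly `Resource` is scoped: the first grants create, update and delete actions (together with `iam:CreateRole` and `secretsmanager:CreateSecret`) on `*`, while the second limits `q:CreatePlugin`, `q:GetPlugin` and `q:DeletePlugin` to one provider's plugin ARN. The following Python script is an added example, not AWS tooling or code from this guide. It runs a small static least-privilege check over both policies exactly as they appear on this page and flags two patterns: write-level actions granted on `Resource: "*"` with no `Condition`, and `iam:PassRole` statements without an `iam:PassedToService` condition. The list of verb prefixes treated as write-level is an assumption made for this example, not an AWS-defined classification.

```python
"""Static least-privilege check for identity policies like the two plugin policies above.

Added example, not AWS tooling or code from this guide. It flags two patterns that
deserve a second look before a policy is attached: write-level actions granted on
Resource "*" with no Condition, and iam:PassRole without an iam:PassedToService
condition. The set of write-level verbs below is an assumption chosen for this example.
"""

# Assumed verb prefixes that create, change or delete something (not an AWS-defined list).
WRITE_VERBS = ("Create", "Delete", "Update", "Put", "Pass", "Start", "Send", "Use",
               "Enable", "Disable", "Associate", "Disassociate", "Tag", "UnTag")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_write(action):
    _service, _, verb = action.partition(":")
    return verb == "*" or verb.startswith(WRITE_VERBS)


def lint_policy(policy):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        unscoped = "*" in resources and "Condition" not in stmt
        writes = [a for a in actions if _is_write(a)]
        if unscoped and writes:
            findings.append(f'{sid}: write actions on Resource "*" with no Condition: '
                            + ", ".join(writes))
        if any(a.lower() == "iam:passrole" for a in actions):
            # Condition is {operator: {key: value}}; collect every key regardless of operator
            keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
            if "iam:passedtoservice" not in keys:
                findings.append(f"{sid}: iam:PassRole without an iam:PassedToService condition")
    return findings


# Copied from the page: the broad plugin-administrator policy.
PLUGIN_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["q:CreatePlugin", "q:GetPlugin", "q:DeletePlugin", "q:ListPlugins",
                "q:ListPluginProviders", "q:UpdatePlugin", "q:CreateAuthGrant",
                "q:CreateOAuthAppConnection", "q:SendEvent", "q:UpdateAuthGrant",
                "q:UpdateOAuthAppConnection", "q:UpdatePlugin", "iam:CreateRole",
                "secretsmanager:CreateSecret"]},
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
     "Condition": {"StringEquals": {"iam:PassedToService": ["q.amazonaws.com"]}}}]}

# Copied from the page: the same create/get/delete actions scoped to one provider's plugin ARN.
PROVIDER_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowCreateProviderPlugin", "Effect": "Allow",
     "Action": ["q:CreatePlugin", "q:GetPlugin", "q:DeletePlugin"],
     "Resource": "arn:aws:qdeveloper:us-east-1:111122223333:plugin/plugin-provider/*"}]}

if __name__ == "__main__":
    for name, policy in (("PLUGIN_ADMIN", PLUGIN_ADMIN), ("PROVIDER_SCOPED", PROVIDER_SCOPED)):
        print(name, lint_policy(policy) or ["no findings"])
```

Run as a script, the broad policy produces one finding (its first statement, listing every create, update, send and delete action plus `iam:CreateRole` and `secretsmanager:CreateSecret`), and its `iam:PassRole` statement is not flagged because the `iam:PassedToService` condition is present; the provider-scoped policy produces none. The check is deliberately shallow, it does not follow `NotAction`, `NotResource` or resource-level wildcards such as `plugin/*/*`, so treat a clean result as a first pass rather than a proof of least privilege.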
## Allow migration of multiple networks or multiple subnets
<a name="id-based-policy-examples-ezrc"></a>

```
{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "MGNNetworkMigrationAnalyzerEC2ResourceSgTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:vpc/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerEC2RequestSgTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:security-group/*",
                "arn:aws:ec2:us-east-1:111122223333:security-group-rule/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerEC2SecurityGroupTags",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:security-group/*",
                "arn:aws:ec2:us-east-1:111122223333:security-group-rule/*",
                "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
                "arn:aws:ec2:us-east-1:111122223333:network-insights-path/*",
                "arn:aws:ec2:us-east-1:111122223333:network-insights-analysis/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService",
                    "ec2:CreateAction": [
                        "CreateSecurityGroup",
                        "CreateNetworkInterface",
                        "CreateNetworkInsightsPath",
                        "StartNetworkInsightsAnalysis"
                    ]
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerENIResourceTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:subnet/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerENISG",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:security-group/*"
            ]
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzerEC2ResourceTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInsightsPath"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigAnalyzerEC2RequestTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInsightsPath",
                "ec2:StartNetworkInsightsAnalysis"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "AWSApplicationMigrationService"
                }
            }
        },
        {
            "Sid": "MGNNetworkMigrationAnalyzeNetwork",
            "Effect": "Allow",
            "Action": [
                "ec2:StartNetworkInsightsAnalysis"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

# User permissions
<a name="id-based-policy-examples-users"></a>

The following policies let users access Amazon Q Developer features in AWS applications and websites, including the AWS Management Console, the AWS Console Mobile Application, and the AWS Documentation website.

For policies that enable administrative access to Amazon Q Developer, see [Administrator permissions](id-based-policy-examples-admins.md).

**Note**  
Users who access [Amazon Q in the IDE](q-in-IDE.md) or [Amazon Q on the command line](command-line.md) do not need IAM permissions.

## Allow users to access Amazon Q with an Amazon Q Developer Pro subscription
<a name="id-based-policy-examples-allow-subs-access"></a>

The following example policy grants permission to use Amazon Q through an Amazon Q Developer Pro subscription. Without these permissions, users can only access the Amazon Q Free tier. To chat with Amazon Q or use other Amazon Q features, users need additional permissions, such as those granted by the example policies in this section.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetIdentity",
            "Effect": "Allow",
            "Action": [
                "q:GetIdentityMetaData"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSetTrustedIdentity",
            "Effect": "Allow",
            "Action": [
                "sts:SetContext"
            ],
            "Resource": "arn:aws:sts::*:self"
        }
    ]
}
```

## Allow Amazon Q to access a customer managed key
<a name="id-based-policy-examples-allow-q-access-encryption"></a>

The following example policy grants users access to features encrypted with a customer managed key by allowing Amazon Q to access the key. This policy is required to use Amazon Q if an administrator has configured encryption with a customer managed key.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QKMSDecryptGenerateDataKeyPermissions",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:ReEncryptFrom",
                "kms:ReEncryptTo"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:111122223333:key/key_id"
            ],
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "q.us-east-1.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

## Allow users to chat with Amazon Q
<a name="id-based-policy-examples-allow-chat"></a>

The following example policy grants permission to chat with Amazon Q in the console.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQConversationAccess",
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:UpdateConversation",
        "q:DeleteConversation"
      ],
      "Resource": "*"
    }
  ]
}
```

## Allow users to use the Amazon Q CLI with AWS CloudShell
<a name="id-based-policy-examples-allow-cli-cloudshell"></a>

The following example policy grants permission to use the Amazon Q CLI in AWS CloudShell.

**Note**  
The `codewhisperer` prefix is the legacy name of the service that was merged into Amazon Q Developer. For more information, see [Amazon Q Developer rename - Summary of changes](service-rename.md).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codewhisperer:GenerateRecommendations",
                "codewhisperer:ListCustomizations"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "q:StartConversation",
                "q:SendMessage"
            ],
            "Resource": "*"
        }
    ]
}
```

## Allow users to run transformations on the command line
<a name="id-based-policy-examples-allow-cli-transformations"></a>

The following example policy grants permission to transform code with the [Amazon Q command line tool](transform-CLI.md). This policy does not affect access to [Amazon Q on the command line](command-line.md).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "qdeveloper:StartAgentSession",
                "qdeveloper:ImportArtifact",
                "qdeveloper:ExportArtifact",
                "qdeveloper:TransformCode"
            ],
            "Resource": "*"
        }
    ]
}
```

## Allow users to diagnose console errors with Amazon Q
<a name="id-based-policy-examples-allow-error-diagnosing"></a>

The following example policy grants permission to diagnose console errors with Amazon Q.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQTroubleshooting",
      "Effect": "Allow",
      "Action": [
        "q:StartTroubleshootingAnalysis",
        "q:GetTroubleshootingResults",
        "q:StartTroubleshootingResolutionExplanation",
        "q:UpdateTroubleshootingCommandResult",
        "q:PassRequest",
        "cloudformation:GetResource"
      ],
      "Resource": "*"
    }
  ]
}
```

## Allow users to generate code from CLI commands with Amazon Q
<a name="id-based-policy-examples-allow-console-to-code"></a>

The following example policy grants permission to generate code from recorded CLI commands with Amazon Q, which enables the Console-to-Code feature.

```
{
   "Version": "2012-10-17",
   "Statement": [
       {
         "Sid": "AllowAmazonQConsoleToCode",
         "Effect": "Allow",
         "Action": "q:GenerateCodeFromCommands",
         "Resource": "*"
       }
   ]
}
```

## Allow users to chat with Amazon Q about resources
<a name="id-based-policy-examples-allow-resource-chat"></a>

The following example policy grants permission to chat with Amazon Q about resources and allows Amazon Q to retrieve resource information on your behalf. Amazon Q only has permission to access the resources that the IAM identity is permitted to access.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQPassRequest",
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:UpdateConversation",
        "q:DeleteConversation",
        "q:PassRequest"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCloudControlReadAccess",
      "Effect": "Allow",
      "Action": [
        "cloudformation:GetResource",
        "cloudformation:ListResources"
      ],
      "Resource": "*"
    }
  ]
}
```

## Allow Amazon Q to perform actions on your behalf in chat
<a name="id-based-policy-examples-allow-actions"></a>

The following example policy grants permission to chat with Amazon Q and allows Amazon Q to perform actions on your behalf. Amazon Q only has permission to perform the actions that the IAM identity is permitted to perform.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQPassRequest",
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:UpdateConversation",
        "q:DeleteConversation",
        "q:PassRequest"
      ],
      "Resource": "*"
    }
  ]
}
```

## Allow Amazon Q to access cost data and provide cost optimization recommendations
<a name="id-based-policy-examples-allow-cost-chat"></a>

The following example policy grants permission to chat with Amazon Q about costs and allows Amazon Q to access your cost data and provide cost analysis and optimization recommendations. This policy includes permissions for AWS Cost Explorer, AWS Cost Optimization Hub, AWS Compute Optimizer, AWS Budgets, the AWS Free Tier, AWS Pricing, and Savings Plans and reservation recommendations.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonQChatAndPassRequest",
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:UpdateConversation",
        "q:DeleteConversation",
        "q:PassRequest"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCostExplorerAccess",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ce:GetCostAndUsageWithResources",
        "ce:GetCostForecast",
        "ce:GetUsageForecast",
        "ce:GetTags",
        "ce:GetCostCategories",
        "ce:GetDimensionValues",
        "ce:GetSavingsPlansUtilization",
        "ce:GetSavingsPlansCoverage",
        "ce:GetSavingsPlansUtilizationDetails",
        "ce:GetReservationUtilization",
        "ce:GetReservationCoverage",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetRightsizingRecommendation",
        "ce:GetAnomalies",
        "ce:GetCostAndUsageComparisons",
        "ce:GetCostComparisonDrivers"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCostOptimizationHubAccess",
      "Effect": "Allow",
      "Action": [
        "cost-optimization-hub:GetRecommendation",
        "cost-optimization-hub:ListRecommendations",
        "cost-optimization-hub:ListRecommendationSummaries"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowComputeOptimizerAccess",
      "Effect": "Allow",
      "Action": [
        "compute-optimizer:GetAutoScalingGroupRecommendations",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetEC2InstanceRecommendations",
        "compute-optimizer:GetECSServiceRecommendations",
        "compute-optimizer:GetRDSDatabaseRecommendations",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "compute-optimizer:GetIdleRecommendations",
        "compute-optimizer:GetLicenseRecommendations",
        "compute-optimizer:GetEffectiveRecommendationPreferences"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowBudgetsAccess",
      "Effect": "Allow",
      "Action": [
        "budgets:ViewBudget"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowFreeTierAccess",
      "Effect": "Allow",
      "Action": [
        "freetier:GetFreeTierUsage",
        "freetier:GetAccountPlanState",
        "freetier:ListAccountActivities",
        "freetier:GetAccountActivity"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowPricingAccess",
      "Effect": "Allow",
      "Action": [
        "pricing:GetProducts",
        "pricing:GetAttributeValues",
        "pricing:DescribeServices"
      ],
      "Resource": "*"
    }
  ]
}
```

## Deny Amazon Q permission to perform specific actions on your behalf
<a name="id-based-policy-examples-deny-some-actions"></a>

The following example policy grants permission to chat with Amazon Q and allows Amazon Q to perform any action that the IAM identity is permitted to perform, except Amazon EC2 actions. The policy uses the [`aws:CalledVia` global condition key](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-calledvia) to specify that Amazon EC2 actions are denied only when they are called by Amazon Q.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:UpdateConversation",
        "q:DeleteConversation",
        "q:PassRequest"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:*"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["q.amazonaws.com"]
        }
      }
    }
  ]
}
```

## Allow Amazon Q permission to perform specific actions on your behalf
<a name="id-based-policy-examples-allow-some-actions"></a>

The following example policy grants permission to chat with Amazon Q and allows Amazon Q to perform any action that the IAM identity is permitted to perform, except Amazon EC2 actions. The policy grants your IAM identity permission to perform any Amazon EC2 action, but allows Amazon Q to perform only the `ec2:describeInstances` action. It uses the [`aws:CalledVia` global condition key](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-calledvia) to specify that Amazon Q may call `ec2:describeInstances` but no other Amazon EC2 action.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:UpdateConversation",
        "q:DeleteConversation",
        "q:PassRequest"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "aws:CalledVia": ["q.amazonaws.com"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:describeInstances"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["q.amazonaws.com"]
        }
      }
    }
  ]
}
```

------

## Allow Amazon Q permission to perform actions on your behalf in specific Regions
<a name="id-based-policy-examples-allow-actions-some-regions"></a>

The following example policy grants permission to chat with Amazon Q and allows Amazon Q, when performing actions on your behalf, to call only the `us-east-1` and `us-west-2` Regions. Amazon Q cannot call any other Region. For more information about how to specify which Regions you can call, see [aws:RequestedRegion](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requestedregion) in the *AWS Identity and Access Management User Guide*.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:UpdateConversation",
        "q:DeleteConversation",
        "q:PassRequest"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2"
          ]
        }
      }
    }
  ]
}
```

------

## Deny Amazon Q permission to perform actions on your behalf
<a name="id-based-policy-examples-deny-actions"></a>

The following example policy prevents Amazon Q from performing any action on your behalf.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAmazonQPassRequest",
      "Effect": "Deny",
      "Action": [
        "q:PassRequest"
      ],
      "Resource": "*"
    }
  ]
}
```

------
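
The four policies above all hinge on whether `q:PassRequest` is granted and how requests that Amazon Q makes on your behalf are then narrowed with `aws:CalledVia` or `aws:RequestedRegion`. The following Python helper is an added example, not part of the AWS documentation: it performs a structural audit of a policy document (it does not simulate IAM evaluation) and reports how `q:PassRequest` is granted and which statements single out calls made via `q.amazonaws.com`. The condensed sample policy it runs on is constructed from the "deny specific actions" example above.

```python
import fnmatch
import json

Q_SERVICE_PRINCIPAL = "q.amazonaws.com"

def _as_list(value):
    # IAM accepts either a string or a list for Action, Resource and condition values
    return [] if value is None else (value if isinstance(value, list) else [value])

def _grants_action(statement, action):
    # IAM action names match case-insensitively and may contain '*' wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(statement.get("Action")))

def _condition_values(statement, context_key):
    # Yield (operator, values) for every condition bound to the given context key
    for operator, pairs in statement.get("Condition", {}).items():
        for key, value in pairs.items():
            if key.lower() == context_key.lower():
                yield operator, _as_list(value)

def audit_pass_request(policy):
    """Structural audit (not an IAM simulation): how is q:PassRequest granted and scoped?"""
    report = {"pass_request": "not granted", "called_via_q": [], "regions": []}
    for stmt in policy["Statement"]:
        if _grants_action(stmt, "q:PassRequest"):
            if stmt["Effect"] == "Deny":
                report["pass_request"] = "explicitly denied"  # an explicit Deny always wins
            elif report["pass_request"] == "not granted":
                report["pass_request"] = "allowed"
            for _, regions in _condition_values(stmt, "aws:RequestedRegion"):
                report["regions"].extend(regions)
        # Statements that single out requests Amazon Q makes on the user's behalf
        for operator, services in _condition_values(stmt, "aws:CalledVia"):
            if Q_SERVICE_PRINCIPAL in services:
                report["called_via_q"].append(
                    (stmt["Effect"], operator, _as_list(stmt.get("Action"))))
    return report

# Constructed sample input: the "deny specific actions" policy from this page, condensed
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["q:SendMessage", "q:PassRequest"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": ["q.amazonaws.com"]}}}
]}""")

if __name__ == "__main__":
    print(audit_pass_request(SAMPLE_POLICY))
```

Any policy whose report shows `pass_request` as `allowed` with an empty `called_via_q` list and no `regions` lets Amazon Q act with the full breadth of the identity's permissions, which is the case to review first.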

## Allow users to chat with plugins from one provider
<a name="id-based-policy-examples-allow-plugin-type"></a>

The following example policy grants permission to chat with the plugins of one specific provider that an administrator has configured. The provider is specified by a plugin ARN that names the plugin provider followed by a wildcard (`*`). If a plugin is deleted and then configured again, users with these permissions keep access to the newly configured plugin. To use this policy, replace the following parts of the ARN in the `Resource` field:
+ *AWS-region* – The AWS Region in which the plugin was created.
+ *AWS-account-ID* – The ID of the AWS account in which you configured the plugin.
+ *plugin-provider* – The name of the plugin provider you want to allow access to, such as `CloudZero`, `Datadog`, or `Wiz`. The plugin provider field is case-sensitive.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAmazonQConversationAccess",
            "Effect": "Allow",
            "Action": [
                "q:StartConversation",
                "q:SendMessage",
                "q:GetConversation",
                "q:ListConversations",
                "q:UpdateConversation",
                "q:DeleteConversation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowAmazonQPluginAccess",
            "Effect": "Allow",
            "Action": [
                "q:UsePlugin"
            ],
            "Resource": "arn:aws:qdeveloper:us-east-1:111122223333:plugin/plugin-provider/*"
        }
    ]
}
```

------

## Allow users to chat with a specific plugin
<a name="id-based-policy-examples-allow-plugin-arn"></a>

The following example policy grants permission to chat with one specific plugin, identified by its plugin ARN. If the plugin is deleted and then configured again, users will not have access to the new plugin unless the plugin ARN in this policy is updated. To use this policy, replace the following parts of the ARN in the `Resource` field:
+ *AWS-region* – The AWS Region in which the plugin was created.
+ *AWS-account-ID* – The ID of the AWS account in which you configured the plugin.
+ *plugin-provider* – The name of the plugin provider you want to allow access to, such as `CloudZero`, `Datadog`, or `Wiz`. The plugin provider field is case-sensitive.
+ *plugin-ARN* – The ARN of the plugin you want to allow access to.

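The difference between the two plugin policies above (provider-wide wildcard versus one exact plugin ARN) and the case sensitivity of the provider field can be checked offline. The following Python example is added here and is not AWS code; it builds plugin ARNs in the form shown above, matches a `q:UsePlugin` statement's `Resource` against a plugin ARN the way IAM wildcards work, and shows why only the wildcard form survives a plugin being deleted and recreated. The account ID and Region are taken from the example above; the plugin names are constructed.

```python
import fnmatch
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])

def build_plugin_arn(region, account_id, provider, plugin_name="*"):
    """Assemble arn:aws:qdeveloper:REGION:ACCOUNT:plugin/PROVIDER/NAME ('*' = every plugin of the provider)."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    if "/" in provider or "/" in plugin_name:
        raise ValueError("provider and plugin name cannot contain '/'")
    return f"arn:aws:qdeveloper:{region}:{account_id}:plugin/{provider}/{plugin_name}"

def plugin_allowed(policy, plugin_arn):
    """True if an Allow statement grants q:UsePlugin on plugin_arn and no Deny statement matches it."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; a pattern such as q:* would also cover q:UsePlugin
        if not any(fnmatch.fnmatchcase("q:useplugin", a.lower()) for a in _as_list(stmt.get("Action"))):
            continue
        # Resource ARNs are matched case-sensitively: 'datadog' never matches 'Datadog'
        if any(fnmatch.fnmatchcase(plugin_arn, r) for r in _as_list(stmt.get("Resource"))):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def use_plugin_policy(resource_arn):
    """Constructed policy in the shape of the examples above, scoped to one Resource ARN."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowAmazonQPluginAccess", "Effect": "Allow",
         "Action": ["q:UsePlugin"], "Resource": resource_arn}]}

if __name__ == "__main__":
    # Constructed plugin names; account ID and Region as in the example policy above
    provider_wide = use_plugin_policy(build_plugin_arn("us-east-1", "111122223333", "Datadog"))
    single = use_plugin_policy(build_plugin_arn("us-east-1", "111122223333", "Datadog", "old-plugin"))
    recreated = build_plugin_arn("us-east-1", "111122223333", "Datadog", "new-plugin")
    print(plugin_allowed(provider_wide, recreated))  # True: the provider wildcard still matches
    print(plugin_allowed(single, recreated))         # False: the exact ARN must be updated
```
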
## Deny access to Amazon Q
<a name="id-based-policy-examples-deny"></a>

The following example policy denies all permissions to use Amazon Q.

**Note**  
When you deny access to Amazon Q, the Amazon Q icon and chat panel still appear in the AWS console, on AWS websites, on AWS documentation pages, and in the AWS Console Mobile Application.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAmazonQFullAccess",
      "Effect": "Deny",
      "Action": [
        "q:*"
      ],
      "Resource": "*"
    }
  ]
}
```

------

## Allow users to view their own permissions
<a name="id-based-policy-examples-view-own-permissions"></a>

This example shows how to create a policy that allows IAM users to view the inline and managed policies attached to their user identity. The policy includes the permissions needed to complete this action in the console or programmatically using the AWS CLI or the AWS API.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewOwnUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Resource": ["arn:aws:iam::*:user/${aws:username}"]
        },
        {
            "Sid": "NavigateInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
```