AWS Security ChangesHomeSearch

AWS amazonq documentation change

Service: amazonq · 2025-02-26 · Documentation low

File: amazonq/latest/qdeveloper-ug/firewall.md

Summary

Expanded firewall/proxy configuration documentation to include data perimeters and added specific Amazon S3 bucket URLs/ARNs required for Amazon Q features

Security assessment

Added guidance for allowlisting specific S3 resources in security-sensitive environments. While this relates to security configuration, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/amazonq/latest/qdeveloper-ug/firewall.md
index 457596c8f..cca108b0c 100644
--- a/amazonq/latest/qdeveloper-ug/firewall.md
+++ b/amazonq/latest/qdeveloper-ug/firewall.md
@@ -5 +5 @@
-# Configuring a firewall or proxy server for Amazon Q Developer
+General URLs to allowlistAmazon S3 bucket URLs and ARNs to allowlist
@@ -7 +7,5 @@
-If you're using a firewall or proxy server, make sure to allowlist traffic to the following URLs so that Amazon Q works as expected.
+# Configuring a firewall, proxy server, or data perimeter for Amazon Q Developer
+
+If you're using a firewall, proxy server, or [data perimeter](https://aws.amazon.com/identity/data-perimeters-on-aws/), make sure to allowlist traffic to the following URLs and Amazon Resource Names (ARNs) so that Amazon Q works as expected.
+
+## General URLs to allowlist
@@ -21 +24,0 @@ URL | Purpose
-``s3-bucket-urls`` – see [Data perimeters for Amazon Q resources](./security_iam_manage-access-with-policies.html#data-perimeters) for a list of Amazon S3 bucket URLs to allowlist. |  Amazon Q Developer features  
@@ -28,0 +32,13 @@ URL | Purpose
+## Amazon S3 bucket URLs and ARNs to allowlist
+
+For some features, Amazon Q uploads artifacts to AWS service-owned Amazon S3 buckets. If you are using data perimeters to control access to Amazon S3 in your environment, you might need to explicitly allow access to these buckets to use the corresponding Amazon Q features.
+
+The following table lists the URL and ARN of each of the Amazon S3 buckets that Amazon Q requires access to, and the features that use each bucket. You can use the bucket URL or bucket ARN to allowlist these buckets, depending on how you control access to Amazon S3.
+
+Amazon S3 bucket URL and ARN | Purpose  
+---|---  
+`https://amazonq-code-scan-us-east-1-29121b44f7b.s3.amazonaws.com/` `arn:aws:s3:::amazonq-code-scan-us-east-1-29121b44f7b` |  An Amazon S3 bucket used to upload artifacts for [Amazon Q code reviews](./code-reviews.html)  
+`https://amazonq-code-transformation-us-east-1-c6160f047e0.s3.amazonaws.com/` `arn:aws:s3:::amazonq-code-transformation-us-east-1-c6160f047e0` |  An Amazon S3 bucket used to upload artifacts for the [Amazon Q Developer Agent for code transformation](./code-transformation.html)  
+`https://amazonq-feature-development-us-east-1-a5b980054c6.s3.amazonaws.com/` `arn:aws:s3:::amazonq-feature-development-us-east-1-a5b980054c6` |  An Amazon S3 bucket used to upload artifacts for the [Amazon Q Developer Agent for software development](./software-dev.html)  
+`https://amazonq-test-generation-us-east-1-74b667808f2.s3.us-east-1.amazonaws.com/` `arn:aws:s3:::amazonq-test-generation-us-east-1-74b667808f2` |  An Amazon S3 bucket used to upload artifacts for the [Amazon Q Developer Agent for unit test generation](./test-generation.html)  
+