AWS Security ChangesHomeSearch

AWS amazonq documentation change

Service: amazonq · 2025-04-11 · Documentation low

File: amazonq/latest/qdeveloper-ug/id-based-policy-examples-admins.md

Summary

Updated policy examples and documentation for Amazon Q console access. Changes include renaming 'subscription console' to 'Q console', restructuring SSO permissions, adding new user-subscription actions, and expanding organization service permissions.

Security assessment

Changes primarily update administrative policy examples and clarify console functionality. While SSO and KMS permissions are modified/added, there's no evidence of addressing a specific vulnerability. The changes appear to reflect normal feature evolution rather than security fixes.

Diff

diff --git a/amazonq/latest/qdeveloper-ug/id-based-policy-examples-admins.md b/amazonq/latest/qdeveloper-ug/id-based-policy-examples-admins.md
index c948dfea2..7e6fee8dc 100644
--- a//amazonq/latest/qdeveloper-ug/id-based-policy-examples-admins.md
+++ b//amazonq/latest/qdeveloper-ug/id-based-policy-examples-admins.md
@@ -5 +5 @@
-Allow administrators to use the Amazon Q subscription consoleAllow administrators to use the Amazon Q Developer consoleAllow administrators to create customizationsAllow administrators to accept a connector request from the account with the Q Developer transform web experience.Allow administrators to configure pluginsAllow migration of more than one network or more than one subnet
+Allow administrators to use the Amazon Q consoleAllow administrators to use the Amazon Q Developer consoleAllow administrators to create customizationsAllow administrators to accept a connector request from the account with the Q Developer transform web experience.Allow administrators to configure pluginsAllow migration of more than one network or more than one subnet
@@ -13 +13 @@ For policies that enable the use of Amazon Q Developer features, see [User permi
-## Allow administrators to use the Amazon Q subscription console
+## Allow administrators to use the Amazon Q console
@@ -15,3 +15 @@ For policies that enable the use of Amazon Q Developer features, see [User permi
-The following example policy grants permissions for a user to create and manage subscriptions in the Amazon Q subscription management console. The Amazon Q subscription management console is where you configure Amazon Q's integration with AWS IAM Identity Center and AWS Organizations, choose which Amazon Q package to subscribe to, and attach users and groups to subscriptions.
-
-To configure Amazon Q Developer Pro after subscribing users, someone in your enterprise will also need access to the Amazon Q Developer Pro console. For more information, see Allow administrators to use the Amazon Q Developer console.
+The following example policy grants permissions for a user to perform actions in the Amazon Q console. The Amazon Q console is where you configure Amazon Q's integration with AWS IAM Identity Center and AWS Organizations. Most other Amazon Q Developer-related tasks must be completed in the Amazon Q Developer console. For more information, see Allow administrators to use the Amazon Q Developer console.
@@ -132,14 +129,0 @@ The `codewhisperer` prefix is a legacy name from a service that merged with Amaz
-          {
-             "Effect":"Allow",
-             "Action":[
-                "codewhisperer:UpdateProfile",
-                "codewhisperer:ListProfiles",
-                "sso:CreateApplication",
-                "sso:PutApplicationAuthenticationMethod",
-                "sso:PutApplicationGrant",
-                "sso:PutApplicationAssignmentConfiguration"
-             ],
-             "Resource":[
-                "*"
-             ]
-          }
@@ -151 +135 @@ The `codewhisperer` prefix is a legacy name from a service that merged with Amaz
-The following example policy grants permissions for a user to access the Amazon Q Developer console. On the Amazon Q Developer console, administrators can configure various aspects of Amazon Q Developer and its features, including code references, customizations, and chat plugins. This policy also includes permissions to create and configure customer managed KMS keys. 
+The following example policy grants permissions for a user to access the Amazon Q Developer console. In the Amazon Q Developer console, administrators perform most Amazon Q Developer-related configuration tasks, including tasks related to subscriptions, code references, customizations, and chat plugins. This policy also includes permissions to create and configure customer managed KMS keys. 
@@ -153 +137 @@ The following example policy grants permissions for a user to access the Amazon
-To configure Amazon Q Developer Pro subscriptions, someone in your enterprise will also need access to the Amazon Q subscription management console. For more information, see Allow administrators to use the Amazon Q subscription console.
+There are a few Amazon Q Developer Pro tasks that administrators must complete through the Amazon Q console (instead of the Amazon Q Developer console). For more information, see Allow administrators to use the Amazon Q console.
@@ -181 +164,0 @@ For new administrators of Amazon Q Developer, use the following policy:
-            "sso-directory:GetUserPoolInfo",
@@ -187 +170,12 @@ For new administrators of Amazon Q Developer, use the following policy:
-            "sso:PutApplicationAssignmentConfiguration"
+            "sso:PutApplicationAssignmentConfiguration",
+            "sso:ListApplications",
+            "sso:GetSharedSsoConfiguration",
+            "sso:DescribeInstance",
+            "sso:PutApplicationAccessScope",
+            "sso:DescribeApplication",
+            "sso:DeleteApplication",
+            "sso:CreateApplicationAssignment",
+            "sso:DeleteApplicationAssignment",
+            "sso:UpdateApplication",
+            "sso:DescribeRegisteredRegions",
+            "sso:GetSSOStatus"
@@ -205,2 +199,30 @@ For new administrators of Amazon Q Developer, use the following policy:
-            "sso:DescribeRegisteredRegions",
-            "sso:GetSSOStatus"
+            "sso-directory:GetUserPoolInfo",
+            "sso-directory:DescribeUsers",
+            "sso-directory:DescribeGroups",
+            "sso-directory:SearchGroups",
+            "sso-directory:SearchUsers",
+            "sso-directory:DescribeDirectory"
+          ],
+          "Resource": [
+            "*"
+          ]
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "signin:ListTrustedIdentityPropagationApplicationsForConsole",
+            "signin:CreateTrustedIdentityPropagationApplicationForConsole"
+          ],
+          "Resource": [
+            "*"
+          ]
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "user-subscriptions:ListClaims",
+            "user-subscriptions:ListApplicationClaims",
+            "user-subscriptions:ListUserSubscriptions",
+            "user-subscriptions:CreateClaim",
+            "user-subscriptions:DeleteClaim",
+            "user-subscriptions:UpdateClaim"
@@ -216 +238,4 @@ For new administrators of Amazon Q Developer, use the following policy:
-            "organizations:DescribeOrganization"
+            "organizations:DescribeOrganization",
+            "organizations:ListAWSServiceAccessForOrganization",
+            "organizations:DisableAWSServiceAccess",
+            "organizations:EnableAWSServiceAccess"
@@ -272,0 +298,10 @@ For new administrators of Amazon Q Developer, use the following policy:
+            "q:CreateAssignment", 
+            "q:DeleteAssignment"
+          ],
+          "Resource": [
+            "*"
+          ]
+        },
+        {
+          "Effect": "Allow",
+          "Action": [