AWS Security ChangesHomeSearch

AWS amazonq documentation change

Service: amazonq · 2025-04-14 · Documentation low

File: amazonq/latest/qdeveloper-ug/command-line-chat.md

Summary

Removed standalone 'Security risks' and 'Safety recommendations' sections, added detailed tool permission states (Trusted/Per-request), updated trustall warning with link to security documentation, added permission usage examples, and reorganized security content under 'Security considerations'

Security assessment

Changes reorganize security content rather than address vulnerabilities. Added permission states and examples improve security documentation but don't indicate a specific security issue. Warning about trustall risks remains but links to external page.

Diff

diff --git a/amazonq/latest/qdeveloper-ug/command-line-chat.md b/amazonq/latest/qdeveloper-ug/command-line-chat.md
index db72e3467..1a6329330 100644
--- a//amazonq/latest/qdeveloper-ug/command-line-chat.md
+++ b//amazonq/latest/qdeveloper-ug/command-line-chat.md
@@ -5 +5 @@
-Starting a chat sessionChat commandsEntering multiline inputManaging tool permissionsSummarizing conversationsSecurity risksSafety recommendations
+Starting a chat sessionChat commandsEntering multiline inputManaging tool permissionsSummarizing conversations
@@ -37 +37 @@ Chat commands Command | Description
-`/profile` | Manages AWS profiles for AWS CLI commands.  
+`/profile` | Manages Q profiles for Q Developer commands.  
@@ -74,0 +75,9 @@ This displays a list of all available tools and their current permission status
+Tool permissions have two possible states:
+
+  * _Trusted_ : Amazon Q can use the tool without asking for confirmation each time.
+
+  * _Per-request_ : Amazon Q must ask for your confirmation each time before using the tool.
+
+
+
+
@@ -90 +99 @@ You can also trust all tools at once with `/tools trustall`(equivalent to the de
-Using `/tools trustall` carries risks. For more information, see Security risks.
+Using `/tools trustall` carries risks. For more information, see [Understanding security risks](./command-line-chat-security.html#command-line-chat-security-risks).
@@ -94 +103 @@ Using `/tools trustall` carries risks. For more information, see Security risks.
-The following image shows the status of the CLI tools when they are all in the trusted status.
+The following image shows the status of the CLI tools when they are all in their default trust status.
@@ -96 +105 @@ The following image shows the status of the CLI tools when they are all in the t
-![](/images/amazonq/latest/qdeveloper-ug/images/q_cli_tools_trustall_all_trusted.png)
+![](/images/amazonq/latest/qdeveloper-ug/images/q_cli_tools_trustall_all_trusted2.png)
@@ -107 +115,0 @@ Available tools Tool | Description
-`reset` | Reset all tools to default permission levels.  
@@ -111,2 +118,0 @@ When Amazon Q attempts to use a tool that doesn't have explicit permission, it w
-![](/images/amazonq/latest/qdeveloper-ug/images/q_cli_tools_list.png)
-
@@ -114,0 +121,13 @@ Each tool has a default trust behavior. `fs_read` is the only tool that is trust
+Here are some examples of when to use different permission levels:
+
+  * _Trust fs_read_ : When you want Amazon Q to read files without confirmation, such as when exploring a codebase.
+
+  * _Trust fs_write_ : When you're actively working on a project and want Amazon Q to help you create or modify files.
+
+  * _Untrust execute_bash_ : When working in sensitive environments where you want to review all commands before execution.
+
+  * _Untrust use_aws_ : When working with production AWS resources to prevent unintended changes.
+
+
+
+
@@ -133,36 +151,0 @@ When the length of characters in your conversation history approaches the limit,
-## Security risks
-
-Using `/tools trustall` or `/acceptall` introduces significant security risks:
-
-  * _Unintended system changes_ : Amazon Q may interpret your requests in unexpected ways, leading to unintended modifications
-
-  * _AWS resource modifications_ : Resources could be created, modified, or deleted without confirmation, potentially affecting production environments or incurring costs
-
-  * _Data loss_ : Commands that delete or overwrite files will execute without confirmation
-
-  * _Security vulnerabilities_ : Commands that could compromise system security will execute without review
-
-
-
-
-###### Warning
-
-AWS recommends against using `/tools trustall` or `/acceptall` mode in production environments or when working with sensitive data or resources. You are responsible for all actions performed by Amazon Q when `/acceptall` mode is enabled.
-
-## Safety recommendations
-
-If you must use `/tools trustall` or `/acceptall`, follow these safety practices:
-
-  * Only use in development or testing environments, never in production
-
-  * Enable `/acceptall` only for specific tasks, then immediately disable it
-
-  * Back up important data before enabling `/acceptall`
-
-  * Use AWS credentials with minimal permissions when `/acceptall` is enabled
-
-  * Carefully monitor all actions Amazon Q takes while `/acceptall` is enabled
-
-
-
-
@@ -177 +160 @@ Installing
-Context Management
+Security considerations