AWS Security ChangesHomeSearch

AWS amazonq medium security documentation change

Service: amazonq · 2025-04-18 · Security-related medium

File: amazonq/latest/qdeveloper-ug/id-based-policy-examples-admins.md

Summary

Added plugin configuration documentation, updated IAM policy examples with account placeholders, and made grammatical/policy syntax improvements

Security assessment

Replaced hardcoded account numbers (123456789012) with 'account number' placeholders in IAM policies to prevent accidental exposure of credentials. Added new section about configuring plugins from specific providers with least-privilege permissions.

Diff

diff --git a/amazonq/latest/qdeveloper-ug/id-based-policy-examples-admins.md b/amazonq/latest/qdeveloper-ug/id-based-policy-examples-admins.md
index 7e6fee8dc..dccf7c8b8 100644
--- a//amazonq/latest/qdeveloper-ug/id-based-policy-examples-admins.md
+++ b//amazonq/latest/qdeveloper-ug/id-based-policy-examples-admins.md
@@ -5 +5 @@
-Allow administrators to use the Amazon Q consoleAllow administrators to use the Amazon Q Developer consoleAllow administrators to create customizationsAllow administrators to accept a connector request from the account with the Q Developer transform web experience.Allow administrators to configure pluginsAllow migration of more than one network or more than one subnet
+Allow administrators to use the Amazon Q consoleAllow administrators to use the Amazon Q Developer consoleAllow administrators to create customizationsAllow administrators to accept a connector request from the account with the Q Developer transform web experienceAllow administrators to configure pluginsAllow administrators to configure plugins from one providerAllow migration of more than one network or more than one subnet
@@ -141 +141 @@ There are a few Amazon Q Developer Pro tasks that administrators must complete t
-If you're using customizations, then your Amazon Q Developer Pro administrator will require additional permissions. 
+To create customizations or plugins, your Amazon Q Developer Pro administrator will require additional permissions. 
@@ -471,0 +472,2 @@ The `codewhisperer` prefix is a legacy name from a service that merged with Amaz
+In the following example, replace `account number` with your AWS account number.
+    
@@ -475 +477,2 @@ The `codewhisperer` prefix is a legacy name from a service that merged with Amaz
-        "Statement": [{
+        "Statement": [
+            {
@@ -483,0 +487 @@ The `codewhisperer` prefix is a legacy name from a service that merged with Amaz
+            {
@@ -549 +553 @@ The `codewhisperer` prefix is a legacy name from a service that merged with Amaz
-## Allow administrators to accept a connector request from the account with the Q Developer transform web experience.
+## Allow administrators to accept a connector request from the account with the Q Developer transform web experience
@@ -585 +589 @@ The `codewhisperer` prefix is a legacy name from a service that merged with Amaz
-                "Resource": "arn:aws:iam::123456789012:policy/service-role/QTransform-*"
+                "Resource": "arn:aws:iam::account number:policy/service-role/QTransform-*"
@@ -594 +598 @@ The `codewhisperer` prefix is a legacy name from a service that merged with Amaz
-                "Resource": "arn:aws:iam::123456789012:role/service-role/QTransform-*"
+                "Resource": "arn:aws:iam::account number:role/service-role/QTransform-*"
@@ -606 +610 @@ The following example policy grants administrators permissions to view and confi
-In order to access the Amazon Q Developer console, users also needs the permissions defined in Allow administrators to use the Amazon Q Developer console.
+In order to access the Amazon Q Developer console, administrators also need the permissions defined in Allow administrators to use the Amazon Q Developer console.
@@ -641,0 +646,36 @@ In order to access the Amazon Q Developer console, users also needs the permissi
+## Allow administrators to configure plugins from one provider
+
+The following example policy grants an administrator permission to configure plugins from one provider, specified by the plugin ARN with the name of the plugin provider and a wildcard character (`*`). To use this policy, replace the following in the ARN in the Resource field:
+
+  * `AWS-region` – The AWS Region where the plugin will be created.
+
+  * `AWS-account-ID` – The AWS account ID of the account where your plugin is configured.
+
+  * `plugin-provider` – The name of the plugin provider that you want to allow configuration for, like `CloudZero`, `Datadog`, or `Wiz`. The plugin provider field is case sensitive.
+
+
+
+
+###### Note
+
+In order to access the Amazon Q Developer console, administrators also need the permissions defined in Allow administrators to use the Amazon Q Developer console.
+    
+    
+    {
+       "Version": "2012-10-17",
+       "Statement": [
+          {
+             "Sid": "Allow permissions to create a plugin from one provider",
+             "Effect": "Allow",
+             "Action": [
+                "q:CreatePlugin",
+                "q:GetPlugin",
+                "q:DeletePlugin"
+                ],
+             "Resource": "arn:aws:qdeveloper:AWS-region:AWS-account-ID:plugin/plugin-provider/*"
+          }
+       ]
+    }
+    
+    
+