AWS Security ChangesHomeSearch

AWS amazonq documentation change

Service: amazonq · 2025-04-18 · Documentation low

File: amazonq/latest/qdeveloper-ug/id-based-policy-examples-users.md

Summary

Updated IAM policy examples to use 'plugin-provider' instead of 'plugin-name', added AWS region specification in ARNs, and corrected policy syntax (Effect from 'AllowPluginAccess' to 'Allow' with Sid)

Security assessment

Changes clarify IAM policy structure and resource specifications but do not address a specific security vulnerability. The updates improve documentation accuracy for security-related policies.

Diff

diff --git a/amazonq/latest/qdeveloper-ug/id-based-policy-examples-users.md b/amazonq/latest/qdeveloper-ug/id-based-policy-examples-users.md
index b6a9bd60a..3c606b37e 100644
--- a//amazonq/latest/qdeveloper-ug/id-based-policy-examples-users.md
+++ b//amazonq/latest/qdeveloper-ug/id-based-policy-examples-users.md
@@ -373 +373,3 @@ The following example policy prevents Amazon Q from performing actions on your b
-The following example policy grants permission to chat with any plugin from a given provider that an administrator configures, specified by the plugin ARN with a wildcard character (`*`). If the plugin is deleted and re-configured, a user with these permissions will retain access to the newly configured plugin. To use this policy, replace the following in the ARN in the `Resource` field: 
+The following example policy grants permission to chat with any plugin from a given provider that an administrator configures, specified by the plugin ARN with the name of the plugin provider and a wildcard character (`*`). If the plugin is deleted and re-configured, a user with these permissions will retain access to the newly configured plugin. To use this policy, replace the following in the ARN in the `Resource` field: 
+
+  * `AWS-region` – The AWS Region where the plugin was created.
@@ -377 +379 @@ The following example policy grants permission to chat with any plugin from a gi
-  * `plugin-name` – The name of the plugin you want to allow access to, like `CloudZero`, `Datadog`, or `Wiz`. The plugin name field is case sensitive.
+  * `plugin-provider` – The name of the plugin provider that you want to allow access to, like `CloudZero`, `Datadog`, or `Wiz`. The plugin provider field is case sensitive.
@@ -398 +400,2 @@ The following example policy grants permission to chat with any plugin from a gi
-                "Effect": "AllowPluginAccess",
+                "Sid": "AllowAmazonQPluginAccess",
+                "Effect": "Allow",
@@ -402 +405 @@ The following example policy grants permission to chat with any plugin from a gi
-                "Resource": "arn:aws:q::AWS-account-ID:plugin/plugin-name/*"
+                "Resource": "arn:aws:qdeveloper:AWS-region:AWS-account-ID:plugin/plugin-provider/*"
@@ -411,0 +415,2 @@ The following example policy grants permission to chat with a specific plugin, s
+  * `AWS-region` – The AWS Region where the plugin was created.
+
@@ -414 +419 @@ The following example policy grants permission to chat with a specific plugin, s
-  * `plugin-name` – The name of the plugin you want to allow access to, like `CloudZero`, `Datadog`, or `Wiz`. The plugin name field is case sensitive.
+  * `plugin-provider` – The name of the plugin provider that you want to allow access to, like `CloudZero`, `Datadog`, or `Wiz`. The plugin provider field is case sensitive.
@@ -437 +442,2 @@ The following example policy grants permission to chat with a specific plugin, s
-                "Effect": "AllowPluginAccess",
+                "Sid": "AllowAmazonQPluginAccess",
+                "Effect": "Allow",
@@ -441 +447 @@ The following example policy grants permission to chat with a specific plugin, s
-                "Resource": "arn:aws:q::AWS-account-ID:plugin/plugin-name/plugin-ARN"
+                "Resource": "arn:aws:qdeveloper:AWS-region:AWS-account-ID:plugin/plugin-provider/plugin-ARN"