AWS Security ChangesHomeSearch

AWS chatbot documentation change

Service: chatbot · 2025-05-31 · Documentation low

File: chatbot/latest/adminguide/chatbot-iam-policies.md

Summary

Updated documentation to consistently use 'Amazon Q Developer in chat channels' phrasing throughout the document, clarifying the service context for IAM policy configurations

Security assessment

The changes are primarily branding/terminology updates (adding 'in chat channels' qualifiers) rather than substantive security content changes. No specific vulnerabilities, policy changes, or security incidents are addressed. The updates maintain existing security documentation about IAM policies but don't introduce new security features or warnings.

Diff

diff --git a/chatbot/latest/adminguide/chatbot-iam-policies.md b/chatbot/latest/adminguide/chatbot-iam-policies.md
index 50baccab9..314ce2d4f 100644
--- a//chatbot/latest/adminguide/chatbot-iam-policies.md
+++ b//chatbot/latest/adminguide/chatbot-iam-policies.md
@@ -5 +5 @@
-AWS managed IAM policies in Amazon Q DeveloperCustomer managed IAM policies in Amazon Q Developer
+AWS managed IAM policies in Amazon Q Developer in chat channelsCustomer managed IAM policies in Amazon Q Developer in chat channels
@@ -9 +9 @@ AWS Chatbot is now Amazon Q Developer. [Learn more](./service-rename.html)
-# IAM policies for Amazon Q Developer
+# IAM policies for Amazon Q Developer in chat channels
@@ -11 +11 @@ AWS Chatbot is now Amazon Q Developer. [Learn more](./service-rename.html)
-This section describes the IAM permissions and policies that Amazon Q Developer uses to secure its operations with other AWS services. Amazon Q Developer uses these permissions to safely forward Amazon SNS notifications to chat rooms, support AWS CLI commands sessions in Slack, invoke Lambda functions, and create AWS support tickets directly in the Slack console. You can also define your own custom policies for the same purposes, using these policies as templates.
+This section describes the IAM permissions and policies that Amazon Q Developer in chat channels uses to secure its operations with other AWS services. Amazon Q Developer in chat channels uses these permissions to safely forward Amazon SNS notifications to chat rooms, support AWS CLI commands sessions in Slack, invoke Lambda functions, and create AWS support tickets directly in the Slack console. You can also define your own custom policies for the same purposes, using these policies as templates.
@@ -13 +13 @@ This section describes the IAM permissions and policies that Amazon Q Developer
-When you create a new role in the Amazon Q Developer in chat applications console, any of the IAM policies described in this topic might be assigned to that role. You could apply all of them to a single role, or choose only a couple of them based on how the users of that role will use the Amazon Q Developer. Some policies contain a superset of permissions of other policies. 
+When you create a new role in the Amazon Q Developer in chat applications console, any of the IAM policies described in this topic might be assigned to that role. You could apply all of them to a single role, or choose only a couple of them based on how the users of that role will use the Amazon Q Developer in chat channels. Some policies contain a superset of permissions of other policies. 
@@ -17 +17 @@ When you create a new role in the Amazon Q Developer in chat applications consol
-  * AWS managed IAM policies in Amazon Q Developer
+  * AWS managed IAM policies in Amazon Q Developer in chat channels
@@ -19 +19 @@ When you create a new role in the Amazon Q Developer in chat applications consol
-  * Customer managed IAM policies in Amazon Q Developer
+  * Customer managed IAM policies in Amazon Q Developer in chat channels
@@ -24 +24 @@ When you create a new role in the Amazon Q Developer in chat applications consol
-## AWS managed IAM policies in Amazon Q Developer
+## AWS managed IAM policies in Amazon Q Developer in chat channels
@@ -26 +26 @@ When you create a new role in the Amazon Q Developer in chat applications consol
-Amazon Q Developer supports the following AWS managed IAM policies:
+Amazon Q Developer in chat channels supports the following AWS managed IAM policies:
@@ -45 +45 @@ Amazon Q Developer supports the following AWS managed IAM policies:
-AWS managed policies are available to all Amazon Q Developer users, but you can't change or edit them. You can copy them and use them as templates for your own policies, knowing that you are using AWS-approved policy language to build your own policies.
+AWS managed policies are available to all Amazon Q Developer in chat channels users, but you can't change or edit them. You can copy them and use them as templates for your own policies, knowing that you are using AWS-approved policy language to build your own policies.
@@ -47 +47 @@ AWS managed policies are available to all Amazon Q Developer users, but you can'
-Amazon Q Developer adheres to standard IAM practices for using admin IAM accounts to activate and use the Amazon Q Developer service.
+Amazon Q Developer in chat channels adheres to standard IAM practices for using admin IAM accounts to activate and use the Amazon Q Developer in chat channels service.
@@ -49 +49 @@ Amazon Q Developer adheres to standard IAM practices for using admin IAM account
-As a convenience, Amazon Q Developer also supports the creation of new IAM roles directly in the Amazon Q Developer in chat applications console. However, to configure existing IAM entities to use Amazon Q Developer, you need to use the IAM console.
+As a convenience, Amazon Q Developer in chat channels also supports the creation of new IAM roles directly in the Amazon Q Developer in chat applications console. However, to configure existing IAM entities to use Amazon Q Developer in chat channels, you need to use the IAM console.
@@ -53 +53 @@ As a convenience, Amazon Q Developer also supports the creation of new IAM roles
-The **ReadOnlyAccess** policy is an AWS managed policy that is automatically assigned to roles in the Amazon Q Developer service. 
+The **ReadOnlyAccess** policy is an AWS managed policy that is automatically assigned to roles in the Amazon Q Developer in chat channels service. 
@@ -55 +55 @@ The **ReadOnlyAccess** policy is an AWS managed policy that is automatically ass
-This policy does not appear in the Amazon Q Developer in chat applications console. It defines Get, List, and Describe permissions for the entire suite of AWS services, enabling Amazon Q Developer to use this role to access any of those services on your behalf. 
+This policy does not appear in the Amazon Q Developer in chat applications console. It defines Get, List, and Describe permissions for the entire suite of AWS services, enabling Amazon Q Developer in chat channels to use this role to access any of those services on your behalf. 
@@ -61 +61 @@ You can attach this policy to new roles in IAM, or use it as a template to defin
-Amazon Q Developer must use a role that defines all the read-only permissions necessary for its usage. You can define a policy to be more restrictive or specify fewer services than the policy described here, and use that in place of the **ReadOnlyAccess** policy. However, you must ensure that all CloudWatch and Amazon SNS read-only permissions remain in your policy, or some CloudWatch features may not work with Amazon Q Developer. The policy also must provide Get, List, and Describe permissions for services supported by Amazon Q Developer. 
+Amazon Q Developer in chat channels must use a role that defines all the read-only permissions necessary for its usage. You can define a policy to be more restrictive or specify fewer services than the policy described here, and use that in place of the **ReadOnlyAccess** policy. However, you must ensure that all CloudWatch and Amazon SNS read-only permissions remain in your policy, or some CloudWatch features may not work with Amazon Q Developer in chat channels. The policy also must provide Get, List, and Describe permissions for services supported by Amazon Q Developer in chat channels. 
@@ -101 +101 @@ The policy's JSON code is shown following:
-You can attach the **CloudWatchReadOnlyAccess** policy to Amazon Q Developer roles when you edit them in the IAM console. This policy does not appear in the Amazon Q Developer in chat applications console.
+You can attach the **CloudWatchReadOnlyAccess** policy to Amazon Q Developer in chat channels roles when you edit them in the IAM console. This policy does not appear in the Amazon Q Developer in chat applications console.
@@ -103 +103 @@ You can attach the **CloudWatchReadOnlyAccess** policy to Amazon Q Developer rol
-It is an AWS managed policy. You can attach this policy to any role for Amazon Q Developer usage. You can define your own policy with greater restrictions, using this policy as a template.
+It is an AWS managed policy. You can attach this policy to any role for Amazon Q Developer in chat channels usage. You can define your own policy with greater restrictions, using this policy as a template.
@@ -105 +105 @@ It is an AWS managed policy. You can attach this policy to any role for Amazon Q
-Amazon Q Developer users can use this policy to support Amazon CloudWatch events reporting, alarms, CloudWatch logs, and CloudWatch trend charts for most of Amazon Q Developer's supported AWS services. It allows read-only operations for CloudWatch Logs and the Amazon Simple Notification Service service, and can be used in place of the customer managed Notification permissions policy. However, you must use the IAM console to attach this policy to any IAM role.
+Amazon Q Developer in chat channels users can use this policy to support Amazon CloudWatch events reporting, alarms, CloudWatch logs, and CloudWatch trend charts for most of Amazon Q Developer in chat channels's supported AWS services. It allows read-only operations for CloudWatch Logs and the Amazon Simple Notification Service service, and can be used in place of the customer managed Notification permissions policy. However, you must use the IAM console to attach this policy to any IAM role.
@@ -107 +107 @@ Amazon Q Developer users can use this policy to support Amazon CloudWatch events
-The Logs permissions also support the useful **Show Logs** feature for CloudWatch alarms notifications in Slack. Amazon Q Developer also supports actions for displaying logs for Lambda and Amazon API Gateway.
+The Logs permissions also support the useful **Show Logs** feature for CloudWatch alarms notifications in Slack. Amazon Q Developer in chat channels also supports actions for displaying logs for Lambda and Amazon API Gateway.
@@ -141 +141 @@ In the IAM console, this policy appears as **AWSSupportAccess**.
-It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer.
+It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat channels.
@@ -167 +167 @@ In the IAM console, this policy appears as **AmazonQFullAccess**.
-It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer.
+It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat channels.
@@ -245 +245 @@ In the IAM console, this policy appears as **AIOpsOperatorAccess**.
-It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer.
+It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat channels.
@@ -364 +364 @@ In the IAM console, this policy appears as **AWSResourceExplorerReadOnlyAccess**
-It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer.
+It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat channels.
@@ -396 +396 @@ In the IAM console, this policy appears as **AWSIncidentManagerResolverAccess**.
-It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer.
+It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat channels.
@@ -441 +441 @@ The policy's JSON code is shown following:
-## Customer managed IAM policies in Amazon Q Developer
+## Customer managed IAM policies in Amazon Q Developer in chat channels
@@ -443 +443 @@ The policy's JSON code is shown following:
-Amazon Q Developer also supports three service-provided customer managed IAM policies, that you can apply to any Amazon Q Developer role. They can also be used as templates for defining custom IAM permissions for your users:
+Amazon Q Developer in chat channels also supports three service-provided customer managed IAM policies, that you can apply to any Amazon Q Developer in chat channels role. They can also be used as templates for defining custom IAM permissions for your users:
@@ -454 +454 @@ Amazon Q Developer also supports three service-provided customer managed IAM pol
-###  The Amazon Q Developer Read-Only Command Permissions IAM policy
+###  The Amazon Q Developer in chat channels Read-Only Command Permissions IAM policy
@@ -458 +458 @@ The **Read-Only Command Permissions** policy appears in the Amazon Q Developer i
-It is a customer managed policy. It pairs with the Lambda-Invoke Command Permissions policy to provide a convenient Amazon Q Developer configuration to enable Slack channel support for sending commands to the AWS CLI.
+It is a customer managed policy. It pairs with the Lambda-Invoke Command Permissions policy to provide a convenient Amazon Q Developer in chat channels configuration to enable Slack channel support for sending commands to the AWS CLI.
@@ -460 +460 @@ It is a customer managed policy. It pairs with the Lambda-Invoke Command Permiss
-The **Read-Only Command Permissions** policy denies permission for Amazon Q Developer users to get sensitive information from AWS services through the Slack channel, such as Amazon EC2 password information, key pairs and login credentials.
+The **Read-Only Command Permissions** policy denies permission for Amazon Q Developer in chat channels users to get sensitive information from AWS services through the Slack channel, such as Amazon EC2 password information, key pairs and login credentials.
@@ -464 +464 @@ This policy appears in the IAM console as the **AWS-Chatbot-ReadOnly-Commands-Po
-You can edit and assign this policy to any role in Amazon Q Developer or in IAM. For editing of roles and policies for Amazon Q Developer usage, we recommend using the IAM console.
+You can edit and assign this policy to any role in Amazon Q Developer in chat channels or in IAM. For editing of roles and policies for Amazon Q Developer in chat channels usage, we recommend using the IAM console.
@@ -505 +505 @@ The policy's JSON code is shown following:
-### The Amazon Q Developer Lambda-Invoke Command Permissions policy 
+### The Amazon Q Developer in chat channels Lambda-Invoke Command Permissions policy 
@@ -507 +507 @@ The policy's JSON code is shown following:
-The **Lambda-Invoke Command Permissions** policy appears in the Amazon Q Developer in chat applications console when you configure resources. It pairs with the Read-Only Command Permissions policy to provide a convenient Amazon Q Developer configuration to enable Slack channel access to the AWS CLI, and to features that make sense for CLI use. The policy allows Amazon Q Developer users to invoke Lambda functions in their Slack channels. 
+The **Lambda-Invoke Command Permissions** policy appears in the Amazon Q Developer in chat applications console when you configure resources. It pairs with the Read-Only Command Permissions policy to provide a convenient Amazon Q Developer in chat channels configuration to enable Slack channel access to the AWS CLI, and to features that make sense for CLI use. The policy allows Amazon Q Developer in chat channels users to invoke Lambda functions in their Slack channels. 
@@ -511 +511 @@ It is a customer managed policy. In the IAM console, it appears as **AWS-Chatbot
-You can edit and assign this policy to any role in Amazon Q Developer or in IAM. 
+You can edit and assign this policy to any role in Amazon Q Developer in chat channels or in IAM. 
@@ -515 +515 @@ By default, the **Lambda-Invoke** policy is very permissive, because you can inv
-We recommend using this policy as a template to define your own, more restrictive policies, such as permissions to invoke functions developed for your DevOps team that only they should be able to invoke, and deny permissions to invoke Lambda functions for any other purpose. To edit roles and policies for Amazon Q Developer, use the IAM console.
+We recommend using this policy as a template to define your own, more restrictive policies, such as permissions to invoke functions developed for your DevOps team that only they should be able to invoke, and deny permissions to invoke Lambda functions for any other purpose. To edit roles and policies for Amazon Q Developer in chat channels, use the IAM console.
@@ -536 +536 @@ The policy's JSON code is shown following:
-###  The Amazon Q Developer Notification Permissions IAM policy
+###  The Amazon Q Developer in chat channels Notification Permissions IAM policy
@@ -538 +538 @@ The policy's JSON code is shown following:
-The **Notification Permissions** policy appears in the Amazon Q Developer in chat applications console when you configure resources. It provides the minimum usable IAM policy configuration for using the Amazon Q Developer in Slack channels and Amazon Chime webhooks. The **Notification Permissions** policy enables Amazon Q Developer admins to forward CloudWatch Events, CloudWatch alarms, and format charting data for viewing in chat room messages. Because many of Amazon Q Developer's supported services use CloudWatch as their event and alarm processing layer, Amazon Q Developer requires this policy for core functionality. You can use other policies, such as CloudWatchReadOnlyAccess, in place of this policy, but you must attach that policy to the role in the IAM console.
+The **Notification Permissions** policy appears in the Amazon Q Developer in chat applications console when you configure resources. It provides the minimum usable IAM policy configuration for using the Amazon Q Developer in chat channels in Slack channels and Amazon Chime webhooks. The **Notification Permissions** policy enables Amazon Q Developer in chat channels admins to forward CloudWatch Events, CloudWatch alarms, and format charting data for viewing in chat room messages. Because many of Amazon Q Developer in chat channels's supported services use CloudWatch as their event and alarm processing layer, Amazon Q Developer in chat channels requires this policy for core functionality. You can use other policies, such as CloudWatchReadOnlyAccess, in place of this policy, but you must attach that policy to the role in the IAM console.
@@ -540 +540 @@ The **Notification Permissions** policy appears in the Amazon Q Developer in cha
-It is a customer managed policy. You can edit and assign this policy to any role for Amazon Q Developer usage.
+It is a customer managed policy. You can edit and assign this policy to any role for Amazon Q Developer in chat channels usage.