AWS chatbot documentation change
Summary
Updated product references from 'Amazon Q Developer' to 'Amazon Q Developer in chat channels' throughout documentation, clarifying the chat channel context for permissions and policies
Security assessment
Changes are primarily branding/scope clarifications rather than addressing specific vulnerabilities. While the documentation discusses security controls (guardrail policies, protection policies), these are existing security features being described with updated product naming rather than new security content.
Diff
diff --git a/chatbot/latest/adminguide/understanding-permissions.md b/chatbot/latest/adminguide/understanding-permissions.md index b7ced8f1f..1d946d576 100644 --- a//chatbot/latest/adminguide/understanding-permissions.md +++ b//chatbot/latest/adminguide/understanding-permissions.md @@ -11 +11 @@ AWS Chatbot is now Amazon Q Developer. [Learn more](./service-rename.html) -Amazon Q Developer requires an AWS Identity and Access Management (IAM) role to [perform actions](./performing-actions.html). Actions you can perform in your chat channels include running commands and responding to interactive messages. Amazon Q Developer uses organization policies, service policies, channel roles, user roles, and channel guardrail policies to control the actions channel members can take. What your users can do is the intersection of your guardrail policies and what is allowed by their roles. +Amazon Q Developer in chat channels requires an AWS Identity and Access Management (IAM) role to [perform actions](./performing-actions.html). Actions you can perform in your chat channels include running commands and responding to interactive messages. Amazon Q Developer in chat channels uses organization policies, service policies, channel roles, user roles, and channel guardrail policies to control the actions channel members can take. What your users can do is the intersection of your guardrail policies and what is allowed by their roles. @@ -38 +38 @@ Amazon Q Developer requires an AWS Identity and Access Management (IAM) role to -Organization administrators can manage multiple Amazon Q Developer settings across all accounts within an organization using an Amazon Q Developer chat applications policy (chat applications policy). Chat applications policies define where Amazon Q Developer can deliver notifications and if it can respond to Amazon Q Developer mention events. For more information, see [Securing your AWS organization in Amazon Q Developer in chat applications](./securing-orgs.html). +Organization administrators can manage multiple Amazon Q Developer in chat channels settings across all accounts within an organization using an Amazon Q Developer in chat channels chat applications policy (chat applications policy). Chat applications policies define where Amazon Q Developer in chat channels can deliver notifications and if it can respond to Amazon Q Developer in chat channels mention events. For more information, see [Securing your AWS organization in Amazon Q Developer in chat applications](./securing-orgs.html). @@ -48 +48 @@ Service control policies (SCPs) are a type of organization policy that you can u -A channel role gives all channel members the same permissions. This is useful if your channel members are similar users or they typically perform the same actions. You can use an existing role as your channel role or you can create a new role using templates. If you use a channel role, your channel members can still choose their own user roles. Your channel role is restricted by your guardrail policies. You can set your channel role in channel configurations from the Amazon Q Developer console. +A channel role gives all channel members the same permissions. This is useful if your channel members are similar users or they typically perform the same actions. You can use an existing role as your channel role or you can create a new role using templates. If you use a channel role, your channel members can still choose their own user roles. Your channel role is restricted by your guardrail policies. You can set your channel role in channel configurations from the Amazon Q Developer in chat channels console. @@ -73 +73 @@ There are eight templates that can be used to create a channel role: -You can use any and all combinations of these templates to suit your needs. For example, if you want to create a configuration that only delivers notifications, choose **Notification permissions** as your policy template. If you want your channel members to run read-only commands exclusively and you want notifications to be delivered, choose **Read-only command permissions** and **Notification permissions** as your policy templates. For more information, see [IAM policies for Amazon Q Developer](./chatbot-iam-policies.html). +You can use any and all combinations of these templates to suit your needs. For example, if you want to create a configuration that only delivers notifications, choose **Notification permissions** as your policy template. If you want your channel members to run read-only commands exclusively and you want notifications to be delivered, choose **Read-only command permissions** and **Notification permissions** as your policy templates. For more information, see [IAM policies for Amazon Q Developer in chat channels](./chatbot-iam-policies.html). @@ -89 +89 @@ This feature is enforced at the account level. -Guardrail policies provide detailed control over what actions are available to your channel members and what actions Amazon Q Developer can perform on your behalf. They constrain and take precedence over both user roles and channel roles. For example, if a user has a user role that allows administrator access, and they belong to a channel where the channel role or the guardrail policies limit permissions on one or more services, the user will have less than administrator-level access. You can set, view, and edit your guardrail policies in the Amazon Q Developer console. If you had an Amazon Q Developer configuration before the expansion of available commands on 11/28/2021, you may have a protection policy applied as one of your guardrail policies. +Guardrail policies provide detailed control over what actions are available to your channel members and what actions Amazon Q Developer in chat channels can perform on your behalf. They constrain and take precedence over both user roles and channel roles. For example, if a user has a user role that allows administrator access, and they belong to a channel where the channel role or the guardrail policies limit permissions on one or more services, the user will have less than administrator-level access. You can set, view, and edit your guardrail policies in the Amazon Q Developer in chat channels console. If you had an Amazon Q Developer in chat channels configuration before the expansion of available commands on 11/28/2021, you may have a protection policy applied as one of your guardrail policies. @@ -97 +97 @@ AWS Service Roles IAM policies can't be used as guardrail policies. -Amazon Q Developer doesn't support running commands for operations in the following JSON policy: +Amazon Q Developer in chat channels doesn't support running commands for operations in the following JSON policy: @@ -151 +151 @@ Amazon Q Developer doesn't support running commands for operations in the follow -The expansion of usable CLI commands occurred on 11/28/2021. This expansion can allow channel members to create, read, update, and delete your AWS resources. To prevent this, a protection policy is applied as a guardrail policy to existing Amazon Q Developer configurations by default. Specifically, the protection policy restricts permissions and actions to what was available before all CLI commands were usable. This policy is detachable, but we strongly recommend it stay in place until you’ve verified that all your guardrails, channel IAM roles, and user-level roles align with your governance policy or channel requirements. You can detach this policy from: +The expansion of usable CLI commands occurred on 11/28/2021. This expansion can allow channel members to create, read, update, and delete your AWS resources. To prevent this, a protection policy is applied as a guardrail policy to existing Amazon Q Developer in chat channels configurations by default. Specifically, the protection policy restricts permissions and actions to what was available before all CLI commands were usable. This policy is detachable, but we strongly recommend it stay in place until you’ve verified that all your guardrails, channel IAM roles, and user-level roles align with your governance policy or channel requirements. You can detach this policy from: @@ -159 +159 @@ The expansion of usable CLI commands occurred on 11/28/2021. This expansion can - * All channel configurations in the **User permissions** page of the Amazon Q Developer console. + * All channel configurations in the **User permissions** page of the Amazon Q Developer in chat channels console. @@ -187 +187 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Test notifications with Amazon Q Developer using CloudWatch +Test notifications with Amazon Q Developer in chat channels using CloudWatch