AWS amazonq documentation change
Summary
Replaced inline IAM policy JSON blocks with links to AWS Managed Policy Reference documentation
Security assessment
The change removes detailed IAM policy configurations from the documentation and replaces them with references to centralized policy documents. While this impacts policy visibility in the documentation, there is no evidence of addressing a specific security vulnerability or weakness. The change appears to be about documentation structure rather than security remediation.
Diff
diff --git a/amazonq/latest/qdeveloper-ug/managed-policy.md b/amazonq/latest/qdeveloper-ug/managed-policy.md index 0331a0ac9..fae48e91e 100644 --- a//amazonq/latest/qdeveloper-ug/managed-policy.md +++ b//amazonq/latest/qdeveloper-ug/managed-policy.md @@ -5 +5 @@ -AmazonQFullAccessAmazonQDeveloperAccessAWSServiceRoleForAmazonQDeveloperPolicyAWSServiceRoleForUserSubscriptionsGitLabDuoWithAmazonQPermissionsPolicyPolicy updates +AmazonQFullAccessAmazonQDeveloperAccessAWSServiceRoleForAmazonQDeveloperAWSServiceRoleForUserSubscriptionsGitLabDuoWithAmazonQPermissionsPolicyPolicy updates @@ -38,75 +38 @@ To enable full access to complete administrative tasks in the Amazon Q subscript - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowAmazonQFullAccess", - "Effect": "Allow", - "Action": [ - "q:StartConversation", - "q:SendMessage", - "q:GetConversation", - "q:ListConversations", - "q:PassRequest", - "q:StartTroubleshootingAnalysis", - "q:GetTroubleshootingResults", - "q:StartTroubleshootingResolutionExplanation", - "q:UpdateTroubleshootingCommandResult", - "q:GetIdentityMetadata", - "q:CreateAssignment", - "q:DeleteAssignment", - "q:GenerateCodeFromCommands", - "q:CreatePlugin", - "q:GetPlugin", - "q:DeletePlugin", - "q:ListPlugins", - "q:ListPluginProviders", - "q:UsePlugin", - "q:TagResource", - "q:UntagResource", - "q:ListTagsForResource", - "q:UpdatePlugin", - "q:CreateAuthGrant", - "q:CreateOAuthAppConnection", - "q:SendEvent", - "q:UpdateAuthGrant", - "q:UpdateOAuthAppConnection", - "q:UpdatePlugin", - "q:UpdateConversation", - "q:DeleteConversation" - ], - "Resource": "*" - }, - { - "Sid": "AllowCloudControlReadAccess", - "Effect": "Allow", - "Action": [ - "cloudformation:GetResource", - "cloudformation:ListResources" - ], - "Resource": "*" - }, - { - "Sid": "AllowSetTrustedIdentity", - "Effect": "Allow", - "Action": [ - "sts:SetContext" - ], - "Resource": "arn:aws:sts::*:self" - }, - { - "Effect": "Allow", - "Action": [ - "iam:PassRole" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "iam:PassedToService": [ - "q.amazonaws.com" - ] - } - } - } - ] - } +To view the permissions for this policy, see [AmazonQFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonQFullAccess.html) in the _AWS Managed Policy Reference_. @@ -119,0 +46 @@ To use some features of Amazon Q, you might need additional permissions. See the +To view the permissions for this policy, see [AmazonQDeveloperAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonQDeveloperAccess.html) in the _AWS Managed Policy Reference_. @@ -121,46 +48 @@ To use some features of Amazon Q, you might need additional permissions. See the - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowAmazonQDeveloperAccess", - "Effect": "Allow", - "Action": [ - "q:StartConversation", - "q:SendMessage", - "q:GetConversation", - "q:ListConversations", - "q:PassRequest", - "q:StartTroubleshootingAnalysis", - "q:StartTroubleshootingResolutionExplanation", - "q:GetTroubleshootingResults", - "q:UpdateTroubleshootingCommandResult", - "q:GetIdentityMetaData", - "q:GenerateCodeFromCommands", - "q:UsePlugin", - "q:UpdateConversation", - "q:DeleteConversation" - - ], - "Resource": "*" - }, - { - "Sid": "AllowCloudControlReadAccess", - "Effect": "Allow", - "Action": [ - "cloudformation:GetResource", - "cloudformation:ListResources" - ], - "Resource": "*" - }, - { - "Sid": "AllowSetTrustedIdentity", - "Effect": "Allow", - "Action": [ - "sts:SetContext" - ], - "Resource": "arn:aws:sts::*:self" - } - ] - } - -## AWSServiceRoleForAmazonQDeveloperPolicy +## AWSServiceRoleForAmazonQDeveloper @@ -170 +52 @@ This AWS managed policy grants permissions commonly needed to use Amazon Q Devel -You can't attach AWSServiceRoleForAmazonQDeveloperPolicy to your IAM entities. This policy is attached to [a service-linked role](./using-service-linked-roles.html) that allows Amazon Q to perform actions on your behalf. For more information, see [Using service-linked roles for Amazon Q Developer and User Subscriptions](./using-service-linked-roles.html). +You can't attach AWSServiceRoleForAmazonQDeveloper to your IAM entities. This policy is attached to [a service-linked role](./using-service-linked-roles.html) that allows Amazon Q to perform actions on your behalf. For more information, see [Using service-linked roles for Amazon Q Developer and User Subscriptions](./using-service-linked-roles.html). @@ -183,22 +65 @@ This policy includes the following permissions. - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "cloudwatch:PutMetricData" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "cloudwatch:namespace": [ - "AWS/Q" - ] - } - } - } - ] - } - -To view this policy in the context of other AWS managed policies, see [AmazonQDeveloperPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonQDeveloperPolicy.html). +To view the permissions for this policy, see [AWSServiceRoleForAmazonQDeveloper](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSServiceRoleForAmazonQDeveloper.html) in the _AWS Managed Policy Reference_. @@ -227,24 +88 @@ This policy includes the following permissions. - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "identitystore:DescribeGroup", - "identitystore:DescribeUser", - "identitystore:IsMemberInGroups", - "identitystore:ListGroupMemberships", - "organizations:DescribeOrganization", - "sso:DescribeApplication", - "sso:DescribeInstance", - "sso:ListInstances", - "sso:ListApplicationAssignments", - "sso:UpdateApplication" - ], - "Resource": "*" - } - ] - } - -To view this policy in the context of other AWS managed policies, see [AWSServiceRoleForUserSubscriptions](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSServiceRoleForUserSubscriptions.html). +To view the permissions for this policy, see [AWSServiceRoleForUserSubscriptions](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSServiceRoleForUserSubscriptions.html) in the _AWS Managed Policy Reference_. @@ -265,40 +103 @@ This policy grants permission to connect with Amazon Q and utilize the features - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "GitLabDuoUsagePermissions", - "Effect": "Allow", - "Action": [ - "q:SendEvent", - "q:CreateAuthGrant", - "q:UpdateAuthGrant", - "q:GenerateCodeRecommendations",