AWS amazonq documentation change
Summary
Added new IAM permissions (e.g., organizations:DescribeOrganization, sso-directory actions) and clarified programmatic user subscription management.
Security assessment
Expands required IAM permissions for proper access control and describes subscription management methods. While related to security configuration, there is no evidence of addressing a specific vulnerability.
Diff
diff --git a/amazonq/latest/qbusiness-ug/setting-up.md b/amazonq/latest/qbusiness-ug/setting-up.md index 233b5ed7c..3f46637bb 100644 --- a//amazonq/latest/qbusiness-ug/setting-up.md +++ b//amazonq/latest/qbusiness-ug/setting-up.md @@ -205,5 +205,10 @@ If you're using IAM Identity Center, add the following permissions: - "sso:CreateApplication" - "sso:PutApplicationAuthenticationMethod" - "sso:PutApplicationAccessScope" - "sso:PutApplicationGrant" - "sso:DeleteApplication" + "sso:CreateApplication", + "sso:PutApplicationAuthenticationMethod", + "sso:PutApplicationAccessScope", + "sso:PutApplicationGrant", + "sso:DeleteApplication", + "organizations:DescribeOrganization", + "sso-directory:DescribeGroup", + "sso-directory:DescribeUser", + "sso:DescribeApplication", + "sso:DescribeInstance" @@ -211 +216 @@ If you're using IAM Identity Center, add the following permissions: -To assign user subscriptions to applications, you must include permissions to call the necessary user subscription-related APIs. You don't call or use the APIs directly. The subscription-related APIs give permission to create, update, cancel, and view all user subscriptions for an application. Assigning user subscriptions is only available in the Amazon Q Business console. +To assign user subscriptions to applications, you must include permissions to call the necessary user subscription-related APIs. The subscription-related APIs give permission to create, update, cancel, and view all user subscriptions for an application. You can assign user subscriptions through both the Amazon Q Business console and programmatically using the AWS CLI or AWS SDKs. @@ -281,0 +287,6 @@ The following is an example policy showing how to use `qbusiness:DisableAclOnDat +JSON + + +**** + +