AWS chatbot documentation change
Summary
Updated terminology from 'chat channels' to 'chat applications' throughout the document. Added JSON code block formatting and section separators. Maintained existing IAM policy content while updating service references.
Security assessment
Changes are primarily terminology updates (chat channels→chat applications) and formatting improvements. No new security controls, vulnerabilities, or policy changes were introduced. Existing security-related content about IAM policies remains substantively unchanged.
Diff
diff --git a/chatbot/latest/adminguide/chatbot-iam-policies.md b/chatbot/latest/adminguide/chatbot-iam-policies.md index 314ce2d4f..c176dad6e 100644 --- a//chatbot/latest/adminguide/chatbot-iam-policies.md +++ b//chatbot/latest/adminguide/chatbot-iam-policies.md @@ -5 +5 @@ -AWS managed IAM policies in Amazon Q Developer in chat channelsCustomer managed IAM policies in Amazon Q Developer in chat channels +AWS managed IAM policies in Amazon Q Developer in chat applicationsCustomer managed IAM policies in Amazon Q Developer in chat applications @@ -9 +9 @@ AWS Chatbot is now Amazon Q Developer. [Learn more](./service-rename.html) -# IAM policies for Amazon Q Developer in chat channels +# IAM policies for Amazon Q Developer in chat applications @@ -11 +11 @@ AWS Chatbot is now Amazon Q Developer. [Learn more](./service-rename.html) -This section describes the IAM permissions and policies that Amazon Q Developer in chat channels uses to secure its operations with other AWS services. Amazon Q Developer in chat channels uses these permissions to safely forward Amazon SNS notifications to chat rooms, support AWS CLI commands sessions in Slack, invoke Lambda functions, and create AWS support tickets directly in the Slack console. You can also define your own custom policies for the same purposes, using these policies as templates. +This section describes the IAM permissions and policies that Amazon Q Developer in chat applications uses to secure its operations with other AWS services. Amazon Q Developer in chat applications uses these permissions to safely forward Amazon SNS notifications to chat rooms, support AWS CLI commands sessions in Slack, invoke Lambda functions, and create AWS support tickets directly in the Slack console. You can also define your own custom policies for the same purposes, using these policies as templates. @@ -13 +13 @@ This section describes the IAM permissions and policies that Amazon Q Developer -When you create a new role in the Amazon Q Developer in chat applications console, any of the IAM policies described in this topic might be assigned to that role. You could apply all of them to a single role, or choose only a couple of them based on how the users of that role will use the Amazon Q Developer in chat channels. Some policies contain a superset of permissions of other policies. +When you create a new role in the Amazon Q Developer in chat applications console, any of the IAM policies described in this topic might be assigned to that role. You could apply all of them to a single role, or choose only a couple of them based on how the users of that role will use the Amazon Q Developer in chat applications. Some policies contain a superset of permissions of other policies. @@ -17 +17 @@ When you create a new role in the Amazon Q Developer in chat applications consol - * AWS managed IAM policies in Amazon Q Developer in chat channels + * AWS managed IAM policies in Amazon Q Developer in chat applications @@ -19 +19 @@ When you create a new role in the Amazon Q Developer in chat applications consol - * Customer managed IAM policies in Amazon Q Developer in chat channels + * Customer managed IAM policies in Amazon Q Developer in chat applications @@ -24 +24 @@ When you create a new role in the Amazon Q Developer in chat applications consol -## AWS managed IAM policies in Amazon Q Developer in chat channels +## AWS managed IAM policies in Amazon Q Developer in chat applications @@ -26 +26 @@ When you create a new role in the Amazon Q Developer in chat applications consol -Amazon Q Developer in chat channels supports the following AWS managed IAM policies: +Amazon Q Developer in chat applications supports the following AWS managed IAM policies: @@ -45 +45 @@ Amazon Q Developer in chat channels supports the following AWS managed IAM polic -AWS managed policies are available to all Amazon Q Developer in chat channels users, but you can't change or edit them. You can copy them and use them as templates for your own policies, knowing that you are using AWS-approved policy language to build your own policies. +AWS managed policies are available to all Amazon Q Developer in chat applications users, but you can't change or edit them. You can copy them and use them as templates for your own policies, knowing that you are using AWS-approved policy language to build your own policies. @@ -47 +47 @@ AWS managed policies are available to all Amazon Q Developer in chat channels us -Amazon Q Developer in chat channels adheres to standard IAM practices for using admin IAM accounts to activate and use the Amazon Q Developer in chat channels service. +Amazon Q Developer in chat applications adheres to standard IAM practices for using admin IAM accounts to activate and use the Amazon Q Developer in chat applications service. @@ -49 +49 @@ Amazon Q Developer in chat channels adheres to standard IAM practices for using -As a convenience, Amazon Q Developer in chat channels also supports the creation of new IAM roles directly in the Amazon Q Developer in chat applications console. However, to configure existing IAM entities to use Amazon Q Developer in chat channels, you need to use the IAM console. +As a convenience, Amazon Q Developer in chat applications also supports the creation of new IAM roles directly in the Amazon Q Developer in chat applications console. However, to configure existing IAM entities to use Amazon Q Developer in chat applications, you need to use the IAM console. @@ -53 +53 @@ As a convenience, Amazon Q Developer in chat channels also supports the creation -The **ReadOnlyAccess** policy is an AWS managed policy that is automatically assigned to roles in the Amazon Q Developer in chat channels service. +The **ReadOnlyAccess** policy is an AWS managed policy that is automatically assigned to roles in the Amazon Q Developer in chat applications service. @@ -55 +55 @@ The **ReadOnlyAccess** policy is an AWS managed policy that is automatically ass -This policy does not appear in the Amazon Q Developer in chat applications console. It defines Get, List, and Describe permissions for the entire suite of AWS services, enabling Amazon Q Developer in chat channels to use this role to access any of those services on your behalf. +This policy does not appear in the Amazon Q Developer in chat applications console. It defines Get, List, and Describe permissions for the entire suite of AWS services, enabling Amazon Q Developer in chat applications to use this role to access any of those services on your behalf. @@ -61 +61 @@ You can attach this policy to new roles in IAM, or use it as a template to defin -Amazon Q Developer in chat channels must use a role that defines all the read-only permissions necessary for its usage. You can define a policy to be more restrictive or specify fewer services than the policy described here, and use that in place of the **ReadOnlyAccess** policy. However, you must ensure that all CloudWatch and Amazon SNS read-only permissions remain in your policy, or some CloudWatch features may not work with Amazon Q Developer in chat channels. The policy also must provide Get, List, and Describe permissions for services supported by Amazon Q Developer in chat channels. +Amazon Q Developer in chat applications must use a role that defines all the read-only permissions necessary for its usage. You can define a policy to be more restrictive or specify fewer services than the policy described here, and use that in place of the **ReadOnlyAccess** policy. However, you must ensure that all CloudWatch and Amazon SNS read-only permissions remain in your policy, or some CloudWatch features may not work with Amazon Q Developer in chat applications. The policy also must provide Get, List, and Describe permissions for services supported by Amazon Q Developer in chat applications. @@ -64,0 +65,6 @@ The policy's JSON code is shown following: +JSON + + +**** + + @@ -73 +78,0 @@ The policy's JSON code is shown following: - "a4b:Describe*", @@ -89 +93,0 @@ The policy's JSON code is shown following: - (...) @@ -101 +106 @@ The policy's JSON code is shown following: -You can attach the **CloudWatchReadOnlyAccess** policy to Amazon Q Developer in chat channels roles when you edit them in the IAM console. This policy does not appear in the Amazon Q Developer in chat applications console. +You can attach the **CloudWatchReadOnlyAccess** policy to Amazon Q Developer in chat applications roles when you edit them in the IAM console. This policy does not appear in the Amazon Q Developer in chat applications console. @@ -103 +108 @@ You can attach the **CloudWatchReadOnlyAccess** policy to Amazon Q Developer in -It is an AWS managed policy. You can attach this policy to any role for Amazon Q Developer in chat channels usage. You can define your own policy with greater restrictions, using this policy as a template. +It is an AWS managed policy. You can attach this policy to any role for Amazon Q Developer in chat applications usage. You can define your own policy with greater restrictions, using this policy as a template. @@ -105 +110 @@ It is an AWS managed policy. You can attach this policy to any role for Amazon Q -Amazon Q Developer in chat channels users can use this policy to support Amazon CloudWatch events reporting, alarms, CloudWatch logs, and CloudWatch trend charts for most of Amazon Q Developer in chat channels's supported AWS services. It allows read-only operations for CloudWatch Logs and the Amazon Simple Notification Service service, and can be used in place of the customer managed Notification permissions policy. However, you must use the IAM console to attach this policy to any IAM role. +Amazon Q Developer in chat applications users can use this policy to support Amazon CloudWatch events reporting, alarms, CloudWatch logs, and CloudWatch trend charts for most of Amazon Q Developer in chat applications's supported AWS services. It allows read-only operations for CloudWatch Logs and the Amazon Simple Notification Service service, and can be used in place of the customer managed Notification permissions policy. However, you must use the IAM console to attach this policy to any IAM role. @@ -107 +112 @@ Amazon Q Developer in chat channels users can use this policy to support Amazon -The Logs permissions also support the useful **Show Logs** feature for CloudWatch alarms notifications in Slack. Amazon Q Developer in chat channels also supports actions for displaying logs for Lambda and Amazon API Gateway. +The Logs permissions also support the useful **Show Logs** feature for CloudWatch alarms notifications in Slack. Amazon Q Developer in chat applications also supports actions for displaying logs for Lambda and Amazon API Gateway. @@ -110,0 +116,6 @@ The policy's JSON code is shown following: +JSON + + +**** + + @@ -141 +153 @@ In the IAM console, this policy appears as **AWSSupportAccess**. -It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat channels. +It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat applications. @@ -146,0 +159,6 @@ The policy's JSON code is shown following: +JSON + + +**** + + @@ -167 +186 @@ In the IAM console, this policy appears as **AmazonQFullAccess**. -It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat channels. +It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat applications. @@ -170,0 +190,6 @@ The policy's JSON code is shown following: +JSON + + +**** + + @@ -245 +271 @@ In the IAM console, this policy appears as **AIOpsOperatorAccess**. -It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat channels. +It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat applications. @@ -248,0 +275,6 @@ The policy's JSON code is shown following: +JSON + + +**** + + @@ -364 +397 @@ In the IAM console, this policy appears as **AWSResourceExplorerReadOnlyAccess** -It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat channels. +It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat applications. @@ -367,0 +401,6 @@ The policy's JSON code is shown following: +JSON + + +**** + + @@ -396 +436 @@ In the IAM console, this policy appears as **AWSIncidentManagerResolverAccess**. -It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat channels. +It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat applications. @@ -399,0 +440,6 @@ The policy's JSON code is shown following: +JSON + + +**** + + @@ -441 +486,0 @@ The policy's JSON code is shown following: -## Customer managed IAM policies in Amazon Q Developer in chat channels @@ -443 +488,3 @@ The policy's JSON code is shown following: -Amazon Q Developer in chat channels also supports three service-provided customer managed IAM policies, that you can apply to any Amazon Q Developer in chat channels role. They can also be used as templates for defining custom IAM permissions for your users: +## Customer managed IAM policies in Amazon Q Developer in chat applications + +Amazon Q Developer in chat applications also supports three service-provided customer managed IAM policies, that you can apply to any Amazon Q Developer in chat applications role. They can also be used as templates for defining custom IAM permissions for your users: @@ -454 +501 @@ Amazon Q Developer in chat channels also supports three service-provided custome -### The Amazon Q Developer in chat channels Read-Only Command Permissions IAM policy +### The Amazon Q Developer in chat applications Read-Only Command Permissions IAM policy @@ -458 +505 @@ The **Read-Only Command Permissions** policy appears in the Amazon Q Developer i -It is a customer managed policy. It pairs with the Lambda-Invoke Command Permissions policy to provide a convenient Amazon Q Developer in chat channels configuration to enable Slack channel support for sending commands to the AWS CLI. +It is a customer managed policy. It pairs with the Lambda-Invoke Command Permissions policy to provide a convenient Amazon Q Developer in chat applications configuration to enable Slack channel support for sending commands to the AWS CLI. @@ -460 +507 @@ It is a customer managed policy. It pairs with the Lambda-Invoke Command Permiss -The **Read-Only Command Permissions** policy denies permission for Amazon Q Developer in chat channels users to get sensitive information from AWS services through the Slack channel, such as Amazon EC2 password information, key pairs and login credentials. +The **Read-Only Command Permissions** policy denies permission for Amazon Q Developer in chat applications users to get sensitive information from AWS services through the Slack channel, such as Amazon EC2 password information, key pairs and login credentials. @@ -464 +511 @@ This policy appears in the IAM console as the **AWS-Chatbot-ReadOnly-Commands-Po -You can edit and assign this policy to any role in Amazon Q Developer in chat channels or in IAM. For editing of roles and policies for Amazon Q Developer in chat channels usage, we recommend using the IAM console. +You can edit and assign this policy to any role in Amazon Q Developer in chat applications or in IAM. For editing of roles and policies for Amazon Q Developer in chat applications usage, we recommend using the IAM console. @@ -473,0 +521,6 @@ The policy's JSON code is shown following: +JSON + + +**** + + @@ -505 +557,0 @@ The policy's JSON code is shown following: -### The Amazon Q Developer in chat channels Lambda-Invoke Command Permissions policy @@ -507 +559,3 @@ The policy's JSON code is shown following: -The **Lambda-Invoke Command Permissions** policy appears in the Amazon Q Developer in chat applications console when you configure resources. It pairs with the Read-Only Command Permissions policy to provide a convenient Amazon Q Developer in chat channels configuration to enable Slack channel access to the AWS CLI, and to features that make sense for CLI use. The policy allows Amazon Q Developer in chat channels users to invoke Lambda functions in their Slack channels. +### The Amazon Q Developer in chat applications Lambda-Invoke Command Permissions policy + +The **Lambda-Invoke Command Permissions** policy appears in the Amazon Q Developer in chat applications console when you configure resources. It pairs with the Read-Only Command Permissions policy to provide a convenient Amazon Q Developer in chat applications configuration to enable Slack channel access to the AWS CLI, and to features that make sense for CLI use. The policy allows Amazon Q Developer in chat applications users to invoke Lambda functions in their Slack channels. @@ -511 +565 @@ It is a customer managed policy. In the IAM console, it appears as **AWS-Chatbot -You can edit and assign this policy to any role in Amazon Q Developer in chat channels or in IAM. +You can edit and assign this policy to any role in Amazon Q Developer in chat applications or in IAM. @@ -515 +569 @@ By default, the **Lambda-Invoke** policy is very permissive, because you can inv -We recommend using this policy as a template to define your own, more restrictive policies, such as permissions to invoke functions developed for your DevOps team that only they should be able to invoke, and deny permissions to invoke Lambda functions for any other purpose. To edit roles and policies for Amazon Q Developer in chat channels, use the IAM console. +We recommend using this policy as a template to define your own, more restrictive policies, such as permissions to invoke functions developed for your DevOps team that only they should be able to invoke, and deny permissions to invoke Lambda functions for any other purpose. To edit roles and policies for Amazon Q Developer in chat applications, use the IAM console. @@ -518,0 +573,6 @@ The policy's JSON code is shown following: +JSON + + +**** + + @@ -536 +595,0 @@ The policy's JSON code is shown following: -### The Amazon Q Developer in chat channels Notification Permissions IAM policy @@ -538 +597 @@ The policy's JSON code is shown following: -The **Notification Permissions** policy appears in the Amazon Q Developer in chat applications console when you configure resources. It provides the minimum usable IAM policy configuration for using the Amazon Q Developer in chat channels in Slack channels and Amazon Chime webhooks. The **Notification Permissions** policy enables Amazon Q Developer in chat channels admins to forward CloudWatch Events, CloudWatch alarms, and format charting data for viewing in chat room messages. Because many of Amazon Q Developer in chat channels's supported services use CloudWatch as their event and alarm processing layer, Amazon Q Developer in chat channels requires this policy for core functionality. You can use other policies, such as CloudWatchReadOnlyAccess, in place of this policy, but you must attach that policy to the role in the IAM console. +### The Amazon Q Developer in chat applications Notification Permissions IAM policy @@ -540 +599,3 @@ The **Notification Permissions** policy appears in the Amazon Q Developer in cha -It is a customer managed policy. You can edit and assign this policy to any role for Amazon Q Developer in chat channels usage. +The **Notification Permissions** policy appears in the Amazon Q Developer in chat applications console when you configure resources. It provides the minimum usable IAM policy configuration for using the Amazon Q Developer in chat applications in Slack channels and Amazon Chime webhooks. The **Notification Permissions** policy enables Amazon Q Developer in chat applications admins to forward CloudWatch Events, CloudWatch alarms, and format charting data for viewing in chat room messages. Because many of Amazon Q Developer in chat applications's supported services use CloudWatch as their event and alarm processing layer, Amazon Q Developer in chat applications requires this policy for core functionality. You can use other policies, such as CloudWatchReadOnlyAccess, in place of this policy, but you must attach that policy to the role in the IAM console. + +It is a customer managed policy. You can edit and assign this policy to any role for Amazon Q Developer in chat applications usage. @@ -549,0 +611,6 @@ The policy's JSON code is shown following: +JSON + + +**** + +