AWS Security ChangesHomeSearch

AWS chatbot medium security documentation change

Service: chatbot · 2025-08-01 · Security-related medium

File: chatbot/latest/adminguide/understanding-permissions.md

Summary

Updated terminology from 'chat channels' to 'chat applications' throughout the document and removed specific IAM actions (ecr:GetLogin, lightsail:GetInstanceAccessDetail, sso-admin:*, sso-oidc:*, s3:HeadObject) from the list of unsupported commands

Security assessment

The removal of specific IAM actions from the unsupported commands list indicates expanded command capabilities. This could introduce new attack surfaces if these actions were previously restricted for security reasons (e.g., sso-admin:* and sso-oidc:* permissions are particularly sensitive). The change affects authorization boundaries without explicit justification in the diff.

Diff

diff --git a/chatbot/latest/adminguide/understanding-permissions.md b/chatbot/latest/adminguide/understanding-permissions.md
index 1d946d576..b7efe78ad 100644
--- a//chatbot/latest/adminguide/understanding-permissions.md
+++ b//chatbot/latest/adminguide/understanding-permissions.md
@@ -11 +11 @@ AWS Chatbot is now Amazon Q Developer. [Learn more](./service-rename.html)
-Amazon Q Developer in chat channels requires an AWS Identity and Access Management (IAM) role to [perform actions](./performing-actions.html). Actions you can perform in your chat channels include running commands and responding to interactive messages. Amazon Q Developer in chat channels uses organization policies, service policies, channel roles, user roles, and channel guardrail policies to control the actions channel members can take. What your users can do is the intersection of your guardrail policies and what is allowed by their roles.
+Amazon Q Developer in chat applications requires an AWS Identity and Access Management (IAM) role to [perform actions](./performing-actions.html). Actions you can perform in your chat channels include running commands and responding to interactive messages. Amazon Q Developer in chat applications uses organization policies, service policies, channel roles, user roles, and channel guardrail policies to control the actions channel members can take. What your users can do is the intersection of your guardrail policies and what is allowed by their roles.
@@ -38 +38 @@ Amazon Q Developer in chat channels requires an AWS Identity and Access Manageme
-Organization administrators can manage multiple Amazon Q Developer in chat channels settings across all accounts within an organization using an Amazon Q Developer in chat channels chat applications policy (chat applications policy). Chat applications policies define where Amazon Q Developer in chat channels can deliver notifications and if it can respond to Amazon Q Developer in chat channels mention events. For more information, see [Securing your AWS organization in Amazon Q Developer in chat applications](./securing-orgs.html).
+Organization administrators can manage multiple Amazon Q Developer in chat applications settings across all accounts within an organization using an Amazon Q Developer in chat applications chat applications policy (chat applications policy). Chat applications policies define where Amazon Q Developer in chat applications can deliver notifications and if it can respond to Amazon Q Developer in chat applications mention events. For more information, see [Securing your AWS organization in Amazon Q Developer in chat applications](./securing-orgs.html).
@@ -48 +48 @@ Service control policies (SCPs) are a type of organization policy that you can u
-A channel role gives all channel members the same permissions. This is useful if your channel members are similar users or they typically perform the same actions. You can use an existing role as your channel role or you can create a new role using templates. If you use a channel role, your channel members can still choose their own user roles. Your channel role is restricted by your guardrail policies. You can set your channel role in channel configurations from the Amazon Q Developer in chat channels console. 
+A channel role gives all channel members the same permissions. This is useful if your channel members are similar users or they typically perform the same actions. You can use an existing role as your channel role or you can create a new role using templates. If you use a channel role, your channel members can still choose their own user roles. Your channel role is restricted by your guardrail policies. You can set your channel role in channel configurations from the Amazon Q Developer in chat applications console. 
@@ -73 +73 @@ There are eight templates that can be used to create a channel role:
-You can use any and all combinations of these templates to suit your needs. For example, if you want to create a configuration that only delivers notifications, choose **Notification permissions** as your policy template. If you want your channel members to run read-only commands exclusively and you want notifications to be delivered, choose **Read-only command permissions** and **Notification permissions** as your policy templates. For more information, see [IAM policies for Amazon Q Developer in chat channels](./chatbot-iam-policies.html).
+You can use any and all combinations of these templates to suit your needs. For example, if you want to create a configuration that only delivers notifications, choose **Notification permissions** as your policy template. If you want your channel members to run read-only commands exclusively and you want notifications to be delivered, choose **Read-only command permissions** and **Notification permissions** as your policy templates. For more information, see [IAM policies for Amazon Q Developer in chat applications](./chatbot-iam-policies.html).
@@ -89 +89 @@ This feature is enforced at the account level.
-Guardrail policies provide detailed control over what actions are available to your channel members and what actions Amazon Q Developer in chat channels can perform on your behalf. They constrain and take precedence over both user roles and channel roles. For example, if a user has a user role that allows administrator access, and they belong to a channel where the channel role or the guardrail policies limit permissions on one or more services, the user will have less than administrator-level access. You can set, view, and edit your guardrail policies in the Amazon Q Developer in chat channels console. If you had an Amazon Q Developer in chat channels configuration before the expansion of available commands on 11/28/2021, you may have a protection policy applied as one of your guardrail policies. 
+Guardrail policies provide detailed control over what actions are available to your channel members and what actions Amazon Q Developer in chat applications can perform on your behalf. They constrain and take precedence over both user roles and channel roles. For example, if a user has a user role that allows administrator access, and they belong to a channel where the channel role or the guardrail policies limit permissions on one or more services, the user will have less than administrator-level access. You can set, view, and edit your guardrail policies in the Amazon Q Developer in chat applications console. If you had an Amazon Q Developer in chat applications configuration before the expansion of available commands on 11/28/2021, you may have a protection policy applied as one of your guardrail policies. 
@@ -97 +97,7 @@ AWS Service Roles IAM policies can't be used as guardrail policies.
-Amazon Q Developer in chat channels doesn't support running commands for operations in the following JSON policy:
+Amazon Q Developer in chat applications doesn't support running commands for operations in the following JSON policy:
+
+JSON
+    
+
+****
+    
@@ -116 +121,0 @@ Amazon Q Developer in chat channels doesn't support running commands for operati
-            "ecr:GetLogin",
@@ -121 +125,0 @@ Amazon Q Developer in chat channels doesn't support running commands for operati
-            "lightsail:GetInstanceAccessDetail",
@@ -132,2 +135,0 @@ Amazon Q Developer in chat channels doesn't support running commands for operati
-            "sso-admin:*",
-            "sso-oidc:*",
@@ -137 +138,0 @@ Amazon Q Developer in chat channels doesn't support running commands for operati
-            "s3:HeadObject",
@@ -151 +153 @@ Amazon Q Developer in chat channels doesn't support running commands for operati
-The expansion of usable CLI commands occurred on 11/28/2021. This expansion can allow channel members to create, read, update, and delete your AWS resources. To prevent this, a protection policy is applied as a guardrail policy to existing Amazon Q Developer in chat channels configurations by default. Specifically, the protection policy restricts permissions and actions to what was available before all CLI commands were usable. This policy is detachable, but we strongly recommend it stay in place until you’ve verified that all your guardrails, channel IAM roles, and user-level roles align with your governance policy or channel requirements. You can detach this policy from:
+The expansion of usable CLI commands occurred on 11/28/2021. This expansion can allow channel members to create, read, update, and delete your AWS resources. To prevent this, a protection policy is applied as a guardrail policy to existing Amazon Q Developer in chat applications configurations by default. Specifically, the protection policy restricts permissions and actions to what was available before all CLI commands were usable. This policy is detachable, but we strongly recommend it stay in place until you’ve verified that all your guardrails, channel IAM roles, and user-level roles align with your governance policy or channel requirements. You can detach this policy from:
@@ -159 +161 @@ The expansion of usable CLI commands occurred on 11/28/2021. This expansion can
-  * All channel configurations in the **User permissions** page of the Amazon Q Developer in chat channels console.
+  * All channel configurations in the **User permissions** page of the Amazon Q Developer in chat applications console.
@@ -187 +189 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Test notifications with Amazon Q Developer in chat channels using CloudWatch
+Test notifications with Amazon Q Developer in chat applications using CloudWatch