AWS Security ChangesHomeSearch

AWS lexv2 documentation change

Service: lexv2 · 2026-03-22 · Documentation medium

File: lexv2/latest/dg/built-in-intent-qinconnect.md

Summary

Added detailed IAM permissions policy including KMS key requirements and ARN formatting fixes

Security assessment

Documents required encryption/decryption permissions (kms:Decrypt, kms:GenerateDataKey) and resource constraints, improving security documentation clarity. However, this appears to be general documentation improvement rather than addressing a disclosed vulnerability. The ARN placeholder fix ({accountId} -> accountId) is a formatting correction.

Diff

diff --git a/lexv2/latest/dg/built-in-intent-qinconnect.md b/lexv2/latest/dg/built-in-intent-qinconnect.md
index 353f761a9..77de952b0 100644
--- a//lexv2/latest/dg/built-in-intent-qinconnect.md
+++ b//lexv2/latest/dg/built-in-intent-qinconnect.md
@@ -90,0 +91,52 @@ The Service Linked Role will get updated with the following permissions if the Q
+    
+    {
+        "Version": "2012-10-17", 		 	 	 
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Sid": "QInConnectAssistantPolicy",
+                "Action": [
+                    "wisdom:CreateSession",
+                    "wisdom:GetAssistant"
+                ],
+                "Resource": [
+                    "arn:aws:wisdom:*:accountId:assistant/assistantId",
+                    "arn:aws:wisdom:*:accountId:assistant/assistantId/*"
+                ]
+            },
+            {
+                "Effect": "Allow",
+                "Sid": "QInConnectSessionsPolicy",
+                "Action": [
+                    "wisdom:SendMessage",
+                    "wisdom:GetNextMessage"
+                ],
+                "Resource": [
+                    "arn:aws:wisdom:*:accountId:session/assistantId/*"
+                ]
+            },
+            {
+                "Sid": "QInConnectKmsCMKPolicy",
+                "Effect": "Allow",
+                "Action": [
+                    "kms:Decrypt",
+                    "kms:GenerateDataKey"
+                ],
+                "Resource": [
+                    "arn:aws:kms:region:accountId:key/keyId"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "aws:ResourceAccount": "accountId",
+                        "kms:ViaService": "wisdom.region.amazonaws.com",
+                        "kms:EncryptionContext:aws:wisdom:assistant:arn": ["arn:aws:wisdom:region:accountId:assistant/assistantId"]
+                    }
+                }
+            }
+        ]
+    }
+
+###### Note
+
+The `QInConnectKmsCMKPolicy` statement is only required if you are using a customer managed KMS key with the Amazon Q in Connect assistant.
+
@@ -103 +155 @@ The Service Linked Role will get updated with the following permissions if the Q
-                "aws:SourceAccount": "{accountId}"
+                "aws:SourceAccount": "accountId"
@@ -106 +158 @@ The Service Linked Role will get updated with the following permissions if the Q
-                "aws:SourceArn": "arn:aws:lex:*:{accountId}:bot-alias/{botId}/*"
+                "aws:SourceArn": "arn:aws:lex:*:accountId:bot-alias/botId/*"