Security for the Amazon Q cost analysis capability - Amazon Cost Management
PermissionsData protection
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security for the Amazon Q cost analysis capability

Amazon Q's cost analysis capability is in preview and can make mistakes. Please verify your cost data with Amazon Cost Explorer. Use the thumb icon in Amazon Q to provide feedback and help us improve.

This page provides an overview of permissions and data protection for the Amazon Q cost analysis capability.

Permissions

All cost data provided by Amazon Q is sourced from Cost Explorer. The IAM user who accesses Amazon Q’s cost analysis capabilities must have permissions to use Amazon Q, and permissions to retrieve cost and usage data from Cost Explorer. The quickest way for an administrator to grant users access to Amazon Q is to use the AmazonQFullAccess managed policy. Users also need access to the ce:GetCostAndUsage permission.

The following IAM policy statement grants users access to the cost analysis capability in Amazon Q:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "EnablesCostAnalysisInAmazonQ",
			"Effect": "Allow",
			"Action": [
				"q:*",
				"ce:GetCostAndUsage"
			],
			"Resource": "*"
		}
	]
}

For users of Amazon Organizations, management account administrators can restrict member account users’ access to Cost Explorer data (including access to discounts, credits, and refunds) using the Cost Management preferences in the Billing and Cost Management console. These preferences apply to Amazon Q in the same way that they apply to the management console, SDK, and CLI. Amazon Q respects the existing preferences of customers.

Data protection

All of Amazon Q Developer’s existing data protection policies also apply to cost data. Amazon may use certain content from Amazon Q Developer for service improvement, including questions to Amazon Q and its responses, to provide better responses to common questions, fix Amazon Q operational issues, or for de-bugging. To learn more, see Amazon Q Developer service improvement in the Amazon Q Developer User Guide. For information on how to opt out of having your content used for service improvements, see AI services opt-out policies in the Amazon Organizations User Guide.