Security for Amazon Q Developer's cost analysis capability
The following provides an overview of permissions and data protection for Amazon Q Developer's cost analysis capability.
Permissions
All cost data provided by Amazon Q Developer is sourced from Cost Explorer. The IAM user who accesses Amazon Q Developer's cost analysis capabilities must have permissions to use Amazon Q Developer and permissions to retrieve cost and usage data from Cost Explorer. The quickest way for an administrator to grant users access to Amazon Q Developer is to use the AmazonQFullAccess managed policy. That managed policy covers only the Amazon Q Developer side; users also need the ce:GetCostAndUsage permission, which must be granted separately.
The following IAM policy statement grants users access to the cost analysis capability in Amazon Q Developer:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnablesCostAnalysisInAmazonQ",
            "Effect": "Allow",
            "Action": [
                "q:StartConversation",
                "q:SendMessage",
                "q:GetConversation",
                "q:ListConversations",
                "q:PassRequest",
                "ce:GetCostAndUsage",
                "ce:GetCostForecast",
                "ce:GetDimensionValues",
                "ce:GetTags",
                "ce:GetCostCategories"
            ],
            "Resource": "*"
        }
    ]
}
q:PassRequest is an Amazon Q Developer permission that allows Amazon Q Developer to call Amazon APIs on your behalf. When you add the q:PassRequest permission to an IAM identity, Amazon Q Developer gains permission to call any API that the IAM identity has permission to call. For example, if an IAM role has the ce:GetCostAndUsage permission and the q:PassRequest permission, Amazon Q Developer is able to call the GetCostAndUsage API when a user assuming that IAM role asks Amazon Q Developer to retrieve cost and usage data from Cost Explorer. Because q:PassRequest inherits the identity's entire permission set rather than a fixed list of actions, attach it only to identities whose other permissions are already scoped to what you are willing to let Amazon Q Developer invoke, or carve out exceptions with the aws:CalledVia condition described next.
You can also allow IAM principals to access Cost Explorer and to use Amazon Q Developer, but restrict them from using the cost analysis capability in Amazon Q Developer, by using the aws:CalledVia global condition key. aws:CalledVia is a multivalued key that lists the services that made the request on the principal's behalf; it is absent from the request context when the principal calls Cost Explorer directly, so the ForAnyValue:StringEquals Deny below does not fire on direct calls, and because an explicit Deny overrides any Allow, it does fire when Amazon Q Developer (q.amazonaws.com) calls Cost Explorer via q:PassRequest. The following IAM policy provides an example of using this condition key.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "q:StartConversation",
                "q:SendMessage",
                "q:GetConversation",
                "q:ListConversations",
                "q:PassRequest",
                "ce:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ce:*"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "q.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
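To see how the two policies above differ in practice, the following script simulates their evaluation locally. It is an added example for this page, not code from the Amazon Q Developer documentation or the IAM service: it reproduces the two policy documents as Python dicts and implements only the slice of IAM evaluation they exercise (Allow/Deny, `*` wildcards in Action, Resource `*`, and `ForAnyValue:StringEquals` on the multivalued `aws:CalledVia` key). The `called_via` argument is an assumption standing in for the request-context value that IAM populates when Amazon Q Developer calls Cost Explorer on the user's behalf via q:PassRequest; SCPs, permissions boundaries and resource policies are out of scope. The `compare()` function runs the same requests against both policies so the aws:CalledVia carve-out is visible side by side.

```python
"""Constructed example: a local simulation of the two IAM policies on this page.
Not AWS code and not the real IAM evaluation engine; it models only the policy
features those two documents use."""
import fnmatch

Q_ACTIONS = ["q:StartConversation", "q:SendMessage", "q:GetConversation",
             "q:ListConversations", "q:PassRequest"]

# Policy 1 from the page: enables the cost analysis capability.
ENABLE_COST_ANALYSIS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnablesCostAnalysisInAmazonQ",
        "Effect": "Allow",
        "Action": Q_ACTIONS + ["ce:GetCostAndUsage", "ce:GetCostForecast",
                               "ce:GetDimensionValues", "ce:GetTags",
                               "ce:GetCostCategories"],
        "Resource": "*",
    }],
}

# Policy 2 from the page: Cost Explorer and Amazon Q allowed, but no ce: calls made via Q.
RESTRICT_VIA_Q = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": Q_ACTIONS + ["ce:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["ce:*"], "Resource": "*",
         "Condition": {"ForAnyValue:StringEquals":
                       {"aws:CalledVia": ["q.amazonaws.com"]}}},
    ],
}


def action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def condition_holds(condition, ctx):
    """Evaluate ForAnyValue:StringEquals, the only operator these policies use.
    Set-operator rule: when the key is absent from the request context,
    ForAnyValue evaluates to false, so the Deny never fires on direct calls."""
    for operator, pairs in condition.items():
        if operator != "ForAnyValue:StringEquals":
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            present = ctx.get(key, [])
            if not any(value in wanted for value in present):
                return False
    return True


def evaluate(policies, action, called_via=()):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    called_via (assumed input) lists the services in the call chain, e.g.
    ['q.amazonaws.com'] when Amazon Q Developer calls Cost Explorer for the user.
    Resource is ignored because every statement here uses "*"."""
    ctx = {"aws:CalledVia": list(called_via)} if called_via else {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if not any(action_matches(p, action) for p in actions):
                continue
            if not condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny overrides any Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def compare():
    """Run the same requests against each policy; returns verdicts per policy."""
    requests = [
        ("ce:GetCostAndUsage", ()),                    # user calls Cost Explorer directly
        ("ce:GetCostAndUsage", ("q.amazonaws.com",)),  # Amazon Q calls it via q:PassRequest
        ("ce:GetCostForecast", ("q.amazonaws.com",)),  # also caught by the ce:* Deny
        ("q:SendMessage", ()),                         # user talks to Amazon Q
    ]
    return {name: [evaluate([policy], action, via) for action, via in requests]
            for name, policy in (("enable", ENABLE_COST_ANALYSIS),
                                 ("restrict", RESTRICT_VIA_Q))}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

Under the first policy all four requests are allowed; under the second, the two Cost Explorer requests that arrive via q.amazonaws.com are explicitly denied while the direct Cost Explorer call and the Amazon Q call still succeed, which is exactly the split the page describes. Requests for actions outside the policy (or relayed by a different service) fall through to an implicit deny or the plain Allow, so the simulation also makes clear that the Deny is scoped to the Amazon Q call chain, not to Cost Explorer in general.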
For users of Amazon Organizations, management account administrators can restrict member account users’ access to Cost Explorer data (including access to discounts, credits, and refunds) using the Cost Management preferences in the Amazon Billing and Cost Management console. These preferences apply to Amazon Q Developer in the same way that they apply to the management console, SDK, and CLI. Amazon Q Developer respects the existing preferences of customers.
Data protection
We may use certain content from Amazon Q Developer Free Tier for service improvement. Amazon Q may use this content, for example, to provide better responses to common questions, to fix Amazon Q operational issues, for debugging, or for model training. Content that Amazon may use for service improvement includes, for example, your questions to Amazon Q and the responses and code that Amazon Q generates. We do not use content from Amazon Q Developer Pro or Amazon Q Business for service improvement.
The way you opt out of Amazon Q Developer Free Tier using content for service improvement depends on the environment where you use Amazon Q. For the Amazon Management Console, Amazon Console Mobile Application, Amazon websites, and Amazon Chatbot, configure an AI services opt-out policy in Amazon Organizations. For more information, see AI services opt-out policies in the Amazon Organizations User Guide. In the IDE, for Amazon Q Developer Free Tier, adjust your settings in the IDE. For more information, see Opt out of data sharing in the IDE in the Amazon Q Developer User Guide.