Updating firewalls and gateways to allow access - Amazon Toolkit with Amazon Q

Updating firewalls and gateways to allow access

If you filter access to specific Amazon domains or URL endpoints by using a web-content filtering solution, the following endpoints must be allow listed in order to access all of the services and features available through the Amazon Toolkit for Visual Studio and Amazon Q.

Amazon Toolkit for Visual Studio Endpoints

The following are lists of Amazon Toolkit for Visual Studio specific endpoints and references that need to be allow listed.

Endpoints

https://idetoolkits-hostedfiles.amazonaws.com/*
https://idetoolkits.amazonwebservices.com/*
http://vstoolkit.amazonwebservices.com/*
https://aws-vs-toolkit.s3.amazonaws.com/*
https://raw.githubusercontent.com/aws/aws-toolkit-visual-studio/main/version.json
https://aws-toolkit-language-servers.amazonaws.com/*

Amazon Q plugin endpoints

The following is a list of Amazon Q plugin specific endpoints and references that need to be allow listed.

https://idetoolkits-hostedfiles.amazonaws.com/* (Plugin for configs)
https://idetoolkits.amazonwebservices.com/* (Plugin for endpoints)
https://aws-toolkit-language-servers.amazonaws.com/* (Language Server Process)
https://client-telemetry.us-east-1.amazonaws.com/ (Telemetry)
https://cognito-identity.us-east-1.amazonaws.com (Telemetry)
https://aws-language-servers.us-east-1.amazonaws.com (Language Server Process)

Amazon Q Developer endpoints

The following is a list of Amazon Q Developer specific endpoints and references that need to be allow listed.

https://codewhisperer.us-east-1.amazonaws.com (Inline, Chat, QSDA, ...)
https://q.us-east-1.amazonaws.com (Inline, Chat, QSDA, ...)
https://desktop-release.codewhisperer.us-east-1.amazonaws.com/ (Download URL for CLI)
https://specs.q.us-east-1.amazonaws.com (URL for auto-complete specs used by CLI)
* aws-language-servers.us-east-1.amazonaws.com (Local Workspace context)

Amazon Q Code Transform Endpoints

The following is a list of Amazon Q Code Transform specific endpoints and references that need to be allow listed.

https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_iam_manage-access-with-policies.html

Authentication endpoints

The following is a list of authentication endpoints and references that need to be allow listed.

[Directory ID or alias].awsapps.com
* oidc.[Region].amazonaws.com
*.sso.[Region].amazonaws.com
*.sso-portal.[Region].amazonaws.com
*.aws.dev
*.awsstatic.com
*.console.aws.a2z.com
*.sso.amazonaws.com

Identity Endpoints

The following lists contain endpoints that are specific to identity, such as Amazon IAM Identity Center and Amazon Builder ID.

Amazon IAM Identity Center

For details on required endpoints for IAM Identity Center, see the Enable IAM Identity Center topic in the Amazon IAM Identity Center User Guide.

Enterprise IAM Identity Center

https://[Center director id].awsapps.com/start (should be permitted to initiate auth)
https://us-east-1.signin.aws (for facilitating authentication, assuming IAM Identity Center is in IAD)
https://oidc.(us-east-1).amazonaws.com
https://log.sso-portal.eu-west-1.amazonaws.com
https://portal.sso.eu-west-1.amazonaws.com

Amazon Builder ID

https://view.awsapps.com/start (must be blocked to disable individual tier)
https://codewhisperer.us-east-1.amazonaws.com and q.us-east-1.amazonaws.com (should be permitted)
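
The wildcard and placeholder entries above behave as intended only if the filter matches on whole DNS labels and does not widen [Directory ID or alias].awsapps.com to a blanket awsapps.com wildcard, which would also admit the Builder ID host. The following is an added example, not AWS code, that checks constructed hostnames against a subset of this page's entries. The directory ID d-example1234, the Region value, and host-only matching (as with TLS SNI filtering) are assumptions.

```python
# Added example: host-level allow-list check using a subset of the page's entries.
DIRECTORY = "d-example1234"  # constructed stand-in for [Directory ID or alias]
REGION = "us-east-1"         # assumed value for [Region]

ALLOW = [
    "codewhisperer.us-east-1.amazonaws.com",
    "q.us-east-1.amazonaws.com",
    "client-telemetry.us-east-1.amazonaws.com",
    f"{DIRECTORY}.awsapps.com",
    f"*.sso.{REGION}.amazonaws.com",
    f"*.sso-portal.{REGION}.amazonaws.com",
    "*.aws.dev",
    "*.awsstatic.com",
    "*.console.aws.a2z.com",
    "*.sso.amazonaws.com",
]
# Builder ID start page: the page says to block it to disable the individual tier.
BLOCK = ["view.awsapps.com"]

def host_matches(host: str, pattern: str) -> bool:
    """Match on DNS label boundaries; '*.' requires at least one extra label."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keeps the leading dot, e.g. ".aws.dev"
        return len(host) > len(suffix) and host.endswith(suffix)
    return host == pattern

def decide(host: str) -> str:
    """Explicit blocks win, then the allow list, then default deny."""
    if any(host_matches(host, p) for p in BLOCK):
        return "block"
    if any(host_matches(host, p) for p in ALLOW):
        return "allow"
    return "deny"

def audit(hosts):
    return {h: decide(h) for h in hosts}

# Constructed hostnames, as they might appear in a proxy log.
SAMPLE = [
    "q.us-east-1.amazonaws.com", "portal.sso.us-east-1.amazonaws.com",
    "notsso.us-east-1.amazonaws.com", "d-example1234.awsapps.com",
    "view.awsapps.com", "other.awsapps.com", "prod.tools.shortbread.aws.dev",
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{verdict:5}  {host}")
```

Because the block list is evaluated first, a later broadening of the allow list cannot silently re-enable the Builder ID start page.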

Telemetry

The following is a Telemetry specific endpoint that needs to be allow listed.

https://client-telemetry.us-east-1.amazonaws.com

References

The following is a list of endpoint references.

idetoolkits-hostedfiles.amazonaws.com
cognito-identity.us-east-1.amazonaws.com
amazonwebservices.gallery.vsassets.io
eu-west-1.prod.pr.analytics.console.aws.a2z.com
prod.pa.cdn.uis.awsstatic.com
portal.sso.eu-west-1.amazonaws.com
log.sso-portal.eu-west-1.amazonaws.com
prod.assets.shortbread.aws.dev
prod.tools.shortbread.aws.dev
prod.log.shortbread.aws.dev
a.b.cdn.console.awsstatic.com
assets.sso-portal.eu-west-1.amazonaws.com
oidc.eu-west-1.amazonaws.com
aws-toolkit-language-servers.amazonaws.com
aws-language-servers.us-east-1.amazonaws.com
idetoolkits.amazonwebservices.com