
Managing Amazon Q CLI Access via Q Developer Pro
Securely enable and restrict Amazon Q CLI access for select users using Amazon Q Developer Pro. Set fine-grained controls to ensure only authorized use.
Dr. Rahul Gaikwad
Amazon Employee
Published May 13, 2025
Customer Challenges:
Organizations face difficulties enforcing granular, role-based access to Amazon Q CLI in Amazon Q Developer Pro, resulting in over-permissioning or access denials that disrupt workflows and increase security risks.
A customer wants to enable and restrict access to Amazon Q CLI using Amazon Q Developer Pro for exactly 'X' users through IAM Identity Center (IDC). They need a secure, scalable way to grant these specific users access while ensuring no other users can use the CLI. The challenge lies in configuring IAM Identity Center groups and permission sets precisely to enforce this limit, managing subscription activation, and avoiding delays or over-permissioning.
Solution:
In this blog, I will demonstrate how to enable and restrict access to only 'X' users for Amazon Q CLI with Amazon Q Developer Pro using IAM Identity Center (IDC). You can follow these steps:
- Ensure you have IAM Identity Center set up and configured in your AWS account, see Enable IAM Identity Center.
- Navigate to the Amazon Q Developer console in your AWS account.
- Click on "Subscribe to Amazon Q" and then choose "Subscribe" to enable Q Developer Pro.
- Create a group in IAM Identity Center for the 10 users who need access:
- In the IAM Identity Center console, create a new group (e.g., "Q-Developer-Pro-Users").

- Add the 'X' specific users to this group.

4. Assign access to Amazon Q Developer Pro:

5. Set up permissions:

- Here, I created an inline policy; for more details, see AmazonQDeveloperAccess.

I used the policy below to create the inline policy.
- You can define the session duration for the permission set.

- Permission sets are initially created with "Not provisioned" status.

- Assign this permission set to the group you created.

- Assign the group to AWS accounts.

- The AWS account is now assigned to the group.

- The permission set status now changes to "Provisioned".

7. Configure CLI access:
- Ensure the users have the AWS CLI installed and configured to use IAM Identity Center for authentication.
- Users will need to run 'aws configure sso' to set up their CLI access using their IAM Identity Center credentials.

8. Verify access:
- Have the users log in to the AWS Management Console using their IAM Identity Center credentials.
- They should see Amazon Q Developer Pro available in their console and be able to use it via the CLI.
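
The restriction described in these steps holds only while the group contains exactly the intended users, so it is worth checking the membership against an approved list on a schedule. The following is an added example, not code from the original post: in real use `ids` would be a boto3 `identitystore` client, and the stub client, identifiers and user names here are constructed so the check runs offline.

```python
# Added example: audit an IAM Identity Center group against an approved allowlist.
# All identifiers and user names below are constructed sample values.

def group_usernames(ids, store_id, group_id):
    """Return the set of user names that are members of the given group."""
    names = set()
    pages = ids.get_paginator("list_group_memberships").paginate(
        IdentityStoreId=store_id, GroupId=group_id)
    for page in pages:
        for membership in page["GroupMemberships"]:
            user = ids.describe_user(IdentityStoreId=store_id,
                                     UserId=membership["MemberId"]["UserId"])
            names.add(user["UserName"])
    return names

def audit(actual, approved):
    """Compare membership with the allowlist; any difference is a finding."""
    actual, approved = set(actual), set(approved)
    return {"unexpected": sorted(actual - approved),  # has access, not approved
            "missing": sorted(approved - actual),     # approved, no access yet
            "ok": actual == approved}

class StubIdentityStore:
    """Constructed stand-in for boto3.client("identitystore"), for offline runs."""
    def __init__(self, users, page_size=2):
        self.users = users          # {UserId: UserName}
        self.page_size = page_size  # small pages to exercise pagination

    def get_paginator(self, name):
        assert name == "list_group_memberships"
        return self

    def paginate(self, **kwargs):
        user_ids = sorted(self.users)
        for i in range(0, len(user_ids), self.page_size):
            chunk = user_ids[i:i + self.page_size]
            yield {"GroupMemberships": [{"MemberId": {"UserId": u}} for u in chunk]}

    def describe_user(self, IdentityStoreId, UserId):
        return {"UserName": self.users[UserId]}

APPROVED = {"alice", "bob", "carol"}  # the 'X' users who should have access
SAMPLE = StubIdentityStore({"u-1": "alice", "u-2": "bob", "u-3": "mallory"})

if __name__ == "__main__":
    # Real use: pass boto3.client("identitystore") with your own store and group IDs.
    report = audit(group_usernames(SAMPLE, "d-EXAMPLE", "g-EXAMPLE"), APPROVED)
    print(report)
    raise SystemExit(0 if report["ok"] else 1)
```

A non-zero exit status means the group has drifted from the allowlist, which makes the script suitable for a scheduled job or pipeline gate.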

Conclusion
In this blog, I explored how to securely enable and restrict Amazon Q CLI access to a specific number of users using IAM Identity Center in Amazon Q Developer Pro. By precisely configuring groups and permission sets, you can prevent over-permissioning and avoid access issues, ensuring a smooth and secure workflow. Following these steps helps maintain strong access control while supporting your organization’s security and compliance goals.
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.