Example IAM policies for Amazon Q Business application environment supporting anonymous access
We strongly recommend that you use restricted policies for the role that calls the chat APIs in application environments that support anonymous access.
You need permission policies to use Amazon Q Business application environments that support anonymous access. The following are examples of such restricted policies.
Policy for calling relevant APIs
Example policy to allow the Amazon Q Business APIs for anonymous access
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "QBusinessAnonymousConversationAPIPermissions",
        "Effect": "Allow",
        "Action": [
            "qbusiness:Chat",
            "qbusiness:ChatSync",
            "qbusiness:PutFeedback"
        ],
        "Resource": "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}"
    }]
}
Applying your restricted policies to an IAM role for using APIs for Amazon Q application environments supporting anonymous access
- Create a directory named policies.
- In that directory, create and save a file named permspolicyforAPIanonymous.json with the JSON for allowing Amazon Q Business API calls for anonymous access.
- Finally, create and attach the policy using the following commands in the AWS CLI.
Create and attach policy
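# {{role_name}} is the existing role that calls the chat APIs and
# {{policy_name}} is a name you choose for the inline policy (placeholders).
aws iam put-role-policy \
    --role-name {{role_name}} \
    --policy-name {{policy_name}} \
    --policy-document file://policies/permspolicyforAPIanonymous.json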
Policies for using the web experience
Example policy to allow the Amazon Q Business web experience for anonymous access
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "QBusinessAnonymousWebExperienceConversationPermissions",
        "Effect": "Allow",
        "Action": [
            "qbusiness:Chat",
            "qbusiness:ChatSync",
            "qbusiness:PutFeedback",
            "qbusiness:GetChatControlsConfiguration",
            "qbusiness:GetApplication"
        ],
        "Resource": "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}"
    }]
}
Example trust policy to allow the Amazon Q Business web experience for anonymous access
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QBusinessTrustPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "application.qbusiness.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "{{account_id}}"
                },
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}"
                }
            }
        }
    ]
}
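One way to check a policy file against the restricted examples above before attaching it to a role. This is an added example, not AWS code: the function names, the sample ARN and the sample policies are constructed for illustration, and the action sets are copied from the example policies on this page.

```python
# Action sets copied from the two permissions policies on this page.
API_ACTIONS = {"qbusiness:Chat", "qbusiness:ChatSync", "qbusiness:PutFeedback"}
WEB_ACTIONS = API_ACTIONS | {"qbusiness:GetChatControlsConfiguration",
                             "qbusiness:GetApplication"}
SERVICE = "application.qbusiness.amazonaws.com"

def _listify(value):
    # IAM allows a single string wherever a list is accepted.
    return value if isinstance(value, list) else [value]

def check_permissions(policy, allowed):
    """Findings for a permissions policy; [] means no broader than the example."""
    findings = []
    for stmt in _listify(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource grants an open-ended set")
        for action in _listify(stmt.get("Action", [])):
            if action not in allowed:  # also rejects wildcards such as qbusiness:*
                findings.append(f"action outside restricted set: {action}")
        for arn in _listify(stmt.get("Resource", [])):
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            if ("*" in arn or len(parts) != 6 or parts[2] != "qbusiness"
                    or not parts[5].startswith("application/")):
                findings.append(f"resource not one application ARN: {arn}")
    return findings

def check_trust(policy):
    """Findings for a trust policy; [] means service principal plus both conditions."""
    findings = []
    for stmt in _listify(policy["Statement"]):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or principal.get("Service") != SERVICE:
            findings.append("principal is not the Amazon Q Business service")
        cond = stmt.get("Condition", {})
        if "aws:SourceAccount" not in cond.get("StringEquals", {}):
            findings.append("missing aws:SourceAccount condition")
        if "aws:SourceArn" not in cond.get("ArnEquals", {}):
            findings.append("missing aws:SourceArn condition")
    return findings

# Constructed samples: region, account ID and application ID are placeholders.
APP = "arn:aws:qbusiness:us-east-1:111122223333:application/example-app-id"
SAMPLE_OK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["qbusiness:Chat", "qbusiness:ChatSync"], "Resource": APP}]}
SAMPLE_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "qbusiness:*", "Resource": "*"}]}
```

To check a saved file, load it with `json.load` and pass the result to `check_permissions` with `API_ACTIONS` or `WEB_ACTIONS`, or to `check_trust`.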
Applying your restricted policies for using the web experience to an IAM role
- Create a directory named policies.
- Then, in the same directory, create and save a file named permspolicyforwebexperienceanonymous.json with the JSON for allowing the Amazon Q Business web experience for anonymous access.
- Then, in the same directory, create and save a file named trustpolicyforanonymous.json with the JSON for the trust policy to allow the Amazon Q Business web experience for anonymous access.
- Finally, create and attach the policies using the following commands in the AWS CLI.
Create and attach policy
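# {{role_name}} and {{policy_name}} are placeholders for names you choose.
aws iam create-role \
    --role-name {{role_name}} \
    --assume-role-policy-document file://policies/trustpolicyforanonymous.json
aws iam put-role-policy \
    --role-name {{role_name}} \
    --policy-name {{policy_name}} \
    --policy-document file://policies/permspolicyforwebexperienceanonymous.json
Note
For the web experience to work properly with AWS CLI commands, both policies are needed.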
Amazon Q also supports using a service-linked role (AWSServiceRoleForQBusiness) for an Amazon Q application environment.
The following is the service-linked role policy:
For more information on using service-linked roles for an Amazon Q application environment, see Using service-linked roles.