
"As organizations increasingly adopt AI-powered development tools, a critical challenge emerges: how do you maintain security governance when AI assistants execute AWS operations on behalf of users? Organizations want to leverage AI assistance for development and read operations while maintaining strict controls over write operations that impact production systems and auditing calls made via AI assistants. Consider this scenario: A developer asks Amazon Q Developer "List my S3 buckets", Q Developer suggests aws s3 ls, the developer approves, and Q Developer executes the command via AWS CLI."
"To address this governance challenge, Amazon Q Developer includes a built-in solution: user-agent markers that automatically identify AWS CLI calls made through Q Developer in CloudTrail logs, enabling precise IAM policy controls. This blog post explores how Amazon Q Developer's built-in user-agent markers set for AWS CLI calls enable precise IAM policy controls, allowing organizations to distinguish and govern AI-assisted AWS operations while maintaining the productivity benefits of AI-powered development. The following sections demonstrate how these user-agent markers work, how to implement IAM policies that leverage them, and how to monitor their effectiveness in your environment."
Amazon Q Developer generates AWS CLI commands and executes them through its built-in use_aws and execute_bash tools. In CloudTrail, a CLI call executed by the assistant would otherwise look identical to one a developer typed into a terminal. Q Developer's built-in user-agent markers tag the AWS CLI calls it makes, so those calls are distinguishable in CloudTrail records. Because IAM exposes the caller's user agent as a condition key (aws:UserAgent), the markers can anchor policies that permit read and development operations while restricting or auditing write operations that affect production. Organizations can implement IAM policies that reference these markers and monitor CloudTrail logs to verify that the policies behave as intended, maintaining compliance while preserving AI-driven developer productivity. One caveat applies: the user agent is supplied by the client, so the markers are a governance and audit signal rather than a hard security boundary, and CloudTrail monitoring should remain in place alongside any policy that relies on them.
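As an added example (not code from the AWS post or from Amazon Q Developer), the following Python triages a handful of constructed CloudTrail records by user agent and read/write type, then emits an IAM deny policy of the shape the post describes. The page does not quote the exact marker string Q Developer places in the User-Agent header, so the value "AmazonQ-For-CLI" below is a placeholder assumption, as are the sample records and their user-agent strings; substitute the marker you observe in your own CloudTrail logs.

```python
"""Added example: classify constructed CloudTrail records as AI-assisted or
manual and as read or write, and build an IAM policy conditioned on the
user-agent marker. Not part of the original post."""
import json
from collections import Counter

# ASSUMPTION: this page does not quote the exact marker string Q Developer
# puts in the User-Agent header. "AmazonQ-For-CLI" is a placeholder; replace
# it with the value you observe in your own CloudTrail records.
AI_UA_MARKER = "AmazonQ-For-CLI"

# Prefixes CloudTrail management events use for read-type API calls; used
# only as a fallback when a record lacks the documented "readOnly" field.
READ_PREFIXES = ("Get", "List", "Describe", "Head", "Lookup")

# Constructed sample records (not captured from a real account), trimmed to
# the fields this example reads. The user-agent strings are illustrative.
SAMPLE_EVENTS = [
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "readOnly": True, "userAgent": f"aws-cli/2.15.0 {AI_UA_MARKER}"},
    {"eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com",
     "readOnly": False, "userAgent": f"aws-cli/2.15.0 {AI_UA_MARKER}"},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "readOnly": True, "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5"},
    {"eventName": "TerminateInstances", "eventSource": "ec2.amazonaws.com",
     "readOnly": False, "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5"},
    # readOnly omitted on purpose to exercise the eventName fallback
    {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "userAgent": f"aws-cli/2.15.0 {AI_UA_MARKER}"},
]


def is_ai_assisted(event, marker=AI_UA_MARKER):
    """True when the record's user agent carries the assistant marker."""
    return marker in event.get("userAgent", "")


def is_write(event):
    """Use CloudTrail's readOnly flag; fall back to the API-name prefix."""
    if "readOnly" in event:
        return not event["readOnly"]
    return not event["eventName"].startswith(READ_PREFIXES)


def triage(events, marker=AI_UA_MARKER):
    """Bucket events by origin and type; list AI-assisted writes for review."""
    counts = Counter()
    flagged = []
    for ev in events:
        origin = "ai" if is_ai_assisted(ev, marker) else "manual"
        kind = "write" if is_write(ev) else "read"
        counts[f"{origin}_{kind}"] += 1
        if origin == "ai" and kind == "write":
            flagged.append(f"{ev['eventSource']}:{ev['eventName']}")
    return {"counts": dict(counts), "flagged_ai_writes": flagged}


def build_deny_policy(write_actions, marker=AI_UA_MARKER):
    """IAM policy denying the listed actions when the caller's user agent
    carries the marker. aws:UserAgent is a documented global condition key,
    but the header is client-supplied, so this is a governance guardrail;
    keep the CloudTrail triage above running alongside it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAIAssistedWrites",
            "Effect": "Deny",
            "Action": list(write_actions),
            "Resource": "*",
            "Condition": {"StringLike": {"aws:UserAgent": f"*{marker}*"}},
        }],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
    print(json.dumps(build_deny_policy(
        ["s3:PutBucketPolicy", "ec2:TerminateInstances", "iam:CreateUser"]),
        indent=2))
```

Run it as a script to see the triage counts and the generated policy; in practice the records would come from a CloudTrail Lake query or an S3 log export rather than the inline sample, and the deny list would be the specific write actions you want blocked for AI-assisted sessions.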
Read at Amazon Web Services