Amazon Q Developer

Analyze usage, adoption, and performance metrics for your engineering team using Amazon Q Developer. This guide will walk you through the process of setting up a secure, read-only integration.

Prerequisites

Before you begin, please ensure you have the following:

Amazon Q Developer Pro subscriptions assigned to developers on your team.
An active AWS account with administrative permissions to:
- Create and manage S3 buckets.
- Create and manage IAM roles and policies.

Configure AWS for Data Export

The process involves configuring AWS to export Amazon Q metrics to a private S3 bucket.

A. Create a Cross-Account IAM Role

First, create a dedicated IAM role in your AWS account. This role provides Software.com with secure, read-only access to your Amazon Q data without sharing any secret keys.

In the AWS IAM console, create a new role.
Attach a policy to the role that grants s3:GetObject and s3:ListBucket permissions.
Following the principle of least privilege, ensure this policy is restricted to only the specific S3 bucket you will create in the next step.

B. Create an S3 bucket

Next, configure Amazon Q to export user-level data to an S3 bucket.

Create a new S3 bucket (q-developer) and folder (data) where the data will be stored (e.g., s3://q-developer/data/).

Important:

Create your bucket in us-east-1. If your organization does not support us-east-1, let us know in which region the bucket was created.
Use the S3 bucket name above (q-developer), or let us know if you use a different bucket name.

Add the following policy to your newly-created bucket:

{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "DataSyncCreateS3LocationAndTaskAccess",
      "Effect": "Allow",
      "Principal": {
      "AWS": "arn:aws:iam::134217665810:role/service-role/AWSDataSyncS3BucketAccess-q-developer-data-0d48b"
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::q-developer",
        "arn:aws:s3:::q-developer/*"
      ]
    }
  ]
}

Disable your destination S3 bucket ACLs:
1. On the bucket's detail page, choose the Permissions tab.
2. Under Object Ownership, choose Edit.
3. If it isn't already selected, choose the ACLs disabled (recommended) option.
4. Click Save changes.

C. Enable Granular Metrics in Amazon Q

In your Amazon Q admin settings, enable the “Collect granular metrics per user” option.
Set the S3 location to the bucket path you just created.
Grant the IAM role you created in the previous step access to this S3 bucket.

⚠️ Important: Do not enable prompt logging. This setting includes full prompts and proprietary code in the data export. If this is enabled, we will be unable to ingest your data.

Ongoing Data Sync

Amazon Q Developer writes new usage data to your S3 bucket daily.
Software.com will automatically ingest this data every 24 hours to align with Amazon's schedule.
To access the bucket, our platform securely "assumes" the IAM role you configured using its ARN. AWS then grants us temporary, short-lived credentials to read the data. We never receive or store your secret keys.

Resources

Amazon Q Developer Dashboard: Introducing the Amazon Q Developer Dashboard and CloudWatch metrics
Tutorial: Transferring data between Amazon S3 buckets across AWS accounts