Loading image...Kiro
  • CLI
  • Powers
  • Autonomous agent
  • Enterprise
  • Pricing
  • Docs
SIGN INDOWNLOADS
Loading image...Kiro
Loading image...Kiro
Product
  • About Kiro
  • CLI
  • Powers
  • Autonomous agent
  • Pricing
  • Downloads
For
  • Enterprise
  • Startups
Resources
  • Documentation
  • Blog
  • Changelog
  • FAQs
  • Report a bug
  • Suggest an idea
  • Billing support
Social
Site TermsLicenseResponsible AI PolicyLegalPrivacy PolicyCookie Preferences
  1. Docs
  3. IDE
  5. Privacy and security
  7. IAM permissions

IAM permissions

On this page
  • Required permissions
  • General
  • External identity provider related
  • Additional resources

Required permissions

To create a Kiro profile and manage subscriptions, you need to ensure that the role managing it has the following IAM permissions in the AWS account.

General

These are IAM permissions required to manage Kiro profile and users subscriptions regardless of the identity store you use. Here are the supported identity stores.

- codewhisperer:ListProfiles
- codewhisperer:CreateProfile
- codewhisperer:DeleteProfile
- codewhisperer:UpdateProfile
- codewhisperer:TagResource
- codewhisperer:UntagResource
- codewhisperer:ListTagsForResource
- codewhisperer:AllowVendedLogDeliveryForResource
- q:ListDashboardMetrics

External identity provider related

If you are connecting an external identity provider, you will also need the following permissions

- q:ListLoginDomains
- q:AssociateLoginDomain
- q:DisassociateLoginDomain
- q:ListScimAccessTokens
- q:CreateScimAccessToken
- q:DeleteScimAccessToken
- q:ListGroups
- q:ListUsers
- q:BatchDescribeUsers
- q:BatchDescribeGroups

Additional resources

For more information about IAM and security best practices:

  • AWS Identity and Access Management documentation
  • IAM best practices
  • Kiro data protection
  • Kiro infrastructure security
Page updated: February 25, 2026
Infrastructure security
Firewalls, proxies, and data perimeters