This blog post will guide you through a quick start on using Amazon Q Developer for operational investigations on AWS. We’ll walk you through the step-by-step process of setting up this powerful AI-assisted troubleshooting tool . You’ll discover how to configure user permissions, manage data access, set up encryption, and start your first investigation. We also have included in this blog a self pace demo of how this new feature works.

What is Amazon Q Developer Operational Investigations?

We recently published a comprehensive blog post explaining the details of the new feature. Amazon Q’s operational investigations feature helps you quickly investigate and resolve incidents by surfacing relevant information, leveraging the power of generative AI technology. Amazon Q will scan metrics, logs, traces, deployment events, and other data to generate root cause hypotheses and actionable insights.

Getting Started

1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/
2. In the left navigation pane, choose AI Operations, Investigations.
3. Choose Configure for this account. (Please note: To create an investigation group and set up Amazon Q Developer operational investigations, you must be signed in to an IAM principal that has the either the AIOpsConsoleAdminPolicy or the AdministratorAccess IAM policy attached, or to an account that has similar permissions. Settings in the investigation group help you centrally manage the common properties of your investigations)
4. Select the retention period for investigations. The default is 90 days.
5. You can optionally customize the encryption settings. For example: if you would like to use a customer managed key instead of the default one provided by AWS. For more information, see Encryption of investigation data.

Create investigation group screen that allow to configure the retention and advanced encryption

6. (Optional) The user access section of the getting started wizard helps you understand how to set up appropriate permissions for different user roles interacting with Amazon Q Developer operational investigations. (The link will take you the documentation with more information) AWS provides three managed IAM policies: AIOpsConsoleAdminPolicy for administrators, AIOpsOperatorAccess for users who need to start and manage investigations, and AIOpsReadOnlyAccess for users who only need to view information.

User access screen that explains how to provide IAM permissions to users for Amazon Q Developer investigations assistant.

7. You can optionally connect Amazon Q Developer operational investigations to IAM Identity Center. By integrating with IAM Identity Center, you can attribute the suggestions added to the investigation feed, back to individual users. For more information, please see this link.

Identity aware console session screen to configure IAM Identity center so that suggestions can properly be attributed to users.

8. Choose Next to continue
9. In the “Investigation configuration” section, you can setup the IAM role that Q Developer will use to access telemetry data for its investigations. Select “Auto-create”. This will create a configure the new role with the required permissions.

Investigation configuration screen to setup the Q developer permissions

11. Under the Enhanced integration section, you can configure additional options that will further assist Q developer in performing the investigation. The next steps will briefly explain what these options do:
12. Tags for application boundary detection: This section allows you to specify existing custom tag keys used for your applications. These tags help Amazon Q Developer refine its search when discovering resource relationships. More information can be found here.

Enhanced integrations screen . You can setup tag for application boundary identification.

13. The CloudTrail section for change event detection lets Amazon Q Developer access CloudTrail data, improving its analysis of system changes and root cause hypotheses.

CloudTrail for change event detection screen.

14. The X-Ray for topology mapping and Application Signals for health assessment sections highlight additional AWS services that can enhance Amazon Q Developer’s capabilities.

Additional integrations screen for X-Ray and Application Signals

15. Choose “Next” to continue
16. The last section of the wizard allows to configure third party integrations. Those include ticketing systems, chat integration, and SNS. We won’t cover those in-depth here. But if you like more information, please visit this link.
17. Choose “Complete setup” to start the configuration. After a few seconds, you will see a message confirming “Initial Setup success”

Next Steps

Amazon Q Developer operational investigations offers a powerful way to accelerate incident response while maintaining strict security controls. To further enhance your security posture:

1. 1. • Review the full documentation
      • Adjust the IAM roles and policies as needed
      • Set up encryption using customer managed keys if needed
      • Conduct a test investigation to verify settings are working correctly

With Amazon Q Developer as your AI-powered assistant, you can now resolve AWS issues faster than ever before, all while keeping your data and systems secure. By prioritizing security in your implementation, you can confidently leverage its powerful AI capabilities while maintaining the integrity and confidentiality of your systems and data. This balanced approach allows you to accelerate your incident response and troubleshooting processes without compromising on security best practices.

To see this capability in action, check out this interactive demo. Link to interactive demo.

About the author