Identity and Access Management for AWS Chatbot - AWS Chatbot

Identity and Access Management for AWS Chatbot

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use AWS Chatbot resources. IAM is an AWS service that you can use with no additional charge.

Audience

How you use AWS Identity and Access Management (IAM) differs, depending on the work that you do in AWS Chatbot.

Service user – If you use the AWS Chatbot service to do your job, then your administrator provides you with the credentials and permissions that you need. As you use more AWS Chatbot features to do your work, you might need additional permissions. Understanding how access is managed can help you request the right permissions from your administrator. If you cannot access a feature in AWS Chatbot, see Troubleshooting AWS Chatbot identity and access.

Service administrator – If you're in charge of AWS Chatbot resources at your company, you probably have full access to AWS Chatbot. It's your job to determine which AWS Chatbot features and resources your service users should access. You must then submit requests to your IAM administrator to change the permissions of your service users. Review the information on this page to understand the basic concepts of IAM. To learn more about how your company can use IAM with AWS Chatbot, see How AWS Chatbot works with IAM.

IAM administrator – If you're an IAM administrator, you might want to learn details about how you can write policies to manage access to AWS Chatbot. To view example AWS Chatbot identity-based policies that you can use in IAM, see Identity-based policies for AWS Chatbot.

How AWS Chatbot works with IAM

Before you use IAM to manage access to AWS Chatbot, you should understand which IAM features are available to use with AWS Chatbot. The following subsections introduce each IAM capability supported by AWS Chatbot, point you to further information about how to use them, and describe the IAM capabilities that AWS Chatbot doesn't support. To get a high-level view of how AWS Chatbot and other AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide.

For an overview of IAM and its features, see Understanding How IAM Works in the IAM User Guide.

Identity-based policies and AWS Chatbot

AWS Chatbot supports the use of IAM identity-based policies for service usage and management.

An AWS Identity and Access Management (IAM) policy is a document that defines the permissions that apply to an IAM user, group, or role. The permissions determine what users can do in AWS. A policy typically allows access to specific actions, and can optionally grant that the actions are allowed for specific resources, like Amazon Simple Notification Service (Amazon SNS) notifications. Policies can also explicitly deny access.

Identity-based policies are attached to an IAM user, group, or role (identity). These policies let you specify what that AWS identity can do (its permissions). For example, you can attach an identity policy to the IAM user named adesai, to allow that user to perform the AWS Chatbot DescribeSlackChannels action.

For information about, and examples of, using identity-based policies with AWS Chatbot, see AWS Chatbot Identity-Based Policies.

For more general information about how IAM identity-based policies work, see Identity vs. Resource in the IAM User Guide.

Resource-level permissions and AWS Chatbot

Resource-level permissions are JSON policy statements that specify the AWS resources on which associated IAM entities can perform actions. You define a resource-level permission in an IAM policy, then attach the policy to a user's AWS account or to any other IAM entity. The users then have permission to access that resource. Resource-level permissions differ from IAM resource-based policies because you attach complete resource-based policies directly to an AWS resource.

When you customize IAM policies for users to work with the AWS Chatbot service, one of your primary options for policy editing is to configure resource-based permissions for your policies.

AWS Chatbot supports resource-level permissions, but not resource-based policies.

For more information about how IAM resource-level permissions work with AWS Chatbot, see IAM Resource-Level Permissions for AWS Chatbot.

Condition keys and AWS Chatbot

Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.

The Condition element (or Condition block) lets you specify conditions in which a statement is in effect. The Condition element is optional. You can create conditional expressions that use condition operators, such as equals or less than, to match the condition in the policy with values in the request.

If you specify multiple Condition elements in a statement, or multiple keys in a single Condition element, AWS evaluates them using a logical AND operation. If you specify multiple values for a single condition key, AWS evaluates the condition using a logical OR operation. All of the conditions must be met before the statement's permissions are granted.

You can also use placeholder variables when you specify conditions. For example, you can grant an IAM user permission to access a resource only if it is tagged with their IAM user name. For more information, see IAM policy elements: variables and tags in the IAM User Guide.

AWS supports global condition keys and service-specific condition keys. To see all AWS global condition keys, see AWS global condition context keys in the IAM User Guide.

AWS Chatbot doesn't define any service-specific condition keys. It supports global condition keys. To see all actions and resources for which AWS Chatbot can use global condition keys, see Actions, Resources, and Condition Keys for AWS Chatbot in the IAM User Guide. For more information about AWS global condition keys, see AWS Global Condition Context Keys in the IAM User Guide.

Using temporary credentials with AWS Chatbot

You can use temporary credentials to sign in with federation, assume an IAM role, or assume a cross-account role. You obtain temporary security credentials by calling AWS Security Token Service (AWS STS) API operations, such as AssumeRole or GetFederationToken.

AWS Chatbot supports using temporary credentials. For more information about defining and using temporary IAM credentials, see Temporary Security Credentials in the IAM User Guide.

Service-linked roles

Service-linked roles allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view, but can't edit the permissions for service-linked roles.

Service roles

AWS Chatbot supports service roles.

This feature allows a service to assume a service role on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might prevent the service from functioning as expected.

Other policy types

AWS supports additional, less common policy types. These policy types can set the maximum permissions granted to you by the more common policy types.

  • AWS Organizations service control policies (SCPs) - SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU) in AWS Organizations. AWS Organizations is a service for grouping and centrally managing multiple AWS accounts that your business owns. If you enable all features in an organization, then you can apply service control policies (SCPs) to any or all of your accounts. The SCP limits permissions for entities in member accounts, including each AWS account root user. For more information about Organizations and SCPs, see How SCPs Work in the AWS Organizations User Guide.

  • IAM account settings - With IAM, you can use AWS Security Token Service (AWS STS) to create and provide trusted users with temporary security credentials that can control access to your AWS resources. When you activate STS endpoints for a Region, AWS STS can issue temporary credentials to users and roles in your account that make an AWS STS request. Those credentials can then be used in any Region that is enabled by default or is manually enabled. You must activate the Region in the account where the temporary credentials are generated. It does not matter whether a user is signed into the same account or a different account when they make the request. For more information, see Activating and deactivating AWS STS in an AWS Region in the IAM User Guide.

Note

AWS Chatbot is a global service that requires access to all AWS Regions. If there is a policy in place that prevents access to services in certain Regions, you must change the policy to allow global AWS Chatbot access.