Amazon Chime
Administration Guide

Control Access to the Amazon Chime Console

As an administrator, you must complete the following tasks to allow users in your account to access the Amazon Chime console.

Create an IAM User

Services in AWS, such as Amazon Chime, require that you provide credentials when you access them. This allows the service to determine whether you have permissions to access its resources. We recommend that you avoid accessing AWS with your AWS account root credentials. Instead, use AWS Identity and Access Management (IAM). Create one or more IAM users, add the users to an IAM group, and grant permissions to the group by attaching IAM policies. All of the users in that group inherit the permissions. Your IAM users can then access the AWS and Amazon Chime consoles using their account ID, IAM user name, and password.

For more information about setting up an IAM user, see Creating Your First IAM Admin User and Group. For information about IAM, see What is IAM?

Attach Required IAM User Policies

By default, IAM users don't have permission to access the Amazon Chime console. To provide access, you must create IAM policies that grant IAM users permission to use the specific resources and actions they'll need. You must then attach those policies to IAM users or groups that require those permissions.

When you attach a policy to a user or group, it allows or denies the users permission to perform the specified tasks on the specified resources.

To make creating policies easier, Amazon Chime supports using the following AWS managed policies. AWS managed policies are built for specific use cases and are automatically updated by the Amazon Chime service team when new capabilities are added. When you use these policies, your users have immediate access to the Amazon Chime console without the need to create or maintain your own policies.

AWS Managed Policies for Amazon Chime Description


Full access for Amazon Chime administrators who configure and manage the service


Read-only access to the console


Full user management capabilities and read-only access to account settings and configuration

To create your own policies, review the Amazon Chime Actions below for a list of all of the actions that you can allow or deny in your policy. For more information about managing and creating IAM policies, see Managing IAM Policies. For information about how to attach managed policies to an IAM user, see Attaching and Detaching IAM Policies.

Read-Only Policy Example

This example policy provides read-only access to the Amazon Chime console. You can use this as a base for any customizations you choose to make.


If you create a custom policy instead of using an AWS managed policy, when Amazon Chime adds new actions, it does not automatically update your policy. Instead, you must review the changes and manually update your policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "chime:ListAccounts",
        "chime:GetAccount",
        "chime:GetAccountSettings",
        "chime:ListUsers",
        "chime:GetUser",
        "chime:GetUserByEmail",
        "chime:ListAccountUsageReportData",
        "chime:ListDomains",
        "chime:GetDomain",
        "chime:ListGroups",
        "chime:ListDirectories",
        "chime:GetAccountResource"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
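An added example (not AWS code and not part of the original guide): a Python check that a custom policy derived from the read-only example above still grants only those twelve actions. It also flags wildcards, which match actions Amazon Chime adds later. The function names and the sample policy are constructed for illustration.

```python
import fnmatch
import json

# The twelve actions granted by the read-only example policy on this page.
READ_ONLY_BASELINE = {
    "chime:ListAccounts", "chime:GetAccount", "chime:GetAccountSettings",
    "chime:ListUsers", "chime:GetUser", "chime:GetUserByEmail",
    "chime:ListAccountUsageReportData", "chime:ListDomains", "chime:GetDomain",
    "chime:ListGroups", "chime:ListDirectories", "chime:GetAccountResource",
}
BASELINE_LOWER = {a.lower() for a in READ_ONLY_BASELINE}  # IAM action names are case-insensitive

def as_list(value):
    """IAM accepts either a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_read_only(policy_text):
    """Return sorted findings; an empty list means the policy stays inside the baseline."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    findings = set()
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot widen access
        if "NotAction" in stmt:
            findings.add("NotAction: allows every action except the ones listed")
        for action in as_list(stmt.get("Action")):
            service, sep, name = action.partition(":")
            if not sep:
                name = service  # a bare "*" covers every service
            if not fnmatch.fnmatchcase("chime", service.lower()):
                continue  # actions of other services are out of scope here
            if "*" in name or "?" in name:
                findings.add(f"{action}: wildcard also matches actions added later")
            elif action.lower() not in BASELINE_LOWER:
                findings.add(f"{action}: not in the read-only baseline")
    return sorted(findings)

# Constructed sample: a "read-only" policy that has drifted.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["chime:GetUser", "chime:List*", "chime:LogoutUser", "s3:GetObject"]}]})

if __name__ == "__main__":
    for finding in audit_read_only(SAMPLE_POLICY):
        print(finding)
```

Running the check before attaching a customized policy to a group also catches syntax errors, which are reported as a single "invalid JSON" finding.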

Amazon Chime Actions

The following is the complete list of Amazon Chime actions that are available if you want to create a custom policy for your console users. For more information about creating custom IAM policies, see Creating IAM Policies.

Action Description



Creates a new Amazon Chime account.


Modifies the account name for your Amazon Chime enterprise or team account.


Lists the Amazon Chime accounts associated with your AWS account.


Gets the account details for an Amazon Chime account.


Deletes an Amazon Chime account.



Shows your Amazon Chime account settings.


Modifies your Amazon Chime account settings.


Lists the users in an Amazon Chime account.


Gets the user details for an Amazon Chime user.


Gets user details for an Amazon Chime user based on the email address in an Amazon Chime enterprise or team account.


Invites new users to an Amazon Chime account.


Suspends users from an Amazon Chime enterprise account.


Activates users in an Amazon Chime enterprise account.


Manages the licenses for your Amazon Chime users.


Resets the personal meeting PIN for an Amazon Chime user.

chime:LogoutUser Signs a user out of all their devices.
chime:ListAccountUsageReportData Lists Amazon Chime account usage reporting data.


Lists domains associated with your Amazon Chime account.


Adds a domain to your Amazon Chime account.


Shows domain details for a domain associated with your Amazon Chime account.


Deletes a domain from your Amazon Chime account.

Amazon Chime Support
chime:SubmitSupportRequest Submits a support ticket from the Amazon Chime console.


Lists active Active Directories hosted in the AWS Directory Service directory of your AWS account.


Connects an Active Directory to your Amazon Chime enterprise account.


Disconnects the Active Directory from your Amazon Chime enterprise account.


Lists Active Directory user groups associated with your Amazon Chime enterprise account.


Adds new or updates existing Active Directory user groups associated with your Amazon Chime enterprise account.


Deletes Active Directory user groups from your Amazon Chime enterprise account.

AWS Account Delegation
chime:AcceptDelegate Accepts requests to share management of an Amazon Chime account with another AWS account.
chime:ValidateDelegate Allows process to share the AWS account name and Amazon Chime account name.
chime:ListDelegates Displays shared account management status on the Account Summary page.
chime:DeleteDelegate Removes the shared AWS account management.