Understanding AWS Chatbot permissions

AWS Chatbot requires an AWS Identity and Access Management (IAM) role to perform actions. Actions you can perform in your chat channels include running commands and responding to interactive messages. AWS Chatbot uses organization policies, service policies, channel roles, user roles, and channel guardrail policies to control the actions channel members can take. What your users can do is the intersection of your guardrail policies and what is allowed by their roles.

Topics

• Organization policies
• Role setting
• Channel guardrail policies
• Non-supported operations
• Securing your AWS organization in AWS Chatbot
• Chat client application permissions for AWS Chatbot
• Managing user roles in AWS Chatbot
• Editing an IAM role for AWS Chatbot
• Managing IAM role permissions for running commands in AWS Chatbot
• Protection policy

Organization policies

AWS Chatbot organization policies (Chatbot policies)

Organization administrators can manage multiple AWS Chatbot settings across all accounts within an organization using an AWS Chatbot organization policy (Chatbot policy). Chatbot policies define where AWS Chatbot can deliver notifications and if it can respond to AWS Chatbot mention events. For more information, see Securing your AWS organization in AWS Chatbot.

Service control policies (SCPs)

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for the IAM users and IAM roles in your organization. For more information, Service control policies (SCPs) in the AWS Organizations User Guide.

Role setting

Channel role

A channel role gives all channel members the same permissions. This is useful if your channel members are similar users or they typically perform the same actions. You can use an existing role as your channel role or you can create a new role using templates. If you use a channel role, your channel members can still choose their own user roles. Your channel role is restricted by your guardrail policies. You can set your channel role in channel configurations from the AWS Chatbot console.

Channel role templates

There are six templates that can be used to create a channel role:

• Notification permissions

• Read-only command permissions

• Lambda-invoke command permissions

• AWS Support command permissions

• Incident Manager permissions

• Resource Explorer permissions

You can use any and all combinations of these templates to suit your needs. For example, if you want to create a configuration that only delivers notifications, choose Notification permissions as your policy template. If you want your channel members to run read-only commands exclusively and you want notifications to be delivered, choose Read-only command permissions and Notification permissions as your policy templates.

User roles

User roles require channel members to choose their own roles. As a result, different users in your channel can have different permissions. If you have a diverse set of channel members or you don't want new channel members to perform actions as soon as they join your channel, user roles are appropriate. Under this schema, your channel members must have applied a user role to perform actions. When channel members apply a user role, it is mapped to their chat client ID. Administrators can unmap user roles from chat client IDs in the AWS Chatbot console. Your channel member's actions are limited by your guardrail policies, despite what user roles they may have applied. For more information on managing user roles, see Managing user roles in AWS Chatbot.

User role requirement

Administrators can require user roles for all current channel members and channels and all channels created in the future by enabling a user role requirement in the AWS Chatbot console. Individual channels can't override this requirement. This can be done at the account level in User permissions, if you want to require every workspace and channel to use user roles. It can also be done at the channel configuration level wherein a channel level administrator can enable the user role requirement.

Note

This feature is enforced at the account level.

Channel guardrail policies

Guardrail policies provide detailed control over what actions are available to your channel members and what actions AWS Chatbot can perform on your behalf. They constrain and take precedence over both user roles and channel roles. For example, if a user has a user role that allows administrator access, and they belong to a channel where the channel role or the guardrail policies limit permissions on one or more services, the user will have less than administrator-level access. You can set, view, and edit your guardrail policies in the AWS Chatbot console. If you had an AWS Chatbot configuration before the expansion of available commands on 11/28/2021, you may have a protection policy applied as one of your guardrail policies.

Note

AWS Service Roles IAM policies can't be used as guardrail policies.

Non-supported operations

AWS Chatbot doesn't support running commands for operations in the following JSON policy:

{
  "Statement": [
    {
      "Action": [
        "appsync:ListApiKeys",
        "chatbot:*",
        "codecommit:GetFile",
        "codecommit:GetCommit",
        "codecommit:GetDifferences",
        "cognito-idp:*",
        "cognito-identity:*",
        "connect:GetFederationToken",
        "dynamodb:BatchGetItem",
        "dynamodb:GetItem",
        "ec2:GetPasswordData",
        "ecr:GetAuthorizationToken",
        "ecr:GetLogin",
        "gamelift:RequestUploadCredentials",
        "gamelift:GetInstanceAccess",
        "identitystore:*",
        "lightsail:DownloadDefaultKeyPair",
        "lightsail:GetInstanceAccessDetail",
        "lightsail:GetKeyPair",
        "lightsail:GetKeyPairs",
        "lightsail:UpdateRelationalDatabase",
        "iam:*",
        "kms:*",
        "redshift:GetClusterCredentials",
        "sdb:*",
        "secretsmanager:*",
        "sso:*",
        "sso-admin:*",
        "sso-oidc:*",
        "storagegateway:DescribeChapCredentials",
        "sts:*",
        "s3:GetObject",
        "s3:HeadObject",
        "s3:PutObject",
        "s3:GetBucketPolicy",
        "snowball:GetJobUnlockCode"
      ],
      "Effect": "Deny",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}

Protection policy

The expansion of usable CLI commands occurred on 11/28/2021. This expansion can allow channel members to create, read, update, and delete your AWS resources. To prevent this, a protection policy is applied as a guardrail policy to existing AWS Chatbot configurations by default. Specifically, the protection policy restricts permissions and actions to what was available before all CLI commands were usable. This policy is detachable, but we strongly recommend it stay in place until you’ve verified that all your guardrails, channel IAM roles, and user-level roles align with your governance policy or channel requirements. You can detach this policy from:

• Individual workspaces.

• Individual channels in the channel configurations page.

• A selection of channels using the Set guardrails button.

• All channel configurations in the User permissions page of the AWS Chatbot console.

The protection policy contains the ReadOnlyAccess policy and the following JSON code:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:Invoke*",
                "support:*",
                "ssm-incidents:*"
            ],
            "Resource": "*"
        }
    ]
}