Working with chat channels in Incident Manager
A key feature of AWS Systems Manager Incident Manager is the ability to directly communicate through chat channels during an incident. During an incident, Incident Manager pushes incident updates and notifications directly to the chat channel to keep all responders informed. Responders can update and interact with the incident directly from the chat channel by using chat commands. For more information about AWS Chatbot, see the AWS Chatbot Administrator Guide.
Set up an AWS Chatbot client
Incident Manager uses AWS Chatbot clients to connect responders in Amazon Chime or Slack. Add an AWS Chatbot client to a response plan to notify the chat room that an incident has started.
Configure an AWS Chatbot client.
- Open the AWS Chatbot console, and in the left navigation bar, choose Configured clients.
- Choose Configure new client.
- Choose Amazon Chime or Slack.
You can now add this AWS Chatbot client to an Incident Manager response plan. To learn more about setting up response plans, see Working with response plans in Incident Manager.
Using SNS topics with Incident Manager incurs the costs of SNS. For more information, see Amazon SNS pricing.
Configuring SNS permissions
Before you can use the AWS Chatbot client during an incident, update the access policy of the related Amazon SNS topics.
- Navigate to the Amazon SNS console and choose Topics from the navigation panel.
- Select the Amazon SNS topic related to the AWS Chatbot client you set up in the previous section.
- Choose Edit.
- Expand the Access policy section and add the following statement to the policy's Statement array.

    {
        "Sid": "IncidentManagerSNSPublishingPermissions",
        "Effect": "Allow",
        "Principal": {
            "Service": "ssm-incidents.amazonaws.com"
        },
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:us-east-1:111122223333:example_SNS_topic",
        "Condition": {
            "StringEqualsIfExists": {
                "AWS:SourceAccount": "111122223333"
            }
        }
    }

  Important: The AWS service ssm-incidents.amazonaws.com must have permissions to publish to the chat channel's SNS topic. Without permissions to publish to the SNS topic, Incident Manager won't be able to publish notifications to your chat channel.
- Replace the Resource value "arn:aws:sns:us-east-1:111122223333:example_SNS_topic" with your Amazon SNS topic ARN.
- Replace the AWS:SourceAccount value "111122223333" with your AWS account ID.
- Choose Save changes.
Use the previous steps to update each SNS topic related to the configured AWS Chatbot client.
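The policy change described in the steps above, as an added example that is not part of the AWS documentation: Python code that merges the statement into a topic's access policy without duplicating it, then audits that the grant to ssm-incidents.amazonaws.com is limited to one topic and one source account. The function names and the sample policy are assumptions made for illustration; the ARN and account ID are the page's placeholders.

```python
import copy

SID = "IncidentManagerSNSPublishingPermissions"
SERVICE = "ssm-incidents.amazonaws.com"
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:example_SNS_topic"  # placeholder from the page
ACCOUNT_ID = "111122223333"                                        # placeholder from the page

# Constructed sample: a topic policy that so far only lets the owner account publish.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OwnerPublish", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "SNS:Publish", "Resource": TOPIC_ARN}]}

def _as_list(value):
    """IAM policy fields may hold one value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def ensure_statement(policy, topic_arn, account_id):
    """Return a copy of policy holding exactly one current Incident Manager statement."""
    updated = copy.deepcopy(policy)
    kept = [s for s in _as_list(updated.get("Statement", [])) if s.get("Sid") != SID]
    kept.append({
        "Sid": SID, "Effect": "Allow", "Principal": {"Service": SERVICE},
        "Action": "SNS:Publish", "Resource": topic_arn,
        "Condition": {"StringEqualsIfExists": {"AWS:SourceAccount": account_id}}})
    updated["Statement"] = kept
    return updated

def audit(policy, topic_arn, account_id):
    """List deviations from the statement above; an empty list means it is in place."""
    grants = [s for s in _as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow" and isinstance(s.get("Principal"), dict)
              and SERVICE in _as_list(s["Principal"].get("Service", []))
              and any(a.lower() in ("sns:publish", "sns:*", "*")
                      for a in _as_list(s.get("Action", [])))]
    if not grants:
        return [f"{SERVICE} has no permission to publish to this topic"]
    findings = []
    for s in grants:
        label = s.get("Sid", "<no Sid>")
        if _as_list(s.get("Resource", [])) != [topic_arn]:
            findings.append(f"{label}: Resource is not limited to this topic's ARN")
        accounts = [a for op in s.get("Condition", {}).values() for k, v in op.items()
                    if k.lower() == "aws:sourceaccount" for a in _as_list(v)]
        if accounts != [account_id]:
            findings.append(f"{label}: AWS:SourceAccount is not set to {account_id}")
    return findings
```

The document returned by ensure_statement can be written back to the topic as its Policy attribute through the SNS SetTopicAttributes API.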
Encrypting Amazon SNS topics used by Incident Manager
You can encrypt Amazon SNS topics used by Incident Manager by using an AWS Key Management Service (AWS KMS) Customer Managed Key (CMK). For more information, see Creating keys in the AWS Key Management Service Developer Guide.
To configure Incident Manager with the required kms:GenerateDataKey and kms:Decrypt permissions, see Enable compatibility between event sources from AWS services and encrypted topics in the Amazon Simple Notification Service Developer Guide.
Interacting through chat
Incident Manager enables responders to interact with incidents directly from the chat channel. Chat commands are only available in Slack chat channels. These are some common commands:
To use any of the preceding commands from an active incident's chat channel, use the following format. Replace <CLI Command> with any of the preceding commands and its appropriate fields.

    @aws ssm-incidents <CLI Command>
    @aws ssm-contacts <CLI Command>
Best practices
Keep the following best practices in mind when configuring your chat channels using AWS Chatbot.
- AWS Chatbot enabled Slack channels inherit the permissions of the IAM role used to configure AWS Chatbot. This enables responders in an AWS Chatbot enabled Slack channel to call any allow-listed action, such as calling Incident Manager APIs and retrieving metrics graphs.
- Maintain the principle of least privilege, practice security standards, and regularly review membership of your AWS Chatbot enabled chat channels.