Chatbot policies - AWS Organizations

Chatbot policies

AWS Chatbot is an AWS service that enables DevOps and software development teams to use messaging program chat rooms to monitor and respond to operational events in their AWS Cloud. AWS Chatbot processes AWS service notifications from Amazon Simple Notification Service (Amazon SNS), and forwards them to chat rooms so teams can analyze and act on them immediately, regardless of location.

Chatbot policies in AWS Organizations enable you to control access to your organization's accounts from chat applications such as Slack and Microsoft Teams.

How chatbot policies work

Using chatbot policies, the management account or delegated administrator of an organization can do the following across an organization:

  • Enforce which supported chat applications (Amazon Chime, Microsoft Teams, and Slack) can be used.

  • Restrict chat client access to specific workspaces (Slack) and teams (Microsoft Teams).

  • Restrict Slack channel visibility to either public or private channels.

  • Set and enforce specific role settings.

Chatbot policies restrict, and take precedence over, account-level settings such as role settings and channel guardrail policies. You can access and modify chatbot policies from the AWS Chatbot console or the Organizations console.
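As an added illustration (not code from the AWS documentation or from AWS Chatbot itself), the following Python checks a proposed chat channel configuration against a chatbot policy the way the precedence rule above describes: whatever the account-level configuration asks for, a policy restriction wins. The `@@assign` key layout, the workspace IDs and the role-setting names `channel` and `user` are assumptions made for this example; consult the chatbot policy syntax reference for the actual schema.

```python
"""Added example: evaluate whether a proposed AWS Chatbot channel configuration
is permitted by a chatbot policy.  The key layout follows the @@assign style of
Organizations management policies but is an ASSUMPTION, not the official syntax."""
import json

# Constructed sample policy: Slack only, two allowed workspaces, private channels
# and the channel role by default, one workspace override that also allows public
# channels.  Workspace IDs are made up.
SAMPLE_POLICY = json.loads("""{
  "chatbot": {"platforms": {
    "slack": {
      "client": {"@@assign": "enabled"},
      "workspaces": {"@@assign": ["T0EXAMPLE1", "T0EXAMPLE2"]},
      "default": {
        "supported_channel_types": {"@@assign": ["private"]},
        "supported_role_settings": {"@@assign": ["channel"]}
      },
      "overrides": {
        "T0EXAMPLE2": {"supported_channel_types": {"@@assign": ["private", "public"]}}
      }
    },
    "microsoft_teams": {"client": {"@@assign": "disabled"}},
    "chime": {"client": {"@@assign": "disabled"}}
  }}
}""")


def _assigned(node, key, default):
    """Return the @@assign value stored under node[key], or default if absent."""
    return node.get(key, {}).get("@@assign", default)


def check_configuration(policy, platform, workspace, channel_type, role_setting):
    """Return (allowed, reason).  A policy restriction wins over whatever the
    account-level configuration requests; a setting the policy never mentions
    is treated as unrestricted (assumption)."""
    p = policy["chatbot"]["platforms"].get(platform, {})
    if _assigned(p, "client", "enabled") != "enabled":
        return False, f"{platform} client is disabled by chatbot policy"
    allowed_ws = _assigned(p, "workspaces", None)
    if allowed_ws is not None and workspace not in allowed_ws:
        return False, f"workspace {workspace} is not in the allowed list"
    # Per-workspace overrides take precedence over the platform-wide default block.
    effective = dict(p.get("default", {}))
    effective.update(p.get("overrides", {}).get(workspace, {}))
    if channel_type not in _assigned(effective, "supported_channel_types", ["public", "private"]):
        return False, f"{channel_type} channels are not allowed in {workspace}"
    if role_setting not in _assigned(effective, "supported_role_settings", ["channel", "user"]):
        return False, f"role setting '{role_setting}' is not allowed in {workspace}"
    return True, "allowed"
```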

After the policies are attached to accounts and organizational units (OUs), any current and future AWS Chatbot configurations for the accounts in scope automatically comply with the governance and permissions settings. For more information, see Understanding management policy inheritance.

If you try to perform an action that a chatbot policy restricts, an error message tells you that the action is not allowed by the chatbot policy and recommends that you contact the management account or delegated administrator of your organization.

Note

Chatbot policies are validated at runtime. This means that existing resources are continuously checked for compliance. There is no overlap with existing IAM permissions since runtime-based IAM permissions for sending notifications or interacting with AWS Chatbot are not currently supported.