
Test notifications from AWS services to Amazon Chime or Slack


• Test notifications from AWS services to Amazon Chime or Slack using CloudWatch

• Remove chat rooms

• Configuring an IAM role for AWS Chatbot

• Next steps

Prerequisites

Before you get started, make sure you've completed the tasks in Setting up AWS Chatbot (p. 3). You will need to choose a permissions scheme in the following procedure. This scheme determines the permissions your channel members will have.

Step 1: Set up chat clients for AWS Chatbot

You use the AWS Chatbot console to configure Amazon Chime and Slack clients to receive notifications from Amazon Simple Notification Service (Amazon SNS) topics.

Note

When you configure your clients, don't enable the Enable raw message delivery feature for any Amazon SNS topic subscription that you want to use for AWS Chatbot.

AWS Chatbot requires an AWS Identity and Access Management (IAM) role with Amazon CloudWatch read permissions and a trust policy that allows AWS Chatbot to use those permissions on your behalf.

When you configure AWS Chatbot, you can create a role with a predefined set of policies to display CloudWatch charts in AWS Chatbot notifications.


You can also use an existing IAM role that you can configure for use with AWS Chatbot. For more information, see Configuring an IAM role for AWS Chatbot (p. 12). For simplicity, particularly in testing your setup, we recommend using the IAM role with predefined policies that you can configure in AWS Chatbot.
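When you reuse an existing role, it helps to confirm that only AWS Chatbot can assume it and that it grants nothing beyond read access. The following check is an added example, not code from the AWS documentation; the function names, the read-only pattern list and the sample policy documents are assumptions made for illustration.

```python
import fnmatch

CHATBOT_PRINCIPAL = "chatbot.amazonaws.com"  # AWS Chatbot service principal
# What this example counts as read-only (an assumption, not an AWS definition).
READ_ONLY = ("*:get*", "*:list*", "*:describe*")


def _as_list(value):
    """IAM fields may hold one string or a list; normalize to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def audit_trust_policy(policy):
    """Findings for a trust policy that should let only AWS Chatbot assume the role."""
    findings, chatbot_ok = [], False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("any principal can assume this role")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "Service" and value == CHATBOT_PRINCIPAL:
                    chatbot_ok = chatbot_ok or "sts:AssumeRole" in _as_list(stmt.get("Action"))
                else:
                    findings.append(f"unexpected principal {kind}:{value}")
    if not chatbot_ok:
        findings.append(f"{CHATBOT_PRINCIPAL} is not allowed to assume this role")
    return findings


def non_read_actions(policy):
    """Allowed actions that go beyond Get/List/Describe."""
    extra = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            extra.append("NotAction")  # allows everything except a list: never read-only
        for action in _as_list(stmt.get("Action")):
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in READ_ONLY):
                extra.append(action)
    return extra


def _allow(**fields):
    """Build a one-statement Allow policy document for the samples below."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", **fields}]}


# Constructed sample documents (not the policies AWS Chatbot generates).
TRUST_OK = _allow(Principal={"Service": CHATBOT_PRINCIPAL}, Action="sts:AssumeRole")
TRUST_WIDE = _allow(Principal={"Service": [CHATBOT_PRINCIPAL, "lambda.amazonaws.com"]},
                    Action="sts:AssumeRole")
PERMS_READ = _allow(Resource="*", Action=["cloudwatch:Describe*", "cloudwatch:Get*",
                                          "cloudwatch:List*", "logs:Get*", "sns:ListTopics"])
PERMS_WIDE = _allow(Resource="*", Action=["cloudwatch:*", "lambda:InvokeFunction"])
```

Feed the functions the trust policy and the attached policy documents of the role you intend to select; an empty result from both means the role matches the notification-only use described above.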

Setting up AWS Chatbot with Slack

To allow AWS Chatbot to send notifications to your Slack channel, you must configure AWS Chatbot with Slack. Owners of Slack workspaces can approve the use of the AWS Chatbot, and any workspace user can configure the workspace to receive notifications or run commands.

To configure a Slack client

1. Open the AWS Chatbot console at https://console.aws.amazon.com/chatbot/.

2. Under Configure a chat client, choose Slack, then choose Configure client.

3. From the dropdown list at the top right, choose the Slack workspace that you want to use with AWS Chatbot.

There's no limit to the number of workspaces that you can set up for AWS Chatbot, but you can set up only one at a time.

4. Choose Allow.

5. On the Workspace details page, you can choose to continue within the console or with an AWS CloudFormation template:

• To use an AWS CloudFormation template, copy and paste the Workspace ID found under Workspace details. For more information, see AWS::Chatbot::SlackChannelConfiguration in the AWS CloudFormation User Guide.

• To continue within the console, choose Configure new channel.

6. Under Configuration details, enter a name for your configuration. The name must be unique across your account and can't be edited later.

7. If you want to enable logging for this configuration, choose Publish logs to Amazon CloudWatch Logs. For more information, see Amazon CloudWatch Logs for AWS Chatbot (p. 42).

Note

There is an extra charge for using CloudWatch Logs.

8. For Slack channel, choose the channel that you want to use.

Note

You can use private Slack channels with AWS Chatbot. To do so, choose Private channel.

In Slack, copy the Channel ID of the private channel by right-clicking on the channel name in the left pane and choosing Copy Link. The Channel ID is the string at the end of the URL (for example, AB3BBLZZ8YY). In AWS Chatbot, paste the ID into the Channel URL field. (If you copy the URL of the private Slack channel, the AWS Chatbot console shows only the Channel ID value when you paste it into the field.)

9. Choose your Role Setting. You can choose a channel IAM role or user roles. A channel IAM role allows channel members to share the same permissions. User roles require your channel members to choose their own roles. If you choose to use a channel IAM role, your users can still choose to use their own user roles. For more information about role setting, see Role setting (p. 50).

Channel IAM role

1. For Role setting, choose Channel IAM role.

2. For Channel IAM role, choose Create new role. If you want to use an existing role instead, choose Use an existing role. To use an existing IAM role, you will need to modify it for use with AWS Chatbot. For more information, see Configuring an IAM Role for AWS Chatbot (p. 12).


3. For Role name, enter a name. Valid characters: a-z, A-Z, 0-9, .\w+=,.@-_.

4. For Role policy template, choose the template you wish to use.

User roles

1. For Role setting, choose User roles.

10. Select the policies that will make up your channel guardrails (p. 50). Your channel guardrails control what actions are available to your channel members.

Note

If you initially had permission to run Lambda invoke, it is contained in All actions permitted.

Note

To run most CLI commands from your Slack channel, ensure you select All actions permitted.

11. Choose your notification settings:

a. For SNS Region, choose the AWS Region that hosts the SNS topics for this AWS Chatbot subscription.

b. For SNS topic, choose the Amazon SNS topic for the client subscription. This topic determines the content that's sent to the Slack channel. If the region has additional SNS topics, you can choose them from the same dropdown list.

c. To add an Amazon SNS topic from another AWS Region to the notification subscription, choose Add another Region.

12. Choose Save.

13. Set User permissions:

Note

You can choose to enable a user role requirement. This requires channel members to apply a user role before running commands in Slack. For more information, see User role requirement (p. 50).

a. Under Account settings, choose User permissions.

b. In User role requirement, choose if you want to enable a user role requirement.

14. Add AWS Chatbot to the Slack workspace:

a. In Slack, on the left navigation pane, choose Apps.

Note

If you do not see Apps in the left navigation pane, choose More, then choose Apps.

b. If AWS Chatbot is not listed, choose the Browse Apps Directory button.

c. Browse the directory for the AWS Chatbot app and then choose Add to add AWS Chatbot to your workspace.

Notifications from supported services that publish to the chosen Amazon SNS topics will now appear in the Slack channel.

You can configure as many channels with as many topics as you need.

Note

If you configure a private Slack channel, run the /invite @AWS command in Slack to invite the AWS Chatbot to the chat room.

The SNS topics you choose also must be configured in the services for which you want to receive notifications. For more information, see Using AWS Chatbot with Other AWS Services (p. 15).

Setting up AWS Chatbot with Amazon Chime


To set up AWS Chatbot for Amazon Chime, get the webhook URL for your team's chat room from Amazon Chime.

Prerequisite

You must be an Amazon Chime chat room admin and have the ability to manage webhooks.

To configure an Amazon Chime client

1. Open Amazon Chime.

2. For Amazon Chime, choose the chat room that you want to set up to receive notifications through AWS Chatbot.

3. Choose the Room settings icon on the top right and choose Manage Webhooks and Bots.

Amazon Chime displays the webhooks associated with the chat room.

Note

You can have multiple webhooks in a single Amazon Chime chat room.

For example, in an Amazon Chime chat room, one webhook could send notifications for Amazon CloudWatch alarms and another webhook could send AWS Security Hub security alerts. Each webhook receives notifications only for the SNS topics subscribed to it. All chat room members can see all of the notifications from each of the SNS topics.

4. For the webhook, choose Copy URL and choose Done.

If you need to create a new webhook for the chat room, choose Add webhook, enter a name for the webhook in the Name field, and choose Create.

5. Open the AWS Chatbot console at https://console.aws.amazon.com/chatbot/.

6. Choose Configure new client.

7. Choose Amazon Chime and choose Configure.

8. Under Configuration details, enter a name for your configuration. The name must be unique across your account and can't be edited later.

9. If you want to enable logging for this configuration, choose Send logs to CloudWatch. For more information, see Amazon CloudWatch Logs for AWS Chatbot (p. 42).

Note

There is an extra charge for using CloudWatch Logs.

10. For Configure Amazon Chime webhook, do the following.

a. Paste the webhook URL that you copied from Amazon Chime.

b. For Webhook description, use the following naming convention to describe the purpose of the webhook: Chat_room_name/Webhook_name. This helps you associate Amazon Chime webhooks with their AWS Chatbot configurations.

11. For IAM permissions, set the IAM permissions for AWS Chatbot.

a. For Role, choose Create a new role from template. If you want to use an existing role instead, choose it from the IAM Role list. To use an existing IAM role, you might need to modify it for use with AWS Chatbot. For more information, see Configuring an IAM Role for AWS Chatbot (p. 12).

b. For Policy templates, choose Notification permissions. This is the IAM policy provided by AWS Chatbot. It provides the necessary Read and List permissions for CloudWatch alarms, events and logs, and for Amazon SNS topics.

c. For Role name, enter a name. Valid characters: a-z, A-Z, 0-9.


12. Set up the SNS topics that will send notifications to the Amazon Chime webhook.

a. For SNS Region, choose the AWS Region that hosts the SNS topics for this AWS Chatbot subscription.

b. For SNS topic, choose the SNS topic for the client subscription. This topic determines the content that's sent to the Amazon Chime webhook. If the region has additional SNS topics, you can choose them from the same dropdown list.

c. If you want to add an SNS topic from another Region to the notification subscription, choose Add another Region.

13. Choose Configure.

Notifications from supported services that publish to the chosen SNS topics will now appear in the Amazon Chime chat room.

You can configure as many webhooks as you need. The SNS topics that you choose also must be configured in the services for which you want to receive notifications. For more information, see Using AWS Chatbot with Other AWS Services (p. 15).

Note

You can configure a Slack channel to run commands to your AWS account. For more information, see Running AWS CLI Commands from Slack Channels (p. 22).

Step 2: Subscribe an Amazon SNS topic to AWS Chatbot

You can quickly subscribe existing Amazon SNS topics to the AWS Chatbot service. You associate the new subscriptions to a Slack channel or Amazon Chime webhook. After doing so, the messages from those topics will appear in the Slack or Amazon Chime chat rooms. The Amazon SNS topics must be associated with AWS services that AWS Chatbot supports, and may also require further configuration, such as association with a CloudWatch rule. This procedure is most useful if you have SNS topics that are already doing significant work with CloudWatch Events and CloudWatch alarms in AWS cloud services supported by AWS Chatbot.

Note

You can set up each supported AWS service to target one or more SNS topics to send notifications to AWS Chatbot. You do this using each AWS service's console, or using AWS CloudFormation. If you already have Amazon SNS topics set as targets for supported services, you can configure AWS Chatbot to use those topics. Notifications from subscribed topics will automatically appear in your Slack or Amazon Chime clients without further configuration.

Note

If your SNS topic is encrypted, you must add a section to your AWS KMS key policy to give the sending service permissions to post events to the encrypted SNS topics. For more information, see Setting up Amazon SNS topics (p. 4).

1. Open the AWS Chatbot console at https://console.aws.amazon.com/chatbot/.

2. Under Configured clients, choose Slack or Amazon Chime.

3. Choose any channel in the Slack workspace configuration or webhook in the Amazon Chime webhooks list.

4. Choose Edit. The configuration page for the channel or webhook appears. Note that the Region Notifications is already configured.

5. In the Notifications panel:


• If you need to apply an Amazon SNS topic from another region, choose Add another Region.

6. For each Region in the Amazon Chime webhook or Slack channel, select the Amazon SNS topic you want to add.

7. When finished, choose Save.

8. To check for the subscription, click on any subscription entry in the AWS Chatbot console. The Amazon SNS console opens, showing the list of subscriptions for the selected topic.

Step 3: Test notifications from AWS services to Amazon Chime or Slack

To verify that an Amazon Simple Notification Service (Amazon SNS) topic sends notifications to your Amazon Chime or Slack chat room, you can test your setup by sending a notification. To test your notifications, ensure your topics are assigned to a service supported by AWS Chatbot. For a list of supported services, see Using AWS Chatbot with Other AWS Services (p. 15). You can also test notifications by using CloudWatch. For more information, see Test notifications from AWS services to Amazon Chime or Slack using CloudWatch (p. 10).

Testing notifications with configured clients

1. Open the AWS Chatbot console.

2. Choose the configured client you want to test.

3. In the configured client, choose the channel or webhook to send a test notification to.

4. Choose Send test message.

5. View the confirmation message at the top of the screen that shows a message was sent to your Amazon SNS topic.

6. Confirm the test message in your Amazon Chime chat room or Slack channel.

Test notifications from AWS services to Amazon Chime or Slack using CloudWatch

To verify that an Amazon Simple Notification Service (Amazon SNS) topic sends notifications to your Amazon Chime or Slack chat room, you can test your setup by sending a notification. Any SNS topic can send notifications to your chat rooms, but the topic must be assigned to a service supported by AWS Chatbot. For a complete list of supported services, see Using AWS Chatbot with Other AWS Services (p. 15).

Note

CloudWatch alarms and events are separately configured and have different characteristics for use with AWS Chatbot.

The following procedure uses a CloudWatch alarm because most AWS services supported by AWS Chatbot send their event and alarm data to CloudWatch.

You configure CloudWatch alarms using performance metrics from the services that are active in your account. When you associate CloudWatch alarms with an Amazon SNS topic that is mapped to AWS Chatbot, the Amazon SNS topic sends the CloudWatch alarm notifications to the chat rooms. For more information, see Using AWS Chatbot with Other AWS Services (p. 15) and the Troubleshooting (p. 69) topic.

To test notifications to configured chat clients

1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

2. In the navigation pane, choose Alarms, Create alarm.

3. At the top right of the AWS console, select the AWS Region that contains the Amazon SNS topic you need. (Tip: To make sure you have the right Region for your SNS topics when testing alarms, check the AWS Chatbot configuration to see the Regions for all configured SNS topics in each channel or webhook.)

4. Choose Select metric, and choose the SNS service namespace. (All CloudWatch alarms use service metrics to generate their notifications, and you need to select one for this example.)

a. Choose Topic metrics.

b. Choose the check box for the SNS topic next to its Topic Name and Metric Name. Any SNS topics that you configured with AWS Chatbot appear in this list.

Important: if you do not see your desired Amazon SNS topic in the SNS Topic list, make sure to select the correct AWS Region in the AWS console when you begin configuring the new CloudWatch alarm.

c. Choose Select metric.

The Specify metric and conditions page shows a graph and other information about the metric and statistic.

5. For Conditions (the circumstances under which the CloudWatch alarm fires and an action takes place), choose the following options:

a. For Threshold type, choose Static.

b. For Whenever metric is, choose Lower/Equal <= threshold.

c. For than..., specify a threshold value of 1. This setting ensures you will trigger the test notification within one minute.

d. Under Additional configuration, do the following:

i. For Datapoints to alarm, select 1 out of 1.

ii. For Missing data treatment, select Treat missing data as bad.

e. Choose Next.

6. Choose Configure actions. Here, you set the action to create SNS notifications when the metric threshold is exceeded.

For Notification, choose the following options.

a. For Whenever this alarm state is..., choose In Alarm.

b. For Select an SNS topic, choose Select an existing SNS topic.

c. For Send a notification to..., choose your SNS topic that has a subscription to AWS Chatbot. If the SNS topic is subscribed in AWS Chatbot, the endpoint value for AWS Chatbot appears in the Email (endpoints) field.

Note

If the endpoint value doesn't appear in the Email (endpoints) field, make sure that the SNS topic is set up correctly in the Slack channel or Amazon Chime webhook. For more information, see Setting Up AWS Chatbot with Slack (p. 6) or Setting Up AWS Chatbot with Amazon Chime (p. 8).


7. Enter a name and description for the alarm. The name must contain only ASCII characters. Then, choose Next.

8. For Preview and create, confirm that the information and conditions are correct, then choose Create alarm.

When the alarm triggers for the first time, you should receive the first test notification in your chat room, confirming that AWS Chatbot is working correctly and receiving alarm notifications from Amazon CloudWatch.
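The same test alarm can be expressed as the arguments of the CloudWatch PutMetricAlarm API. This is an added example, not part of the AWS documentation: the topic ARN is a constructed placeholder, and the metric name, statistic and period are assumptions, since the procedure leaves the choice of topic metric open. It also enforces the Region match from step 3 and the ASCII-only name from step 7.

```python
import re

# Constructed placeholder ARN for an SNS topic already subscribed in AWS Chatbot.
SAMPLE_TOPIC_ARN = "arn:aws:sns:us-east-2:111122223333:chatbot-test-topic"

_SNS_ARN = re.compile(
    r"^arn:(aws[\w-]*):sns:([a-z0-9-]+):(\d{12}):([\w-]{1,256}(?:\.fifo)?)$"
)


def build_test_alarm(alarm_name, topic_arn, alarm_region):
    """Return put_metric_alarm keyword arguments mirroring steps 3 to 7 above."""
    match = _SNS_ARN.match(topic_arn)
    if not match:
        raise ValueError(f"not an SNS topic ARN: {topic_arn!r}")
    _, topic_region, _, topic_name = match.groups()
    # Step 3: create the alarm in the Region that hosts the topic.
    if topic_region != alarm_region:
        raise ValueError(
            f"topic is in {topic_region}, alarm would be created in {alarm_region}"
        )
    # Step 7: the alarm name must contain only ASCII characters.
    if not alarm_name or not alarm_name.isascii():
        raise ValueError("alarm name must be non-empty ASCII")
    return {
        "AlarmName": alarm_name,
        "AlarmDescription": "AWS Chatbot notification test",
        "Namespace": "AWS/SNS",                              # step 4
        "MetricName": "NumberOfMessagesPublished",           # assumed topic metric
        "Dimensions": [{"Name": "TopicName", "Value": topic_name}],
        "Statistic": "Sum",                                  # assumed
        "Period": 60,                                        # assumed, in seconds
        "ComparisonOperator": "LessThanOrEqualToThreshold",  # step 5b
        "Threshold": 1.0,                                    # step 5c
        "EvaluationPeriods": 1,                              # step 5d, 1 out of 1
        "DatapointsToAlarm": 1,
        "TreatMissingData": "breaching",                     # missing data as bad
        "AlarmActions": [topic_arn],                         # step 6, In Alarm
    }
```

With boto3 installed and credentials configured, the result can be passed as `boto3.client("cloudwatch", region_name=alarm_region).put_metric_alarm(**kwargs)`.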

Remove chat rooms

Removing an authorized Slack client from AWS Chatbot

When necessary, you can remove a Slack chat client from the AWS Chatbot configuration. Doing so deauthorizes the Slack client, which revokes the permissions that AWS Chatbot uses to operate with Slack.

Before deauthorizing a Slack client, you must delete all Slack channels. Deleting the channels first prevents accidentally deleting the Slack workspace.

To remove a Slack client

1. Open the AWS Chatbot console at https://console.aws.amazon.com/chatbot/.

2. Choose Configured clients.

3. On the Configured clients page, choose the Slack client.

4. Choose each channel in the Slack workspace configuration and choose Delete.

5. After you finish deleting all Slack channels from the workspace, choose Remove workspace

