
Amazon Chime

Administration Guide


Amazon Chime: Administration Guide

Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.


Table of Contents

What is Amazon Chime? ... 1

Administration overview ... 1

How to get started ... 1

Pricing ... 1

Resources ... 1

Prerequisites ... 2

Creating an Amazon Web Services account ... 2

Security ... 3

Identity and access management ... 3

Audience ... 4

Authenticating with identities ... 4

Managing access using policies ... 6

How Amazon Chime works with IAM ... 8

Amazon Chime identity-based policies ... 8

Resources ... 9

Examples ... 9

Cross-service confused deputy prevention ... 9

Amazon Chime resource-based policies ... 10

Authorization based on Amazon Chime tags ... 10

Amazon Chime IAM roles ... 10

Using temporary credentials with Amazon Chime ... 10

Service-linked roles ... 10

Service roles ... 10

Identity-based policy examples ... 10

Policy best practices ... 11

Using the Amazon Chime console ... 11

Allow users full access to Amazon Chime ... 12

Allow users to view their own permissions ... 13

Allow users to access user management actions ... 13

Allow users to access Amazon Chime SDK actions ... 14

AWS managed policy: AmazonChimeVoiceConnectorServiceLinkedRolePolicy ... 15

Policy updates ... 15

Troubleshooting ... 16

I am not authorized to perform an action in Amazon Chime ... 16

I am not authorized to perform iam:PassRole ... 16

I want to view my access keys ... 17

I'm an administrator and want to allow others to access Amazon Chime ... 17

I want to allow people outside of my AWS account to access my Amazon Chime resources ... 17

Using service-linked roles ... 18

Using roles to stream Voice Connector media ... 18

Using roles with shared devices ... 20

Using roles with live transcription ... 22

Logging and monitoring ... 24

Monitoring with CloudWatch ... 24

Automating with EventBridge ... 32

Logging service API calls ... 36

Compliance validation ... 37

Resilience ... 38

Infrastructure security ... 38

Understanding Amazon Chime automatic updates ... 39

Getting started ... 40

Step 1: Creating an Amazon Chime administrator account ... 40

Step 2 (optional): Configuring account settings ... 40

Step 3: Adding users to your account ... 41


(Optional) Setting up phone numbers for your Amazon Chime account ... 42

(Optional) Configuring your conference rooms to use Amazon Chime ... 42

Managing your accounts ... 43

Choosing a Team or Enterprise account ... 43

Converting from Team to Enterprise ... 44

Renaming your account ... 44

Deleting your account ... 45

Managing meeting settings ... 46

Meeting policy settings ... 46

Meeting application settings ... 46

Meeting Region settings ... 46

Managing chat retention policies ... 47

How retention policies affect Amazon Chime users ... 47

Turning on chat retention ... 49

Restoring and deleting chat messages ... 49

Managing messages ... 49

Removing messages ... 50

Claiming a domain ... 50

Connecting to Active Directory ... 51

Prerequisites ... 51

Connecting to your Active Directory in Amazon Chime ... 51

Configuring multiple email addresses ... 52

Connecting to Okta SSO ... 53

Deploying the Add-In for Outlook ... 54

Setting up the Amazon Chime Meetings App for Slack ... 55

Installing the Amazon Chime Meetings App for Slack on an organization ... 55

Installing the Amazon Chime Meetings App for Slack on workspaces ... 56

Migrating workspaces to organizations ... 56

Associating workspaces with Amazon Chime Team accounts ... 56

Managing users ... 58

Adding users ... 58

Viewing user details ... 58

Managing user permissions and access ... 60

Managing user permissions ... 60

Managing user access ... 61

Managing user phone numbers ... 62

Assigning phone numbers to users ... 62

Editing calling and SMS permissions ... 63

Unassigning phone numbers from users ... 63

Changing personal meeting PINs ... 63

Managing Pro trials ... 64

Requesting user attachments ... 64

Managing Amazon Chime automatic updates ... 65

Migrating users to another Team account ... 65

Managing phone numbers ... 67

Provisioning phone numbers ... 68

Requesting international phone numbers ... 68

Country requirements for phone numbers ... 69

Porting existing phone numbers ... 80

Porting phone numbers into Amazon Chime ... 80

Porting phone numbers out of Amazon Chime ... 82

Phone number porting status definitions ... 83

Managing phone number inventory ... 84

Updating outbound calling names ... 86

Deleting phone numbers ... 87

Restoring deleted phone numbers ... 87

Managing Voice Connectors ... 88


Before you begin ... 88

Creating an Amazon Chime Voice Connector ... 89

Editing Amazon Chime Voice Connector settings ... 89

Setting up emergency call routing numbers ... 90

Assigning and unassigning Amazon Chime Voice Connector phone numbers ... 91

Deleting an Amazon Chime Voice Connector ... 92

Managing Voice Connector groups ... 92

Creating an Amazon Chime Voice Connector group ... 93

Editing an Amazon Chime Voice Connector group ... 93

Assigning and unassigning phone numbers for an Amazon Chime Voice Connector group ... 94

Deleting an Amazon Chime Voice Connector group ... 94

Streaming media to Kinesis ... 94

Starting media streaming ... 95

SIP-based media recording (SIPREC) and network-based recording (NBR) compatibility ... 96

Managing SIP media applications and rules ... 97

Understanding SIP rules and applications ... 97

Using SIP media applications ... 98

Creating a SIP media application ... 98

Viewing a SIP media application ... 99

Updating a SIP media application ... 99

Deleting a SIP media application ... 99

Using SIP rules ... 100

Creating a SIP rule ... 100

Viewing a SIP rule ... 101

Updating a SIP rule ... 101

Enabling a SIP rule ... 101

Disabling a SIP rule ... 102

Deleting a SIP rule ... 103

Managing global settings ... 104

Configuring call detail records ... 104

Amazon Chime Business Calling call detail records ... 104

Amazon Chime Voice Connector call detail records ... 105

Amazon Chime Voice Connector streaming detail records ... 106

Setting up Amazon Chime on Dolby hardware ... 107

Preparing for setup ... 107

Setting up the Dolby hardware ... 109

Pairing a Dolby device ... 110

Setting up a Dolby Voice Room whiteboard ... 111

Verifying Dolby device settings ... 111

Verifying setup of Amazon Chime on Dolby hardware ... 112

Conference room configuration ... 113

Joining a moderated meeting ... 113

Compatible VTC devices ... 113

Network configuration and bandwidth requirements ... 115

Common ... 115

Meetings and Business Calling ... 115

H.323 room systems ... 115

Session Initiation Protocol (SIP) room systems ... 116

Amazon Chime Voice Connector ... 116

Signaling ... 117

Media ... 117

Bandwidth requirements ... 117

Viewing reports ... 119

Administrative support ... 120

Document history ... 121

AWS glossary ... 126


What is Amazon Chime?

Amazon Chime is a communications service that transforms online meetings with an application that is secure and comprehensive. Amazon Chime works across your devices so that you can stay connected.

You can use Amazon Chime for online meetings, video conferencing, calls, and chat. You can also share content inside and outside of your organization. Amazon Chime is a fully managed service that runs securely on the AWS cloud, which frees IT from deploying and managing complex infrastructures.

For more information, see Amazon Chime.

Administration overview

As an administrator, you use the Amazon Chime console to perform key tasks, such as creating Amazon Chime accounts and managing users and permissions. To access the Amazon Chime console and create an Amazon Chime administrator account, first create an AWS account. For more information, see Prerequisites (p. 2).

How to get started

After you complete the Prerequisites (p. 2), you can create and configure your Amazon Chime administrative account, then add users to it. Choose Pro or Basic permissions for your users.

If you're ready to get started now, see the following tutorial:

• Getting started (p. 40)

For more information on user access and permissions, see Managing user permissions and access (p. 60). For more information on the features that users with Pro and Basic permissions can access, see Plans and pricing.

Pricing

Amazon Chime provides usage-based pricing. You pay only for the users with Pro permissions that host meetings, and only on the days that those meetings are hosted. Meeting attendees and chat users are not charged.

There is no charge for users with Basic permissions. Basic users cannot host meetings, but they can attend meetings and use chat. For more information on pricing and the features that users with Pro and Basic permissions can access, see Plans and pricing.

Resources

For more information about Amazon Chime, see the following resources:

• Amazon Chime Help Center

• Amazon Chime Training Videos


Prerequisites

You must have an AWS account to access the Amazon Chime console and create an Amazon Chime administrator account.

Creating an Amazon Web Services account

Before you can create an administrator account for Amazon Chime, you must first create an AWS account.

To create an AWS account

1. Open https://portal.aws.amazon.com/billing/signup.

2. Follow the online instructions.

Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

For information about how to finish setting up your Amazon Chime administrator account, see Getting started (p. 40).


Security in Amazon Chime

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The shared responsibility model describes this as security of the cloud and security in the cloud:

Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs.

To learn about the compliance programs that apply to Amazon Chime, see AWS Services in Scope by Compliance Program.

Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using Amazon Chime. The following topics show you how to configure Amazon Chime to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Amazon Chime resources.

Topics

• Identity and access management for Amazon Chime (p. 3)

• How Amazon Chime works with IAM (p. 8)

• Cross-service confused deputy prevention (p. 9)

• Amazon Chime resource-based policies (p. 10)

• Authorization based on Amazon Chime tags (p. 10)

• Amazon Chime IAM roles (p. 10)

• Amazon Chime identity-based policy examples (p. 10)

• Troubleshooting Amazon Chime identity and access (p. 16)

• Using service-linked roles for Amazon Chime (p. 18)

• Logging and monitoring in Amazon Chime (p. 24)

• Compliance validation for Amazon Chime (p. 37)

• Resilience in Amazon Chime (p. 38)

• Infrastructure security in Amazon Chime (p. 38)

• Understanding Amazon Chime automatic updates (p. 39)

Identity and access management for Amazon Chime

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use Amazon Chime resources. IAM is an AWS service that you can use with no additional charge.


Topics

• Audience (p. 4)

• Authenticating with identities (p. 4)

• Managing access using policies (p. 6)

Audience

How you use AWS Identity and Access Management (IAM) differs, depending on the work that you do in Amazon Chime.

Service user – If you use the Amazon Chime service to do your job, then your administrator provides you with the credentials and permissions that you need. As you use more Amazon Chime features to do your work, you might need additional permissions. Understanding how access is managed can help you request the right permissions from your administrator. If you cannot access a feature in Amazon Chime, see Troubleshooting Amazon Chime identity and access (p. 16).

Service administrator – If you're in charge of Amazon Chime resources at your company, you probably have full access to Amazon Chime. It's your job to determine which Amazon Chime features and resources your employees should access. You must then submit requests to your IAM administrator to change the permissions of your service users. Review the information on this page to understand the basic concepts of IAM. To learn more about how your company can use IAM with Amazon Chime, see How Amazon Chime works with IAM (p. 8).

IAM administrator – If you're an IAM administrator, you might want to learn details about how you can write policies to manage access to Amazon Chime. To view example Amazon Chime identity-based policies that you can use in IAM, see Amazon Chime identity-based policy examples (p. 10).

Authenticating with identities

Authentication is how you sign in to AWS using your identity credentials. For more information about signing in using the AWS Management Console, see Signing in to the AWS Management Console as an IAM user or root user in the IAM User Guide.

You must be authenticated (signed in to AWS) as the AWS account root user, an IAM user, or by assuming an IAM role. You can also use your company's single sign-on authentication or even sign in using Google or Facebook. In these cases, your administrator previously set up identity federation using IAM roles.

When you access AWS using credentials from another company, you are assuming a role indirectly.

To sign in directly to the AWS Management Console, use your password with your root user email address or your IAM user name. You can access AWS programmatically using your root user or IAM user access keys. AWS provides SDK and command line tools to cryptographically sign your request using your credentials. If you don't use AWS tools, you must sign the request yourself. Do this using Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signature Version 4 signing process in the AWS General Reference.

Regardless of the authentication method that you use, you might also be required to provide additional security information. For example, AWS recommends that you use multi-factor authentication (MFA) to increase the security of your account. To learn more, see Using multi-factor authentication (MFA) in AWS in the IAM User Guide.

AWS account root user

When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks.

IAM users and groups

An IAM user is an identity within your AWS account that has specific permissions for a single person or application. An IAM user can have long-term credentials such as a user name and password or a set of access keys. To learn how to generate access keys, see Managing access keys for IAM users in the IAM User Guide. When you generate access keys for an IAM user, make sure you view and securely save the key pair. You cannot recover the secret access key in the future. Instead, you must generate a new access key pair.

An IAM group is an identity that specifies a collection of IAM users. You can't sign in as a group. You can use groups to specify permissions for multiple users at a time. Groups make permissions easier to manage for large sets of users. For example, you could have a group named IAMAdmins and give that group permissions to administer IAM resources.

Users are different from roles. A user is uniquely associated with one person or application, but a role is intended to be assumable by anyone who needs it. Users have permanent long-term credentials, but roles provide temporary credentials. To learn more, see When to create an IAM user (instead of a role) in the IAM User Guide.

IAM roles

An IAM role is an identity within your AWS account that has specific permissions. It is similar to an IAM user, but is not associated with a specific person. You can temporarily assume an IAM role in the AWS Management Console by switching roles. You can assume a role by calling an AWS CLI or AWS API operation or by using a custom URL. For more information about methods for using roles, see Using IAM roles in the IAM User Guide.

IAM roles with temporary credentials are useful in the following situations:

Temporary IAM user permissions – An IAM user can assume an IAM role to temporarily take on different permissions for a specific task.

Federated user access – Instead of creating an IAM user, you can use existing identities from AWS Directory Service, your enterprise user directory, or a web identity provider. These are known as federated users. AWS assigns a role to a federated user when access is requested through an identity provider. For more information about federated users, see Federated users and roles in the IAM User Guide.

Cross-account access – You can use an IAM role to allow someone (a trusted principal) in a different account to access resources in your account. Roles are the primary way to grant cross-account access. However, with some AWS services, you can attach a policy directly to a resource (instead of using a role as a proxy). To learn the difference between roles and resource-based policies for cross-account access, see How IAM roles differ from resource-based policies in the IAM User Guide.

Cross-service access – Some AWS services use features in other AWS services. For example, when you make a call in a service, it's common for that service to run applications in Amazon EC2 or store objects in Amazon S3. A service might do this using the calling principal's permissions, using a service role, or using a service-linked role.

Principal permissions – When you use an IAM user or role to perform actions in AWS, you are considered a principal. Policies grant permissions to a principal. When you use some services, you might perform an action that then triggers another action in a different service. In this case, you must have permissions to perform both actions. To see whether an action requires additional dependent actions in a policy, see Actions, resources, and condition keys for Amazon Chime in the Service Authorization Reference.

Service role – A service role is an IAM role that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.

Service-linked role – A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view, but not edit, the permissions for service-linked roles.

Applications running on Amazon EC2 – You can use an IAM role to manage temporary credentials for applications that are running on an EC2 instance and making AWS CLI or AWS API requests. This is preferable to storing access keys within the EC2 instance. To assign an AWS role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the EC2 instance to get temporary credentials. For more information, see Using an IAM role to grant permissions to applications running on Amazon EC2 instances in the IAM User Guide.

To learn whether to use IAM roles or IAM users, see When to create an IAM role (instead of a user) in the IAM User Guide.

Managing access using policies

You control access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions.

You can sign in as the root user or an IAM user, or you can assume an IAM role. When you then make a request, AWS evaluates the related identity-based or resource-based policies. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents. For more information about the structure and contents of JSON policy documents, see Overview of JSON policies in the IAM User Guide.

Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.

Every IAM entity (user or role) starts with no permissions. In other words, by default, users can do nothing, not even change their own password. To give a user permission to do something, an administrator must attach a permissions policy to a user. Or the administrator can add the user to a group that has the intended permissions. When an administrator gives permissions to a group, all users in that group are granted those permissions.

IAM policies define permissions for an action regardless of the method that you use to perform the operation. For example, suppose that you have a policy that allows the iam:GetRole action. A user with that policy can get role information from the AWS Management Console, the AWS CLI, or the AWS API.

Identity-based policies

Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see Creating IAM policies in the IAM User Guide.

Identity-based policies can be further categorized as inline policies or managed policies. Inline policies are embedded directly into a single user, group, or role. Managed policies are standalone policies that you can attach to multiple users, groups, and roles in your AWS account. Managed policies include AWS managed policies and customer managed policies. To learn how to choose between a managed policy or an inline policy, see Choosing between managed policies and inline policies in the IAM User Guide.


Resource-based policies

Resource-based policies are JSON policy documents that you attach to a resource. Examples of resource-based policies are IAM role trust policies and Amazon S3 bucket policies. In services that support resource-based policies, service administrators can use them to control access to a specific resource. For the resource where the policy is attached, the policy defines what actions a specified principal can perform on that resource and under what conditions. You must specify a principal in a resource-based policy. Principals can include accounts, users, roles, federated users, or AWS services.

Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.

AWS managed policies for Amazon Chime

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies.

These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

Access Control Lists (ACLs)

Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

Amazon S3, AWS WAF, and Amazon VPC are examples of services that support ACLs. To learn more about ACLs, see Access control list (ACL) overview in the Amazon Simple Storage Service Developer Guide.

Other policy types

AWS supports additional, less-common policy types. These policy types can set the maximum permissions granted to you by the more common policy types.

Permissions boundaries – A permissions boundary is an advanced feature in which you set the maximum permissions that an identity-based policy can grant to an IAM entity (IAM user or role). You can set a permissions boundary for an entity. The resulting permissions are the intersection of the entity's identity-based policies and its permissions boundaries. Resource-based policies that specify the user or role in the Principal field are not limited by the permissions boundary. An explicit deny in any of these policies overrides the allow. For more information about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.

Service control policies (SCPs) – SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU) in AWS Organizations. AWS Organizations is a service for grouping and centrally managing multiple AWS accounts that your business owns. If you enable all features in an organization, then you can apply service control policies (SCPs) to any or all of your accounts. The SCP limits permissions for entities in member accounts, including each AWS account root user. For more information about Organizations and SCPs, see How SCPs work in the AWS Organizations User Guide.

Session policies – Session policies are advanced policies that you pass as a parameter when you programmatically create a temporary session for a role or federated user. The resulting session's permissions are the intersection of the user or role's identity-based policies and the session policies. Permissions can also come from a resource-based policy. An explicit deny in any of these policies overrides the allow. For more information, see Session policies in the IAM User Guide.

Multiple policy types

When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see Policy evaluation logic in the IAM User Guide.
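As an added illustration of the evaluation rules described above (this is not code from the guide or from AWS): a small evaluator that applies the intersection and explicit-deny semantics to constructed Amazon Chime policies. It models identity-based policies, a permissions boundary and a session policy only, and matches on actions alone because Amazon Chime does not support resource ARNs in policies; the policy documents are sample values constructed for this example.

```python
from __future__ import annotations

from fnmatch import fnmatchcase

# Constructed sample policies. Amazon Chime does not support resource ARNs in policies,
# so every statement uses "Resource": "*" and evaluation here keys on the action alone.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "chime:*", "Resource": "*"}],
}
# Permissions boundary: caps the identity at read-only Amazon Chime access.
PERMISSIONS_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["chime:Get*", "chime:List*"],
                   "Resource": "*"}],
}
# Session policy passed when the role session is created: broad allow plus one explicit deny.
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "chime:GetUser", "Resource": "*"},
    ],
}


def _as_list(value) -> list:
    """Most IAM elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(action: str, stmt: dict) -> bool:
    """IAM action names match case-insensitively with * and ? wildcards;
    NotAction inverts the match."""
    if "NotAction" in stmt:
        patterns = _as_list(stmt["NotAction"])
        return not any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action")))


def evaluate_policy(action: str, policy: dict) -> str:
    """Verdict of one policy document for an action: 'deny' (explicit),
    'allow', or 'implicit_deny' when no statement matches."""
    verdict = "implicit_deny"
    for stmt in _as_list(policy.get("Statement")):
        if not _action_matches(action, stmt):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"  # an explicit deny in a document beats its allows
        if stmt.get("Effect") == "Allow":
            verdict = "allow"
    return verdict


def is_allowed(action: str, identity_policies: list[dict],
               boundary: dict | None = None, session_policy: dict | None = None) -> bool:
    """Combine the policy types the guide describes. The effective permission is the
    intersection of the identity-based policies with the permissions boundary and the
    session policy (each layer must allow), and an explicit deny anywhere overrides
    every allow."""
    layers = [identity_policies]
    if boundary is not None:
        layers.append([boundary])
    if session_policy is not None:
        layers.append([session_policy])
    verdicts_per_layer = [[evaluate_policy(action, p) for p in layer] for layer in layers]
    if any("deny" in verdicts for verdicts in verdicts_per_layer):
        return False
    return all("allow" in verdicts for verdicts in verdicts_per_layer)
```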

How Amazon Chime works with IAM

Before you use IAM to manage access to Amazon Chime, you should understand what IAM features are available to use with Amazon Chime. To get a high-level view of how Amazon Chime and other AWS services work with IAM, see AWS services that work with IAM in the IAM User Guide.

Topics

• Amazon Chime identity-based policies (p. 8)

• Resources (p. 9)

• Examples (p. 9)

Amazon Chime identity-based policies

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. Amazon Chime supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see IAM JSON policy elements reference in the IAM User Guide.

Actions

Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.

The Action element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated AWS API operation. There are some exceptions, such as permission-only actions that don't have a matching API operation. There are also some operations that require multiple actions in a policy. These additional actions are called dependent actions.

Include actions in a policy to grant permissions to perform the associated operation.

Condition keys

Amazon Chime does not provide any service-specific condition keys. To see all AWS global condition keys, see AWS Global Condition Context Keys in the IAM User Guide.


Resources

Amazon Chime does not support specifying resource ARNs in a policy.

Examples

To view examples of Amazon Chime identity-based policies, see Amazon Chime identity-based policy examples (p. 10).

Cross-service confused deputy prevention

The confused deputy problem is an information security issue that occurs when an entity without permission to perform an action calls a more-privileged entity to perform the action. This can allow malicious actors to run commands or modify resources they otherwise would not have permission to run or access. For more information, see The confused deputy problem in the AWS Identity and Access Management User Guide.

In AWS, cross-service impersonation can lead to a confused deputy scenario. Cross-service impersonation happens when one service (the calling service) calls another service (the called service). A malicious actor can use the calling service to alter resources in another service by using permissions that they normally would not have.

AWS provides service principals with managed access to resources on your account to help you protect your resources' security. We recommend using the aws:SourceAccount global condition context key in your resource policies. This key restricts the access that a resource policy grants to the Amazon Chime service principal so that it applies only to requests the service makes on behalf of your account.

The following example shows an S3 bucket policy that uses the aws:SourceAccount global condition context key in the configured CallDetailRecords S3 bucket to help prevent the confused deputy problem.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonChimeAclCheck668426",
            "Effect": "Allow",
            "Principal": {
                "Service": "chime.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::your-cdr-bucket"
        },
        {
            "Sid": "AmazonChimeWrite668426",
            "Effect": "Allow",
            "Principal": {
                "Service": "chime.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::your-cdr-bucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": "112233446677"
                }
            }
        }
    ]
}
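To make the recommendation above checkable during a policy review, the following added example (not part of the guide, and not Amazon's code) walks a bucket policy, reports each Allow statement that grants an AWS service principal access without an aws:SourceAccount or aws:SourceArn condition pinned to the expected account, and shows a helper that adds the missing condition. The embedded policy is a constructed copy of the CallDetailRecords bucket policy above, using the guide's placeholder account ID and bucket name.

```python
"""Added example, not from the Amazon Chime guide: review an S3 bucket policy
for the confused-deputy mitigation described above (aws:SourceAccount on
statements that grant access to an AWS service principal)."""
import copy
import json
from typing import Any

# Constructed copy of the guide's CallDetailRecords bucket policy. The account
# ID and bucket name are the guide's placeholder values, not real ones.
CDR_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonChimeAclCheck668426",
      "Effect": "Allow",
      "Principal": {"Service": "chime.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::your-cdr-bucket"
    },
    {
      "Sid": "AmazonChimeWrite668426",
      "Effect": "Allow",
      "Principal": {"Service": "chime.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-cdr-bucket/*",
      "Condition": {"StringEquals": {
        "s3:x-amz-acl": "bucket-owner-full-control",
        "aws:SourceAccount": "112233446677"}}
    }
  ]
}
""")


def _as_list(value: Any) -> list:
    """Most IAM elements accept a single string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _service_principals(stmt: dict) -> list:
    """Service principals named by a statement (empty for AWS, Federated or "*")."""
    principal = stmt.get("Principal")
    return _as_list(principal.get("Service")) if isinstance(principal, dict) else []


def _pinned_accounts(stmt: dict) -> list:
    """Account IDs the statement is pinned to: aws:SourceAccount values plus the
    account field of any aws:SourceArn, across all condition operators.
    Condition keys are compared case-insensitively, as IAM does."""
    accounts = []
    for keys in stmt.get("Condition", {}).values():
        for key, value in keys.items():
            if key.lower() == "aws:sourceaccount":
                accounts.extend(str(v) for v in _as_list(value))
            elif key.lower() == "aws:sourcearn":
                for arn in _as_list(value):
                    parts = str(arn).split(":")  # arn:partition:service:region:account:resource
                    if len(parts) >= 6 and parts[4]:
                        accounts.append(parts[4])
    return accounts


def check_service_principal_statements(policy: dict, expected_account: str) -> list:
    """One finding per Allow statement that lets a service principal act on the
    bucket without being pinned to expected_account; [] when all are pinned."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        services = _service_principals(stmt)
        if stmt.get("Effect") != "Allow" or not services:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = ", ".join(_as_list(stmt.get("Action")))
        pinned = _pinned_accounts(stmt)
        if not pinned:
            findings.append(f"{sid}: {actions} granted to {', '.join(services)} "
                            "without aws:SourceAccount or aws:SourceArn")
        elif expected_account not in pinned:
            findings.append(f"{sid}: pinned to {sorted(set(pinned))}, "
                            f"not to {expected_account}")
    return findings


def pin_service_statements(policy: dict, account: str) -> dict:
    """Copy of the policy in which every unpinned Allow statement for a service
    principal gets a StringEquals aws:SourceAccount condition for `account`."""
    hardened = copy.deepcopy(policy)
    for stmt in _as_list(hardened.get("Statement")):
        if stmt.get("Effect") == "Allow" and _service_principals(stmt) \
                and not _pinned_accounts(stmt):
            cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            cond["aws:SourceAccount"] = account
    return hardened


if __name__ == "__main__":
    for finding in check_service_principal_statements(CDR_BUCKET_POLICY, "112233446677"):
        print("FINDING:", finding)
    print(json.dumps(pin_service_statements(CDR_BUCKET_POLICY, "112233446677"), indent=2))
```

Run against the policy above, the checker reports the GetBucketAcl statement, which carries no source condition, and reports nothing once pin_service_statements has added one.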

Amazon Chime resource-based policies

Amazon Chime does not support resource-based policies.

Authorization based on Amazon Chime tags

Amazon Chime does not support tagging resources or controlling access based on tags.

Amazon Chime IAM roles

An IAM role is an entity within your AWS account that has specific permissions.

Using temporary credentials with Amazon Chime

You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as AssumeRole or GetFederationToken.

Amazon Chime supports using temporary credentials.

Service-linked roles

Service-linked roles allow AWS services to access resources in other services that complete actions on your behalf. Service-linked roles appear in your IAM account, and the services own the roles. An IAM administrator can view but not edit the permissions for service-linked roles.

Amazon Chime supports service-linked roles. For details about creating or managing Amazon Chime service-linked roles, see Using service-linked roles for Amazon Chime (p. 18).

Service roles

This feature allows a service to assume a service role on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service.

Amazon Chime does not support service roles.

Amazon Chime identity-based policy examples

By default, IAM users and roles don't have permission to create or modify Amazon Chime resources.

They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions.


To learn how to create an IAM identity-based policy using these example JSON policy documents, see Creating policies on the JSON tab in the IAM User Guide.

Topics

• Policy best practices (p. 11)

• Using the Amazon Chime console (p. 11)

• Allow users full access to Amazon Chime (p. 12)

• Allow users to view their own permissions (p. 13)

• Allow users to access user management actions (p. 13)

• Allow users to access Amazon Chime SDK actions (p. 14)

• AWS managed policy: AmazonChimeVoiceConnectorServiceLinkedRolePolicy (p. 15)

• Amazon Chime updates to AWS managed policies (p. 15)

Policy best practices

Identity-based policies are very powerful. They determine whether someone can create, access, or delete Amazon Chime resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:

Get started using AWS managed policies – To start using Amazon Chime quickly, use AWS managed policies to give your employees the permissions they need. These policies are already available in your account and are maintained and updated by AWS. For more information, see Get started using permissions with AWS managed policies in the IAM User Guide.

Grant least privilege – When you create custom policies, grant only the permissions required to perform a task. Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later. For more information, see Grant least privilege in the IAM User Guide.

Enable MFA for sensitive operations – For extra security, require IAM users to use multi-factor authentication (MFA) to access sensitive resources or API operations. For more information, see Using multi-factor authentication (MFA) in AWS in the IAM User Guide.

Use policy conditions for extra security – To the extent that it's practical, define the conditions under which your identity-based policies allow access to a resource. For example, you can write conditions to specify a range of allowable IP addresses that a request must come from. You can also write conditions to allow requests only within a specified date or time range, or to require the use of SSL or MFA. For more information, see IAM JSON policy elements: Condition in the IAM User Guide.

Using the Amazon Chime console

To access the Amazon Chime console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the Amazon Chime resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (IAM users or roles) with that policy.

To ensure that those entities can still use the Amazon Chime console, also attach the following AWS managed AmazonChimeReadOnly policy to the entities. For more information, see Adding permissions to a user in the IAM User Guide:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "chime:List*",
                "chime:Get*",
                "chime:SearchAvailablePhoneNumbers"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that you're trying to perform.

Allow users full access to Amazon Chime

The following AWS managed AmazonChimeFullAccess policy grants an IAM user full access to Amazon Chime resources. The policy gives the user access to all Amazon Chime operations, as well as other operations that Amazon Chime needs to be able to perform on your behalf.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "chime:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "logs:CreateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:GetLogDelivery",
                "logs:ListLogDeliveries",
                "logs:DescribeResourcePolicies",
                "logs:PutResourcePolicy",
                "logs:CreateLogGroup",
                "logs:DescribeLogGroups"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic",
                "sns:GetTopicAttributes"
            ],
            "Resource": [
                "arn:aws:sns:*:*:ChimeVoiceConnector-Streaming*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:GetQueueAttributes",
                "sqs:CreateQueue"
            ],
            "Resource": [
                "arn:aws:sqs:*:*:ChimeVoiceConnector-Streaming*"
            ]
        }
    ]
}

Allow users to view their own permissions

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewOwnUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Resource": ["arn:aws:iam::*:user/${aws:username}"]
        },
        {
            "Sid": "NavigateInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}

Allow users to access user management actions

Use the AWS managed AmazonChimeUserManagement policy to grant users access to user management actions in the Amazon Chime console.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "chime:ListAccounts",
                "chime:GetAccount",
                "chime:GetAccountSettings",
                "chime:UpdateAccountSettings",
                "chime:ListUsers",
                "chime:GetUser",
                "chime:GetUserByEmail",
                "chime:InviteUsers",
                "chime:InviteUsersFromProvider",
                "chime:SuspendUsers",
                "chime:ActivateUsers",
                "chime:UpdateUserLicenses",
                "chime:ResetPersonalPIN",
                "chime:LogoutUser",
                "chime:ListDomains",
                "chime:GetDomain",
                "chime:ListDirectories",
                "chime:ListGroups",
                "chime:SubmitSupportRequest",
                "chime:ListDelegates",
                "chime:ListAccountUsageReportData",
                "chime:GetMeetingDetail",
                "chime:ListMeetingEvents",
                "chime:ListMeetingsReportData",
                "chime:GetUserActivityReportData",
                "chime:UpdateUser",
                "chime:BatchUpdateUser",
                "chime:BatchSuspendUser",
                "chime:BatchUnsuspendUser",
                "chime:AssociatePhoneNumberWithUser",
                "chime:DisassociatePhoneNumberFromUser",
                "chime:GetPhoneNumber",
                "chime:ListPhoneNumbers",
                "chime:GetUserSettings",
                "chime:UpdateUserSettings",
                "chime:CreateUser",
                "chime:AssociateSigninDelegateGroupsWithAccount",
                "chime:DisassociateSigninDelegateGroupsFromAccount"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Allow users to access Amazon Chime SDK actions

Use the AWS managed AmazonChimeSDK policy to grant users access to Amazon Chime SDK actions.

For more information, see Example IAM roles in the Amazon Chime Developer Guide, and Actions, resources, and condition keys for Amazon Chime in the Service Authorization Reference.

Policy ARN: arn:aws:iam::aws:policy/AmazonChimeSDK
Description: Provides access to Amazon Chime SDK operations

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "chime:CreateMeeting",
                "chime:CreateMeetingWithAttendees",
                "chime:DeleteMeeting",
                "chime:GetMeeting",
                "chime:ListMeetings",
                "chime:CreateAttendee",
                "chime:BatchCreateAttendee",
                "chime:DeleteAttendee",
                "chime:GetAttendee",
                "chime:ListAttendees",
                "chime:ListAttendeeTags",
                "chime:ListMeetingTags",
                "chime:ListTagsForResource",
                "chime:TagAttendee",
                "chime:TagMeeting",
                "chime:TagResource",
                "chime:UntagAttendee",
                "chime:UntagMeeting",
                "chime:UntagResource",
                "chime:StartMeetingTranscription",
                "chime:StopMeetingTranscription"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

AWS managed policy: AmazonChimeVoiceConnectorServiceLinkedRolePolicy

The AmazonChimeVoiceConnectorServiceLinkedRolePolicy enables Amazon Chime Voice Connector to stream media to Amazon Kinesis Video Streams and provide streaming notifications. This policy grants the Amazon Chime Voice Connector service permissions to access customers' Amazon Kinesis Video Streams and send notification events to Amazon Simple Notification Service (SNS) and Amazon Simple Queue Service (SQS). This is a managed policy attached to a service-linked role and cannot be attached to IAM entities. For more information, see Using roles to stream Amazon Chime Voice Connector media to Kinesis (p. 18).

Amazon Chime updates to AWS managed policies

The following table lists and describes the updates made to the Amazon Chime IAM policy.

Change: AmazonChimeVoiceConnectorServiceLinkedRolePolicy – Update to an existing policy
Description: Amazon Chime Voice Connector added new permissions to allow access to Amazon Kinesis Video Streams and send notification events to SNS and SQS. These permissions are required for Amazon Chime Voice Connectors to stream media to Amazon Kinesis Video Streams and provide streaming notifications.
Date: December 20, 2021

Change: Change to existing policy. Creating IAM users or roles with the Chime SDK policy. Amazon Chime added new actions to support expanded validation.
Description: A number of actions were added to allow listing and tagging of attendees and meeting resources, and for starting and stopping meeting transcription.
Date: September 23, 2021

Change: Amazon Chime started tracking changes
Description: Amazon Chime started tracking changes for its AWS managed policies.
Date: September 23, 2021

Troubleshooting Amazon Chime identity and access

Use the following information to help you diagnose and fix common issues that you might encounter when working with Amazon Chime and IAM.

Topics

• I am not authorized to perform an action in Amazon Chime (p. 16)

• I am not authorized to perform iam:PassRole (p. 16)

• I want to view my access keys (p. 17)

• I'm an administrator and want to allow others to access Amazon Chime (p. 17)

• I want to allow people outside of my AWS account to access my Amazon Chime resources (p. 17)

I am not authorized to perform an action in Amazon Chime

If the AWS Management Console tells you that you're not authorized to perform an action, then you must contact your administrator for assistance. Your administrator is the person that provided you with your user name and password.

The following example error occurs when the mateojackson IAM user tries to use the console to view details about a domain but does not have chime:GetDomain permissions.

User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: chime:GetDomain

In this case, Mateo asks his administrator to update his policies to allow him to access the domain details using the chime:GetDomain action.
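As an added example (not from the guide, and not Amazon's code), the following code parses the error message shown above and then decides which of the managed policies listed earlier in this section would allow the requested action, using the Action-element wildcard semantics IAM applies (case-insensitive, * for any run of characters, ? for a single character). It assumes Resource "*" and no conditions, which holds for the Amazon Chime policies above, and uses an abbreviated, constructed copy of the AmazonChimeUserManagement action list.

```python
"""Added example, not from the Amazon Chime guide: map an IAM AccessDenied
message to the managed policies above that would have allowed the action."""
import re
from typing import Any

# Constructed copy of the guide's AmazonChimeReadOnly policy.
READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["chime:List*", "chime:Get*", "chime:SearchAvailablePhoneNumbers"],
         "Effect": "Allow", "Resource": "*"},
    ],
}

# Abbreviated, constructed copy of the guide's AmazonChimeUserManagement policy
# (only some of its actions are listed here).
USER_MANAGEMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["chime:ListAccounts", "chime:GetAccount", "chime:ListUsers",
                    "chime:GetUser", "chime:InviteUsers", "chime:SuspendUsers",
                    "chime:ListDomains", "chime:GetDomain", "chime:CreateUser"],
         "Effect": "Allow", "Resource": "*"},
    ],
}

MANAGED_POLICIES = {
    "AmazonChimeReadOnly": READ_ONLY,
    "AmazonChimeUserManagement": USER_MANAGEMENT,
}

# Constructed one-line copy of the console error shown above.
SAMPLE_ERROR = ("User: arn:aws:iam::123456789012:user/mateojackson is not "
                "authorized to perform: chime:GetDomain")

# Shape of the "is not authorized to perform" message as printed in the guide.
_ERROR_RE = re.compile(
    r"User: (?P<principal>arn:aws:iam::\d{12}:\S+) is not authorized to perform: "
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9*?]+)"
)


def _as_list(value: Any) -> list:
    """Most IAM elements accept a single string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def action_matches(pattern: str, action: str) -> bool:
    """IAM Action matching: case-insensitive; '*' matches any run of characters
    and '?' matches exactly one character. Everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def evaluate(policy: dict, action: str) -> str:
    """'Allow', 'Deny' or 'ImplicitDeny' for one identity policy, in IAM's order:
    an explicit Deny wins over any Allow, and no matching statement is an
    implicit deny. Resource is assumed to be '*', Condition absent, and the
    NotAction element is not handled."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        if any(action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            if stmt.get("Effect") == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def parse_access_denied(message: str) -> dict:
    """Extract the principal ARN and the denied action from the console error."""
    match = _ERROR_RE.search(message)
    if match is None:
        raise ValueError("not an IAM 'is not authorized to perform' message")
    return {"principal": match.group("principal"), "action": match.group("action")}


def policies_allowing(action: str, candidates: dict) -> list:
    """Names of the candidate policies that would allow the action."""
    return [name for name, pol in candidates.items() if evaluate(pol, action) == "Allow"]


if __name__ == "__main__":
    denied = parse_access_denied(SAMPLE_ERROR)
    print(denied["principal"], "needs", denied["action"])
    print("allowed by:", policies_allowing(denied["action"], MANAGED_POLICIES))
```

For Mateo's error this reports that chime:GetDomain is covered by the chime:Get* pattern in AmazonChimeReadOnly as well as by the explicit action in AmazonChimeUserManagement, which is the information an administrator needs before choosing which policy to attach.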

I am not authorized to perform iam:PassRole

If you receive an error that you're not authorized to perform the iam:PassRole action, then you must contact your administrator for assistance. Your administrator is the person that provided you with your user name and password. Ask that person to update your policies to allow you to pass a role to Amazon Chime.

Some AWS services allow you to pass an existing role to that service, instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.

The following example error occurs when an IAM user named marymajor tries to use the console to perform an action in Amazon Chime. However, the action requires the service to have permissions granted by a service role. Mary does not have permissions to pass the role to the service.

User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole

In this case, Mary asks her administrator to update her policies to allow her to perform the iam:PassRole action.

I want to view my access keys

After you create your IAM user access keys, you can view your access key ID at any time. However, you can't view your secret access key again. If you lose your secret key, you must create a new access key pair.

Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password.

Important

Do not provide your access keys to a third party, even to help find your canonical user ID. By doing this, you might give someone permanent access to your account.

When you create an access key pair, you are prompted to save the access key ID and secret access key in a secure location. The secret access key is available only at the time you create it. If you lose your secret access key, you must add new access keys to your IAM user. You can have a maximum of two access keys.

If you already have two, you must delete one key pair before creating a new one. To view instructions, see Managing access keys in the IAM User Guide.

I'm an administrator and want to allow others to access Amazon Chime

To allow others to access Amazon Chime, you must create an IAM entity (user or role) for the person or application that needs access. They will use the credentials for that entity to access AWS. You must then attach a policy to the entity that grants them the correct permissions in Amazon Chime.

To get started right away, see Creating your first IAM delegated user and group in the IAM User Guide.

I want to allow people outside of my AWS account to access my Amazon Chime resources

You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.

To learn more, consult the following:


• To learn whether Amazon Chime supports these features, see How Amazon Chime works with IAM (p. 8).

• To learn how to provide access to your resources across AWS accounts that you own, see Providing access to an IAM user in another AWS account that you own in the IAM User Guide.

• To learn how to provide access to your resources to third-party AWS accounts, see Providing access to AWS accounts owned by third parties in the IAM User Guide.

• To learn how to provide access through identity federation, see Providing access to externally authenticated users (identity federation) in the IAM User Guide.

• To learn the difference between using roles and resource-based policies for cross-account access, see How IAM roles differ from resource-based policies in the IAM User Guide.

Using service-linked roles for Amazon Chime

Amazon Chime uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Amazon Chime. Service-linked roles are predefined by Amazon Chime and include all the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes setting up Amazon Chime more efficient because you aren't required to manually add the necessary permissions. Amazon Chime defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon Chime can assume its roles. The defined permissions include the trust policy and the permissions policy. The permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your Amazon Chime resources because you can't inadvertently remove permission to access the resources.

For information about other services that support service-linked roles, see AWS services that work with IAM. Look for the services that have Yes in the Service-Linked Role column. Choose a Yes with a link to view the service-linked role documentation for that service.

Topics

• Using roles to stream Amazon Chime Voice Connector media to Kinesis (p. 18)

• Using roles with shared Alexa for Business devices (p. 20)

• Using roles with live transcription (p. 22)

Using roles to stream Amazon Chime Voice Connector media to Kinesis

The information in the following sections explains how to use roles to stream Amazon Chime Voice Connector media to Kinesis.

Topics

• Service-linked role permissions for Amazon Chime Voice Connectors (p. 19)

• Creating a service-linked role for Amazon Chime Voice Connectors (p. 19)

• Editing a service-linked role for Amazon Chime Voice Connectors (p. 19)

• Deleting a service-linked role for Amazon Chime Voice Connectors (p. 19)

• Supported Regions for Amazon Chime service-linked roles (p. 20)


Service-linked role permissions for Amazon Chime Voice Connectors

Amazon Chime Voice Connectors use the service-linked role named AWSServiceRoleForAmazonChimeVoiceConnector – Allows Amazon Chime Voice Connectors to call AWS services on your behalf. For more information about how to start media streaming for your Amazon Chime Voice Connector, see Streaming Amazon Chime Voice Connector media to Kinesis (p. 94).

The AWSServiceRoleForAmazonChimeVoiceConnector service-linked role trusts the following services to assume the role:

• voiceconnector.chime.amazonaws.com

The role permissions policy allows Amazon Chime to complete the following actions on the specified resources:

• Action: chime:GetVoiceConnector* on all AWS resources

• Action: kinesisvideo:* on arn:aws:kinesisvideo:us-east-1:111122223333:stream/ChimeVoiceConnector-*

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-Linked Role Permissions in the IAM User Guide.

Creating a service-linked role for Amazon Chime Voice Connectors

You don't need to manually create a service-linked role. When you start Kinesis media streaming for your Amazon Chime Voice Connector in the AWS Management Console, the AWS CLI, or the AWS API, Amazon Chime creates the service-linked role for you.

You can also use the IAM console to create a service-linked role with the Chime Voice Connector use case. In the AWS CLI or the AWS API, create a service-linked role with the voiceconnector.chime.amazonaws.com service name. For more information, see Creating a service-linked role in the IAM User Guide. If you delete this service-linked role, you can use this same process to create the role again.

Editing a service-linked role for Amazon Chime Voice Connectors

Amazon Chime does not allow you to edit the AWSServiceRoleForAmazonChimeVoiceConnector service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Deleting a service-linked role for Amazon Chime Voice Connectors

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it.


Cleaning up a service-linked role

Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role.

Note

If the Amazon Chime service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

To delete Amazon Chime resources used by the AWSServiceRoleForAmazonChimeVoiceConnector (console)

• Stop media streaming for all the Amazon Chime Voice Connectors in your Amazon Chime account.

a. Open the Amazon Chime console at https://chime.aws.amazon.com/.

b. For Calling, choose Voice connectors.

c. Choose the name of the Amazon Chime Voice Connector.

d. Choose Streaming.

e. For Send to Kinesis Video Streams, choose Stop.

f. Choose Save.

To delete Amazon Chime resources used by the AWSServiceRoleForAmazonChimeVoiceConnector (AWS CLI)

• Use the delete-voice-connector-streaming-configuration command in the AWS CLI to stop media streaming for all Amazon Chime Voice Connectors in your account.

aws chime delete-voice-connector-streaming-configuration --voice-connector-id abcdef1ghij2klmno3pqr4

To delete Amazon Chime resources used by the AWSServiceRoleForAmazonChimeVoiceConnector (API)

• Use the DeleteVoiceConnectorStreamingConfiguration API operation to stop media streaming for all Amazon Chime Voice Connectors in your account. For more information, see DeleteVoiceConnectorStreamingConfiguration in the Amazon Chime API Reference.

Manually delete the service-linked role

Use the IAM console, the AWS CLI, or the AWS API operation to delete the AWSServiceRoleForAmazonChimeVoiceConnector service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.

Supported Regions for Amazon Chime service-linked roles

Amazon Chime supports using service-linked roles in all of the AWS Regions where the service is available. For more information, see Amazon Chime endpoints and quotas.

Using roles with shared Alexa for Business devices

The information in the following sections explains how to use service-linked roles and grant Amazon Chime access to the Alexa for Business resources in your AWS account.

Topics


• Service-linked role permissions for Amazon Chime (p. 21)

• Creating a service-linked role for Amazon Chime (p. 21)

• Editing a service-linked role for Amazon Chime (p. 21)

• Deleting a service-linked role for Amazon Chime (p. 21)

• Supported Regions for Amazon Chime service-linked roles (p. 22)

Service-linked role permissions for Amazon Chime

Amazon Chime uses the service-linked role named AWSServiceRoleForAmazonChime – Allows access to AWS services and resources used or managed by Amazon Chime, such as Alexa for Business shared devices.

The AWSServiceRoleForAmazonChime service-linked role trusts the following services to assume the role:

• chime.amazonaws.com

The role permissions policy allows Amazon Chime to complete the following action on the specified resource:

• Action: iam:CreateServiceLinkedRole on arn:aws:iam::*:role/aws-service-role/chime.amazonaws.com/AWSServiceRoleForAmazonChime

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide.

Creating a service-linked role for Amazon Chime

You don't need to manually create a service-linked role. When you turn on Alexa for Business for a shared device in Amazon Chime in the AWS Management Console, the AWS CLI, or the AWS API, Amazon Chime creates the service-linked role for you.

You can also use the IAM console to create a service-linked role with the Amazon Chime use case. In the AWS CLI or the AWS API, create a service-linked role with the chime.amazonaws.com service name.

For more information, see Creating a service-linked role in the IAM User Guide. If you delete this service-linked role, you can use this same process to create the role again.

Editing a service-linked role for Amazon Chime

Amazon Chime does not allow you to edit the AWSServiceRoleForAmazonChime service-linked role.

After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Deleting a service-linked role for Amazon Chime

If you no longer require a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained.

However, you must clean up your service-linked role before you can manually delete it.

Cleaning up a service-linked role

Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role.


Note

If Amazon Chime is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

To delete Amazon Chime resources used by the AWSServiceRoleForAmazonChime (console)

• Turn off Alexa for Business for all shared devices in your Amazon Chime account.

a. Open the Amazon Chime console at https://chime.aws.amazon.com/.

b. Choose Users, Shared devices.

c. Select a device.

d. Choose Actions.

e. Choose Disable Alexa for Business.

Manually delete the service-linked role

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForAmazonChime service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.

Supported Regions for Amazon Chime service-linked roles

Amazon Chime supports using service-linked roles in all of the regions where the service is available. For more information, see Amazon Chime endpoints and quotas.

Using roles with live transcription

The information in the following sections explains how to create and manage a service-linked role for Amazon Chime live transcription. For more information about the live transcription service, see Using Amazon Chime SDK live transcription.

Topics

• Service-Linked Role Permissions for Amazon Chime Live Transcription (p. 22)

• Creating a Service-Linked Role for Amazon Chime Live Transcription (p. 23)

• Editing a Service-Linked Role for Amazon Chime Live Transcription (p. 23)

• Deleting a Service-Linked Role for Amazon Chime Live Transcription (p. 23)

• Supported Regions for Amazon Chime Service-Linked Roles (p. 24)

Service-Linked Role Permissions for Amazon Chime Live Transcription

Amazon Chime Live Transcription uses a service-linked role named AWSServiceRoleForAmazonChimeTranscription – Allows Amazon Chime to access Amazon Transcribe and Amazon Transcribe Medical on your behalf.

The AWSServiceRoleForAmazonChimeTranscription service-linked role trusts the following services to assume the role:

• transcription.chime.amazonaws.com

The role permissions policy allows Amazon Chime to complete the following actions on the specified resources:


• Action: transcribe:StartStreamTranscription on all AWS resources

• Action: transcribe:StartMedicalStreamTranscription on all AWS resources

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-Linked Role Permissions in the IAM User Guide.

Creating a Service-Linked Role for Amazon Chime Live Transcription

You use the IAM console to create a service-linked role with the Chime Transcription use case.

Note

You must have IAM administrative permissions to complete these steps. If you don't, contact a system administrator.

To create the role

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

2. In the navigation pane of the IAM console, choose Roles, then choose Create role.

3. Choose the AWS Service role type, then choose Chime Transcription.

The IAM policy appears.

4. Select the checkbox next to the policy, then choose Next: Tags.

5. Choose Next: Review.

6. Edit the description as needed, then choose Create role.

You can also use the AWS CLI or the AWS API to create a service-linked role for the transcription.chime.amazonaws.com service name.

In the CLI, run this command: aws iam create-service-linked-role --aws-service-name transcription.chime.amazonaws.com.

For more information, see Creating a Service-Linked Role in the IAM User Guide. If you delete this service-linked role, you can use this same process to create the role again.

Editing a Service-Linked Role for Amazon Chime Live Transcription

Amazon Chime does not allow you to edit the AWSServiceRoleForAmazonChimeTranscription service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can use IAM to edit the role's description. For more information, see Editing a Service-Linked Role in the IAM User Guide.

Deleting a Service-Linked Role for Amazon Chime Live Transcription

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained.

To manually delete the service-linked role using IAM

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForAmazonChimeTranscription service-linked role. For more information, see Deleting a Service-Linked Role in the IAM User Guide.

Supported Regions for Amazon Chime Service-Linked Roles

Amazon Chime supports using service-linked roles in all of the regions where the service is available.

For more information, see Amazon Chime endpoints and quotas, and Using Amazon Chime SDK media Regions.

Logging and monitoring in Amazon Chime

Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon Chime and your other AWS solutions. AWS provides the following tools to monitor Amazon Chime, report issues, and take automatic actions when appropriate:

• Amazon CloudWatch monitors in real time your AWS resources and the applications that you run on AWS. You can collect and track metrics, create customized dashboards, and set alarms that notify you or take actions when a specified metric reaches a threshold that you specify. For example, you can have CloudWatch track CPU usage or other metrics of your Amazon EC2 instances and automatically launch new instances when needed. For more information, see the Amazon CloudWatch User Guide.

• Amazon EventBridge delivers a near real-time stream of system events that describe changes in AWS resources. EventBridge enables automated event-driven computing. This lets you write rules that watch for certain events, and trigger automated actions in other AWS services when these events happen. For more information, see the Amazon EventBridge User Guide.

• Amazon CloudWatch Logs lets you monitor, store, and access your log files from Amazon EC2 instances, CloudTrail, and other sources. CloudWatch Logs can monitor information in the log files and notify you when certain thresholds are met. You can also archive your log data in highly durable storage. For more information, see the Amazon CloudWatch Logs User Guide.

• AWS CloudTrail captures API calls and related events made by or on behalf of your AWS account. It then delivers the log files to an Amazon S3 bucket that you specify. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred. For more information, see the AWS CloudTrail User Guide.

Topics

• Monitoring Amazon Chime with Amazon CloudWatch (p. 24)

• Automating Amazon Chime with EventBridge (p. 32)

• Logging Amazon Chime API calls with AWS CloudTrail (p. 36)

Monitoring Amazon Chime with Amazon CloudWatch

You can monitor Amazon Chime using CloudWatch, which collects raw data and processes it into readable, near real-time metrics. These statistics are kept for 15 months, so that you can access historical information and gain a better perspective about how your web application or service is performing. You can also set alarms that watch for certain thresholds, and send notifications or take actions when those thresholds are met. For more information, see the Amazon CloudWatch User Guide.

CloudWatch metrics for Amazon Chime

Amazon Chime sends the following metrics to CloudWatch.
