Academic year: 2022

AWS Chatbot

Administrator Guide

AWS Chatbot: Administrator Guide

Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What is AWS Chatbot? ... 1

Features of AWS Chatbot ... 1

How AWS Chatbot works ... 2

Regions and quotas for AWS Chatbot ... 2

AWS Chatbot requirements ... 2

Accessing AWS Chatbot ... 2

Setting up AWS Chatbot ... 3

Prerequisites ... 3

Setting up IAM permissions for AWS Chatbot ... 3

Setting up Amazon SNS topics ... 4

Getting started ... 5

Prerequisites ... 5

Step 1: Set up chat clients for AWS Chatbot ... 5

Setting up AWS Chatbot with Slack ... 6

Setting up AWS Chatbot with Amazon Chime ... 8

Step 2: Subscribe an Amazon SNS topic to AWS Chatbot ... 9

Step 3: Test notifications from AWS services to Amazon Chime or Slack ... 10

Test notifications with AWS Chatbot using CloudWatch ... 10

Remove chat rooms ... 12

Removing a Slack client ... 12

Removing an Amazon Chime webhook ... 12

Configuring an IAM role for AWS Chatbot ... 12

Next steps ... 14

Using AWS Chatbot with other AWS services ... 15

AWS Billing and Cost Management ... 15

AWS CloudFormation ... 15

Notifications for AWS developer tools ... 16

Amazon CloudWatch alarms ... 16

Amazon EventBridge ... 17

Tutorial: Creating an Amazon EventBridge rule for AWS Chatbot ... 17

Prerequisites ... 17

Create an Amazon EventBridge Rule ... 18

Receive event notifications between AWS accounts and Regions ... 19

Delete an Amazon EventBridge rule ... 19

AWS Config ... 19

Amazon GuardDuty ... 19

AWS Health ... 20

AWS Security Hub ... 20

AWS Systems Manager ... 20

AWS Systems Manager Runbooks ... 21

AWS Systems Manager Incident Manager ... 21

Using AWS Chatbot with Slack ... 22

Running AWS CLI commands from Slack channels ... 22

Required permissions ... 22

Managing user roles ... 23

Protection policy ... 25

Using commands in Slack ... 25

Managing permissions for running commands using AWS Chatbot ... 28

Running commands in Slack ... 30

Configuring commands support on an existing Slack channel ... 32

Enabling multiple accounts to use commands in a Slack channel ... 33

Using CLI commands with AWS Chatbot - Common use cases ... 33

Restart an Amazon EC2 instance ... 34

Change Auto Scaling limits ... 34

Run an Automation runbook ... 34

Use a Lambda function to approve an AWS CodePipeline action ... 35

Tutorial: Using AWS Chatbot to run an AWS Lambda function remotely ... 35

Prerequisites ... 17

Step 1: Create a Lambda function ... 36

Step 2: Create an SNS topic ... 37

Step 3: Configure a CloudWatch alarm ... 37

Step 4: Configure a Slack client for AWS Chatbot ... 37

Step 5: Invoke a Lambda function from Slack ... 38

Step 6: Test the CloudWatch alarm ... 39

Step 7: Clean up resources ... 40

Monitoring ... 41

Monitoring with CloudWatch ... 41

Enabling CloudWatch Metrics ... 41

Available metrics and dimensions ... 41

Viewing AWS Chatbot metrics ... 42

CloudWatch Logs ... 42

Enabling CloudWatch Logs ... 43

Viewing CloudWatch Logs ... 43

Logging AWS Chatbot API calls with AWS CloudTrail ... 43

Logging AWS Chatbot API information in CloudTrail ... 44

Logging other AWS API information in CloudTrail ... 44

Example: AWS Chatbot log file entries ... 45

Security ... 47

Data protection in AWS Chatbot ... 47

Identity and Access Management for AWS Chatbot ... 48

Audience ... 48

How AWS Chatbot works with IAM ... 48

IAM policies for AWS Chatbot ... 54

Identity-based IAM policies for AWS Chatbot ... 59

IAM resource-level permissions for AWS Chatbot ... 62

Using service-linked roles for AWS Chatbot ... 64

Compliance validation for AWS Chatbot ... 67

Resilience in AWS Chatbot ... 68

Infrastructure security ... 68

Troubleshooting ... 69

Provide feedback ... 73

Document history ... 74

AWS glossary ... 75

What is AWS Chatbot?

AWS resource management using CLI commands in Slack is in public preview and is subject to change.

Your use of this feature is subject to the Betas and Previews terms of the AWS Service Terms (Section 2).

AWS Chatbot is an AWS service that enables DevOps and software development teams to use Amazon Chime and Slack chat rooms to monitor and respond to operational events in their AWS Cloud. AWS Chatbot processes AWS service notifications from Amazon Simple Notification Service (Amazon SNS), and forwards them to Amazon Chime and Slack chat rooms so teams can analyze and act on them immediately, regardless of location.

You can also run AWS CLI commands in Slack channels, and file AWS Support cases from the Slack screen.

For information about AWS Chatbot compliance, see AWS services in scope by compliance program.

Topics

• Features of AWS Chatbot (p. 1)

• How AWS Chatbot works (p. 2)

• Regions and quotas for AWS Chatbot (p. 2)

• AWS Chatbot requirements (p. 2)

• Accessing AWS Chatbot (p. 2)

Features of AWS Chatbot

AWS Chatbot enables ChatOps for AWS. ChatOps speeds software development and operations by enabling DevOps teams to use chat clients and chatbots to communicate and execute tasks. AWS Chatbot notifies chat users about events in their AWS services, so teams can collaboratively monitor and resolve issues in real time, instead of addressing emails from their SNS topics. AWS Chatbot also allows you to format incident metrics from Amazon CloudWatch as charts for viewing in chat notifications.

Important features of the AWS Chatbot service include the following:

Supports Slack and Amazon Chime – You can add AWS Chatbot to your Slack channel or Amazon Chime chat rooms in just a few clicks.

Predefined AWS Identity and Access Management (IAM) policy templates – AWS Chatbot provides chat room-specific permission controls through AWS Identity and Access Management (IAM). AWS Chatbot’s predefined templates make it easy to select and set up the permissions you want associated with a given channel or chat room.

Receive notifications – Use AWS Chatbot to receive notifications about operational incidents and other events from supported sources, such as operational alarms, security alerts, or budget deviations.

To set up notifications in the AWS Chatbot console, you simply choose the channels or chat rooms you want to receive notifications and then choose which Amazon Simple Notification Service (Amazon SNS) topics should trigger notifications.

Monitor and manage AWS resources through the AWS CLI with Slack – AWS Chatbot supports CLI commands for most AWS services, making it easy to monitor and manage your AWS resources from Slack on desktop and mobile devices. Your teams can retrieve diagnostic information in real time, change your AWS resources, run AWS Systems Manager runbooks, and start long-running jobs from a centralized location. AWS Chatbot commands use the standard AWS Command Line Interface syntax.

How AWS Chatbot works

AWS Chatbot uses Amazon Simple Notification Service (Amazon SNS) topics to send event and alarm notifications from AWS services to Slack and Amazon Chime chat rooms. Slack and Amazon Chime users map the SNS topics to their Slack channels or Amazon Chime webhooks. For Slack, after the Slack administrator approves AWS Chatbot support for the Slack workspace, anyone in the workspace can add AWS Chatbot to their Slack channels. For Amazon Chime, users with AWS Identity and Access Management (IAM) permissions to use Amazon Chime can add AWS Chatbot to their webhooks.

You use the AWS Chatbot console to configure Amazon Chime and Slack clients to receive notifications from SNS topics.

AWS Chatbot supports a number of AWS services, including Amazon CloudWatch, AWS Billing and Cost Management, and AWS Security Hub. For a complete list of supported services, see Using AWS Chatbot with Other AWS Services (p. 15).

Regions and quotas for AWS Chatbot

For information about AWS Chatbot AWS Region availability and quotas, see AWS Chatbot endpoints and quotas. AWS Chatbot supports using all supported AWS services in the Regions where they are available.

AWS Chatbot requirements

To use AWS Chatbot, you need the following:

• An AWS account to associate with Amazon Chime or Slack chat clients during AWS Chatbot setup.

• Administrative privileges for your Slack workspace or Amazon Chime chat room. You can be the Slack workspace owner or have the ability to work with workspace owners to get approval for installing AWS Chatbot.

• Familiarity with AWS Identity and Access Management (IAM) and IAM roles and policies. For more information about IAM, see What is IAM? in the IAM User Guide.

• Experience with the AWS services supported by AWS Chatbot, including experience configuring those services to subscribe to Amazon Simple Notification Service (Amazon SNS) topics to send notifications.

For information about supported services, see Using AWS Chatbot with Other AWS Services (p. 15).

To access Amazon CloudWatch metrics, AWS Chatbot requires an AWS Identity and Access Management (IAM) role with a permissions policy and a trust policy. You create this IAM role, with the required policies, using the AWS Chatbot console. You can use an existing IAM role, but it must have the required policies.

For testing, we recommend using the role that you create with the AWS Chatbot console. To use an existing IAM role, see Configuring an IAM Role for AWS Chatbot (p. 12).

Accessing AWS Chatbot

You access and configure AWS Chatbot through the AWS Chatbot console at https://console.aws.amazon.com/chatbot/.

Setting up AWS Chatbot

To use AWS Chatbot, you authorize an Amazon Chime configuration or a Slack workspace with AWS Chatbot, and optionally configure AWS Chatbot to use an Amazon Simple Notification Service (Amazon SNS) topic to deliver notifications to the chat rooms. Before you can get started, you must complete the following setup tasks.

Topics

• Prerequisites (p. 3)

• Setting up IAM permissions for AWS Chatbot (p. 3)

• Setting up Amazon SNS topics (p. 4)

Prerequisites

With AWS Chatbot, you can use Amazon Chime and Slack chat rooms to monitor and respond to events in your AWS Cloud.

Below are some prerequisites you should have before you begin using AWS Chatbot:

• You have signed up for AWS and created an AWS Identity and Access Management (IAM) administrator user. If this is your first time using AWS, see Creating Your First IAM Admin User and Group in the IAM User Guide.

• You have started using some AWS services. For more information about AWS services you can use with AWS Chatbot, see Using AWS Chatbot with other AWS services (p. 15).

• You have administrator privileges with a Slack workspace or an Amazon Chime chat room.

Setting up IAM permissions for AWS Chatbot

If you have an existing administrator user, you can access the AWS Chatbot console with no additional permissions.

If you would like to add AWS Chatbot access to an existing user or group, you can choose from allowed Chatbot actions in IAM.

Note

All users in the Slack channel or Amazon Chime chat room will have the permissions defined by the role.

To create a policy to configure AWS Chatbot

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

2. Choose Policies from the navigation pane.

3. Choose Create policy.

4. Expand Service and find Chatbot.

5. Under Actions, expand the Read and Write sections to see the available actions.

Read actions include DescribeChimeWebhookConfigurations, DescribeSlackChannelConfigurations, and more.

Write actions include CreateChimeWebhookConfiguration, DeleteChimeWebhookConfiguration, and more.

6. After selecting the actions you want to include, choose Review policy.

7. Give your policy a name and description, then choose Create policy. You can now add your new policy to any of your users or groups.

For more information on updating the permissions of existing users, see Adding Permissions to a User (Console) in the IAM User Guide.

Note

AWS Chatbot is a global service that requires access to all AWS Regions. If there is a policy in place that prevents access to services in certain Regions, you must change the policy to allow global AWS Chatbot access. For more information about policy types that might limit how IAM roles can be assumed and how to override them, see Other policy types (p. 52).
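The note above is easy to miss in practice: the usual "deny everything outside our approved Regions" service control policy, keyed on aws:RequestedRegion, silently catches AWS Chatbot's global API unless chatbot is on the exemption list. The following Python script is an added example (not code from this guide or from AWS) that evaluates such a policy against a chatbot action and adds the exemption. Its evaluator is deliberately simplified to Deny statements carrying a Region condition; the sample SCP is constructed.

```python
"""Detect a Region-restricting policy that would also block AWS Chatbot.

Added example; not code from the AWS Chatbot Administrator Guide. It models the
common SCP pattern that denies every action outside an approved Region list via
the aws:RequestedRegion condition key and reports whether AWS Chatbot's global
API calls fall under that Deny. The evaluator is deliberately simplified
(Deny statements with a Region condition only; no resource or other conditions).
The sample policy is constructed.
"""
import copy

# Constructed SCP: every action outside two Regions is denied, with a
# NotAction exemption list for some global services, but not for chatbot.
REGION_LOCK_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}
            },
        }
    ],
}

# Any chatbot action serves as the probe; the service prefix is what matters.
PROBE_ACTION = "chatbot:CreateSlackChannelConfiguration"


def _as_list(value):
    """IAM accepts a bare string or a list in Action, NotAction and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Minimal IAM action matching: '*', 'service:*' / prefix wildcards, or exact."""
    pattern, action = pattern.lower(), action.lower()
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def region_deny_statements(policy):
    """Deny statements whose Condition keys on aws:RequestedRegion."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        for operator_values in stmt.get("Condition", {}).values():
            if any(k.lower() == "aws:requestedregion" for k in operator_values):
                found.append(stmt)
                break
    return found


def _statement_covers(stmt, action):
    """A Deny covers the action if it is in Action, or absent from NotAction."""
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_action_matches(p, action) for p in _as_list(stmt.get("Action")))


def blocks_chatbot(policy, action=PROBE_ACTION):
    """True if a Region-keyed Deny would apply to the given AWS Chatbot action."""
    return any(_statement_covers(s, action) for s in region_deny_statements(policy))


def exempt_chatbot(policy):
    """Return a copy with chatbot:* added to each Region-keyed Deny's NotAction list.

    A statement written as Action: "*" is rewritten to the equivalent NotAction
    form so that the exemption can be expressed; anything else is left for a human.
    """
    fixed = copy.deepcopy(policy)
    for stmt in region_deny_statements(fixed):
        if not _statement_covers(stmt, PROBE_ACTION):
            continue
        if "NotAction" not in stmt:
            if _as_list(stmt.get("Action")) != ["*"]:
                raise ValueError(f"{stmt.get('Sid', '<no Sid>')}: rewrite by hand, Action is not '*'")
            del stmt["Action"]
            stmt["NotAction"] = []
        stmt["NotAction"] = _as_list(stmt["NotAction"]) + ["chatbot:*"]
    return fixed


if __name__ == "__main__":
    print("blocks chatbot:", blocks_chatbot(REGION_LOCK_SCP))
    print("after fix:", blocks_chatbot(exempt_chatbot(REGION_LOCK_SCP)))
```

Run it against an exported SCP (or an IAM boundary built the same way) before wiring up a channel; a Deny that survives the check explains a console that refuses to save a configuration even though the user's identity policy looks complete.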

Setting up Amazon SNS topics

To use AWS Chatbot, you must have Amazon SNS topics set up. If you don't have any Amazon SNS topics yet, follow the steps to get started in Getting Started with Amazon SNS in the Amazon Simple Notification Service Developer Guide.

If you have server-side encryption enabled for your Amazon SNS topics, you must include the following section in your AWS KMS key policy. This gives sending services such as Amazon EventBridge permissions to post events to the encrypted SNS topics.

{
    "Sid": "Allow CWE to use the key",
    "Effect": "Allow",
    "Principal": {
        "Service": "events.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
    ],
    "Resource": "*"
}

In order to successfully test the configuration from the console, your role must also have permission to use the AWS KMS key.
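A missing key-policy grant is the most common reason an encrypted topic never reaches the chat room, and the failure is silent on the sending side. The following Python script is an added example (not code from this guide or from AWS) that audits a KMS key policy for the grant described above and appends the guide's statement when it is absent. It ignores Deny statements and Conditions for brevity; the sample key policy is constructed and its account ID is a placeholder.

```python
"""Check a KMS key policy for the grant an encrypted SNS topic needs.

Added example; not code from the AWS Chatbot Administrator Guide. The guide
says the key policy of an SNS topic with server-side encryption must let the
sending service (Amazon EventBridge, events.amazonaws.com) use kms:Decrypt and
kms:GenerateDataKey. This script reports which of those actions a key policy
does not grant and appends the guide's statement when something is missing.
Deny statements and Conditions are ignored for brevity. The sample key policy
is constructed and the account ID in it is a placeholder.
"""
import copy
import json

EVENTBRIDGE_PRINCIPAL = "events.amazonaws.com"
REQUIRED_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}

# The statement the guide says to add to the key policy.
EVENTBRIDGE_KEY_STATEMENT = {
    "Sid": "Allow CWE to use the key",
    "Effect": "Allow",
    "Principal": {"Service": EVENTBRIDGE_PRINCIPAL},
    "Action": sorted(REQUIRED_ACTIONS),
    "Resource": "*",
}

# Constructed key policy containing only the default account-root statement.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # placeholder account
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM accepts a bare string or a list in Action and Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """'*', 'kms:*' and prefix wildcards such as 'kms:Generate*' grant the action."""
    if pattern == "*" or pattern == action:
        return True
    return pattern.endswith("*") and action.startswith(pattern[:-1])


def _principal_admits_service(principal, service):
    """True if the Principal element names the service, or is the '*' wildcard."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return principal.get("AWS") == "*" or service in _as_list(principal.get("Service"))


def actions_granted_to_service(policy, service, wanted=REQUIRED_ACTIONS):
    """Subset of `wanted` that Allow statements grant to the service principal."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_admits_service(stmt.get("Principal"), service):
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted.update(a for a in wanted if _action_matches(pattern, a))
    return granted


def missing_eventbridge_permissions(policy):
    """Required KMS actions that EventBridge is not allowed to use on this key."""
    return REQUIRED_ACTIONS - actions_granted_to_service(policy, EVENTBRIDGE_PRINCIPAL)


def ensure_eventbridge_statement(policy):
    """Return a copy of the key policy with the guide's statement appended if needed."""
    fixed = copy.deepcopy(policy)
    if missing_eventbridge_permissions(fixed):
        fixed["Statement"] = _as_list(fixed.get("Statement")) + [copy.deepcopy(EVENTBRIDGE_KEY_STATEMENT)]
    return fixed


if __name__ == "__main__":
    print("missing before:", sorted(missing_eventbridge_permissions(SAMPLE_KEY_POLICY)))
    print(json.dumps(ensure_eventbridge_statement(SAMPLE_KEY_POLICY), indent=2))
```

Feed it the output of a key-policy export and apply the returned document with your usual key-policy tooling; the function is idempotent, so running it against an already-correct policy changes nothing.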

Getting started with AWS Chatbot

AWS resource management using CLI commands in Slack is in public preview and is subject to change.

Your use of this feature is subject to the Betas and Previews terms of the AWS Service Terms (Section 2).

To get started using AWS Chatbot to help manage your AWS infrastructure, follow the steps below to set up AWS Chatbot with chat rooms and Amazon SNS topic subscriptions.

If you need to customize an IAM role to work with AWS Chatbot, you can use the procedure in this topic (p. 12).

Topics

• Prerequisites (p. 5)

• Step 1: Set up chat clients for AWS Chatbot (p. 5)

• Step 2: Subscribe an Amazon SNS topic to AWS Chatbot (p. 9)

• Step 3: Test notifications from AWS services to Amazon Chime or Slack (p. 10)

• Test notifications from AWS services to Amazon Chime or Slack using CloudWatch (p. 10)

• Remove chat rooms (p. 12)

• Configuring an IAM role for AWS Chatbot (p. 12)

• Next steps (p. 14)

Prerequisites

Before you get started, make sure you've completed the tasks in Setting up AWS Chatbot (p. 3). You will need to choose a permissions scheme in the following procedure. This scheme determines the permissions your channel members will have.

Step 1: Set up chat clients for AWS Chatbot

You use the AWS Chatbot console to configure Amazon Chime and Slack clients to receive notifications from Amazon Simple Notification Service (Amazon SNS) topics.

Note

When you configure your clients, don't enable the Enable raw message delivery feature for any Amazon SNS topic subscription that you want to use for AWS Chatbot.

AWS Chatbot requires an AWS Identity and Access Management (IAM) role with Amazon CloudWatch read permissions and a trust policy that allows AWS Chatbot to use those permissions on your behalf.

When you configure AWS Chatbot, you can create a role with a predefined set of policies to display CloudWatch charts in AWS Chatbot notifications.

You can also use an existing IAM role that you can configure for use with AWS Chatbot. For more information, see Configuring an IAM role for AWS Chatbot (p. 12). For simplicity, particularly in testing your setup, we recommend using the IAM role with predefined policies that you can configure in AWS Chatbot.
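When you bring your own IAM role, the trust policy is the part worth reviewing: it decides who can assume the role, and a role copied from another workload often trusts more than AWS Chatbot. The following Python script is an added example (not code from this guide or from AWS) that audits a role trust policy. It relies on the AWS Chatbot service principal being chatbot.amazonaws.com; the three sample trust policies are constructed.

```python
"""Audit the trust policy of an IAM role intended for AWS Chatbot.

Added example; not code from the AWS Chatbot Administrator Guide. The guide
requires a role whose trust policy lets AWS Chatbot use the role's permissions
on your behalf. This script checks that a trust policy names the AWS Chatbot
service principal, chatbot.amazonaws.com, and reports anything broader than
that (wildcard or account principals, other services), which the guide does
not discuss. The sample trust policies are constructed.
"""
CHATBOT_SERVICE_PRINCIPAL = "chatbot.amazonaws.com"

# Constructed: exactly what a Chatbot role should trust.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowChatbotAssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": CHATBOT_SERVICE_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Constructed: trusts Chatbot but also any AWS principal, which is far too broad.
BROAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": CHATBOT_SERVICE_PRINCIPAL}, "Action": "sts:AssumeRole"},
        {"Sid": "TooBroad", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
    ],
}

# Constructed: a role copied from another service; AWS Chatbot cannot assume it.
WRONG_SERVICE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}
    ],
}


def _as_list(value):
    """IAM accepts a bare string or a list in Action and Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_assume_role(stmt):
    """Allow statement whose Action covers sts:AssumeRole (exact, sts:*, or *)."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(a.lower() in ("sts:assumerole", "sts:*", "*") for a in _as_list(stmt.get("Action")))


def audit_trust_policy(trust_policy):
    """Return findings as strings; an empty list means only chatbot.amazonaws.com is trusted."""
    findings = []
    trusts_chatbot = False
    for stmt in _as_list(trust_policy.get("Statement")):
        if not _grants_assume_role(stmt):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"{sid}: trusts any principal (*)")
            continue
        if not isinstance(principal, dict):
            findings.append(f"{sid}: unrecognised Principal element {principal!r}")
            continue
        services = _as_list(principal.get("Service"))
        if CHATBOT_SERVICE_PRINCIPAL in services:
            trusts_chatbot = True
        others = [s for s in services if s != CHATBOT_SERVICE_PRINCIPAL]
        if others:
            findings.append(f"{sid}: also trusts service(s) {', '.join(others)}")
        if principal.get("AWS"):
            findings.append(f"{sid}: trusts IAM principal(s) {', '.join(_as_list(principal['AWS']))}")
    if not trusts_chatbot:
        findings.append(f"no Allow statement trusts {CHATBOT_SERVICE_PRINCIPAL}; AWS Chatbot cannot assume this role")
    return findings


if __name__ == "__main__":
    for name, policy in [("good", GOOD_TRUST_POLICY), ("broad", BROAD_TRUST_POLICY),
                         ("wrong service", WRONG_SERVICE_TRUST_POLICY)]:
        print(name, "->", audit_trust_policy(policy) or "OK")
```

The permissions policy attached to the role is a separate review (the predefined Notification permissions template is read-only for CloudWatch and SNS); this script only answers the question the trust policy controls, which is whether AWS Chatbot, and nothing else, can assume the role.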

Setting up AWS Chatbot with Slack

To allow AWS Chatbot to send notifications to your Slack channel, you must configure AWS Chatbot with Slack. Owners of Slack workspaces can approve the use of the AWS Chatbot, and any workspace user can configure the workspace to receive notifications or run commands.

To configure a Slack client

1. Open the AWS Chatbot console at https://console.aws.amazon.com/chatbot/.

2. Under Configure a chat client, choose Slack, then choose Configure client.

3. From the dropdown list at the top right, choose the Slack workspace that you want to use with AWS Chatbot.

There's no limit to the number of workspaces that you can set up for AWS Chatbot, but you can set up only one at a time.

4. Choose Allow.

5. On the Workspace details page, you can choose to continue within the console or with an AWS CloudFormation template:

• To use an AWS CloudFormation template, copy and paste the Workspace ID found under Workspace details. For more information, see AWS::Chatbot::SlackChannelConfiguration in the AWS CloudFormation User Guide.

• To continue within the console, choose Configure new channel.

6. Under Configuration details, enter a name for your configuration. The name must be unique across your account and can't be edited later.

7. If you want to enable logging for this configuration, choose Publish logs to Amazon CloudWatch Logs. For more information, see Amazon CloudWatch Logs for AWS Chatbot (p. 42).

Note

There is an extra charge for using CloudWatch Logs.

8. For Slack channel, choose the channel that you want to use.

Note

You can use private Slack channels with AWS Chatbot. To do so, choose Private channel.

In Slack, copy the Channel ID of the private channel by right-clicking on the channel name in the left pane and choosing Copy Link. The Channel ID is the string at the end of the URL (for example, AB3BBLZZ8YY). In AWS Chatbot, paste the ID into the Channel URL field. (If you copy the URL of the private Slack channel, the AWS Chatbot console shows only the Channel ID value when you paste it into the field.)

9. Choose your Role Setting. You can choose a channel IAM role or user roles. A channel IAM role allows channel members to share the same permissions. User roles require your channel members to choose their own roles. If you choose to use a channel IAM role, your users can still choose to use their own user roles. For more information about role setting, see Role setting (p. 50).

Channel IAM role

1. For Role setting, choose Channel IAM role.

2. For Channel IAM role, choose Create new role. If you want to use an existing role instead, choose Use an existing role. To use an existing IAM role, you will need to modify it for use with AWS Chatbot. For more information, see Configuring an IAM Role for AWS Chatbot (p. 12).

3. For Role name, enter a name. Valid characters: a-z, A-Z, 0-9, .\w+=,.@-_.

4. For Role policy template, choose the template you wish to use.

User roles

1. For Role setting, choose User roles.

10. Select the policies that will make up your channel guardrails (p. 50). Your channel guardrails control what actions are available to your channel members.

Note

If you initially had permission to run Lambda invoke, it is contained in All actions permitted.

Note

To run most CLI commands from your Slack channel, ensure you select All actions permitted.

11. Choose your notification settings:

a. For SNS Region, choose the AWS Region that hosts the SNS topics for this AWS Chatbot subscription.

b. For SNS topic, choose the Amazon SNS topic for the client subscription. This topic determines the content that's sent to the Slack channel. If the region has additional SNS topics, you can choose them from the same dropdown list.

c. To add an Amazon SNS topic from another AWS Region to the notification subscription, choose Add another Region.

12. Choose Save.

13. Set User permissions:

Note

You can choose to enable a user role requirement. This requires channel members to apply a user role before running commands in Slack. For more information, see User role requirement (p. 50).

a. Under Account settings, choose User permissions.

b. In User role requirement, choose if you want to enable a user role requirement.

14. Add AWS Chatbot to the Slack workspace:

a. In Slack, on the left navigation pane, choose Apps.

Note

If you do not see Apps in the left navigation pane, choose More, then choose Apps.

b. If AWS Chatbot is not listed, choose the Browse Apps Directory button.

c. Browse the directory for the AWS Chatbot app and then choose Add to add AWS Chatbot to your workspace.

Notifications from supported services that publish to the chosen Amazon SNS topics will now appear in the Slack channel.

You can configure as many channels with as many topics as you need.

Note

If you configure a private Slack channel, run the /invite @AWS command in Slack to invite the AWS Chatbot to the chat room.

The SNS topics you choose also must be configured in the services for which you want to receive notifications. For more information, see Using AWS Chatbot with Other AWS Services (p. 15).

Setting up AWS Chatbot with Amazon Chime

To set up AWS Chatbot for Amazon Chime, get the webhook URL for your team's chat room from Amazon Chime.

Prerequisite

You must be an Amazon Chime chat room admin and have the ability to manage webhooks.

To configure an Amazon Chime client

1. Open Amazon Chime.

2. For Amazon Chime, choose the chat room that you want to set up to receive notifications through AWS Chatbot.

3. Choose the Room settings icon on the top right and choose Manage Webhooks and Bots.

Amazon Chime displays the webhooks associated with the chat room.

Note

You can have multiple webhooks in a single Amazon Chime chat room.

For example, in an Amazon Chime chat room, one webhook could send notifications for Amazon CloudWatch alarms and another webhook could send AWS Security Hub security alerts. Each webhook receives notifications only for the SNS topics subscribed to it. All chat room members can see all of the notifications from each of the SNS topics.

4. For the webhook, choose Copy URL and choose Done.

If you need to create a new webhook for the chat room, choose Add webhook, enter a name for the webhook in the Name field, and choose Create.

5. Open the AWS Chatbot console at https://console.aws.amazon.com/chatbot/.

6. Choose Configure new client.

7. Choose Amazon Chime and choose Configure.

8. Under Configuration details, enter a name for your configuration. The name must be unique across your account and can't be edited later.

9. If you want to enable logging for this configuration, choose Send logs to CloudWatch. For more information, see Amazon CloudWatch Logs for AWS Chatbot (p. 42).

Note

There is an extra charge for using CloudWatch Logs.

10. For Configure Amazon Chime webhook, do the following.

a. Paste the webhook URL that you copied from Amazon Chime.

b. For Webhook description, use the following naming convention to describe the purpose of the webhook: Chat_room_name/Webhook_name. This helps you associate Amazon Chime webhooks with their AWS Chatbot configurations.

11. For IAM permissions, set the IAM permissions for AWS Chatbot.

a. For Role, choose Create a new role from template. If you want to use an existing role instead, choose it from the IAM Role list. To use an existing IAM role, you might need to modify it for use with AWS Chatbot. For more information, see Configuring an IAM Role for AWS Chatbot (p. 12).

b. For Policy templates, choose Notification permissions. This is the IAM policy provided by AWS Chatbot. It provides the necessary Read and List permissions for CloudWatch alarms, events and logs, and for Amazon SNS topics.

c. For Role name, enter a name. Valid characters: a-z, A-Z, 0-9.

12. Set up the SNS topics that will send notifications to the Amazon Chime webhook.

a. For SNS Region, choose the AWS Region that hosts the SNS topics for this AWS Chatbot subscription.

b. For SNS topic, choose the SNS topic for the client subscription. This topic determines the content that's sent to the Amazon Chime webhook. If the region has additional SNS topics, you can choose them from the same dropdown list.

c. If you want to add an SNS topic from another Region to the notification subscription, choose Add another Region.

13. Choose Configure.

Notifications from supported services that publish to the chosen SNS topics will now appear in the Amazon Chime chat room.

You can configure as many webhooks as you need. The SNS topics that you choose also must be configured in the services for which you want to receive notifications. For more information, see Using AWS Chatbot with Other AWS Services (p. 15).

Note

You can configure a Slack channel to run commands to your AWS account. For more information, see Running AWS CLI Commands from Slack Channels (p. 22).

Step 2: Subscribe an Amazon SNS topic to AWS Chatbot

You can quickly subscribe existing Amazon SNS topics to the AWS Chatbot service. You associate the new subscriptions to a Slack channel or Amazon Chime webhook. After doing so, the messages from those topics will appear in the Slack or Amazon Chime chat rooms. The Amazon SNS topics must be associated with AWS services that AWS Chatbot supports, and may also require further configuration, such as association with a CloudWatch rule. This procedure is most useful if you have SNS topics that are already doing significant work with CloudWatch Events and CloudWatch alarms in AWS cloud services supported by AWS Chatbot.

Note

You can set up each supported AWS service to target one or more SNS topics to send notifications to AWS Chatbot. You do this using each AWS service's console, or using AWS CloudFormation. If you already have Amazon SNS topics set as targets for supported services, you can configure AWS Chatbot to use those topics. Notifications from subscribed topics will automatically appear in your Slack or Amazon Chime clients without further configuration.

Note

If your SNS topic is encrypted, you must add a section to your AWS KMS key policy to give the sending service permissions to post events to the encrypted SNS topics. For more information, see Setting up Amazon SNS topics (p. 4).

1. Open the AWS Chatbot console at https://console.aws.amazon.com/chatbot/.

2. Under Configured clients, choose Slack or Amazon Chime.

3. Choose any channel in the Slack workspace configuration or webhook in the Amazon Chime webhooks list.

4. Choose Edit. The configuration page for the channel or webhook appears. Note that the Region Notifications is already configured.

5. In the Notifications panel:

• If you need to apply an Amazon SNS topic from another region, choose Add another Region.

6. For each Region in the Amazon Chime webhook or Slack channel, select the Amazon SNS topic you want to add.

7. When finished, choose Save.

8. To check for the subscription, click on any subscription entry in the AWS Chatbot console. The Amazon SNS console opens, showing the list of subscriptions for the selected topic.

Step 3: Test notifications from AWS services to Amazon Chime or Slack

To verify that an Amazon Simple Notification Service (Amazon SNS) topic sends notifications to your Amazon Chime or Slack chat room, you can test your setup by sending a notification. To test your notifications, ensure your topics are assigned to a service supported by AWS Chatbot. For a list of supported services, see Using AWS Chatbot with Other AWS Services (p. 15). You can also test notifications by using CloudWatch. For more information, see Test notifications from AWS services to Amazon Chime or Slack using CloudWatch (p. 10).

Testing notifications with configured clients

1. Open the AWS Chatbot console.

2. Choose the configured client you want to test.

3. In the configured client, choose the channel or webhook to send a test notification to.

4. Choose Send test message.

5. View the confirmation message at the top of the screen that shows a message was sent to your Amazon SNS topic.

6. Confirm the test message in your Amazon Chime chat room or Slack channel.

Test notifications from AWS services to Amazon Chime or Slack using CloudWatch

To verify that an Amazon Simple Notification Service (Amazon SNS) topic sends notifications to your Amazon Chime or Slack chat room, you can test your setup by sending a notification. Any SNS topic can send notifications to your chat rooms, but the topic must be assigned to a service supported by AWS Chatbot. For a complete list of supported services, see Using AWS Chatbot with Other AWS Services (p. 15).

Note

CloudWatch alarms and events are separately configured and have different characteristics for use with AWS Chatbot.

The following procedure uses a CloudWatch alarm because most AWS services supported by AWS Chatbot send their event and alarm data to CloudWatch.

You configure CloudWatch alarms using performance metrics from the services that are active in your account. When you associate CloudWatch alarms with an Amazon SNS topic that is mapped to AWS Chatbot, the Amazon SNS topic sends the CloudWatch alarm notifications to the chat rooms. For more information, see Using AWS Chatbot with Other AWS Services (p. 15) and the Troubleshooting (p. 69) topic.

To test notifications to configured chat clients

1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

2. In the navigation pane, choose Alarms, Create alarm.

3. At the top right of the AWS console, select the AWS Region that contains the Amazon SNS topic you need. (Tip: to make sure you have the right Region for your SNS topics when testing alarms, check the AWS Chatbot configuration, which lists the Regions of all configured SNS topics for each channel or webhook.)

4. Choose Select metric, and choose the SNS service namespace. (All CloudWatch alarms use service metrics to generate their notifications, and you need to select one for this example.)

a. Choose Topic metrics.

b. Choose the check box for the SNS topic next to its Topic Name and Metric Name. Any SNS topics that you configured with AWS Chatbot appear in this list.

Important: if you do not see your desired Amazon SNS topic in the SNS Topic list, make sure to select the correct AWS Region in the AWS console when you begin configuring the new CloudWatch alarm.

c. Choose Select metric.

The Specify metric and conditions page shows a graph and other information about the metric and statistic.

5. For Conditions (the circumstances under which the CloudWatch alarm fires and an action takes place), choose the following options:

a. For Threshold type, choose Static.

b. For Whenever metric is, choose Lower/Equal <=threshold.

c. For than..., specify a threshold value of 1. This setting ensures you will trigger the test notification within one minute.

d. Under Additional configuration, do the following:

i. For Datapoints to alarm, select 1 out of 1.

ii. For Missing data treatment, select Treat missing data as bad.

e. Choose Next.

6. Choose Configure actions. Here, you set the action that sends an SNS notification when the alarm's threshold condition is met.

For Notification, choose the following options.

a. For Whenever this alarm state is..., choose In Alarm.

b. For Select an SNS topic, choose Select an existing SNS topic.

c. For Send a notification to..., choose your SNS topic that has a subscription to AWS Chatbot. If the SNS topic is subscribed in AWS Chatbot, the endpoint value for AWS Chatbot appears in the Email (endpoints) field.

Note

If the endpoint value doesn't appear in the Email (endpoints) field, make sure that the SNS topic is set up correctly in the Slack channel or Amazon Chime webhook. For more information, see Setting Up AWS Chatbot with Slack (p. 6) or Setting Up AWS Chatbot with Amazon Chime (p. 8).


7. Enter a name and description for the alarm. The name must contain only ASCII characters. Then, choose Next.

8. For Preview and create, confirm that the information and conditions are correct, then choose Create alarm.

When the alarm triggers for the first time, you should receive the first test notification in your chat room, confirming that AWS Chatbot is working correctly and receiving alarm notifications from Amazon CloudWatch.
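The same test alarm can be created with the CloudWatch API instead of the console. The following is an added example (not from this guide or from AWS Chatbot); it maps each console choice in steps 4 through 7 to its PutMetricAlarm parameter, and creates the alarm in the topic's own Region, which is the point of the Important note in step 4. It assumes the SNS topic metric NumberOfMessagesPublished (namespace AWS/SNS, dimension TopicName), and the topic name and ARN are constructed placeholders.

```python
"""Create the AWS Chatbot test alarm through the CloudWatch API (added example)."""


def topic_region(topic_arn: str) -> str:
    """Return the Region component of an SNS topic ARN.

    ARN layout: arn:partition:service:region:account:resource. The alarm must be
    created in this Region or the console/API will not find the topic's metrics.
    """
    parts = topic_arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "sns":
        raise ValueError(f"not an SNS topic ARN: {topic_arn}")
    return parts[3]


def validate_alarm_name(name: str) -> bool:
    """Step 7: the alarm name must be non-empty and contain only ASCII characters."""
    return len(name) > 0 and name.isascii()


def build_test_alarm_params(topic_name: str, topic_arn: str,
                            alarm_name: str = "chatbot-test-alarm") -> dict:
    """Map the console steps to PutMetricAlarm parameters."""
    if not validate_alarm_name(alarm_name):
        raise ValueError("alarm name must be ASCII only")
    return {
        "AlarmName": alarm_name,
        "AlarmDescription": "Fires within one minute to test AWS Chatbot delivery",
        # Step 4: a metric from the SNS namespace for the topic subscribed to AWS Chatbot.
        # Assumption: any topic metric works; NumberOfMessagesPublished is used here.
        "Namespace": "AWS/SNS",
        "MetricName": "NumberOfMessagesPublished",
        "Dimensions": [{"Name": "TopicName", "Value": topic_name}],
        "Statistic": "Sum",
        "Period": 60,
        # Step 5a-c: static threshold, "Lower/Equal <= threshold", value 1.
        "Threshold": 1.0,
        "ComparisonOperator": "LessThanOrEqualToThreshold",
        # Step 5d: 1 out of 1 datapoints; "Treat missing data as bad" is "breaching".
        "EvaluationPeriods": 1,
        "DatapointsToAlarm": 1,
        "TreatMissingData": "breaching",
        # Step 6: when the state is ALARM, notify the topic that AWS Chatbot subscribes to.
        "AlarmActions": [topic_arn],
    }


if __name__ == "__main__":
    import boto3  # only needed to actually create the alarm

    # Constructed placeholders; replace with your own topic.
    topic_arn = "arn:aws:sns:us-east-1:123456789012:chatbot-notifications"
    params = build_test_alarm_params("chatbot-notifications", topic_arn)
    boto3.client("cloudwatch", region_name=topic_region(topic_arn)).put_metric_alarm(**params)
```

Because missing data is treated as breaching and the comparison is "less than or equal to 1", the alarm enters ALARM on the first evaluation period even if nothing is published to the topic, which is what makes it a quick delivery test.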

Remove chat rooms

Removing an authorized Slack client from AWS Chatbot

When necessary, you can remove a Slack chat client from the AWS Chatbot configuration. Doing so deauthorizes the Slack client, which revokes the permissions that AWS Chatbot uses to operate with Slack.

Before deauthorizing a Slack client, you must delete all Slack channels. Deleting the channels first prevents accidentally deleting the Slack workspace.

To remove a Slack client

1. Open the AWS Chatbot console at https://console.aws.amazon.com/chatbot/.

2. Choose Configured clients.

3. On the Configured clients page, choose the Slack client.

4. Choose each channel in the Slack workspace configuration and choose Delete.

5. After you finish deleting all Slack channels from the workspace, choose Remove workspace configuration. AWS deletes the Slack workspace.

Removing an Amazon Chime webhook from AWS Chatbot

You can remove an Amazon Chime webhook from the AWS Chatbot configuration. Doing so deauthorizes the Amazon Chime webhook, which revokes the permissions that AWS Chatbot uses to operate with Amazon Chime.

To remove an Amazon Chime webhook

1. Open the AWS Chatbot console at https://console.aws.amazon.com/chatbot/.

2. Choose Configured clients.

3. On the Configured clients page, choose the Amazon Chime webhook you want to delete.

4. Choose Delete.

Configuring an IAM role for AWS Chatbot

You can create new IAM roles in the AWS Chatbot console, which provides a convenient way to deploy the AWS Chatbot service. You associate these roles with your Slack channels or Amazon Chime webhooks. The AWS Chatbot console does not allow editing of IAM roles, including any roles that you've already created in the AWS Chatbot console.

Note

AWS requires that you use the IAM console to edit IAM roles. If you create roles in the AWS Chatbot console, you need to use the IAM console to edit them. This might happen, for example, when you are using the AWS Chatbot service and a new release comes out that supports new features.

Use the IAM console to edit AWS Chatbot roles. You can use the entire set of IAM console features to specify permissions for your AWS Chatbot users.

Note

All users in the Slack channel or Amazon Chime chat room will have the permissions defined by the role.

To edit roles

1. Open the AWS Chatbot console at https://console.aws.amazon.com/chatbot/.

2. Choose the Slack channel or Amazon Chime webhook, and choose the IAM role associated with the channel or webhook.

The IAM console opens, automatically showing the role configuration page, with the Permissions tab displaying the selected role.

3. Choose Attach Policies.

Note

You can attach AWS managed policies and customer managed policies. AWS Chatbot roles support both types of IAM policies.

4. Choose the policy you want by choosing its name. You can use the Search box to search for the policy by its name or by a partial string of characters. For example, all IAM policies associated with AWS Chatbot include the character string Chatbot as part of the policy name. Following are the preconfigured customer managed policies available for AWS Chatbot:

AWS-Chatbot-NotificationsOnly-Policy

AWS-Chatbot-ReadOnly-Commands-Policy

You can use these policies to create your own policies that are less permissive and specify the resources their users can access in their roles. You can also substitute these custom policies for the ones listed here.

5. You can also attach any of three AWS managed policies to any role. You can use these policies as templates to create your own policies.

ReadOnlyAccess

CloudWatchReadOnlyAccess

AWSSupportAccess

The ReadOnlyAccess policy is automatically attached to any role you create in the AWS Chatbot console.

The AWSSupportAccess policy is the only AWS managed policy that appears in the AWS Chatbot console when you configure new roles there.

You can use these policies to create your own policies that are less permissive and specify the resources their users can access. You can substitute these custom policies for the ones listed here.

6. Choose each of the policies you want to attach to the role and choose Attach policy. If needed, use the Search box to locate the policies you're looking for.


After you click Attach policy, the role's Permissions page opens and shows the change in the Permissions list.

Note

For more information about the customer managed policies and AWS managed policies described in this section, see IAM Policies for AWS Chatbot (p. 54).

For more information about editing IAM policies, see Editing IAM Policies. Exercise caution at all times when editing policies, and don't overwrite existing customer managed policies unless necessary.

Next steps

After you configure your chat clients and test that your notifications are working, you might want to explore some of the following topics:

• Learn about which other AWS services you can integrate with AWS Chatbot in Using AWS Chatbot with other AWS services (p. 15).

• Learn about using AWS CLI syntax on your Slack channels in Running AWS CLI commands from Slack channels (p. 22).


Using AWS Chatbot with other AWS services

AWS Chatbot works with a number of AWS services, including Amazon CloudWatch, AWS Security Hub, and Amazon GuardDuty. All services that work with AWS Chatbot use Amazon SNS topics as targets to send event and alarm notifications. You may already have established Amazon SNS topics that send notifications to DevOps and development personnel as emails. Because AWS Chatbot redirects those Amazon SNS topics' notifications to chat rooms, you can map those Amazon SNS topics to a Slack channel or Amazon Chime webhook in the AWS Chatbot console.

When you create a new Amazon SNS topic, your services will require additional configuration.

Topics

• AWS Billing and Cost Management (p. 15)

• AWS CloudFormation (p. 15)

• Notifications for AWS developer tools (p. 16)

• Amazon CloudWatch alarms (p. 16)

• Amazon EventBridge (p. 17)

• Tutorial: Creating an Amazon EventBridge rule that sends notifications to AWS Chatbot (p. 17)

• AWS Config (p. 19)

• Amazon GuardDuty (p. 19)

• AWS Health (p. 20)

• AWS Security Hub (p. 20)

• AWS Systems Manager (p. 20)

• AWS Systems Manager Runbooks (p. 21)

• AWS Systems Manager Incident Manager (p. 21)

You can set up the following AWS services to forward notifications to Amazon Chime or Slack chat rooms.

AWS Billing and Cost Management

AWS Billing and Cost Management helps AWS account holders plan service usage, service costs, and instance reservations. You do this using several specific types of budgets, which track your unblended costs, subscriptions, refunds, and Reserved Instances. The service sends AWS Budget Alerts to an Amazon SNS topic. You then map the Amazon SNS topic in AWS Chatbot to send those notifications to your chat rooms.

For information about setting up Amazon SNS topics for AWS budgets, see Creating an Amazon SNS Topic for Budget Notifications in the AWS Billing and Cost Management User Guide.

AWS CloudFormation

AWS CloudFormation is an infrastructure management service that helps you model and set up Amazon Web Services resources so you can spend less time managing those resources and more time focusing on the applications that you run in AWS. You create a template that describes all of the AWS resources (for example, Amazon EC2 instances or Amazon RDS DB instances) that you want, and AWS CloudFormation provisions and configures those resources for you.

AWS Chatbot supports AWS CloudFormation notifications through Amazon SNS topics. You enable support for SNS topics that are enabled for use with AWS Chatbot by selecting them in each AWS CloudFormation stack configuration. For more information, see Setting AWS CloudFormation Stack Options in the AWS CloudFormation User Guide.

Notifications for AWS developer tools

AWS provides a suite of cloud-based developer tools for creating, managing, and working with software development projects. The AWS development tools suite includes AWS services such as AWS CloudFormation stacks, AWS CodeBuild, AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline, and more. You can redirect Amazon SNS topic subscriptions for these services to AWS Chatbot. For example, if you want notifications about events in an AWS CodeCommit repository or in a pipeline in AWS CodePipeline to appear in a Slack channel for your development teams, you can set up notifications for those resources in the Developer Tools console, and then integrate the SNS topic used for those notifications with AWS Chatbot. For more information, see Configure Integration Between Notifications and AWS Chatbot in the Developer Tools Console User Guide.

Amazon CloudWatch alarms

To monitor performance and operating metrics for AWS services, and send notifications when thresholds are breached, you can create alarms in Amazon CloudWatch. CloudWatch sends an Amazon SNS notification or performs an action when the alarm changes state.

CloudWatch also features composite alarms. Composite alarms allow you to combine multiple alarms to reduce alarm noise and focus on critical operational issues. You can easily combine multiple alarms together into alarm hierarchies that only trigger once, when multiple alarms fire at the same time.

Composite alarms are currently supported by AWS Chatbot.

Note

Parent composite alarms can have multiple triggering children; however, the AWS Chatbot notification displays at most 3 of the triggering metric children's alarm states. For example, if you have 10 children alarms in total and 5 are currently triggered, the AWS Chatbot notification displays 3 of those 5.

Any metric, for any AWS service, that CloudWatch alarm actions can report can also be shared by an SNS topic to chat rooms through AWS Chatbot. This includes alarms for services such as Amazon Elastic Compute Cloud (Amazon EC2).

For information about setting up SNS topics to forward CloudWatch alarms, see Set Up Amazon SNS Notifications in the Amazon CloudWatch User Guide.

Because CloudWatch alarms use SNS topics to forward alarm notifications, you need to map only the associated Amazon SNS topic to your Slack channel or Amazon Chime webhook configuration in AWS Chatbot.

AWS Chatbot also supports several AWS services through CloudWatch Events. For more information, see the following section.


Amazon EventBridge

AWS Chatbot supports multiple AWS services through Amazon EventBridge rules. Amazon EventBridge uses rules to help manage AWS service events and how you respond to them. You can use these rules to associate an Amazon SNS topic (or other actions) with an event type from any AWS service.

You map the Amazon SNS topic to the Amazon EventBridge rule, and then map it to a Slack channel or Amazon Chime webhook in the AWS Chatbot console. When a service event matches the rule, the rule's target Amazon SNS topic sends the event to AWS Chatbot for processing. AWS Chatbot then sends a notification to the chat room. For more information about creating Amazon EventBridge rules for AWS Chatbot, see Creating an Amazon EventBridge Rule that sends notifications to AWS Chatbot (p. 17).

Note

AWS Chatbot only delivers notifications with their original EventBridge event message content to chat channels. If this message content is modified (such as by using EventBridge InputTransformers), AWS Chatbot won't be able to deliver notifications to your chat channels.

Previously, AWS Chatbot event support only included: AWS Config, Amazon GuardDuty, AWS Health, AWS Security Hub, and AWS Systems Manager. Currently, AWS Chatbot can process most service events handled by Amazon EventBridge. For an exhaustive list of supported service events, see EventBridge Event Examples from Supported AWS Services in the Amazon EventBridge User Guide.

Note

Event notifications from CloudWatch Alarms, CodeBuild, CodeCommit, CodeDeploy, and CodePipeline are not currently supported via EventBridge rules. If you want to receive notifications for one of these services, go to its console and configure Amazon SNS notifications that you can then map to your Slack channel or Amazon Chime webhook configuration in AWS Chatbot. For more information, see Amazon CloudWatch alarms (p. 16) or Notifications for AWS developer tools (p. 16).

Tutorial: Creating an Amazon EventBridge rule that sends notifications to AWS Chatbot

AWS Chatbot currently supports notifications for most service events that are handled by Amazon EventBridge. When you create a rule for events, you tell Amazon EventBridge what action to take for events that match the rule. In this tutorial, you create a rule to use AWS Chatbot to generate an Amazon SNS topic notification that will appear in your Slack channel or Amazon Chime chatroom.

Note

AWS Chatbot only delivers notifications with their original EventBridge event message content to chat channels. If this message content is modified (such as by using EventBridge InputTransformers), AWS Chatbot won't be able to deliver notifications to your chat channels.

Tip

You might create an Amazon EventBridge rule that unintentionally sends too many notifications to your chat channels. This typically happens with EventBridge rules that trigger on API calls via AWS CloudTrail. To better control the number of notifications you generate, write your EventBridge rules with event pattern based filtering. For more information about EventBridge event patterns, see Content-based filtering in Amazon EventBridge event patterns in the Amazon EventBridge User Guide.
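To make the Tip concrete, the following added example (not code from this guide or from Amazon EventBridge) re-implements a subset of the EventBridge event-pattern semantics, exact values, "prefix", "anything-but" and "numeric" matchers, and applies a broad pattern and a narrow pattern to constructed sample events. The event shapes follow the EventBridge envelope (source, detail-type, detail), but the finding values and the partner source are made up for the demonstration.

```python
"""Event-pattern filtering for a rule that targets the AWS Chatbot SNS topic (added example)."""
import operator

_NUMERIC_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
                "<=": operator.le, "=": operator.eq}


def _numeric_ok(value, spec):
    """spec is an op/operand list such as [">=", 7] or [">", 0, "<=", 8.9]; all pairs must hold."""
    return all(_NUMERIC_OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))


def _leaf_matches(value, matchers):
    """A field matches when ANY listed value or matcher object matches (OR within a field)."""
    for m in matchers:
        if isinstance(m, dict):
            if "prefix" in m and isinstance(value, str) and value.startswith(m["prefix"]):
                return True
            if "anything-but" in m:
                excluded = m["anything-but"]
                excluded = excluded if isinstance(excluded, list) else [excluded]
                if value not in excluded:
                    return True
            if ("numeric" in m and isinstance(value, (int, float))
                    and not isinstance(value, bool) and _numeric_ok(value, m["numeric"])):
                return True
        elif m == value:
            return True
    return False


def matches(pattern, event):
    """Every pattern key must be present in the event and match (AND across fields)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):  # nested object such as "detail": {...}
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(actual, list):  # event field is an array: any element may match
            if not any(_leaf_matches(item, expected) for item in actual):
                return False
        elif not _leaf_matches(actual, expected):
            return False
    return True


def select(pattern, events):
    """Return the events the rule would forward to its SNS target."""
    return [e for e in events if matches(pattern, e)]


# Constructed sample events; the values are placeholders, not real findings or API calls.
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"severity": 8.0, "title": "constructed high-severity finding"}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"severity": 2.0, "title": "constructed low-severity finding"}},
    {"source": "aws.s3", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "GetObject"}},
    {"source": "partner.example", "detail-type": "Constructed Event", "detail": {}},
]

# Broad: everything any AWS service emits, including every CloudTrail API call.
NOISY_PATTERN = {"source": [{"prefix": "aws."}]}
# Narrow: only GuardDuty findings at severity 7 or above.
NARROW_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"],
                  "detail": {"severity": [{"numeric": [">=", 7]}]}}
# Middle ground: AWS events except CloudTrail API-call events.
NO_CLOUDTRAIL_PATTERN = {"source": [{"prefix": "aws."}],
                         "detail-type": [{"anything-but": "AWS API Call via CloudTrail"}]}

if __name__ == "__main__":
    for name, pattern in [("noisy", NOISY_PATTERN), ("narrow", NARROW_PATTERN),
                          ("no-cloudtrail", NO_CLOUDTRAIL_PATTERN)]:
        print(name, len(select(pattern, SAMPLE_EVENTS)), "notification(s)")
```

Run against the four sample events, the broad pattern forwards three of them, the no-CloudTrail pattern two, and the severity-filtered pattern only the one high-severity finding; the real service applies the same AND-across-fields, OR-within-a-field rules, so the counts you see in a chat channel shrink the same way as you tighten the pattern.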

Prerequisites

For this tutorial, you need a Slack or Amazon Chime client for AWS Chatbot. For more information, see Getting started with AWS Chatbot in the AWS Chatbot Administrator Guide.


You also need to set up Amazon Simple Notification Service. Your Amazon SNS topic is used in the creation of your EventBridge rule and should be identical to the Amazon SNS topic used in your AWS Chatbot configuration. If you don't have any Amazon SNS topics yet, follow the steps in Getting Started with Amazon SNS in the Amazon Simple Notification Service Developer Guide.

For more information about Amazon EventBridge, see What Is Amazon EventBridge? in the Amazon EventBridge User Guide.

Create an Amazon EventBridge Rule

Receiving notifications about events of interest in your Slack channel or Amazon Chime chat room is a convenient way to monitor service processes. In this tutorial, you create an Amazon EventBridge rule to use AWS Chatbot to generate an Amazon SNS topic notification that will appear in your Slack channel or chat room. It is important to note that you only receive notifications from Amazon SNS topics that are used in your AWS Chatbot configuration.

To create an Amazon EventBridge rule

1. Open the Amazon EventBridge console at https://console.aws.amazon.com/events/.

2. In the navigation pane, choose Rules.

3. Choose Create rule.

4. Enter a name and description for the rule. A rule must have a unique name from other rules in the same Region.

5. For Define pattern, choose Event Pattern.

6. For Event matching pattern, choose Pre-defined pattern by service.

7. For Service provider, choose AWS.

Important

Choosing All Events as your service provider can result in increased costs and notifications.

Note

Currently only AWS Services are supported.

8. For Service name, choose the name of the service that emits the event.

9. For Event type, choose the events you are interested in.

Tip

You can edit event patterns by choosing Edit and then choosing Save.

10. In Select targets, set your Target as an SNS Topic.

11. For Topic, choose the appropriate topic.

Note

This topic should be the same topic used in your AWS Chatbot configuration.

12. (Optional) To add additional targets, choose Add target.

13. Choose Create.

After the rule is created, you can view, edit, or delete it in the console under Rules. When an event occurs that matches the rule, you receive a notification in your Slack channel or Amazon Chime chat room from AWS Chatbot.

For information about testing your rule, see Test notifications from AWS services to Amazon Chime or Slack (p. 10).


Receive Amazon EventBridge event notifications between AWS accounts and Regions

You can receive EventBridge event notifications between AWS accounts and Regions in your Slack channels and chat rooms using one AWS Chatbot and one Amazon SNS topic. To do this, use the Amazon SNS topic in your AWS Chatbot configuration as the target for your receiver account's EventBridge rule.

With this mechanism, you don’t have to configure AWS Chatbot in each AWS account you want to receive notifications from. If you have multiple accounts with multiple resources you want to monitor, you can configure AWS Chatbot in one account and have all other accounts send their events to the account with AWS Chatbot using EventBridge. For more information about sending and receiving events across accounts and Regions, see Sending and receiving EventBridge events between AWS accounts and Regions in the Amazon EventBridge User Guide.

Delete an Amazon EventBridge rule

You can remove any resources created for this tutorial by navigating to the Amazon EventBridge console and deleting the resource.

To delete or disable an Amazon EventBridge rule

• To delete or disable an Amazon EventBridge rule, see Deleting or Disabling a Rule in the Amazon EventBridge User Guide.

AWS Config

AWS Config performs resource oversight and tracking for auditing and compliance, config change management, troubleshooting, and security analysis. It provides a detailed view of the configuration of the AWS resources in your AWS account. The service also shows how resources relate to one another and how they were configured in the past, so you can see how configurations and relationships change over time.

For AWS Config monitoring, you configure Amazon CloudWatch Events rules to forward AWS Config event notifications to an Amazon SNS topic. You can then map that topic to AWS Chatbot to track those event notifications in chat rooms.

For more information, see Notifications for AWS Config in the AWS Config Developer Guide.

Amazon GuardDuty

Amazon GuardDuty is a security threat monitoring service that detects and reports on potential security threats in your AWS account. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify possible unauthorized and malicious activity in your AWS environment.

GuardDuty reports its security incidents and threats through findings. Findings appear in the GuardDuty console and automatically appear as CloudWatch Events. You then create Amazon CloudWatch Events rules, so these events appear as notifications to a selected SNS topic. You then map that SNS topic to a Slack channel or Amazon Chime webhook in AWS Chatbot.

For more information, see Monitoring Amazon GuardDuty Findings with Amazon CloudWatch Events in the Amazon GuardDuty User Guide.


AWS Health

AWS Health provides visibility into the state of your AWS resources, services, and accounts. It provides information about the performance and availability of resources that affect your applications running on AWS and guidance for remediation. AWS Health provides this information in a console called the Personal Health Dashboard (PHD).

AWS Health directly supports CloudWatch Events notifications. You configure CloudWatch Events rules for AWS Health, and specify an SNS topic mapped in AWS Chatbot.

For more information, see Monitoring AWS Health Events with Amazon CloudWatch Events in the AWS Health User Guide.

AWS Security Hub

AWS Security Hub provides a comprehensive view of high-priority security alerts and compliance status across your AWS accounts. Security Hub aggregates, organizes, and prioritizes security findings from multiple AWS services, including Amazon GuardDuty, Amazon Inspector, and Amazon Macie. Security Hub reduces the effort of collecting and prioritizing security findings across accounts, from AWS services, and from AWS partner tools.

Security Hub supports two types of integration with CloudWatch Events rules, both of which AWS Chatbot supports:

Standard CloudWatch Events. Security Hub automatically sends all findings to CloudWatch Events.

You can define CloudWatch Events rules that automatically route generated findings to an Amazon Simple Storage Service (Amazon S3) bucket, a remediation workflow, or an SNS topic. Use this method to automatically send all Security Hub findings, or all findings with specific characteristics, to an SNS topic to which AWS Chatbot subscribes.

Security Hub Custom Actions. Define custom actions in Security Hub and configure CloudWatch Events rules to respond to those actions. The event rule uses its SNS topic setting to forward its notifications to the SNS topic to which AWS Chatbot subscribes.

AWS Systems Manager

AWS Systems Manager lets you view and control your infrastructure on AWS. Using the Systems Manager console, you can view operational data from multiple AWS services and automate operational tasks across your AWS resources. Systems Manager helps you maintain security and compliance by scanning your managed instances, and reporting or taking corrective action on detected policy violations.

AWS Chatbot supports the following Systems Manager events.

Configuration compliance

• Status change for association compliance.

• Status change for instance patch compliance.

Automation

• Status change for an automation execution.

• Status change for a single step in an automation execution.


Run command

• Status change for a command (applies to one or more instances).

• Status change for a command invocation (applies to one instance only).

State manager

• Status change for an association.

• Status change for an instance association.

Parameter store

• A parameter is created.

• A parameter is updated.

• A parameter is deleted.

For information about monitoring Systems Manager events with CloudWatch, see Monitoring Systems Manager Events with Amazon CloudWatch Events in the AWS Systems Manager User Guide.

AWS Systems Manager Runbooks

SM runbooks define the actions that Systems Manager performs on your managed instances and other AWS resources when an automation runs. A runbook contains one or more steps that run in sequential order. The process of running these actions and their steps is called the automation. AWS Chatbot supports the ability to run SM runbooks directly from Slack using CLI commands. You can type a command to list your runbooks and choose a runbook to run. Runbooks can require one or more input parameters before running (for example, a runbook that acts on Amazon EC2 instances can require an instance ID). Once the runbook begins, it runs in its entirety. For an example of running a runbook using a CLI command, see Run an Automation runbook (p. 34).

For more information about SM runbooks, see Working with runbooks in the AWS Systems Manager User Guide.

AWS Systems Manager Incident Manager

AWS Systems Manager Incident Manager is an incident management console designed to help users mitigate and recover from incidents affecting their AWS-hosted applications. An incident is any unplanned interruption or reduction in quality of services.

AWS Chatbot allows you to communicate through chat channels and receive notifications and incident updates during an incident. You can also interact with the incident directly using chat commands. For more information, see Chat channels in the Incident Manager User Guide.


Using AWS Chatbot with Slack

AWS Chatbot enables you to use different AWS services through Slack. For example, you can retrieve diagnostic information, invoke Lambda functions, and create support cases for your AWS resources. To do these things, you can run commands using AWS CLI syntax directly in Slack channels.

Topics

• Running AWS CLI commands from Slack channels (p. 22)

• Using CLI commands with AWS Chatbot - Common use cases (p. 33)

• Tutorial: Using AWS Chatbot to run an AWS Lambda function remotely (p. 35)

Running AWS CLI commands from Slack channels

AWS resource management using CLI commands in Slack is in public preview and is subject to change.

Your use of this feature is subject to the Betas and Previews terms of the AWS Service Terms (Section 2).

You can run commands using AWS CLI syntax directly in Slack channels. AWS Chatbot enables you to retrieve diagnostic information, configure AWS resources, and run workflows.

When you interact with AWS Chatbot in Slack, it prompts you for any missing parameters before it runs the command.

Topics

• Required permissions (p. 22)

• Managing user roles (p. 23)

• Protection policy (p. 25)

• Using commands in Slack (p. 25)

• Managing permissions for running commands using AWS Chatbot (p. 28)

• Running commands in Slack (p. 30)

• Configuring commands support on an existing Slack channel (p. 32)

• Enabling multiple accounts to use commands in a Slack channel (p. 33)

Required permissions

AWS Chatbot requires an IAM role to perform actions. Actions you can perform in Slack are running commands and responding to interactive messages. Chatbot has three schemes that control what actions channel members can take:

• Channel guardrails

• Channel IAM role

• User roles


A channel guardrail can be more restrictive than a channel IAM role, and a channel IAM role can be more restrictive than a user role. For channel IAM roles, you have the option of using an existing role or creating a new one directly in the AWS Chatbot console. For user roles, you must use an existing IAM role. User roles are applied by channel members individually. Administrators can enable a user role requirement to require channel members to apply a user role before running commands in Slack.

Channel guardrails can use a combination of managed and existing custom policies. For information on managing user roles, see Managing user roles (p. 23).

Your channel guardrails ultimately determine what actions a channel member can take, despite what user roles they may have applied or what channel IAM role you put in place. For example, a channel member with a user role applied that allows administrator access will have less than administrator-level access if the channel IAM role or the channel guardrails restrict permissions on one or more services. For more information about channel guardrails, channel IAM policies, and user roles see Identity and Access Management for AWS Chatbot (p. 48).

Managing user roles

All users have the ability to manage user roles:

• Channel members are able to switch their user roles from Slack using CLI commands. Additionally, channel members can unmap user roles from Slack IDs using the AWS Chatbot console. For more information about user roles, see User Roles (p. 50).

• Administrators can unmap user roles from channel member’s Slack IDs from the User permissions page in the AWS Chatbot console. Administrators can also require user roles by enabling a user role requirement in the User permissions page. This requirement can be applied to all workspaces and channels or to individual channel configurations. For more information on user role requirements, see User role requirement (p. 50).

Note

Administrators can't map user roles. Only channel members have this ability.

Topics

• Prerequisites (p. 23)

• Channel members: Adding a user role from Slack (p. 23)

• Channel members: Switching user roles from Slack (p. 24)

• Channel members: Unmapping a user role from Slack (p. 24)

• Administrator: Unmapping a user role from Slack (p. 24)

• Administrator: Enabling a user role requirement (p. 25)

Prerequisites

To manage user roles, you need a Slack channel configured for AWS Chatbot. For more information, see Getting started with AWS Chatbot (p. 5).

Channel members: Adding a user role from Slack

If you are a new channel member or your channel permission approach changes, AWS Chatbot will prompt you to add a user role.

To add a user role from Slack

1. Choose Let's get started.

2. Choose an account to add a role.


Note

This link will take you directly to the AWS Chatbot console.

3. In User role, choose a role.

4. Choose Save.

Note

Choosing Save takes you to a Slack-workspace authorization page to fetch your Slack identity. This identity is mapped to your chosen role.

5. Choose Allow.

Channel members: Switching user roles from Slack

If you find that your current user role doesn’t have the right permissions to achieve your desired task, you can switch roles directly from Slack.

Note

If you are unable to run a particular command after switching roles, contact your administrator regarding the channel guardrails in place.

To switch a user role from Slack

1. Enter @aws switch-role in your Slack channel.

2. Choose the account you want to switch roles for.

3. Choose Choose user role.

4. In User role, choose a user role.

5. Choose Save.

Note

Choosing Save takes you to a Slack-workspace authorization page. This is so your Slack identity can be retrieved and associated with your chosen role.

6. On the Slack-workspace authorization page, choose Allow.

Channel members: Unmapping a user role from Slack

If you have a user role applied that you no longer need, you can unmap it.

To unmap a user role

1. Open the AWS Chatbot console.

2. Choose a configured client.

3. In User role, choose Clear role.

Administrator: Unmapping a user role from Slack

You can unmap a user role from a Slack ID. When you unmap a user role, it no longer appears in your Mapped roles table.

To unmap a user role

1. Open the AWS Chatbot console.

2. Under Account settings, choose User permissions.

3. In Mapped roles, select the roles you want to unmap.


4. Choose Unmap.

Administrator: Enabling a user role requirement

You can enable a user role requirement to force users to apply a user role before running commands in Slack.

To enable a user role requirement

1. Open the AWS Chatbot console.

2. Under Account settings, choose User permissions.

3. In User role requirement, enable a user role requirement.

Protection policy

The expansion of usable CLI commands can allow channel members to create, read, update, and delete your AWS resources. To prevent this, a protection policy is applied to existing AWS Chatbot configurations by default to prevent unexpected changes. Specifically, it restricts permissions and actions to what was available before all CLI commands were usable. This policy is detachable, but we strongly recommend it stay in place until you’ve verified that all your guardrails, channel IAM roles, and user roles align with your governance policy or channel requirements. For more information, see Protection policy (p. 50).

You can view the protection policy JSON code below:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:Invoke*",
        "support:*",
        "ssm-incidents:*"
      ],
      "Resource": "*"
    }
  ]
}
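The Required permissions section above describes three layers (channel guardrails, the channel IAM role and the user role) whose combination decides what a channel member can do, and this section shows the protection policy that serves as a guardrail by default. The following added example (not code from this guide or from AWS Chatbot) is a minimal evaluator for the Effect/Action subset of IAM policy JSON that treats the three layers as an intersection, and runs the protection policy shown above against constructed sample actions. It ignores Resource, Condition and service control policies, which real IAM evaluation also applies; the sample channel and user roles are made up for the demonstration.

```python
"""How the channel guardrail, channel IAM role and user role combine (added example)."""
import fnmatch
import json

# The protection policy exactly as printed in this section.
PROTECTION_POLICY = json.loads("""
{ "Statement": [ { "Effect": "Allow",
                   "Action": [ "lambda:Invoke*", "support:*", "ssm-incidents:*" ],
                   "Resource": "*" } ] }
""")

# Constructed sample roles: a full-access role, and a user role that explicitly denies Support.
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
USER_ROLE_NO_SUPPORT = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "support:*", "Resource": "*"},
]}

LAYERS = ("channel guardrail", "channel IAM role", "user role")


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def policy_allows(policy: dict, action: str) -> bool:
    """Explicit Deny wins; otherwise any matching Allow grants; otherwise implicit deny.

    Action names are compared case-insensitively, and '*' wildcards apply as in IAM.
    """
    allowed = False
    for statement in _as_list(policy.get("Statement", [])):
        patterns = _as_list(statement["Action"])
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def blocking_layers(guardrail: dict, channel_role: dict, user_role: dict, action: str) -> list:
    """Names of the layers that do not permit the action (empty means it may run)."""
    policies = (guardrail, channel_role, user_role)
    return [name for name, policy in zip(LAYERS, policies) if not policy_allows(policy, action)]


def effective_allows(guardrail: dict, channel_role: dict, user_role: dict, action: str) -> bool:
    """A channel member may run an action only when every layer permits it."""
    return not blocking_layers(guardrail, channel_role, user_role, action)


if __name__ == "__main__":
    for action in ("lambda:InvokeFunction", "support:CreateCase", "ec2:TerminateInstances"):
        blocked = blocking_layers(PROTECTION_POLICY, ADMIN_POLICY, ADMIN_POLICY, action)
        print(f"{action}: {'allowed' if not blocked else 'blocked by ' + ', '.join(blocked)}")
```

With the protection policy as the guardrail, an administrator-level channel role and user role still cannot run ec2:TerminateInstances, which is the behaviour the Required permissions section describes: the guardrail caps what any role underneath it can grant. The reverse also holds, so a user role that denies support:* blocks support:CreateCase even though the guardrail allows it.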

Using commands in Slack

After you set up the AWS Chatbot in your Slack workspace, you run commands in Slack with the following prefix:

@aws

Note: If AWS is not listed as a valid member of the channel, you need to add the AWS Chatbot app to the Slack workspace and invite it to the channel. For more information, see the Getting started guide for AWS Chatbot (p. 5).

The AWS Chatbot command syntax is the same as you would use in a terminal:

@aws service command --options


Note: You can specify parameters with either a double hyphen (--option) or a single hyphen (-option). This allows you to run commands from a mobile device without the device automatically converting a double hyphen to a long dash.

Note: AWS CLI commands run from AWS Chatbot have an execution timeout of 15 seconds. If a command response is not received within 15 seconds, you receive a timeout error message.

If you have longer running jobs, such as AWS Lambda functions, you should invoke them asynchronously from AWS Chatbot. The maximum allowable Lambda function execution timeout is 900 seconds (15 minutes). For more information about asynchronous invocation, see Asynchronous invocation in the AWS Lambda Developer Guide.

For example, enter the following read-only command to view a list of your Lambda functions:

@aws lambda list-functions

Enter the following command to list CloudWatch alarms that are currently in the ALARM state:

@aws cloudwatch describe-alarms --state ALARM

You can also use CLI commands to change your AWS resources. For example, enter the following command to change the shard count of a Kinesis stream:

@aws kinesis update-shard-count --stream-name samplestream --scaling-type UNIFORM_SCALING --target-shard-count 6

You can enter a complete AWS CLI command with all the parameters, or you can enter the command without parameters and AWS Chatbot prompts you for missing parameters.

For more information on commonly used CLI commands, see Using CLI commands with AWS Chatbot - Common use cases (p. 33). For an exhaustive list of CLI commands, see the AWS CLI Command Reference.

Note: If you find you are unable to run commands in Slack, you may need to switch your user role or contact your administrator to find out which actions are permitted.

The following limitations apply to running AWS CLI commands in your Slack chat rooms:

• You may experience some latency when invoking commands through AWS Chatbot.

• Regardless of their AWS Chatbot role permissions, users cannot run IAM, AWS Security Token Service, or AWS Key Management Service commands within Slack channels.

• Amazon S3 service commands support Linux-style command aliases such as ls and cp. AWS Chatbot does not support Amazon S3 command aliases for commands in Slack.

• Users cannot display or decrypt secret keys or key pairs for any AWS service, or pass IAM credentials.

• You can't use AWS CLI command history (that is, recalling recent commands with the up arrow or down arrow keys) in the Slack channel. You must type, or copy and paste, each AWS CLI command in the Slack channel.

• You can create AWS support cases through your Slack channels. You cannot add attachments to these cases from the Slack channel.

• Slack channels do not support standard AWS CLI pagination.

Unsupported operations

AWS Chatbot does not support running commands for the following operations:

• Chatbot
  • All Operations

• Amazon Cognito user pools
  • All Operations

• IAM
  • All Operations

• AWS Key Management Service
  • All Operations

• Amazon SimpleDB
  • All Operations

• Secrets Manager
  • All Operations

• AWS Single Sign-On
  • All Operations

• AWS Security Token Service
  • All Operations

• AWS AppSync
  • ListApiKeys

• AWS CodeCommit
  • GetFile
  • GetCommit
  • GetDifferences

• Amazon Connect
  • GetFederationToken

• Amazon DynamoDB
  • BatchGetItem
  • GetItem

• Amazon EC2
  • GetPasswordData

• Amazon ECR
  • GetAuthorizationToken
  • GetLogin

• GameLift
  • RequestUploadCredentials
  • GetInstanceAccess

• Lightsail
  • DownloadDefaultKeyPair
  • GetInstanceAccessDetail
  • GetKeyPair
  • GetKeyPairs

• Amazon Redshift
  • GetClusterCredentials

• StorageGateway
  • DescribeChapCredentials
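To see how the protection policy shown earlier and this list of unsupported operations combine to decide whether an @aws command will run, the following added example (not AWS code) evaluates a command offline. It assumes the protection policy acts as a ceiling on the channel role, like an IAM permissions boundary, and that the CLI-to-IAM-action mapping is the usual kebab-case to PascalCase rule; the service prefixes in the blocklist are the IAM prefixes for the services named above.

```python
"""Offline pre-check of which '@aws service command' invocations a Chatbot
channel would permit. Added example, not AWS Chatbot code. Assumption: an
action must be allowed by BOTH the channel role policy and the protection
policy (guardrail as a ceiling), and the unsupported operations listed on
this page are refused regardless of any policy."""
import fnmatch

# Protection policy exactly as shown on this page.
PROTECTION_POLICY = {"Statement": [{"Effect": "Allow",
    "Action": ["lambda:Invoke*", "support:*", "ssm-incidents:*"],
    "Resource": "*"}]}

# Subset of the page's unsupported operations, as IAM action patterns.
NEVER_ALLOWED = ["chatbot:*", "cognito-idp:*", "iam:*", "kms:*", "sdb:*",
                 "secretsmanager:*", "sso:*", "sts:*", "appsync:ListApiKeys",
                 "dynamodb:GetItem", "dynamodb:BatchGetItem",
                 "ec2:GetPasswordData", "ecr:GetAuthorizationToken",
                 "redshift:GetClusterCredentials"]

def cli_to_action(cli: str) -> str:
    """'@aws kinesis update-shard-count --x y' -> 'kinesis:UpdateShardCount'.
    Approximate: S3 shell-style aliases (ls, cp) have no such mapping."""
    service, command = cli.replace("@aws", "").split()[:2]
    return service + ":" + "".join(w.capitalize() for w in command.split("-"))

def _matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def policy_allows(policy: dict, action: str) -> bool:
    """IAM evaluation order: explicit Deny wins, then Allow, else deny."""
    allowed = False
    for st in policy["Statement"]:
        acts = st["Action"]
        acts = [acts] if isinstance(acts, str) else acts
        if any(_matches(p, action) for p in acts):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def chatbot_permits(cli: str, role_policy: dict,
                    guardrail: dict = PROTECTION_POLICY) -> bool:
    """True only if the hard blocklist, the role policy and the guardrail
    all let the mapped action through."""
    action = cli_to_action(cli)
    if any(_matches(p, action) for p in NEVER_ALLOWED):
        return False
    return policy_allows(role_policy, action) and policy_allows(guardrail, action)
```

With a broad channel role, the check shows that the protection policy still blocks the Kinesis shard change from this page while letting a Lambda invocation through, and that EC2 GetPasswordData is refused even if every policy allows it.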
