AWS Cloud Operations Blog

Managing access to AWS accounts from Microsoft Teams and Slack at scale using AWS Organizations and AWS Chatbot

Customers use chat collaboration applications like Microsoft Teams and Slack to collaborate and manage their AWS applications. AWS Chatbot is a ChatOps service that enables customers to monitor, troubleshoot issues, and manage AWS applications from chat channels. AWS Chatbot provides autonomy and customizability to DevOps teams operating their AWS environments on the go from chat collaboration platforms. Customers can monitor their budget alerts in one channel and receive security posture alerts in another. Customers can receive CI/CD alerts in a channel and take the necessary actions to unblock pipelines. Operations teams can monitor resource state change alerts and Amazon CloudWatch alarms and use natural language and the AWS CLI to diagnose and remediate issues. While customers want to empower their engineering and operations teams to move faster and resolve issues quickly, they also want centralized oversight of access to their AWS environments from chat applications. Such centralized access controls are essential for customers to ensure consistency with their corporate security policies and comply with industry standards.

AWS announced the general availability of AWS Organizations support for AWS Chatbot. Customers can use the multi-account management capabilities of AWS Organizations to govern access and manage command permissions from chat applications. In this blog, we discuss the use cases that the AWS Organizations integration in AWS Chatbot enables and provide a step-by-step guide to getting started. If you are unfamiliar with AWS Chatbot, see the Getting started with AWS Chatbot guide to learn more about AWS Chatbot and its capabilities.

Customer benefits of using AWS Organizations support in AWS Chatbot

Customers need centralized governance on supported chat platforms and workspaces

Customers tell us they want to control access from chat channels to their AWS accounts centrally. They want to be able to specify which chat collaboration applications their teams can use to manage AWS applications and block access from other chat applications. Some customers say that they have multiple chat workspaces and organizational units in AWS Organizations reflecting their corporate structure. They want to be able to control which chat workspaces (referred to as teams in Microsoft Teams) are allowed to access AWS accounts in those organizational units and restrict access to these accounts from other workspaces. Security-conscious customers also want to lock down access to their AWS accounts from chat channels on a need-to-know basis. They want the ability to allow only members of private Slack channels to view and operate AWS accounts and to block access from public Slack channels.

Customers need security guardrails to control permissions to commands run from chat channels

Customers need to enforce guardrails on the commands their users can run from chat channels to comply with their organization’s access control guidelines. With AWS Organizations support for AWS Chatbot, customers can define service control policies (SCPs) to centrally control permissions for API actions invoked from chat channels. Suppose the guidelines require that no user be allowed to delete database clusters from chat channels. In that case, customers can define an SCP that denies the rds:DeleteDBCluster API action when it originates from chat channels.

Setting up organizational controls in AWS Organizations for Chatbot

Before beginning, make sure that your AWS organization has all features enabled.

Enable access to accounts from chat channels via chatbot policies in AWS Organizations

Chatbot policies let you control access to your organization’s accounts from chat channels. You use Chatbot policies to determine which permission models, chat platforms, and chat workspaces can be used to access the accounts. To get started, sign in to your organization’s management account and navigate to the AWS Organizations console. On the Policies page, enable Chatbot policies.

Figure 1: Policies page in the AWS Organizations console to enable Chatbot policies.

You can now create your first Chatbot policy from the Chatbot policies page. With a Chatbot policy, you can restrict access to chat applications and specify allowed permission model types for running commands from chat channels.

Figure 2: Chatbot policy configuration page.

After a Chatbot policy is created, you are ready to attach it to accounts and organizational units in your organization. From the Chatbot policy detail page, you can attach your policy to individual accounts, OUs, or your entire organization. Select Attach in the Targets section, then select the desired set of accounts and OUs on the Attach a Policy page. Selecting Root attaches your policy to all accounts in your organization, and selecting an OU attaches your policy to all sub-OUs and accounts within it. (Note: when applying a service control policy or chatbot policy to the root in AWS Organizations, it’s important to test the policy’s impact on accounts first.)

Figure 3: Attach a chatbot policy to Organization targets.

Once your policy is attached to a target, the settings defined in the Chatbot policy are automatically added to accounts in your selection. Any changes you make to your Chatbot policy are automatically applied to the settings for the attached accounts. If an account joins a selected OU, it receives the Chatbot policy automatically; likewise, if an account leaves the selected OU, the previously effective Chatbot policy no longer applies for that account.

{
   "AWSTemplateFormatVersion":"2010-09-09",
   "Description":"AWS CloudFormation Organizations Template Example",
   "Resources":{
      "PolicyTestTemplate":{
         "DeletionPolicy":"Retain",
         "Type":"AWS::Organizations::Policy",
         "Properties":{
            "Type":"CHATBOT_POLICY",
            "Name":"AllowOnlySlackWithUserRolePolicy",
            "Content":{
               "chatbot":{
                  "default":{
                     "client":{
                        "@@assign":"disabled"
                     }
                  },
                  "platforms":{
                     "slack":{
                        "client":{
                           "@@assign":"enabled"
                        },
                        "default":{
                           "supported_role_settings":{
                              "@@assign":[
                                 "user_role"
                              ]
                           }
                        },
                        "workspaces":{
                           "@@assign":[
                              "T12341234"
                           ]
                        }
                     }
                  }
               }
            }
         }
      }
   }
}

Figure 4: A sample CloudFormation template for an AWS Organizations chatbot policy.
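The same policy, built and deployed through the AWS Organizations API rather than the console, as an added example that is not code from the post or from the AWS Chatbot team. It assumes boto3 credentials for the organization's management account when deploy() is called; the offline helpers need no credentials. The workspace id T12341234 is the placeholder from Figure 4, the target id is a placeholder, and is_access_allowed() is this example's own reading of the fields in Figure 4 (the service's evaluation is authoritative), useful for sanity-checking a policy before attaching it to the root.

```python
"""Build, sanity-check and deploy an AWS Organizations chatbot policy.

Added example, not code from the blog post. deploy() needs management-account
credentials configured for boto3; the other functions run offline.
"""
import json


def build_chatbot_policy(workspace_ids, role_settings=("user_role",), platform="slack"):
    """Same shape as Figure 4: every platform disabled by default, one platform
    enabled, limited to the listed workspaces and permission models."""
    return {
        "chatbot": {
            "default": {"client": {"@@assign": "disabled"}},
            "platforms": {
                platform: {
                    "client": {"@@assign": "enabled"},
                    "default": {"supported_role_settings": {"@@assign": list(role_settings)}},
                    "workspaces": {"@@assign": list(workspace_ids)},
                }
            },
        }
    }


def _assigned(node, default=None):
    """Value of an '@@assign' operator, the only operator Figure 4 uses."""
    return node.get("@@assign", default) if isinstance(node, dict) else default


def is_access_allowed(policy, platform, workspace_id, role_setting):
    """Offline reading of the policy (assumption of this example, not the
    service's evaluator): the platform client must be enabled, either directly
    or via the default; the workspace must be listed when a workspace list is
    assigned; the permission model must be in supported_role_settings when one
    is assigned."""
    chatbot = policy["chatbot"]
    default_client = _assigned(chatbot.get("default", {}).get("client"), "enabled")
    plat = chatbot.get("platforms", {}).get(platform, {})
    if _assigned(plat.get("client"), default_client) != "enabled":
        return False
    allowed_workspaces = _assigned(plat.get("workspaces"))
    if allowed_workspaces is not None and workspace_id not in allowed_workspaces:
        return False
    roles = _assigned(plat.get("default", {}).get("supported_role_settings"))
    if roles is not None and role_setting not in roles:
        return False
    return True


def deploy(policy_content, name, target_id):
    """Enable the CHATBOT_POLICY type on the root if needed, create the policy,
    attach it to target_id (root, OU or account id) and return the effective
    policy the target now sees, so the result can be reviewed immediately."""
    import boto3  # imported here so the offline helpers work without boto3

    org = boto3.client("organizations")
    root = org.list_roots()["Roots"][0]
    enabled = {p["Type"] for p in root["PolicyTypes"] if p["Status"] == "ENABLED"}
    if "CHATBOT_POLICY" not in enabled:
        org.enable_policy_type(RootId=root["Id"], PolicyType="CHATBOT_POLICY")
    policy_id = org.create_policy(
        Name=name,
        Description="Restrict chat-channel access to approved workspaces",
        Type="CHATBOT_POLICY",
        Content=json.dumps(policy_content),
    )["Policy"]["PolicySummary"]["Id"]
    org.attach_policy(PolicyId=policy_id, TargetId=target_id)
    effective = org.describe_effective_policy(PolicyType="CHATBOT_POLICY", TargetId=target_id)
    return policy_id, json.loads(effective["EffectivePolicy"]["PolicyContent"])


if __name__ == "__main__":
    policy = build_chatbot_policy(["T12341234"])
    print(json.dumps(policy, indent=2))
    print(is_access_allowed(policy, "slack", "T12341234", "user_role"))   # expected: True
    print(is_access_allowed(policy, "slack", "T99999999", "user_role"))   # expected: False
    # deploy(policy, "AllowOnlySlackWithUserRolePolicy", "ou-PLACEHOLDER")  # uncomment with a real target id
```

Run the offline checks first; then call deploy() against a test OU before the root, which is the precaution the note above recommends. The effective policy returned by deploy() is what AWS Organizations computed after inheritance, so it is the right thing to inspect when an account sits under several policies.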

Add guardrails on the allowed actions in chat channels

The AWS Chatbot service doesn’t allow certain command actions from chat channels at all. Customers can further restrict specific commands by denying additional API actions across their accounts via service control policies (SCPs), which they can apply to any accounts within their chosen organizational unit (OU).

To create a service control policy, select Policies in the AWS Organizations console navigation pane. You can create service control policies to control the types of commands users can run from chat channels. The example below denies invoking Lambda functions and running Systems Manager automation runbooks from any AWS Chatbot-managed chat channel. You can then attach the SCP to accounts and organizational units in your organization: select Attach in the Targets section of the SCP, then select the desired set of accounts and OUs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ssm:StartAutomationExecution",
        "lambda:InvokeFunction"
      ],
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:ChatbotSourceArn": "arn:aws:chatbot::*:chat-configuration/*"
        }
      }
    }
  ]
}

Figure 5: Example of a service control policy that blocks specific commands (lambda:InvokeFunction and ssm:StartAutomationExecution) invoked from chat channels.
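An offline evaluator for SCP statements of the kind shown in Figure 5, added here as an example that is not from the post or from AWS. It models only what the figure uses (Effect Deny, Action or NotAction, Resource, and an ArnLike condition on aws:ChatbotSourceArn) and is a teaching aid, not a substitute for the IAM policy simulator. It shows that the deny only fires when the request carries a chatbot source ARN, and that the NotAction form is the inverse of the Action form: with NotAction the deny applies to every action except the two listed, so a mistaken swap would block nearly all chat commands. The account id and channel name in the request context are constructed sample values.

```python
"""Offline check of what an SCP like Figure 5 denies for chat-originated requests.

Added example, not code from the blog post or from AWS. Only the policy-language
features used in Figure 5 are modelled.
"""
import fnmatch

CHATBOT_CONDITION = {"ArnLike": {"aws:ChatbotSourceArn": "arn:aws:chatbot::*:chat-configuration/*"}}

# Same statement as Figure 5: deny the two listed actions when the request was
# issued from a chat channel (i.e. carries a chatbot source ARN).
DENY_LISTED_FROM_CHAT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["ssm:StartAutomationExecution", "lambda:InvokeFunction"],
        "Resource": "*",
        "Condition": CHATBOT_CONDITION,
    }],
}

# Swapping Action for NotAction inverts the effect: every action *except* the
# two listed is denied from chat channels.
DENY_ALL_BUT_LISTED_FROM_CHAT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "NotAction": ["ssm:StartAutomationExecution", "lambda:InvokeFunction"],
        "Resource": "*",
        "Condition": CHATBOT_CONDITION,
    }],
}

# Constructed request context for a command typed in a Slack channel.
CHAT_CONTEXT = {
    "aws:ChatbotSourceArn": "arn:aws:chatbot::111122223333:chat-configuration/slack-channel/ops-alerts"
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # For ArnLike, a key absent from the request context makes the condition
    # false, so the statement does not apply to console or CLI calls.
    for operator, pairs in condition.items():
        if operator != "ArnLike":
            raise NotImplementedError(f"operator {operator} is not modelled in this example")
        for key, patterns in pairs.items():
            value = context.get(key)
            if value is None or not any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns)):
                return False
    return True


def scp_denies(policy, action, context, resource="*"):
    """True if any Deny statement in the SCP matches the action, resource and
    request context. SCPs never grant permissions, so False only means the SCP
    does not block the call; the identity's own IAM policy still has to allow it."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            applies = _action_matches(stmt["Action"], action)
        elif "NotAction" in stmt:
            applies = not _action_matches(stmt["NotAction"], action)
        else:
            applies = False
        if not applies:
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    for action in ("lambda:InvokeFunction", "ec2:DescribeInstances"):
        print(action, "from chat, Figure 5 SCP denies:", scp_denies(DENY_LISTED_FROM_CHAT, action, CHAT_CONTEXT))
        print(action, "from chat, NotAction variant denies:", scp_denies(DENY_ALL_BUT_LISTED_FROM_CHAT, action, CHAT_CONTEXT))
    # The same call from the console or CLI carries no chatbot source ARN, so the SCP leaves it alone.
    print("lambda:InvokeFunction outside chat denied:", scp_denies(DENY_LISTED_FROM_CHAT, "lambda:InvokeFunction", {}))
```

Before attaching an SCP of this shape to an OU, run the actions your operators legitimately use from chat through scp_denies() with a chat context, and the same actions with an empty context, to confirm the policy restricts only chat-originated calls and only the intended ones.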

Conclusion

This blog post described customer use cases for managing permissions to operate AWS accounts from Microsoft Teams and Slack. We also covered a step-by-step guide to configuring AWS Organizations chatbot policies to centrally manage access from chat channels for your organization’s accounts.

Thank you for reading this post. The features described in this blog are free to use. Try out these features and tell us how you intend to use them. You can reach the AWS Chatbot team by typing the @aws feedback <your comments> command in your chat channels or by selecting the Feedback link on the AWS Chatbot Console.

About the authors

Abhijit Barde

Abhijit Barde is the Principal Product Manager for AWS Chatbot, where he focuses on making it easy for all AWS users to discover, monitor, and interact with AWS resources using conversational interfaces.

Hayden Lawler

Hayden Lawler is a Software Development Engineer with AWS Chatbot. He has keen interests in providing simple and safe user experiences for AWS customers and expanding the capabilities of ChatOps via AWS Chatbot.

Kate Mendiola

Kate Mendiola is a Software Development Engineer on the AWS Chatbot team. She’s passionate about finding customer problems to solve and driving adoption of AWS Chatbot across AWS customers.

Ajaykumar Prathap

Ajaykumar Prathap is a Front-End Engineer at AWS Chatbot, with a passion for coding and solving customer problems. He leverages the latest web technologies to develop solutions that make a substantial impact.