AWS Cloud Operations Blog
Managing access to AWS accounts from Microsoft Teams and Slack at scale using AWS Organizations and AWS Chatbot
Customers use chat collaboration applications like Microsoft Teams and Slack to collaborate and manage their AWS applications. AWS Chatbot is a ChatOps service that enables customers to monitor, troubleshoot issues, and manage AWS applications from chat channels. AWS Chatbot gives DevOps teams the autonomy and customizability to operate their AWS environments on the go from chat collaboration platforms. Customers can monitor budget alerts in one channel and receive security posture alerts in another. They can receive CI/CD alerts in a channel and take the actions needed to unblock pipelines. Operations teams can monitor resource state change alerts and Amazon CloudWatch alarms and use natural language and the AWS CLI to diagnose and remediate issues. While customers want to empower their engineering and operations teams to move faster and resolve issues quickly, they also want centralized oversight of access to their AWS environments from chat applications. Such centralized access controls are essential for ensuring consistency with corporate security policies and complying with industry standards.
AWS announced general availability of AWS Organizations support for AWS Chatbot. Customers can use the multi-account management capabilities of AWS Organizations to govern access and manage command permissions from chat applications. In this blog, we discuss the use cases that the AWS Organizations integration in AWS Chatbot enables and provide a step-by-step guide to getting started. If you are unfamiliar with AWS Chatbot, see the Getting started with AWS Chatbot guide to learn more about AWS Chatbot and its capabilities.
Customer benefits of using AWS Organizations support in AWS Chatbot
Customers need centralized governance on supported chat platforms and workspaces
Customers tell us they want to control access from chat channels to their AWS accounts centrally. They want to specify which chat collaboration applications their teams can use to manage AWS applications and block access from all others. Some customers have multiple chat workspaces and organizational units (OUs) in AWS Organizations that reflect their corporate structure. They want to control which chat workspaces (called teams in Microsoft Teams) are allowed to access the AWS accounts in a given OU and restrict access to those accounts from other workspaces. Security-conscious customers also want to lock down access to their AWS accounts from chat channels on a need-to-know basis: only members of private Slack channels should be able to view and operate AWS accounts, and access from public Slack channels should be blocked.
Customers need security guardrails to control permissions to commands run from chat channels
Customers need to enforce guardrails on the commands their users can run from chat channels to comply with their organization’s access control guidelines. With AWS Organizations support for AWS Chatbot, customers can define service control policies (SCPs) that centrally control which API actions may be invoked from chat channels. Suppose the guidelines require that no user be allowed to delete database clusters from a chat channel. The customer can then write an SCP that denies the rds:DeleteDBCluster API action (the action behind the aws rds delete-db-cluster command) whenever the request originates from a chat channel.
Setting up organizational controls in AWS Organizations for Chatbot
Before beginning, make sure that your AWS organization has all features enabled.
Enable access to accounts from chat channels via chatbot policies in AWS Organizations
Chatbot policies let you control access to your organization’s accounts from chat channels. You use Chatbot policies to determine which permission models, chat platforms, and chat workspaces can be used to access the accounts. To get started, sign in to your AWS management account and navigate to the AWS Organizations console. On the Policies page, enable Chatbot policies.
Figure 1: Policies page in AWS Organizations console to enable Chatbot policies.
You can now create your first Chatbot policy from the Chatbot policies page. With a Chatbot policy, you can restrict access to chat applications and specify allowed permission model types for running commands from chat channels.
Figure 2: Chatbot policy configuration
After a Chatbot policy is created, you are ready to attach it to accounts and organizational units in your organization. From the Chatbot policy detail page, you can attach your policy to individual accounts, OUs, or your entire organization. Select Attach in the Targets section, then select the desired set of accounts and OUs on the Attach a Policy page. Selecting Root attaches your policy to every account in your organization; selecting an OU attaches it to all sub-OUs and accounts within that OU. (Note: before attaching a service control policy or Chatbot policy to the root, test its impact on a small set of accounts first.)
Figure 3: Attach a chatbot policy to Organization targets
Once your policy is attached to a target, the settings defined in the Chatbot policy are automatically added to accounts in your selection. Any changes you make to your Chatbot policy are automatically applied to the settings for the attached accounts. If an account joins a selected OU, it receives the Chatbot policy automatically; likewise, if an account leaves the selected OU, the previously effective Chatbot policy no longer applies for that account.
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "AWS CloudFormation Organizations Template Example",
  "Resources": {
    "PolicyTestTemplate": {
      "DeletionPolicy": "Retain",
      "Type": "AWS::Organizations::Policy",
      "Properties": {
        "Type": "CHATBOT_POLICY",
        "Name": "AllowOnlySlackWithUserRolePolicy",
        "Content": {
          "chatbot": {
            "default": {
              "client": {
                "@@assign": "disabled"
              }
            },
            "platforms": {
              "slack": {
                "client": {
                  "@@assign": "enabled"
                },
                "default": {
                  "supported_role_settings": {
                    "@@assign": [
                      "user_role"
                    ]
                  }
                },
                "workspaces": {
                  "@@assign": [
                    "T12341234"
                  ]
                }
              }
            }
          }
        }
      }
    }
  }
}
Figure 4: A sample CloudFormation template for an AWS Organizations Chatbot policy. It disables chat access by default, enables only Slack, restricts Slack to a single workspace, and allows only the user-level role permission model.
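The inheritance behaviour described above (a policy attached to an OU flows down to every account in it, and each level can refine what it inherits) is what makes it hard to tell, just by reading one policy, what an account actually ends up with. The following is an added example, not AWS code and not part of the original post: a simplified Python model of how AWS Organizations folds a chain of management policies (root first, account last) into one operator-free effective policy using the documented @@assign, @@append and @@remove value operators. The root policy is the content of the template above; the OU-level and account-level policies, the workspace ID T56785678, the platform key microsoft_teams, and the rule that an unspecified platform falls back to chatbot.default.client are constructed assumptions for the illustration. The model ignores @@operators_allowed_for_child_policies and the other inheritance controls, so always compare its output with what Organizations itself reports for the account (aws organizations describe-effective-policy --policy-type CHATBOT_POLICY).

```python
"""Constructed, simplified model of AWS Organizations management-policy
inheritance for chatbot policies. Added example, not AWS code. It applies the
@@assign / @@append / @@remove value operators level by level and ignores
@@operators_allowed_for_child_policies, so treat the effective policy that
Organizations reports as authoritative.
"""
import copy

OPERATORS = {"@@assign", "@@append", "@@remove"}


def _apply_operators(inherited, ops):
    """Apply one leaf's operators to the value inherited from parent policies."""
    value = copy.deepcopy(inherited)
    if "@@assign" in ops:                       # replace whatever was inherited
        value = copy.deepcopy(ops["@@assign"])
    if "@@append" in ops:                       # add items to the inherited list
        base = [] if value is None else value if isinstance(value, list) else [value]
        extra = ops["@@append"] if isinstance(ops["@@append"], list) else [ops["@@append"]]
        value = base + [v for v in extra if v not in base]
    if "@@remove" in ops:                       # drop items from the inherited list
        drop = ops["@@remove"] if isinstance(ops["@@remove"], list) else [ops["@@remove"]]
        value = [v for v in (value if isinstance(value, list) else []) if v not in drop]
    return value


def _merge(effective, policy):
    """Recursively fold an operator-bearing policy into the operator-free result."""
    for key, child in policy.items():
        if isinstance(child, dict) and OPERATORS.intersection(child):
            effective[key] = _apply_operators(effective.get(key), child)
        elif isinstance(child, dict):
            sub = effective.get(key)
            effective[key] = _merge(sub if isinstance(sub, dict) else {}, child)
        else:                                   # bare value: treated like @@assign
            effective[key] = copy.deepcopy(child)
    return effective


def effective_policy(chain):
    """chain: policies ordered root -> OU(s) -> account, as attached in Organizations."""
    result = {}
    for policy in chain:
        result = _merge(result, policy)
    return result


def platform_enabled(effective, platform):
    """Assumption: a platform's own `client` setting wins; otherwise
    chatbot.default.client applies; with no policy at all, access is enabled."""
    chatbot = effective.get("chatbot", {})
    own = chatbot.get("platforms", {}).get(platform, {}).get("client")
    if own is None:
        own = chatbot.get("default", {}).get("client", "enabled")
    return own == "enabled"


def workspace_allowed(effective, platform, workspace_id):
    """Assumption: a missing `workspaces` list means no workspace restriction."""
    ws = effective.get("chatbot", {}).get("platforms", {}).get(platform, {}).get("workspaces")
    return platform_enabled(effective, platform) and (ws is None or workspace_id in ws)


# Root: the Content block of the CloudFormation template in the post.
ROOT_POLICY = {"chatbot": {
    "default": {"client": {"@@assign": "disabled"}},
    "platforms": {"slack": {
        "client": {"@@assign": "enabled"},
        "default": {"supported_role_settings": {"@@assign": ["user_role"]}},
        "workspaces": {"@@assign": ["T12341234"]},
    }},
}}
# Constructed OU-level policy: this OU's teams may also use a second workspace.
OU_POLICY = {"chatbot": {"platforms": {"slack": {
    "workspaces": {"@@append": ["T56785678"]}}}}}
# Constructed account-level policy: production allows only the channel role
# permission model and drops the first workspace.
ACCOUNT_POLICY = {"chatbot": {"platforms": {"slack": {
    "default": {"supported_role_settings": {"@@assign": ["channel_role"]}},
    "workspaces": {"@@remove": ["T12341234"]}}}}}


if __name__ == "__main__":
    import json
    print(json.dumps(effective_policy([ROOT_POLICY, OU_POLICY, ACCOUNT_POLICY]), indent=2))
```

Run as a script it prints the effective policy for the production account: Slack remains the only enabled platform, the workspace list has become ["T56785678"], and the permission model is now ["channel_role"] even though the root policy said "user_role". That is the point to check before attaching to the root: a child policy can widen as well as narrow what the parent set, unless the parent restricts the operators children may use.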
Add guardrails on the allowed actions in chat channels
The AWS Chatbot service itself already blocks certain command actions from chat channels. Customers can restrict further by denying additional API actions through service control policies (SCPs) attached to any accounts or organizational units (OUs) of their choosing.
To create a service control policy, select Policies in the AWS Organizations console navigation pane. SCPs let you control the types of commands users can run from chat channels. The example below denies invoking Lambda functions and starting Systems Manager Automation runbooks from any AWS Chatbot-managed chat channel, using the aws:ChatbotSourceArn condition key to match only requests that originate from a chat configuration; the same actions remain available from the console, CLI, and SDKs. Use Action, not NotAction, in a Deny statement like this: a Deny with NotAction blocks every action except the ones listed. You can then attach the SCP to accounts and organizational units in your organization: select Attach in the Targets section of the SCP, then select the desired set of accounts and OUs.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ssm:StartAutomationExecution",
        "lambda:InvokeFunction"
      ],
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:ChatbotSourceArn": "arn:aws:chatbot::*:chat-configuration/*"
        }
      }
    }
  ]
}
Figure 5: Example service control policy that blocks specific commands (lambda:InvokeFunction and ssm:StartAutomationExecution) when they are invoked from chat channels.
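Whether a Deny statement lists the blocked actions under Action or under NotAction changes its meaning completely, and the only request-context difference between a chat command and the same API call from the CLI is the presence of aws:ChatbotSourceArn. The following is an added example, not AWS code and not part of the original post: a deliberately small Python evaluator for SCP Deny statements that builds the chat-channel SCP in both shapes and shows what each one actually blocks. It is not the IAM policy engine (no Allow statements, policy variables, IfExists or other condition operators), and the account ID 111122223333, the Slack channel configuration name and the Lambda function ARN are constructed; validate anything you intend to deploy with the IAM policy simulator.

```python
"""Constructed, simplified evaluator for SCP Deny statements. Added example,
not AWS code. Supports Effect: Deny with Action or NotAction, Resource, and
ArnLike / StringLike / StringEquals conditions; ignores everything else the
real IAM engine does, so use it as a reading aid only.
"""
import re


def _glob(pattern, value, case_sensitive):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Every operator/key block must match (AND); values within one key are OR-ed."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            actual = context.get(key)
            if actual is None:          # key absent from the request: no match
                return False
            if operator in ("ArnLike", "StringLike"):
                ok = any(_glob(p, actual, True) for p in _as_list(patterns))
            elif operator == "StringEquals":
                ok = actual in _as_list(patterns)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def _statement_covers_action(statement, action):
    """Action names the actions the statement applies to; NotAction means
    'every action except these'. Action names match case-insensitively."""
    if "Action" in statement:
        return any(_glob(p, action, False) for p in _as_list(statement["Action"]))
    return not any(_glob(p, action, False) for p in _as_list(statement["NotAction"]))


def scp_denies(policy, action, resource, context):
    """True if any Deny statement matches this action, resource and request context."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        if not _statement_covers_action(statement, action):
            continue
        if not any(_glob(r, resource, True) for r in _as_list(statement.get("Resource", "*"))):
            continue
        if "Condition" in statement and not _condition_matches(statement["Condition"], context):
            continue
        return True
    return False


def deny_statements_using_notaction(policy):
    """Lint: indexes of statements that pair Deny with NotAction (deny all but)."""
    return [i for i, s in enumerate(policy["Statement"])
            if s.get("Effect") == "Deny" and "NotAction" in s]


def chat_scp(action_key):
    """The post's chat-channel SCP, with the action list under Action or NotAction."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            action_key: ["ssm:StartAutomationExecution", "lambda:InvokeFunction"],
            "Resource": "*",
            "Condition": {"ArnLike": {
                "aws:ChatbotSourceArn": "arn:aws:chatbot::*:chat-configuration/*"}},
        }],
    }


DENY_LISTED = chat_scp("Action")              # blocks only the two listed actions
DENY_ALL_BUT_LISTED = chat_scp("NotAction")   # blocks everything except those two

# Constructed request contexts: a command issued from a Slack channel carries
# aws:ChatbotSourceArn; the same API call from the CLI does not.
FROM_CHAT = {"aws:ChatbotSourceArn":
             "arn:aws:chatbot::111122223333:chat-configuration/slack-channel/ops-alerts"}
FROM_CLI = {}
FN_ARN = "arn:aws:lambda:us-east-1:111122223333:function:restart-service"   # constructed


if __name__ == "__main__":
    for name, policy in (("Action", DENY_LISTED), ("NotAction", DENY_ALL_BUT_LISTED)):
        print(f"{name}: invoke from chat denied="
              f"{scp_denies(policy, 'lambda:InvokeFunction', FN_ARN, FROM_CHAT)}, "
              f"describe alarms from chat denied="
              f"{scp_denies(policy, 'cloudwatch:DescribeAlarms', '*', FROM_CHAT)}, "
              f"invoke from CLI denied={scp_denies(policy, 'lambda:InvokeFunction', FN_ARN, FROM_CLI)}")
```

Run as a script, the Action form denies lambda:InvokeFunction from chat, leaves cloudwatch:DescribeAlarms from chat alone, and does not touch the same Lambda invocation from the CLI, which is the intended guardrail. The NotAction form does the opposite: it lets lambda:InvokeFunction through from chat and denies every other action, which would break ordinary monitoring commands in the channel. The deny_statements_using_notaction lint is a cheap check to run over SCPs before they are attached to an OU.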
Conclusion
This blog post described customer use cases for managing permissions to operate AWS accounts from Microsoft Teams and Slack. We also walked through configuring AWS Organizations Chatbot policies to centrally manage access from chat channels to your organization’s accounts, and using service control policies to restrict which commands can be run from those channels.
Thank you for reading this post. The features described in this blog are free to use. Try them out and tell us how you intend to use them. You can reach the AWS Chatbot team by typing the @aws feedback <your comments> command in your chat channels or by selecting the Feedback link in the AWS Chatbot console.