AWS Chatbot FAQs

General

AWS Chatbot is an interactive agent that makes it easy to set up ChatOps for AWS in your Amazon Chime, Microsoft Teams, or Slack channels, and to securely interact with multiple AWS services. You can receive notifications about operational events, security findings, or budget alerts right in your chatroom, where your entire team can see and discuss them. You can issue AWS Command Line Interface (CLI) commands from Microsoft Teams and Slack channels to retrieve diagnostic information, invoke AWS Lambda functions, configure Amazon Simple Storage Service (S3) buckets, change Kinesis shards, restart Amazon Elastic Compute Cloud (EC2) instances, and resolve AWS Systems Manager incidents.

You can receive notifications from your AWS services, such as CloudWatch alarms, Health events, Security Hub findings, Budgets alerts, and CloudFormation stack events. You can also receive notifications for most AWS service events that are supported by Amazon EventBridge. For the full list of supported services, refer to the AWS Chatbot documentation.

AWS Chatbot supports both read-only and mutative CLI commands for most AWS services. Commands for services and operations related to credentials, authorization, and AWS Identity and Access Management (IAM) permissions, such as IAM, STS, KMS, and EC2.GetPasswordData, are not supported by AWS Chatbot. Additionally, you can specify guardrail policy permissions to define allowable commands in your channel. AWS Chatbot commands use the already-familiar AWS CLI syntax. To type a command, mention AWS Chatbot in a message by typing “@aws <command>.” AWS Chatbot will provide command cues if you use incorrect syntax and will prompt you for additional command parameters as required.

To get started with AWS Chatbot, go to the AWS Chatbot console, create a configuration for Microsoft Teams, Slack, or Chime, and add AWS Chatbot to your channels or chatrooms.

AWS Chatbot helps your entire team stay updated on, respond to, and resolve operational events, security findings, and budget alerts for applications running in your AWS environment. If you use a chat application supported by AWS Chatbot, you can configure AWS Chatbot to publish notifications and run commands in a team channel or chatroom where your entire team can see and quickly act on them. For example, you can set up CloudWatch alarms to go into a “Cloud DevOps” chat channel where DevOps engineers can see alarms, retrieve diagnostic information immediately after events occur, discuss mitigation plans, and resolve alarms by configuring AWS resources or running AWS Systems Manager runbooks from the chat channel.

You can chat with Amazon Q Developer in Microsoft Teams and Slack channels that are configured with AWS Chatbot. Amazon Q in AWS Chatbot can answer questions about resources in your AWS accounts, best practices for building solutions, troubleshooting issues, and identifying next steps. You can ask Amazon Q questions directly from your chat channels by typing "@aws list by ec2 instances in us-west-1" or "@aws how do I troubleshoot lambda concurrency issues?".

For more information, see Chatting with Amazon Q Developer in AWS Chatbot.

AWS Chatbot is a prebuilt interactive agent designed to monitor, operate, and troubleshoot your AWS resources (ChatOps). With AWS Chatbot, you can securely receive alerts, request diagnostic information from services such as Amazon CloudWatch and AWS GuardDuty, and resolve incidents by running CLI commands in your Microsoft Teams or Slack channels, such as commands for executing AWS Systems Manager runbooks or increasing AWS Lambda concurrency limits.

Amazon Lex provides the advanced deep learning capabilities of automatic speech recognition (ASR) for converting speech to text and natural language understanding (NLU) to recognize the intent and build lifelike interactions. This lets you quickly and easily build your own sophisticated, natural language conversational bots.

AWS Chatbot is available at no additional charge. You pay only for the AWS resources that are used with AWS Chatbot, such as Amazon Simple Notification Service (SNS) topics or Amazon CloudWatch alarms.

You can provision Microsoft Teams and Slack channel configurations using the AWS CLI, AWS CloudFormation, AWS Cloud Control APIs, and SDKs. Terraform users can use the AWS provider to manage Chatbot channel configurations.

AWS Chatbot is a global service and can be used in all commercial AWS Regions. You can combine Amazon SNS topics from multiple Regions in a single AWS Chatbot configuration. Visit the AWS Regional Product and Services table for details about availability.

AWS Chatbot is a global service and we may store or process customer information, such as Chatbot configurations and permissions, Microsoft Teams team identifiers, Slack workspace identifiers and channel names, notifications, user inputs, and AWS Chatbot generated responses and images, in any of the commercial AWS Regions.

You can request deletion of data used for analytics and to improve the quality of service associated with your account by contacting AWS Support. Your trust, your privacy, and the security of your data are our highest priority and we implement appropriate and sophisticated technical and physical controls, including encryption at rest and in transit, designed to prevent unauthorized access to, or disclosure of, your data and ensure that our use complies with our commitments to you. See https://aws.amazon.com/compliance/data-privacy-faq/ for more information. 

When you opt out of use of your data to improve and develop the quality of AWS Chatbot and other Amazon machine-learning/artificial-intelligence technologies, your data will be removed from all AWS Regions. For information about how to opt out, contact AWS Support.

You can customize AWS Chatbot to suit your ChatOps use cases. You can designate different channels to monitor and operate different aspects of your cloud applications. You can operate resources across multiple accounts and Regions from a channel. With IAM-based permissions, guardrails, and Service Control Policies (SCPs), you can decide the types of actions channel members can take from chat channels.

You can also send custom notifications so that you are informed about the state of your resources and applications. You can also customize action buttons on notifications and configure command aliases so that you can quickly run commands to diagnose and remediate issues.

Chat client integrations

AWS Chatbot supports Microsoft Teams, Slack, and Amazon Chime. Running commands is currently only supported in Microsoft Teams and Slack.

AWS Chatbot integrates with Amazon Chime via webhooks.

AWS Chatbot integrates with Microsoft Teams using an AWS Chatbot for Microsoft Teams app that you can install in your Microsoft Teams. You create a Microsoft Teams channel configuration in AWS Chatbot console and authorize AWS Chatbot to send notifications to the configured channel and process AWS commands in the chat channel. The installation is performed with a click-through flow in a browser or using AWS CloudFormation templates and takes a few minutes to set up.

AWS Chatbot integrates with Slack using an AWS Chatbot Slack app that you can install to your Slack workspace from the AWS Chatbot console. The installation is performed with a click-through OAuth 2.0 flow in a browser and takes a few clicks.

An AWS Chatbot configuration is a mapping of a Microsoft Teams channel, Slack channel or an Amazon Chime chatroom with Amazon SNS topics and an AWS IAM role with associated guardrail policies.

Notifications

AWS Chatbot integrates with supported AWS services through Amazon SNS topics. You need to configure the service to publish notifications to an SNS topic and then create an AWS Chatbot configuration that maps the topic to an Amazon Chime, a Microsoft Teams, or a Slack channel.

To receive notifications for EventBridge events from supported services with AWS Chatbot, use an Amazon SNS topic as a target for an EventBridge event rule and then use that topic in an AWS Chatbot configuration. When EventBridge receives an event with an event pattern that matches the one defined in the rule, the event rule fires and the event notification is sent to the configured chat channel. For the full list of supported services, refer to the AWS Chatbot documentation.

Click the title of the notification to navigate to the AWS Management Console page for the notification source. For example, if you click on the title of an AWS Budgets notification, you will be taken to the details page for that specific budget, where you can review and analyze your budget performance.

Yes, AWS Chatbot supports notifications for Amazon EventBridge events and custom application events to chat channels. Notifications for Amazon EventBridge events are delivered to chat channels with their original event message content. You can use AWS Chatbot custom notifications to define and add additional information in the notifications to monitor the health and performance of your AWS applications. To send a custom notification for an application event or amend an existing EventBridge event, you send the event in the Chatbot custom notification schema format to an SNS topic. Customers can generate these events by writing a Lambda function or using EventBridge InputTransformers.

For more information, see Custom notifications in AWS Chatbot.
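
As an added illustration (not part of the original FAQ), this is what an SNS message body in the custom notification schema can look like for a security event. The field names follow the AWS Chatbot custom notifications documentation rather than this page; every value, including the instance ID and thread ID, is a constructed sample.

```json
{
  "version": "1.0",
  "source": "custom",
  "content": {
    "textType": "client-markdown",
    "title": "Unexpected security group change (constructed sample)",
    "description": "A security group attached to `i-EXAMPLE0000000000` now allows inbound SSH from any address.",
    "nextSteps": [
      "Confirm whether the change was approved",
      "Revert the rule if it was not approved"
    ],
    "keywords": ["security-group", "prod"]
  },
  "metadata": {
    "threadId": "sg-change-example-001",
    "summary": "Security group opened to the internet",
    "eventType": "SecurityGroupChange",
    "relatedResources": ["i-EXAMPLE0000000000"],
    "additionalContext": {
      "environment": "prod",
      "detectedBy": "example-config-rule"
    }
  }
}
```

Only `version`, `source`, and `content.description` are required; notifications that share a `threadId` are grouped into one thread in the channel.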

No. Only SNS topics from the AWS account that hosts the AWS Chatbot configuration can be used. However, you can create Chatbot configurations in other AWS accounts and map those configurations to a single chatroom. Because each AWS Chatbot configuration is linked to a separate AWS account, the configurations will be independent of each other. Additionally, you can receive EventBridge event notifications between AWS accounts and Regions in your Amazon Chime, Microsoft Teams, and Slack channels using one AWS Chatbot configuration and one Amazon SNS topic. For more information on receiving EventBridge event notifications between AWS accounts and Regions, refer to the AWS Chatbot documentation.

Yes. You can use SNS topics from multiple public AWS Regions in the same AWS Chatbot configuration.

You can filter notifications using an Amazon SNS filter policy or Amazon CloudWatch Event Rules for events that support filtering. For other events, filtering is not available.

While you cannot directly customize the formatting of the AWS service event notifications, you can use AWS Chatbot custom notifications to define and add additional information in the notifications to monitor the health and performance of your AWS applications in Microsoft Teams and Slack channels. For more information, see Custom notifications in AWS Chatbot.

Yes, AWS Chatbot is subject to rate limits from Microsoft Teams, Slack, and Amazon Chime. Refer to the Microsoft Teams Developer documentation, the Slack Web API documentation, and the Amazon Chime webhook documentation for details.

AWS Chatbot supports notifications for most AWS service events that are handled by Amazon EventBridge. If AWS Chatbot does not currently support your desired service, you will not be able to use it with AWS Chatbot. Please submit a request using the Feedback button in the footer of the AWS Chatbot console for consideration.

To unsubscribe a channel or chatroom from notifications, remove the respective configuration. If you want to unsubscribe only some notifications from the channel or chatroom, remove specific Amazon SNS topics from the AWS Chatbot configuration.

You can see the details of notification attempts and failures in Amazon CloudWatch metrics and logs. See the AWS Chatbot documentation for more details on troubleshooting.

Running commands and actions

To run a command in a Microsoft Teams or a Slack channel, first create a channel configuration using the AWS Chatbot console.

To start interacting with AWS Chatbot in Microsoft Teams or Slack, type “@aws” followed by a command using the standard AWS CLI syntax. For example, type “@aws cloudwatch describe-alarms” to get a list and a chart of CloudWatch Alarms. You can run both read-only and mutative CLI commands in your Microsoft Teams and Slack channels. Refer to the AWS Chatbot documentation for the limitations compared to the AWS CLI. If you don’t remember the command syntax, AWS Chatbot will help you complete the command by providing command cues and asking for additional command parameters as needed.

You can also run commands with command aliases or select the Chatbot service recommended or custom action buttons.

AWS Chatbot supports commands for most AWS services, and its permissions scope is defined by the IAM role and channel IAM policy guardrails defined in your AWS Chatbot configurations. Regardless of the IAM role permissions, access to certain services and commands, such as IAM and AWS Key Management Service (KMS), is disabled to prevent exposing credentials in chat channels. Refer to the AWS Chatbot documentation for details on permissions.

Direct messages are not currently supported. You can create a private channel with just yourself and AWS Chatbot and use it for direct message communication.

Message actions are shortcuts that let you take quick action by clicking a button on notifications and messages sent by AWS Chatbot. For example, CloudWatch Alarm notifications for Lambda functions and API Gateway stages have “Show Logs” and “Show Error Logs” buttons that display the logs for the affected resource in the chat channel.

Currently, you can use commands and actions in Microsoft Teams and Slack.

Security and Governance

Customers can use chatbot policies and multi-account management services in AWS Organizations to determine which permissions models, chat applications, and chat workspaces can be used to access their accounts. For example, you can restrict access to production accounts from chat channels in designated workspaces/teams. Customers can also use Service Control Policies (SCPs) to specify guardrails on the CLI command tasks executed from chat channels. For example, you can specify a deny on all rds delete-db-cluster CLI actions originating from chat channels.
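
The SCP guardrail described above could be written as follows. This is an added example, not a policy from the original FAQ: it relies on the `aws:ChatbotSourceArn` global condition key from the IAM documentation, which this page does not mention, and the `Sid` is a made-up label.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRdsClusterDeleteFromChat",
      "Effect": "Deny",
      "Action": "rds:DeleteDBCluster",
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:ChatbotSourceArn": "arn:aws:chatbot::*"
        }
      }
    }
  ]
}
```

Because `aws:ChatbotSourceArn` is present only on requests made through a chat channel configuration, the same API call from the console, CLI, or SDK is not matched by this statement. An SCP never grants permissions, so the channel IAM role and guardrail policies still decide what is allowed.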

AWS Chatbot configurations use IAM roles that the service assumes when making API calls and running commands on behalf of AWS Chatbot users. You can set AWS Chatbot permissions scope with either a shared channel IAM role or an individual user IAM role. With a shared channel role, all channel members use a shared IAM role to run commands. Alternatively, you can configure AWS Chatbot to require channel members to choose an IAM role to run commands. The permissions scope is further controlled by channel guardrail IAM policies. Refer to the AWS Chatbot documentation for details on permissions. 

Refer to the AWS Chatbot documentation for details. 

AWS Chatbot provides an audit log of commands it executes in CloudWatch Logs. This log includes executed commands and their chat workspace ID, channel ID, and channel user ID attributes. The audit log events in CloudWatch Logs are always enabled and can't be disabled. Refer to the AWS Chatbot documentation for details.