Managing IAM role permissions for running commands in AWS Chatbot - AWS Chatbot

Managing IAM role permissions for running commands in AWS Chatbot

With AWS Identity and Access Management (IAM), you can use identity-based policies, which are JSON permissions policy documents, and attach them to an identity, such as a user, role, or group. These policies work with your guardrail policies to control what actions a user can perform. AWS Chatbot provides three IAM policies in the AWS Chatbot console that you can use to set up AWS CLI commands support for chat channels. Those policies include:

  • ReadOnly Command Permissions

  • Lambda-Invoke Command Permissions

  • AWS Support Command Permissions

You can use any or all of these policies, based on your organization's requirements. To use them, create a new channel IAM role in your channel configuration using the AWS Chatbot console, and attach the policies there. You can also attach the policies to the AWS Chatbot IAM roles using the IAM console. The policies simplify AWS Chatbot role configuration and enable you to set up quickly.

You can use these IAM policies as templates to define your own policies. For example, all policies described here use a wildcard ("*") to apply the policy's permissions to all resources:

"Resource": [ "*" ]

You can define custom permissions in a policy to limit actions to specific resources in your AWS account. These are called resource-based permissions. For more information on defining resources in a policy, see the section IAM JSON Policy Elements: Resource in the IAM User Guide.

For more information on these policies, see Configuring an IAM Role for AWS Chatbot.

Using the AWS Chatbot read-only command permissions policy

The AWS Chatbot ReadOnly Command Permissions policy controls access to several important AWS services, including IAM, AWS Security Token Service (AWS STS), AWS Key Management Service (AWS KMS), and Amazon S3. It disallows all IAM operations when using AWS commands in Microsoft Teams and Slack. When you use the ReadOnly Command Permissions policy, you allow or deny the following permissions to users who run commands in chat channels:

  • IAM (Deny All)

  • AWS KMS (Deny All)

  • AWS STS (Deny All)

  • Amazon Cognito (allows Read-Only, denies GetSigningCertificate commands)

  • Amazon EC2 (allows Read-Only, denies GetPasswordData commands)

  • Amazon Elastic Container Registry (Amazon ECR) (allows Read-Only, denies GetAuthorizationToken commands)

  • Amazon GameLift (allows Read-Only, denies requests for credentials and GetInstanceAccess commands)

  • Amazon Lightsail (allows List, Read, denies several key pair operations and GetInstanceAccess)

  • Amazon Redshift (denies GetClusterCredentials commands)

  • Amazon S3 (allows Read-Only commands, denies GetBucketPolicy commands)

  • AWS Storage Gateway (allows Read-Only, denies DescribeChapCredentials commands)

The ReadOnly Command Permissions policy JSON code is shown following:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "iam:*", "kms:*", "sts:*", "cognito-idp:GetSigningCertificate", "ec2:GetPasswordData", "ecr:GetAuthorizationToken", "gamelift:RequestUploadCredentials", "gamelift:GetInstanceAccess", "lightsail:DownloadDefaultKeyPair", "lightsail:GetInstanceAccessDetails", "lightsail:GetKeyPair", "lightsail:GetKeyPairs", "redshift:GetClusterCredentials", "s3:GetBucketPolicy", "storagegateway:DescribeChapCredentials" ], "Resource": [ "*" ] } ] }

Using the AWS Chatbot Lambda-Invoke policy

The AWS Chatbot Lambda-Invoke Command Permissions policy allows users to invoke AWS Lambda functions in chat channels. This policy is an AWS managed policy that is not specific to AWS Chatbot, though it appears in the AWS Chatbot console.

By default, invoked Lambda functions can perform any operation. You might need to define a more restrictive inline IAM policy that allows permissions to invoke specific Lambda functions, such as functions specifically developed for your DevOps team that only they should be able to invoke, and deny permissions to invoke Lambda functions for any other purpose.

The following example shows the Lambda-Invoke Command Permissions policy:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "lambda:invokeAsync", "lambda:invokeFunction" ], "Resource": [ "*" ] } ] }

You can also define resource-based permissions to allow invoking of Lambda functions only against specific resources, instead of the "*" wildcard that applies the policy to all resources. Always follow the IAM practice of granting only the permissions required for your users to do their jobs.