Actions, resources, and condition keys for Amazon Chime
Amazon Chime (service prefix: chime) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon Chime
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
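Some operations require several different actions, and the table's Dependent actions column records them. As an added example (not part of the AWS documentation), this Python check reports Chime actions that a policy allows without also allowing their dependent actions. The function names and sample policy are constructed, the map is a subset of the table's rows, and Deny, NotAction, Resource and Condition are not evaluated.

```python
import re

# Subset of the "Dependent actions" cells from the Actions table on this page.
# Extend with the remaining rows as needed.
DEPENDENT_ACTIONS = {
    "chime:ConnectDirectory": ["ds:ConnectDirectory"],
    "chime:CreateCDRBucket": ["s3:CreateBucket", "s3:ListAllMyBuckets"],
    "chime:CreateMediaInsightsPipeline": [
        "chime:TagResource", "kinesisvideo:DescribeStream"],
    "chime:CreateMediaInsightsPipelineConfiguration": [
        "chime:TagResource", "iam:PassRole",
        "kinesis:DescribeStream", "s3:ListBucket"],
    "chime:CreateVoiceProfileDomain": [
        "chime:TagResource", "kms:CreateGrant", "kms:DescribeKey"],
    "chime:DeleteCDRBucket": ["s3:DeleteBucket"],
}


def _as_list(value):
    """IAM accepts either a single item or a list for Statement and Action."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(action, patterns):
    """IAM action patterns: '*' is any run of characters, '?' is one
    character, and the comparison is case-insensitive."""
    for pattern in patterns:
        regex = "".join(
            ".*" if c == "*" else "." if c == "?" else re.escape(c)
            for c in pattern
        )
        if re.fullmatch(regex, action, re.IGNORECASE):
            return True
    return False


def allowed_patterns(policy):
    """Collect the Action patterns of every Allow statement.
    Simplification: Deny and NotAction statements are ignored."""
    patterns = []
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") == "Allow":
            patterns.extend(_as_list(statement.get("Action")))
    return patterns


def missing_dependencies(policy):
    """Return {chime action: [dependent actions not allowed]} for each
    allowed Chime action that has an entry in DEPENDENT_ACTIONS."""
    patterns = allowed_patterns(policy)
    report = {}
    for action, dependencies in DEPENDENT_ACTIONS.items():
        if not _matches(action, patterns):
            continue
        missing = [d for d in dependencies if not _matches(d, patterns)]
        if missing:
            report[action] = missing
    return report


# Constructed sample policy, not taken from any real account.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # The wildcard covers both media insights "Create" actions.
            "Effect": "Allow",
            "Action": ["chime:CreateMediaInsights*", "chime:TagResource",
                       "s3:ListBucket"],
            "Resource": "*",
        },
        {   # s3:ListAllMyBuckets is not granted anywhere.
            "Effect": "Allow",
            "Action": ["chime:CreateCDRBucket", "s3:CreateBucket"],
            "Resource": "*",
        },
        {   # Mixed case still matches; ds:* covers the dependency.
            "Effect": "Allow",
            "Action": ["Chime:connectdirectory", "ds:*"],
            "Resource": "*",
        },
    ],
}

if __name__ == "__main__":
    for action, missing in sorted(missing_dependencies(SAMPLE_POLICY).items()):
        print(f"{action}: missing {', '.join(missing)}")
```

The same report doubles as a review aid: each dependent action it names (for example iam:PassRole or kms:CreateGrant) is a cross-service permission that the Chime grant relies on and that should be scoped in its own statement.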
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AcceptDelegate | Grants permission to accept the delegate invitation to share management of an Amazon Chime account with another AWS Account | Write | |||
ActivateUsers | Grants permission to activate users in an Amazon Chime Enterprise account | Write | |||
AddDomain | Grants permission to add a domain to your Amazon Chime account | Write | |||
AddOrUpdateGroups | Grants permission to add new or update existing Active Directory or Okta user groups associated with your Amazon Chime Enterprise account | Write | |||
AssociateChannelFlow | Grants permission to associate a flow with a channel | Write | |||
AssociatePhoneNumberWithUser | Grants permission to associate a phone number with an Amazon Chime user | Write | |||
AssociatePhoneNumbersWithVoiceConnector | Grants permission to associate multiple phone numbers with an Amazon Chime Voice Connector | Write | |||
AssociatePhoneNumbersWithVoiceConnectorGroup | Grants permission to associate multiple phone numbers with an Amazon Chime Voice Connector Group | Write | |||
AssociateSigninDelegateGroupsWithAccount | Grants permission to associate the specified sign-in delegate groups with the specified Amazon Chime account | Write | |||
AuthorizeDirectory | Grants permission to authorize an Active Directory for your Amazon Chime Enterprise account | Write | |||
BatchCreateAttendee | Grants permission to create new attendees for an active Amazon Chime SDK meeting | Write | |||
BatchCreateChannelMembership | Grants permission to add multiple users and bots to a channel | Write | |||
BatchCreateRoomMembership | Grants permission to batch add room members | Write | |||
BatchDeletePhoneNumber | Grants permission to move up to 50 phone numbers to the deletion queue | Write | |||
BatchSuspendUser | Grants permission to suspend up to 50 users from a Team or EnterpriseLWA Amazon Chime account | Write | |||
BatchUnsuspendUser | Grants permission to remove the suspension from up to 50 previously suspended users for the specified Amazon Chime EnterpriseLWA account | Write | |||
BatchUpdateAttendeeCapabilitiesExcept | Grants permission to update AttendeeCapabilities except the capabilities listed in an ExcludedAttendeeIds table | Write | |||
BatchUpdatePhoneNumber | Grants permission to update phone number details within the UpdatePhoneNumberRequestItem object for up to 50 phone numbers | Write | |||
BatchUpdateUser | Grants permission to update user details within the UpdateUserRequestItem object for up to 20 users for the specified Amazon Chime account | Write | |||
ChannelFlowCallback | Grants permission to callback for a message on a channel | Write | |||
Connect | Grants permission to establish a web socket connection for app instance user to the messaging session endpoint | Write | |||
ConnectDirectory | Grants permission to connect an Active Directory to your Amazon Chime Enterprise account | Write | | | ds:ConnectDirectory |
CreateAccount | Grants permission to create an Amazon Chime account under the administrator's AWS account | Write | |||
CreateApiKey | Grants permission to create a new SCIM access key for your Amazon Chime account and Okta configuration | Write | |||
CreateAppInstance | Grants permission to create an app instance in the AWS account (tag-based access controls are only supported on identity-chime.<region>.amazonaws.com endpoints) | Write | |||
CreateAppInstanceAdmin | Grants permission to promote a user or bot to an AppInstanceAdmin | Write | |||
CreateAppInstanceBot | Grants permission to create a bot within an AppInstance (tag-based access controls are only supported on identity-chime.<region>.amazonaws.com endpoints) | Write | |||
CreateAppInstanceUser | Grants permission to create a user within an AppInstance (tag-based access controls are only supported on identity-chime.<region>.amazonaws.com endpoints) | Write | |||
CreateAttendee | Grants permission to create a new attendee for an active Amazon Chime SDK meeting | Write | |||
CreateBot | Grants permission to create a bot for an Amazon Chime Enterprise account | Write | |||
CreateCDRBucket | Grants permission to create a new Call Detail Record S3 bucket | Write | | | s3:CreateBucket s3:ListAllMyBuckets |
CreateChannel | Grants permission to create a channel for an app instance in the AWS account (tag-based access controls are only supported on messaging-chime.<region>.amazonaws.com endpoints) | Write | |||
CreateChannelBan | Grants permission to ban a user or bot from a channel | Write | |||
CreateChannelFlow | Grants permission to create a channel flow for an app instance in the AWS account (tag-based access controls are only supported on messaging-chime.<region>.amazonaws.com endpoints) | Write | |||
CreateChannelMembership | Grants permission to add a user or bot to a channel | Write | |||
CreateChannelModerator | Grants permission to create a channel moderator | Write | |||
CreateMediaCapturePipeline | Grants permission to create a media capture pipeline (tag-based access controls are only supported on media-pipelines-chime.<region>.amazonaws.com endpoints) | Write | | | s3:GetBucketPolicy |
CreateMediaConcatenationPipeline | Grants permission to create a media concatenation pipeline (tag-based access controls are only supported on media-pipelines-chime.<region>.amazonaws.com endpoints) | Write | | | s3:GetBucketPolicy |
CreateMediaInsightsPipeline | Grants permission to create a media insights pipeline (tag-based access controls are only supported on media-pipelines-chime.<region>.amazonaws.com endpoints) | Write | | | chime:TagResource kinesisvideo:DescribeStream |
CreateMediaInsightsPipelineConfiguration | Grants permission to create a media insights pipeline configuration (tag-based access controls are only supported on media-pipelines-chime.<region>.amazonaws.com endpoints) | Write | | | chime:TagResource iam:PassRole kinesis:DescribeStream s3:ListBucket |
CreateMediaLiveConnectorPipeline | Grants permission to create a media live connector pipeline (tag-based access controls are only supported on media-pipelines-chime.<region>.amazonaws.com endpoints) | Write | |||
CreateMediaPipelineKinesisVideoStreamPool | Grants permission to create kinesis video stream pool (tag-based access controls are only supported on media-pipelines-chime.<region>.amazonaws.com endpoints) | Write | | | kinesis:DescribeStream kinesisvideo:CreateStream kinesisvideo:GetDataEndpoint kinesisvideo:ListStreams |
CreateMediaStreamPipeline | Grants permission to create a media stream pipeline (tag-based access controls are only supported on media-pipelines-chime.<region>.amazonaws.com endpoints) | Write | | | kinesisvideo:DescribeStream kinesisvideo:GetDataEndpoint kinesisvideo:PutMedia |
CreateMeeting | Grants permission to create a new meeting in the specified media Region, with no initial attendees (tag-based access controls are only supported on meetings-chime.<region>.amazonaws.com endpoints) | Write | |||
CreateMeetingDialOut | Grants permission to call a phone number to join the specified Amazon Chime SDK meeting | Write | |||
CreateMeetingWithAttendees | Grants permission to create a new meeting in the specified media Region, with a set of attendees (tag-based access controls are only supported on meetings-chime.<region>.amazonaws.com endpoints) | Write | |||
CreatePhoneNumberOrder | Grants permission to create a phone number order with the Carriers | Write | |||
CreateProxySession | Grants permission to create a proxy session for the specified Amazon Chime Voice Connector | Write | |||
CreateRoom | Grants permission to create a room | Write | |||
CreateRoomMembership | Grants permission to add a room member | Write | |||
CreateSipMediaApplication | Grants permission to create an Amazon Chime SIP media application in the AWS account (tag-based access controls are only supported on voice-chime.<region>.amazonaws.com endpoints) | Write | |||
CreateSipMediaApplicationCall | Grants permission to create outbound call for Amazon Chime SIP media application under the administrator's AWS account | Write | |||
CreateSipRule | Grants permission to create an Amazon Chime SIP rule under the administrator's AWS account | Write | |||
CreateUser | Grants permission to create a user under the specified Amazon Chime account | Write | |||
CreateVoiceConnector | Grants permission to create a Voice Connector in the AWS account (tag-based access controls are only supported on voice-chime.<region>.amazonaws.com endpoints) | Write | |||
CreateVoiceConnectorGroup | Grants permission to create an Amazon Chime Voice Connector Group under the administrator's AWS account | Write | |||
CreateVoiceProfile | Grants permission to create a voice profile | Write | |||
CreateVoiceProfileDomain | Grants permission to create a voice profile domain (tag-based access controls are only supported on voice-chime.<region>.amazonaws.com endpoints) | Write | | | chime:TagResource kms:CreateGrant kms:DescribeKey |
DeleteAccount | Grants permission to delete the specified Amazon Chime account | Write | |||
DeleteAccountOpenIdConfig | Grants permission to delete the OpenIdConfig attributes from your Amazon Chime account | Write | |||
DeleteApiKey | Grants permission to delete the specified SCIM access key associated with your Amazon Chime account and Okta configuration | Write | |||
DeleteAppInstance | Grants permission to delete an AppInstance | Write | |||
DeleteAppInstanceAdmin | Grants permission to demote an AppInstanceAdmin to a user or bot | Write | |||
DeleteAppInstanceBot | Grants permission to delete an AppInstanceBot | Write | |||
DeleteAppInstanceStreamingConfigurations | Grants permission to disable data streaming for the app instance | Write | |||
DeleteAppInstanceUser | Grants permission to delete an AppInstanceUser | Write | |||
DeleteAttendee | Grants permission to delete the specified attendee from an Amazon Chime SDK meeting | Write | |||
DeleteCDRBucket | Grants permission to delete a Call Detail Record S3 bucket from your Amazon Chime account | Write | | | s3:DeleteBucket |
DeleteChannel | Grants permission to delete a channel | Write | |||
DeleteChannelBan | Grants permission to remove a user or bot from a channel's ban list | Write | |||
DeleteChannelFlow | Grants permission to delete a channel flow | Write | |||
DeleteChannelMembership | Grants permission to remove a member from a channel | Write | |||
DeleteChannelMessage | Grants permission to delete a channel message | Write | |||
DeleteChannelModerator | Grants permission to delete a channel moderator | Write | |||
DeleteDelegate | Grants permission to delete delegated AWS account management from your Amazon Chime account | Write | |||
DeleteDomain | Grants permission to delete a domain from your Amazon Chime account | Write | |||
DeleteEventsConfiguration | Grants permission to delete an events configuration for a bot to receive outgoing events | Write | |||
DeleteGroups | Grants permission to delete Active Directory or Okta user groups from your Amazon Chime Enterprise account | Write | |||
DeleteMediaCapturePipeline | Grants permission to delete a media capture pipeline | Write | |||
DeleteMediaInsightsPipelineConfiguration | Grants permission to delete a media insights pipeline configuration | Write | | | chime:ListVoiceConnectors |
DeleteMediaPipeline | Grants permission to delete a media pipeline | Write | |||
DeleteMediaPipelineKinesisVideoStreamPool | Grants permission to delete kinesis video stream pool | Write | |||
DeleteMeeting | Grants permission to delete the specified Amazon Chime SDK meeting | Write | |||
DeleteMessagingStreamingConfigurations | Grants permission to delete the data streaming configurations of an AppInstance | Write | |||
DeletePhoneNumber | Grants permission to move a phone number to the deletion queue | Write | |||
DeleteProxySession | Grants permission to delete a proxy session for the specified Amazon Chime Voice Connector | Write | |||
DeleteRoom | Grants permission to delete a room | Write | |||
DeleteRoomMembership | Grants permission to remove a room member | Write | |||
DeleteSipMediaApplication | Grants permission to delete Amazon Chime SIP media application under the administrator's AWS account | Write | |||
DeleteSipRule | Grants permission to delete Amazon Chime SIP rule under the administrator's AWS account | Write | |||
DeleteVoiceConnector | Grants permission to delete the specified Amazon Chime Voice Connector | Write | | | logs:CreateLogDelivery logs:DeleteLogDelivery logs:GetLogDelivery logs:ListLogDeliveries |
DeleteVoiceConnectorEmergencyCallingConfiguration | Grants permission to delete emergency calling configuration for the specified Amazon Chime Voice Connector | Write | |||
DeleteVoiceConnectorGroup | Grants permission to delete the specified Amazon Chime Voice Connector Group | Write | |||
DeleteVoiceConnectorOrigination | Grants permission to delete the origination settings for the specified Amazon Chime Voice Connector | Write | |||
DeleteVoiceConnectorProxy | Grants permission to delete proxy configuration for the specified Amazon Chime Voice Connector | Write | |||
DeleteVoiceConnectorStreamingConfiguration | Grants permission to delete streaming configuration for the specified Amazon Chime Voice Connector | Write | |||
DeleteVoiceConnectorTermination | Grants permission to delete the termination settings for the specified Amazon Chime Voice Connector | Write | |||
DeleteVoiceConnectorTerminationCredentials | Grants permission to delete SIP termination credentials for the specified Amazon Chime Voice Connector | Write | |||
DeleteVoiceProfile | Grants permission to delete a voice profile | Write | |||
DeleteVoiceProfileDomain | Grants permission to delete a voice profile domain | Write | |||
DeregisterAppInstanceUserEndpoint | Grants permission to deregister an endpoint for an app instance user | Write | |||
DescribeAppInstance | Grants permission to get the full details of an AppInstance | Read | |||
DescribeAppInstanceAdmin | Grants permission to get the full details of an AppInstanceAdmin | Read | |||
DescribeAppInstanceBot | Grants permission to get the full details of an AppInstanceBot | Read | |||
DescribeAppInstanceUser | Grants permission to get the full details of an AppInstanceUser | Read | |||
DescribeAppInstanceUserEndpoint | Grants permission to describe an endpoint registered for an app instance user | Read | |||
DescribeChannel | Grants permission to get the full details of a channel | Read | |||
DescribeChannelBan | Grants permission to get the full details of a channel ban | Read | |||
DescribeChannelFlow | Grants permission to get the full details of a channel flow | Read | |||
DescribeChannelMembership | Grants permission to get the full details of a channel membership | Read | |||
DescribeChannelMembershipForAppInstanceUser | Grants permission to get the details of a channel based on the membership of the specified user or bot | Read | |||
DescribeChannelModeratedByAppInstanceUser | Grants permission to get the full details of a channel moderated by the specified user or bot | Read | |||
DescribeChannelModerator | Grants permission to get the full details of a single ChannelModerator | Read | |||
DisassociateChannelFlow | Grants permission to disassociate a flow from a channel | Write | |||
DisassociatePhoneNumberFromUser | Grants permission to disassociate the primary provisioned number from the specified Amazon Chime user | Write | |||
DisassociatePhoneNumbersFromVoiceConnector | Grants permission to disassociate multiple phone numbers from the specified Amazon Chime Voice Connector | Write | |||
DisassociatePhoneNumbersFromVoiceConnectorGroup | Grants permission to disassociate multiple phone numbers from the specified Amazon Chime Voice Connector Group | Write | |||
DisassociateSigninDelegateGroupsFromAccount | Grants permission to disassociate the specified sign-in delegate groups from the specified Amazon Chime account | Write | |||
DisconnectDirectory | Grants permission to disconnect the Active Directory from your Amazon Chime Enterprise account | Write | |||
GetAccount | Grants permission to get details for the specified Amazon Chime account | Read | |||
GetAccountResource | Grants permission to get details for the account resource associated with your Amazon Chime account | Read | |||
GetAccountSettings | Grants permission to get account settings for the specified Amazon Chime account ID | Read | |||
GetAccountWithOpenIdConfig | Grants permission to get the account details and OpenIdConfig attributes for your Amazon Chime account | Read | |||
GetAppInstanceRetentionSettings | Grants permission to get retention settings for an app instance | Read | |||
GetAppInstanceStreamingConfigurations | Grants permission to get the streaming configurations for an app instance | Read | |||
GetAttendee | Grants permission to get attendee details for a specified meeting ID and attendee ID | Read | |||
GetBot | Grants permission to retrieve details for the specified bot | Read | |||
GetCDRBucket | Grants permission to get details of a Call Detail Record S3 bucket associated with your Amazon Chime account | Read | | | s3:GetBucketAcl s3:GetBucketLocation s3:GetBucketLogging s3:GetBucketVersioning s3:GetBucketWebsite |
GetChannelMembershipPreferences | Grants permission to get the preferences for a channel membership | Read | |||
GetChannelMessage | Grants permission to get the full details of a channel message | Read | |||
GetChannelMessageStatus | Grants permission to get the status of a channel message | Read | |||
GetDomain | Grants permission to get domain details for a domain associated with your Amazon Chime account | Read | |||
GetEventsConfiguration | Grants permission to retrieve details for an events configuration for a bot to receive outgoing events | Read | |||
GetGlobalSettings | Grants permission to get global settings related to Amazon Chime for the AWS account | Read | |||
GetMediaCapturePipeline | Grants permission to get an existing media capture pipeline | Read | |||
GetMediaInsightsPipelineConfiguration | Grants permission to get a media insights pipeline configuration | Read | |||
GetMediaPipeline | Grants permission to get an existing media pipeline | Read | |||
GetMediaPipelineKinesisVideoStreamPool | Grants permission to get an existing media pipeline | Read | |||
GetMeeting | Grants permission to get the meeting record for a specified meeting ID | Read | |||
GetMeetingDetail | Grants permission to get attendee, connection, and other details for a meeting | Read | |||
GetMessagingSessionEndpoint | Grants permission to get the endpoint for the messaging session | Read | |||
GetMessagingStreamingConfigurations | Grants permission to get the data streaming configurations of an AppInstance | Read | |||
GetPhoneNumber | Grants permission to get details for the specified phone number | Read | |||
GetPhoneNumberOrder | Grants permission to get details for the specified phone number order | Read | |||
GetPhoneNumberSettings | Grants permission to get phone number settings related to Amazon Chime for the AWS account | Read | |||
GetProxySession | Grants permission to get details of the specified proxy session for the specified Amazon Chime Voice Connector | Read | |||
GetRetentionSettings | Grants permission to retrieve the retention settings for the specified Amazon Chime account | Read | |||
GetRoom | Grants permission to retrieve a room | Read | |||
GetSipMediaApplication | Grants permission to get details of Amazon Chime SIP media application under the administrator's AWS account | Read | |||
GetSipMediaApplicationAlexaSkillConfiguration | Grants permission to get Alexa Skill configuration settings for Amazon Chime SIP media application under the administrator's AWS account | Read | |||
GetSipMediaApplicationLoggingConfiguration | Grants permission to get logging configuration settings for Amazon Chime SIP media application under the administrator's AWS account | Read | |||
GetSipRule | Grants permission to get details of Amazon Chime SIP rule under the administrator's AWS account | Read | |||
GetSpeakerSearchTask | Grants permission to get a speaker search task on the specified Amazon Chime resource | Read | |||
GetTelephonyLimits | Grants permission to get telephony limits for the AWS account | Read | |||
GetUser | Grants permission to get details for the specified user ID | Read | |||
GetUserActivityReportData | Grants permission to get a summary of user activity on the user details page | Read | |||
GetUserByEmail | Grants permission to get user details for an Amazon Chime user based on the email address in an Amazon Chime Enterprise or Team account | Read | |||
GetUserSettings | Grants permission to get user settings related to the specified Amazon Chime user | Read | |||
GetVoiceConnector | Grants permission to get details for the specified Amazon Chime Voice Connector | Read | |||
GetVoiceConnectorEmergencyCallingConfiguration | Grants permission to get details of the emergency calling configuration for the specified Amazon Chime Voice Connector | Read | |||
GetVoiceConnectorGroup | Grants permission to get details for the specified Amazon Chime Voice Connector Group | Read | |||
GetVoiceConnectorLoggingConfiguration | Grants permission to get details of the logging configuration for the specified Amazon Chime Voice Connector | Read | |||
GetVoiceConnectorOrigination | Grants permission to get details of the origination settings for the specified Amazon Chime Voice Connector | Read | |||
GetVoiceConnectorProxy | Grants permission to get details of the proxy configuration for the specified Amazon Chime Voice Connector | Read | |||
GetVoiceConnectorStreamingConfiguration | Grants permission to get details of the streaming configuration for the specified Amazon Chime Voice Connector | Read | |||
GetVoiceConnectorTermination | Grants permission to get details of the termination settings for the specified Amazon Chime Voice Connector | Read | |||
GetVoiceConnectorTerminationHealth | Grants permission to get details of the termination health for the specified Amazon Chime Voice Connector | Read | |||
GetVoiceProfile | Grants permission to get a voice profile | Read | |||
GetVoiceProfileDomain | Grants permission to get a voice profile domain | Read | |||
GetVoiceToneAnalysisTask | Grants permission to get a voice tone analysis task on the specified Amazon Chime resource | Read | |||
InviteDelegate | Grants permission to send an invitation to accept a request for AWS account delegation for an Amazon Chime account | Write | |||
InviteUsers | Grants permission to invite as many as 50 users to the specified Amazon Chime account | Write | |||
InviteUsersFromProvider | Grants permission to invite users from a third party provider to your Amazon Chime account | Write | |||
ListAccountUsageReportData | Grants permission to list Amazon Chime account usage reporting data | List | |||
ListAccounts | Grants permission to list the Amazon Chime accounts under the administrator's AWS account | List | |||
ListApiKeys | Grants permission to list the SCIM access keys defined for your Amazon Chime account and Okta configuration | List | |||
ListAppInstanceAdmins | Grants permission to list administrators in the app instance | List | |||
ListAppInstanceBots | Grants permission to list all AppInstanceBots created under a single app instance | List | |||
ListAppInstanceUserEndpoints | Grants permission to list the endpoints registered for an app instance user | List | |||
ListAppInstanceUsers | Grants permission to list all AppInstanceUsers created under a single app instance | List | |||
ListAppInstances | Grants permission to list all Amazon Chime app instances created under a single AWS account | List | |||
ListAttendeeTags | Grants permission to list the tags applied to an Amazon Chime SDK attendee resource | List | |||
ListAttendees | Grants permission to list up to 100 attendees for a specified Amazon Chime SDK meeting | List | |||
ListAvailableVoiceConnectorRegions | Grants permission to list the available AWS Regions in which you can create an Amazon Chime SDK Voice Connector | List | |||
ListBots | Grants permission to list the bots associated with the administrator's Amazon Chime Enterprise account | List | |||
ListCDRBucket | Grants permission to list Call Detail Record S3 buckets | List | | | s3:ListAllMyBuckets s3:ListBucket |
ListCallingRegions | Grants permission to list the calling regions available for the administrator's AWS account | List | |||
ListChannelBans | Grants permission to list all the users and bots banned from a particular channel | List | |||
ListChannelFlows | Grants permission to list all the Channel Flows created under a single Chime AppInstance | List | |||
ListChannelMemberships | Grants permission to list all channel memberships in a channel | List | |||
ListChannelMembershipsForAppInstanceUser | Grants permission to list all channels that a particular user or bot is a part of | List | |||
ListChannelMessages | Grants permission to list all the messages in a channel | Read | |||
ListChannelModerators | Grants permission to list all the moderators for a channel | List | |||
ListChannels | Grants permission to list all the Channels created under a single Chime AppInstance | List | |||
ListChannelsAssociatedWithChannelFlow | Grants permission to list all the Channels associated with a single Chime Channel Flow | List | |||
ListChannelsModeratedByAppInstanceUser | Grants permission to list all channels moderated by a user or bot | List | |||
ListDelegates | Grants permission to list account delegate information associated with your Amazon Chime account | List | |||
ListDirectories | Grants permission to list active Active Directories hosted in the Directory Service of your AWS account | List | |||
ListDomains | Grants permission to list domains associated with your Amazon Chime account | List | |||
ListGroups | Grants permission to list Active Directory or Okta user groups associated with your Amazon Chime Enterprise account | List | |||
ListMediaCapturePipelines | Grants permission to list media capture pipelines | List | |||
ListMediaInsightsPipelineConfigurations | Grants permission to list all media insights pipeline configurations | List | |||
ListMediaPipelineKinesisVideoStreamPools | Grants permission to list media pipelines | List | |||
ListMediaPipelines | Grants permission to list media pipelines | List | |||
ListMeetingEvents | Grants permission to list all events that occurred for a specified meeting | List | |||
ListMeetingTags | Grants permission to list the tags applied to an Amazon Chime SDK meeting resource | List | |||
ListMeetings | Grants permission to list up to 100 active Amazon Chime SDK meetings | List | |||
ListMeetingsReportData | Grants permission to list meetings ended during the specified date range | List | |||
ListPhoneNumberOrders | Grants permission to list the phone number orders under the administrator's AWS account | List | |||
ListPhoneNumbers | Grants permission to list the phone numbers under the administrator's AWS account | List | |||
ListProxySessions | Grants permission to list proxy sessions for the specified Amazon Chime Voice Connector | List | |||
ListRoomMemberships | Grants permission to list all room members | List | |||
ListRooms | Grants permission to list rooms | List | |||
ListSipMediaApplications | Grants permission to list all Amazon Chime SIP media applications under the administrator's AWS account | List | |||
ListSipRules | Grants permission to list all Amazon Chime SIP rules under the administrator's AWS account | List | |||
ListSubChannels | Grants permission to list all the SubChannels under a single Channel | List | |||
ListSupportedPhoneNumberCountries | Grants permission to list the phone number countries supported by the AWS account | List | |||
ListTagsForResource | Grants permission to list the tags applied to an Amazon Chime resource | Read | |||
ListUsers | Grants permission to list the users that belong to the specified Amazon Chime account | List | |||
ListVoiceConnectorGroups | Grants permission to list the Amazon Chime Voice Connector Groups under the administrator's AWS account | List | |||
ListVoiceConnectorTerminationCredentials | Grants permission to list the SIP termination credentials for the specified Amazon Chime Voice Connector | List | |||
ListVoiceConnectors | Grants permission to list the Amazon Chime Voice Connectors under the administrator's AWS account | List | |||
ListVoiceProfileDomains | Grants permission to list voice profile domains | List | |||
ListVoiceProfiles | Grants permission to list voice profiles | List | |||
LogoutUser | Grants permission to log out the specified user from all of the devices they are currently logged into | Write | |||
PutAppInstanceRetentionSettings | Grants permission to enable data retention for the app instance | Write | |||
PutAppInstanceStreamingConfigurations | Grants permission to configure data streaming for the app instance | Write | |||
PutAppInstanceUserExpirationSettings | Grants permission to put expiration settings for an AppInstanceUser | Write | |||
PutChannelExpirationSettings | Grants permission to put expiration settings for a channel | Write | |||
PutChannelMembershipPreferences | Grants permission to put the preferences for a channel membership | Write | |||
PutEventsConfiguration | Grants permission to update details for an events configuration for a bot to receive outgoing events | Write | |||
PutMessagingStreamingConfigurations | Grants permission to put the data streaming configurations of an AppInstance | Write | |||
PutRetentionSettings | Grants permission to create or update retention settings for the specified Amazon Chime account | Write | |||
PutSipMediaApplicationAlexaSkillConfiguration | Grants permission to update Alexa Skill configuration settings for an Amazon Chime SIP media application under the administrator's AWS account | Write | |||
PutSipMediaApplicationLoggingConfiguration | Grants permission to update logging configuration settings for an Amazon Chime SIP media application under the administrator's AWS account | Write | |||
PutVoiceConnectorEmergencyCallingConfiguration | Grants permission to add emergency calling configuration for the specified Amazon Chime Voice Connector | Write | |||
PutVoiceConnectorLoggingConfiguration | Grants permission to add logging configuration for the specified Amazon Chime Voice Connector | Write | | | logs:CreateLogDelivery, logs:CreateLogGroup, logs:DeleteLogDelivery, logs:DescribeLogGroups, logs:GetLogDelivery, logs:ListLogDeliveries |
PutVoiceConnectorOrigination | Grants permission to update the origination settings for the specified Amazon Chime Voice Connector | Write | |||
PutVoiceConnectorProxy | Grants permission to add proxy configuration for the specified Amazon Chime Voice Connector | Write | |||
PutVoiceConnectorStreamingConfiguration | Grants permission to add streaming configuration for the specified Amazon Chime Voice Connector | Write | | | chime:GetMediaInsightsPipelineConfiguration |
PutVoiceConnectorTermination | Grants permission to update the termination settings for the specified Amazon Chime Voice Connector | Write | |||
PutVoiceConnectorTerminationCredentials | Grants permission to add SIP termination credentials for the specified Amazon Chime Voice Connector | Write | |||
RedactChannelMessage | Grants permission to redact message content | Write | |||
RedactConversationMessage | Grants permission to redact the specified Chime conversation Message | Write | |||
RedactRoomMessage | Grants permission to redact the specified Chime room Message | Write | |||
RegenerateSecurityToken | Grants permission to regenerate the security token for the specified bot | Write | |||
RegisterAppInstanceUserEndpoint | Grants permission to register an endpoint for an app instance user | Write | | | mobiletargeting:GetApp |
RenameAccount | Grants permission to modify the account name for your Amazon Chime Enterprise or Team account | Write | |||
RenewDelegate | Grants permission to renew the delegation request associated with an Amazon Chime account | Write | |||
ResetAccountResource | Grants permission to reset the account resource in your Amazon Chime account | Write | |||
ResetPersonalPIN | Grants permission to reset the personal meeting PIN for the specified user on an Amazon Chime account | Write | |||
RestorePhoneNumber | Grants permission to restore the specified phone number from the deletion queue back to the phone number inventory | Write | |||
RetrieveDataExports | Grants permission to download the file containing links to all user attachments returned as part of the "Request attachments" action | Read | |||
SearchAvailablePhoneNumbers | Grants permission to search phone numbers that can be ordered from the carrier | Read | |||
SearchChannels | Grants permission to search channels that an AppInstanceUser belongs to, or search channels across the AppInstance for an AppInstanceAdmin | List | |||
SendChannelMessage | Grants permission to send a message to a particular channel that the member is a part of | Write | |||
StartDataExport | Grants permission to submit the "Request attachments" request | Write | |||
StartMeetingTranscription | Grants permission to start transcription for a meeting | Write | |||
StartSpeakerSearchTask | Grants permission to start a speaker search task on the specified Amazon Chime resource | Write | |||
StartVoiceToneAnalysisTask | Grants permission to start a voice tone analysis task on the specified Amazon Chime resource | Write | |||
StopMeetingTranscription | Grants permission to stop transcription for a meeting | Write | |||
StopSpeakerSearchTask | Grants permission to stop a speaker search task on the specified Amazon Chime resource | Write | |||
StopVoiceToneAnalysisTask | Grants permission to stop a voice tone analysis task on the specified Amazon Chime resource | Write | |||
SubmitSupportRequest | Grants permission to submit a customer service support request | Write | |||
SuspendUsers | Grants permission to suspend users from an Amazon Chime Enterprise account | Write | |||
TagAttendee | Grants permission to apply the specified tags to the specified Amazon Chime SDK attendee | Tagging | |||
TagMeeting | Grants permission to apply the specified tags to the specified Amazon Chime SDK meeting | Tagging | |||
TagResource | Grants permission to apply the specified tags to the specified resource (tag-based access controls are only supported on *-chime.<region>.amazonaws.com endpoints) | Tagging | |||
UnauthorizeDirectory | Grants permission to unauthorize an Active Directory from your Amazon Chime Enterprise account | Write | |||
UntagAttendee | Grants permission to untag the specified tags from the specified Amazon Chime SDK attendee | Tagging | |||
UntagMeeting | Grants permission to untag the specified tags from the specified Amazon Chime SDK meeting | Tagging | |||
UntagResource | Grants permission to untag the specified tags from the specified resource (tag-based access controls are only supported on *-chime.<region>.amazonaws.com endpoints) | Tagging | |||
UpdateAccount | Grants permission to update account details for the specified Amazon Chime account | Write | |||
UpdateAccountOpenIdConfig | Grants permission to update the OpenIdConfig attributes for your Amazon Chime account | Write | |||
UpdateAccountResource | Grants permission to update the account resource in your Amazon Chime account | Write | |||
UpdateAccountSettings | Grants permission to update the settings for the specified Amazon Chime account | Write | |||
UpdateAppInstance | Grants permission to update AppInstance metadata | Write | |||
UpdateAppInstanceBot | Grants permission to update the details for an AppInstanceBot | Write | |||
UpdateAppInstanceUser | Grants permission to update the details for an AppInstanceUser | Write | |||
UpdateAppInstanceUserEndpoint | Grants permission to update an endpoint registered for an app instance user | Write | |||
UpdateAttendeeCapabilities | Grants permission to update the attendee capabilities that you specify | Write | |||
UpdateBot | Grants permission to update the status of the specified bot | Write | |||
UpdateCDRSettings | Grants permission to update your Call Detail Record S3 bucket | Write | | | s3:CreateBucket, s3:DeleteBucket, s3:ListAllMyBuckets |
UpdateChannel | Grants permission to update a channel's attributes | Write | |||
UpdateChannelFlow | Grants permission to update a channel flow | Write | |||
UpdateChannelMessage | Grants permission to update the content of a message | Write | |||
UpdateChannelReadMarker | Grants permission to set the timestamp to the point when a user last read messages in a channel | Write | |||
UpdateGlobalSettings | Grants permission to update the global settings related to Amazon Chime for the AWS account | Write | |||
UpdateMediaInsightsPipelineConfiguration | Grants permission to update the status of a media insights pipeline configuration | Write | | | chime:ListVoiceConnectors, iam:PassRole, kinesis:DescribeStream, s3:ListBucket |
UpdateMediaInsightsPipelineStatus | Grants permission to update the status of a media insights pipeline | Write | |||
UpdateMediaPipelineKinesisVideoStreamPool | Grants permission to update a Kinesis video stream pool | Write | |||
UpdatePhoneNumber | Grants permission to update phone number details for the specified phone number | Write | |||
UpdatePhoneNumberSettings | Grants permission to update phone number settings related to Amazon Chime for the AWS account | Write | |||
UpdateProxySession | Grants permission to update a proxy session for the specified Amazon Chime Voice Connector | Write | |||
UpdateRoom | Grants permission to update a room | Write | |||
UpdateRoomMembership | Grants permission to update room membership role | Write | |||
UpdateSipMediaApplication | Grants permission to update properties of an Amazon Chime SIP media application under the administrator's AWS account | Write | |||
UpdateSipMediaApplicationCall | Grants permission to update an Amazon Chime SIP media application call under the administrator's AWS account | Write | |||
UpdateSipRule | Grants permission to update properties of an Amazon Chime SIP rule under the administrator's AWS account | Write | |||
UpdateSupportedLicenses | Grants permission to update the supported license tiers available for users in your Amazon Chime account | Write | |||
UpdateUser | Grants permission to update user details for a specified user ID | Write | |||
UpdateUserLicenses | Grants permission to update the licenses for your Amazon Chime users | Write | |||
UpdateUserSettings | Grants permission to update user settings related to the specified Amazon Chime user | Write | |||
UpdateVoiceConnector | Grants permission to update Amazon Chime Voice Connector details for the specified Amazon Chime Voice Connector | Write | |||
UpdateVoiceConnectorGroup | Grants permission to update Amazon Chime Voice Connector Group details for the specified Amazon Chime Voice Connector Group | Write | |||
UpdateVoiceProfile | Grants permission to update a voice profile | Write | |||
UpdateVoiceProfileDomain | Grants permission to update a voice profile domain | Write | |||
ValidateAccountResource | Grants permission to validate the account resource in your Amazon Chime account | Read | |||
ValidateE911Address | Grants permission to validate an address to be used for 911 calls made with Amazon Chime Voice Connectors | Read |
Resource types defined by Amazon Chime
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
meeting | arn:${Partition}:chime::${AccountId}:meeting/${MeetingId} | |
app-instance | arn:${Partition}:chime:${Region}:${AccountId}:app-instance/${AppInstanceId} | |
app-instance-user | arn:${Partition}:chime:${Region}:${AccountId}:app-instance/${AppInstanceId}/user/${AppInstanceUserId} | |
app-instance-bot | arn:${Partition}:chime:${Region}:${AccountId}:app-instance/${AppInstanceId}/bot/${AppInstanceBotId} | |
channel | arn:${Partition}:chime:${Region}:${AccountId}:app-instance/${AppInstanceId}/channel/${ChannelId} | |
channel-flow | arn:${Partition}:chime:${Region}:${AccountId}:app-instance/${AppInstanceId}/channel-flow/${ChannelFlowId} | |
media-pipeline | arn:${Partition}:chime:${Region}:${AccountId}:media-pipeline/${MediaPipelineId} | |
media-insights-pipeline-configuration | arn:${Partition}:chime:${Region}:${AccountId}:media-insights-pipeline-configuration/${ConfigurationName} | |
media-pipeline-kinesis-video-stream-pool | arn:${Partition}:chime:${Region}:${AccountId}:media-pipeline-kinesis-video-stream-pool/${PoolName} | |
voice-profile-domain | arn:${Partition}:chime:${Region}:${AccountId}:voice-profile-domain/${VoiceProfileDomainId} | |
voice-profile | arn:${Partition}:chime:${Region}:${AccountId}:voice-profile/${VoiceProfileId} | |
voice-connector | arn:${Partition}:chime:${Region}:${AccountId}:vc/${VoiceConnectorId} | |
sip-media-application | arn:${Partition}:chime:${Region}:${AccountId}:sma/${SipMediaApplicationId} | |
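The ARN formats above can be used to review the Resource element of a policy: the following added example (not AWS code) reports which Chime resource types an IAM Resource string, including its `*` and `?` wildcards, can match. The function names are hypothetical, and it assumes that the `${...}` values never contain "/" or ":".

```python
import re
from functools import lru_cache

# ARN templates copied from the Resource types table on this page.
P = "arn:${Partition}:chime:${Region}:${AccountId}:"
TEMPLATES = {
    "meeting": "arn:${Partition}:chime::${AccountId}:meeting/${MeetingId}",
    "app-instance": P + "app-instance/${AppInstanceId}",
    "app-instance-user": P + "app-instance/${AppInstanceId}/user/${AppInstanceUserId}",
    "app-instance-bot": P + "app-instance/${AppInstanceId}/bot/${AppInstanceBotId}",
    "channel": P + "app-instance/${AppInstanceId}/channel/${ChannelId}",
    "channel-flow": P + "app-instance/${AppInstanceId}/channel-flow/${ChannelFlowId}",
    "media-pipeline": P + "media-pipeline/${MediaPipelineId}",
    "media-insights-pipeline-configuration": P + "media-insights-pipeline-configuration/${ConfigurationName}",
    "media-pipeline-kinesis-video-stream-pool": P + "media-pipeline-kinesis-video-stream-pool/${PoolName}",
    "voice-profile-domain": P + "voice-profile-domain/${VoiceProfileDomainId}",
    "voice-profile": P + "voice-profile/${VoiceProfileId}",
    "voice-connector": P + "vc/${VoiceConnectorId}",
    "sip-media-application": P + "sma/${SipMediaApplicationId}",
}
FIRST, REST = object(), object()  # a ${Var}: one char plus optional tail (assumed: no "/" or ":")

def _tokens(template):
    parts = re.split(r"(\$\{\w+\})", template)
    return [tok for p in parts for tok in ([FIRST, REST] if p.startswith("${") else p)]

def overlaps(pattern, template):
    """True if some concrete ARN matches both the IAM pattern (* and ?) and the template."""
    t = _tokens(template)
    @lru_cache(maxsize=None)
    def go(i, j):
        g = pattern[i] if i < len(pattern) else None
        x = t[j] if j < len(t) else None
        if g is None and x is None:
            return True
        if g == "*":  # '*' matches nothing, or swallows one template token
            return go(i + 1, j) or (x is not None and go(i, j + 1))
        if x is REST:  # variable tail: stop here, or take one more non-delimiter char
            return go(i, j + 1) or (g is not None and g not in "/:" and go(i + 1, j))
        if g is None or x is None:
            return False
        if x is FIRST:
            return g not in "/:" and go(i + 1, j + 1)
        return g in ("?", x) and go(i + 1, j + 1)
    return go(0, 0)

def covered_types(resource):
    """Names of this page's resource types that an IAM Resource string can match."""
    return sorted(n for n, tpl in TEMPLATES.items() if overlaps(resource, tpl))
```

For a constructed ARN such as `arn:aws:chime:us-east-1:111122223333:app-instance/*`, `covered_types` returns five types (the app instance plus its users, bots, channels and channel flows), while `.../voice-connector/abc123` returns an empty list because the ARN segment for that type is `vc`.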
Condition keys for Amazon Chime
Amazon Chime defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access by a tag's key and value in a request | String |
aws:ResourceTag/${TagKey} | Filters access by the tag key-value pairs attached to the resource | String |
aws:TagKeys | Filters access by the tag keys in a request | ArrayOfString |