BethChimeAWS Posted · · edited ·

Amazon Chime actions for IAM policies

Controlling Access to Amazon Chime admin console using IAM

Access to the Amazon Chime administration console is managed through AWS Identity and Access Management (IAM), a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

To give others access to the Amazon Chime console, you create IAM users that they use to log into the AWS account and then access the Amazon Chime console. Using IAM, you can grant these users granular permissions that block or provide read and write access to various details and actions of your Amazon Chime account(s), such as changing permissions, adding users, or resetting a user's meeting PIN. You create IAM policies that are applied to individual users or groups.

If you are new to IAM, see Creating Your First IAM Admin User and Group. For more information about IAM policies, see Access Management. For more information about managing and creating custom IAM policies, see Working with Policies.

The easiest way to manage access for users who will be providing support services or managing the Amazon Chime account via the Amazon Chime administration console is to use one of the following AWS managed policies preconfigured for Amazon Chime. AWS managed policies are built for specific use cases and are automatically updated by the Amazon Chime service team when new capabilities are added, so your users have immediate access without changes to a custom policy.

Amazon Chime Managed Policies
Amazon Chime provides three AWS managed policies which can be leveraged by customers using IAM roles to control access to the user management and account setup and configuration capabilities from the Amazon Chime administration console.
  • AmazonChimeFullAccess provides full access to Amazon Chime user management and account configuration.
  • AmazonChimeReadOnly provides read-only access to Amazon Chime user management and account configuration.
  • AmazonChimeUserManagement provides full user management capabilities and read-only access to account settings and configuration.
See the Amazon Chime Actions table below for actions associated with the above managed policies.

Example
The following screens show a group called Admin with three users:

The Permissions tab shows that the users in the Admin group will have all the actions granted and managed in the AmazonChimeFullAccess managed policy.

Amazon Chime Actions
The following is a list of the Amazon Chime actions for Accounts, Users, Domains, Active Directory and Amazon Chime Support. Account Delegation actions are only valid for customers who purchase Amazon Chime from CenturyLink.

Managed Policy column key: FA: Full Access; UM: UserManagement; RO: ReadOnly
Each row below lists, in order: Action, Description, Managed Policy
Accounts
chime:CreateAccount Grants permission to create an Amazon Chime account under the administrator's AWS account. FA
chime:RenameAccount Grants permission to modify the account name for your Amazon Chime Enterprise or Team account. FA
chime:ListAccounts Grants permission to list the Amazon Chime accounts under the administrator's AWS account. FA, UM, RO
chime:GetAccount Grants permission to get details for the specified Amazon Chime account. FA, UM, RO
chime:DeleteAccount Grants permission to delete the specified Amazon Chime account. FA
Users
chime:GetAccountSettings Grants permission to get account settings for the specified Amazon Chime account ID. FA, UM, RO
chime:UpdateAccountSettings Grants permission to update the settings for the specified Amazon Chime account. FA, UM
chime:ListUsers Grants permission to list the users that belong to the specified Amazon Chime account. FA, UM, RO
chime:GetUser Grants permission to get details for the specified user ID. FA, UM, RO
chime:UpdateUser Grants permission to update details for a specified user ID. FA, UM
chime:GetUserByEmail Grants permission to get user details for an Amazon Chime user based on the email address in an Amazon Chime Enterprise or Team account. FA, UM, RO
chime:GetUserSettings Grants permission to get user settings related to the specified Amazon Chime user. FA, UM, RO
chime:UpdateUserSettings Grants permission to update user settings related to the specified Amazon Chime user. FA, UM
chime:InviteUsers Grants permission to invite as many as 50 users to the specified Amazon Chime account. FA, UM
chime:SuspendUsers Grants permission to suspend users from an Amazon Chime Enterprise account. FA, UM
chime:BatchSuspendUser Grants permission to suspend up to 50 users from a Team or EnterpriseLWA Amazon Chime account. FA, UM
chime:BatchUnsuspendUser Grants permission to remove the suspension from up to 50 previously suspended users for the specified Amazon Chime EnterpriseLWA account. FA, UM
chime:BatchUpdateUser Grants permission to update user details within the UpdateUserRequestItem object for up to 20 users for the specified Amazon Chime account. FA, UM
chime:ActivateUsers Grants permission to activate users in an Amazon Chime Enterprise account. FA, UM
chime:UpdateUserLicenses Grants permission to update the licenses for your Amazon Chime users. FA, UM
chime:ResetPersonalPin Grants permission to reset the personal meeting PIN for the specified user on an Amazon Chime account. FA, UM
chime:LogoutUser Grants permission to log out the specified user from all of the devices they are currently logged into. FA, UM
Reporting
chime:ListAccountUsageReportData Grants permission to list Amazon Chime account usage reporting data. FA, UM, RO
chime:GetUserActivityReportData Grants permission to get a summary of user activity on the user details page. FA, UM, RO
chime:GetMeetingDetail Grants permission to get attendee, connection, and other details for a meeting. FA, UM
chime:ListMeetingEvents Grants permission to list all events that occurred for a specified meeting. FA, UM
chime:ListMeetingReportData Grants permission to list meetings ended during the specified date range. FA, UM
Attachments
chime:StartDataExport Grants permission to submit the "Request attachments" request. FA
chime:RetrieveDataExport Grants permission to download the file containing links to all user attachments returned as part of the "Request attachments" action. FA
Domains
chime:ListDomains Grants permission to list domains associated with your Amazon Chime account. FA, UM, RO
chime:AddDomain Grants permission to add a domain to your Amazon Chime account. FA
chime:GetDomain Grants permission to get domain details for a domain associated with your Amazon Chime account. FA, UM, RO
chime:DeleteDomain Grants permission to delete a domain from your Amazon Chime account. FA
Active Directory
chime:AuthorizeDirectory Grants permission to authorize an Active Directory for your Amazon Chime Enterprise account. FA
chime:UnauthorizeDirectory Grants permission to unauthorize an Active Directory from your Amazon Chime Enterprise account. FA
chime:ListDirectories Grants permission to list active Active Directories hosted in the Directory Service of your AWS account. FA, UM, RO
chime:ConnectDirectory Grants permission to connect an Active Directory to your Amazon Chime Enterprise account. FA
chime:DisconnectDirectory Grants permission to disconnect the Active Directory from your Amazon Chime Enterprise account. FA
chime:ListGroups Grants permission to list Active Directory or Okta user groups associated with your Amazon Chime Enterprise account. FA, UM, RO
chime:AddOrUpdateGroups Grants permission to add new or update existing Active Directory or Okta user groups associated with your Amazon Chime Enterprise account. FA
chime:DeleteGroups Grants permission to delete Active Directory or Okta user groups from your Amazon Chime Enterprise account. FA
Okta
chime:ListApiKeys Grants permission to list the SCIM access keys defined for your Amazon Chime account and Okta configuration. FA
chime:CreateApiKey Grants permission to create a new SCIM access key for your Amazon Chime account and Okta configuration. FA
chime:DeleteApiKey Grants permission to delete the specified SCIM access key associated with your Amazon Chime account and Okta configuration. FA
chime:GetAccountWithOpenIdConfig Grants permission to get the account details and OpenIdConfig attributes for your Amazon Chime account. FA
chime:UpdateAccountOpenIdConfig Grants permission to update the OpenIdConfig attributes for your Amazon Chime account. FA
chime:DeleteAccountOpenIdConfig Grants permission to delete the OpenIdConfig attributes from your Amazon Chime account. FA
Calling
chime:CreatePhoneNumberOrder Grants permission to create a phone number order with the Carriers. FA
chime:GetPhoneNumberOrder Grants permission to get details for the specified phone number order. FA, RO
chime:ListPhoneNumberOrders Grants permission to list the phone number orders for the account. FA, RO
chime:ListPhoneNumbers Grants permission to list the phone numbers under the administrator's AWS account. FA, UM, RO
chime:GetPhoneNumber Grants permission to get details for the specified phone number. FA, UM, RO
chime:DeletePhoneNumber Grants permission to move a phone number to the deletion queue. FA
chime:SearchAvailablePhoneNumbers Grants permission to search available phone numbers for ordering from the carrier. FA, RO
chime:AssociatePhoneNumberWithUser Grants permission to associate a phone number with an Amazon Chime user. FA, UM
chime:DisassociatePhoneNumberFromUser Grants permission to disassociate the primary provisioned number from the specified Amazon Chime user. FA, UM
chime:RestorePhoneNumber Grants permission to restore the specified phone number from the deletion queue back to the phone number inventory. FA
chime:BatchUpdatePhoneNumber Grants permission to update phone number details within the UpdatePhoneNumberRequestItem object for up to 50 phone numbers. FA
chime:BatchDeletePhoneNumber Grants permission to move up to 50 phone numbers to the deletion queue. FA
chime:GetTelephonyLimits Grants permission to get telephony limits for the AWS account. FA
chime:ListCallingRegions Grants permission to list the calling regions available for the administrator's AWS account. FA, RO
chime:CreateVoiceConnector Grants permission to create a voice connector under the administrator's AWS account. FA
chime:GetVoiceConnector Grants permission to get details for the specified voice connector. FA, RO
chime:GetVoiceConnectorOrigination Grants permission to get details of the origination settings for the specified voice connector. FA, RO
chime:GetVoiceConnectorTermination Grants permission to get details of the termination settings for the specified voice connector. FA, RO
chime:GetVoiceConnectorTerminationHealth Grants permission to get details of the termination health for the specified voice connector. FA, RO
chime:ListVoiceConnectorTerminationCredentials Grants permission to list the SIP termination credentials for the specified voice connector. FA, RO
chime:ListVoiceConnectors Grants permission to list the voice connectors under the administrator's AWS account. FA, RO
chime:PutVoiceConnectorOrigination Grants permission to update the origination settings for the specified voice connector. FA
chime:PutVoiceConnectorTermination Grants permission to update the termination settings for the specified voice connector. FA
chime:PutVoiceConnectorTerminationCredentials Grants permission to add SIP termination credentials for the specified voice connector. FA
chime:UpdateVoiceConnector Grants permission to update voice connector details for the specified voice connector. FA
chime:AssociatePhoneNumbersWithVoiceConnector Grants permission to associate a phone number with an Amazon Chime user. FA
chime:UpdatePhoneNumber Grants permission to update phone number details for the specified phone number. FA
chime:GetGlobalSettings Grants permission to get global settings related to Amazon Chime for the AWS account (CDRs). FA
chime:UpdateGlobalSettings Grants permission to update the global settings related to Amazon Chime for the AWS account (CDRs). FA
chime:GetCDRBucket Grants permission to get details of a Call Detail Record S3 bucket associated with your Amazon Chime account. FA, RO
chime:ListCDRBucket Grants permission to list Call Detail Record S3 buckets. FA, RO
chime:DeleteVoiceConnector Grants permission to delete the specified voice connector. FA
chime:DeleteVoiceConnectorOrigination Grants permission to delete the origination settings for the specified voice connector. FA
chime:DeleteVoiceConnectorTermination Grants permission to delete the termination settings for the specified voice connector. FA
chime:DeleteVoiceConnectorTerminationCredentials Grants permission to delete SIP termination credentials for the specified voice connector. FA
chime:DisassociatePhoneNumbersFromVoiceConnector Grants permission to disassociate multiple phone numbers from the specified voice connector. FA
Amazon Chime Support
chime:SubmitSupportRequest Grants permission to submit a customer service support request. FA, UM
AWS Account Delegation (*) Only used in conjunction with partner resellers.
chime:AcceptDelegate (Partner’s Customer) Grants permission to accept the delegate invitation to share management of an Amazon Chime account with another AWS Account. (*) FA
chime:ListDelegates (Partner and Customer) Grants permission to list account delegate information associated with your Amazon Chime account. (*) FA, UM, RO
chime:DeleteDelegate (Partner and Customer) Grants permission to delete delegated AWS account management from your Amazon Chime account. (*) FA
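
An added example (not part of the original article and not AWS code): a Python check that compares a custom IAM policy against the action table above and reports the narrowest managed policy whose actions would cover it. The table subset is copied from this page; the help-desk policy and all function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Subset of the action table above: action -> managed policies that include it
# (FA = AmazonChimeFullAccess, UM = AmazonChimeUserManagement, RO = AmazonChimeReadOnly).
_ALL, _UM, _FA = {"FA", "UM", "RO"}, {"FA", "UM"}, {"FA"}
ACTION_TIERS = {
    "chime:ListAccounts": _ALL, "chime:ListUsers": _ALL, "chime:GetUser": _ALL,
    "chime:UpdateUser": _UM, "chime:ResetPersonalPin": _UM,
    "chime:LogoutUser": _UM, "chime:GetMeetingDetail": _UM,
    "chime:GetGlobalSettings": _FA, "chime:ListApiKeys": _FA,
    "chime:CreateApiKey": _FA, "chime:DeleteAccount": _FA,
    "chime:RetrieveDataExport": _FA,
}

def _as_list(value):
    # IAM accepts a single string/statement or a list of them.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _matches(statement):
    """Table actions matched by the statement's Action patterns (* and ? wildcards)."""
    patterns = [p.lower() for p in _as_list(statement.get("Action"))]
    return {a for a in ACTION_TIERS
            if any(fnmatchcase(a.lower(), p) for p in patterns)}

def granted_actions(policy):
    """Allow minus Deny. A Deny is honoured only when it is unconditional and on
    Resource "*"; Allow is counted regardless of Resource or Condition, and
    NotAction is not evaluated, so the result errs towards over-reporting."""
    allowed, denied = set(), set()
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") == "Allow":
            allowed |= _matches(st)
        elif (st.get("Effect") == "Deny" and "Condition" not in st
              and st.get("Resource") == "*"):
            denied |= _matches(st)
    return allowed - denied

def beyond_tier(policy, tier):
    """Granted actions that the given managed policy (FA, UM or RO) does not include."""
    return sorted(a for a in granted_actions(policy) if tier not in ACTION_TIERS[a])

def smallest_covering_tier(policy):
    """Narrowest managed policy whose action set covers everything the policy grants."""
    return next(t for t in ("RO", "UM", "FA") if not beyond_tier(policy, t))

# Constructed sample: a help-desk policy that relies on read-looking wildcards.
HELPDESK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["chime:List*", "chime:Get*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["chime:ResetPersonalPin", "chime:LogoutUser"], "Resource": "*"},
    {"Effect": "Deny", "Action": "chime:*ApiKey*", "Resource": "*"},
]}
```

For the sample policy, the `chime:Get*` wildcard pulls in `chime:GetGlobalSettings`, which the table lists under Full Access only, so the policy is broader than AmazonChimeUserManagement even though it looks like read access plus two help-desk actions.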

Contributors

BethChimeAWS contributed to this article
