

**End of support notice**: On February 20, 2026, AWS will end support for the Amazon Chime service. After February 20, 2026, you will no longer be able to access the Amazon Chime console or Amazon Chime application resources. For more information, visit the [blog post](https://aws.amazon.com/blogs/messaging-and-targeting/update-on-support-for-amazon-chime/). **Note:** This does not impact the availability of the [Amazon Chime SDK service](https://aws.amazon.com/chime/chime-sdk/).

# Security in Amazon Chime
<a name="security"></a>

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to Amazon Chime, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations. 

This documentation helps you understand how to apply the shared responsibility model when using Amazon Chime. The following topics show you how to configure Amazon Chime to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Amazon Chime resources.

**Topics**
+ [Identity and access management for Amazon Chime](security-iam.md)
+ [How Amazon Chime works with IAM](security_iam_service-with-iam.md)
+ [Cross-service confused deputy prevention](confused-deputy.md)
+ [Amazon Chime resource-based policies](#security_iam_service-with-iam-resource-based-policies)
+ [Authorization based on Amazon Chime tags](#security_iam_service-with-iam-tags)
+ [Amazon Chime IAM roles](#security_iam_service-with-iam-roles)
+ [Amazon Chime identity-based policy examples](security_iam_id-based-policy-examples.md)
+ [Troubleshooting Amazon Chime identity and access](security_iam_troubleshoot.md)
+ [Using service-linked roles for Amazon Chime](using-service-linked-roles.md)
+ [Logging and monitoring in Amazon Chime](monitoring-overview.md)
+ [Compliance validation for Amazon Chime](compliance.md)
+ [Resilience in Amazon Chime](disaster-recovery-resiliency.md)
+ [Infrastructure security in Amazon Chime](infrastructure-security.md)
+ [Understanding Amazon Chime automatic updates](chime-auto-update.md)

# Identity and access management for Amazon Chime
<a name="security-iam"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Amazon Chime resources. IAM is an AWS service that you can use with no additional charge.

**Topics**
+ [Audience](#security_iam_audience)
+ [Authenticating with identities](#security_iam_authentication)
+ [Managing access using policies](#security_iam_access-manage)

## Audience
<a name="security_iam_audience"></a>

How you use AWS Identity and Access Management (IAM) differs based on your role:
+ **Service user** - request permissions from your administrator if you cannot access features (see [Troubleshooting Amazon Chime identity and access](security_iam_troubleshoot.md))
+ **Service administrator** - determine user access and submit permission requests (see [How Amazon Chime works with IAM](security_iam_service-with-iam.md))
+ **IAM administrator** - write policies to manage access (see [Amazon Chime identity-based policy examples](security_iam_id-based-policy-examples.md))

## Authenticating with identities
<a name="security_iam_authentication"></a>

Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role.

You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

### AWS account root user
<a name="security_iam_authentication-rootuser"></a>

 When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. 

### IAM users and groups
<a name="security_iam_authentication-iamuser"></a>

An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An *[IAM group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)* specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

### IAM roles
<a name="security_iam_authentication-iamrole"></a>

An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## Managing access using policies
<a name="security_iam_access-manage"></a>

You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.

Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

### Identity-based policies
<a name="security_iam_access-manage-id-based-policies"></a>

Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.

### Resource-based policies
<a name="security_iam_access-manage-resource-based-policies"></a>

Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.

Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.

### AWS managed policies for Amazon Chime
<a name="security-iam-awsmanpol"></a>

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to [create IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the **ReadOnlyAccess** AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.

### Access Control Lists (ACLs)
<a name="security_iam_access-manage-acl"></a>

Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

Amazon S3, AWS WAF, and Amazon VPC are examples of services that support ACLs. To learn more about ACLs, see [Access control list (ACL) overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the *Amazon Simple Storage Service Developer Guide*.

### Other policy types
<a name="security_iam_access-manage-other-policies"></a>

AWS supports additional policy types that can set the maximum permissions granted by more common policy types:
+ **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
+ **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.

### Multiple policy types
<a name="security_iam_access-manage-multiple-policies"></a>

When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.

# How Amazon Chime works with IAM
<a name="security_iam_service-with-iam"></a>

Before you use IAM to manage access to Amazon Chime, you should understand what IAM features are available to use with Amazon Chime. To get a high-level view of how Amazon Chime and other AWS services work with IAM, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

**Topics**
+ [Amazon Chime identity-based policies](#security_iam_service-with-iam-id-based-policies)
+ [Resources](#security_iam_service-with-iam-id-based-policies-resources)
+ [Examples](#security_iam_service-with-iam-id-based-policies-examples)

## Amazon Chime identity-based policies
<a name="security_iam_service-with-iam-id-based-policies"></a>

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. Amazon Chime supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

### Actions
<a name="security_iam_service-with-iam-id-based-policies-actions"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.

### Condition keys
<a name="security_iam_service-with-iam-id-based-policies-conditionkeys"></a>

Amazon Chime does not provide any service-specific condition keys. To see all AWS global condition keys, see [AWS Global Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

## Resources
<a name="security_iam_service-with-iam-id-based-policies-resources"></a>

Amazon Chime does not support specifying resource ARNs in a policy.

## Examples
<a name="security_iam_service-with-iam-id-based-policies-examples"></a>

To view examples of Amazon Chime identity-based policies, see [Amazon Chime identity-based policy examples](security_iam_id-based-policy-examples.md).

# Cross-service confused deputy prevention
<a name="confused-deputy"></a>

The confused deputy problem is an information security issue that occurs when an entity without permission to perform an action calls a more-privileged entity to perform the action. This can allow malicious actors to run commands or modify resources they otherwise would not have permission to run or access. For more information, see [The confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) in the *AWS Identity and Access Management User Guide*.

In AWS, cross-service impersonation can lead to a confused deputy scenario. Cross-service impersonation happens when one service (the *calling service*) calls another service (the *called service*). A malicious actor can use the calling service to alter resources in another service by using permissions that they normally would not have.

AWS service principals get access to resources in your account only through the resource policies that you write. To limit that access, we recommend using the `aws:SourceAccount` global condition context key in those resource policies. The key restricts a permission that you grant to the Amazon Chime service principal so that it applies only when the service is acting on behalf of your own account, and not when the same service principal is acting for a resource that belongs to another account.

The following example shows an S3 bucket policy for the bucket configured to receive `CallDetailRecords`. It uses the `aws:SourceAccount` global condition context key to help prevent the confused deputy problem. Replace `your-cdr-bucket` with your bucket name and `112233446677` with your own AWS account ID. Note that in this example the condition is attached only to the `s3:PutObject` statement; the `s3:GetBucketAcl` statement has no condition. The `s3:x-amz-acl` condition additionally requires that objects the service writes use the `bucket-owner-full-control` canned ACL, so that your account retains full control of the records.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonChimeAclCheck668426",
            "Effect": "Allow",
            "Principal": {
                "Service": "chime.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::your-cdr-bucket"
        },
        {
            "Sid": "AmazonChimeWrite668426",
            "Effect": "Allow",
            "Principal": {
                "Service": "chime.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::your-cdr-bucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": "112233446677" 
                }
            }
        }
    ]
}
```

------
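The point of the policy above is easy to get wrong when a bucket policy is edited later, so the following Python script audits a bucket policy for service-principal grants that lack a confused-deputy guard and adds `aws:SourceAccount` where it is missing. It is an added example, not code from the Amazon Chime documentation or from AWS. It runs offline: `BUCKET_POLICY` is the page's `CallDetailRecords` bucket policy embedded as a constant, and `EXPECTED_ACCOUNT` is the placeholder account ID from that example; both are assumptions you would replace with your real policy and account ID.

```python
"""Audit an S3 bucket policy for service-principal Allow statements without a
confused-deputy guard (aws:SourceAccount / aws:SourceArn), and add one.

Added example; not code from the Amazon Chime documentation or from AWS.
BUCKET_POLICY is the page's CallDetailRecords example embedded as a constant
and EXPECTED_ACCOUNT is that example's placeholder account ID (assumptions).
"""
import copy
import json

EXPECTED_ACCOUNT = "112233446677"  # placeholder account ID from the page's example

BUCKET_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonChimeAclCheck668426",
            "Effect": "Allow",
            "Principal": {"Service": "chime.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::your-cdr-bucket"
        },
        {
            "Sid": "AmazonChimeWrite668426",
            "Effect": "Allow",
            "Principal": {"Service": "chime.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::your-cdr-bucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": "112233446677"
                }
            }
        }
    ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in most elements; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_service_principal(statement):
    principal = statement.get("Principal")
    return isinstance(principal, dict) and "Service" in principal


def _conditions(statement):
    """Flatten Condition into {lowercased key: (operator, value)}.
    IAM condition key names are case-insensitive, so compare them lowercased."""
    flat = {}
    for operator, pairs in statement.get("Condition", {}).items():
        for key, value in pairs.items():
            flat[key.lower()] = (operator, value)
    return flat


def audit(policy, expected_account):
    """Return {Sid: verdict} for every Allow statement granted to a service principal.
    'ok'            - guarded by aws:SourceArn, or aws:SourceAccount pinned to expected_account
    'missing-guard' - neither aws:SourceAccount nor aws:SourceArn present
    'weak-guard'    - aws:SourceAccount present but not StringEquals exactly expected_account"""
    verdicts = {}
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or not _is_service_principal(stmt):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        conds = _conditions(stmt)
        if "aws:sourceaccount" not in conds and "aws:sourcearn" not in conds:
            verdicts[sid] = "missing-guard"
        elif "aws:sourceaccount" in conds:
            operator, value = conds["aws:sourceaccount"]
            pinned = operator == "StringEquals" and set(_as_list(value)) == {expected_account}
            verdicts[sid] = "ok" if pinned else "weak-guard"
        else:
            verdicts[sid] = "ok"
    return verdicts


def add_source_account_guard(policy, account):
    """Return a copy of the policy in which every unguarded service-principal
    Allow statement gets StringEquals aws:SourceAccount = account."""
    fixed = copy.deepcopy(policy)
    for stmt in _as_list(fixed["Statement"]):
        if stmt.get("Effect") != "Allow" or not _is_service_principal(stmt):
            continue
        conds = _conditions(stmt)
        if "aws:sourceaccount" in conds or "aws:sourcearn" in conds:
            continue
        stmt.setdefault("Condition", {}).setdefault("StringEquals", {})["aws:SourceAccount"] = account
    return fixed


if __name__ == "__main__":
    print(audit(BUCKET_POLICY, EXPECTED_ACCOUNT))
    hardened = add_source_account_guard(BUCKET_POLICY, EXPECTED_ACCOUNT)
    print(audit(hardened, EXPECTED_ACCOUNT))
    print(json.dumps(hardened, indent=2))
```

Run against the page's policy, the audit reports the `s3:GetBucketAcl` statement as `missing-guard` and the `s3:PutObject` statement as `ok`; the hardened copy pins both to the account. The script deliberately treats `StringLike` or a list of several accounts as `weak-guard`, because a wildcard or a broad list defeats the purpose of the check.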

## Amazon Chime resource-based policies
<a name="security_iam_service-with-iam-resource-based-policies"></a>

Amazon Chime does not support resource-based policies.

## Authorization based on Amazon Chime tags
<a name="security_iam_service-with-iam-tags"></a>

Amazon Chime does not support tagging resources or controlling access based on tags.

## Amazon Chime IAM roles
<a name="security_iam_service-with-iam-roles"></a>

An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an entity within your AWS account that has specific permissions.

### Using temporary credentials with Amazon Chime
<a name="security_iam_service-with-iam-roles-tempcreds"></a>

You can use temporary credentials to sign in with federation, to assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) or [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html).

Amazon Chime supports using temporary credentials. 

### Service-linked roles
<a name="security_iam_service-with-iam-roles-service-linked"></a>

[Service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role) allow AWS services to access resources in other services that complete actions on your behalf. Service-linked roles appear in your IAM account, and the services own the roles. An IAM administrator can view but not edit the permissions for service-linked roles.

Amazon Chime supports service-linked roles. For details about creating or managing Amazon Chime service-linked roles, see [Using service-linked roles for Amazon Chime](using-service-linked-roles.md).

### Service roles
<a name="security_iam_service-with-iam-roles-service"></a>

This feature allows a service to assume a [service role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role) on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service.

Amazon Chime does not support service roles. 

# Amazon Chime identity-based policy examples
<a name="security_iam_id-based-policy-examples"></a>

By default, IAM users and roles don't have permission to create or modify Amazon Chime resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions.

To learn how to create an IAM identity-based policy using these example JSON policy documents, see [Creating policies on the JSON tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*.

**Topics**
+ [Policy best practices](#security_iam_service-with-iam-policy-best-practices)
+ [Using the Amazon Chime console](#security_iam_id-based-policy-examples-console)
+ [Allow users full access to Amazon Chime](#security_iam_id-based-policy-examples-full-access)
+ [Allow users to view their own permissions](#security_iam_id-based-policy-examples-view-own-permissions)
+ [Allow users to access user management actions](#security_iam_id-based-policy-examples-user-management)
+ [AWS managed policy: AmazonChimeVoiceConnectorServiceLinkedRolePolicy](#cvc-linked-role-policy)
+ [Amazon Chime updates to AWS managed policies](#security-iam-awsmanpol-updates)

## Policy best practices
<a name="security_iam_service-with-iam-policy-best-practices"></a>

Identity-based policies determine whether someone can create, access, or delete Amazon Chime resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [ Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [ Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.

For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

## Using the Amazon Chime console
<a name="security_iam_id-based-policy-examples-console"></a>

To access the Amazon Chime console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the Amazon Chime resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (IAM users or roles) with that policy.

To ensure that those entities can still use the Amazon Chime console, also attach the following AWS managed **AmazonChimeReadOnly** policy to the entities. For more information, see [Adding permissions to a user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*:

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "chime:List*",
                "chime:Get*",
                "chime:SearchAvailablePhoneNumbers"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

------

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that you're trying to perform.
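To make the wildcard matching in the **AmazonChimeReadOnly** policy above concrete, and to show how the policy types from [Multiple policy types](#security_iam_access-manage-multiple-policies) combine, the following Python script is a simplified policy evaluator. It is an added example, not code from the Amazon Chime documentation and not the real IAM evaluation engine: it models only that an explicit `Deny` anywhere wins, that an SCP and a permissions boundary (when present) must each explicitly `Allow`, and that an identity-policy `Allow` then grants access. Resources, conditions, `NotAction`, policy variables, resource-based policies, RCPs and session policies are out of scope. `AMAZON_CHIME_READ_ONLY` and the `chime:*` statement of `CHIME_FULL` are the page's policy documents; `BOUNDARY` and `SCP` are hypothetical policies constructed for the example.

```python
"""Simplified IAM evaluation across identity policies, a permissions boundary
and an SCP, with IAM-style wildcard action matching.

Added example; not code from the Amazon Chime documentation and not the real
IAM engine. BOUNDARY and SCP are hypothetical; the other two policies are the
page's AmazonChimeReadOnly document and the chime:* statement of
AmazonChimeFullAccess.
"""
import fnmatch

AMAZON_CHIME_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["chime:List*", "chime:Get*", "chime:SearchAvailablePhoneNumbers"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}

# First statement of AmazonChimeFullAccess; its S3/logs/SNS/SQS statements are omitted here.
CHIME_FULL = {
    "Version": "2012-10-17",
    "Statement": [{"Action": ["chime:*"], "Effect": "Allow", "Resource": "*"}],
}

# Hypothetical permissions boundary: caps any attached identity policy at read access.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["chime:Get*", "chime:List*"], "Resource": "*"}],
}

# Hypothetical SCP: allow everything in the OU except searching for phone numbers.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "chime:SearchAvailablePhoneNumbers", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching is case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_policy(policy, action):
    """Return 'Deny' if any statement explicitly denies the action, 'Allow' if
    one allows it and none denies, or None when no statement matches."""
    decision = None
    for stmt in _as_list(policy["Statement"]):
        if any(action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(action, identity_policies, boundary=None, scp=None):
    """Combine policy types: an explicit Deny anywhere wins; the SCP and the
    boundary (when present) must each explicitly Allow; then an identity
    policy must Allow, otherwise the default is implicit deny."""
    identity = [evaluate_policy(p, action) for p in identity_policies]
    gates = [evaluate_policy(p, action) for p in (scp, boundary) if p is not None]
    if "Deny" in identity or "Deny" in gates:
        return False
    if any(g != "Allow" for g in gates):
        return False
    return "Allow" in identity


if __name__ == "__main__":
    for action in ("chime:GetUser", "chime:CreateUser", "chime:SearchAvailablePhoneNumbers"):
        print(action,
              "read-only:", is_allowed(action, [AMAZON_CHIME_READ_ONLY]),
              "read-only+SCP:", is_allowed(action, [AMAZON_CHIME_READ_ONLY], scp=SCP),
              "full+boundary:", is_allowed(action, [CHIME_FULL], boundary=BOUNDARY))
```

With only the read-only policy attached, `chime:GetUser` (and `chime:getuser`, since matching is case-insensitive) is allowed while `chime:CreateUser` falls through to the implicit deny. The hypothetical SCP turns the explicitly listed `chime:SearchAvailablePhoneNumbers` into a deny even though the identity policy allows it, and the hypothetical boundary reduces `chime:*` to read-only without any change to the identity policy itself.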

## Allow users full access to Amazon Chime
<a name="security_iam_id-based-policy-examples-full-access"></a>

The following AWS managed **AmazonChimeFullAccess** policy grants an IAM user full access to Amazon Chime resources. The policy gives the user access to all Amazon Chime operations, as well as other operations that Amazon Chime needs to be able to perform on your behalf. Note that the S3 and CloudWatch Logs statements use `"Resource": "*"`, so the policy also allows listing objects and reading bucket metadata for every bucket in the account, not only the buckets that Amazon Chime writes to. If that is broader than you need, use a customer managed policy that scopes those statements to the specific bucket and log group ARNs.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "chime:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "logs:CreateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:GetLogDelivery",
                "logs:ListLogDeliveries",
                "logs:DescribeResourcePolicies",
                "logs:PutResourcePolicy",
                "logs:CreateLogGroup",
                "logs:DescribeLogGroups"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic",
                "sns:GetTopicAttributes"
            ],
            "Resource": [
                "arn:aws:sns:*:*:ChimeVoiceConnector-Streaming*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:GetQueueAttributes",
                "sqs:CreateQueue"
            ],
            "Resource": [
                "arn:aws:sqs:*:*:ChimeVoiceConnector-Streaming*"
            ]
        }
    ]
}
```

------

## Allow users to view their own permissions
<a name="security_iam_id-based-policy-examples-view-own-permissions"></a>

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewOwnUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Resource": ["arn:aws:iam::*:user/${aws:username}"]
        },
        {
            "Sid": "NavigateInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

## Allow users to access user management actions
<a name="security_iam_id-based-policy-examples-user-management"></a>

Use the AWS managed **AmazonChimeUserManagement** policy to grant users access to user management actions in the Amazon Chime console.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "chime:ListAccounts",
                "chime:GetAccount",
                "chime:GetAccountSettings",
                "chime:UpdateAccountSettings",
                "chime:ListUsers",
                "chime:GetUser",
                "chime:GetUserByEmail",
                "chime:InviteUsers",
                "chime:InviteUsersFromProvider",
                "chime:SuspendUsers",
                "chime:ActivateUsers",
                "chime:UpdateUserLicenses",
                "chime:ResetPersonalPIN",
                "chime:LogoutUser",
                "chime:ListDomains",
                "chime:GetDomain",
                "chime:ListDirectories",
                "chime:ListGroups",
                "chime:SubmitSupportRequest",
                "chime:ListDelegates",
                "chime:ListAccountUsageReportData",
                "chime:GetMeetingDetail",
                "chime:ListMeetingEvents",
                "chime:ListMeetingsReportData",
                "chime:GetUserActivityReportData",
                "chime:UpdateUser",
                "chime:BatchUpdateUser",
                "chime:BatchSuspendUser",
                "chime:BatchUnsuspendUser",
                "chime:AssociatePhoneNumberWithUser",
                "chime:DisassociatePhoneNumberFromUser",
                "chime:GetPhoneNumber",
                "chime:ListPhoneNumbers",
                "chime:GetUserSettings",
                "chime:UpdateUserSettings",
                "chime:CreateUser",
                "chime:AssociateSigninDelegateGroupsWithAccount",
                "chime:DisassociateSigninDelegateGroupsFromAccount"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```
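The managed policy grants every user management action on `Resource: "*"`; the following added example (not AWS code) shows how to use CloudTrail records, which this guide covers under logging and monitoring, to find which of those actions a principal actually calls and to draft a narrower customer managed policy. The CloudTrail records, account ID and principal names are constructed samples.

```python
# Action list copied from the AmazonChimeUserManagement policy above.
USER_MANAGEMENT_ACTIONS = [
    "chime:ListAccounts", "chime:GetAccount", "chime:GetAccountSettings",
    "chime:UpdateAccountSettings", "chime:ListUsers", "chime:GetUser",
    "chime:GetUserByEmail", "chime:InviteUsers", "chime:InviteUsersFromProvider",
    "chime:SuspendUsers", "chime:ActivateUsers", "chime:UpdateUserLicenses",
    "chime:ResetPersonalPIN", "chime:LogoutUser", "chime:ListDomains",
    "chime:GetDomain", "chime:ListDirectories", "chime:ListGroups",
    "chime:SubmitSupportRequest", "chime:ListDelegates",
    "chime:ListAccountUsageReportData", "chime:GetMeetingDetail",
    "chime:ListMeetingEvents", "chime:ListMeetingsReportData",
    "chime:GetUserActivityReportData", "chime:UpdateUser", "chime:BatchUpdateUser",
    "chime:BatchSuspendUser", "chime:BatchUnsuspendUser",
    "chime:AssociatePhoneNumberWithUser", "chime:DisassociatePhoneNumberFromUser",
    "chime:GetPhoneNumber", "chime:ListPhoneNumbers", "chime:GetUserSettings",
    "chime:UpdateUserSettings", "chime:CreateUser",
    "chime:AssociateSigninDelegateGroupsWithAccount",
    "chime:DisassociateSigninDelegateGroupsFromAccount",
]

# Constructed CloudTrail records, reduced to the fields this example reads.
ADMIN_ARN = "arn:aws:iam::123456789012:user/chime-admin"
SAMPLE_CLOUDTRAIL_RECORDS = [
    {"eventSource": "chime.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"arn": ADMIN_ARN}},
    {"eventSource": "chime.amazonaws.com", "eventName": "GetUser",
     "userIdentity": {"arn": ADMIN_ARN}},
    {"eventSource": "chime.amazonaws.com", "eventName": "InviteUsers",
     "userIdentity": {"arn": ADMIN_ARN}},
    {"eventSource": "chime.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"arn": ADMIN_ARN}},
    # Another principal's activity must not count toward chime-admin's needs.
    {"eventSource": "chime.amazonaws.com", "eventName": "SuspendUsers",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/helpdesk"}},
]


def actions_used(records, principal_arn):
    """Return the set of 'service:Action' strings the principal called.

    CloudTrail records the API name (eventName) and the service endpoint
    (eventSource, e.g. chime.amazonaws.com); the IAM action is normally the
    service prefix plus the API name. Use a long enough window: an action
    absent from the sample period (a quarterly task, say) may still be needed.
    """
    used = set()
    for rec in records:
        if rec.get("userIdentity", {}).get("arn") != principal_arn:
            continue
        prefix = rec["eventSource"].split(".")[0]
        used.add(f"{prefix}:{rec['eventName']}")
    return used


def scope_down(granted, used):
    """Split granted actions into (kept, dropped) by observed use."""
    kept = sorted(a for a in granted if a in used)
    dropped = sorted(a for a in granted if a not in used)
    return kept, dropped


def scoped_policy(actions):
    """Build a customer managed policy granting only the kept actions."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions),
                           "Resource": "*"}]}


if __name__ == "__main__":
    used = actions_used(SAMPLE_CLOUDTRAIL_RECORDS, ADMIN_ARN)
    kept, dropped = scope_down(USER_MANAGEMENT_ACTIONS, used)
    print(f"{len(kept)} actions in use, {len(dropped)} granted but never used")
    print(scoped_policy(kept))
```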


## AWS managed policy: AmazonChimeVoiceConnectorServiceLinkedRolePolicy
<a name="cvc-linked-role-policy"></a>

The `AmazonChimeVoiceConnectorServiceLinkedRolePolicy` enables Amazon Chime Voice Connectors to stream media to Amazon Kinesis Video Streams, provide streaming notifications, and synthesize speech using Amazon Polly. This policy grants the Amazon Chime Voice Connector service permissions to access customers' Amazon Kinesis Video Streams, send notification events to the Amazon Simple Notification Service and Amazon Simple Queue Service, and use Amazon Polly to synthesize speech when using the Amazon Chime SDK Voice Applications `Speak` and `SpeakAndGetDigits` actions. For more information, see [Amazon Chime SDK identity-based policy examples](https://docs.aws.amazon.com/chime-sdk/latest/ag/using-service-linked-roles-stream.html) in the *Amazon Chime SDK Administrator Guide*. 

## Amazon Chime updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

The following table lists and describes the updates made to the Amazon Chime IAM policy.


| Change | Description | Date | 
| --- | --- | --- | 
|  `AmazonChimeVoiceConnectorServiceLinkedRolePolicy` – Update to an existing policy  |  Amazon Chime Voice Connectors added new permissions to allow you to use Amazon Polly to synthesize speech. These permissions are required to use the `Speak` and `SpeakAndGetDigits` actions in Amazon Chime SDK Voice Applications.  | March 15, 2022 | 
|  `AmazonChimeVoiceConnectorServiceLinkedRolePolicy` – Update to an existing policy  |  Amazon Chime Voice Connector added new permissions to allow access to Amazon Kinesis Video Streams and send notification events to SNS and SQS. These permissions are required for Amazon Chime Voice Connectors to stream media to Amazon Kinesis Video Streams and provide streaming notifications.  | December 20, 2021 | 
|  Change to existing policy. [Creating IAM users or roles with the Chime SDK policy](https://docs.aws.amazon.com/chime/latest/dg/iam-users-roles.html).  |  Amazon Chime added new actions to support expanded validation. A number of actions were added to allow listing and tagging of attendees and meeting resources, and for starting and stopping meeting transcription.  | September 23, 2021 | 
|  Amazon Chime started tracking changes  |  Amazon Chime started tracking changes for its AWS managed policies.  | September 23, 2021 | 

# Troubleshooting Amazon Chime identity and access
<a name="security_iam_troubleshoot"></a>

Use the following information to help you diagnose and fix common issues that you might encounter when working with Amazon Chime and IAM.

**Topics**
+ [I am not authorized to perform an action in Amazon Chime](#security_iam_troubleshoot-no-permissions)
+ [I am not authorized to perform iam:PassRole](#security_iam_troubleshoot-passrole)
+ [I want to allow people outside of my AWS account to access my Amazon Chime resources](#security_iam_troubleshoot-cross-account-access)

## I am not authorized to perform an action in Amazon Chime
<a name="security_iam_troubleshoot-no-permissions"></a>

If you receive an error that you're not authorized to perform an action, your policies must be updated to allow you to perform the action.

The following example error occurs when the `mateojackson` IAM user tries to use the console to view details about a fictional `my-example-widget` resource but doesn't have the fictional `chime:GetWidget` permissions.

```
User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: chime:GetWidget on resource: my-example-widget
```

In this case, the policy for the `mateojackson` user must be updated to allow access to the `my-example-widget` resource by using the `chime:GetWidget` action.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.

## I am not authorized to perform iam:PassRole
<a name="security_iam_troubleshoot-passrole"></a>

If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to Amazon Chime.

Some AWS services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.

The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in Amazon Chime. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permissions to pass the role to the service.

```
User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```

In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.

## I want to allow people outside of my AWS account to access my Amazon Chime resources
<a name="security_iam_troubleshoot-cross-account-access"></a>

You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.

To learn more, consult the following:
+ To learn whether Amazon Chime supports these features, see [How Amazon Chime works with IAM](security_iam_service-with-iam.md).
+ To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
+ To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
+ To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
+ To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

# Using service-linked roles for Amazon Chime
<a name="using-service-linked-roles"></a>

Amazon Chime uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to Amazon Chime. Service-linked roles are predefined by Amazon Chime and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up Amazon Chime more efficient because you aren't required to manually add the necessary permissions. Amazon Chime defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon Chime can assume its roles. The defined permissions include the trust policy and the permissions policy. The permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your Amazon Chime resources because you can't inadvertently remove permission to access them.

For information about other services that support service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html). Look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

**Topics**
+ [Using roles with shared Alexa for Business devices](using-service-linked-roles-a4b.md)
+ [Using roles with live transcription](using-service-linked-roles-transcription.md)
+ [Using roles with Amazon Chime SDK media pipelines](using-service-linked-roles-media-pipeline.md)

# Using roles with shared Alexa for Business devices
<a name="using-service-linked-roles-a4b"></a>

The information in the following sections explains how to use service-linked roles and grant Amazon Chime access to the Alexa for Business resources in your AWS account.

**Topics**
+ [Service-linked role permissions for Amazon Chime](#service-linked-role-permissions-a4b)
+ [Creating a service-linked role for Amazon Chime](#create-service-linked-role-a4b)
+ [Editing a service-linked role for Amazon Chime](#edit-service-linked-role-a4b)
+ [Deleting a service-linked role for Amazon Chime](#delete-service-linked-role-a4b)
+ [Supported Regions for Amazon Chime service-linked roles](#slr-regions-a4b)

## Service-linked role permissions for Amazon Chime
<a name="service-linked-role-permissions-a4b"></a>

Amazon Chime uses the service-linked role named **AWSServiceRoleForAmazonChime** – Allows access to AWS services and resources used or managed by Amazon Chime, such as Alexa for Business shared devices.

The AWSServiceRoleForAmazonChime service-linked role trusts the following services to assume the role:
+ `chime.amazonaws.com`

The role permissions policy allows Amazon Chime to complete the following action on the specified resource:
+ Action: `iam:CreateServiceLinkedRole` on `arn:aws:iam::*:role/aws-service-role/chime.amazonaws.com/AWSServiceRoleForAmazonChime`

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role for Amazon Chime
<a name="create-service-linked-role-a4b"></a>

You don't need to manually create a service-linked role. When you turn on Alexa for Business for a shared device in Amazon Chime in the AWS Management Console, the AWS CLI, or the AWS API, Amazon Chime creates the service-linked role for you. 

You can also use the IAM console to create a service-linked role with the **Amazon Chime** use case. In the AWS CLI or the AWS API, create a service-linked role with the `chime.amazonaws.com` service name. For more information, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again.

## Editing a service-linked role for Amazon Chime
<a name="edit-service-linked-role-a4b"></a>

Amazon Chime does not allow you to edit the AWSServiceRoleForAmazonChime service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for Amazon Chime
<a name="delete-service-linked-role-a4b"></a>

If you no longer require a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it.

### Cleaning up a service-linked role
<a name="service-linked-role-review-before-delete-a4b"></a>

Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role.

**Note**  
If Amazon Chime is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete Amazon Chime resources used by the AWSServiceRoleForAmazonChime (console)**
+ Turn off Alexa for Business for all shared devices in your Amazon Chime account.

  1. Open the Amazon Chime console at [https://chime.aws.amazon.com/](https://chime.aws.amazon.com).

  1. Choose **Users**, **Shared devices**.

  1. Select a device.

  1. Choose **Actions**.

  1. Choose **Disable Alexa for Business.**

### Manually delete the service-linked role
<a name="slr-manual-delete-a4b"></a>

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForAmazonChime service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for Amazon Chime service-linked roles
<a name="slr-regions-a4b"></a>

Amazon Chime supports using service-linked roles in all of the regions where the service is available. For more information, see [Amazon Chime endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/chime.html#chime_region).

# Using roles with live transcription
<a name="using-service-linked-roles-transcription"></a>

The information in the following sections explains how to create and manage a service-linked role for Amazon Chime live transcription. For more information about the live transcription service, see [Using Amazon Chime SDK live transcription](https://docs.aws.amazon.com/chime/latest/dg/meeting-transcription.html).

**Topics**
+ [Service-Linked Role Permissions for Live Transcription](#service-linked-role-permissions-transcription)
+ [Creating a Service-Linked Role for Live Transcription](#create-service-linked-role-transcription)
+ [Editing a Service-Linked Role for Live Transcription](#edit-slr)
+ [Deleting a Service-Linked Role for Live Transcription](#delete-slr)
+ [Supported Regions for Amazon Chime Service-Linked Roles](#slr-regions-transcription)

## Service-Linked Role Permissions for Live Transcription
<a name="service-linked-role-permissions-transcription"></a>

Amazon Chime uses the service-linked role named **AWSServiceRoleForAmazonChimeTranscription** – Allows Amazon Chime to access Amazon Transcribe and Amazon Transcribe Medical on your behalf.

The AWSServiceRoleForAmazonChimeTranscription service-linked role trusts the following services to assume the role:
+ `transcription.chime.amazonaws.com`

The role permissions policy allows Amazon Chime to complete the following actions on the specified resources:
+ Action: `transcribe:StartStreamTranscription` on `all AWS resources`
+ Action: `transcribe:StartMedicalStreamTranscription` on `all AWS resources`

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a Service-Linked Role for Live Transcription
<a name="create-service-linked-role-transcription"></a>

You use the IAM console to create a service-linked role with the **Chime Transcription** use case.

**Note**  
You must have IAM administrative permissions to complete these steps. If you don't, contact a system administrator.

**To create the role**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the IAM console, choose **Roles**, then choose **Create role**.

1. Choose the **AWS Service** role type, then choose **Chime**, then choose **Chime Transcription**.

1. Choose **Next**.

1. Choose **Next**.

1. Edit the description as needed, then choose **Create role**.

You can also use the AWS CLI or the AWS API to create the service-linked role by specifying the `transcription.chime.amazonaws.com` service name. 

In the CLI, run this command: `aws iam create-service-linked-role --aws-service-name transcription.chime.amazonaws.com`.

For more information, see [Creating a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again.

## Editing a Service-Linked Role for Live Transcription
<a name="edit-slr"></a>

Amazon Chime does not allow you to edit the AWSServiceRoleForAmazonChimeTranscription service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can use IAM to edit the role's description. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a Service-Linked Role for Live Transcription
<a name="delete-slr"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained.

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForAmazonChimeTranscription service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for Amazon Chime Service-Linked Roles
<a name="slr-regions-transcription"></a>

Amazon Chime supports using service-linked roles in all of the regions where the service is available. For more information, see [Amazon Chime endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/chime.html#chime_region), and [Using Amazon Chime SDK media Regions](https://docs.aws.amazon.com/chime/latest/dg/chime-sdk-meetings-regions.html).

# Using roles with Amazon Chime SDK media pipelines
<a name="using-service-linked-roles-media-pipeline"></a>

The information in the following sections explains how to create and manage a service-linked role for Amazon Chime SDK Media Pipelines.

**Topics**
+ [Service-linked role permissions for Amazon Chime SDK media pipelines](#slr-permissions)
+ [Creating a service-linked role for Amazon Chime SDK media pipelines](#create-slr)
+ [Editing a service-linked role for Amazon Chime SDK media pipelines](#edit-slr)
+ [Deleting a service-linked role for Amazon Chime SDK media pipelines](#delete-slr)
+ [Supported Regions for Amazon Chime SDK media pipelines service-linked roles](#slr-regions)

## Service-linked role permissions for Amazon Chime SDK media pipelines
<a name="slr-permissions"></a>

Amazon Chime uses the service-linked role named **AWSServiceRoleForAmazonChimeSDKMediaPipelines** – Allows Amazon Chime SDK media pipelines to access Amazon Chime SDK meetings on your behalf.

The AWSServiceRoleForAmazonChimeSDKMediaPipelines service-linked role trusts the following services to assume the role:
+ `mediapipelines.chime.amazonaws.com`

The role allows Amazon Chime to complete the following actions on the specified resources:
+ Action: `chime:CreateAttendee` on `all AWS resources`
+ Action: `chime:DeleteAttendee` on `all AWS resources`
+ Action: `chime:GetMeeting` on `all AWS resources`

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.
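As an added example that is not AWS code, the following check compares the three Amazon Chime service-linked roles documented in this guide (this section and the two before it) against decoded trust and permissions policy documents as IAM returns them, so that a change in what a role trusts or grants is surfaced for reconciliation with the policy-update table earlier in this guide. The policy documents below are constructed samples, and `transcribe:ExampleAddedAction` is a placeholder standing in for any action a later policy update might add.

```python
# Roles, trusted service principals and permitted actions as documented in the
# three service-linked role sections above. Update EXPECTED_ROLES whenever the
# "updates to AWS managed policies" table in this guide records a change.
EXPECTED_ROLES = {
    "AWSServiceRoleForAmazonChime": {
        "principals": {"chime.amazonaws.com"},
        "actions": {"iam:CreateServiceLinkedRole"},
    },
    "AWSServiceRoleForAmazonChimeTranscription": {
        "principals": {"transcription.chime.amazonaws.com"},
        "actions": {"transcribe:StartStreamTranscription",
                    "transcribe:StartMedicalStreamTranscription"},
    },
    "AWSServiceRoleForAmazonChimeSDKMediaPipelines": {
        "principals": {"mediapipelines.chime.amazonaws.com"},
        "actions": {"chime:CreateAttendee", "chime:DeleteAttendee",
                    "chime:GetMeeting"},
    },
}

# Constructed sample documents in the decoded-JSON shape IAM returns.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": "transcription.chime.amazonaws.com"}}]}
GOOD_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["transcribe:StartStreamTranscription",
                "transcribe:StartMedicalStreamTranscription"]}]}
# Same role after a hypothetical policy update that grants one more action
# (placeholder name, not a real Amazon Transcribe action).
DRIFTED_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["transcribe:StartStreamTranscription",
                "transcribe:StartMedicalStreamTranscription",
                "transcribe:ExampleAddedAction"]}]}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Principal values."""
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_policy):
    """Every principal an Allow sts:AssumeRole statement names, of any kind."""
    found = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        for kind in ("Service", "AWS", "Federated"):
            found.update(_as_list(principal.get(kind, [])))
    return found


def granted_actions(permissions_policy):
    """Every action an Allow statement of the permissions policy grants."""
    found = set()
    for stmt in permissions_policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            found.update(_as_list(stmt["Action"]))
    return found


def audit_role(role_name, trust_policy, permissions_policy):
    """Return findings for one role; an empty list means it matches the guide."""
    expected = EXPECTED_ROLES.get(role_name)
    if expected is None:
        return [f"{role_name}: not a documented Amazon Chime service-linked role"]
    findings = []
    trusted = trusted_principals(trust_policy)
    if trusted - expected["principals"]:
        findings.append(f"{role_name}: trust policy also allows "
                        f"{sorted(trusted - expected['principals'])}")
    if expected["principals"] - trusted:
        findings.append(f"{role_name}: trust policy no longer allows "
                        f"{sorted(expected['principals'] - trusted)}")
    extra = granted_actions(permissions_policy) - expected["actions"]
    if extra:
        findings.append(f"{role_name}: permissions policy also grants {sorted(extra)}")
    return findings


if __name__ == "__main__":
    name = "AWSServiceRoleForAmazonChimeTranscription"
    print(audit_role(name, GOOD_TRUST, GOOD_PERMISSIONS))     # []
    print(audit_role(name, GOOD_TRUST, DRIFTED_PERMISSIONS))  # one finding
```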

## Creating a service-linked role for Amazon Chime SDK media pipelines
<a name="create-slr"></a>

You use the IAM console to create a service-linked role with the **Amazon Chime SDK Media Pipelines** use case.

**Note**  
You must have IAM administrative permissions to complete these steps. If you don't, contact a system administrator.

**To create the role**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the IAM console, choose **Roles**, then choose **Create role**.

1. Choose the **AWS Service** role type, then choose **Chime**, then choose **Chime SDK Media Pipelines**.

1. Choose **Next**.

1. Choose **Next**.

1. Edit the description as needed, then choose **Create role**.

You can also use the AWS CLI or the AWS API to create the service-linked role by specifying the `mediapipelines.chime.amazonaws.com` service name.

In the AWS CLI, run this command: `aws iam create-service-linked-role --aws-service-name mediapipelines.chime.amazonaws.com`.

For more information, see [Creating a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again.

## Editing a service-linked role for Amazon Chime SDK media pipelines
<a name="edit-slr"></a>

Amazon Chime does not allow you to edit the AWSServiceRoleForAmazonChimeSDKMediaPipelines service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for Amazon Chime SDK media pipelines
<a name="delete-slr"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained.

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForAmazonChimeSDKMediaPipelines service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for Amazon Chime SDK media pipelines service-linked roles
<a name="slr-regions"></a>

Amazon Chime SDK supports using service-linked roles in all of the AWS Regions where the service is available. For more information, see [Amazon Chime endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/chime.html#chime_region).

# Logging and monitoring in Amazon Chime
<a name="monitoring-overview"></a>

Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon Chime and your other AWS solutions. AWS provides the following tools to monitor Amazon Chime, report issues, and take automatic actions when appropriate:
+ *Amazon CloudWatch* monitors in real time your AWS resources and the applications that you run on AWS. You can collect and track metrics, create customized dashboards, and set alarms that notify you or take actions when a specified metric reaches a threshold that you specify. For example, you can have CloudWatch track CPU usage or other metrics of your Amazon EC2 instances and automatically launch new instances when needed. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
+ *Amazon EventBridge* delivers a near real-time stream of system events that describe changes in AWS resources. EventBridge enables automated event-driven computing. This lets you write rules that watch for certain events, and trigger automated actions in other AWS services when these events happen. For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/).
+ *Amazon CloudWatch Logs* lets you monitor, store, and access your log files from Amazon EC2 instances, CloudTrail, and other sources. CloudWatch Logs can monitor information in the log files and notify you when certain thresholds are met. You can also archive your log data in highly durable storage. For more information, see the [Amazon CloudWatch Logs User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/).
+ *AWS CloudTrail* captures API calls and related events made by or on behalf of your AWS account. It then delivers the log files to an Amazon S3 bucket that you specify. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred. For more information, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).

**Topics**
+ [Monitoring Amazon Chime with Amazon CloudWatch](monitoring-cloudwatch.md)
+ [Automating Amazon Chime with EventBridge](automating-chime-with-cloudwatch-events.md)
+ [Logging Amazon Chime API calls with AWS CloudTrail](cloudtrail.md)

# Monitoring Amazon Chime with Amazon CloudWatch
<a name="monitoring-cloudwatch"></a>

You can monitor Amazon Chime using CloudWatch, which collects raw data and processes it into readable, near real-time metrics. These statistics are kept for 15 months, so that you can access historical information and gain a better perspective about how your web application or service is performing. You can also set alarms that watch for certain thresholds, and send notifications or take actions when those thresholds are met. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).

## CloudWatch metrics for Amazon Chime
<a name="cw-metrics"></a>

Amazon Chime sends the following metrics to CloudWatch.

The `AWS/ChimeVoiceConnector` namespace includes the following metrics for phone numbers assigned to your AWS account and to Amazon Chime Voice Connectors.


| Metric | Description | 
| --- | --- | 
|  `InboundCallAttempts`  |  The number of inbound calls attempted. Units: Count  | 
|  `InboundCallFailures`  |  The number of inbound call failures. Units: Count  | 
|  `InboundCallsAnswered`  |  The number of inbound calls that are answered. Units: Count  | 
|  `InboundCallsActive`  |  The number of inbound calls that are currently active. Units: Count  | 
|  `OutboundCallAttempts`  |  The number of outbound calls attempted. Units: Count  | 
|  `OutboundCallFailures`  |  The number of outbound call failures. Units: Count  | 
|  `OutboundCallsAnswered`  |  The number of outbound calls that are answered. Units: Count  | 
|  `OutboundCallsActive`  |  The number of outbound calls that are currently active. Units: Count  | 
|  `Throttles`  |  The number of times your account is throttled when attempting to make a call. Units: Count  | 
|  `Sip1xxCodes`  |  The number of SIP messages with 1xx-level status codes. Units: Count  | 
|  `Sip2xxCodes`  |  The number of SIP messages with 2xx-level status codes. Units: Count  | 
|  `Sip3xxCodes`  |  The number of SIP messages with 3xx-level status codes. Units: Count  | 
|  `Sip4xxCodes`  |  The number of SIP messages with 4xx-level status codes. Units: Count  | 
|  `Sip5xxCodes`  |  The number of SIP messages with 5xx-level status codes. Units: Count  | 
|  `Sip6xxCodes`  |  The number of SIP messages with 6xx-level status codes. Units: Count  | 
|  `CustomerToVcRtpPackets`  |  The number of RTP packets sent from the customer to the Amazon Chime Voice Connector infrastructure. Units: Count  | 
|  `CustomerToVcRtpBytes`  |  The number of bytes sent from the customer to the Amazon Chime Voice Connector infrastructure in RTP packets. Units: Count  | 
|  `CustomerToVcRtcpPackets`  |  The number of RTCP packets sent from the customer to the Amazon Chime Voice Connector infrastructure. Units: Count  | 
|  `CustomerToVcRtcpBytes`  |  The number of bytes sent from the customer to the Amazon Chime Voice Connector infrastructure in RTCP packets. Units: Count  | 
|  `CustomerToVcPacketsLost`  |  The number of packets lost in transit from the customer to the Amazon Chime Voice Connector infrastructure. Units: Count  | 
|  `CustomerToVcJitter`  |  The average jitter for packets sent from the customer to the Amazon Chime Voice Connector infrastructure. Units: Microseconds  | 
|  `VcToCustomerRtpPackets`  |  The number of RTP packets sent from the Amazon Chime Voice Connector infrastructure to the customer. Units: Count  | 
|  `VcToCustomerRtpBytes`  |  The number of bytes sent from the Amazon Chime Voice Connector infrastructure to the customer in RTP packets. Units: Count  | 
|  `VcToCustomerRtcpPackets`  |  The number of RTCP packets sent from the Amazon Chime Voice Connector infrastructure to the customer. Units: Count  | 
|  `VcToCustomerRtcpBytes`  |  The number of bytes sent from the Amazon Chime Voice Connector infrastructure to the customer in RTCP packets. Units: Count  | 
|  `VcToCustomerPacketsLost`  |  The number of packets lost in transit from the Amazon Chime Voice Connector infrastructure to the customer. Units: Count  | 
|  `VcToCustomerJitter`  |  The average jitter for packets sent from the Amazon Chime Voice Connector infrastructure to the customer. Units: Microseconds  | 
|  `RTTBetweenVcAndCustomer`  |  The average round-trip time between the customer and the Amazon Chime Voice Connector infrastructure. Units: Microseconds  | 
|  `MOSBetweenVcAndCustomer`  |  The estimated mean opinion score (MOS) associated with voice streams between the customer and the Amazon Chime Voice Connector infrastructure. Units: Score between 1.0 and 4.4. A higher score indicates better perceived audio quality.  | 
|  `RemoteToVcRtpPackets`  |  The number of RTP packets sent from the remote end to the Amazon Chime Voice Connector infrastructure. Units: Count  | 
|  `RemoteToVcRtpBytes`  |  The number of bytes sent from the remote end to the Amazon Chime Voice Connector infrastructure in RTP packets. Units: Count  | 
|  `RemoteToVcRtcpPackets`  |  The number of RTCP packets sent from the remote end to the Amazon Chime Voice Connector infrastructure. Units: Count  | 
|  `RemoteToVcRtcpBytes`  |  The number of bytes sent from the remote end to the Amazon Chime Voice Connector infrastructure in RTCP packets. Units: Count  | 
|  `RemoteToVcPacketsLost`  |  The number of packets lost in transit from the remote end to the Amazon Chime Voice Connector infrastructure. Units: Count  | 
|  `RemoteToVcJitter`  |  The average jitter for packets sent from the remote end to the Amazon Chime Voice Connector infrastructure. Units: Microseconds  | 
|  `VcToRemoteRtpPackets`  |  The number of RTP packets sent from the Amazon Chime Voice Connector infrastructure to the remote end. Units: Count  | 
|  `VcToRemoteRtpBytes`  |  The number of bytes sent from the Amazon Chime Voice Connector infrastructure to the remote end in RTP packets. Units: Count  | 
|  `VcToRemoteRtcpPackets`  |  The number of RTCP packets sent from the Amazon Chime Voice Connector infrastructure to the remote end. Units: Count  | 
|  `VcToRemoteRtcpBytes`  |  The number of bytes sent from the Amazon Chime Voice Connector infrastructure to the remote end in RTCP packets. Units: Count  | 
|  `VcToRemotePacketsLost`  |  The number of packets lost in transit from the Amazon Chime Voice Connector infrastructure to the remote end. Units: Count  | 
|  `VcToRemoteJitter`  |  The average jitter for packets sent from the Amazon Chime Voice Connector infrastructure to the remote end. Units: Microseconds  | 
|  `RTTBetweenVcAndRemote`  |  The average round-trip time between the remote end and the Amazon Chime Voice Connector infrastructure. Units: Microseconds  | 
|  `MOSBetweenVcAndRemote`  |  The estimated Mean opinion score (MOS) associated with voice streams between the remote end and the Amazon Chime Voice Connector infrastructure. Units: Score between 1.0-4.4. A higher score indicates better perceived audio quality.  | 

## CloudWatch dimensions for Amazon Chime
<a name="cw-dimensions"></a>

The CloudWatch dimensions that you can use with Amazon Chime are listed as follows.


| Dimension | Description | 
| --- | --- | 
|  `VoiceConnectorId`  |  The identifier of the Amazon Chime Voice Connector to display metrics for.  | 
|  `Region`  |  The AWS Region associated with the event.  | 

## CloudWatch logs for Amazon Chime
<a name="cw-logs"></a>

You can send Amazon Chime Voice Connector metrics to CloudWatch Logs. For more information, see [Editing Amazon Chime Voice Connector settings](https://docs.aws.amazon.com/chime-sdk/latest/ag/edit-voicecon.html) in the *Amazon Chime SDK Administration Guide*.

**Media quality metric logs**  
You can opt to receive media quality metric logs for your Amazon Chime Voice Connector. When you do, Amazon Chime sends detailed, per-minute metrics for all of your Amazon Chime Voice Connector calls to a CloudWatch Logs log group that is created for you. The log group name is `/aws/ChimeVoiceConnectorLogs/${VoiceConnectorID}`. The following fields are included in the logs, in JSON format.


| Field | Description | 
| --- | --- | 
|  `voice_connector_id`  |  The Amazon Chime Voice Connector ID carrying the call.  | 
|  `event_timestamp`  |  The time when the metrics are emitted, in number of milliseconds since the UNIX epoch (midnight on January 1, 1970) in UTC.  | 
|  `call_id`  |  Corresponds to the Transaction ID.  | 
|  `from_sip_user`  |  The initiating user for the call.  | 
|  `from_country`  |  The initiating country for the call.  | 
|  `to_sip_user`  |  The receiving user for the call.  | 
|  `to_country`  |  The receiving country for the call.  | 
|  `endpoint_id`  |  An opaque identifier indicating the other endpoint of the call. Use with CloudWatch Logs Insights. For more information, see [Analyzing log data with CloudWatch Logs Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html) in the *Amazon CloudWatch Logs User Guide*.  | 
|  `aws_region`  |  The AWS Region for the call.  | 
|  `cust2vc_rtp_packets`  |  The number of RTP packets sent from the customer to the Amazon Chime Voice Connector infrastructure.  | 
|  `cust2vc_rtp_bytes`  |  The number of bytes sent from the customer to the Amazon Chime Voice Connector infrastructure in RTP packets.  | 
|  `cust2vc_rtcp_packets`  |  The number of RTCP packets sent from the customer to the Amazon Chime Voice Connector infrastructure.  | 
|  `cust2vc_rtcp_bytes`  |  The number of bytes sent from the customer to the Amazon Chime Voice Connector infrastructure in RTCP packets.  | 
|  `cust2vc_packets_lost`  |  The number of packets lost in transit from the customer to the Amazon Chime Voice Connector infrastructure.  | 
|  `cust2vc_jitter`  |  The average jitter for packets sent from the customer to the Amazon Chime Voice Connector infrastructure.  | 
|  `vc2cust_rtp_packets`  |  The number of RTP packets sent from the Amazon Chime Voice Connector infrastructure to the customer.  | 
|  `vc2cust_rtp_bytes`  |  The number of bytes sent from the Amazon Chime Voice Connector infrastructure to the customer in RTP packets.  | 
|  `vc2cust_rtcp_packets`  |  The number of RTCP packets sent from the Amazon Chime Voice Connector infrastructure to the customer.  | 
|  `vc2cust_rtcp_bytes`  |  The number of bytes sent from the Amazon Chime Voice Connector infrastructure to the customer in RTCP packets.  | 
|  `vc2cust_packets_lost`  |  The number of packets lost in transit from the Amazon Chime Voice Connector infrastructure to the customer.  | 
|  `vc2cust_jitter`  |  The average jitter for packets sent from the Amazon Chime Voice Connector infrastructure to the customer.  | 
|  `rtt_btwn_vc_and_cust`  |  The average round-trip time between the customer and the Amazon Chime Voice Connector infrastructure.  | 
|  `mos_btwn_vc_and_cust`  |  The estimated Mean opinion score (MOS) associated with voice streams between the customer and the Amazon Chime Voice Connector infrastructure.  | 
|  `rem2vc_rtp_packets`  |  The number of RTP packets sent from the remote end to the Amazon Chime Voice Connector infrastructure.  | 
|  `rem2vc_rtp_bytes`  |  The number of bytes sent from the remote end to the Amazon Chime Voice Connector infrastructure in RTP packets.  | 
|  `rem2vc_rtcp_packets`  |  The number of RTCP packets sent from the remote end to the Amazon Chime Voice Connector infrastructure.  | 
|  `rem2vc_rtcp_bytes`  |  The number of bytes sent from the remote end to the Amazon Chime Voice Connector infrastructure in RTCP packets.  | 
|  `rem2vc_packets_lost`  |  The number of packets lost in transit from the remote end to the Amazon Chime Voice Connector infrastructure.  | 
|  `rem2vc_jitter`  |  The average jitter for packets sent from the remote end to the Amazon Chime Voice Connector infrastructure.  | 
|  `vc2rem_rtp_packets`  |  The number of RTP packets sent from the Amazon Chime Voice Connector infrastructure to the remote end.  | 
|  `vc2rem_rtp_bytes`  |  The number of bytes sent from the Amazon Chime Voice Connector infrastructure to the remote end in RTP packets.  | 
|  `vc2rem_rtcp_packets`  |  The number of RTCP packets sent from the Amazon Chime Voice Connector infrastructure to the remote end.  | 
|  `vc2rem_rtcp_bytes`  |  The number of bytes sent from the Amazon Chime Voice Connector infrastructure to the remote end in RTCP packets.  | 
|  `vc2rem_packets_lost`  |  The number of packets lost in transit from the Amazon Chime Voice Connector infrastructure to the remote end.  | 
|  `vc2rem_jitter`  |  The average jitter for packets sent from the Amazon Chime Voice Connector infrastructure to the remote end.  | 
|  `rtt_btwn_vc_and_rem`  |  The average round-trip time between the remote end and the Amazon Chime Voice Connector infrastructure.  | 
|  `mos_btwn_vc_and_rem`  |  The estimated Mean opinion score (MOS) associated with voice streams between the remote end and the Amazon Chime Voice Connector infrastructure.  | 
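The per-minute records above are plain JSON, so a small offline reviewer can flag degraded or unexpected calls before the data is queried in Logs Insights. This is an added example, not code from the Amazon Chime documentation; the sample records, thresholds, country allow list, the `ZZ` placeholder country code and the Logs Insights query are all assumptions.

```python
import json

# Constructed per-minute records (not real Voice Connector output). Field names
# follow the media quality log table; jitter and RTT are in microseconds as in
# the CloudWatch metrics, MOS is on the 1.0-4.4 scale. Values are made up.
def make_record(**overrides):
    base = {
        "voice_connector_id": "abcdef1ghij2klmno3pqr4",
        "event_timestamp": 1700000000000, "call_id": "call-0001",
        "from_sip_user": "+12065550100", "from_country": "US",
        "to_sip_user": "+13605550199", "to_country": "US",
        "endpoint_id": "ep-1", "aws_region": "us-east-1",
        "cust2vc_rtp_packets": 3000, "cust2vc_packets_lost": 3, "cust2vc_jitter": 4000,
        "vc2cust_rtp_packets": 3000, "vc2cust_packets_lost": 2, "vc2cust_jitter": 3500,
        "rtt_btwn_vc_and_cust": 40000, "mos_btwn_vc_and_cust": 4.3,
        "rem2vc_rtp_packets": 3000, "rem2vc_packets_lost": 0, "rem2vc_jitter": 2000,
        "vc2rem_rtp_packets": 3000, "vc2rem_packets_lost": 1, "vc2rem_jitter": 2000,
        "rtt_btwn_vc_and_rem": 20000, "mos_btwn_vc_and_rem": 4.4,
    }
    base.update(overrides)
    return json.dumps(base)

SAMPLE_LOG_LINES = [
    make_record(),                                               # healthy minute
    make_record(call_id="call-0002", cust2vc_packets_lost=240,   # lossy, jittery,
                cust2vc_jitter=65000, mos_btwn_vc_and_cust=2.6), # poor MOS
    make_record(call_id="call-0003", to_country="ZZ"),           # "ZZ" is a placeholder
]                                                                # country code

LEGS = ("cust2vc", "vc2cust", "rem2vc", "vc2rem")
MOS_FIELDS = ("mos_btwn_vc_and_cust", "mos_btwn_vc_and_rem")

def loss_ratio(rec, leg):
    """Fraction of RTP packets lost on one leg. Assumption: the packets field
    counts packets that arrived, so sent = arrived + lost."""
    arrived = rec[f"{leg}_rtp_packets"]
    lost = rec[f"{leg}_packets_lost"]
    total = arrived + lost
    return lost / total if total else 0.0

def analyze(lines, allowed_countries, *, mos_floor=3.5, max_loss=0.02,
            max_jitter_us=30000):
    """Return one finding per record that breaches a quality threshold or
    involves a country outside the allow list (thresholds are assumptions)."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        reasons = []
        for leg in LEGS:
            ratio = loss_ratio(rec, leg)
            if ratio > max_loss:
                reasons.append(f"{leg} packet loss {ratio:.1%}")
            jitter = rec[f"{leg}_jitter"]
            if jitter > max_jitter_us:
                reasons.append(f"{leg} jitter {jitter} us")
        for field in MOS_FIELDS:
            if rec[field] < mos_floor:
                reasons.append(f"{field} {rec[field]:.1f} below {mos_floor}")
        for field in ("from_country", "to_country"):
            if rec[field] not in allowed_countries:
                reasons.append(f"{field} {rec[field]} not in allow list")
        if reasons:
            findings.append({"call_id": rec["call_id"],
                             "voice_connector_id": rec["voice_connector_id"],
                             "event_timestamp": rec["event_timestamp"],
                             "reasons": reasons})
    return findings

# The MOS check as a CloudWatch Logs Insights query (assumption) to run against
# the /aws/ChimeVoiceConnectorLogs/<VoiceConnectorID> log group.
INSIGHTS_LOW_MOS_QUERY = """fields @timestamp, call_id, endpoint_id, to_country, mos_btwn_vc_and_cust
| filter mos_btwn_vc_and_cust < 3.5
| sort @timestamp desc
| limit 100"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG_LINES, {"US"}):
        print(finding["call_id"], "; ".join(finding["reasons"]))
```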

**SIP message logs**  
You can opt to receive SIP message logs for your Amazon Chime Voice Connector. When you do, Amazon Chime captures inbound and outbound SIP messages and sends them to a CloudWatch Logs log group that is created for you. The log group name is `/aws/ChimeVoiceConnectorSipMessages/${VoiceConnectorID}`. The following fields are included in the logs, in JSON format.


| Field | Description | 
| --- | --- | 
|  `voice_connector_id`  |  The Amazon Chime Voice Connector ID.  | 
|  `aws_region`  |  The AWS Region associated with the event.  | 
|  `event_timestamp`  |  The time when the message is captured, in number of milliseconds since the UNIX epoch (midnight on January 1, 1970) in UTC.  | 
|  `call_id`  |  The Amazon Chime Voice Connector call ID.  | 
|  `sip_message`  |  The full SIP message that is captured.  | 

# Automating Amazon Chime with EventBridge
<a name="automating-chime-with-cloudwatch-events"></a>

Amazon EventBridge lets you automate your AWS services and respond automatically to system events, such as application availability issues or resource changes. For more information about the meeting events, see [Meeting events](https://docs.aws.amazon.com/chime/latest/dg/using-events.html) in the *Amazon Chime Developer Guide*.

When Amazon Chime generates events, it sends them to EventBridge for *best effort delivery*, meaning Amazon Chime tries to send all events to EventBridge, but in rare cases an event might not be delivered. For more information, refer to [Events from AWS services](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html) in the *Amazon EventBridge User Guide*.

**Note**  
If you need to encrypt data, you must use Amazon S3-Managed Keys. We don't support server-side encryption using Customer Master Keys stored in the AWS Key Management Service. 

## Automating Amazon Chime Voice Connectors with EventBridge
<a name="events-cvc"></a>

The actions that can be automatically triggered for Amazon Chime Voice Connectors include the following:
+ Invoking an AWS Lambda function
+ Launching an Amazon Elastic Container Service task
+ Relaying the event to Amazon Kinesis Video Streams
+ Activating an AWS Step Functions state machine
+ Notifying an Amazon SNS topic or an Amazon SQS queue

Some examples of using EventBridge with Amazon Chime Voice Connectors include:
+ Activating a Lambda function to download audio for a call after the call is ended.
+ Launching an Amazon ECS task to enable real-time transcription after a call is started.

For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/).

## Amazon Chime Voice Connector streaming events
<a name="stream-events-cvc"></a>

Amazon Chime Voice Connectors support sending events to EventBridge when the events discussed in this section occur.

### Amazon Chime Voice Connector streaming starts
<a name="stream-start-cvc"></a>

Amazon Chime Voice Connectors send this event when media streaming to Kinesis Video Streams starts.

**Example Event data**  
The following is example data for this event.  

```
{
    "version": "0",
    "id": "12345678-1234-1234-1234-111122223333",
    "detail-type": "Chime VoiceConnector Streaming Status",
    "source": "aws.chime",
    "account": "111122223333",
    "time": "yyyy-mm-ddThh:mm:ssZ",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "callId": "1112-2222-4333",
        "direction": "Outbound",
        "fromNumber": "+12065550100",
        "inviteHeaders": {
            "from": "\"John\" <sip:+12065550100@10.24.34.0>;tag=abcdefg",
            "to": "<sip:+13605550199@abcdef1ghij2klmno3pqr4.voiceconnector.chime.aws:5060>",
            "call-id": "1112-2222-4333",
            "cseq": "101 INVITE",
            "contact": "<sip:user@10.24.34.0:6090>",
            "content-type": "application/sdp",
            "content-length": "246"
        },
        "isCaller": false,
        "mediaType": "audio/L16",
        "sdp": {
            "mediaIndex": 0,
            "mediaLabel": "1"
        },
        "siprecMetadata": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<recording xmlns='urn:ietf:params:xml:ns:recording:1'>",
        "startFragmentNumber": "1234567899444",
        "startTime": "yyyy-mm-ddThh:mm:ssZ",
        "streamArn": "arn:aws:kinesisvideo:us-east-1:123456:stream/ChimeVoiceConnector-abcdef1ghij2klmno3pqr4-111aaa-22bb-33cc-44dd-111222/111122223333",
        "toNumber": "+13605550199",
        "transactionId": "12345678-1234-1234",
        "voiceConnectorId": "abcdef1ghij2klmno3pqr4",
        "streamingStatus": "STARTED",
        "version": "0"
    }
}
```

### Amazon Chime Voice Connector streaming ends
<a name="stream-end-cvc"></a>

Amazon Chime Voice Connectors send this event when media streaming to Kinesis Video Streams ends.

**Example Event data**  
The following is example data for this event.  

```
{
    "version": "0",
    "id": "12345678-1234-1234-1234-111122223333",
    "detail-type": "Chime VoiceConnector Streaming Status",
    "source": "aws.chime",
    "account": "111122223333",
    "time": "yyyy-mm-ddThh:mm:ssZ",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "streamingStatus": "ENDED",
        "voiceConnectorId": "abcdef1ghij2klmno3pqr4",
        "transactionId": "12345678-1234-1234",
        "callId": "1112-2222-4333",
        "direction": "Inbound",
        "fromNumber": "+12065550100",
        "inviteHeaders": {
            "from": "\"John\" <sip:+12065550100@10.24.34.0>;tag=abcdefg",
            "to": "<sip:+13605550199@abcdef1ghij2klmno3pqr4.voiceconnector.chime.aws:5060>",
            "call-id": "1112-2222-4333",
            "cseq": "101 INVITE",
            "contact": "<sip:user@10.24.34.0:6090>",
            "content-type": "application/sdp",
            "content-length": "246"
        },
        "isCaller": false,
        "mediaType": "audio/L16",
        "sdp": {
            "mediaIndex": 0,
            "mediaLabel": "1"
        },
        "siprecMetadata": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<recording xmlns='urn:ietf:params:xml:ns:recording:1'>",
        "startFragmentNumber": "1234567899444",
        "startTime": "yyyy-mm-ddThh:mm:ssZ",
        "endTime": "yyyy-mm-ddThh:mm:ssZ",
        "streamArn": "arn:aws:kinesisvideo:us-east-1:123456:stream/ChimeVoiceConnector-abcdef1ghij2klmno3pqr4-111aaa-22bb-33cc-44dd-111222/111122223333",
        "toNumber": "+13605550199",
        "version": "0"
    }
}
```

### Amazon Chime Voice Connector streaming updates
<a name="stream-update-cvc"></a>

Amazon Chime Voice Connectors send this event when media streaming to Kinesis Video Streams is updated.

**Example Event data**  
The following is example data for this event.  

```
{
    "version": "0",
    "id": "12345678-1234-1234-1234-111122223333",
    "detail-type": "Chime VoiceConnector Streaming Status",
    "source": "aws.chime",
    "account": "111122223333",
    "time": "yyyy-mm-ddThh:mm:ssZ",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "callId": "1112-2222-4333",
        "updateHeaders": {
            "from": "\"John\" <sip:+12065550100@10.24.34.0>;tag=abcdefg",
            "to": "<sip:+13605550199@abcdef1ghij2klmno3pqr4.voiceconnector.chime.aws:5060>",
            "call-id": "1112-2222-4333",
            "cseq": "101 INVITE",
            "contact": "<sip:user@10.24.34.0:6090>",
            "content-type": "application/sdp",
            "content-length": "246"
        },
        "siprecMetadata": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<recording xmlns='urn:ietf:params:xml:ns:recording:1'>",
        "streamingStatus": "UPDATED",
        "transactionId": "12345678-1234-1234",
        "version": "0",
        "voiceConnectorId": "abcdef1ghij2klmno3pqr4"
    }
}
```

### Amazon Chime Voice Connector streaming fails
<a name="stream-fail-cvc"></a>

Amazon Chime Voice Connectors send this event when media streaming to Kinesis Video Streams fails.

**Example Event data**  
The following is example data for this event.  

```
{
    "version": "0",
    "id": "12345678-1234-1234-1234-111122223333",
    "detail-type": "Chime VoiceConnector Streaming Status",
    "source": "aws.chime",
    "account": "111122223333",
    "time": "yyyy-mm-ddThh:mm:ssZ",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "streamingStatus": "FAILED",
        "voiceConnectorId": "abcdefghi",
        "transactionId": "12345678-1234-1234",
        "callId": "1112-2222-4333",
        "direction": "Inbound",
        "failTime": "yyyy-mm-ddThh:mm:ssZ",
        "failureReason": "Internal failure",
        "version": "0"
    }
}
```
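The four streaming status events share one `detail-type` and differ only in `streamingStatus`, so a single target can route all of them. The handler below is an added example, not code from the Amazon Chime documentation: the EventBridge rule pattern, the stream-name consistency check (drawn from the sample ARNs above), the action names and the constructed events are assumptions.

```python
EXPECTED_SOURCE = "aws.chime"
EXPECTED_DETAIL_TYPE = "Chime VoiceConnector Streaming Status"

# EventBridge rule pattern selecting only these events (assumption: this is
# the pattern on the rule whose target is lambda_handler below).
RULE_PATTERN = {"source": [EXPECTED_SOURCE], "detail-type": [EXPECTED_DETAIL_TYPE]}

def matches_rule(event, pattern=RULE_PATTERN):
    """Minimal EventBridge-style match: every pattern key must appear in the
    event with one of the listed values."""
    return all(event.get(key) in values for key, values in pattern.items())

def stream_belongs_to_connector(stream_arn, voice_connector_id):
    """Consistency check (assumption drawn from the sample events): the Kinesis
    Video Streams stream name starts with ChimeVoiceConnector-<voiceConnectorId>-."""
    name = stream_arn.rsplit(":stream/", 1)[-1].split("/", 1)[0]
    return name.startswith(f"ChimeVoiceConnector-{voice_connector_id}-")

def handle_streaming_status(event):
    """Route one streaming status event to the next step. Returns a plain dict
    so the decision can be inspected; the action names are placeholders for
    the Lambda, ECS or SNS target you would invoke."""
    if not matches_rule(event):
        raise ValueError("not a Chime VoiceConnector Streaming Status event")
    detail = event["detail"]
    status = detail["streamingStatus"]
    result = {"status": status, "callId": detail["callId"],
              "transactionId": detail["transactionId"],
              "voiceConnectorId": detail["voiceConnectorId"],
              "direction": detail.get("direction")}
    if status in ("STARTED", "ENDED"):
        if not stream_belongs_to_connector(detail["streamArn"], detail["voiceConnectorId"]):
            raise ValueError("streamArn does not match voiceConnectorId")
        result.update(streamArn=detail["streamArn"],
                      startFragmentNumber=detail["startFragmentNumber"],
                      mediaType=detail["mediaType"],
                      sipFrom=detail["inviteHeaders"]["from"],
                      sipTo=detail["inviteHeaders"]["to"])
        # STARTED: start real-time transcription; ENDED: fetch the recording
        # from the stream, beginning at startFragmentNumber.
        result["action"] = "start-transcription" if status == "STARTED" else "download-audio"
        if status == "ENDED":
            result["endTime"] = detail["endTime"]
    elif status == "UPDATED":
        result["action"] = "refresh-call-metadata"
        result["siprecMetadata"] = detail.get("siprecMetadata")
    elif status == "FAILED":
        result["action"] = "alert-operators"
        result["failureReason"] = detail.get("failureReason")
        result["failTime"] = detail.get("failTime")
    else:
        raise ValueError(f"unknown streamingStatus {status!r}")
    return result

def lambda_handler(event, context):
    """AWS Lambda entry point. Delivery is best effort, so each event is
    handled on its own: an ENDED without a preceding STARTED still works."""
    return handle_streaming_status(event)

# Constructed events modelled on the STARTED and FAILED samples above.
def sample_event(detail):
    return {"version": "0", "id": "12345678-1234-1234-1234-111122223333",
            "detail-type": EXPECTED_DETAIL_TYPE, "source": EXPECTED_SOURCE,
            "account": "111122223333", "time": "2024-01-01T00:00:00Z",
            "region": "us-east-1", "resources": [], "detail": detail}

STARTED_EVENT = sample_event({
    "callId": "1112-2222-4333", "direction": "Outbound",
    "fromNumber": "+12065550100", "toNumber": "+13605550199",
    "inviteHeaders": {
        "from": "\"John\" <sip:+12065550100@10.24.34.0>;tag=abcdefg",
        "to": "<sip:+13605550199@abcdef1ghij2klmno3pqr4.voiceconnector.chime.aws:5060>"},
    "isCaller": False, "mediaType": "audio/L16",
    "startFragmentNumber": "1234567899444", "startTime": "2024-01-01T00:00:00Z",
    "streamArn": "arn:aws:kinesisvideo:us-east-1:123456:stream/"
                 "ChimeVoiceConnector-abcdef1ghij2klmno3pqr4-111aaa-22bb-33cc-44dd-111222/111122223333",
    "transactionId": "12345678-1234-1234", "voiceConnectorId": "abcdef1ghij2klmno3pqr4",
    "streamingStatus": "STARTED", "version": "0"})

FAILED_EVENT = sample_event({
    "streamingStatus": "FAILED", "voiceConnectorId": "abcdefghi",
    "transactionId": "12345678-1234-1234", "callId": "1112-2222-4333",
    "direction": "Inbound", "failTime": "2024-01-01T00:05:00Z",
    "failureReason": "Internal failure", "version": "0"})

if __name__ == "__main__":
    print(lambda_handler(STARTED_EVENT, None)["action"])   # start-transcription
    print(lambda_handler(FAILED_EVENT, None)["failureReason"])
```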

# Logging Amazon Chime API calls with AWS CloudTrail
<a name="cloudtrail"></a>

Amazon Chime is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Amazon Chime. CloudTrail captures all API calls for Amazon Chime as events, including calls from the Amazon Chime console and from code calls to the Amazon Chime APIs. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Amazon Chime. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can determine the request that was made to Amazon Chime, the IP address from which the request was made, who made the request, when it was made, and additional details. 

To learn more about CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).

## Amazon Chime information in CloudTrail
<a name="service-name-info-in-cloudtrail"></a>

CloudTrail is enabled on your AWS account when you create the account. When API calls are made from the Amazon Chime administration console, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing events with CloudTrail event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html). 

For an ongoing record of events in your AWS account, including events for Amazon Chime, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see: 
+ [Overview for creating a trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail supported services and integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [Receiving CloudTrail log files from multiple Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail log files from multiple accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)

All Amazon Chime actions are logged by CloudTrail and are documented in the [Amazon Chime API Reference](https://docs.aws.amazon.com/chime/latest/APIReference/Welcome.html). For example, calls to the `CreateAccount`, `InviteUsers`, and `ResetPersonalPIN` actions generate entries in the CloudTrail log files. Every event or log entry contains information about who generated the request. The identity information helps you determine the following: 
+ Whether the request was made with root or IAM user credentials.
+ Whether the request was made with temporary security credentials for a role, or a federated user.
+ Whether the request was made by another AWS service.

For more information, see the [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).

## Understanding Amazon Chime log file entries
<a name="understanding-service-name-entries"></a>

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files are not an ordered stack trace of the public API calls, so they do not appear in any specific order. 

Entries for Amazon Chime are identified by the **chime.amazonaws.com** event source.

If you have configured Active Directory for your Amazon Chime account, see [Logging AWS Directory Service API calls using CloudTrail](https://docs.aws.amazon.com/directoryservice/latest/devguide/cloudtrail_logging.html). This describes how to monitor for issues that might affect your Amazon Chime users’ ability to sign in. 

The following example shows a CloudTrail log entry for Amazon Chime:

```
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AAAAAABBBBBBBBEXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "AAAAAABBBBBBBBEXAMPLE",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2017-07-24T17:57:43Z"
            },
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AAAAAABBBBBBBBEXAMPLE",
                "arn": "arn:aws:iam::123456789012:role/Joe",
                "accountId": "123456789012",
                "userName": "Joe"
            }
        }
    },
    "eventTime": "2017-07-24T17:58:21Z",
    "eventSource": "chime.amazonaws.com",
    "eventName": "AddDomain",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "72.21.198.64",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
    "errorCode": "ConflictException",
    "errorMessage": "Request could not be completed due to a conflict",
    "requestParameters": {
        "domainName": "example.com",
        "accountId": "11aaaaaa1-1a11-1111-1a11-aaadd0a0aa00"
    },
    "responseElements": null,
    "requestID": "be1bee1d-1111-11e1-1eD1-0dc1111f1ac1",
    "eventID": "00fbeee1-123e-111e-93e3-11111bfbfcc1",
    "eventType": "AwsApiCall",
    "recipientAccountId": "123456789012"
}
```
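Because a trail delivers many services' events in one file, the first step of any review is to select the `chime.amazonaws.com` entries and resolve who made each call from the `userIdentity` block. This is an added example, not code from the Amazon Chime documentation; the first record mirrors the `AddDomain` entry above, the other two records and the set of sensitive actions are constructed assumptions.

```python
import json

CHIME_EVENT_SOURCE = "chime.amazonaws.com"

# Constructed CloudTrail log file: a JSON object with a "Records" array. The
# first record mirrors the AddDomain entry above; the other two are made up.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {
        "eventVersion": "1.05",
        "userIdentity": {
            "type": "IAMUser", "principalId": "AAAAAABBBBBBBBEXAMPLE",
            "arn": "arn:aws:iam::123456789012:user/Alice",
            "accountId": "123456789012", "accessKeyId": "AAAAAABBBBBBBBEXAMPLE",
            "sessionContext": {
                "attributes": {"mfaAuthenticated": "false",
                               "creationDate": "2017-07-24T17:57:43Z"},
                "sessionIssuer": {"type": "Role", "principalId": "AAAAAABBBBBBBBEXAMPLE",
                                  "arn": "arn:aws:iam::123456789012:role/Joe",
                                  "accountId": "123456789012", "userName": "Joe"}}},
        "eventTime": "2017-07-24T17:58:21Z", "eventSource": "chime.amazonaws.com",
        "eventName": "AddDomain", "awsRegion": "us-east-1",
        "sourceIPAddress": "72.21.198.64",
        "errorCode": "ConflictException",
        "errorMessage": "Request could not be completed due to a conflict",
        "requestParameters": {"domainName": "example.com",
                              "accountId": "11aaaaaa1-1a11-1111-1a11-aaadd0a0aa00"},
        "responseElements": None, "eventType": "AwsApiCall",
        "recipientAccountId": "123456789012",
    },
    {   # not a Chime event; must be ignored
        "eventVersion": "1.05",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice"},
        "eventTime": "2017-07-24T17:59:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "awsRegion": "us-east-1",
        "sourceIPAddress": "72.21.198.64", "eventType": "AwsApiCall",
    },
    {   # successful sensitive action by a user signed in with MFA
        "eventVersion": "1.05",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Bob",
                         "accountId": "123456789012",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true",
                                                           "creationDate": "2017-07-24T18:00:00Z"}}},
        "eventTime": "2017-07-24T18:01:00Z", "eventSource": "chime.amazonaws.com",
        "eventName": "ResetPersonalPIN", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"accountId": "11aaaaaa1-1a11-1111-1a11-aaadd0a0aa00",
                              "userId": "user-id-placeholder"},
        "responseElements": None, "eventType": "AwsApiCall",
        "recipientAccountId": "123456789012",
    },
]})

# Chime actions worth a second look (assumption; extend from the API Reference).
SENSITIVE_ACTIONS = frozenset({"AddDomain", "CreateAccount", "InviteUsers", "ResetPersonalPIN"})

def describe_identity(identity):
    """Return (who, assumed_role, mfa) from a userIdentity block: the session
    issuer ARN when the call came through an assumed role, else the caller ARN."""
    session = identity.get("sessionContext", {})
    issuer = session.get("sessionIssuer")
    mfa = session.get("attributes", {}).get("mfaAuthenticated") == "true"
    if issuer:
        return issuer["arn"], True, mfa
    return identity.get("arn", identity.get("type", "unknown")), False, mfa

def chime_entries(log_file_text):
    """Keep only entries whose eventSource is chime.amazonaws.com, flattened
    to the fields a reviewer needs."""
    entries = []
    for record in json.loads(log_file_text)["Records"]:
        if record.get("eventSource") != CHIME_EVENT_SOURCE:
            continue
        who, assumed_role, mfa = describe_identity(record["userIdentity"])
        entries.append({
            "eventTime": record["eventTime"], "eventName": record["eventName"],
            "who": who, "assumedRole": assumed_role, "mfa": mfa,
            "sourceIPAddress": record.get("sourceIPAddress"),
            "errorCode": record.get("errorCode"),
            "requestParameters": record.get("requestParameters") or {},
        })
    return entries

def review(entries):
    """Findings: failed calls (repeated errors can mean a broken automation or
    probing) and sensitive actions taken in a session without MFA."""
    findings = []
    for e in entries:
        label = f"{e['eventName']} by {e['who']} from {e['sourceIPAddress']} at {e['eventTime']}"
        if e["errorCode"]:
            findings.append(f"{label}: failed with {e['errorCode']}")
        if e["eventName"] in SENSITIVE_ACTIONS and not e["mfa"]:
            findings.append(f"{label}: sensitive action without MFA")
    return findings

if __name__ == "__main__":
    for finding in review(chime_entries(SAMPLE_LOG_FILE)):
        print(finding)
```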

# Compliance validation for Amazon Chime
<a name="compliance"></a>

Third-party auditors assess the security and compliance of AWS services as part of multiple AWS compliance programs, such as SOC, PCI, FedRAMP, and HIPAA.

To learn whether an AWS service is within the scope of specific compliance programs, see [AWS services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/) and choose the compliance program that you are interested in. For general information, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/).

You can download third-party audit reports using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html).

Your compliance responsibility when using AWS services is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. For more information about your compliance responsibility when using AWS services, see [AWS Security Documentation](https://docs.aws.amazon.com/security/).

# Resilience in Amazon Chime
<a name="disaster-recovery-resiliency"></a>

The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures. 

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

In addition to the AWS global infrastructure, Amazon Chime offers different features to help support your data resiliency and backup needs. For more information, see [Managing Amazon Chime Voice Connector groups](https://docs.aws.amazon.com/chime-sdk/latest/ag/voice-connector-groups.html) and [Streaming Amazon Chime Voice Connector media to Kinesis](https://docs.aws.amazon.com/chime-sdk/latest/ag/start-kinesis-vc.html) in the *Amazon Chime SDK Administration Guide*.

# Infrastructure security in Amazon Chime
<a name="infrastructure-security"></a>

As a managed service, Amazon Chime is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in the *Security Pillar* of the *AWS Well-Architected Framework*.

You use AWS published API calls to access Amazon Chime through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.
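Whether a custom client meets the two requirements above (TLS 1.2 or later, and only forward-secret key exchange) can be checked before it ever connects. The following is an added example using Python's `ssl` module, not code from the Amazon Chime documentation or the AWS SDKs; the cipher string and the compliance rules are assumptions.

```python
import ssl

def make_chime_client_ssl_context():
    """Client context meeting the requirements above: TLS 1.2 minimum, server
    certificate and hostname verification on, and only forward-secret
    (ephemeral DH/ECDH) suites for TLS 1.2. TLS 1.3 suites are always
    forward-secret and are configured separately by OpenSSL, so they stay on."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Cipher string (assumption): ECDHE/DHE with AEAD ciphers only, no anonymous
    # suites, no MD5, no 3DES. Unknown aliases are simply ignored by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!3DES")
    return ctx

def non_pfs_suites(ctx):
    """Names of enabled TLS 1.2 suites whose key exchange is not ephemeral,
    i.e. the ones that would violate the PFS requirement. OpenSSL names
    forward-secret suites with an ECDHE- or DHE- prefix."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"
            and not c["name"].startswith(("ECDHE-", "DHE-"))]

def context_is_compliant(ctx):
    """True when the context can only negotiate what the requirements allow."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and not non_pfs_suites(ctx))

if __name__ == "__main__":
    hardened = make_chime_client_ssl_context()
    print("hardened context compliant:", context_is_compliant(hardened))
    # For comparison, the library's DEFAULT list usually still offers
    # RSA key exchange suites, which are not forward-secret.
    loose = ssl.create_default_context()
    loose.set_ciphers("DEFAULT")
    print("non-PFS suites in DEFAULT:", non_pfs_suites(loose))
```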

# Understanding Amazon Chime automatic updates
<a name="chime-auto-update"></a>

Amazon Chime provides different ways to update its clients. The method varies, depending on whether your users run Amazon Chime in a browser, on your desktop, or on a mobile device.

The Amazon Chime web application – [https://app.chime.aws](https://app.chime.aws) – always loads with the latest features and security fixes.

The Amazon Chime desktop client checks for updates whenever a user chooses **Quit** or **Sign Out**. This applies to Windows and macOS machines. As users run the client, it checks for updates every three hours. Users can also check for updates by choosing **Check for Updates** on the Windows Help menu or on the macOS **Amazon Chime** menu.

 When the desktop client detects an update, Amazon Chime prompts users to install it unless they're in an ongoing meeting. Users are in an *ongoing meeting* when: 
+ They're attending a meeting.
+ They were invited to a meeting that is still in progress.

Amazon Chime prompts them to install the latest version, and it gives them a 15-second countdown so they can postpone the installation. Choose **Try Later** to postpone the update.

When users postpone an update, and they aren't in an ongoing meeting, the client checks for the update after three hours and prompts them again to install. The installation begins when the countdown ends. 

**Note**  
On a macOS machine, users need to choose **Restart Now** to begin the update.

**On a mobile device** – Amazon Chime mobile applications use the update options provided by the App Store and Google Play to deliver the latest version of the Amazon Chime client. You can also distribute updates through your mobile device management system. This topic assumes that you know how to use that system.