

AWS Chatbot is now Amazon Q Developer. [Learn more](service-rename.md)

# Securing your AWS organization in Amazon Q Developer in chat applications

You can secure your AWS organization or organizational units (OUs) using organization policies. AWS Organizations is a service for grouping and centrally managing multiple AWS accounts that your business owns. If you enable all features in an organization, you can apply organization policies such as a chat applications policy and service control policies (SCPs) to any or all of your accounts. A chat applications policy defines which permissions models, chat platforms, and chat workspaces can be used to access your accounts. SCPs limit permissions for entities in member accounts, including each AWS account root user. Effective chat application permissions are the intersection between organization level controls (organization policies) and account level controls ([User role requirement](understanding-permissions.md#role-reqs), Amazon Q Developer in chat applications configuration resources). For more information about organization policies, see [ Managing policies with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html) in the *AWS Organizations User Guide*.

**Topics**
+ [Amazon Q Developer in chat applications organization policies](chatbot-orgs-policy.md)
+ [Service control policies (SCPs) for Amazon Q Developer in chat applications](scp.md)

# Amazon Q Developer in chat applications organization policies


Organization administrators can manage multiple Amazon Q Developer in chat applications settings across all accounts within an organization using chat applications policies. Chat applications policies define where Amazon Q Developer in chat applications can deliver notifications and whether it can respond to Amazon Q Developer in chat applications mention events. Using chat applications policies, administrators can:
+ Enforce which chat platforms can be used across your organization (Amazon Chime, Microsoft Teams, and Slack).
+ Restrict chat client access to specific workspaces and teams.
+ Restrict Slack channel visibility to either public or private channels.
+ Set and enforce specific role settings.

Chat applications policies restrict and take precedence over account level settings such as [role settings](understanding-permissions.md#role-settings) and [Channel guardrail policies](understanding-permissions.md#channel-guardrails). Administrators can define rules in a policy and apply those rules to an entire organization or to a group of accounts, referred to as organizational units (OUs). For more information, see [Managing organizational units](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html) in the *AWS Organizations User Guide*. You can access and modify these policies from the Amazon Q Developer in chat applications console or the AWS Organizations console. For more information about organization policies, see [Managing policies in AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html) in the *AWS Organizations User Guide*.

If your users try to perform an action restricted by your chat applications policy, they receive an error message stating that the action is disallowed by the policy. We recommend that they contact their organization administrator.

**Note**  
Amazon Q Developer in chat applications organization policies are validated at runtime, so existing resources are continuously checked for compliance. There is no overlap with existing IAM permissions, because there aren't currently any runtime-based IAM permissions for sending notifications or interacting with Amazon Q Developer in chat applications.

**Note**  
Chat application policies are limited to AWS account access to Amazon Q Developer in chat applications. These policies don't manage Amazon Q Business access from chat applications.

**Topics**
+ [Example Amazon Q Developer in chat applications organization policy](#example-org-policy)
+ [Enabling chat applications policies](#enable-org-pol)
+ [Disabling chat applications policies](#disable-org-pol)
+ [Tutorial: Creating chat applications policies in Amazon Q Developer in chat applications](org-policy-tutorial.md)
+ [Editing chat applications policies in Amazon Q Developer in chat applications](edit-org-pol.md)
+ [Deleting chat applications policies in Amazon Q Developer in chat applications](delete-org-pol.md)

## Example Amazon Q Developer in chat applications organization policy


The following policy allows restricted Amazon Q Developer in chat applications access for selected Slack workspaces and a Microsoft Teams tenant.

```
{
    "chatbot":{
       "platforms":{
          "slack":{
             "client":{
                "@@assign":"enabled"
             },
             "workspaces": { // limit 255
                   "@@assign":[
                      "Slack-Workspace-Id1",
                      "Slack-Workspace-Id2"
                   ]
             },
             "default":{
                "supported_channel_types":{
                   "@@assign":[
                      "private"
                   ]
                },
                "supported_role_settings":{
                   "@@assign":[
                      "user_role"
                   ]
                }
             },
             "overrides":{ // limit 255
                "Slack-Workspace-Id2":{
                   "supported_channel_types":{
                      "@@assign":[
                         "public",
                         "private"
                      ]
                   },
                   "supported_role_settings":{
                      "@@assign":[
                         "channel_role",
                         "user_role"
                      ]
                   }
                }
             }
          },
          "microsoft_teams":{
             "client":{
                "@@assign":"enabled"
             },
             "tenants":{ // limit 36
                "Microsoft-Teams-Tenant-Id":{ // limit 36
                   "@@assign":[
                      "Microsoft-Teams-Team-Id"
                   ]
                }
             },
             "default":{
                "supported_role_settings":{
                   "@@assign":[
                      "user_role"
                   ]
                }
             },
             "overrides":{ // limit 36
                "Microsoft-Teams-Tenant-Id":{
                   "Microsoft-Teams-Team-Id":{
                      "supported_role_settings":{
                         "@@assign":[
                            "channel_role",
                            "user_role"
                         ]
                      }
                   }
                }
             }
          }
       },
       "default":{
          "client":{
             "@@assign":"disabled"
          }
       }
    }
 }
```

**For Slack**
+ The Slack client is enabled.
+ The allowed Slack workspaces are *Slack-Workspace-Id1* and *Slack-Workspace-Id2*.
+ The default settings for Slack are to only allow private channels and User level IAM roles.
+ There is an override for the workspace *Slack-Workspace-Id2* that allows both public and private channels as well as both Channel level IAM roles and User level IAM roles.

**For Microsoft Teams**
+ The Microsoft Teams client is enabled.
+ The allowed Teams tenant is *Microsoft-Teams-Tenant-Id*, with the team *Microsoft-Teams-Team-Id*.
+ The default settings are to only allow User level IAM roles.
+ There is an override for the tenant *Microsoft-Teams-Tenant-Id* that allows both Channel level IAM roles and User level IAM roles for the team *Microsoft-Teams-Team-Id*.

**Additional details**
+ The `default` block at the bottom sets the client to be disabled, which disables Amazon Q Developer in chat applications across the organization unless overridden at a lower level. This means Amazon Chime is disabled in this example. This default also disables any new chat platform that Amazon Q Developer in chat applications supports. For example, if Amazon Q Developer in chat applications supports a new chat platform, this default disables that newly supported chat platform as well.
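To make the precedence described above concrete, here is an added example (not AWS code, and not the service's own evaluation engine) that loads the policy shown on this page and resolves the effective settings for a given Slack workspace or Microsoft Teams team. It assumes the evaluation order the explanation implies: a per-workspace or per-team override beats the platform's `default` block, the platform's `client` flag beats the top-level `default.client` flag, and a workspace or team that is not on the allow list is disallowed. The `chime` platform key used at the end is hypothetical; the page does not show that key's name.

```python
"""Effective chat applications settings for one workspace or team.

Added example; not AWS code. It models the precedence the page describes
(override > platform default > top-level default) as an assumption drawn
from the page's explanation, not from the service's own engine.
"""

# The page's example policy with the "// limit" annotations removed so it is
# valid JSON/Python. Workspace, tenant and team IDs are the page's placeholders.
EXAMPLE_POLICY = {
    "chatbot": {
        "platforms": {
            "slack": {
                "client": {"@@assign": "enabled"},
                "workspaces": {"@@assign": ["Slack-Workspace-Id1", "Slack-Workspace-Id2"]},
                "default": {
                    "supported_channel_types": {"@@assign": ["private"]},
                    "supported_role_settings": {"@@assign": ["user_role"]},
                },
                "overrides": {
                    "Slack-Workspace-Id2": {
                        "supported_channel_types": {"@@assign": ["public", "private"]},
                        "supported_role_settings": {"@@assign": ["channel_role", "user_role"]},
                    }
                },
            },
            "microsoft_teams": {
                "client": {"@@assign": "enabled"},
                "tenants": {"Microsoft-Teams-Tenant-Id": {"@@assign": ["Microsoft-Teams-Team-Id"]}},
                "default": {"supported_role_settings": {"@@assign": ["user_role"]}},
                "overrides": {
                    "Microsoft-Teams-Tenant-Id": {
                        "Microsoft-Teams-Team-Id": {
                            "supported_role_settings": {"@@assign": ["channel_role", "user_role"]}
                        }
                    }
                },
            },
        },
        "default": {"client": {"@@assign": "disabled"}},
    }
}


def _assigned(node, key, fallback):
    """Value under node[key]["@@assign"], or fallback when the key is absent."""
    child = node.get(key) if isinstance(node, dict) else None
    return child["@@assign"] if isinstance(child, dict) and "@@assign" in child else fallback


def client_enabled(policy, platform):
    """Is the platform's client enabled? An unlisted platform key inherits the
    top-level default, which is "disabled" in the page's policy."""
    chatbot = policy["chatbot"]
    top_default = _assigned(chatbot.get("default", {}), "client", "disabled")
    platform_node = chatbot.get("platforms", {}).get(platform, {})
    return _assigned(platform_node, "client", top_default) == "enabled"


def effective_slack_settings(policy, workspace_id):
    """Channel types and role settings for one Slack workspace.

    Returns None when the Slack client is disabled or the workspace is not on
    the allow list, i.e. the page's "disallowed by policy" error case.
    """
    if not client_enabled(policy, "slack"):
        return None
    slack = policy["chatbot"]["platforms"].get("slack", {})
    if workspace_id not in _assigned(slack, "workspaces", []):
        return None
    base = slack.get("default", {})
    override = slack.get("overrides", {}).get(workspace_id, {})
    return {
        "channel_types": _assigned(override, "supported_channel_types",
                                   _assigned(base, "supported_channel_types", [])),
        "role_settings": _assigned(override, "supported_role_settings",
                                   _assigned(base, "supported_role_settings", [])),
    }


def effective_teams_settings(policy, tenant_id, team_id):
    """Role settings for one Microsoft Teams team within a tenant, or None."""
    if not client_enabled(policy, "microsoft_teams"):
        return None
    teams = policy["chatbot"]["platforms"].get("microsoft_teams", {})
    if team_id not in _assigned(teams.get("tenants", {}), tenant_id, []):
        return None
    base = teams.get("default", {})
    override = teams.get("overrides", {}).get(tenant_id, {}).get(team_id, {})
    return {"role_settings": _assigned(override, "supported_role_settings",
                                       _assigned(base, "supported_role_settings", []))}


if __name__ == "__main__":
    for ws in ("Slack-Workspace-Id1", "Slack-Workspace-Id2", "Slack-Workspace-Id3"):
        print(ws, "->", effective_slack_settings(EXAMPLE_POLICY, ws))
    # "chime" is a hypothetical platform key; it falls through to the top-level default.
    print("chime client enabled:", client_enabled(EXAMPLE_POLICY, "chime"))
```

Running it shows the three outcomes the bullet lists above describe: `Slack-Workspace-Id1` gets only private channels and `user_role`, `Slack-Workspace-Id2` gets the override's wider settings, and an unlisted workspace resolves to `None`.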

## Enabling chat applications policies


Before you can create chat applications policies, you must first enable them using the AWS Organizations console. For more information, see [Enabling a policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html#enable-policy-type) in the *AWS Organizations User Guide*.

## Disabling chat applications policies


If you no longer want to use chat applications policies in your organization, you can disable them to prevent accidental use. For more information, see [Disabling a policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html#disable-policy-type) in the *AWS Organizations User Guide*.

# Tutorial: Creating chat applications policies in Amazon Q Developer in chat applications

In this tutorial, you use the Amazon Q Developer in chat applications console to create a chat applications policy that:
+ Restricts chat client access to Slack
+ Specifies usable Slack workspaces
+ Restricts usage to private channels
+ Requires user-level roles

Subsequently, all Amazon Q Developer in chat applications configurations in your organization must adhere to these specifications.

**Topics**
+ [Prerequisites](#org-policy-tutorial-prq)
+ [Step 1: Create a new chat applications policy](#org-policy-tutorial-s1)
+ [(Optional) Step 2: Testing your chat applications policy](#org-policy-tutorial-s2)

## Prerequisites


You must have already created an organization using AWS Organizations. For more information, see [Managing an organization with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org.html) in the *AWS Organizations User Guide*.

## Step 1: Create a new chat applications policy


**To create a new chat applications policy**

1. Open the Amazon Q Developer in chat applications console at [https://console.aws.amazon.com/chatbot/](https://console.aws.amazon.com/chatbot/).

1. In the left sidebar menu, choose **Organization settings**. 

1. Choose **Chat applications policies**. 

1. Choose **Create chat applications policies**. 

1. **Enable Amazon Q Developer in chat applications Orgs policies:**

   **Note**  
   Before you can create and attach a policy to your organization, you must enable that policy type for use. This is a one-time task on the organization root. You can enable a policy type from only the organization’s management account. For more information, see [Enabling and disabling policy types](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html) in the *AWS Organizations User Guide*.

   1. On the Chat applications policies page, choose **Enable**.

1. **Enter your policy details:**

   1. Enter a policy name.

   1. (Optional) Enter a policy description.

1. (Optional) Add tags.

1. **Configure chat client access:**

   1. In **Set Amazon Chime chat client access**, choose **Deny Chime access**.

   1. In **Set Microsoft Teams client access**, choose **Deny access to all Teams**.

   1. In **Set Slack chat client access**, choose **Restrict access to named Slack workspaces**:

      1. Enter a Slack workspace ID.

         **Tip**  
         You can find your workspace ID in the Amazon Q Developer in chat applications console by choosing the configured client in the left sidebar and looking under **Workspace details**.

      1. (Optional) Choose **Add new workspace ID** to add another Slack workspace.

      1. Choose **Add**.

   1. Select **Enable usage to only private Slack channels**.

1. **Set IAM permission types:**

   1. Select **Enable User level IAM role**.

1. Choose **Create policy**.

## (Optional) Step 2: Testing your chat applications policy


If you already have an Amazon Q Developer in chat applications configuration, you can sign in as a user in any of your member accounts and try to perform any of the following actions:
+ Create an Amazon Q Developer in chat applications configuration for Microsoft Teams
+ Create a Slack Amazon Q Developer in chat applications configuration for a workspace you didn't specify in your policy
+ Create a Slack Amazon Q Developer in chat applications configuration that uses a channel role

When you try to perform these actions, you should receive an error message that explains why you’re disallowed.

# Editing chat applications policies in Amazon Q Developer in chat applications

If you need to make changes to your chat applications policy, you can edit it.

**To edit chat applications policies**

1. Sign in to the Amazon Q Developer in chat applications console.

1. In the left sidebar menu, choose **Organization settings**.

1. Choose **Chat applications policies**.

1. Select the name of the policy. 

1. Choose **Edit policy**. 

1. Make your edits. 

1. Choose **Save changes**. 

# Deleting chat applications policies in Amazon Q Developer in chat applications

If you no longer need a Chat applications policy, you can delete it.

**To delete chat applications policies**

1. Sign in to the Amazon Q Developer in chat applications console.

1. In the left sidebar menu, choose **Organization settings**.

1. Choose **Chat applications policies**.

1. Select the name of the policy. 

1. Choose **Delete policy**. 

1. Confirm your deletion by entering the policy name. 

1. Choose **Delete**. 

# Service control policies (SCPs) for Amazon Q Developer in chat applications

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for the IAM users and IAM roles in your organization. For more information, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.

SCPs for Amazon Q Developer in chat applications function similarly to channel guardrail policies, but are implemented on the organization level. You can use SCPs to secure your organizations by restricting what APIs can be used to configure Amazon Q Developer in chat applications and which services and operations can be run using Amazon Q Developer. This doesn’t impact resources that are already created or the ability to respond to commands in chat channels.

The global condition key, `aws:ChatbotSourceArn`, is attached to all sessions created through Amazon Q Developer in chat applications. You can use this condition key to restrict which Amazon Q Developer in chat applications API operations can be run using Amazon Q Developer in chat applications as opposed to other platforms such as the CLI or console. 

**Note**  
SCPs for Amazon Q Developer in chat applications are limited to Amazon Q Developer access in chat applications and don't apply to Amazon Q Business access from chat applications.

**Topics**
+ [Example Service control policies](#scp-example)

## Example Service control policies


### Example 1: Deny all IAM operations


The following SCP denies all IAM operations invoked through all Amazon Q Developer in chat applications configurations.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "iam:*",
            "Resource": "*",
            "Condition": {
                "ArnLike": {
                    "aws:ChatbotSourceArn": "arn:aws:chatbot::*"
                }
            }
        }
    ]
}
```

### Example 2: Deny S3 bucket put requests from a specified Slack channel


The following SCP denies S3 put requests on the specified bucket for all requests originating from a Slack channel.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExampleS3Deny",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
            "Condition": {
                "ArnLike": {
                    "aws:ChatbotSourceArn": "arn:aws:chatbot::*:chat-configuration/slack-channel/*"
                }
            }
        }
    ]
}
```
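The point of both examples is that the `aws:ChatbotSourceArn` condition scopes the Deny to requests that arrive through an Amazon Q Developer in chat applications configuration, while the same call from the CLI or console carries no such key and is untouched. The following added example (not AWS code, and not IAM's evaluation engine) evaluates the two SCPs above against constructed request contexts to show that behaviour. It implements only what these statements need: `Effect: Deny`, `Action` and `Resource` patterns, and an `ArnLike` condition where `*` matches any run of characters and `?` one character; IAM documents ArnLike matching per ARN component, so treat the matcher as a simplification. The account ID `111122223333`, the object key, the role ARN, the Microsoft Teams configuration ARN, and the `Sid` given to Example 1 are all placeholders.

```python
"""Evaluate the page's two Deny SCPs against constructed request contexts.

Added example; not AWS code and not IAM's evaluator. Supports only Deny
statements with Action/Resource patterns and an ArnLike condition.
"""
import re


def wildcard_match(pattern, value):
    """Case-sensitive match: '*' is any run of characters, '?' is one character."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_denies(stmt, req):
    """True when a Deny statement applies to the request.

    A condition on a key that is missing from the request context does not
    match, so a request that did not come through a chat configuration (no
    aws:ChatbotSourceArn) is never denied by these statements.
    """
    if stmt.get("Effect") != "Deny":
        return False
    if not any(wildcard_match(p, req["action"]) for p in _as_list(stmt["Action"])):
        return False
    if not any(wildcard_match(p, req["resource"]) for p in _as_list(stmt["Resource"])):
        return False
    for key, patterns in stmt.get("Condition", {}).get("ArnLike", {}).items():
        actual = req["context"].get(key)
        if actual is None or not any(wildcard_match(p, actual) for p in _as_list(patterns)):
            return False
    return True


def denied_by(policy, req):
    """Sids of the statements in an SCP document that deny the request."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"] if statement_denies(s, req)]


# Example 1 from the page, as a full policy document; the Sid is assumed.
DENY_ALL_IAM_FROM_CHAT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyIamFromChat", "Effect": "Deny", "Action": "iam:*", "Resource": "*",
        "Condition": {"ArnLike": {"aws:ChatbotSourceArn": "arn:aws:chatbot::*"}},
    }],
}

# Example 2 from the page.
DENY_S3_PUT_FROM_SLACK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExampleS3Deny", "Effect": "Deny", "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
        "Condition": {"ArnLike": {
            "aws:ChatbotSourceArn": "arn:aws:chatbot::*:chat-configuration/slack-channel/*"}},
    }],
}

# Constructed placeholders: account ID, configuration ARNs and target resources.
SLACK_CFG = "arn:aws:chatbot::111122223333:chat-configuration/slack-channel/ops-alerts"
TEAMS_CFG = "arn:aws:chatbot::111122223333:chat-configuration/microsoft-teams-channel/ops"
OBJ = "arn:aws:s3:::DOC-EXAMPLE-BUCKET/report.csv"
ROLE = "arn:aws:iam::111122223333:role/DemoRole"


def make_request(action, resource, source_arn=None):
    """Build a request context; source_arn=None models a CLI/console call,
    which carries no aws:ChatbotSourceArn key at all."""
    context = {} if source_arn is None else {"aws:ChatbotSourceArn": source_arn}
    return {"action": action, "resource": resource, "context": context}


if __name__ == "__main__":
    print("Slack put :", denied_by(DENY_S3_PUT_FROM_SLACK, make_request("s3:PutObject", OBJ, SLACK_CFG)))
    print("Teams put :", denied_by(DENY_S3_PUT_FROM_SLACK, make_request("s3:PutObject", OBJ, TEAMS_CFG)))
    print("CLI put   :", denied_by(DENY_S3_PUT_FROM_SLACK, make_request("s3:PutObject", OBJ)))
    print("Teams iam :", denied_by(DENY_ALL_IAM_FROM_CHAT, make_request("iam:CreateRole", ROLE, TEAMS_CFG)))
    print("CLI iam   :", denied_by(DENY_ALL_IAM_FROM_CHAT, make_request("iam:CreateRole", ROLE)))
```

Example 2 denies the Slack-originated `s3:PutObject` but not the same call from a Teams configuration or from the CLI, and Example 1 denies `iam:CreateRole` from any chat configuration while leaving the CLI call alone. When writing your own SCPs of this kind, keep the `Resource` and `Action` as narrow as the bucket or operation in question, as Example 2 does, so the Deny cannot accidentally block notification delivery or other intended chat interactions.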