Amazon Chime - Administration Guide

Amazon Chime - Administration Guide
Amazon Chime
Administration Guide
Amazon Chime Administration Guide
Amazon Chime: Administration Guide
Copyright © 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner
that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not
owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by
Amazon.
Amazon Chime Administration Guide
Table of Contents
What Is Amazon Chime? ..................................................................................................................... 1
Administration Overview ............................................................................................................. 1
Get Started ....................................................................................................................................... 2
Step 1: Create an AWS Account ................................................................................................... 2
Step 2: Create an Amazon Chime Account ..................................................................................... 2
Step 3: Add Users to Your Amazon Chime Account ......................................................................... 3
Manage Your Accounts ........................................................................................................................ 5
Create an Amazon Chime Account ................................................................................................ 5
Rename Your Account ................................................................................................................. 6
Delete Your Account ................................................................................................................... 6
Use the Policies Page ................................................................................................................. 6
Claim a Domain ......................................................................................................................... 7
Connect to Active Directory ......................................................................................................... 7
Configure Multiple Email Addresses ...................................................................................... 8
Manage Users .................................................................................................................................. 10
View User Details ..................................................................................................................... 10
Manage User Access and Licenses ............................................................................................... 11
Manage Licenses .............................................................................................................. 11
Invite and Remove Users ................................................................................................... 12
Change Personal Meeting PINs ................................................................................................... 13
Manage ProTrials ...................................................................................................................... 13
Configure Conference Rooms ............................................................................................................. 14
View Reports ................................................................................................................................... 15
Control Access to the Console ............................................................................................................ 16
Create an IAM User .................................................................................................................. 16
Attach Required IAM User Policies .............................................................................................. 16
Read-Only Policy Example ....................................................................................................... 17
Amazon Chime Actions ............................................................................................................. 17
Log Service API Calls ........................................................................................................................ 20
Network Configuration and Bandwidth Requirements ........................................................................... 22
Purchase Amazon Chime ................................................................................................................... 24
Get Support .................................................................................................................................... 25
Resources ........................................................................................................................................ 26
Document History ............................................................................................................................ 27
iii
Amazon Chime Administration Guide
Administration Overview
What Is Amazon Chime?
Amazon Chime is a communications service that transforms online meetings with a secure, easy-to-use
application that you can trust. Amazon Chime works seamlessly across your devices so that you can stay
connected. You can use Amazon Chime for online meetings, video conferencing, calls, chat, and to share
content, both inside and outside your organization. Amazon Chime frees you to work productively from
anywhere.
For more information, see the Amazon Chime site.
Administration Overview
As an administrator, you use the Amazon Chime console to perform key tasks, such as creating Amazon
Chime accounts, managing Amazon Chime users, and managing Amazon Chime licenses. You must have
an AWS account to access the Amazon Chime console.
With Amazon Chime, you choose a subscription plan for your Amazon Chime users: Amazon Chime Plus
or Amazon Chime Pro. Pricing is per user per month, and if you change plans within a month, plans
are prorated daily. You can try Amazon Chime Pro for 30 days for free. You can change or cancel a
subscription at any time. For more information, see Plans and pricing.
1
Amazon Chime Administration Guide
Step 1: Create an AWS Account
Getting Started
The easiest way to get started with Amazon Chime is to download and use the Amazon Chime Pro
version for free for 30 days. For more information, see Download Amazon Chime.
If you have installed Amazon Chime and want to expand your pilot or proof of concept to include
administrator functionality, complete the following tasks:
Tasks
• Create an AWS Account (p. 2)
• Create an Amazon Chime Account (p. 2)
• Add users to your Amazon Chime Account (p. 3)
Step 1: Create an AWS Account
If you have an AWS account already, skip to the next task. If you don't have an AWS account, use the
following procedure to create one.
To create an AWS account
1.
Open https://aws.amazon.com/, and then choose Create an AWS Account.
Note
This might be unavailable in your browser if you previously signed into the AWS
Management Console. In that case, choose Sign in to a different account, and then choose
Create a new AWS account.
2.
Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call and entering a PIN using the phone
keypad.
Step 2: Create an Amazon Chime Account
After you've created your AWS account, you can create an Amazon Chime account.
To create an Amazon Chime account
1.
Open the Amazon Chime console at https://console.chime.aws.amazon.com/.
2.
On the Accounts page, choose New account.
3.
For Account Name, type a name for the account, and then choose Create account.
2
Amazon Chime Administration Guide
Step 3: Add Users to Your Amazon Chime Account
4.
The new account has the account type Team.
Step 3: Add Users to Your Amazon Chime Account
After you create an Amazon Chime account, you can add yourself and other users to your Amazon Chime
account. You are not charged for invited users, but start paying after a user accepts an invitation and
registers.
Note
If you plan to upgrade your account to an enterprise account, there is no need to invite users
through the administration console. Instead, you claim your domain(s), and any users that
register with your claimed domain become part of your account. For more information about
claiming your first domain and becoming an enterprise account, see Claim a Domain (p. 7).
To add users to your Amazon Chime account
1.
Open the Amazon Chime console at https://console.chime.aws.amazon.com/.
2.
On the Accounts page, select the name of your account.
3
Amazon Chime Administration Guide
Step 3: Add Users to Your Amazon Chime Account
3.
On the Users page, choose Invite users.
4.
You (or your user) receives an email invitation to join the Amazon Chime team that you created. The
email recipient chooses Accept in the email invitation.
5.
After a user chooses Accept in the email invitation, they are assigned an Amazon Chime Plus
license by default. To upgrade them to an Amazon Chime license Pro, see Manage User Access and
Licenses (p. 11).
• If the user has already signed up for an Amazon Chime, they can use the work email address that
they used to sign up for Amazon Chime.
• If the user hasn't downloaded the Amazon Chime client app (this can be done at any time), they
can choose Download Amazon Chime to download it and sign in if they have an account. If they
don't have an account, they can register to create one. For more information, see Step 2: Create an
Amazon Chime Account (p. 2).
6.
Repeat steps 1–5 for all users that you want to invite, including yourself.
4
Amazon Chime Administration Guide
Create an Amazon Chime Account
Managing Your Amazon Chime
Accounts
If you are using Amazon Chime as an individual user or as a group with no administrators, and you want
to expand your pilot or proof of concept to include administrator functionality or you want to buy Pro,
you must create an Amazon Chime account. You can decide whether you want to create a team account
or enterprise account.
A team account is the easiest way to start inviting users to your organization and pay for their Pro
or Plus licenses. You don’t have to claim a domain, and you can invite users from any email domain.
Everyone in the same team account is able to search and locate other registered Amazon Chime users
in the team. A team account is also the right choice for paying for Plus or Pro users outside of your
organization.
An enterprise account provides more control over your users from your company domains, and includes
the ability to connect to your Microsoft Active Directory for authentication and other capabilities.
They are best during a proof-of-concept period or for smaller pilots where you want to try some of the
basic administrative abilities available in the Amazon Chime administration console, but don’t want to
perform the extra step of claiming a domain or connecting to an Active Directory. Enterprise accounts
provide full management of users within your account, ensuring that all users that join Amazon Chime
using your claimed domains are included in your centrally managed Amazon Chime account. Enterprise
administrators also can suspend and activate users. Enterprise accounts require claiming at least one
email domain. They are best when you want to use the full administrative capabilities that Amazon
Chime has to offer, including the ability to prevent specific users from signing in. Enterprise accounts
simplify the process of adding users and are required for the additional benefits of managing your users
through Active Directory.
Note
You can convert your team account to enterprise by claiming one or more email domains. After
your account is converted, the ability to connect an Active Directory instance through AWS
Directory Service becomes available. You can decide whether to continue to have your users sign
in with Login with Amazon, or connect and authenticate via their Active Directory credentials.
Contents
• Create an Amazon Chime Account (p. 5)
• Rename Your Account (p. 6)
• Delete Your Account (p. 6)
• Use the Policies Page (p. 6)
• Claim a Domain (p. 7)
• Connect to Your Active Directory (p. 7)
Create an Amazon Chime Account
If you haven't created an account, you can create one from the Accounts page. For more information, see
Step 2: Create an Amazon Chime Account (p. 2).
If you want to immediately upgrade to an enterprise account, after completing Step 2: Create an
Amazon Chime Account (p. 2), skip to Claim a Domain (p. 7) to claim at least one domain. For more
information about team and enterprise accounts, see Managing Your Amazon Chime Accounts (p. 5).
5
Amazon Chime Administration Guide
Rename Your Account
After you create your account, use the following procedure to see it on the Accounts page in the Amazon
Chime console. This page provides basic information on the account, including the name and account
type. You can also rename or delete your account on this page.
To go to the Accounts page
1.
Open the Amazon Chime console at https://console.chime.aws.amazon.com/.
2.
On the Accounts page, select the name of the account.
Note
You can search for accounts by account name, or search for specific users across all of your
accounts using their email address.
Selecting an account open's that account’s page, where you can manage users and settings.
Rename Your Account
Use the following procedure to rename your account. The new name you choose appears in invitation
emails sent to users to join your team account.
To rename your account
1.
Open the Amazon Chime console at https://console.chime.aws.amazon.com/.
2.
On the Accounts page, select the name of the account.
3.
Choose Account actions, Rename account, enter the new account name, and choose Save.
Delete Your Account
Use the following steps to delete your account.
To delete your account
1.
Open the Amazon Chime console at https://console.chime.aws.amazon.com/.
2.
On the Accounts page, select the name of the account.
3.
In the navigation pane, choose Users.
4.
Select all of the users, and then choose User Actions, Remove all users.
Note
If you have an enterprise account, you must first delete any claimed domains, which
converts your account back to a team account. After all users are removed, can delete your
account. For more information about how to submit a ticket to support, see Get Support for
Amazon Chime (p. 25).
5.
In the navigation pane, choose Accounts, Account actions, and Delete account.
6.
Confirm that you want to delete your account.
Use the Policies Page
The Policies page allows you to choose whether users in your organization are able to share control of
their computer while in meetings. Attendees in meetings hosted by your users receives an error message
indicating that remote control is not available.
6
Amazon Chime Administration Guide
Claim a Domain
Claim a Domain
To create an Enterprise account and benefit from the greater control that it provides over your account
and users, you must claim at least one email domain. Follow these steps to claim your domain.
To claim a domain
1.
Open the Amazon Chime console at https://console.chime.aws.amazon.com/.
2.
3.
On the Accounts page, select the name of the team account.
In the navigation pane, choose Settings, Claimed domains.
4.
5.
On the Claimed domains page, choose Claim a new domain.
For Domain, type the domain that your organization uses for email addresses. Choose Verify this
domain.
6.
Follow the directions on the screen to add a TXT record to the DNS server for your domain. In
general, the process involves signing in to your domain's account, finding the DNS records for your
domain, and adding a TXT record with the name and value provided by Amazon Chime. For more
information about updating the DNS records for your domain, see the documentation for your DNS
provider or domain name registrar.
Amazon Chime checks for the existence of this record to verify that you own the domain. After the
domain is verified, its status changes from Pending verification to Verified.
Note
Propagation of the DNS change and verification by Amazon Chime can take up to 24 hours.
7.
If your organization uses additional domains or subdomains for email addresses, repeat this
procedure for each domain.
Connect to Your Active Directory
Benefits
Using your Active Directory has the following benefits:
• Amazon Chime users can sign in with their Active Directory credentials.
7
Amazon Chime Administration Guide
Configure Multiple Email Addresses
• Administrators can choose which credential security features to add, including password rotation,
password complexity rules, and multi-factor authorization.
• When users accounts are disabled in your Active Directory, their Amazon Chime accounts are
automatically disabled.
• You can specify which Active Directory groups receive Plus or Pro licenses.
• Multiple groups can be configured to receive Plus or Pro licenses.
• Users that are not members of either group can't sign into Amazon Chime.
• Users in both groups receive a Pro license.
Requirements
Before you can add your Active Directory to Amazon Chime, you must complete the following
requirements:
• Set up a directory with AWS Directory Service that is configured in the US East (N. Virginia) region. For
more information, see the AWS Directory Service Administration Guide. Amazon Chime can connect
using AD Connector or Microsoft AD.
• Set up an Amazon Chime enterprise account. For more information, see Claim a Domain (p. 7).
After you add a directory to Amazon Chime, when users log in using an email address from one of the
domains that you added to your Amazon Chime enterprise account, they are prompted to log in with
their directory credentials.
To connect to your Active Directory
1.
2.
Open the Amazon Chime console at https://console.chime.aws.amazon.com/.
In the navigation pane, Settings, Active directory.
3.
For Cloud directory ID, select the AWS Directory Service directory to use for Amazon Chime, and
then choose Connect.
Note
4.
You can find your directory ID using the AWS Directory Service console.
After your directory has been connected, choose Add a new group. For Group, type a name for the
group. For License, select Plus or Pro. Choose Add Group.
5.
Repeat this procedure to create additional directory groups.
Configure Multiple Email Addresses
After you connect to your Active Directory, users that authenticate with Active Directory can use multiple
email addresses. They can use any of their work email addresses with Amazon Chime, as long as the
email address is using a domain that has been claimed by your Amazon Chime account, and is associated
with their user in Active Directory.
Amazon Chime continues to use the single email address in the EmailAddress attribute in Active
Directory as the user’s primary email address. This is the only one you can see in the interface. Users
can use any additional addresses in the ProxyAddress attribute, as long as the domain is claimed for the
account.
Incorrect Configuration Example
Username shirley.rodriguez is a member of an Amazon Chime account that has claimed two domains:
example.com and anotherdomain.com. In Active Directory, she has the following three email addresses
(one primary and two proxy):
8
Amazon Chime Administration Guide
Configure Multiple Email Addresses
• Primary email address: [email protected]
• Proxy email address 1: [email protected]
• Proxy email address 2: [email protected]
This user can sign into Amazon Chime using [email protected] or
[email protected] and her username shirley.rodriguez. If she attempts to sign in using
[email protected], she will be asked to Log in with Amazon and won't be part of your
managed account. This is why it's important to claim all of the domains your users use for email.
Other Amazon Chime users can add her as a contact, invite her to meetings, or add her as a delegate
using either her [email protected] or [email protected] email address.
Correct Configuration Example
Username shirley.rodriguez is a member of an Amazon Chime account that has claimed three domains:
example.com, example2.com, and anotherdomain.com. In Active Directory, she has the following three
email addresses:
• Primary email address: [email protected]
• Proxy email address 1: [email protected]
• Proxy email address 2: [email protected]
This user can sign into Amazon Chime using any of her work email addresses. Other users can also add
her as a contact, invite her to meetings, or add her as a delegate using any of her work email addresses.
9
Amazon Chime Administration Guide
View User Details
Manage Users
The Users page lists all of the users in your account. You can search for a specific user by searching for
their email address, view basic user data, and browse to view more information.
Administrators of accounts using Login with Amazon also see options to manage user licenses and
remove users from the account. These actions are managed through Active Directory for accounts where
Active Directory is configured.
Contents
• View User Details (p. 10)
• Manage User Access and Licenses (p. 11)
• Change Personal Meeting PINs (p. 13)
• Manage ProTrials (p. 13)
View User Details
You can use the User details page to enter detailed information about an individual user, or update a
specific user account. The following user information is available on the page.
Note
If a user hasn't accepted the invitation to a team account, not all information appears on this
page.
Field
Description
Example
Display name
The user's name that appears
in Amazon Chime. For LWA
users, this is the full name.
For Active Directory users, the
DISPLAY_NAME_ATTRIBUTE
is used.
Major, Mary
Email address
For LWA users, this is the
email address they used to
register. For Active Directory
users, the primary email
address from Active Directory
appears.
[email protected]
Registration
The user’s current registration
status. Possible values are
different for enterprise
accounts where invitations
are not sent and team
accounts where invitations
are sent.
Registered, Unregistered
(for a team account), or
Suspended (for an enterprise
account)
10
Amazon Chime Administration Guide
Manage User Access and Licenses
Field
Description
Example
License
License types for users are
Plus by default and Pro for
upgraded users. Users that
registered within the past 30
days, and have not had their
license type changed, appear
as ProTrial.
Pro, Plus, or ProTrial
Invited
For team accounts, this is
the date when the user was
invited to the account.
04/05/2017
Joined
The date when the user first
signed into Amazon Chime.
For ProTrial users, this is also
the date that their ProTrial
began.
04/10/2017
Personal PIN
This is the personal meeting
PIN that the user can use to
schedule meetings.
0123456789
Privacy setting
This is the presence setting
that the user selected.
Public or Private
Manage User Access and Licenses
Access to features within Amazon Chime is determined by the license type assigned to the user. The
ability to sign into Amazon Chime is managed by suspending or activating users. As an Amazon Chime
administrator, you can manage license types of users in your account, but the ability to suspend a user
account is only available to enterprise team administrators. Administrators of team accounts can remove
users from their accounts so they are no longer paying for the user’s license, but they can't suspend the
user and prevent them from signing in.
Manage Licenses
How license types are managed is determined by whether you have Active Directory configured. If
you have Active Directory configured for your account, license management is handled through group
memberships. If Active Directory is not configured, license types are managed through the Amazon
Chime console.
Team Accounts and Enterprise Login with Amazon
For administrators of team and enterprise LWA accounts, where users sign in with their Login with
Amazon (LwA) accounts, licenses are managed from either the Users or User details pages.
To manage Amazon Chime licenses for team accounts and enterprise LWA
1.
2.
3.
Open the Amazon Chime console at https://console.chime.aws.amazon.com/.
On the Accounts page, select the name of the Amazon Chime account.
In the navigation pane, choose Users.
4.
Select the check boxes for the users and then choose User actions, Assign user license, Pro or Plus,
and Assign.
11
Amazon Chime Administration Guide
Invite and Remove Users
Enterprise Active Directory Accounts
The license type for users that sign in with their Active Directory credentials is determined by group
memberships. If they are a member of an Active Directory group that has been assigned Pro, they are
Pro. If they are a member of a group that has been assigned Plus, then they have Plus status. Users not in
any of the groups with Pro or Plus license tiers can't sign into Amazon Chime.
Invite and Remove Users
Team Accounts
After you create an Amazon Chime team account, you can invite. With a team account, you can use the
Amazon Chime console to invite users from any email domain.
To invite users to a team account
1.
Open the Amazon Chime console at https://console.chime.aws.amazon.com/.
2.
On the Accounts page, select the name of the team account.
3.
On the Users page, choose Invite users.
4.
Type the email addresses of the users to invite (separate multiple email addresses with a semicolon
;) and then choose Invite users.
Use the following procedure to remove users from a team account. This disassociates the user from
the account and removes any license that you purchased for them. The user can still access Amazon
Chime, but is no longer a paid member of your Amazon Chime account. The user can no longer use
autocomplete in Contacts to find new team users.
To remove users from a team account
1.
Open the Amazon Chime console at https://console.chime.aws.amazon.com/.
2.
On the Accounts page, select the name of the team account.
3.
On the Users page, select the users to remove and choose User actions, Remove user.
Enterprise Accounts
With an enterprise account, any users that register for Amazon Chime with an email address for your
claimed domains are automatically added to your account. If you configured Active Directory, the user
must not only have an email address that uses one of your claimed domains, but they must also be
members of the group you configured for Amazon Chime.
To invite users to an enterprise account
1.
Send an invitation email to the users in your organization and instruct them to follow the steps in
Create an Amazon Chime Account in the Amazon Chime User Guide.
2.
Users use an email address with the one of the domains that you claimed for your account.
3.
After your users complete the steps to create their Amazon Chime accounts, they automatically
appear on the Users page for the enterprise account.
Use the following procedure to suspend users from an enterprise account. This prevents them users from
logging in to Amazon Chime.
12
Amazon Chime Administration Guide
Change Personal Meeting PINs
To suspend users from an enterprise account
1.
2.
3.
Open the Amazon Chime console at https://console.chime.aws.amazon.com/.
On the Accounts page, select the name of the enterprise account.
On the Users page, select the users to remove and choose User actions, Suspend user.
Change Personal Meeting PINs
A personal meeting PIN is a static ID generated when the user registers that makes it easy for an Amazon
Chime user to schedule meetings with other Amazon Chime users. Using a personal meeting PIN means
that meeting organizers don't have to remember meeting details for each new meeting that they
schedule.
If a user feels that their personal meeting PIN has been compromised, you can reset their PIN and
generate a new ID. After you update a personal meeting PIN, the user must update all meetings that
were scheduled using the old personal meeting PIN.
To change a personal meeting PIN
1.
Open the Amazon Chime console at https://console.chime.aws.amazon.com/.
2.
3.
On the Accounts page, select the name of the Amazon Chime account.
In the navigation pane, choose Users.
4.
5.
Search for the user who needs their PIN changed.
Choose the name of the user to open the User detail page.
6.
Choose User actions, Update Meeting PIN, Confirm.
Manage ProTrials
Users are eligible for a 30-day free trial and are given ProTrial status when they first register for Amazon
Chime. This gives them the same access to features within Amazon Chime as Pro users, but with a limited
set of dial-in numbers. A ProTrial ends when the 30-day period expires, or if the user’s administrator
changes the user’s license type tier from the console.
To allow your users to keep their ProTrial status for the full 30 days before deciding whether to assign
them Pro, don’t change their license type.
If you configured Active Directory for your account, users only have the 30-day ProTrial period if they are
in the Active Directory group that you assigned to Amazon Chime Plus.
13
Amazon Chime Administration Guide
Configure Conference Rooms
Amazon Chime can integrate with your in-room video hardware from Cisco, Tandberg, Polycom, Lifesize,
Vidyo, or others when you use the SIP or H.323 protocol.
Conference room VTC devices that support SIP must dial "meet.chime.in" to connect to Amazon
Chime. Devices that only support H.323 must dial 52.23.133.56 or 52.54.206.237. In both cases, if a
firewall is filtering traffic between the VTC device and Amazon Chime, open the H.323 ranges. For more
information, see Network Configuration and Bandwidth Requirements (p. 22).
The following table is a subset of the compatible VTC devices list.
Device
SIP
H.323
Comment
Cisco SX20
Yes
Yes
Audio/Video/Screen:
To and From OK
Cisco DX80
Yes
Yes
Audio/Video/Screen:
To and From OK
Tandberg C40
Yes
Yes
Audio/Video/Screen:
To and From OK
Polycom
RealPresence
Desktop
No
Yes
Audio/Video: OK,
Screen: From device
is OK
Polycom Debut
No
Yes
Audio/Video: OK,
Screen: From device
is OK
14
Amazon Chime Administration Guide
View Reports
To make more informed decisions and increase productivity for your organization, you can access usage
and feedback data directly from the console. Report data is updated daily, though there may be a delay
of up to 48 hours.
To view usage and feedback reports
1.
Open the Amazon Chime console at https://console.chime.aws.amazon.com/.
2.
Choose Reports, Dashboard.
3.
On the Usage and feedback report page, view the following data:
• Week of (Monday to Sunday) – The date range of the report.
• Registered users – The number of users that have signed up for Amazon Chime.
• Active users – The number of users who have either attended a meeting or sent a message with
Amazon Chime.
• Meetings held – The total number of meetings that have occurred.
• Meeting satisfaction – The percentage of positive responses given to the end-of-meeting survey.
15
Amazon Chime Administration Guide
Create an IAM User
Control Access to the Amazon Chime
Console
As an administrator, you must complete the following tasks to allow users in your account to access the
Amazon Chime console.
Create an IAM User
Services in AWS, such as Amazon Chime, require that you provide credentials when you access them. This
allows the service to determine whether you have permissions to access its resources. We recommend
that you avoid accessing AWS with your AWS account root credentials. Instead, use AWS Identity and
Access Management (IAM). Create one or more IAM users, add the users to an IAM group, and grant
permissions to the group by attaching IAM policies. All of the users in that group inherit the permissions.
Your IAM users can then access the AWS and Amazon Chime consoles using their account ID, IAM user
name, and password.
For more information about setting up an IAM user, see Creating Your First IAM Admin User and Group.
For information about IAM, see What is IAM?
Attach Required IAM User Policies
By default, IAM users don't have permission to access the Amazon Chime console. To provide access, you
must create IAM policies that grant IAM users permission to use the specific resources and actions they'll
need. You must then attach those policies to IAM users or groups that require those permissions.
When you attach a policy to a user or group, it allows or denies the users permission to perform the
specified tasks on the specified resources.
To make creating policies easier, Amazon Chime supports using the following AWS managed policies.
AWS managed policies are built for specific use cases and are automatically updated by the Amazon
Chime service team when new capabilities are added. When you use these policies, your users have
immediate access to the Amazon Chime console without the need to create or maintain your own
policies.
AWS Managed Policies for
Amazon Chime
Description
AmazonChimeFullAccess
Full access for Amazon Chime administrators who configure and
manage the service
AmazonChimeReadOnly
Read-only access to the console
AmazonChimeUserManagement
Full user management capabilities and read-only access to account
settings and configuration
To create your own policies, review the Amazon Chime Actions (p. 17) below for a list of all of the
actions that you can allow or deny in your policy. For more information about managing and creating
IAM policies, see Managing IAM Policies. For information about how to attach managed policies to an
IAM user, see Attaching and Detaching IAM Policies .
16
Amazon Chime Administration Guide
Read-Only Policy Example
Read-Only Policy Example
This example policy provides read-only access to the Amazon Chime console. You can use this as a base
for any customizations you choose to make.
Note
If you create a custom policy instead of using an AWS managed policy, when Amazon Chime
adds new actions, it does not automatically update your policy. Instead, you must review the
changes and manually update your policy.
{
}
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"chime:ListAccounts",
"chime:GetAccount",
"chime:GetAccountSettings",
"chime:ListUsers",
"chime:GetUser",
"chime:GetUserByEmail",
"chime:ListAccountUsageReportData",
"chime:ListDomains",
"chime:GetDomain",
"chime:ListGroups"
"chime:ListDirectories",
"chime:GetAccountResource"
],
"Effect": "Allow",
"Resource": "*"
}
]
Amazon Chime Actions
The following is the complete list of Amazon Chime actions that are available if you want to create a
custom policy for your console users. For more information about creating custom IAM policies, see
Creating IAM Policies.
Action
Description
Accounts
chime:CreateAccount
Creates a new Amazon Chime account.
chime:RenameAccount
Modifies the account name for your Amazon Chime enterprise or
team account.
chime:ListAccounts
Lists the Amazon Chime accounts associated with your AWS
account.
chime:GetAccount
Gets the account details for an Amazon Chime account.
chime:DeleteAccount
Deletes an Amazon Chime account.
Users
17
Amazon Chime Administration Guide
Amazon Chime Actions
Action
Description
chime:GetAccountSettings
Shows your Amazon Chime account settings.
chime:UpdateAccountSettingsModifies your Amazon Chime account settings.
chime:ListUsers
Lists the users in an Amazon Chime account.
chime:GetUser
Gets the user details for an Amazon Chime user.
chime:GetUserByEmail
Gets user details for an Amazon Chime user based on the email
address in an Amazon Chime enterprise or team account.
chime:InviteUsers
Invites new users to an Amazon Chime account.
chime:SuspendUsers
Suspend users from an Amazon Chime enterprise account.
chime:ActivateUsers
Activates users in an Amazon Chime enterprise account.
chime:UpdateUserLicenses
Manages the licenses for your Amazon Chime users.
chime:ResetPersonalPin
Resets the personal meeting PIN for an Amazon Chime user.
chime:LogoutUser
Signs a user out of all their devices.
Reports
chime:ListAccountUsageReportData
Lists Amazon Chime account usage reporting data.
Domains
chime:ListDomains
Lists domains associated with your Amazon Chime account.
chime:AddDomain
Adds a domain to your Amazon Chime account.
chime:GetDomain
Shows domain details for a domain associated with your Amazon
Chime account.
chime:DeleteDomain
Deletes a domain from your Amazon Chime account.
Amazon Chime Support
chime:SubmitSupportRequest Submits a support ticket from the Amazon Chime console.
Directories
chime:ListDirectories
Lists active Active Directories hosted in the AWS Directory Service
directory of your AWS account.
chime:ConnectDirectory
Connects an Active Directory to your Amazon Chime enterprise
account.
chime:DisconnectDirectory Disconnects the Active Directory from your Amazon Chime
enterprise account.
chime:ListGroups
Lists Active Directory user groups associated with your Amazon
Chime enterprise account.
chime:AddOrUpdateGroups
Adds new or updates existing Active Directory user groups
associated with your Amazon Chime enterprise account.
18
Amazon Chime Administration Guide
Amazon Chime Actions
Action
Description
chime:DeleteGroups
Deletes Active Directory user groups from your Amazon Chime
enterprise account.
AWS Account Delegation
chime:AcceptDelegate
Accepts requests to share management of an Amazon Chime
account with another AWS account.
chime:ValidateDelegate
Allows process to share the AWS account name and Amazon Chime
account name.
chime:ListDelegates
Displays shared account management status on the Account
Summary page.
chime:DeleteDelegate
Removes the shared AWS account management.
19
Amazon Chime Administration Guide
Log Amazon Chime Administration
Calls with AWS CloudTrail
The Amazon Chime administration console is integrated with AWS CloudTrail. CloudTrail is a service
that captures API calls made by or on behalf of Amazon Chime in your AWS account and delivers the log
files to an Amazon S3 bucket that you specify. CloudTrail captures all API calls from the Amazon Chime
administration console and logs the responses from mutating calls. For example, listDomain is readonly and you only see the request in CloudTrail. However, with addDomain, you see both the request
and the response. Using the information collected by CloudTrail, you can determine which requests were
made, the source IP address for the request, who made the request, and when it was made. For more
information, including how to configure and enable CloudTrail, see the AWS CloudTrail User Guide.
When CloudTrail logging is enabled in your AWS account, API calls made from the Amazon Chime
administration console on your behalf are tracked in log files. These records are written together with
other AWS service records in a log file. CloudTrail determines when to create and write to a new file
based on time period and file size. All actions taken in the administration console use API calls and are
logged by CloudTrail. You can store your log files in your bucket for as long as you want, or you can
define Amazon S3 lifecycle rules to archive or delete log files automatically. By default, your log files
are encrypted using Amazon S3 server-side encryption (SSE). To take quick action upon log file delivery,
you can choose to have CloudTrail publish Amazon SNS notifications when new log files are delivered.
For more information, see Configuring Amazon SNS Notifications for CloudTrail. You can also aggregate
AWS Directory Service log files from multiple AWS Regions and AWS accounts into a single S3 bucket.
For more information, see Receiving CloudTrail Log Files from Multiple Regions.
CloudTrail log files can contain one or more log entries, with each entry comprised of multiple JSONformatted events. A log entry represents a single request and contains information about the action
taken, who generated the request, where they were when they made the request, system information,
and information that varies depending on the type of request. For example, the addDomain call includes
information on the domain the user is adding. Every log entry also contains information about who
generated the request. The identity information in the log helps you determine whether the request was
made with root or IAM user credentials, with temporary security credentials for a role or federated user,
or by another AWS service. For more information, see the userIdentity field in the CloudTrail Log Event
Reference.
Log entries are not in any particular order and are not an ordered stack trace of the public API calls.
Entries for Amazon Chime are identified by the chime.amazonaws.com event source. Sensitive
information, such as passwords, authentication tokens, file comments, and file contents, are redacted in
log entries.
If you have configured Active Directory for your Amazon Chime account, see Logging AWS Directory
Service API Calls Using CloudTrail. This describes how to monitor for issues that might affect your
Amazon Chime users’ ability to sign in.
The following is an example of a CloudTrail log entry for Amazon Chime:
{"eventVersion":"1.05",
"userIdentity":{
"type":"IAMUser",
"principalId":" AAAAAABBBBBBBBEXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice ",
"accountId":"0123456789012",
"accessKeyId":"AAAAAABBBBBBBBEXAMPLE",
"sessionContext":{
20
Amazon Chime Administration Guide
"attributes":{
"mfaAuthenticated":"false",
"creationDate":"2017-07-24T17:57:43Z"
},
"sessionIssuer":{
"type":"Role",
"principalId":"AAAAAABBBBBBBBEXAMPLE",
"arn":"arn:aws:iam::123456789012:role/Joe",
"accountId":"123456789012",
"userName":"Joe"
}
}
} ,
"eventTime":"2017-07-24T17:58:21Z",
"eventSource":"chime.amazonaws.com",
"eventName":"AddDomain",
"awsRegion":"us-east-1",
"sourceIPAddress":"72.21.198.64",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
"errorCode":"ConflictException",
"errorMessage":"Request could not be completed due to a conflict",
"requestParameters":{
"domainName":"example.com",
"accountId":"11aaaaaa1-1a11-1111-1a11-aaadd0a0aa00"
},
"responseElements":null,
"requestID":"be1bee1d-1111-11e1-1eD1-0dc1111f1ac1",
"eventID":"00fbeee1-123e-111e-93e3-11111bfbfcc1",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
21
Amazon Chime Administration Guide
Network Configuration and
Bandwidth Requirements
Amazon Chime requires the following hosts, ports, and protocols to support various services. If inbound
or outbound traffic is blocked, this might affect the inability to use various services, including audio,
video, screen sharing, or chat.
Amazon Chime has the following bandwidth requirements for media services that it provides:
• Audio
• 1:1 call: 54 kbps up and down
• Large call: no more than 32 kbps extra down for 50 callers
• Video
• 1:1 call: 650 kbps up and down
• HD mode: 1400 kbps up and down
• 3–4 people: 450 kbps up and (N-1)*400 kbps down
• 5–16 people: 184 kbps up and (N-1)*134 kbps down
• Up and down bandwidth adapts lower for network conditions
• Screen
22
Amazon Chime Administration Guide
• 1.2 mbps kbps up (presenting) and down (viewing) for high quality (adapts as low as 320 kbps for
network conditions)
• Remote control: 800 kbps fixed
23
Amazon Chime Administration Guide
Purchase Amazon Chime
You can purchase Amazon Chime for yourself and for other users and pay a monthly fee per user. Billing
starts after users have been added and are registered. What you pay depends on the subscription plan
that you choose. For more information, see Plans and pricing.
To purchase Amazon Chime
1.
Open the Amazon Chime console at https://console.chime.aws.amazon.com/.
2.
Complete the steps in Step 2: Create an Amazon Chime Account (p. 2).
3.
Complete the steps in Step 3: Add Users to Your Amazon Chime Account (p. 3).
Note
Be sure to add yourself to the account.
24
Amazon Chime Administration Guide
Get Support for Amazon Chime
If you are an administrator and need to contact support for Amazon Chime, choose one of the following
options:
• If you have an AWS Support account, go to Support Center and submit a ticket.
• Otherwise, open the AWS Management Console and choose Amazon Chime, Support, Submit
request.
It's helpful to provide the following information:
• A detailed description of the issue.
• The time the issue occurred, including your time zone.
• Your Amazon Chime version. To find your version number:
• In Windows, choose Help, About Amazon Chime.
• In macOS, choose Amazon Chime, About Amazon Chime.
• In iOS and Android, choose Settings, About.
• The log reference ID. To find this ID:
• In Windows and macOS, choose Help, Send Diagnostic Logs.
• In iOS and Android, choose Settings, Send Diagnostic Logs.
• If your issue is related to a meeting, the meeting ID.
25
Amazon Chime Administration Guide
Resources
To learn more about Amazon Chime, see the following resources:
• Amazon Chime Help Center
• Amazon Chime Training Videos
26
Amazon Chime Administration Guide
Document History for Amazon
Chime
The following table describes the documentation for this release of Amazon Chime.
• Latest documentation update: January 22, 2018
Change
Description
Date
Various IAM updates
Control Access to the Amazon
Chime Console (p. 16)
January 22, 2018
View report data about users
View Reports (p. 15)
January 16, 2018
Reorganization of content
Structural changes throughout
December 15, 2017
Log Amazon Chime
administration calls from the
console with AWS CloudTrail
Log Amazon Chime
Administration Calls with AWS
CloudTrail (p. 20)
September 27, 2017
Configure Amazon Chime
to interact with your Active
Directory
Connect to Your Active
Directory (p. 7)
May 5, 2017
Initial release
Initial release
February 14, 2017
27
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement