Getting started with Amazon Chime
In my last post I wrote a summary of my posts on AWS Security.
In this post I’ll explain how to use Amazon Chime, which I was using to host an online class recently. I’ve been using Chime successfully for a long time but this post might help people understand a few things about how it works and overcome some issues when using it.
Set up Amazon Chime in the AWS Console
To administer Amazon Chime, log in at https://aws.amazon.com or log in with your AWS SSO account if you’re using that. If you’re not the IAM administrator of your AWS account, your admin will need to give you AWS IAM (identity and access management) access to use the service. I’ve been writing about IAM in detail in this series of blog posts:
You can find the specifics for AWS IAM access for Chime here:
You don’t schedule meetings in the AWS Chime Console. You define users in your organization that are allowed to schedule meetings. Then the cost for those meetings gets billed to your AWS account.
The first thing to do is click “New Account” and create a new account in AWS Chime.
This is a bit confusing as you’re in an AWS account creating a Chime account.
You can limit Chime to specific regions, but if you have people logging in from all over the world, as I sometimes do, you’ll get better performance by allowing access from different regions.
Amazon Chime Team and Enterprise Accounts
I’m honestly not sure at this point why you might need multiple accounts, but I suspect you can set up permissions for different accounts and maybe separate the billing if you have multiple departments. I don’t need that so I haven’t looked into it. It may be also that some people want both team and enterprise accounts.
You can find out the difference between these two types of accounts here:
Deleting an AWS Amazon Chime account
What is interesting is that once you create an Amazon Chime account in the console it appears that you cannot delete it. There’s no option to delete it from the main screen.
As it turns out, you have to dig into the settings of an account to delete it.
After you do that the account will sit in a Delete pending state for a while:
Add users in the AWS console who can schedule Chime meetings
Next add users in your Chime account who are allowed to schedule meetings. Click on the account name where you want to add users.
Add the emails for the people you want to be able to schedule meetings from your account.
Once you click Invite users, they will get an email and they will have to accept the invitation.
Can’t Schedule Meeting When Chime Pro Account Trial Ends
Be aware that if you sign up for the Chime enterprise account trial and it ends you might not be able to schedule meetings until you take additional steps. I ran into this in the middle of a class. I set up Amazon Chime in a new account because I was moving things around to organize my AWS accounts and billing. I scheduled a six week class. In the middle of the class I suddenly could not schedule a meeting and it wasn’t clear why. The error messages were not clear at all. The problem was that I had to take additional actions at the end of the free trial to use Chime.
I can’t remember what those steps were at this moment, unfortunately. Just be aware of this issue and plan ahead to resolve that issue if it happens to you. I made the mistake of trying to schedule on the day of class and it caused an issue. Now I always schedule and test at least a day prior to the start of classes. See the issues below which I had to spend a day resolving recently. Hopefully Amazon will fix all of this so you won’t have any issues.
Download and install the Chime App or use the web
To participate in a meeting users will have to download the Chime App or use the web. You can choose one of those options here:
Create a Chime User Account (an Amazon.com account)
This is where it starts getting confusing, to me and my students. If you want to use Chime you have to use an Amazon.com account.
Note that I’m talking about an account that you log in with at https://amazon.com, not an AWS account that you use to log in at AWS SSO or AWS IAM at https://aws.amazon.com. You need this Amazon.com account even though you already have another form of AWS account, in order to log in to Amazon Chime.
I don’t want to mix my shopping accounts with business communication accounts, so I tried to create a new AWS account but had a number of problems (next section).
This confused students in my Azure classes who asked, shouldn’t we be using an Azure account? They also had Gmail addresses and it would have been nice to tell them they could log into Chime with either their Gmail or Azure user address. Maybe AWS will add that later.
You do have some other options to integrate with a corporate directory like Active Directory or Okta to allow users to log in that way. But consider my use case or any marketing department scheduling a webinar. The users in that case will not be in the corporate directory.
Challenges creating an Amazon.com account
There are some things to be aware of when creating an Amazon.com account to use Chime.
If you have already used an email or phone number with another Amazon.com account you won’t be able to reuse it here. This cost me a lot of time when trying to set up AWS accounts quickly when trying to schedule a meeting with AWS Chime.
If you want to know if your phone number is already used with an Amazon.com account you can use the option to sign up with a phone number. It will tell you if the number is already associated with an Amazon.com account. Signing in with email will do the same thing.
The other thing I noticed is that you can log into an Amazon.com account after you create it and remove the phone number. That may cause problems if you lose access to your Amazon.com account or are trying to reset the password, for example, but it does allow you to associate the number with a new account.
Problems inviting a new AWS account to Amazon Chime
When I invited a user to Chime with an email that was not already associated with an Amazon.com account, the user account could not be verified. I could send the invitation and the user could accept it. The user could create an Amazon.com account. However, when the user got the verification email, verification failed.
It took me a while to figure this out but when I created the account first and then invited the user, then the user was able to accept the invitation and the account verified properly. I had set the user up with Pro permissions.
This is all a bit confusing because you might also be using that same email to log in to AWS SSO. I didn’t test using that same email in AWS SSO to create an Amazon.com account and use it with Amazon Chime. Hopefully someone on the Amazon Chime team did.
Scheduling meetings with Amazon Chime
When I tried to schedule a meeting in Amazon Chime on the web I didn’t see the option. Apparently you have to schedule meetings in one of the applications you download and install.
To schedule a meeting for a time in advance:
- Choose the option to schedule a meeting from the top drop down menu.
- Choose a meeting type. I generate a new ID and don’t expose my personal meeting ID. You can optionally require a code for the moderator to start the meeting.
- Choose the time when you want the meeting to start.
- You can choose to schedule with Google Calendar or Outlook. I use Google.
- Copy and paste the meeting information into a new Google Calendar event. Copy the attendees into the meeting. Save the meeting.
Remember that if you want to schedule meetings, you need an Amazon.com account using the same email that was invited to use Chime in the AWS console. That way your Chime meetings get billed to that Amazon AWS account.
For other meeting scheduling options see this documentation.
You can allow attendees
Using a Delegator
One of the problems I had initially is that I created the meeting with an Amazon.com account that used a particular email. Then I tried to add the Google Calendar meeting on a calendar associated with another email. You’ll get an error message in email telling you that the meeting could not be scheduled.
To fix that problem, make the second email address a delegate for the Amazon.com account that scheduled the meeting in the Chime app. Then that user can schedule the meeting on the calendar with the Amazon Chime email address + PIN as attendee, even though the other email scheduled the meeting in the Amazon Chime app.
Amazon Chime Security
The primary security control you have with Amazon Chime is IAM and specifically IAM Policies. You’ll want to be careful to create policies that do not introduce the Confused Deputy Attack.
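The following is an added example, not code from the original post or from AWS. It checks an IAM role trust policy for the usual confused deputy gaps: a service principal allowed to assume the role without an `aws:SourceArn` or `aws:SourceAccount` condition, and an outside account allowed without `sts:ExternalId`. The sample policies, account IDs and ExternalId value are constructed, and the function name is hypothetical.

```python
import json

# Constructed sample trust policies; account IDs and the ExternalId are placeholders.
WEAK = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "chime.amazonaws.com"},
   "Action": "sts:AssumeRole"},
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
   "Action": "sts:AssumeRole"}]}""")
HARDENED = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "chime.amazonaws.com"},
   "Action": "sts:AssumeRole",
   "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}},
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
   "Action": "sts:AssumeRole",
   "Condition": {"StringEquals": {"sts:ExternalId": "constructed-example-id"}}}]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_keys(stmt):
    """Lower-cased condition keys from every operator block in the statement."""
    return {k.lower() for block in stmt.get("Condition", {}).values() for k in block}

def confused_deputy_findings(policy, own_account):
    """Return (statement index, principal, reason) for unscoped Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal, keys = stmt.get("Principal", {}), _condition_keys(stmt)
        if principal == "*":  # bare wildcard is shorthand for any AWS principal
            principal = {"AWS": "*"}
        for svc in _as_list(principal.get("Service", [])):
            if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
                findings.append((i, svc, "service principal lacks aws:SourceArn/aws:SourceAccount"))
        for arn in _as_list(principal.get("AWS", [])):
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account != own_account and "sts:externalid" not in keys:
                findings.append((i, arn, "external account lacks sts:ExternalId"))
    return findings

if __name__ == "__main__":
    for finding in confused_deputy_findings(WEAK, "111122223333"):
        print(finding)
```

The check is a heuristic: it confirms a scoping condition key is present, not that its value is correct for your account or resource.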
For infrastructure security, Amazon Chime references a deprecated white paper that links to a mountain of documents. Hopefully, Amazon will update that soon with more specific information about Amazon Chime.
For Chime SDK security see the following documentation.
Messages, voice, video, and content are encrypted using AES 256-bit encryption.
Amazon Chime Documentation
There’s a lot more to Amazon Chime. Check out the documentation for all the details.
Hopefully this post gave you a good idea how to get started with Amazon Chime.
Medium: Teri Radichel or Email List: Teri Radichel
© 2nd Sight Lab 2022