AWS Chatbot

A service that integrates AWS notifications and command execution into Slack and Microsoft Teams, enabling ChatOps workflows

Overview

AWS Chatbot is a service that delivers AWS operational notifications to Slack and Microsoft Teams channels and enables execution of AWS CLI commands directly from the chat interface. It routes CloudWatch alarms, AWS Health events, Security Hub findings, and Budgets alerts through SNS topics to chat channels, allowing engineers to respond with commands on the spot - building a complete ChatOps workflow. IAM role-based access control lets you restrict the scope of executable commands on a per-channel basis.

Channel Configuration and IAM Role-Based Access Control

Chatbot setup involves two stages: authorizing the chat client (Slack workspace or Teams tenant) and creating channel configurations. For Slack, you first link your AWS account to the Slack workspace via OAuth, then create configurations for individual channels. Each channel configuration is associated with an IAM role that controls the scope of AWS operations executable from that channel. For example, you can assign a read-only IAM role to a production notification channel, blocking change operations like Lambda invocations or EC2 instance stops. Meanwhile, assigning a role with limited write permissions to an incident response channel allows emergency resource operations - a practical design for real-world use. Guardrail policies let you further narrow the permission scope of the IAM role. Channel configurations can be managed as code through CloudFormation, enabling consistent deployment across multiple accounts and channels.
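The read-only production channel described above, expressed as a CloudFormation template. This is an added example, not from the page or from AWS documentation: the Slack workspace and channel IDs are placeholders passed as parameters, and the resource names, the SNS topic and the extra deny statement are assumptions made for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SlackWorkspaceId:
    Type: String   # obtained from the Chatbot console after the OAuth authorization step
  SlackChannelId:
    Type: String   # ID of the notification channel (placeholder, supplied at deploy time)

Resources:
  ProdAlertsTopic:
    Type: AWS::SNS::Topic   # CloudWatch alarm actions publish here

  # Channel role: Chatbot assumes this role for every @aws command issued from the channel.
  ProdChannelReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: chatbot.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      # Defense in depth (assumed policy): a read-only channel still must not return secret material.
      Policies:
        - PolicyName: deny-secret-reads
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Deny
                Action:
                  - secretsmanager:GetSecretValue
                  - ssm:GetParameter*
                Resource: "*"

  ProdAlertsChannel:
    Type: AWS::Chatbot::SlackChannelConfiguration
    Properties:
      ConfigurationName: prod-alerts
      SlackWorkspaceId: !Ref SlackWorkspaceId
      SlackChannelId: !Ref SlackChannelId
      IamRoleArn: !GetAtt ProdChannelReadOnlyRole.Arn
      SnsTopicArns:
        - !Ref ProdAlertsTopic
      # Guardrail: an upper bound on the channel's permissions, even if the role is widened later.
      GuardrailPolicies:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      LoggingLevel: INFO   # command and notification events go to CloudWatch Logs for audit
```

The guardrail and the channel role are evaluated together, so a change operation such as stopping an EC2 instance is refused from this channel regardless of which policies are attached to the role.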

SNS Notification Delivery and Format Customization

Chatbot subscribes to SNS topics to receive notifications. Notifications from major services including CloudWatch Alarms, AWS Health, Security Hub, Budgets, and CodePipeline are automatically converted into rich-formatted cards for display in chat. For CloudWatch Alarms, the alarm name, state transition, and a link to the metrics graph are displayed in a formatted card, letting engineers grasp the situation at a glance. By combining EventBridge rules with SNS, you can also route custom events (deployment completions, batch processing results, etc.) to chat. Notification filtering is controlled through SNS subscription filter policies, ensuring low-priority alarms don't flood the channel. In practice, separating critical alert channels from informational notification channels is essential so on-call engineers never miss notifications that truly require action.

Executing AWS CLI Commands from Chat

Chatbot's standout feature is the ability to execute AWS CLI commands directly from the chat interface. Typing @aws followed by a command in the Slack message field executes it with the permissions of the IAM role associated with the channel. For example, @aws lambda list-functions retrieves the list of Lambda functions in the account, and @aws ecs describe-services --cluster production checks the status of ECS services. Command results are posted to the channel, so all team members share visibility into what was executed and the outcome - improving transparency during incident response. Read commands (describe, list, get) are allowed by default, but change commands (create, delete, update) must be explicitly permitted in the channel configuration. Command execution is logged in CloudTrail, enabling post-hoc tracking of who executed which command and when. In larger organizations, some teams build approval workflows using Step Functions to gate command execution.
