Amazon Chime SDK - Administration Guide

Administration Guide

Amazon Chime SDK

Amazon Chime SDK Administration Guide

Amazon Chime SDK: Administration Guide

Amazon's trademarks and trade dress may not be used in connection with any product or service

that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any

manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are

the property of their respective owners, who may or may not be aﬃliated with, connected to, or

sponsored by Amazon.

Amazon Chime SDK Administration Guide

Table of Contents

What is the Amazon Chime SDK? ................................................................................................... 1

Pricing ............................................................................................................................................................. 1

Prerequisites ..................................................................................................................................... 2

Creating an Amazon Web Services account ............................................................................................ 2

Sign up for an AWS account ................................................................................................................ 2

Create a user with administrative access ........................................................................................... 3

Security ............................................................................................................................................. 5

Identity and access management ............................................................................................................. 6

Audience .................................................................................................................................................... 6

Authenticating with identities .............................................................................................................. 7

Managing access using policies .......................................................................................................... 10

How the Amazon Chime SDK works with IAM ..................................................................................... 13

Amazon Chime SDK identity-based policies ................................................................................... 13

Resources ................................................................................................................................................ 14

Examples ................................................................................................................................................. 14

Using encryption with voice analytics ................................................................................................... 14

Understanding encryption at rest ..................................................................................................... 14

Understanding how voice analytics uses grants ............................................................................ 15

Key policy for voice analytics ............................................................................................................. 15

Using encryption context .................................................................................................................... 16

Monitoring encryption keys ................................................................................................................ 18

Cross-service confused deputy prevention ........................................................................................... 23

Amazon Chime SDK resource-based policies ....................................................................................... 24

Authorization based on Amazon Chime SDK tags .............................................................................. 25

Amazon Chime SDK IAM roles ................................................................................................................ 25

Using temporary credentials with the Amazon Chime SDK ......................................................... 25

Service-linked roles .............................................................................................................................. 25

Service roles ........................................................................................................................................... 25

Identity-based policy examples .............................................................................................................. 25

Policy best practices ............................................................................................................................. 26

AWS managed Amazon Chime SDK policy ...................................................................................... 27

AWS managed policy: AmazonChimeVoiceConnectorServiceLinkedRolePolicy ....................... 28

AWS managed policy: AmazonChimeSDKMediaPipelinesServiceLinkedRolePolicy ................. 29

Policy updates ....................................................................................................................................... 31

iii

Amazon Chime SDK Administration Guide

Troubleshooting .......................................................................................................................................... 35

I am not authorized to perform an action in the Amazon Chime SDK ...................................... 35

I am not authorized to perform iam:PassRole ............................................................................... 36

Using service-linked roles ......................................................................................................................... 36

Using the Amazon Chime SDK Voice Connector service linked role policy ............................... 37

Using roles with live transcription .................................................................................................... 41

Using roles with media pipelines ...................................................................................................... 43

Using the AmazonChimeSDKEvents service-linked role ............................................................... 46

Logging and monitoring ........................................................................................................................... 48

Monitoring with CloudWatch ............................................................................................................. 48

Automating with EventBridge ............................................................................................................ 62

Using AWS CloudTrail to log API calls ............................................................................................. 67

Compliance validation ............................................................................................................................... 69

Resilience ...................................................................................................................................................... 71

Infrastructure security ............................................................................................................................... 71

Getting started .............................................................................................................................. 72

Setting up phone numbers for your Amazon Chime SDK account .................................................. 72

Managing phone numbers ............................................................................................................ 73

Provisioning phone numbers ................................................................................................................... 74

Requesting international phone numbers ............................................................................................ 77

Submitting required documents ........................................................................................................ 78

Outbound calling restrictions ............................................................................................................. 79

Country requirements for phone numbers ..................................................................................... 80

Porting existing phone numbers ............................................................................................................ 97

Prerequisites for porting numbers .................................................................................................... 98

Porting phone numbers into the Amazon Chime SDK ................................................................. 98

Submitting required documents ........................................................................................................ 78

Viewing request status ...................................................................................................................... 101

Assigning ported numbers ............................................................................................................... 102

Porting phone numbers out of the Amazon Chime SDK ........................................................... 102

Phone number porting status deﬁnitions ..................................................................................... 105

Managing phone number inventory .................................................................................................... 106

Assigning phone numbers to Voice Connectors .......................................................................... 107

Reassigning Voice Connector numbers .......................................................................................... 108

Unassigning Voice Connector phone numbers ............................................................................. 109

Reassigning phone numbers ............................................................................................................ 109

Amazon Chime SDK Administration Guide

Assigning phone numbers to SIP media applications ................................................................. 110

Viewing phone number details ....................................................................................................... 110

Changing a phone number's product type ................................................................................... 110

Changing a phone number's assignment type ............................................................................. 111

Setting outbound calling names ..................................................................................................... 112

Deleting phone numbers ....................................................................................................................... 113

Restoring deleted phone numbers ....................................................................................................... 113

Optimize your outbound calling reputation ...................................................................................... 114

Step 1: Know the preferred contact method ............................................................................... 114

Step 2: Brand your calls .................................................................................................................... 115

Step 3: Select meaningful caller IDs .............................................................................................. 115

Step 4: Call valid numbers ............................................................................................................... 115

Step 5: Call at optimal times ........................................................................................................... 115

Step 6: Monitor call ID reputations ................................................................................................ 116

Step 7: Use multiple numbers ......................................................................................................... 116

Step 8: Engage with App Vendors .................................................................................................. 116

Step 9: Add messaging to your outreach strategy to let customers know who you are ....... 117

Step 10: Validate your strategy ....................................................................................................... 117

Managing Voice Connectors ........................................................................................................ 118

Before you begin ..................................................................................................................................... 119

Creating Voice Connectors ..................................................................................................................... 120

Using tags with Voice Connectors ........................................................................................................ 120

Adding tags to Voice Connectors .................................................................................................... 121

Editing tags .......................................................................................................................................... 121

Removing tags ..................................................................................................................................... 121

Editing Voice Connector settings ......................................................................................................... 122

Assigning and unassigning phone numbers ....................................................................................... 128

Deleting Voice Connectors ..................................................................................................................... 129

Conﬁguring Voice Connectors to use call analytics .......................................................................... 129

Managing Voice Connector groups ...................................................................................................... 130

Creating an Amazon Chime SDK Voice Connector group .......................................................... 131

Editing an Amazon Chime SDK Voice Connector group ............................................................. 131

Assigning and unassigning phone numbers to a Voice Connector group ............................... 132

Deleting an Amazon Chime SDK Voice Connector group .......................................................... 133

Streaming media to Kinesis ................................................................................................................... 134

Starting media streaming ................................................................................................................. 135

Amazon Chime SDK Administration Guide

SIP-based media recording and network-based recording compatibility ................................ 136

Using Amazon Chime SDK voice analytics with Voice Connectors ........................................... 136

Using Voice Connector conﬁguration guides ..................................................................................... 138

Managing call analytics .............................................................................................................. 139

Creating call analytics conﬁgurations ................................................................................................. 139

Prerequisites ........................................................................................................................................ 140

Creating a call analytics conﬁguration .......................................................................................... 140

Using call analytics conﬁgurations ...................................................................................................... 147

Updating call analytics conﬁgurations ................................................................................................ 147

Deleting call analytics conﬁgurations ................................................................................................. 148

Enabling voice analytics ......................................................................................................................... 148

Managing voice proﬁle domains .......................................................................................................... 150

Creating voice proﬁle domains ........................................................................................................ 151

Editing voice proﬁle domains .......................................................................................................... 152

Deleting voice proﬁle domains ........................................................................................................ 152

Using tags with voice proﬁle domains ........................................................................................... 153

Understanding the voice analytics consent notice ...................................................................... 154

Setting up emergency calling ..................................................................................................... 156

Validating addresses for emergency calls ........................................................................................... 156

Setting up third-party emergency routing numbers ........................................................................ 157

Using PIDF-LO in emergency calls ....................................................................................................... 158

Managing SIP media applications .............................................................................................. 161

Understanding SIP applications and rules .......................................................................................... 162

Using SIP media applications ................................................................................................................ 162

Creating a SIP media application .................................................................................................... 163

Using tags with SIP media applications ........................................................................................ 164

Viewing a SIP media application ..................................................................................................... 166

Updating a SIP media application .................................................................................................. 166

Deleting a SIP media application .................................................................................................... 167

Managing SIP rules ...................................................................................................................... 168

Creating a SIP rule .................................................................................................................................. 168

Viewing a SIP rule ................................................................................................................................... 170

Updating a SIP rule ................................................................................................................................. 170

Enabling a SIP rule .................................................................................................................................. 170

Disabling a SIP rule ................................................................................................................................. 171

Deleting a SIP rule .................................................................................................................................. 172

Amazon Chime SDK Administration Guide

Managing global settings ........................................................................................................... 174

Conﬁguring call detail records .............................................................................................................. 174

Amazon Chime SDK Voice Connector call detail records ................................................................ 175

Amazon Chime SDK Voice Connector streaming detail records ..................................................... 176

Network conﬁguration and bandwidth requirements .............................................................. 177

Common ..................................................................................................................................................... 177

Amazon Chime SDK WebRTC media sessions .................................................................................... 177

Amazon Chime SDK Voice Connector ................................................................................................. 178

SIP Signaling ........................................................................................................................................ 178

Media ..................................................................................................................................................... 179

Amazon Voice Focus for carriers media destinations and ports ............................................... 180

Bandwidth requirements ........................................................................................................................ 180

Administrative support ............................................................................................................... 182

Document history ........................................................................................................................ 183

vii

Amazon Chime SDK Administration Guide

What is the Amazon Chime SDK?

The Amazon Chime SDK provides a set of real-time communications components that developers

can use to add messaging, audio, video, and screen sharing capabilities to their web or mobile

applications. For instance, developers can add video to a health application so patients can consult

with doctors on health issues remotely, or create customized audio prompts for integration with a

public switched telephone network (PSTN). By using the Amazon Chime SDK, developers can help

eliminate the cost, complexity, and the friction of creating and maintaining their own real-time

communication infrastructure and services.

For more information, see the AWS Amazon Chime SDK page.

Pricing

The Amazon Chime SDK oﬀers pay-for-use pricing with no upfront fees. Developers implementing

the SDK can choose to implement some or all of the available media modalities (audio, video, and

screen share) for a single rate. Messaging, media pipelines, speech enhancement, and PSTN audio

capabilities are also available with pay-for-use pricing. For more information, see Amazon Chime

SDK pricing.

Pricing 1

Amazon Chime SDK Administration Guide

Prerequisites

You must have an AWS account to access the Amazon Chime SDK console and create an Amazon

Chime administrator account.

Creating an Amazon Web Services account

Before you can create an administrator account for the Amazon Chime SDK, you must ﬁrst create

an AWS account.

Topics

• Sign up for an AWS account

• Create a user with administrative access

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account

1. Open https://portal.aws.amazon.com/billing/signup.

2. Follow the online instructions.

Part of the sign-up procedure involves receiving a phone call and entering a veriﬁcation code

on the phone keypad.

When you sign up for an AWS account, an AWS account root user is created. The root user

has access to all AWS services and resources in the account. As a security best practice, assign

administrative access to a user, and use only the root user to perform tasks that require root

user access.

AWS sends you a conﬁrmation email after the sign-up process is complete. At any time, you can

view your current account activity and manage your account by going to https://aws.amazon.com/

and choosing My Account.

Creating an Amazon Web Services account 2

Amazon Chime SDK Administration Guide

Create a user with administrative access

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity

Center, and create an administrative user so that you don't use the root user for everyday tasks.

Secure your AWS account root user

1. Sign in to the AWS Management Console as the account owner by choosing Root user and

entering your AWS account email address. On the next page, enter your password.

For help signing in by using root user, see Signing in as the root user in the AWS Sign-In User

Guide.

2. Turn on multi-factor authentication (MFA) for your root user.

For instructions, see Enable a virtual MFA device for your AWS account root user (console) in

the IAM User Guide.

Create a user with administrative access

1. Enable IAM Identity Center.

For instructions, see Enabling AWS IAM Identity Center in the AWS IAM Identity Center User

Guide.

2. In IAM Identity Center, grant administrative access to a user.

For a tutorial about using the IAM Identity Center directory as your identity source, see

Conﬁgure user access with the default IAM Identity Center directory in the AWS IAM Identity

Center User Guide.

• To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email

address when you created the IAM Identity Center user.

For help signing in using an IAM Identity Center user, see Signing in to the AWS access portal in

the AWS Sign-In User Guide.

Create a user with administrative access 3

Amazon Chime SDK Administration Guide

Assign access to additional users

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-

privilege permissions.

For instructions, see Create a permission set in the AWS IAM Identity Center User Guide.

2. Assign users to a group, and then assign single sign-on access to the group.

For instructions, see Add groups in the AWS IAM Identity Center User Guide.

Create a user with administrative access 4

Amazon Chime SDK Administration Guide

Security in Amazon Chime SDK

Cloud security at AWS is the highest priority. As an AWS customer, you beneﬁt from a data center

and network architecture that is built to meet the requirements of the most security-sensitive

organizations.

Security is a shared responsibility between AWS and you. The shared responsibility model describes

this as security of the cloud and security in the cloud:

• Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS

services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-

party auditors regularly test and verify the eﬀectiveness of our security as part of the AWS

Compliance Programs. To learn about the compliance programs that apply to the Amazon Chime

SDK, see AWS Services in Scope by Compliance Program.

• Security in the cloud – Your responsibility is determined by the AWS service that you use. You

are also responsible for other factors including the sensitivity of your data, your company’s

requirements, and applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when

using the Amazon Chime SDK. The following topics show you how to conﬁgure the Amazon Chime

SDK to meet your security and compliance objectives. You also learn how to use other AWS services

that help you to monitor and secure your Amazon Chime SDK resources.

Topics

• Identity and access management for the Amazon Chime SDK

• How the Amazon Chime SDK works with IAM

• Using encryption with voice analytics

• Cross-service confused deputy prevention

• Amazon Chime SDK resource-based policies

• Authorization based on Amazon Chime SDK tags

• Amazon Chime SDK IAM roles

• Amazon Chime SDK identity-based policy examples

• Troubleshooting Amazon Chime SDK identity and access

• Using service-linked roles for Amazon Chime SDK

Amazon Chime SDK Administration Guide

• Logging and monitoring in the Amazon Chime SDK

• Compliance validation for the Amazon Chime SDK

• Resilience in the Amazon Chime SDK

• Infrastructure security in the Amazon Chime SDK

Identity and access management for the Amazon Chime SDK

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely

control access to AWS resources. IAM administrators control who can be authenticated (signed in)

and authorized (have permissions) to use Amazon Chime SDK resources. IAM is an AWS service that

you can use with no additional charge.

Topics

• Audience

• Authenticating with identities

• Managing access using policies

Audience

How you use AWS Identity and Access Management (IAM) diﬀers, depending on the work that you

do in the Amazon Chime SDK.

Service user – If you use the Amazon Chime SDK service to do your job, then your administrator

provides you with the credentials and permissions that you need. As you use more Amazon Chime

SDK features to do your work, you might need additional permissions. Understanding how access is

managed can help you request the right permissions from your administrator. If you cannot access

a feature in Amazon Chime SDK, see Troubleshooting Amazon Chime SDK identity and access.

Service administrator – If you're in charge of Amazon Chime SDK resources at your company, you

probably have full access to the Amazon Chime SDK. It's your job to determine which Amazon

Chime SDK features and resources your employees should access. You must then submit requests

to your IAM administrator to change the permissions of your service users. Review the information

on this page to understand the basic concepts of IAM. To learn more about how your company can

use IAM with the Amazon Chime SDK, see How the Amazon Chime SDK works with IAM.

Identity and access management 6

Amazon Chime SDK Administration Guide

IAM administrator – If you're an IAM administrator, you might want to learn details about how you

can write policies to manage access to the Amazon Chime SDK. To view example Amazon Chime

SDK identity-based policies that you can use in IAM, see Amazon Chime SDK identity-based policy

examples.

Authenticating with identities

Authentication is how you sign in to AWS using your identity credentials. You must be

authenticated (signed in to AWS) as the AWS account root user, as an IAM user, or by assuming an

IAM role.

You can sign in to AWS as a federated identity by using credentials provided through an identity

source. AWS IAM Identity Center (IAM Identity Center) users, your company's single sign-on

authentication, and your Google or Facebook credentials are examples of federated identities.

When you sign in as a federated identity, your administrator previously set up identity federation

using IAM roles. When you access AWS by using federation, you are indirectly assuming a role.

Depending on the type of user you are, you can sign in to the AWS Management Console or the

AWS access portal. For more information about signing in to AWS, see How to sign in to your AWS

account in the AWS Sign-In User Guide.

If you access AWS programmatically, AWS provides a software development kit (SDK) and a

command line interface (CLI) to cryptographically sign your requests by using your credentials. If

you don't use AWS tools, you must sign requests yourself. For more information about using the

recommended method to sign requests yourself, see Signing AWS API requests in the IAM User

Guide.

Regardless of the authentication method that you use, you might be required to provide additional

security information. For example, AWS recommends that you use multi-factor authentication

(MFA) to increase the security of your account. To learn more, see Multi-factor authentication in the

AWS IAM Identity Center User Guide and Using multi-factor authentication (MFA) in AWS in the IAM

User Guide.

AWS account root user

When you create an AWS account, you begin with one sign-in identity that has complete access to

all AWS services and resources in the account. This identity is called the AWS account root user and

is accessed by signing in with the email address and password that you used to create the account.

We strongly recommend that you don't use the root user for your everyday tasks. Safeguard your

Authenticating with identities 7

Amazon Chime SDK Administration Guide

root user credentials and use them to perform the tasks that only the root user can perform. For

the complete list of tasks that require you to sign in as the root user, see Tasks that require root

user credentials in the IAM User Guide.

IAM users and groups

An IAM user is an identity within your AWS account that has speciﬁc permissions for a single person

or application. Where possible, we recommend relying on temporary credentials instead of creating

IAM users who have long-term credentials such as passwords and access keys. However, if you have

speciﬁc use cases that require long-term credentials with IAM users, we recommend that you rotate

access keys. For more information, see Rotate access keys regularly for use cases that require long-

term credentials in the IAM User Guide.

An IAM group is an identity that speciﬁes a collection of IAM users. You can't sign in as a group. You

can use groups to specify permissions for multiple users at a time. Groups make permissions easier

to manage for large sets of users. For example, you could have a group named IAMAdmins and give

that group permissions to administer IAM resources.

Users are diﬀerent from roles. A user is uniquely associated with one person or application, but

a role is intended to be assumable by anyone who needs it. Users have permanent long-term

credentials, but roles provide temporary credentials. To learn more, see When to create an IAM user

(instead of a role) in the IAM User Guide.

IAM roles

An IAM role is an identity within your AWS account that has speciﬁc permissions. It is similar to an

IAM user, but is not associated with a speciﬁc person. You can temporarily assume an IAM role in

the AWS Management Console by switching roles. You can assume a role by calling an AWS CLI or

AWS API operation or by using a custom URL. For more information about methods for using roles,

see Using IAM roles in the IAM User Guide.

IAM roles with temporary credentials are useful in the following situations:

• Federated user access – To assign permissions to a federated identity, you create a role

and deﬁne permissions for the role. When a federated identity authenticates, the identity

is associated with the role and is granted the permissions that are deﬁned by the role. For

information about roles for federation, see Creating a role for a third-party Identity Provider

in the IAM User Guide. If you use IAM Identity Center, you conﬁgure a permission set. To control

what your identities can access after they authenticate, IAM Identity Center correlates the

Authenticating with identities 8

Amazon Chime SDK Administration Guide

permission set to a role in IAM. For information about permissions sets, see Permission sets in

the AWS IAM Identity Center User Guide.

• Temporary IAM user permissions – An IAM user or role can assume an IAM role to temporarily

take on diﬀerent permissions for a speciﬁc task.

• Cross-account access – You can use an IAM role to allow someone (a trusted principal) in a

diﬀerent account to access resources in your account. Roles are the primary way to grant cross-

account access. However, with some AWS services, you can attach a policy directly to a resource

(instead of using a role as a proxy). To learn the diﬀerence between roles and resource-based

policies for cross-account access, see Cross account resource access in IAM in the IAM User Guide.

• Cross-service access – Some AWS services use features in other AWS services. For example, when

you make a call in a service, it's common for that service to run applications in Amazon EC2 or

store objects in Amazon S3. A service might do this using the calling principal's permissions,

using a service role, or using a service-linked role.

• Forward access sessions (FAS) – When you use an IAM user or role to perform actions in

AWS, you are considered a principal. When you use some services, you might perform an

action that then initiates another action in a diﬀerent service. FAS uses the permissions of the

principal calling an AWS service, combined with the requesting AWS service to make requests

to downstream services. FAS requests are only made when a service receives a request that

requires interactions with other AWS services or resources to complete. In this case, you must

have permissions to perform both actions. For policy details when making FAS requests, see

Forward access sessions.

• Service role – A service role is an IAM role that a service assumes to perform actions on your

behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For

more information, see Creating a role to delegate permissions to an AWS service in the IAM

User Guide.

• Service-linked role – A service-linked role is a type of service role that is linked to an AWS

service. The service can assume the role to perform an action on your behalf. Service-linked

roles appear in your AWS account and are owned by the service. An IAM administrator can

view, but not edit the permissions for service-linked roles.

• Applications running on Amazon EC2 – You can use an IAM role to manage temporary

credentials for applications that are running on an EC2 instance and making AWS CLI or AWS API

requests. This is preferable to storing access keys within the EC2 instance. To assign an AWS role

to an EC2 instance and make it available to all of its applications, you create an instance proﬁle

that is attached to the instance. An instance proﬁle contains the role and enables programs that

are running on the EC2 instance to get temporary credentials. For more information, see Using

Authenticating with identities 9

Amazon Chime SDK Administration Guide

an IAM role to grant permissions to applications running on Amazon EC2 instances in the IAM

User Guide.

To learn whether to use IAM roles or IAM users, see When to create an IAM role (instead of a user)

in the IAM User Guide.

Managing access using policies

You control access in AWS by creating policies and attaching them to AWS identities or resources.

A policy is an object in AWS that, when associated with an identity or resource, deﬁnes their

permissions. AWS evaluates these policies when a principal (user, root user, or role session) makes

a request. Permissions in the policies determine whether the request is allowed or denied. Most

policies are stored in AWS as JSON documents. For more information about the structure and

contents of JSON policy documents, see Overview of JSON policies in the IAM User Guide.

Administrators can use AWS JSON policies to specify who has access to what. That is, which

principal can perform actions on what resources, and under what conditions.

By default, users and roles have no permissions. To grant users permission to perform actions on

the resources that they need, an IAM administrator can create IAM policies. The administrator can

then add the IAM policies to roles, and users can assume the roles.

IAM policies deﬁne permissions for an action regardless of the method that you use to perform the

operation. For example, suppose that you have a policy that allows the iam:GetRole action. A

user with that policy can get role information from the AWS Management Console, the AWS CLI, or

the AWS API.

Identity-based policies

Identity-based policies are JSON permissions policy documents that you can attach to an identity,

such as an IAM user, group of users, or role. These policies control what actions users and roles can

perform, on which resources, and under what conditions. To learn how to create an identity-based

policy, see Creating IAM policies in the IAM User Guide.

Identity-based policies can be further categorized as inline policies or managed policies. Inline

policies are embedded directly into a single user, group, or role. Managed policies are standalone

policies that you can attach to multiple users, groups, and roles in your AWS account. Managed

policies include AWS managed policies and customer managed policies. To learn how to choose

Managing access using policies 10

Amazon Chime SDK Administration Guide

between a managed policy or an inline policy, see Choosing between managed policies and inline

policies in the IAM User Guide.

Resource-based policies

Resource-based policies are JSON policy documents that you attach to a resource. Examples of

resource-based policies are IAM role trust policies and Amazon S3 bucket policies. In services that

support resource-based policies, service administrators can use them to control access to a speciﬁc

resource. For the resource where the policy is attached, the policy deﬁnes what actions a speciﬁed

principal can perform on that resource and under what conditions. You must specify a principal

in a resource-based policy. Principals can include accounts, users, roles, federated users, or AWS

services.

Resource-based policies are inline policies that are located in that service. You can't use AWS

managed policies from IAM in a resource-based policy.

AWS managed policies for the Amazon Chime SDK

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to

write policies yourself. It takes time and expertise to create IAM customer managed policies that

provide your team with only the permissions they need. To get started quickly, you can use our

AWS managed policies. These policies cover common use cases and are available in your AWS

account. For more information about AWS managed policies, see AWS managed policies in the IAM

User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in

AWS managed policies. Services occasionally add additional permissions to an AWS managed

policy to support new features. This type of update aﬀects all identities (users, groups, and roles)

where the policy is attached. Services are most likely to update an AWS managed policy when

a new feature is launched or when new operations become available. Services do not remove

permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For

example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services

and resources. When a service launches a new feature, AWS adds read-only permissions for new

operations and resources. For a list and descriptions of job function policies, see AWS managed

policies for job functions in the IAM User Guide.

Managing access using policies 11

Amazon Chime SDK Administration Guide

Access Control Lists (ACLs)

Access control lists (ACLs) control which principals (account members, users, or roles) have

permissions to access a resource. ACLs are similar to resource-based policies, although they do not

use the JSON policy document format.

Amazon S3, AWS WAF, and Amazon VPC are examples of services that support ACLs. To learn more

about ACLs, see Access control list (ACL) overview in the Amazon Simple Storage Service Developer

Guide.

Other policy types

AWS supports additional, less-common policy types. These policy types can set the maximum

permissions granted to you by the more common policy types.

• Permissions boundaries – A permissions boundary is an advanced feature in which you set

the maximum permissions that an identity-based policy can grant to an IAM entity (IAM user

or role). You can set a permissions boundary for an entity. The resulting permissions are the

intersection of an entity's identity-based policies and its permissions boundaries. Resource-based

policies that specify the user or role in the Principal ﬁeld are not limited by the permissions

boundary. An explicit deny in any of these policies overrides the allow. For more information

about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.

• Service control policies (SCPs) – SCPs are JSON policies that specify the maximum permissions

for an organization or organizational unit (OU) in AWS Organizations. AWS Organizations is a

service for grouping and centrally managing multiple AWS accounts that your business owns. If

you enable all features in an organization, then you can apply service control policies (SCPs) to

any or all of your accounts. The SCP limits permissions for entities in member accounts, including

each AWS account root user. For more information about Organizations and SCPs, see Service

control policies in the AWS Organizations User Guide.

• Session policies – Session policies are advanced policies that you pass as a parameter when you

programmatically create a temporary session for a role or federated user. The resulting session's

permissions are the intersection of the user or role's identity-based policies and the session

policies. Permissions can also come from a resource-based policy. An explicit deny in any of these

policies overrides the allow. For more information, see Session policies in the IAM User Guide.

Managing access using policies 12

Amazon Chime SDK Administration Guide

Multiple policy types

When multiple types of policies apply to a request, the resulting permissions are more complicated

to understand. To learn how AWS determines whether to allow a request when multiple policy

types are involved, see Policy evaluation logic in the IAM User Guide.

How the Amazon Chime SDK works with IAM

Before you use IAM to manage access to the Amazon Chime SDK, learn the IAM features available

for use with the Amazon Chime SDK. To get a high-level view of how the Amazon Chime SDK and

other AWS services work with IAM, see AWS services that work with IAM in the IAM User Guide.

Topics

• Amazon Chime SDK identity-based policies

• Resources

• Examples

Amazon Chime SDK identity-based policies

With IAM identity-based policies, you can specify allowed or denied actions and resources as well

as the conditions under which actions are allowed or denied. The Amazon Chime SDK supports

speciﬁc actions, resources, and condition keys. To learn about all of the elements that you use in a

JSON policy, see IAM JSON policy elements reference in the IAM User Guide.

Actions

Administrators can use AWS JSON policies to specify who has access to what. That is, which

principal can perform actions on what resources, and under what conditions.

The Action element of a JSON policy describes the actions that you can use to allow or deny

access in a policy. Policy actions usually have the same name as the associated AWS API operation.

There are some exceptions, such as permission-only actions that don't have a matching API

operation. There are also some operations that require multiple actions in a policy. These

additional actions are called dependent actions.

Include actions in a policy to grant permissions to perform the associated operation.

For more information about actions, see Actions, resources, and condition keys for Amazon Chime

in the Service Authorization Reference.

How the Amazon Chime SDK works with IAM 13

Amazon Chime SDK Administration Guide

Condition keys

The Amazon Chime SDK provides a set of service-speciﬁc condition keys. For more information, see

Condition keys for Amazon Chime in the Service Authorization Reference.

Resources

The Amazon Chime SDK supports specifying resource ARNs in a policy. For more information, see

Resource types deﬁned by Amazon Chime

Examples

To view examples of Amazon Chime SDK identity-based policies, see Amazon Chime SDK identity-

based policy examples.

Using encryption with voice analytics

Amazon Chime SDK voice analytics stores the audio ﬁles used to generate voice embedding. The

ﬁles are encrypted using a symmetric customer managed key that you create, own, and manage.

Because you have full control over this layer of encryption, you can perform such tasks as:

• Establishing and maintaining key policies

• Establishing and maintaining IAM policies and grants

• Enabling and disabling key policies

• Rotating key cryptographic material

• Adding tags

• Creating key aliases

• Scheduling keys for deletion

For more information, see Customer managed keys in the AWS Key Management Service Developer

Guide.

Understanding encryption at rest

By default, voice analytics encrypts all user data at rest. When creating a new voice proﬁle domain,

you must provide a symmetric customer managed key that the service uses to encrypt your data at

rest. You own, manage and control the key.

Resources 14

Amazon Chime SDK Administration Guide

The key only encrypts the audio ﬁles used to enroll speakers in voice embeddings.

Voice analytics accesses the key by creating grants. For more information about grants, see the

next section.

Understanding how voice analytics uses grants

Voice analytics requires a grant to use your customer managed key. When you create a voice proﬁle

domain, the associated Amazon Chime SDK Voice Connector creates a grant on your behalf by

sending a CreateGrant request to the AWS KMS. The grant is required in order to use your key for

the following internal operations:

• Sending DescribeKey requests to AWS KMS to verify that the symmetric customer managed key

ID provided is valid.

• Sending GenerateDataKey requests to KMS key to create data keys with which to encrypt objects.

• Sending Decrypt requests to AWS KMS to decrypt the encrypted data keys so that they can be

used to encrypt your data.

• Sending RetireGrant requests to AWS KMS to retire the grants used for a voice proﬁle domain.

• Storing ﬁles in Amazon S3 with server side encryption.

You can revoke access to the grant, or remove the service's access to your key at any time. If you

do, voice analytics won't be able to access any of the data encrypted by the key. That aﬀects all the

operations that depend on that data, leading to AccessDeniedException errors and failures in

the speaker search workﬂows.

Key policy for voice analytics

Key policies control access to your customer managed key. Every customer managed key must

have exactly one key policy, with policy statements that determine who can use the key and how

they can use it. When you create your key, you can specify a key policy. For more information, see

Working with key policies in the AWS Key Management Service Developer Guide.

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "Allow key access to Amazon Chime SDK voice analytics.",

Understanding how voice analytics uses grants 15

Amazon Chime SDK Administration Guide

"Effect": "Allow",

"Principal": {

"AWS": "your_user_or_role_ARN"

"Action": [

"kms:CreateGrant",

"kms:Decrypt",

"kms:DescribeKey"

"Resource": "*",

"Condition": {

"StringEquals": {

"kms:ViaService": [

"chimevoiceconnector.region.amazonaws.com"

]

}

]

}

For information about specifying permissions in a policy, see Specifying KMS keys in IAM policy

statements in the AWS Key Management Service Developer Guide.

For information about troubleshooting key access, see Troubleshooting key access in the AWS Key

Management Service Developer Guide.

Using encryption context

An encryption context is an optional set of key-value pairs that contain additional contextual

information about the data. AWS KMS uses the encryption context to support authenticated

encryption.

When you include an encryption context in an encryption request, AWS KMS binds the encryption

context to the encrypted data. To decrypt data, you include the same encryption context in the

request.

Voice analytics uses the same encryption context in all AWS KMS cryptographic operations, where

the key is aws:chime:voice-profile-domain:arn and the value is the resource Amazon

Resource Name (ARN).

The following example shows a typical encryption context.

Using encryption context 16

Amazon Chime SDK Administration Guide

"encryptionContext": {

"aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-west-2:111122223333:voice-

profile-domain/sample-domain-id"

}

You can also use the encryption context in audit records and logs to identify how the customer

managed key is being used. The encryption context also appears in logs generated by CloudTrail or

CloudWatch Logs.

Using encryption context to control access to your key

You can use the encryption context in key policies and IAM policies as conditions to control access

to your symmetric customer managed key. You can also use encryption context constraints in a

grant.

Voice analytics uses an encryption context constraint in grants to control access to the customer

managed keys in your account or Region. The grant constraint requires that the operations that the

grant allows use the speciﬁed encryption context.

The following example key policy statements grant access to a customer managed key for a

speciﬁc encryption context. The condition in the policy statement requires that the grants have an

encryption context constraint that speciﬁes the encryption context.

{

"Sid": "Enable DescribeKey",

"Effect": "Allow",

"Principal": {

"AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"

"Action": "kms:DescribeKey",

"Resource": "*"

{

"Sid": "Enable CreateGrant",

"Effect": "Allow",

"Principal": {

"AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"

"Action": "kms:CreateGrant",

"Resource": "*",

"Condition": {

"StringEquals": {

Using encryption context 17

Amazon Chime SDK Administration Guide

"kms:EncryptionContext:aws:chime:voice-profile-domain:arn":

"arn:aws:chime:us-west-2:111122223333:voice-profile-domain/sample-domain-id"

}

Monitoring encryption keys

Amazon Chime SDK Voice Connectors send requests to AWS KMS, and you can track those requests

in CloudTrail or CloudWatch logs.

CreateGrant

When you use a customer managed key to create a voice proﬁle domain resource, the

associated Voice Connector sends a CreateGrant request on your behalf to access the KMS

key in your AWS account. The grant that the Voice Connector creates is speciﬁc to the resource

associated with the customer managed key. The Voice Connector also uses the RetireGrant

operation to remove a grant when you delete a resource.

The following example records a CreateGrant operation.

{

"eventVersion": "1.08",

"userIdentity": {

"type": "AssumedRole",

"principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",

"arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",

"accountId": "111122223333",

"accessKeyId": "AKIAIOSFODNN7EXAMPLE3",

"sessionContext": {

"sessionIssuer": {

"type": "Role",

"principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",

"arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",

"accountId": "111122223333",

"userName": "Admin"

"webIdFederationData": {},

"attributes": {

"mfaAuthenticated": "false",

"creationDate": "2021-04-22T17:02:00Z"

}

Monitoring encryption keys 18

Amazon Chime SDK Administration Guide

"invokedBy": "AWS Internal"

"eventTime": "2021-04-22T17:07:02Z",

"eventSource": "kms.amazonaws.com",

"eventName": "CreateGrant",

"awsRegion": "us-west-2",

"sourceIPAddress": "172.12.34.56",

"userAgent": "ExampleDesktop/1.0 (V1; OS)",

"requestParameters": {

"constraints": {

"encryptionContextSubset": {

"aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-

west-2:111122223333:voice-profile-domain/sample-domain-id"

}

"retiringPrincipal": "chimevoiceconnector.region.amazonaws.com",

"operations": [

"GenerateDataKey",

"Decrypt",

"DescribeKey",

"RetireGrant"

"keyId": "arn:aws:kms:us-

west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",

"granteePrincipal": "chimevoiceconnector.region.amazonaws.com",

"retiringPrincipal": "chimevoiceconnector.region.amazonaws.com"

"responseElements": {

"grantId":

"0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE"

"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",

"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",

"readOnly": false,

"resources": [

{

"accountId": "111122223333",

"type": "AWS::KMS::Key",

"ARN": "arn:aws:kms:us-

west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"

}

"eventType": "AwsApiCall",

Monitoring encryption keys 19

Amazon Chime SDK Administration Guide

"managementEvent": true,

"eventCategory": "Management",

"recipientAccountId": "111122223333"

}

GenerateDataKey

When you create a voice proﬁle domain and assign a customer managed key to the domain,

the associated Voice Connector creates a unique data key to encrypt each speaker’s enrollment

audio. The Voice Connector sends a GenerateDataKey request to AWS KMS that speciﬁes the

key for the resource.

The following example records a GenerateDataKey operation.

{

"eventVersion": "1.08",

"userIdentity": {

"type": "AWSService",

"invokedBy": "AWS Internal"

"eventTime": "2021-04-22T17:07:02Z",

"eventSource": "kms.amazonaws.com",

"eventName": "GenerateDataKey",

"awsRegion": "us-west-2",

"sourceIPAddress": "172.12.34.56",

"userAgent": "ExampleDesktop/1.0 (V1; OS)",

"requestParameters": {

"encryptionContext": {

"aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-

west-2:111122223333:voice-profile-domain/sample-domain-id"

"keySpec": "AES_256",

"keyId": "arn:aws:kms:us-

west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"

"responseElements": null,

"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",

"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",

"readOnly": true,

"resources": [

{

"accountId": "111122223333",

"type": "AWS::KMS::Key",

Monitoring encryption keys 20

Amazon Chime SDK Administration Guide

"ARN": "arn:aws:kms:us-

west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"

}

"eventType": "AwsApiCall",

"managementEvent": true,

"eventCategory": "Management",

"recipientAccountId": "111122223333",

"sharedEventID": "57f5dbee-16da-413e-979f-2c4c6663475e"

}

Decrypt

When a voice proﬁle in a voice proﬁle domain needs to have its voice print upgraded because of

a newer voice recognition model, the associated Voice Connector calls the Decrypt operation

to use the stored encrypted data key to access the encrypted data.

The following example records a Decrypt operation.

{

"eventVersion": "1.08",

"userIdentity": {

"type": "AWSService",

"invokedBy": "AWS Internal"

"eventTime": "2021-10-12T23:59:34Z",

"eventSource": "kms.amazonaws.com",

"eventName": "Decrypt",

"awsRegion": "us-west-2",

"sourceIPAddress": "172.12.34.56",

"userAgent": "ExampleDesktop/1.0 (V1; OS)",

"requestParameters": {

"encryptionContext": {

"keyId": "arn:aws:kms:us-

west-2:111122223333:key/44444444-3333-2222-1111-EXAMPLE11111",

"encryptionContext": {

"aws:chime:voice-profile-domain:arn": "arn:aws:chime:us-

west-2:111122223333:voice-profile-domain/sample-domain-id"

"encryptionAlgorithm": "SYMMETRIC_DEFAULT"

"responseElements": null,

"requestID": "ed0fe4ab-305b-4388-8adf-7e8e3a4e80fe",

Monitoring encryption keys 21

Amazon Chime SDK Administration Guide

"eventID": "31d0d7c6-ce5b-4caf-901f-025bf71241f6",

"readOnly": true,

"resources": [{

"accountId": "111122223333",

"type": "AWS::KMS::Key",

"ARN": "arn:aws:kms:us-

west-2:111122223333:key/00000000-1111-2222-3333-9999999999999"

}],

"eventType": "AwsApiCall",

"managementEvent": true,

"recipientAccountId": "111122223333",

"sharedEventID": "35d58aa1-26b2-427a-908f-025bf71241f6",

"eventCategory": "Management"

}

DescribeKey

Voice Connectors use the DescribeKey operation to verify that the key associated with a voice

proﬁle domain exists in the account and Region.

The following example records a DescribeKey operation.

{

"eventVersion": "1.08",

"userIdentity": {

"type": "AssumedRole",

"principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",

"arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",

"accountId": "111122223333",

"accessKeyId": "AKIAIOSFODNN7EXAMPLE3",

"sessionContext": {

"sessionIssuer": {

"type": "Role",

"principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",

"arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",

"accountId": "111122223333",

"userName": "Admin"

"webIdFederationData": {},

"attributes": {

"mfaAuthenticated": "false",

"creationDate": "2021-04-22T17:02:00Z"

}

Monitoring encryption keys 22

Amazon Chime SDK Administration Guide

"invokedBy": "AWS Internal"

"eventTime": "2021-04-22T17:07:02Z",

"eventSource": "kms.amazonaws.com",

"eventName": "DescribeKey",

"awsRegion": "us-west-2",

"sourceIPAddress": "172.12.34.56",

"userAgent": "ExampleDesktop/1.0 (V1; OS)",

"requestParameters": {

"keyId": "00dd0db0-0000-0000-ac00-b0c000SAMPLE"

"responseElements": null,

"requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",

"eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",

"readOnly": true,

"resources": [

{

"accountId": "111122223333",

"type": "AWS::KMS::Key",

"ARN": "arn:aws:kms:us-

west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"

}

"eventType": "AwsApiCall",

"managementEvent": true,

"eventCategory": "Management",

"recipientAccountId": "111122223333"

}

Cross-service confused deputy prevention

The confused deputy problem is an information security issue that occurs when an entity without

permission to perform an action calls a more-privileged entity to perform the action. This can

allow malicious actors to run commands or modify resources they otherwise would not have

permission to run or access. For more information, see The confused deputy problem in the AWS

Identity and Access Management User Guide.

In AWS, cross-service impersonation can lead to a confused deputy scenario. Cross-service

impersonation happens when one service (the calling service) calls another service (the called

service). A malicious actor can use the calling service to alter resources in another service by using

permissions that they normally would not have.

Cross-service confused deputy prevention 23

Amazon Chime SDK Administration Guide

AWS provides service principals with managed access to resources on your account to help you

protect your resources' security. We recommend using the aws:SourceAccount global condition

context key in your resource policies. These keys limit the permissions that the Amazon Chime SDK

gives another service to that resource.

The following example shows an S3 bucket policy that uses the aws:SourceAccount global

condition context key in the conﬁgured CallDetailRecords S3 bucket to help prevent the

confused deputy problem.

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "AmazonChimeAclCheck668426",

"Effect": "Allow",

"Principal": {

"Service": "chime.amazonaws.com"

"Action": "s3:GetBucketAcl",

"Resource": "arn:aws:s3:::your-cdr-bucket"

{

"Sid": "AmazonChimeWrite668426",

"Effect": "Allow",

"Principal": {

"Service": "chime.amazonaws.com"

"Action": "s3:PutObject",

"Resource": "arn:aws:s3:::your-cdr-bucket/*",

"Condition": {

"StringEquals": {

"s3:x-amz-acl": "bucket-owner-full-control",

"aws:SourceAccount": "112233446677"

}

]

}

Amazon Chime SDK resource-based policies

The Amazon Chime SDK supports resource-based policies for the following resource types.

Amazon Chime SDK resource-based policies 24

Amazon Chime SDK Administration Guide

Authorization based on Amazon Chime SDK tags

The Amazon Chime SDK supports tagging for these resource types.

Amazon Chime SDK IAM roles

An IAM role is an entity within your AWS account that has speciﬁc permissions.

Using temporary credentials with the Amazon Chime SDK

You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a

cross-account role. You obtain temporary security credentials by calling AWS STS API operations

such as AssumeRole or GetFederationToken.

The Amazon Chime SDK supports using temporary credentials.

Service-linked roles

Service-linked roles allow AWS services to access resources in other services that complete actions

on your behalf. Service-linked roles appear in your IAM account, and the services own the roles. An

IAM administrator can view but not edit the permissions for service-linked roles.

The Amazon Chime SDK supports service-linked roles. For details about creating or managing

those roles, see Using service-linked roles for Amazon Chime SDK.

Service roles

This feature allows a service to assume a service role on your behalf. This role allows the service to

access resources in other services to complete an action on your behalf. Service roles appear in your

IAM account and are owned by the account. This means that an IAM administrator can change the

permissions for this role. However, doing so might break the functionality of the service.

The Amazon Chime SDK does not support service roles.

Amazon Chime SDK identity-based policy examples

By default, IAM users and roles don't have permission to create or modify Amazon Chime SDK

resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS

API. An IAM administrator must create IAM policies that grant users and roles permission to

Authorization based on Amazon Chime SDK tags 25

Amazon Chime SDK Administration Guide

perform speciﬁc API operations on the speciﬁed resources they need. The administrator must then

attach those policies to the IAM users or groups that require those permissions.

To learn how to create an IAM identity-based policy using these example JSON policy documents,

see Creating policies on the JSON tab in the IAM User Guide.

Topics

• Policy best practices

• AWS managed Amazon Chime SDK policy

• AWS managed policy: AmazonChimeVoiceConnectorServiceLinkedRolePolicy

• AWS managed policy: AmazonChimeSDKMediaPipelinesServiceLinkedRolePolicy

• Amazon Chime updates to AWS managed policies

Policy best practices

Identity-based policies are very powerful. They determine whether someone can create, access,

or delete Amazon Chime SDK resources in your account. These actions can incur costs for your

AWS account. When you create or edit identity-based policies, follow these guidelines and

recommendations:

• Get started using AWS managed policies – To start using the Amazon Chime SDK quickly,

use AWS managed policies to give your employees the permissions they need. These policies

are already available in your account and are maintained and updated by AWS. For more

information, see Get started using permissions with AWS managed policies in the IAM User Guide.

• Grant least privilege – When you create custom policies, grant only the permissions required

to perform a task. Start with a minimum set of permissions and grant additional permissions

as necessary. Doing so is more secure than starting with permissions that are too lenient and

then trying to tighten them later. For more information, see Grant least privilege in the IAM User

Guide.

• Enable MFA for sensitive operations – For extra security, require IAM users to use multi-factor

authentication (MFA) to access sensitive resources or API operations. For more information, see

Using multi-factor authentication (MFA) in AWS in the IAM User Guide.

• Use policy conditions for extra security – To the extent that it's practical, deﬁne the conditions

under which your identity-based policies allow access to a resource. For example, you can write

conditions to specify a range of allowable IP addresses that a request must come from. You can

also write conditions to allow requests only within a speciﬁed date or time range, or to require

Policy best practices 26

Amazon Chime SDK Administration Guide

the use of SSL or MFA. For more information, see IAM JSON policy elements: Condition in the

IAM User Guide.

AWS managed Amazon Chime SDK policy

You use the AWS managed AmazonChimeVoiceConnectorServiceLinkedRolePolicy to

grant users access to Amazon Chime SDK actions. For more information, see Example IAM roles in

the Amazon Chime SDK Developer Guide, and Actions, resources, and condition keys for Amazon

Chime in the Service Authorization Reference.

// Policy ARN: arn:aws:iam::aws:policy/AmazonChimeSDK

// Description: Provides access to Amazon Chime SDK operations

{

"Version": "2012-10-17",

"Statement": [

{

"Action": [

"chime:CreateMediaCapturePipeline",

"chime:CreateMediaConcatenationPipeline",

"chime:CreateMediaLiveConnectorPipeline",

"chime:CreateMeeting",

"chime:CreateMeetingWithAttendees",

"chime:DeleteMediaCapturePipeline",

"chime:DeleteMediaPipeline",

"chime:DeleteMeeting",

"chime:GetMeeting",

"chime:ListMeetings",

"chime:CreateAttendee",

"chime:BatchCreateAttendee",

"chime:DeleteAttendee",

"chime:GetAttendee",

"chime:GetMediaCapturePipeline",

"chime:GetMediaPipeline",

"chime:ListAttendees",

"chime:ListAttendeeTags",

"chime:ListMediaCapturePipelines",

"chime:ListMediaPipelines",

"chime:ListMeetingTags",

"chime:ListTagsForResource",

"chime:StartMeetingTranscription",

"chime:StopMeetingTranscription",

"chime:TagAttendee",

AWS managed Amazon Chime SDK policy 27

Amazon Chime SDK Administration Guide

"chime:TagMeeting",

"chime:TagResource",

"chime:UntagAttendee",

"chime:UntagMeeting",

"chime:UntagResource"

"Effect": "Allow",

"Resource": "*"

}

]

}

AWS managed policy:

AmazonChimeVoiceConnectorServiceLinkedRolePolicy

The AmazonChimeVoiceConnectorServiceLinkedRolePolicy enables Amazon Chime

SDK Voice Connectors to stream media to Amazon Kinesis Video Streams, provide streaming

notiﬁcations, and synthesize speech using Amazon Polly. This policy grants the Amazon Chime

SDK Voice Connector service permissions to access customer’s Amazon Kinesis Video Streams, send

notiﬁcation events to the Amazon Simple Notiﬁcation Service (SNS) and Amazon Simple Queue

Service (SQS), and use Amazon Polly to synthesize speech when using the Amazon Chime SDK

Voice Applications Speak and SpeakAndGetDigits actions.

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": ["chime:GetVoiceConnector*"],

"Resource": ["*"]

{

"Effect": "Allow",

"Action": [

"kinesisvideo:GetDataEndpoint",

"kinesisvideo:PutMedia",

"kinesisvideo:UpdateDataRetention",

"kinesisvideo:DescribeStream",

"kinesisvideo:CreateStream"

"Resource": ["arn:aws:kinesisvideo:*:*:stream/ChimeVoiceConnector-*"]

AWS managed policy: AmazonChimeVoiceConnectorServiceLinkedRolePolicy 28

Amazon Chime SDK Administration Guide

{

"Effect": "Allow",

"Action": ["kinesisvideo:ListStreams"],

"Resource": ["*"]

{

"Effect": "Allow",

"Action": ["SNS:Publish"],

"Resource": ["arn:aws:sns:*:*:ChimeVoiceConnector-Streaming*"]

{

"Effect": "Allow",

"Action": ["sqs:SendMessage"],

"Resource": ["arn:aws:sqs:*:*:ChimeVoiceConnector-Streaming*"]

{

"Effect": "Allow",

"Action": ["polly:SynthesizeSpeech"],

"Resource": ["*"]

{

"Effect": "Allow",

"Action": [

"chime:CreateMediaInsightsPipeline",

"chime:GetMediaInsightsPipelineConfiguration"

"Resource": ["*"]

}

]

}

For more information, see Using the Amazon Chime SDK Voice Connector service linked role policy.

AWS managed policy:

AmazonChimeSDKMediaPipelinesServiceLinkedRolePolicy

You can't attach the AmazonChimeSDKMediaPipelinesServiceLinkedRolePolicy to your

IAM entities.

This policy allows Kinesis Video Streams to stream data to Amazon Chime SDK meetings and

publish metrics to CloudWatch. It also allows Amazon Chime SDK media pipelines to access

AWS managed policy: AmazonChimeSDKMediaPipelinesServiceLinkedRolePolicy 29

Amazon Chime SDK Administration Guide

Amazon Chime SDK meetings on your behalf. For more information, see Using roles with Amazon

Chime SDK media pipelines in this guide.

Permissions details

This policy includes the following permissions.

•

cloudwatch – Grants permission to put CloudWatch metrics.

•

kinesisvideo – Grants permissions to get data endpoints, put media, update data retention

intervals, describe data streams, create data streams, and list data streams.

•

chime – Grants permissions to get meetings, create attendees, and delete attendees.

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "AllowPutMetricsForChimeSDKNamespace",

"Effect": "Allow",

"Action": "cloudwatch:PutMetricData",

"Resource": "*",

"Condition": {

"StringEquals": {

"cloudwatch:namespace": "AWS/ChimeSDK"

}

{

"Sid": "AllowKinesisVideoStreamsAccess",

"Effect": "Allow",

"Action": [

"kinesisvideo:GetDataEndpoint",

"kinesisvideo:PutMedia",

"kinesisvideo:UpdateDataRetention",

"kinesisvideo:DescribeStream",

"kinesisvideo:CreateStream"

"Resource": [

"arn:aws:kinesisvideo:*:*:stream/ChimeMediaPipelines-*"

]

{

"Sid": "AllowKinesisVideoStreamsListAccess",

AWS managed policy: AmazonChimeSDKMediaPipelinesServiceLinkedRolePolicy 30

Amazon Chime SDK Administration Guide

"Effect": "Allow",

"Action": [

"kinesisvideo:ListStreams"

"Resource": [

"*"

]

{

"Sid": "AllowChimeMeetingAccess",

"Effect": "Allow",

"Action": [

"chime:GetMeeting",

"chime:CreateAttendee",

"chime:DeleteAttendee"

"Resource": "*"

}

]

}

Amazon Chime updates to AWS managed policies

The following table lists and describes the updates made to the Amazon Chime SDK IAM policy.

Change Description Date

AmazonChimeSDKMedi

aPipelinesServiceLinkedRole

Policy – Updates to an

existing policy

The AmazonChimeSDKMedi

aPipelinesServiceL

inkedRolePolicy

added permissions that

allow Amazon Chime SDK

meetings to publish metrics

to CloudWatch for use in

service dashboards. For more

information, see Using roles

with Amazon Chime SDK

media pipelines.

December 8, 2023

Policy updates 31

Amazon Chime SDK Administration Guide

Change Description Date

AmazonChimeSDKMedi

aPipelinesServiceLinkedRole

Policy – Updates to an

existing policy

The AmazonChimeSDKMedi

aPipelinesServiceL

inkedRolePolicy added

permissions that allow Kinesis

Video Streams to stream

audio, video, and screen-sh

are data to Amazon Chime

SDK meetings. For more

information, see Using roles

with Amazon Chime SDK

media pipelines.

August 20, 2023

AmazonChimeVoiceCo

nnectorServiceLinkedRolePol

icy – Update to an existing

policy

The AmazonChimeVoiceCo

nnectorServiceLink

edRolePolicy added

permissions that allow

access to the GetMediaI

nsightsPipelineConﬁguratio

n API. Amazon Chime Voice

Connectors require those

permissions in order to get

media insights pipeline

conﬁgurations. For more

information, see Conﬁguring

Voice Connectors to use call

analytics.

April 14, 2023

Policy updates 32

Amazon Chime SDK Administration Guide

Change Description Date

New and updated service

linked roles

Developers can use the

AmazonChimeSDKEvents

service linked role to access

streaming services such as

Kinesis Firehose. For more

information, see Using the

AmazonChimeSDKEven

ts service-linked role. We

also added the AmazonChi

meVoiceConnectorServiceLink

edRolePolicy name to Using

service linked roles. For

more information, see Using

the AmazonChimeVoiceCo

nnectorServiceLinkedRolePol

icy.

March 27, 2023

Amazon Chime SDK identity-

based policy examples –

Update to an existing policy.

The AWS managed Amazon

Chime SDK policy added

permissions that allow

you to use Amazon Chime

SDK Media Pipeline APIs to

create, read and delete media

pipelines.

January 5, 2023

Added the AmazonChi

meSDKMediaPipeline

sServiceLinkedRolePolicy –

new managed policy.

The Amazon Chime SDK

added a service-linked role

that allows you to use media

capture pipelines in Amazon

Chime SDK meetings.

April 27, 2022

Policy updates 33

Amazon Chime SDK Administration Guide

Change Description Date

AWS managed policy:

AmazonChimeVoiceCo

nnectorServiceLinkedRolePol

icy – Update to an existing

policy.

Amazon Chime SDK Voice

Connectors added permissio

ns to allow you to use

Amazon Polly to synthesiz

e speech. These permissions

are required to use the Speak

and SpeakAndGetDigits

actions in Amazon Chime SDK

Voice Applications.

March 15, 2022

AmazonChimeVoiceCo

nnectorServiceLinkedRolePol

icy – Update to an existing

policy

Amazon Chime SDK Voice

Connector added permissions

that allow access to Amazon

Kinesis Video Streams and

send notiﬁcation events to

Amazon Simple Notiﬁcat

ion Service (Amazon SNS)

and Amazon Simple Query

Service (Amazon SQS). These

permissions are required

for Amazon Chime SDK

Voice Connectors to stream

media to Amazon Kinesis

Video Streams and provide

streaming notiﬁcations.

December 20, 2021

Policy updates 34

Amazon Chime SDK Administration Guide

Change Description Date

Change to existing policy.

Creating IAM users or roles

with the Chime SDK policy.

The Amazon Chime SDK

added new actions to support

expanded validation.

A number of actions were

added to allow listing and

tagging of attendees and

meeting resources, and

for starting and stopping

meeting transcription.

September 23, 2021

The Amazon Chime SDK

started tracking changes

The Amazon Chime SDK

started tracking changes for

its AWS managed policies.

September 23, 2021

Troubleshooting Amazon Chime SDK identity and access

Use the following information to help you diagnose and ﬁx common issues that you might

encounter when working with the Amazon Chime SDK and IAM.

Topics

• I am not authorized to perform an action in the Amazon Chime SDK

• I am not authorized to perform iam:PassRole

I am not authorized to perform an action in the Amazon Chime SDK

If you receive an error that you're not authorized to perform an action, your policies must be

updated to allow you to perform the action.

The following example error occurs when the mateojackson IAM user tries to use the console

to view details about a ﬁctional my-example-widget resource but doesn't have the ﬁctional

chime:GetWidget permissions.

Troubleshooting 35

Amazon Chime SDK Administration Guide

User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform:

chime:GetWidget on resource: my-example-widget

In this case, the policy for the mateojackson user must be updated to allow access to the my-

example-widget resource by using the chime:GetWidget action.

If you need help, contact your AWS administrator. Your administrator is the person who provided

you with your sign-in credentials.

I am not authorized to perform iam:PassRole

If you receive an error that you're not authorized to perform the iam:PassRole action, then you

must contact your administrator for assistance. Your administrator is the person that provided you

with your user name and password. Ask that person to update your policies to allow you to pass a

role to the Amazon Chime SDK.

Some AWS services allow you to pass an existing role to that service, instead of creating a new

service role or service-linked role. To do this, you must have permissions to pass the role to the

service.

The following example error occurs when an IAM user named marymajor tries to use the service

to perform an action in the Amazon Chime SDK. However, the action requires the service to have

permissions granted by a service role. Mary does not have permissions to pass the role to the

service.

User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform:

iam:PassRole

In this case, Mary asks her administrator to update her policies to allow her to perform the

iam:PassRole action.

Using service-linked roles for Amazon Chime SDK

The Amazon Chime SDK uses AWS Identity and Access Management (IAM) service-linked roles. A

service-linked role is a unique type of IAM role that is linked directly to the Amazon Chime SDK.

Service-linked roles are predeﬁned by the Amazon Chime SDK and include all the permissions that

the service requires to call other AWS services on your behalf.

I am not authorized to perform iam:PassRole 36

Amazon Chime SDK Administration Guide

A service-linked role makes setting up the Amazon Chime SDK more eﬃcient because you

aren't required to manually add the necessary permissions. The Amazon Chime SDK deﬁnes the

permissions of its service-linked roles, and unless deﬁned otherwise, only the Amazon Chime SDK

can assume its roles. The deﬁned permissions include the trust policy and the permissions policy.

The permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after ﬁrst deleting their related resources. This protects

your Amazon Chime SDK resources because you can't inadvertently remove permission to access

the resources.

For information about other services that support service-linked roles, see AWS services that work

with IAM. Look for the services that have Yes in the Service-Linked Role column. Choose a Yes with

a link to view the service-linked role documentation for that service.

Topics

• Using the Amazon Chime SDK Voice Connector service linked role policy

• Using roles with live transcription

• Using roles with Amazon Chime SDK media pipelines

• Using the AmazonChimeSDKEvents service-linked role

Using the Amazon Chime SDK Voice Connector service linked role

policy

The information in the following sections explains how to:

• Use the Amazon Chime SDK Voice Connector service linked role policy to stream Amazon Chime

SDK Voice Connector media to Kinesis.

• Synthesize speech with Amazon Polly and the Speak and SpeakAndGetDigits actions.

Topics

• Service-linked role permissions for Amazon Chime SDK Voice Connectors

• Creating a service-linked role for Amazon Chime SDK Voice Connectors

• Editing a service-linked role for Amazon Chime SDK Voice Connectors

• Deleting a service-linked role for Amazon Chime SDK Voice Connectors

Using the Amazon Chime SDK Voice Connector service linked role policy 37

Amazon Chime SDK Administration Guide

• Supported Regions for Amazon Chime SDK service-linked roles

Service-linked role permissions for Amazon Chime SDK Voice Connectors

Amazon Chime SDK Voice Connectors use the service-linked role named

AWSServiceRoleForAmazonChimeVoiceConnector – Allows Amazon Chime SDK Voice Connectors

to call AWS services on your behalf. For more information about how to start media streaming for

your Amazon Chime SDK Voice Connector, see Streaming Amazon Chime SDK Voice Connector

media to Kinesis.

The AWSServiceRoleForAmazonChimeVoiceConnector service-linked role trusts the following

services to assume the role:

•

voiceconnector.chime.amazonaws.com

The AmazonChimeVoiceConnectorServiceLinkedRolePolicy allows the Amazon Chime SDK to

complete the following actions on the speciﬁed resources:

•

Action: chime:GetVoiceConnector* on all AWS resources

•

Action: kinesisvideo:* on arn:aws:kinesisvideo:us-

east-1:111122223333:stream/ChimeVoiceConnector-*

•

Action: polly:SynthesizeSpeech on all AWS resources

•

Action: chime:CreateMediaInsightsPipeline on all AWS resources

•

Action: chime:GetMediaInsightsPipelineConfiguration on all AWS resources

•

Action: kinesisvideo:CreateStream on arn:aws:kinesisvideo:us-

east-1:111122223333:stream/ChimeMediaPipelines-*

•

Action: kinesisvideo:PutMedia on arn:aws:kinesisvideo:us-

east-1:111122223333:stream/ChimeMediaPipelines-*

•

Action: kinesisvideo:UpdateDataRetention on arn:aws:kinesisvideo:us-

east-1:111122223333:stream/ChimeMediaPipelines-*

•

Action: kinesisvideo:DescribeStream on arn:aws:kinesisvideo:us-

east-1:111122223333:stream/ChimeMediaPipelines-*

•

Action: kinesisvideo:GetDataEndpoint on arn:aws:kinesisvideo:us-

east-1:111122223333:stream/ChimeMediaPipelines-*

Using the Amazon Chime SDK Voice Connector service linked role policy 38

Amazon Chime SDK Administration Guide

•

Action: kinesisvideo:ListStreams on arn:aws:kinesisvideo:us-

east-1:111122223333:stream/*

You must conﬁgure permissions to allow an IAM entity (such as a user, group, or role) to create,

edit, or delete a service-linked role. For more information, see Service-Linked Role Permissions in

the IAM User Guide.

Creating a service-linked role for Amazon Chime SDK Voice Connectors

You don't need to manually create a service-linked role. When you start Kinesis media streaming

for your Amazon Chime SDK Voice Connector, or create or update an Amazon Chime SDK SIP media

application in the AWS Management Console, the AWS CLI, or the AWS API, Amazon Chime creates

the service-linked role for you.

You can also use the IAM console to create a service-linked role with the Chime Voice

Connector use case. In the AWS CLI or the AWS API, create a service-linked role with the

voiceconnector.chime.amazonaws.com service name. For more information, see Creating

a service-linked role in the IAM User Guide. If you delete this service-linked role, you can use this

same process to create the role again.

Editing a service-linked role for Amazon Chime SDK Voice Connectors

The Amazon Chime SDK does not allow you to edit the

AWSServiceRoleForAmazonChimeVoiceConnector service-linked role. After you create a service-

linked role, you cannot change the name of the role because various entities might reference the

role. However, you can edit the description of the role using IAM. For more information, see Editing

a service-linked role in the IAM User Guide.

Deleting a service-linked role for Amazon Chime SDK Voice Connectors

If you no longer need to use a feature or service that requires a service-linked role, we recommend

that you delete that role. That way you don’t have an unused entity that is not actively monitored

or maintained. However, you must clean up your service-linked role before you can manually delete

it.

Cleaning up a service-linked role

Before you can use IAM to delete a service-linked role, you must ﬁrst delete any resources used by

the role.

Using the Amazon Chime SDK Voice Connector service linked role policy 39

Amazon Chime SDK Administration Guide

Note

If the Amazon Chime SDK service is using the role when you try to delete the resources,

then the deletion might fail. If that happens, wait for a few minutes and try the operation

again.

To delete Amazon Chime SDK resources used by the

AWSServiceRoleForAmazonChimeVoiceConnector (console)

• Stop media streaming for all the Amazon Chime SDK Voice Connectors in your Amazon Chime

SDK account.

a. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/

home.

b. In the navigation pane, under SIP Trunking, choose Voice connectors.

c. Choose the name of the Amazon Chime SDK Voice Connector.

d. Choose the Streaming tab.

e. Under Send to Kinesis Video Streams, choose Stop.

f. Choose Save.

To delete Amazon Chime SDK resources used by the

AWSServiceRoleForAmazonChimeVoiceConnector (AWS CLI)

•

Use the delete-voice-connector-streaming-configuration command in the AWS CLI

to stop media streaming for all Amazon Chime SDK Voice Connectors in your account.

aws chime delete-voice-connector-streaming-configuration --voice-connector-

id abcdef1ghij2klmno3pqr4

To delete Amazon Chime SDK resources used by the

AWSServiceRoleForAmazonChimeVoiceConnector (API)

• Use the DeleteVoiceConnectorStreamingConﬁguration API to stop media streaming for all

Amazon Chime SDK Voice Connectors in your account.

Using the Amazon Chime SDK Voice Connector service linked role policy 40

Amazon Chime SDK Administration Guide

Manually delete the service-linked role

Use the IAM console, the AWS CLI, or the AWS API operation to delete the

AWSServiceRoleForAmazonChimeVoiceConnector service-linked role. For more information, see

Deleting a service-linked role in the IAM User Guide.

Supported Regions for Amazon Chime SDK service-linked roles

Amazon Chime SDK supports using service-linked roles in all of the AWS Regions where the service

is available. For more information, see Amazon Chime endpoints and quotas.

Using roles with live transcription

The information in the following sections explains how to create and manage a service-linked role

for the Amazon Chime SDK live transcription. For more information about the live transcription

service, see Using Amazon Chime SDK live transcription.

Topics

• Service-Linked Role Permissions for Amazon Chime SDK Live Transcription

• Creating a Service-Linked Role for Amazon Chime SDK Live Transcription

• Editing a Service-Linked Role for Amazon Chime SDK Live Transcription

• Deleting a Service-Linked Role for Amazon Chime SDK Live Transcription

• Supported Regions for Amazon Chime Service-Linked Roles

Service-Linked Role Permissions for Amazon Chime SDK Live Transcription

Amazon Chime SDK Live Transcription uses a service-linked role named

AWSServiceRoleForAmazonChimeTranscription – Allows the Amazon Chime SDK to access

Amazon Transcribe and Amazon Transcribe Medical on your behalf.

The AWSServiceRoleForAmazonChimeTranscription service-linked role trusts the following services

to assume the role:

•

transcription.chime.amazonaws.com

The role permissions policy allows the Amazon Chime SDK to complete the following actions on

the speciﬁed resources:

Using roles with live transcription 41

Amazon Chime SDK Administration Guide

•

Action: transcribe:StartStreamTranscription on all AWS resources

•

Action: transcribe:StartMedicalStreamTranscription on all AWS resources

You must conﬁgure permissions to allow an IAM entity (such as a user, group, or role) to create,

edit, or delete a service-linked role. For more information, see Service-Linked Role Permissions in

the IAM User Guide.

Creating a Service-Linked Role for Amazon Chime SDK Live Transcription

You use the IAM console to create a service-linked role with the Chime Transcription use case.

Note

You must have IAM administrative permissions to complete these steps. If you don't,

contact a system administrator.

To create the role

1. Open the IAM console at https://console.aws.amazon.com/iam/.

2. In the navigation pane of the IAM console, choose Roles, then choose Create role.

3. Choose the AWS Service role type, then choose Chime Transcription.

The IAM policy appears.

4. Select the checkbox next to the policy, then choose Next: Tags.

5. Choose Next: Review.

6. Edit the description as needed, then choose Create role.

You can also use the AWS CLI or the AWS API to create a service-linked role named

transcription.chime.amazonaws.com.

In the CLI, run this command: aws iam create-service-linked-role --aws-service-

name transcription.chime.amazonaws.com.

For more information, see Creating a Service-Linked Role in the IAM User Guide. If you delete this

service-linked role, you can use this same process to create the role again.

Using roles with live transcription 42

Amazon Chime SDK Administration Guide

Editing a Service-Linked Role for Amazon Chime SDK Live Transcription

The Amazon Chime SDK does not allow you to edit the

AWSServiceRoleForAmazonChimeTranscription service-linked role. After you create a service-

linked role, you cannot change the name of the role because various entities might reference the

role. However, you can use IAM to edit the role's description. For more information, see Editing a

Service-Linked Role in the IAM User Guide.

Deleting a Service-Linked Role for Amazon Chime SDK Live Transcription

If you no longer need to use a feature or service that requires a service-linked role, we recommend

that you delete that role. That way you don’t have an unused entity that is not actively monitored

or maintained.

To manually delete the service-linked role using IAM

Use the IAM console, the AWS CLI, or the AWS API to delete the

AWSServiceRoleForAmazonChimeTranscription service-linked role. For more information, see

Deleting a Service-Linked Role in the IAM User Guide.

Supported Regions for Amazon Chime Service-Linked Roles

The Amazon Chime SDK supports using service-linked roles in all of the regions where the service

is available. For more information, see Amazon Chime endpoints and quotas, and Using Amazon

Chime SDK media Regions.

Using roles with Amazon Chime SDK media pipelines

The information in the following sections explains how to create and manage a service-linked role

for Amazon Chime SDK Media Pipelines.

Topics

• Service-linked role permissions for Amazon Chime SDK media pipelines

• Creating a service-linked role for Amazon Chime SDK media pipelines

• Editing a service-linked role for Amazon Chime SDK media pipelines

• Deleting a service-linked role for Amazon Chime SDK media pipelines

• Supported Regions for Amazon Chime SDK media pipelines service-linked roles

Using roles with media pipelines 43

Amazon Chime SDK Administration Guide

Service-linked role permissions for Amazon Chime SDK media pipelines

The Amazon Chime SDK uses the service-linked role named

AWSServiceRoleForAmazonChimeSDKMediaPipelines – Allows Amazon Chime SDK media

pipelines to access AWS services on your behalf.

The AWSServiceRoleForAmazonChimeSDKMediaPipelines service-linked role trusts the

following services to assume the role:

•

mediapipelines.chime.amazonaws.com

The role allows the Amazon Chime SDK to complete the following actions on the speciﬁed

resources:

•

Action: cloudwatch:PutMetricData on all AWS resources

•

Action: chime:CreateAttendee on all AWS resources

•

Action: chime:DeleteAttendee on all AWS resources

•

Action: chime:GetMeeting on all AWS resources

•

Action: kinesisvideo:CreateStream on

arn:aws:kinesisvideo:*:111122223333:stream/ChimeMediaPipelines-*

•

Action: kinesisvideo:PutMedia on arn:aws:kinesisvideo:*:111122223333:stream/

ChimeMediaPipelines-*

•

Action: kinesisvideo:UpdateDataRetention on

arn:aws:kinesisvideo:*:111122223333:stream/ChimeMediaPipelines-*

•

Action: kinesisvideo:DescribeStream on

arn:aws:kinesisvideo:*:111122223333:stream/ChimeMediaPipelines-*

•

Action: kinesisvideo:GetDataEndpoint on

arn:aws:kinesisvideo:*:111122223333:stream/ChimeMediaPipelines-*

•

Action: kinesisvideo:ListStreams on

arn:aws:kinesisvideo:*:111122223333:stream/*

You must conﬁgure permissions to allow an IAM entity (such as a user, group, or role) to create,

edit, or delete a service-linked role. For more information about conﬁguring permissions, see

Service-Linked Role Permissions in the IAM User Guide.

Using roles with media pipelines 44

Amazon Chime SDK Administration Guide

For more information about the

AmazonChimeSDKMediaPipelinesServiceLinkedRolePolicy, see AWS managed policy:

AmazonChimeSDKMediaPipelinesServiceLinkedRolePolicy, earlier in this guide.

Creating a service-linked role for Amazon Chime SDK media pipelines

You use the IAM console to create a service-linked role with the Amazon Chime SDK Media

Pipelines use case.

Note

You must have IAM administrative permissions to complete these steps. If you don't,

contact a system administrator.

To create the role

1. Open the IAM console at https://console.aws.amazon.com/iam/.

2. In the navigation pane of the IAM console, choose Roles, then choose Create role.

3. Choose the AWS Service role type, then choose Chime, then choose Chime SDK Media

Pipelines.

4. Choose Next.

5. Choose Next.

6. Edit the description as needed, then choose Create role.

You can also use the AWS CLI or the AWS API to create a service-linked role named

mediapipelines.chime.amazonaws.com.

In the AWS CLI, run this command: aws iam create-service-linked-role --aws-

service-name mediapipelines.chime.amazonaws.com.

For more information, see Creating a Service-Linked Role in the IAM User Guide. If you delete this

service-linked role, you can use this same process to create the role again.

Editing a service-linked role for Amazon Chime SDK media pipelines

The Amazon Chime SDK doesn't allow you to edit the

AWSServiceRoleForAmazonChimeSDKMediaPipelines service-linked role. After you

Using roles with media pipelines 45

Amazon Chime SDK Administration Guide

create a service-linked role, you cannot change the name of the role because various entities

might reference the role. However, you can edit the description of the role using IAM. For more

information, see Editing a Service-Linked Role in the IAM User Guide.

Deleting a service-linked role for Amazon Chime SDK media pipelines

When you don't need to use a feature or service that requires a service-linked role, we recommend

deleting that role. That way you don’t have an unused entity that isn't actively monitored or

maintained.

To manually delete the service-linked role using IAM

Use the IAM console, the AWS CLI, or the AWS API to delete the

AWSServiceRoleForAmazonChimeSDKMediaPipelines service-linked role. For more

information, see Deleting a Service-Linked Role in the IAM User Guide.

Supported Regions for Amazon Chime SDK media pipelines service-linked roles

The Amazon Chime SDK supports using service-linked roles in all of the AWS Regions where the

service is available. For more information, see Amazon Chime endpoints and quotas.

Using the AmazonChimeSDKEvents service-linked role

The Amazon Chime SDK uses a service-linked role named AmazonChimeSDKEvents. The role

grants access to the AWS services and resources used or managed by the Amazon Chime SDK, such

as the Kinesis ﬁrehose used for data streaming.

The AmazonChimeSDKEvents service-linked role allows the Amazon Chime SDK to complete

kinesis:PutRecord and kinesis:PutRecordBatch on streams with this format:

arn:aws:firehose:::deliverystream/AmazonChimeSDKEvents-*.

You must conﬁgure permissions to allow an IAM entity such as a user, group, or role to create, edit,

or delete a service-linked role. For more information, see Service-linked role permissions in the IAM

User Guide.

Creating the service-linked role

The service-linked role is part of the Chime SDK Events CloudFormation template in the quick-

create link.

Using the AmazonChimeSDKEvents service-linked role 46

Amazon Chime SDK Administration Guide

You can also use the IAM console to create a service-linked role with the Amazon Chime

SDK Events use case. In the AWS CLI or the AWS API, create a service-linked role with the

events.chime.amazonaws.com service name. For more information, see Using service-linked

roles in the IAM User Guide. If you delete this role, you can repeat this process to create it again.

Editing the service-linked role

After you create a service-linked role, you can only edit its description, and you do that using IAM.

For more information, see Using service-linked roles in the IAM User Guide.

Deleting the service-linked role

As a best practice, delete the Amazon Chime SDKEvents role when you no longer need a feature

or service that requires it. Otherwise, you have an unused entity that is not actively monitored or

maintained.

To manually delete the role, you ﬁrst delete the resources that the role uses. The following sets of

steps explain how to do both tasks.

Deleting role resources

You delete resources by deleting the Kinesis ﬁrehose used to stream data.

Note

Deletions can fail if you try to delete resources while the role uses them. If a deletion fails,

wait a few minutes and try the operation again.

To delete the role resources

• Turn oﬀ the Kinesis ﬁrehose by invoking the following API.

aws firehose delete-delivery-stream --delivery-stream-name delivery_stream_name

To delete the service-linked role

• Use the IAM console, AWS CLI, or the AWS API to delete the AmazonChimeSDKEvents service-

linked role. For more information, see Using service-linked roles and Deleting a service-linked

role in the IAM user Guide.

Using the AmazonChimeSDKEvents service-linked role 47

Amazon Chime SDK Administration Guide

Logging and monitoring in the Amazon Chime SDK

Monitoring is an important part of maintaining the reliability, availability, and performance of the

Amazon Chime SDK and your other AWS solutions. AWS provides the following tools to monitor

the Amazon Chime SDK, report issues, and take automatic actions when appropriate:

• Amazon CloudWatch monitors in real time your AWS resources and the applications that you

run on AWS. You can collect and track metrics, create customized dashboards, and set alarms

that notify you or take actions when a speciﬁed metric reaches a threshold that you specify.

For example, you can have CloudWatch track CPU usage or other metrics of your Amazon EC2

instances and automatically launch new instances when needed. For more information, see the

Amazon CloudWatch User Guide.

• Amazon EventBridge delivers a near real-time stream of system events that describe changes in

AWS resources. EventBridge enables automated event-driven computing. This lets you write rules

that watch for certain events, and trigger automated actions in other AWS services when these

events happen. For more information, see the Amazon EventBridge User Guide.

• Amazon CloudWatch Logs lets you monitor, store, and access your log ﬁles from Amazon EC2

instances, CloudTrail, and other sources. CloudWatch Logs can monitor information in the log

ﬁles and notify you when certain thresholds are met. You can also archive your log data in highly

durable storage. For more information, see the Amazon CloudWatch Logs User Guide.

• AWS CloudTrail captures API calls and related events made by or on behalf of your AWS account.

It then delivers the log ﬁles to an Amazon S3 bucket that you specify. You can identify which

users and accounts called AWS, the source IP address from which the calls were made, and when

the calls occurred. For more information, see the AWS CloudTrail User Guide.

Topics

• Monitoring the Amazon Chime SDK with Amazon CloudWatch

• Automating the Amazon Chime SDK with EventBridge

• Using AWS CloudTrail to log API calls

Monitoring the Amazon Chime SDK with Amazon CloudWatch

You can use CloudWatch to monitor the Amazon Chime SDK. CloudWatch collects raw data and

processes it into readable, near real-time metrics. Those statistics are kept for 15 months, so that

you can access historical information and gain a better perspective about how your web application

Logging and monitoring 48

Amazon Chime SDK Administration Guide

or service is performing. You can also set alarms that watch for certain thresholds, and send

notiﬁcations or take actions when those thresholds are met. For more information, see the Amazon

CloudWatch User Guide.

CloudWatch metrics for the Amazon Chime SDK

The Amazon Chime SDK sends the following metrics to CloudWatch The Amazon Chime SDK sends

the metrics once per minute for the duration of a call, and it sends all of the metrics listed here.

The AWS/ChimeVoiceConnector namespace includes the following metrics for phone numbers

assigned to your AWS account, and to Amazon Chime SDK Voice Connectors.

Note

The SDK sends packet-loss values once per minute for the duration of a call. The loss values

accumulate for the duration of the call. For example, if a packet loss occurs at 11:01, that

loss value carries forward for the remaining minutes of the call. At the end of the call, you

receive a single packet-loss metric.

Metric Description

InboundCallAttempts

The number of inbound calls attempted.

Units: Count

InboundCallFailures

The number of inbound call failures.

Units: Count

InboundCallsAnswered

The number of inbound calls that are

answered.

Units: Count

InboundCallsActive

The number of inbound calls that are currently

active.

Units: Count

Monitoring with CloudWatch 49

Amazon Chime SDK Administration Guide

Metric Description

OutboundCallAttempts

The number of outbound calls attempted.

Units: Count

OutboundCallFailures

The number of outbound call failures.

Units: Count

OutboundCallsAnswered

The number of outbound calls that are

answered.

Units: Count

OutboundCallsActive

The number of outbound calls that are

currently active.

Units: Count

Throttles

The number of times your account is throttled

when attempting to make a call.

Units: Count

Sip1xxCodes

The number of SIP messages with 1xx-level

status codes.

Units: Count

Sip2xxCodes

The number of SIP messages with 2xx-level

status codes.

Units: Count

Sip3xxCodes

The number of SIP messages with 3xx-level

status codes.

Units: Count

Monitoring with CloudWatch 50

Amazon Chime SDK Administration Guide

Metric Description

Sip4xxCodes

The number of SIP messages with 4xx-level

status codes.

Units: Count

Sip5xxCodes

The number of SIP messages with 5xx-level

status codes.

Units: Count

Sip6xxCodes

The number of SIP messages with 6xx-level

status codes.

Units: Count

CustomerToVcRtpPackets

The number of RTP packets sent from the

customer to the Amazon Chime SDK Voice

Connector infrastructure.

Units: Count

CustomerToVcRtpBytes

The number of bytes sent from the customer

to the Amazon Chime SDK Voice Connector

infrastructure in RTP packets.

Units: Count

CustomerToVcRtcpPackets

The number of RTCP packets sent from the

customer to the Amazon Chime SDK Voice

Connector infrastructure.

Units: Count

CustomerToVcRtcpBytes

The number of bytes sent from the customer

to the Amazon Chime SDK Voice Connector

infrastructure in RTCP packets.

Units: Count

Monitoring with CloudWatch 51

Amazon Chime SDK Administration Guide

Metric Description

CustomerToVcPacketsLost

The number of packets lost in transit from

the customer to the Amazon Chime SDK Voice

Connector infrastructure. Values are sent

every minute until the call ends. The value

count is cumulative.

Units: Count

CustomerToVcJitter

The average jitter for packets sent from the

customer to the Amazon Chime SDK Voice

Connector infrastructure.

Units: Microseconds

VcToCustomerRtpPackets

The number of RTP packets sent from the

Amazon Chime SDK Voice Connector infrastru

cture to the customer.

Units: Count

VcToCustomerRtpBytes

The number of bytes sent from the Amazon

Chime SDK Voice Connector infrastructure to

the customer in RTP packets.

Units: Count

VcToCustomerRtcpPackets

The number of RTCP packets sent from the

Amazon Chime SDK Voice Connector infrastru

cture to the customer.

Units: Count

VcToCustomerRtcpBytes

The number of bytes sent from the Amazon

Chime SDK Voice Connector infrastructure to

the customer in RTCP packets.

Units: Count

Monitoring with CloudWatch 52

Amazon Chime SDK Administration Guide

Metric Description

VcToCustomerPacketsLost

The number of packets lost in transit from the

Amazon Chime SDK Voice Connector infrastru

cture to the customer. Values are sent every

minute until the call ends. The value count is

cumulative.

Units: Count

VcToCustomerJitter

The average jitter for packets sent from the

Amazon Chime SDK Voice Connector infrastru

cture to the customer.

Units: Microseconds

RTTBetweenVcAndCustomer

The average round-trip time between the

customer and the Amazon Chime SDK Voice

Connector infrastructure.

Units: Microseconds

MOSBetweenVcAndCustomer

The estimated Mean opinion score (MOS)

associated with voice streams between the

customer and the Amazon Chime SDK Voice

Connector infrastructure.

Units: Score between 1.0-4.4. A higher score

indicates better perceived audio quality.

RemoteToVcRtpPackets

The number of RTP packets sent from the

remote end to the Amazon Chime SDK Voice

Connector infrastructure.

Units: Count

Monitoring with CloudWatch 53

Amazon Chime SDK Administration Guide

Metric Description

RemoteToVcRtpBytes

The number of bytes sent from the remote

end to the Amazon Chime SDK Voice

Connector infrastructure in RTP packets.

Units: Count

RemoteToVcRtcpPackets

The number of RTCP packets sent from the

remote end to the Amazon Chime SDK Voice

Connector infrastructure.

Units: Count

RemoteToVcRtcpBytes

The number of bytes sent from the remote

end to the Amazon Chime SDK Voice

Connector infrastructure in RTCP packets.

Units: Count

RemoteToVcPacketsLost

The number of packets lost in transit from

the remote end to the Amazon Chime SDK

Voice Connector infrastructure. Values are sent

every minute until the call ends. The value

count is cumulative.

Units: Count

RemoteToVcJitter

The average jitter for packets sent from the

remote end to the Amazon Chime SDK Voice

Connector infrastructure.

Units: Microseconds

VcToRemoteRtpPackets

The number of RTP packets sent from the

Amazon Chime SDK Voice Connector infrastru

cture to the remote end.

Units: Count

Monitoring with CloudWatch 54

Amazon Chime SDK Administration Guide

Metric Description

VcToRemoteRtpBytes

The number of bytes sent from the Amazon

Chime SDK Voice Connector infrastructure to

the remote end in RTP packets.

Units: Count

VcToRemoteRtcpPackets

The number of RTCP packets sent from the

Amazon Chime SDK Voice Connector infrastru

cture to the remote end.

Units: Count

VcToRemoteRtcpBytes

The number of bytes sent from the Amazon

Chime SDK Voice Connector infrastructure to

the remote end in RTCP packets.

Units: Count

VcToRemotePacketsLost

The number of packets lost in transit from the

Amazon Chime SDK Voice Connector infrastru

cture to the remote end. Values are sent every

minute until the call ends. The value count is

cumulative.

Units: Count

VcToRemoteJitter

The average jitter for packets sent from the

Amazon Chime SDK Voice Connector infrastru

cture to the remote end.

Units: Microseconds

RTTBetweenVcAndRemote

The average round-trip time between the

remote end and the Amazon Chime SDK Voice

Connector infrastructure.

Units: Microseconds

Monitoring with CloudWatch 55

Amazon Chime SDK Administration Guide

Metric Description

MOSBetweenVcAndRemote

The estimated Mean opinion score (MOS)

associated with voice streams between the

remote end and the Amazon Chime SDK Voice

Connector infrastructure.

Units: Units: Score between 1.0-4.4. A higher

score indicates better perceived audio quality.

CloudWatch dimensions for the Amazon Chime SDK

The CloudWatch dimensions that you can use with the Amazon Chime SDK are listed as follows.

Dimension Description

VoiceConnectorId

The identiﬁer of the Amazon Chime SDK Voice

Connector to display metrics for.

Region

The AWS Region associated with the event.

CloudWatch logs for the Amazon Chime SDK

You can conﬁgure your Amazon Chime SDK Voice Connectors to send metrics to CloudWatch Logs.

When you do, you can also receive media-quality metric logs for those Voice Connectors.

The Amazon Chime SDK sends detailed metrics once per minute. The Amazon Chime SDK

sends them for all the calls made with the conﬁgured Voice Connectors, and it sends them to a

CloudWatch Logs log group that we create for you.

The log group name uses this format: /aws/ChimeVoiceConnectorLogs/

${VoiceConnectorID}.

For more information about conﬁguring Voice Connectors to send metrics, see Editing Amazon

Chime SDK Voice Connector settings.

Monitoring with CloudWatch 56

Amazon Chime SDK Administration Guide

Note

Packet loss metrics accumulate for the duration of a call. For example, if a packet loss

occurs at 11:01, that loss value carries forward for the remaining minutes of the call. At the

end of the call, you receive a single packet-loss metric.

The Amazon Chime SDK includes the following ﬁelds in the logs, in JSON format.

Field Description

voice_connector_id The Amazon Chime SDK Voice Connector ID

carrying the call.

event_timestamp The time when the metrics are emitted, in

number of milliseconds since the UNIX epoch

(midnight on January 1, 1970) in UTC.

call_id Corresponds to the Transaction ID.

from_sip_user The initiating user for the call.

from_country The initiating country for the call.

to_sip_user The receiving user for the call.

to_country The receiving country for the call.

endpoint_id An opaque identiﬁer indicating the other

endpoint of the call. Use with CloudWatc

h Logs Insights. For more information, see

Analyzing log data with CloudWatch Logs

Insights in the Amazon CloudWatch Logs User

Guide.

aws_region The AWS Region for the call.

Monitoring with CloudWatch 57

Amazon Chime SDK Administration Guide

Field Description

cust2vc_rtp_packets The number of RTP packets sent from the

customer to the Amazon Chime SDK Voice

Connector infrastructure.

cust2vc_rtp_bytes The number of bytes sent from the customer

to the Amazon Chime SDK Voice Connector

infrastructure in RTP packets.

cust2vc_rtcp_packets The number of RTCP packets sent from the

customer to the Amazon Chime SDK Voice

Connector infrastructure.

cust2vc_rtcp_bytes The number of bytes sent from the customer

to the Amazon Chime SDK Voice Connector

infrastructure in RTCP packets.

cust2vc_packets_lost The number of packets lost in transit from

the customer to the Amazon Chime SDK Voice

Connector infrastructure. Values are sent

every minute until the call ends. The value

count is cumulative.

cust2vc_jitter The average jitter for packets sent from the

customer to the Amazon Chime SDK Voice

Connector infrastructure.

vc2cust_rtp_packets The number of RTP packets sent from the

Amazon Chime SDK Voice Connector infrastru

cture to the customer.

vc2cust_rtp_bytes The number of bytes sent from the Amazon

Chime SDK Voice Connector infrastructure to

the customer in RTP packets.

vc2cust_rtcp_packets The number of RTCP packets sent from the

Amazon Chime SDK Voice Connector infrastru

cture to the customer.

Monitoring with CloudWatch 58

Amazon Chime SDK Administration Guide

Field Description

vc2cust_rtcp_bytes The number of bytes sent from the Amazon

Chime SDK Voice Connector infrastructure to

the customer in RTCP packets.

vc2cust_packets_lost The number of packets lost in transit from the

Amazon Chime SDK Voice Connector infrastru

cture to the customer. Values are sent every

minute until the call ends. The value count is

cumulative.

vc2cust_jitter The average jitter for packets sent from the

Amazon Chime SDK Voice Connector infrastru

cture to the customer.

rtt_btwn_vc_and_cust The average round-trip time between the

customer and the Amazon Chime SDK Voice

Connector infrastructure.

mos_btwn_vc_and_cust The estimated Mean opinion score (MOS)

associated with voice streams between the

customer and the Amazon Chime SDK Voice

Connector infrastructure.

rem2vc_rtp_packets The number of RTP packets sent from the

remote end to the Amazon Chime SDK Voice

Connector infrastructure.

rem2vc_rtp_bytes The number of bytes sent from the remote

end to the Amazon Chime SDK Voice

Connector infrastructure in RTP packets.

rem2vc_rtcp_packets The number of RTCP packets sent from the

remote end to the Amazon Chime SDK Voice

Connector infrastructure.

Monitoring with CloudWatch 59

Amazon Chime SDK Administration Guide

Field Description

rem2vc_rtcp_bytes The number of bytes sent from the remote

end to the Amazon Chime SDK Voice

Connector infrastructure in RTCP packets.

rem2vc_packets_lost The number of packets lost in transit from

the remote end to the Amazon Chime SDK

Voice Connector infrastructure. Values are sent

every minute until the call ends. The value

count is cumulative.

rem2vc_jitter The average jitter for packets sent from the

remote end to the Amazon Chime SDK Voice

Connector infrastructure.

vc2rem_rtp_packets The number of RTP packets sent from the

Amazon Chime SDK Voice Connector infrastru

cture to the remote end.

vc2rem_rtp_bytes The number of bytes sent from the Amazon

Chime SDK Voice Connector infrastructure to

the remote end in RTP packets.

vc2rem_rtcp_packets The number of RTCP packets sent from the

Amazon Chime SDK Voice Connector infrastru

cture to the remote end.

vc2rem_rtcp_bytes The number of bytes sent from the Amazon

Chime SDK Voice Connector infrastructure to

the remote end in RTCP packets.

vc2rem_packets_lost The number of packets lost in transit from the

Amazon Chime SDK Voice Connector infrastru

cture to the remote end. Values are sent every

minute until the call ends. The value count is

cumulative.

Monitoring with CloudWatch 60

Amazon Chime SDK Administration Guide

Field Description

vc2rem_jitter The average jitter for packets sent from the

Amazon Chime SDK Voice Connector infrastru

cture to the remote end.

rtt_btwn_vc_and_rem The average round-trip time between the

remote end and the Amazon Chime SDK Voice

Connector infrastructure.

mos_btwn_vc_and_rem The estimated Mean opinion score (MOS)

associated with voice streams between the

remote end and the Amazon Chime SDK Voice

Connector infrastructure.

SIP message logs

You can opt to receive SIP message logs for your Amazon Chime SDK Voice Connector. When

you do, the Amazon Chime SDK captures inbound and outbound SIP messages and sends

them to a CloudWatch Logs log group that is created for you. The log group name is /aws/

ChimeVoiceConnectorSipMessages/${VoiceConnectorID}. The following ﬁelds are

included in the logs, in JSON format.

Field Description

voice_connector_id The Amazon Chime SDK Voice Connector ID.

aws_region The AWS Region associated with the event.

event_timestamp The time when the message is captured, in

number of milliseconds since the UNIX epoch

(midnight on January 1, 1970) in UTC.

call_id The Amazon Chime SDK Voice Connector call

ID.

sip_message The full SIP message that is captured.

Monitoring with CloudWatch 61

Amazon Chime SDK Administration Guide

Automating the Amazon Chime SDK with EventBridge

Amazon EventBridge lets you automate your AWS services and respond automatically to system

events, such as application availability issues or resource changes. For more information about the

meeting events, see Meeting events in the Amazon Chime SDK Developer Guide.

When the Amazon Chime SDK generates events, it sends them to EventBridge for best eﬀort

delivery, meaning the Amazon Chime SDK tries to send all events to EventBridge, but in rare cases

an event might not be delivered. For more information, refer to Events from AWS services in the

Amazon EventBridge User Guide.

Note

If you need to encrypt data, you must use Amazon S3-Managed Keys. We don't support

server-side encryption using Customer Master Keys stored in the AWS Key Management

Service.

Automating Amazon Chime SDK Voice Connectors with EventBridge

The actions that can be automatically triggered for Amazon Chime SDK Voice Connectors include

the following:

• Invoking an AWS Lambda function

• Launching an Amazon Elastic Container Service task

• Relaying the event to Amazon Kinesis Video Streams

• Activating an AWS Step Functions state machine

• Notifying an Amazon SNS topic or an Amazon SQS queue

Some examples of using EventBridge with Amazon Chime SDK Voice Connectors include:

• Activating a Lambda function to download audio for a call after the call is ended.

• Launching an Amazon ECS task to enable real-time transcription after a call is started.

For more information, see the Amazon EventBridge User Guide.

Automating with EventBridge 62

Amazon Chime SDK Administration Guide

Amazon Chime SDK Voice Connector streaming events

Amazon Chime SDK Voice Connectors support sending events to EventBridge when the events

discussed in this section occur.

Amazon Chime SDK Voice Connector streaming starts

Amazon Chime SDK Voice Connectors send this event when media streaming to Kinesis Video

Streams starts.

Example Event data

The following is example data for this event.

{

"version": "0",

"id": "12345678-1234-1234-1234-111122223333",

"detail-type": "Chime VoiceConnector Streaming Status",

"source": "aws.chime",

"account": "111122223333",

"time": "yyyy-mm-ddThh:mm:ssZ",

"region": "us-east-1",

"resources": [],

"detail": {

"callId": "1112-2222-4333",

"direction": "Outbound",

"fromNumber": "+12065550100",

"inviteHeaders": {

"from": "\"John\" <sip:+12065550100@10.24.34.0>;tag=abcdefg",

"to":

"<sip:+13605550199@abcdef1ghij2klmno3pqr4M.voiceconnector.chime.aws:5060>",

"call-id": "1112-2222-4333",

"cseq": "101 INVITE",

"contact": "<sip:[email protected]:6090>;",

"content-type": "application/sdp",

"content-length": "246"

"isCaller": false,

"mediaType": "audio/L16",

"sdp": {

"mediaIndex": 0,

"mediaLabel": "1"

Automating with EventBridge 63

Amazon Chime SDK Administration Guide

"siprecMetadata": "<&xml version=\"1.0\" encoding=\"UTF-8\"&>;\r\n<recording

xmlns='urn:ietf:params:xml:ns:recording:1'>",

"startFragmentNumber": "1234567899444",

"startTime": "yyyy-mm-ddThh:mm:ssZ",

"streamArn": "arn:aws:kinesisvideo:us-east-1:123456M:stream/

ChimeVoiceConnector-abcdef1ghij2klmno3pqr4-111aaa-22bb-33cc-44dd-111222/111122223333",

"toNumber": "+13605550199",

"transactionId": "12345678-1234-1234",

"voiceConnectorId": "abcdef1ghij2klmno3pqr4",

"streamingStatus": "STARTED",

"version": "0"

}

Amazon Chime SDK Voice Connector streaming ends

Amazon Chime SDK Voice Connectors send this event when media streaming to Kinesis Video

Streams ends.

Example Event data

The following is example data for this event.

{

"version": "0",

"id": "12345678-1234-1234-1234-111122223333",

"detail-type": "Chime VoiceConnector Streaming Status",

"source": "aws.chime",

"account": "111122223333",

"time": "yyyy-mm-ddThh:mm:ssZ",

"region": "us-east-1",

"resources": [],

"detail": {

"streamingStatus": "ENDED",

"voiceConnectorId": "abcdef1ghij2klmno3pqr4",

"transactionId": "12345678-1234-1234",

"callId": "1112-2222-4333",

"direction": "Inbound",

"fromNumber": "+12065550100",

"inviteHeaders": {

"from": "\"John\" <sip:+12065550100@10.24.34.0>;tag=abcdefg",

"to": "<sip:

+13605550199@abcdef1ghij2klmno3pqr4.voiceconnector.chime.aws:5060>",

Automating with EventBridge 64

Amazon Chime SDK Administration Guide

"call-id": "1112-2222-4333",

"cseq": "101 INVITE",

"contact": "<sip:[email protected]:6090>",

"content-type": "application/sdp",

"content-length": "246"

"isCaller": false,

"mediaType": "audio/L16",

"sdp": {

"mediaIndex": 0,

"mediaLabel": "1"

"siprecMetadata": "<&xml version=\"1.0\" encoding=\"UTF-8\"&>\r\n<recording

xmlns='urn:ietf:params:xml:ns:recording:1'>",

"startFragmentNumber": "1234567899444",

"startTime": "yyyy-mm-ddThh:mm:ssZ",

"endTime": "yyyy-mm-ddThh:mm:ssZ",

"streamArn": "arn:aws:kinesisvideo:us-east-1:123456:stream/

ChimeVoiceConnector-abcdef1ghij2klmno3pqr4-111aaa-22bb-33cc-44dd-111222/111122223333",

"toNumber": "+13605550199",

"version": "0"

}

Amazon Chime SDK Voice Connector streaming updates

Amazon Chime SDK Voice Connectors send this event when media streaming to Kinesis Video

Streams is updated.

Example Event data

The following is example data for this event.

{

"version": "0",

"id": "12345678-1234-1234-1234-111122223333",

"detail-type": "Chime VoiceConnector Streaming Status",

"source": "aws.chime",

"account": "111122223333",

"time": "yyyy-mm-ddThh:mm:ssZ",

"region": "us-east-1",

"resources": [],

"detail": {

Automating with EventBridge 65

Amazon Chime SDK Administration Guide

"callId": "1112-2222-4333",

"updateHeaders": {

"from": "\"John\" <sip:+12065550100@10.24.34.0>;;tag=abcdefg",

"to": "<sip:

+13605550199@abcdef1ghij2klmno3pqr4.voiceconnector.chime.aws:5060>",

"call-id": "1112-2222-4333",

"cseq": "101 INVITE",

"contact": "<sip:[email protected]:6090>",

"content-type": "application/sdp",

"content-length": "246"

"siprecMetadata": "<&xml version=\"1.0\" encoding=\"UTF-8\"&>\r\n<recording

xmlns='urn:ietf:params:xml:ns:recording:1'>",

"streamingStatus": "UPDATED",

"transactionId": "12345678-1234-1234",

"version": "0",

"voiceConnectorId": "abcdef1ghij2klmno3pqr4"

}

Amazon Chime SDK Voice Connector streaming fails

Amazon Chime SDK Voice Connectors send this event when media streaming to Kinesis Video

Streams fails.

Example Event data

The following is example data for this event.

{

"version": "0",

"id": "12345678-1234-1234-1234-111122223333",

"detail-type": "Chime VoiceConnector Streaming Status",

"source": "aws.chime",

"account": "111122223333",

"time": "yyyy-mm-ddThh:mm:ssZ",

"region": "us-east-1",

"resources": [],

"detail": {

"streamingStatus":"FAILED",

"voiceConnectorId":"abcdefghi",

"transactionId":"12345678-1234-1234",

"callId":"1112-2222-4333",

"direction":"Inbound",

Automating with EventBridge 66

Amazon Chime SDK Administration Guide

"failTime":"yyyy-mm-ddThh:mm:ssZ",

"failureReason": "Internal failure",

"version":"0"

}

Using AWS CloudTrail to log API calls

The Amazon Chime SDK is integrated with AWS CloudTrail, a service that provides a record of

actions taken in the Amazon Chime SDK by a user, role, or AWS service. CloudTrail captures all API

calls for the Amazon Chime SDK as events, including calls from the Amazon Chime SDK console

and code calls to the Amazon Chime SDK APIs.

If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3

bucket, including events for the Amazon Chime SDK. If you don't conﬁgure a trail, you can still

view the most recent events in the CloudTrail console on the Event history page. The information

includes each request, the IP addresses from which the requests were made, and who made the

request.

CloudTrail is enabled on your AWS account when you create the account. When the Amazon Chime

administration console makes an API call, CloudTrail records that activity in an event. To see the

events, start the CloudTrail console and go to Event history . You can view, search, and download

recent events in your AWS account. For more information, see Viewing events with CloudTrail event

history.

To learn more about CloudTrail, see the AWS CloudTrail User Guide.

Creating a trail

The following topics explain how to use the CloudTrail console to create a trail. By default, when

you create a trail in the console, the trail logs events from all Regions in the AWS partition and

delivers the log ﬁles to the Amazon S3 bucket that you specify.

Follow these topics in the order listed.

1. Overview for creating a trail

2. CloudTrail supported services and integrations

3. Conﬁguring Amazon SNS notiﬁcations for CloudTrail

4. Receiving CloudTrail log ﬁles from multiple Regions and Receiving CloudTrail log ﬁles from

multiple accounts

Using AWS CloudTrail to log API calls 67

Amazon Chime SDK Administration Guide

Data captured by a trail

CloudTrail logs all Amazon Chime SDK actions. For information about the actions, refer to Amazon

Chime SDK API Reference. For example, calls to the CreateAttendee, action generate entries in

the CloudTrail log ﬁles. Every event contains information about who generated the request. The

identity information helps you determine the following:

• Whether the request was made with root or IAM user credentials.

• Whether the request was made with temporary security credentials for a role or federated user.

• Whether the request was made by another AWS service.

For more information, see the CloudTrail userIdentity element.

Understanding Amazon Chime SDK log ﬁle entries

A trail is a conﬁguration that enables delivery of events as log ﬁles to an Amazon S3 bucket that

you specify. CloudTrail log ﬁles contain one or more log entries. An event represents a single

request from any source and includes information about the requested action, the date and time of

the action, request parameters, and so on. CloudTrail log ﬁles are not an ordered stack trace of the

public API calls, so they do not appear in any speciﬁc order.

Entries for the Amazon Chime SDK are identiﬁed by the chime.amazonaws.com event source.

If you have conﬁgured Active Directory for your Amazon Chime SDK account, see Logging AWS

Directory Service API calls using CloudTrail. This describes how to monitor for issues that might

aﬀect your Amazon Chime SDK users’ ability to sign in.

The following example shows a CloudTrail log entry for Amazon Chime SDK:

{"eventVersion":"1.05",

"userIdentity":{

"type":"IAMUser",

"principalId":"AAAAAABBBBBBBBEXAMPLE",

"arn":"arn:aws:iam::123456789012:user/Alice",

"accountId":"0123456789012",

"accessKeyId":"AAAAAABBBBBBBBEXAMPLE",

"sessionContext":{

"attributes":{

"mfaAuthenticated":"false",

Using AWS CloudTrail to log API calls 68

Amazon Chime SDK Administration Guide

"creationDate":"2017-07-24T17:57:43Z"

"sessionIssuer":{

"type":"Role",

"principalId":"AAAAAABBBBBBBBEXAMPLE",

"arn":"arn:aws:iam::123456789012:role/Joe",

"accountId":"123456789012",

"userName":"Joe"

}

} ,

"eventTime":"2017-07-24T17:58:21Z",

"eventSource":"chime.amazonaws.com",

"eventName":"AddDomain",

"awsRegion":"us-east-1",

"sourceIPAddress":"72.21.198.64",

"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6)

AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",

"errorCode":"ConflictException",

"errorMessage":"Request could not be completed due to a conflict",

"requestParameters":{

"domainName":"example.com",

"accountId":"11aaaaaa1-1a11-1111-1a11-aaadd0a0aa00"

"responseElements":null,

"requestID":"be1bee1d-1111-11e1-1eD1-0dc1111f1ac1",

"eventID":"00fbeee1-123e-111e-93e3-11111bfbfcc1",

"eventType":"AwsApiCall",

"recipientAccountId":"123456789012"

}

Compliance validation for the Amazon Chime SDK

Third-party auditors assess the security and compliance of AWS services as part of multiple AWS

compliance programs, such as SOC, PCI, FedRAMP, and HIPAA.

To learn whether an AWS service is within the scope of speciﬁc compliance programs, see AWS

services in Scope by Compliance Program and choose the compliance program that you are

interested in. For general information, see AWS Compliance Programs.

You can download third-party audit reports using AWS Artifact. For more information, see

Downloading Reports in AWS Artifact.

Compliance validation 69

Amazon Chime SDK Administration Guide

Your compliance responsibility when using AWS services is determined by the sensitivity of your

data, your company's compliance objectives, and applicable laws and regulations. AWS provides the

following resources to help with compliance:

• Security and Compliance Quick Start Guides – These deployment guides discuss architectural

considerations and provide steps for deploying baseline environments on AWS that are security

and compliance focused.

• Architecting for HIPAA Security and Compliance on Amazon Web Services – This whitepaper

describes how companies can use AWS to create HIPAA-eligible applications.

Note

Not all AWS services are HIPAA eligible. For more information, see the HIPAA Eligible

Services Reference.

• AWS Compliance Resources – This collection of workbooks and guides might apply to your

industry and location.

• AWS Customer Compliance Guides – Understand the shared responsibility model through the

lens of compliance. The guides summarize the best practices for securing AWS services and map

the guidance to security controls across multiple frameworks (including National Institute of

Standards and Technology (NIST), Payment Card Industry Security Standards Council (PCI), and

International Organization for Standardization (ISO)).

• Evaluating Resources with Rules in the AWS Conﬁg Developer Guide – The AWS Conﬁg service

assesses how well your resource conﬁgurations comply with internal practices, industry

guidelines, and regulations.

• AWS Security Hub – This AWS service provides a comprehensive view of your security state within

AWS. Security Hub uses security controls to evaluate your AWS resources and to check your

compliance against security industry standards and best practices. For a list of supported services

and controls, see Security Hub controls reference.

• Amazon GuardDuty – This AWS service detects potential threats to your AWS accounts,

workloads, containers, and data by monitoring your environment for suspicious and malicious

activities. GuardDuty can help you address various compliance requirements, like PCI DSS, by

meeting intrusion detection requirements mandated by certain compliance frameworks.

• AWS Audit Manager – This AWS service helps you continuously audit your AWS usage to simplify

how you manage risk and compliance with regulations and industry standards.

Compliance validation 70

Amazon Chime SDK Administration Guide

Resilience in the Amazon Chime SDK

The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions

provide multiple physically separated and isolated Availability Zones, which are connected with

low-latency, high-throughput, and highly redundant networking. With Availability Zones, you

can design and operate applications and databases that automatically fail over between zones

without interruption. Availability Zones are more highly available, fault tolerant, and scalable than

traditional single or multiple data center infrastructures.

For more information about AWS Regions and Availability Zones, see AWS Global Infrastructure.

In addition to the AWS global infrastructure, the Amazon Chime SDK oﬀers diﬀerent features to

help support your data resiliency and backup needs. For more information, see Managing Amazon

Chime SDK Voice Connector groups and Streaming Amazon Chime SDK Voice Connector media to

Kinesis.

Infrastructure security in the Amazon Chime SDK

As a managed service, is protected by AWS global network security. For information about AWS

security services and how AWS protects infrastructure, see AWS Cloud Security. To design your AWS

environment using the best practices for infrastructure security, see Infrastructure Protection in

Security Pillar AWS Well‐Architected Framework.

You use AWS published API calls to access through the network. Clients must support the

following:

• Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.

• Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diﬃe-Hellman) or

ECDHE (Elliptic Curve Ephemeral Diﬃe-Hellman). Most modern systems such as Java 7 and later

support these modes.

Additionally, requests must be signed by using an access key ID and a secret access key that is

associated with an IAM principal. Or you can use the AWS Security Token Service (AWS STS) to

generate temporary security credentials to sign requests.

Resilience 71

Amazon Chime SDK Administration Guide

Getting started

The information in the following topics explains how to get started with the administrative tasks

provided by the Amazon Chime SDK.

Topics

• Setting up phone numbers for your Amazon Chime SDK account

Setting up phone numbers for your Amazon Chime SDK

account

The following phone options are available for Amazon Chime SDK administrative accounts:

Amazon Chime SDK Voice Connector

Provides Session Initiation Protocol (SIP) trunking services for an existing phone system. Port in

existing phone numbers or provision new phone numbers in the Amazon Chime SDK console.

That includes emergency numbers. For more information, refer to Managing Amazon Chime

SDK Voice Connectors and Setting up emergency calling.

Amazon Chime SDK SIP media applications

Amazon Chime SDK SIP media applications make it easier and faster for you to create custom

signaling and media instructions that you would normally build on your private branch

telephone exchange (PBX). For more information, refer to Managing SIP media applications

Setting up phone numbers for your Amazon Chime SDK account 72

Amazon Chime SDK Administration Guide

Managing phone numbers in Amazon Chime SDK

The topics in this section explain how to manage phone numbers for use with the Amazon Chime

SDK.

You can obtain numbers in the following ways:

• Provision numbers by ordering them from a pool of numbers provided by the Amazon Chime

SDK. You can only do this in countries that don't have identiﬁcation requirements.

• Port existing numbers over from another carrier into the Amazon Chime SDK.

• Order international phone numbers.

The provisioning and porting processes add the numbers to your inventory. You then use the

numbers with Amazon Chime SDK Voice Connectors, Amazon Chime SDK Voice Connector groups

or Amazon Chime SDK SIP media applications.

Note

You can port toll-free numbers for use with Amazon Chime SDK Voice Connectors, and with

Amazon Chime SIP media applications. Amazon Chime Business Calling doesn't support

toll-free numbers. For more information, see Porting existing phone numbers, later in this

guide.

To use a phone number with an Amazon Chime SDK Voice Connector or Amazon Chime SDK Voice

Connector group you use the Amazon Chime SDK console to assign the number. For information

about Voice Connectors, see Managing Amazon Chime SDK Voice Connectors. For information

about assigning numbers to Voice Connectors, see Assigning numbers to a Voice Connector or

Voice Connector group.

Note

You also use Voice Connectors to enable emergency calling from Amazon Chime. However,

the Amazon Chime SDK doesn’t oﬀer emergency calling services outside of the United

States. To modify the emergency calling services that the Amazon Chime SDK provides for

the United States, you can obtain an emergency call routing number from a third-party

Amazon Chime SDK Administration Guide

emergency service provider, give that number to the Amazon Chime SDK, then assign the

number to an Amazon Chime SDK Voice Connector. For more information, see Setting up

third-party emergency routing numbers.

To use a phone number with a SIP media application, you add it to the SIP rule associated with the

application. For more information about SIP media applications, see Using SIP media applications.

For more information about adding phone numbers to SIP rules, see Creating a SIP rule.

Note

Amazon Chime SDK Voice Connectors, and Amazon Chime SDK SIP media applications have

bandwidth requirements. For more information, see Bandwidth requirements.

Contents

• Provisioning phone numbers

• Requesting international phone numbers

• Porting existing phone numbers

• Managing phone number inventory

• Deleting phone numbers

• Restoring deleted phone numbers

• Optimize your outbound calling reputation

Provisioning phone numbers

You use the Amazon Chime SDK console to provision phone numbers for your Amazon Chime SDK

account. Choose from the following approaches:

• Amazon Chime SDK Voice Connectors – Integrate with an existing phone system. For more

information, see Managing Amazon Chime SDK Voice Connectors.

• Amazon Chime SDK SIP media applications – Integrate with Amazon Chime SDK meetings and

interactive voice response services such as Amazon Lex. For more information, see Managing SIP

media applications.

Provisioning phone numbers 74

Amazon Chime SDK Administration Guide

You provision phone numbers from a pool of numbers provided by the Amazon Chime SDK. When

provisioning ﬁnishes, the phone numbers appear in your inventory, and you can assign them to

individual users.

Important

You only follow these steps for countries that do not have identiﬁcation requirements.

For information about provisioning phone numbers in countries with identiﬁcation

requirements, see Requesting international phone numbers.

To provision phone numbers

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Phone numbers, choose Phone number management.

3. Choose the Orders tab, then choose Provision phone numbers.

4. In the Provision phone numbers dialog box, choose Voice Connector, or SIP Media

Application Dial-In, then choose Next.

Note

The product type assigned to a phone number aﬀects your billing. If you set a default

calling name, the system assigns it to newly provisioned phone numbers in the United

States. Also, for SIP media application outbound calls, the caller ID must match a

number in your inventory. Alternately, it must match the original caller ID from an

inbound call that was sent back by the associated Lambda function. For example, the

function could use the CallAndBridge action. For more information, see Setting

outbound calling names in this guide, and CallAndBridge in the Amazon Chime SDK

Developer Guide.

5. On the Provision phone numbers page, do the following:

• Open the Select Application Type list and choose one of the options, Voice Connector or

SIP Media Application Dial-in.

Your choice aﬀects the countries that you see in step 6.

• (Optional) Under Phone number(s) details, in the Name box, enter a descriptive name for

the phone number, such as a cost center or oﬃce location.

Provisioning phone numbers 75

Amazon Chime SDK Administration Guide

This ﬁeld diﬀers from outbound calling names. For more information about outbound

calling names, refer to Setting outbound calling names in this guide.

6. Under Number Search, open the Country list and select a country, then do one of the

following:

• For numbers outside the U.S.:

a. Open the Type list and select an option.

Depending on the country you select, one of the types may not be available. For

example, you can only select local numbers for Canada and toll-free numbers for

Italy.

b. Choose the Search button.

• For U.S. numbers:

a. Open the Type list and select an option.

b. Open the Area list and choose Location or Area code.

• If you choose Location, open the State list and choose a state, then enter a city

and choose the Search button.

Note

If the search doesn't return numbers, clear the City ﬁeld and search again.

• If you choose Area code, enter an area code in the Area Code box and choose the

Search button.

7. From the resulting list, select one or more phone numbers.

8. (Optional) Under Phone number(s) details, enter a name for the number or numbers. If you

selected multiple numbers in the previous steps, the name applies to all of them.

9. Choose Create Phone Number Order.

The phone numbers appear in the Orders and Pending tabs while the provisioning occurs. When

provisioning ﬁnishes, the numbers appear on the Inventory tab.

Provisioning phone numbers 76

Amazon Chime SDK Administration Guide

Requesting international phone numbers

The steps in this section explain how to request international phone numbers for use with the

Amazon Chime SDK. You can only use international numbers with the SIP Media Application Dial-

In product type.

To purchase international numbers, regulations in many countries require you to have the

following items:

• A local address

• Proof of your identity, from the Amazon Chime SDK or our carriers

Allow 2-6 weeks for the Amazon Chime SDK to fulﬁll your request. For more information about the

documentation requirements for various countries, see the section called “Country requirements

for phone numbers”.

To request international phone numbers in countries with identiﬁcation requirements

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Contact Us, choose Support.

That takes you to the AWS Support console.

Note

You can also go directly to the AWS Support Center page. If you do, choose Create

case, then follow the steps below.

3. If it isn't already selected, choose Account and billing.

4. For Service, choose Chime SDK (Number Management).

5. For Category, choose Phone Number Requests, then choose Next step: Additional

information.

6. For Subject, enter Provisioning international numbers.

7. For Issue or Description, enter the following:

• Individual or Business

• Name (Individual Name or Business Name)

Requesting international phone numbers 77

Amazon Chime SDK Administration Guide

• Type of number (Local or Toll-Free)

• Country

• Quantity of phone numbers

8. Under Email, enter the email address associated with your Amazon Chime administrator

account, then choose Submit request.

AWS Support responds to your support request via email to let you know whether the phone

numbers can be provisioned. Once the numbers are provisioned, you can view them in the

Amazon Chime SDK console. Under Phone numbers, choose Phone number management.

Your numbers appear on the Inventory page.

9. Use SIP rules to assign the phone numbers to the appropriate SIP media application.

Submitting required documents

After you receive the requested phone numbers, you submit any required documents. The

following steps explain how.

Note

AWS Support provides a secure Amazon S3 link for uploading all requested documents. Do

not proceed until you receive the link.

To submit documents

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. Sign in to your AWS account, then open the Amazon S3 upload link generated speciﬁcally for

your account.

Note

The link expires after ten days. It is generated speciﬁcally for the account that created

the case. The link requires an authorized user from the account to perform the upload.

3. Choose Add Files, then select the identity documents related to your request.

4. Expand the Permissions section, and choose Specify individual ACL permissions.

Submitting required documents 78

Amazon Chime SDK Administration Guide

5. At the end of the Access control list (ACL) section, choose Add grantee, then paste the key

provided by AWS Support into the Grantee box.

6. Under Objects, choose the Read checkbox, then choose Upload.

After you provide the Letter of Agency (LOA), AWS Support conﬁrms with your existing phone

carrier that the information on the LOA is correct. If the information provided on the LOA does not

match the information that your phone carrier has on ﬁle, AWS Support contacts you to update the

information provided on the LOA.

Outbound calling restrictions

China

Chinese carriers are increasingly blocking international routes into China. The Amazon Chime SDK

continues to support our existing customers, but all customers approved to call China must meet

the following conditions:

Eligibility criteria

Unsupported use cases

• Short duration calls and alerting of less than 15 seconds.

• High volume of calls, especially over a short period of time, using the same outbound caller ID

(more than 5 calls per minute).

• Any form of cold calling.

• Any calls to invalid phone numbers. All numbers called must be validated as accurate.

• Repeated calls using the same FROM and/or TO numbers.

• Attempts to call China from any number that has not been pre-approved.

Supported use cases

• Direct calls to known business entities, such as a hotel or IT support function.

• Calling users who attempt to engage with your business, such as university placement schemes

or product purchases.

Outbound calling restrictions 79

Amazon Chime SDK Administration Guide

Data required for setup

Follow these steps to obtain permission to call Chinese telephone numbers (+86):

• Provide an exact and complete list of phone numbers used to call China.

• The number must be a DID provided by the Amazon Chime SDK. No other number is

acceptable.

• The number cannot be a DID provided by Hong Kong, Macau, Taiwan, China, or Singapore.

Note

The above list may change at any time.

• For each number, you must record an announcement that identiﬁes the name of your business

so that anyone calling the number will hear the recording and know what company is placing the

call.

• You must provide AWS with a detailed description of your use case for calling China, and you

must conﬁrm that you meet the eligibility criteria described in this topic.

Consequences of violating the criteria

The Amazon Chime SDK has a zero-tolerance policy for calling into China. Amazon will suspend

your Amazon Chime SDK account if you use the service for any of the restricted use cases listed

above. Your Amazon Chime SDK administrators must communicate this policy to other members of

your organization so that they are also aware of these restrictions. Ignorance of the rules is not an

acceptable reason for a breach.

Service assurance

If Chinese carriers block major international routes without prior warning and impact the ability to

call China, the exclusions in the Amazon Chime SDK Service Level Agreement take eﬀect.

Country requirements for phone numbers

Outside the US, regulations often require a local address and speciﬁc identiﬁcation documents in

order to purchase and use a phone number. The address can be a business or personal address. The

following tables list the countries that require identiﬁcation. When you request international phone

numbers or you port existing phone numbers, the Amazon Chime SDK support works with you to

submit the necessary documents.

Country requirements for phone numbers 80

Amazon Chime SDK Administration Guide

Note

Make sure you provide the identities and addresses of the end-users who use your phone

numbers.

Topics

• Australia

• Austria

• Canada

• Denmark

• Finland

• Germany

• Ireland

• Italy

• New Zealand

• Nigeria

• Puerto Rico

• South Korea

• Sweden

• Switzerland

• United Kingdom

Australia

The following tables list and describe the requirements for ordering and porting phone numbers in

Australia.

Ordering phone numbers

Country requirements for phone numbers 81

Amazon Chime SDK Administration Guide

Supported product

types

Number types ID requirements Acceptable ID types

Local Yes • Business address

• Proof of location

Business addresses

must have the same

geographic zone as

their corresponding

phone numbers.

Amazon Chime

SDK SDK SIP media

application dial-in

Toll-free Yes • Business address

International

addresses accepted.

Porting phone numbers

Supported product types Number types Required ID

Local • Last invoice from current

provider

• Letter of Authorization

SIP Media Application Dial-In

Toll-free • Last invoice from current

provider

• Letter of Authorization

Austria

The following tables list and describe the requirements for ordering and porting phone numbers in

Austria.

Ordering phone numbers

Country requirements for phone numbers 82

Amazon Chime SDK Administration Guide

Supported product

types

Number types ID requirements Acceptable ID types

Local Yes • Business address

• Proof of telecom

services such as

an Invoice from a

network operator

with another

phone number in

the same area.

—OR—

An invoice from an

internet provider

for Internet access

with a ﬁxed IP

address located in

the right area.

Business addresses

must have the same

geographic zone as

their corresponding

phone numbers.

National preﬁxes: +43

720

Yes • Business address

Address must be

located in the

country.

SIP media application

dial-in

Toll-free Yes • Business address

Country requirements for phone numbers 83

Amazon Chime SDK Administration Guide

Supported product

types

Number types ID requirements Acceptable ID types

Foreign address

acceptable

Porting phone numbers

Supported product types Number types Required ID

Local • Last invoice from current

provider

• Letter of Authorization

SIP Media Application Dial-In

Toll-free • Last invoice from current

provider

• Letter of Authorization

Canada

The following tables list and describe the requirements for ordering and porting phone numbers in

Canada.

Ordering phone numbers

Supported product

types

Number types ID requirements Acceptable ID types

SIP Media Application

Dial-In

Local No N/A

Toll-free No N/A N/A

Porting phone numbers

Country requirements for phone numbers 84

Amazon Chime SDK Administration Guide

Supported product types Number types Required ID

Local • Last invoice from current

provider

• Letter of Authorization

SIP Media Application Dial-In

Toll-free • Last invoice from current

provider

• Letter of Authorization

Denmark

The following tables list and describe the requirements for ordering and porting phone numbers in

Denmark.

Ordering phone numbers

Supported product

types

Number types ID requirements Acceptable ID types

Local No N/ASIP Media Application

Dial-In

Toll-free No N/A

Porting phone numbers

Supported product types Number types Required ID

Local • Last invoice from current

provider

• Letter of Authorization

SIP Media Application Dial-In

Toll-free • Last invoice from current

provider

• Letter of Authorization

Country requirements for phone numbers 85

Amazon Chime SDK Administration Guide

Finland

The following tables list and describe the requirements for ordering and porting phone numbers in

Finland.

Ordering phone numbers

Supported product

types

Number types ID requirements Acceptable ID types

Local Yes • Business address

• Proof of location

Business addresses

must be located in

the same geographi

c regions as their

corresponding phone

numbers.

National preﬁxes

+358 075

No N/A

SIP Media Application

Dial-In

Toll-free No N/A

Porting phone numbers

Supported product types Number types Required ID

Local • Last invoice from current

provider

• Letter of Authorization

SIP Media Application Dial-In

Toll-free • Last invoice from current

provider

• Letter of Authorization

Country requirements for phone numbers 86

Amazon Chime SDK Administration Guide

Germany

The following tables list and describe the requirements for ordering and porting phone numbers in

Germany.

Ordering phone numbers

Supported product

types

Number types ID requirements Acceptable ID types

Local Yes • Business address

• A copy of your

business registrat

ion, or a copy of

your ID, if you're an

individual

• Proof of address,

such as a utility bill

Business addresses

must have the same

geographic zone as

their corresponding

phone numbers.

SIP Media Application

Dial-In

National preﬁxes: +49

Yes • Business address

• A copy of your

business registrat

ion, or a copy of

your ID, if you're an

individual

• Proof of address,

such as a utility bill

Country requirements for phone numbers 87

Amazon Chime SDK Administration Guide

Supported product

types

Number types ID requirements Acceptable ID types

Address must be

located in the

country.

Toll-free Yes • Business address

• Proof of address,

such as a utility bill

Address must be

located in the

country.

You must ﬁrst obtain

the number directly

from the local

regulator. Details

about the process are

provided when you

make the request.

Porting phone numbers

Supported product types Number types Required ID

SIP Media Application Dial-In Local • Last invoice from current

provider

• Letter of Authorization

• Business address

• A copy of your business

registration

• Copy of the company

representative's ID

Country requirements for phone numbers 88

Amazon Chime SDK Administration Guide

Supported product types Number types Required ID

Business addresses must have

the same geographic zone as

their corresponding phone

numbers.

Toll-free • Last invoice from current

provider

• Letter of Authorization

• Number certiﬁcate from

NRAs

You must ﬁrst obtain the

number directly from the

local regulator. Details about

the process are provided

when you make the request

Ireland

The following tables list and describe the requirements for ordering and porting phone numbers in

Ireland.

Ordering phone numbers

Supported product

types

Number types ID requirements Acceptable ID types

SIP Media Application

Dial-In

Local Yes • Business address

Business addresses

must be located in

the same geographi

c regions as their

Country requirements for phone numbers 89

Amazon Chime SDK Administration Guide

Supported product

types

Number types ID requirements Acceptable ID types

corresponding phone

numbers.

Universal access and

VOIP preﬁxes: +353

0818, +353 076

Yes • Business address

Address must be

located in the

country.

Toll-free No N/A

Porting phone numbers

Supported product types Number types Required ID

Local • Last invoice from current

provider

• Letter of Authorization

SIP Media Application Dial-In

Toll-free • Last invoice from current

provider

• Letter of Authorization

Italy

The following tables list and describe the requirements for ordering and porting phone numbers in

Italy.

Ordering phone numbers

Country requirements for phone numbers 90

Amazon Chime SDK Administration Guide

Supported product

types

Number types ID requirements Acceptable ID types

Local Yes • Business address

• Proof of location

• Copy of business

registration

• Passport or end-

user ID

Business addresses

must be located in

the same geographi

c regions as their

corresponding phone

numbers.

SIP Media Application

Dial-In

Toll-free No N/A

Porting phone numbers

Supported product types Number types Required ID

Local • Last invoice from current

provider

• Letter of Authorization

• Copy of the company

representative's passport or

• Copy of the local business

registration, or proof of

address for an individual

SIP Media Application Dial-In

Toll-free • Last invoice from current

provider

Country requirements for phone numbers 91

Amazon Chime SDK Administration Guide

Supported product types Number types Required ID

• Letter of Authorization

New Zealand

The following tables list and describe the requirements for ordering and porting phone numbers in

New Zealand.

Ordering phone numbers

Supported product

types

Number types ID requirements Acceptable ID types

Local No N/ASIP Media Application

Dial-In

Toll-free No N/A

Porting phone numbers

Supported product types Number types Required ID

Local Not supportedSIP Media Application Dial-In

Toll-free • Last invoice from current

provider

• Letter of Authorization

Nigeria

The following tables list and describe the requirements for ordering phone numbers in Nigeria.

Ordering phone numbers

Country requirements for phone numbers 92

Amazon Chime SDK Administration Guide

Supported product

types

Number types ID requirements Acceptable ID types

SIP Media Application

Dial-In

Local Yes • Business address

Foreign address

acceptable.

Puerto Rico

The following tables list and describe the requirements for ordering and porting phone numbers in

Puerto Rico.

Ordering phone numbers

Supported product

types

Number types ID requirements Acceptable ID types

Business Calling

Amazon Chime SDK

Voice Connector

Local No N/A

Toll-free No N/A N/A

South Korea

The following tables list and describe the requirements for ordering phone numbers in South

Korea.

Ordering phone numbers

Supported product

types

Number types ID requirements Acceptable ID types

SIP Media Application

Dial-In

Toll-free Yes • Business address

Country requirements for phone numbers 93

Amazon Chime SDK Administration Guide

Supported product

types

Number types ID requirements Acceptable ID types

• Proof of location

Address must be

located in the

country.

Sweden

The following tables list and describe the requirements for ordering and porting phone numbers in

Sweden.

Ordering phone numbers

Supported product

types

Number types ID requirements Acceptable ID types

Local No N/ASIP Media Application

Dial-In

Toll-free No N/A

Porting phone numbers

Supported product types Number types Required ID

Local • Last invoice from current

provider

• Letter of Authorization

SIP Media Application Dial-In

Toll-free • Last invoice from current

provider

• Letter of Authorization

Country requirements for phone numbers 94

Amazon Chime SDK Administration Guide

Switzerland

The following tables list and describe the requirements for ordering and porting phone numbers in

Switzerland.

Ordering phone numbers

Supported product

types

Number types ID requirements Acceptable ID types

Local Yes • Business address

• Proof of location

• A copy of business

registration, or a

copy of your ID, if

you're an individual

Business addresses

must have the same

geographic zone as

their corresponding

phone numbers.

Business number

preﬁxes: +41 051,

+41 058

Yes • Business address

Address must be

located in the

country.

SIP Media Application

Dial-In

Toll-free Yes • Business address

• A copy of business

registration, or a

copy of your ID, if

you're an individual

Country requirements for phone numbers 95

Amazon Chime SDK Administration Guide

Supported product

types

Number types ID requirements Acceptable ID types

Foreign address

acceptable

Porting phone numbers

Supported product types Number types Required ID

Local • Last invoice from current

provider

• Letter of Authorization

• Business address

Foreign addresses acceptable

SIP Media Application Dial-In

Toll-free • Last invoice from current

provider

• Letter of Authorization

• Business address

• Certiﬁcate from NRAs

Address must be within the

country.

United Kingdom

The following tables list and describe the requirements for ordering and porting phone numbers in

the United Kingdom.

Ordering phone numbers

Country requirements for phone numbers 96

Amazon Chime SDK Administration Guide

Supported product

types

Number types ID requirements Acceptable ID types

Local No N/ASIP Media Application

Dial-In

Toll-free No N/A

Porting phone numbers

Supported product types Number types Required ID

Local • Last invoice from current

provider

• Letter of Authorization

SIP Media Application Dial-In

Toll-free • Last invoice from current

provider

• Letter of Authorization

Porting existing phone numbers

Important

Starting Friday, March, 01, 2024, Amazon Chime SDK phone number porting requests

moved to the Account and billing section of the AWS Support Center console. To create

a new support case for phone number porting, choose Account and billing, open the

Services dropdown menu, and choose Chime (Number Management).

In addition to provisioning phone numbers, you can also port numbers from your phone

carrier into your Amazon Chime SDK inventory. This includes toll-free numbers. You can use

ported numbers with Amazon Chime SDK Voice Connectors, and Amazon Chime SDK SIP media

applications.

The following sections explain how to port phone numbers.

Porting existing phone numbers 97

Amazon Chime SDK Administration Guide

Topics

• Prerequisites for porting numbers

• Porting phone numbers into the Amazon Chime SDK

• Submitting required documents

• Viewing request status

• Assigning ported numbers

• Porting phone numbers out of the Amazon Chime SDK

• Phone number porting status deﬁnitions

Prerequisites for porting numbers

You must have the following in order to port numbers:

• A Letter of Agency (LOA). You must have an LOA for US and international phone numbers.

Download the Letter of Agency (LOA) form and ﬁll it out. If you are porting phone numbers from

diﬀerent carriers, ﬁll out a separate LOA for each carrier.

Note

A number of countries have documentation requirements for porting phone numbers.

For more information, see Country requirements for phone numbers, in this guide.

• Before you can port phone numbers for Amazon Chime SDK Voice Connectors, you must create a

Voice Connector. For more information, see Creating an Amazon Chime SDK Voice Connector.

Porting phone numbers into the Amazon Chime SDK

You create a support request to port existing phone numbers into the Amazon Chime SDK.

To port existing phone numbers into the Amazon Chime SDK

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Contact Us, choose Support.

That takes you to the AWS Support console.

Prerequisites for porting numbers 98

Amazon Chime SDK Administration Guide

Note

You can also go directly to the AWS Support Center page. If you do, choose Create

case, then follow the steps below.

3. Under How can we help, do the following:

a. Choose Account and billing.

b. From the Service list, choose Chime SDK (Number Management).

c. From the Category list, choose Phone Number Port In.

d. Choose Next step: Additional information.

4. Under Additional information, do the following

Under Subject, enter Porting phone numbers in.

b. Under Description, enter the following information:

For porting US numbers:

• Billing Telephone Number (BTN) of the account.

• Authorizing person’s name. This is the person in charge of account billing with the

current carrier.

• Current carrier, if known.

• Service account number, if this information is present with the current carrier.

• Service PIN, if available.

• Service address and customer name, as they appear in your current carrier contract.

• Requested date and time for the port.

• (Optional) If you want to port your BTN, indicate one of the following options:

• I am porting my BTN and I want to replace it with a new BTN that I am providing. I

can conﬁrm that this new BTN is on the same account with the current carrier.

• I am porting my BTN and I want to close out my account with my current carrier.

• I am porting my BTN because my account is currently set up so that each phone

number is its own BTN. (Select this option only when your account with the current

carrier is set up this way.)

Porting phone numbers into the Amazon Chime SDK 99

Amazon Chime SDK Administration Guide

• After you choose one of the options listed above, attach your Letter of Agency (LOA)

to the request.

For porting international numbers:

• You must use the SIP Media Application Dial-In product type for non-US phone

numbers.

• Type of number (Local or Toll-Free)

• Existing phone numbers to port in.

• Estimate usage volume

• Country

c. From the Phone number type list, select Business Calling, SIP Media Application Dial-In,

or Voice Connector.

d. Under Phone number, enter at least one phone number, even if you're porting multiple

numbers.

e. Under Porting Date, enter the desired porting date.

f. Under Porting Time, enter the desired time.

g. Choose Next step: Solve now or contact us.

5. Under Solve now or contact us, choose Contact us.

6. From the Preferred contact language list, choose a language

7. Choose Web or Phone. If you choose Phone, enter your phone number. When ﬁnished, choose

Submit.

AWS Support lets you know whether your phone numbers can be ported from your existing phone

carrier. If you can, you need to submit any required documents. The steps in the next section

explain how to submit those documents.

Submitting required documents

After AWS Support says you can port phone numbers, you need to submit any required documents.

The following steps explain how.

Submitting required documents 100

Amazon Chime SDK Administration Guide

Note

AWS Support provides a secure Amazon S3 link for uploading all requested documents. Do

not proceed until you receive the link.

To submit documents

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. Sign in to your AWS account, then open the Amazon S3 upload link generated speciﬁcally for

your account.

Note

The link expires after ten days. It is generated speciﬁcally for the account that created

the case. The link requires an authorized user from the account to perform the upload.

3. Choose Add Files, then select the identity documents related to your request.

4. Expand the Permissions section, and choose Specify individual ACL permissions.

5. At the end of the Access control list (ACL) section, choose Add grantee, then paste the key

provided by AWS Support into the Grantee box.

6. Under Objects, choose the Read checkbox, then choose Upload.

After you provide the Letter of Agency (LOA), AWS Support conﬁrms with your existing phone

carrier that the information on the LOA is correct. If the information provided on the LOA does not

match the information that your phone carrier has on ﬁle, AWS Support contacts you to update the

information provided on the LOA.

Viewing request status

To use the Amazon Chime SDK console to view the status of your porting requests.

To view the status

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, choose Phone number management.

3. Choose the Orders tab.

Viewing request status 101

Amazon Chime SDK Administration Guide

The Status column shows the status of your request. AWS Support also contacts you with updates

and requests for further information, as needed. For more information, see Phone number porting

status deﬁnitions, later in this section.

Assigning ported numbers

After your existing phone carrier conﬁrms that the LOA is correct, they review and approve the

requested port. Then they provide AWS Support with a Firm Order Commit (FOC) date and time for

the port to occur.

To assign numbers

• • Assign Amazon Chime SDK Voice Connector numbers to your Voice Connectors.

• For Amazon Chime SDK SIP Media Application Dial-In numbers, use SIP rules to assign

numbers. For more information about SIP rules, refer to Creating SIP rules.

The phone numbers are not activated for use until after the Firm Order Commit (FOC) date

is established, as shown in the following steps. For more information, see Managing phone

number inventory and Creating an Amazon Chime SDK Voice Connector.

AWS Support contacts you with the FOC to conﬁrm that the date and time works for you.

Note

The phone numbers cannot place or receive calls until you assign them.

On the FOC date, the ported phone numbers are activated for use with the Amazon Chime SDK.

Porting phone numbers out of the Amazon Chime SDK

You can port US and non-US numbers out of the Amazon Chime SDK. You follow a diﬀerent

process for each type of number. Expand the following sections as needed to learn more.

Porting out US numbers

You port numbers out of Amazon Chime by initiating a porting request with your winning carrier.

When submitting information to your winning carrier, include your AWS account ID as the account

ID associated with the phone number being ported.

Assigning ported numbers 102

Amazon Chime SDK Administration Guide

When the porting process ﬁnishes and your winning carrier has the numbers, you must unassign

and delete those numbers from your inventory. For more information, see Unassigning Voice

Connector phone numbers and Deleting phone numbers in this guide.

Important

• The ability to port numbers out depends on the winning carrier’s ability to accept those

numbers.

• Verifying the authenticity of the winning carrier's port-out request is critical for the

security of your phone number. If the account details are not correct (for example, there's

an account ID mismatch), your port-out request may be rejected, causing delays and

requiring you to resubmit your request.

(Optional) Requesting a PIN to protect your number

For additional security, you can contact us to apply a PIN to your number. The winning carrier then

uses that PIN. Follow these steps:

To request a PIN

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Contact Us, choose Support.

That takes you to the AWS Support console.

Note

You can also go directly to the AWS Support Center page. If you do, choose Create

case, then follow the steps below.

3. Under How can we help, do the following:

a. Choose Account and billing.

b. From the Service list, choose Chime SDK (Number Management).

c. From the Category list, choose Phone Number Port Out.

d. Choose Next step: Additional information.

4. Under Additional information, do the following

Porting phone numbers out of the Amazon Chime SDK 103

Amazon Chime SDK Administration Guide

Under Subject, enter Porting phone numbers out.

b. Under Description, enter the following.

I would like to assign a pin to my phone number: Pin: ABCD123 Phone

Number: 1234567890

Note

You must provide an alphanumeric PIN of 4 - 10 characters.

AWS Support associates a PIN with the phone number. When requesting the port with your

winning carrier, provide your AWS account ID and PIN. We will use that information to validate any

port requests received for your number.

Porting out international numbers

The following steps explain now to port international numbers out of the Amazon Chime SDK.

To port phone numbers out

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Contact Us, choose Support.

That takes you to the AWS Support console.

Note

You can also go directly to the AWS Support Center page. If you do, choose Create

case, then follow the steps below.

3. Under How can we help, do the following:

a. Choose Account and billing.

b. From the Service list, choose Chime SDK (Number Management).

c. From the Category list, choose Phone Number Port Out.

d. Choose Next step: Additional information.

Porting phone numbers out of the Amazon Chime SDK 104

Amazon Chime SDK Administration Guide

4. Under Additional information, do the following:

Under Subject, enter Porting phone numbers out.

b. Under Description, enter any relevant data.

AWS Support responds with the appropriate next steps. You receive responses based on your

selected contact methods and any email addresses you entered for additional contacts.

When the porting process ﬁnishes and the phone numbers are ported to your new carrier, unassign

and delete the phone numbers from your Amazon Chime SDK inventory. For more information, see

Unassigning Voice Connector phone numbers and Deleting phone numbers.

Phone number porting status deﬁnitions

After you submit a request to port existing phone numbers into the Amazon Chime SDK, you can

view the status of your porting request in the Amazon Chime SDK console under Calling, Phone

number management, Pending.

Porting statuses and deﬁnitions include the following:

CANCELLED

AWS Support cancelled the porting order because of an issue with the port, such as a

cancellation request from the carrier or from you. AWS Support contacts you with details.

CANCEL_REQUESTED

AWS Support is processing a cancellation of the porting order because of an issue with the port,

such as a cancellation request from the carrier or from you. AWS Support contacts you with

details.

CHANGE_REQUESTED

AWS Support is processing your change request, and the carrier response is pending. Allow for

additional processing time.

COMPLETED

Your porting order is completed, and your phone numbers are activated.

EXCEPTION

AWS Support contacts you for additional details needed to complete the port request. Allow for

additional processing time.

Phone number porting status deﬁnitions 105

Amazon Chime SDK Administration Guide

FOC

The FOC date is conﬁrmed with the carrier. AWS Support contacts you to conﬁrm the date.

PENDING DOCUMENTS

AWS Support contacts you for additional documents needed to complete the port request.

Allow for additional processing time.

SUBMITTED

Your porting order is submitted, and the carrier response is pending.

Managing phone number inventory

The information in the following sections explains how to provision and manage the phone

numbers used with Amazon Chime SDK Voice Connectors, Amazon Chime SDK Voice Connector

groups, and SIP media applications.

When you change a user's Amazon Chime Business Calling phone number or phone number

permissions, we recommend providing the user with their new phone number or permissions

information. Before users can access their new phone number or permissions features, they must

sign out of their Amazon Chime account and sign in again.

Topics

• Assigning numbers to a Voice Connector or Voice Connector group

• Reassigning Voice Connector numbers

• Unassigning Voice Connector phone numbers

• Reassigning phone numbers

• Assigning phone numbers to SIP media applications

• Viewing phone number details

• Changing a phone number's product type

• Changing a phone number's assignment type

• Setting outbound calling names

Managing phone number inventory 106

Amazon Chime SDK Administration Guide

Assigning numbers to a Voice Connector or Voice Connector group

The following steps explain how to assign phone numbers to Amazon Chime SDK Voice Connectors

and Voice Connector groups. Assigning numbers enables you to place calls.

You can assign individual numbers or groups of numbers to Voice Connectors and Voice Connector

groups. The following sets of steps explain how.

To assign individual phone numbers

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Phone Numbers, choose Phone number management.

3. On the Inventory tab, choose the phone number that you want to assign, then choose Edit.

4. (Optional) In the Calling name box, enter a name for the phone number.

5. Under Product type, ensure that Voice Connector is selected

6. Under Assignment type, choose Voice Connector or Voice Connector group, then do one of

the following.

a. If you chose Voice Connector, open the Voice Connector options list and select a Voice

Connector.

b. If you chose Voice Connector group, open the Voice Connector group options list and

select a Voice Connector group.

7. Choose Save.

To assign groups of phone numbers

1. On the Inventory tab, select the check boxes next to the phone numbers that you want to

assign.

Note

The phone numbers must have the Voice Connector product type. Also, check the

Status column and make sure you only select unassigned numbers.

2. Choose Assign, and in the Assignment Type dialog box, choose Voice connector or Voice

connector group.

Assigning phone numbers to Voice Connectors 107

Amazon Chime SDK Administration Guide

3. Choose Assign, and in the Assign phone numbers dialog box, choose Voice Connector or

Voice Connector group, then choose Next.

4. Select the Voice Connector or Voice Connector group, then choose Assign.

Reassigning Voice Connector numbers

You can reassign phone numbers from one Amazon Chime SDK Voice Connector or Amazon Chime

SDK Voice Connector group to another. The numbers must have the Voice Connector product type.

You can reassign individual numbers or groups of numbers, and the following steps explain how to

do both.

To reassign individual numbers

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Phone Numbers, choose Phone number management.

3. On the Inventory tab, select the phone number that you want to reassign.

4. Choose Edit.

5. Under Assignment type choose Voice Connector or Voice Connector group. Next.

6. Do one of the following:

a. If you chose Voice Connector, open the Voice Connector options list and select a new

Voice Connector.

b. If you chose Voice Connector group, open the Voice Connector group options list and

select a new Voice Connector group.

7. Choose Save.

To reassign groups of phone numbers

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Phone Numbers, choose Phone number management.

3. On the Inventory tab, select the check boxes next to the phone numbers that you want to

reassign, then choose Reassign.

4. In the Reassign dialog box, choose Voice Connector or Voice Connector group, then choose

Next.

Reassigning Voice Connector numbers 108

Amazon Chime SDK Administration Guide

5. Select a Voice Connector or Voice Connector group, then choose Reassign.

Unassigning Voice Connector phone numbers

The following procedures explain how to unassign phone numbers from Amazon Chime SDK Voice

Connectors and Voice Connector groups. You can't unassign phone numbers used by SIP media

applications. Instead, you delete the SIP rule. For more information about deleting SIP rules, refer

to Deleting a SIP rule in this guide.

Note

Unassigning numbers and deleting SIP rules disables the users' telephony capabilities.

However, unassigned numbers remain available in your inventory, and you will be billed

according to their product type.

To unassign individual Voice Connector phone numbers

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Phone Numbers, choose Phone number management.

3. On the Inventory tab, choose the phone number that you want to unassign.

4. Choose Edit, and under Assignment type, choose Voice connector or Voice connector group.

5. Open the Voice connector options or Voice connector group options list and choose None

(unassign), the ﬁrst option in the list.

Reassigning phone numbers

After you assign a phone number to an Amazon Chime SDK Voice Connector or Voice Connector

Group, you can reassign that number to another Voice Connector or group without having to

unassign the number.

To reassign a phone number

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Phone Numbers, choose Phone number management.

3. Select the checkbox next to the number that you want to reassign, then choose Reassign..

Unassigning Voice Connector phone numbers 109

Amazon Chime SDK Administration Guide

4. In the Reassign dialog box, select Voice Connector or Voice Connector group, then choose

Next.

5. Select the desired Voice Connector or Voice Connector group, then choose Reassign.

Assigning phone numbers to SIP media applications

To assign phone numbers to SIP media applications, you add them to the SIP rules associated with

the applications. For more information, see Managing SIP media applications.

Viewing phone number details

You view the details of your inventory phone numbers for several reasons. For example, you can

see the Voice Connector or SIP Media Application that a number is assigned to. You can also see if

text messages are enabled.

To view phone number details

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Phone Numbers, choose Phone number management.

3. On the Inventory tab, select the phone number that you want to view.

Note

You can also do the following:

1. Select the checkbox next to the phone number that you want to view.

2. Open the Actions list and choose View details.

Changing a phone number's product type

If you have unassigned Amazon Chime SDK Voice Connector phone numbers, you can switch them

from one product type to another.

Note

For non-US numbers, you must use the SIP Media Application Dial-In product type.

Assigning phone numbers to SIP media applications 110

Amazon Chime SDK Administration Guide

To change product types

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Phone Numbers, choose Phone number management.

3. On the Inventory tab, select the phone number that you want to change.

4. On the Details page, choose Edit.

5. In the Edit product type dialog box, choose Voice Connector, or SIP Media Application Dial-

In, then choose Save.

Changing a phone number's assignment type

If you have unassigned Amazon Chime SDK Voice Connector, or Amazon Chime SDK SIP media

application phone numbers, you can switch them from one product type to another.

Note

For non-US numbers, you must use the SIP Media Application Dial-In product type.

To change assignment types

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Phone Numbers, choose Phone number management.

3. On the Inventory tab, select the phone number that you want to change.

4. On the Details page, choose Edit.

5. Under Assignment type, choose Voice Connector, or Voice Connector group.

Depending on your choice, the Voice Connector options or Voice Connector group options

list appears.

6. Open the list and choose a Voice Connector or Voice Connector group.

7. Choose Save.

Changing a phone number's assignment type 111

Amazon Chime SDK Administration Guide

Setting outbound calling names

You can assign calling names to the phone numbers in your inventory. This applies to toll-based

numbers only, and excludes toll-free numbers. The names appear to recipients of outbound calls.

You can update the names every seven days.

Note

When you use an Amazon Chime SDK Voice Connector to place a call, that call is routed

through a public switched telephone network to the telephone carrier of the called

party. Some carriers don't support caller ID names, and some carriers don't use the Voice

Connectors' CNAM database. As a result, a called party may not see calling names, or they

might see a calling name diﬀerent from the one you set.

US carriers are increasingly blocking or labeling phone numbers that exhibit spam or fraud

characteristics, such as high call volumes and short or unanswered calls. To reduce the risk

of your calls being similarly categorized, consider registering your outbound calls with the

Free Caller Registry service.

The following sets of steps explain how to add outbound calling names.

To set an outbound calling name

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Phone Numbers, choose Phone number management.

3. On the Inventory tab, choose the number that you want to add the name to.

4. On the Details page, choose Edit.

5. In the Calling name box, enter a name. You can use up to 15 characters.

6. Choose Save.

Allow 72 hours for the system to add the name.

To update a default calling name

• Repeat the procedure above. Allow 72 hours for the system to update the name.

Setting outbound calling names 112

Amazon Chime SDK Administration Guide

Deleting phone numbers

Important

You must unassign phone numbers before you can delete them. Do one of the following:

• If you use a Voice Connector or Voice Connector group, you unassign the number. For

more information, refer to Unassigning Voice Connector phone numbers in this guide.

• If you use a SIP media application, you delete the SIP rule that contains the number. For

more information, refer to Deleting a SIP rule in this guide.

Deleting a number moves it your deletion queue where it's held for 7 days. During that time, you

can move the number back to your inventory. After 7 days, the system automatically deletes the

number from the holding queue and disassociates it from your account. That returns the number

to the Amazon Chime SDK number pool. If you need to reclaim a number after the system deletes

it from the holding queue, follow the steps in Provisioning phone numbers, but be aware that the

number may not be available.

To delete unassigned phone numbers

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Phone Numbers, choose Phone number management.

3. On the Inventory tab, choose the number that you want to delete, then choose Delete.

4. In the Delete phone numbers dialog box, select the check box next to I understand the

impact of this action, and choose Delete.

The system holds deleted phone numbers in the Deletion queue for 7 days, then permanently

deletes them.

Restoring deleted phone numbers

You can restore deleted phone numbers from the Deletion queue for up to 7 days after they are

deleted. Restoring a phone number moves it back into your Inventory.

After the 7-day period, the deletion queue moves the numbers back into the number pool.

Deleting phone numbers 113

Amazon Chime SDK Administration Guide

To restore deleted phone numbers

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Phone Numbers, choose Phone number management.

3. Choose the Deletion queue tab, and select the phone number or numbers to restore.

4. Choose Move to inventory.

Optimize your outbound calling reputation

When making outbound business calls, one of the most diﬃcult tasks is understanding why

customers don't answer calls when you dial out. Is the customer deliberately not answering, or are

they busy on a work call or answering the door? For businesses it's impossible to know, but you can

take action to help increase call success.

The following topics recommend ways to improve your outbound call answer rates.

Topics

• Step 1: Know your customer's preferred contact method

• Step 2: Brand your calls

• Step 3: Select caller IDs that mean something to your customer

• Step 4: Make sure your campaign calls valid numbers

• Step 5: Make outbound calls at optimal times

• Step 6: Monitor the reputation of your caller IDs

• Step 7: Use multiple numbers as a caller ID

• Step 8: Engage with App Vendors

• Step 9: Add messaging to your outreach strategy to let customers know who you are

• Step 10: Validate your outbound calling strategy

Step 1: Know your customer's preferred contact method

One of the biggest mistakes that businesses make is not knowing whether the customer wants to

be contacted by telephone call. When the customer engaged with you, did you check whether they

want to be reached by phone, e-mail, or text?

Optimize your outbound calling reputation 114

Amazon Chime SDK Administration Guide

Businesses with multi-channel engagement outperform 70% on average compared to business

without multi-channel engagement.

Step 2: Brand your calls

By using call branding solutions, you can provide enhanced call displays that include your business

name, logos, reason for the call, and your service. Branding your calls can increase call answer rates

by 30%.

The Amazon Chime SDK and Amazon Connect partner with solutions providers such as First Orion

and Neustar to oﬀer branded calling services. To discuss the services directly with our partners,

visit their websites:

• First Orion

• Neustar

Step 3: Select caller IDs that mean something to your customer

Not every business is the same. What works for some might not work for others. But there are

correlations in how successful outbound campaigns are based on your caller ID. The following

suggestions can help you create meaningful caller IDs:

• Area localization. Use a caller ID in the same area as the prospect.

• City localization. Use a caller ID in the same city as the prospect.

• Recognizable golden toll free numbers such as 0800 123 0000.

Step 4: Make sure your campaign calls valid numbers

Many businesses don't have a process for updating customer details. With people more mobile

than ever, it's essential for businesses to update contact information. If customers don't answer

your calls, we recommend using Amazon Pinpoint to validate your phone numbers. The customer

may no longer be at the phone number you are calling.

Step 5: Make outbound calls at optimal times

Make sure that calls are placed at the best times. Generally speaking, don't call before 10:00AM or

after 5:00PM, as people are at their busiest or need their quiet time. Customers should be called

Step 2: Brand your calls 115

Amazon Chime SDK Administration Guide

when it's a good for them, depending on their proﬁle. This may mean that you call one customer

around noon and another in the afternoon.

In addition, regulations such as TCPA (in the US) and OFCOM (in the UK) provide guidance on when

not to call end customers. We strongly recommend that you abide by such regulations.

Step 6: Monitor the reputation of your caller IDs

We recommend monitoring the reputation of your caller IDs through a service such as Free Caller

Registry.

Even with the most legitimate outbound call campaigns, if you make enough calls, some people

will ﬂag your caller ID as spam. This can manifest in two ways:

1. Automatic blocking. Block lists are implemented on a vendor-by-vendor basis. For example,

when a certain threshold of reports is reached with application providers such as Hiya.com on

Samsung devices, up to 20% of your prospects will become instantly unreachable.

2. Complaints. People can use numerous websites to complain about calls from speciﬁc caller IDs.

A number of your prospects will search your caller ID online when you call them. If it has a bad

reputation, they will be less likely to answer.

The fastest way to recover from a ﬂagged caller ID is to switch to a new phone number. See the

next step.

Step 7: Use multiple numbers as a caller ID

Today, businesses typically embrace an intelligent, more eﬃcient manner of dialing.

For example, one method uses multiple phone numbers when placing outbound calls. Customers

are more likely to answer a call if they feel that they are not being called repeatedly by the same

number.

Step 8: Engage with App Vendors

One of the most diﬃcult issues with the industry as it currently stands is that a large number of

vendors provide in-app services to block calls. If one of these in-app services marks your number as

spam, you have to pay the premium fees to remove your number from their spam list.

Some of the third party vendors are joining in partnership to increase call answer rates.

Step 6: Monitor call ID reputations 116

Amazon Chime SDK Administration Guide

Step 9: Add messaging to your outreach strategy to let customers know

who you are

When calls go unanswered, you can use SMS to contact prospects. Try the following ideas to

increase answer rates.

1. Before calling, send an SMS that tells the customer who you are and when you will call.

Optionally, allow the customer to reschedule to a more convenient time.

2. If the prospect doesn't answer, send an SMS to allow them to reschedule the call or request a

call back.

3. Use promotional oﬀers or discounts that resonate with your prospects.

Step 10: Validate your outbound calling strategy

By making data-driven decisions and continuously iterating, you'll have the best chance to deliver

real business value. Treat each change to your outbound calling strategy as an experiment, and

ensure you can measure and compare the eﬀectiveness of your changes.

One of the best things with Amazon Connect is the service is readily available to experiment. You

can establish a baseline, then compare any changes to help you to assess how you can succeed.

Step 9: Add messaging to your outreach strategy to let customers know who you are 117

Amazon Chime SDK Administration Guide

Managing Amazon Chime SDK Voice Connectors

What is an Amazon Chime SDK Voice Connector?

An Amazon Chime SDK Voice Connector provides Session Initiation Protocol (SIP) trunking service

for your existing phone system. You can manage your Voice Connectors from the Amazon Chime

SDK console and access it over your internet connection, or you can use AWS Direct Connect. For

more information, see What is AWS Direct Connect? in the AWS Direct Connect User Guide.

Important

Voice Connectors do not support SMS.

Voice Connector outbound and inbound calling

After you create a Voice Connector, edit the termination and origination settings to allow outbound

or inbound calls, or both. You then assign phone numbers to the Voice Connector. You can use the

Amazon Chime SDK console to port in existing phone numbers or provision new phone numbers.

For more information, see Porting existing phone numbers, Provisioning phone numbers, and

Assigning and unassigning Amazon Chime SDK Voice Connector phone numbers.

Note

• Amazon Chime SDK Voice Connectors have outbound international calling restrictions.

For more information, refer to Outbound calling restrictions.

• Voice Connectors support outbound calling in E.164 format and do not require an

international dialing access code, such as 011. You pay a per-minute rate based on the

destination country of the call. For a current list of supported countries, and the per-

minute rate for each country, see https://aws.amazon.com/chime/voice-connector/

pricing/. Voice Connector PSTN calling does not support private numbering schemes

such as 4, 5, or 6-digit extension numbers.

Voice Connector groups

You can also create an Voice Connector group and add Voice Connectors to it. You can use

Voice Connectors created in diﬀerent AWS Regions. This creates a fault-tolerant mechanism for

118

Amazon Chime SDK Administration Guide

fallback if availability events occur. For more information, see Managing Amazon Chime SDK Voice

Connector groups.

Logging and monitoring Voice Connector data

Optionally, you can send logs from your Voice Connector to CloudWatch Logs, and turn on

media streaming from your Amazon Chime SDK Voice Connector to Amazon Kinesis. For more

information, see CloudWatch logs for the Amazon Chime SDK and Streaming Amazon Chime SDK

Voice Connector media to Kinesis.

Contents

• Before you begin

• Creating an Amazon Chime SDK Voice Connector

• Using tags with Voice Connectors

• Editing Amazon Chime SDK Voice Connector settings

• Assigning and unassigning Amazon Chime SDK Voice Connector phone numbers

• Deleting an Amazon Chime SDK Voice Connector

• Conﬁguring Voice Connectors to use call analytics

• Managing Amazon Chime SDK Voice Connector groups

• Streaming Amazon Chime SDK Voice Connector media to Kinesis

• Using Amazon Chime SDK Voice Connector conﬁguration guides

Before you begin

To use an Amazon Chime SDK Voice Connector, you must have an IP Private Branch Exchange

(PBX), Session Border Controller (SBC), or other voice infrastructure with internet access that

supports Session Initiation Protocol (SIP). Make sure that you have enough bandwidth to support

peak call volume. For information about bandwidth requirements, see Bandwidth requirements.

To ensure security for calls sent from AWS to your on-premises phone system, we recommend

conﬁguring an SBC between AWS and your phone system. Allow list SIP traﬃc to the SBC from the

Amazon Chime SDK Voice Connector signaling and media IP addresses. For more information, see

the recommended ports and protocols for Amazon Chime SDK Voice Connector.

Amazon Chime SDK Voice Connectors expect phone numbers to be in E.164 format.

Before you begin 119

Amazon Chime SDK Administration Guide

Creating an Amazon Chime SDK Voice Connector

You use the Amazon Chime SDK console to create Amazon Chime SDK Voice Connectors.

To create a Voice Connector

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice connectors.

3. Choose Create new voice connector.

4. Under Voice connector name, enter a name for the Voice Connector.

5. Under Encryption, select Enabled or Disabled.

6. (Optional) Under Tags, choose Add new tag, then do the following.

1. Under Key, enter the tag's key.

2. Under Value, enter the tag's value.

3. As needed, choose Add new tag to add more tags to the Voice Connector.

For more information about tags, refer to Adding tags to Voice Connectors.

7. Choose Create Voice Connector.

Note

Enabling encryption conﬁgures your Voice Connector to use TLS transport for SIP signaling

and Secure RTP (SRTP) for media. Inbound calls use TLS transport, and unencrypted

outbound calls are blocked.

Using tags with Voice Connectors

The topics in this section explain how to use tags with your existing Amazon Chime SDK Voice

Connectors. Tags allow you to assign metadata to your AWS resources, such as Voice Connectors. A

tag consists of a key and an optional value that stores information about the resource, or the data

retained on that resource. You deﬁne all keys and values. For example, you can create a tag key

named CostCenter with a value of 98765 and use the pair for cost allocation purposes. You can

add up to 50 tags to a Voice Connector.

Creating Voice Connectors 120

Amazon Chime SDK Administration Guide

Adding tags to Voice Connectors

You can add tags to existing Amazon Chime SDK Voice Connectors.

To add tags to Voice Connectors

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice Connectors.

3. Choose the name of Voice Connector that you want use.

4. Choose the Tags tab, then choose Manage tags.

5. Choose Add new tag, then enter a key and optional value.

6. As needed, choose Add new tag to create another tag.

7. When ﬁnished, choose Save changes.

Editing tags

If you have the necessary permissions, you can edit any tags in your AWS account regardless of who

created them. However, IAM policies may prevent you from doing so.

To edit tags

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice Connectors.

3. Choose the name of Voice Connector that you want use.

4. Choose the Tags tab, then choose Manage tags.

5. In the Key or Value boxes, enter a new value.

6. When ﬁnished, choose Save changes.

Removing tags

If you have the necessary permissions, you can remove any tags in your AWS account regardless of

who created them. However, IAM policies may prevent you from doing so.

To remove tags

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

Adding tags to Voice Connectors 121

Amazon Chime SDK Administration Guide

2. In the navigation pane, under SIP Trunking, choose Voice Connectors.

3. Choose the name of Voice Connector that you want use.

4. Choose the Tags tab, then choose Manage tags.

5. Choose Remove next to the tag that you want to remove.

6. Choose Save changes.

Editing Amazon Chime SDK Voice Connector settings

After you create an Amazon Chime SDK Voice Connector, you must edit the termination and

origination settings that allow outbound and inbound calls. You can also conﬁgure a number of

other settings, such as streaming to Kinesis and using emergency call routing. You use the Amazon

Chime console to edit all settings.

To edit Amazon Chime SDK Voice Connector settings

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice connectors.

3. Choose the name of the Amazon Chime SDK Voice Connector to edit.

4. The Amazon Chime console groups Voice Connector settings on a set of tabs. Expand the

sections below for information about using each tab.

Editing general settings

Use the General tab to change a Voice Connector's name, enable or disable encryption, and import

the wildcard root certiﬁcate into your SIP infrastructure.

To change general settings

1. (Optional) Under Details, enter a new name for the Voice Connector.

2. (Optional) Under Encryption, choose Enabled or Disabled. For more information about

encryption, expand the next section.

3. Choose Save.

4. (Optional) Choose the Download here link to download the wildcard root certiﬁcate. We

assume that you know how to add it to your SIP infrastructure.

Editing Voice Connector settings 122

Amazon Chime SDK Administration Guide

Using encryption with Voice Connectors

When you enable encryption for an Amazon Chime SDK Voice Connector, you use TLS for SIP

signaling and Secure RTP (SRTP) for media. The Voice Connector service uses TLS port 5061.

When enabled, all inbound calls use TLS, and unencrypted outbound calls are blocked. You

must import the Amazon Chime root certiﬁcate. The Amazon Chime SDK Voice Connector

service uses a wildcard certiﬁcate *.voiceconnector.chime.aws in US Regions,

and *.region.vc.chime.aws in other Regions. For example, the service uses *.ap-

southeast-1.vc.chime.aws in the Asia Paciﬁc (Singapore) Region. We implement SRTP as

described in RFC 4568.

Note

Voice Connectors support TLS 1.2

For outbound calls, the service uses the SRTP default AWS counter cipher and HMAC-SHA1

message authentication. We support the following cipher suites for inbound and outbound calls:

• AES_CM_128_HMAC_SHA1_80

• AES_CM_128_HMAC_SHA1_32

• AES_CM_192_HMAC_SHA1_80

• AES_CM_192_HMAC_SHA1_32

• AES_CM_256_HMAC_SHA1_80

• AES_CM_256_HMAC_SHA1_32

You must use at least one cipher, but you can include all of them in preference order at no

additional charge for Voice Connector encryption.

We also support these additional TLS cipher suites:

• AES256-GCM-SHA384

• AES256-SHA256

• AES256-SHA

• AES128-GCM-SHA256

Editing Voice Connector settings 123

Amazon Chime SDK Administration Guide

• AES128-SHA256

• AES128-SHA

• ECDHE-RSA-AES256-GCM-SHA384

• ECDHE-RSA-AES128-GCM-SHA256

• ECDHE-RSA-AES256-SHA384

• DHE-RSA-AES256-GCM-SHA384

• DHE-RSA-AES256-SHA256

• ECDHE-RSA-AES128-SHA256

• DHE-RSA-AES128-GCM-SHA256

• DHE-RSA-AES128-SHA256

Editing termination settings

You use the Termination settings to enable and conﬁgure outbound calls from your Amazon

Chime SDK Voice Connector.

Note

Your Outbound host name resolves to a set of IP addresses that may change as EC2

instances go in or out of service, so don’t cache records for longer than the DNS Time to

Live interval. Caching for longer may result in call failures.

Choose Save again.

To edit termination settings

1. Select Enabled.

2. (Optional) Under Allowed hosts list, choose New, enter the CIDR notations and values that

you want to allow, then choose Add. Note that the IP address values must be publically

routable addresses.

—OR—

Choose Edit and change the CIDR notation.

Editing Voice Connector settings 124

Amazon Chime SDK Administration Guide

—OR—

Choose Delete to remove the host.

3. Under Calls per second, select another value, if available.

4. Under Calling plan, open the Countries list and choose the countries that the Voice Connector

can call.

5. Under Credentials, choose New, enter a username and password, then choose Save.

6. Under Caller ID override, choose Edit, select a phone number, then choose Save.

7. Under Last options ping, view the last SIP options message sent by your SIP infrastructure.

Editing origination settings

Origination settings apply to inbound calls to your Amazon Chime SDK Voice Connector. You can

conﬁgure inbound routes for your SIP hosts to receive inbound calls. Inbound calls are routed to

hosts in your SIP infrastructure by the priority and weight you set for each host. Calls are routed

in priority order ﬁrst, with 1 the highest priority. If hosts are equal in priority, calls are distributed

among them based on their relative weight.

Note

Encryption-enabled Voice Connectors use TLS (TCP) protocol for all calls.

To edit origination settings

1. Select Enabled.

2. Under Inbound routes, choose New.

3. Enter the values for Host, Port, Protocol, Priority, and Weight.

4. Choose Add.

5. Choose Save.

Editing emergency calling settings

To enable emergency calling, you ﬁrst need to enable termination and origination. See the sections

above for information about doing so.

Editing Voice Connector settings 125

Amazon Chime SDK Administration Guide

You need at least one emergency call routing number from a third-party emergency service

provider to complete these steps. For more information about obtaining numbers, see Setting up

third-party emergency routing numbers.

Choose Add.

To edit emergency calling settings

1. Choose Add.

2. Under Call send method, select an item from the list, if available.

3. Enter the emergency routing number.

4. Enter the test routing number. We recommend obtaining a test routing number.

5. Under Country, choose the routing number's country, if available.

6. Choose Add.

Editing phone numbers

You can assign and unassign Voice Connector phone numbers. The following steps assume you

have at least one phone number in your Amazon Chime inventory. If not, see Provisioning phone

numbers.

To assign phone numbers

1. Choose Assign from inventory.

2. Select one or more phone numbers.

3. Choose Assign from inventory.

The selected number or numbers appear in your list of numbers.

To unassign phone numbers

1. Select one or more phone numbers.

2. Choose Unassign.

3. When asked to conﬁrm the operation, choose Unassign.

Editing Voice Connector settings 126

Amazon Chime SDK Administration Guide

Editing streaming settings

The Streaming settings enable Amazon Kinesis Video Streams. The service stores, encrypts, and

indexes your streaming audio data.

To edit streaming settings

1. Under details, choose Start.

2. Under Streaming notiﬁcation, select one or more targets from the lists.

3. Under Data retention period, choose No data retention, or set a retention interval.

4. Under Call Insights, choose Activate, then do the following:

1. Under Access permissions, select a role from the list.

2. Under Kinesis Data Stream, select a stream from the list.

3. (Optional) Under Amazon Transcribe custom language model, select a model from the list.

4. Under Personally identiﬁable information type, choose an option.

5. Under Filter partial results, choose an option.

6. Under Send real time notiﬁcation, choose Start, then choose an option from the Call

direction and Speaker lists.

7. As needed, choose Add a word/phrase, then enter the word or phrase that you want to be

notiﬁed about.

5. Choose Save.

Editing logging settings

The Amazon Chime SDK disables logging for Voice Connectors by default. When you enable

logging, the system sends the data to an Amazon CloudWatch log group. For more information

about logging, see Monitoring the Amazon Chime SDK with Amazon CloudWatch

To edit logging settings

1. Under SIP metric logs, choose Enabled.

2. Under Media metric logs, choose Enabled.

Editing Voice Connector settings 127

Amazon Chime SDK Administration Guide

Editing tag settings

You can add 50 tags to a Voice Connector, and you can choose the keys and optional values for the

tags.

To edit tag settings

1. Choose Manage tags.

2. Do any of the following:

• To add a tag, choose Add new tag, then enter a key and an optional value.

• To remove a tag, choose Remove next to the tag that you want to delete.

3. When ﬁnished, choose Save changes.

Assigning and unassigning Amazon Chime SDK Voice Connector

phone numbers

You can assign and unassign phone numbers to and from an Amazon Chime SDK Voice Connector.

To assign phone numbers

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice connectors.

3. Choose the name of the Voice Connector.

4. Choose Phone numbers.

5. Select one or more phone numbers to assign to the Voice Connector.

6. Choose Assign.

You can also choose Reassign to reassign phone numbers with the Voice Connector product type

from one Voice Connector or Voice Connector group to another.

To unassign phone numbers

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice connectors.

3. Choose the name of the Voice Connector.

Assigning and unassigning phone numbers 128

Amazon Chime SDK Administration Guide

4. Choose Phone numbers.

5. Select one or more phone numbers to unassign from the Voice Connector.

6. Select Unassign.

7. Select the check box, and choose Unassign.

Deleting an Amazon Chime SDK Voice Connector

Before you can delete an Amazon Chime SDK Voice Connector, you must unassign all phone

numbers from it. For more information on unassigning phone numbers from a Voice Connector, see

the previous topic.

To delete a Voice Connector

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice connectors.

3. Choose Phone numbers, Delete voice connector.

4. Select the check box, and choose Delete.

Conﬁguring Voice Connectors to use call analytics

Note

To complete the steps in this section, you must ﬁrst create a call analytics conﬁguration.

For information about creating conﬁgurations, see Creating call analytics conﬁgurations.

You can use Amazon Chime SDK Call Analytics with Amazon Chime SDK Voice Connector to

automatically generate insights with Amazon Transcribe and Amazon Transcribe Call Analytics

with voice analytics. You do this by associating your call analytics conﬁguration with an Amazon

Chime SDK voice connector. For each call, the Voice Connector invokes call analytics in accordance

with the conﬁguration that you specify. You can associate one conﬁguration with multiple Voice

Connectors, or create a unique conﬁguration for each Voice Connector.

Call Analytics uses the Amazon Chime Voice Connector service-linked role to invoke the

CreateMediaInsightsPipeline API on your behalf.

Deleting Voice Connectors 129

Amazon Chime SDK Administration Guide

To conﬁgure a Voice Connector

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice Connectors.

3. Choose the name of the Voice Connector that you want to associate with a conﬁguration, then

choose the Streaming tab.

4. If it isn't already selected, choose Start to begin streaming to Kinesis Video Streams.

5. Under Call Analytics, select Activate, and on the menu that appears, choose your Call

Analytics Conﬁguration ARN.

6. Choose Save.

Note

After enabling, disabling, or modifying a conﬁguration associated with a Voice Connector,

allow 5 minutes for the new settings to propagate through the service and take eﬀect.

Managing Amazon Chime SDK Voice Connector groups

How an Amazon Chime SDK Voice Connector group works

Voice Connector groups only handle inbound PSTN calls to your SIP based phone system. The

groups provide fault-tolerant, cross-region call routing. A Voice Connector group contains two or

more Voice Connectors, and can include Voice Connectors created in diﬀerent AWS Regions. This

allows incoming PSTN calls to fail over across AWS Regions if availability events aﬀect service in

one region.

For example, say that you create a Voice Connector group and assign two Voice Connectors to

it, one in the US East (N. Virginia) Region, and the other in the US West (Oregon) Region. You

conﬁgure both Voice Connectors with origination settings that point to your SIP host(s).

Now say that a call comes in to the Voice Connector in the US East (N. Virginia) Region. If that

Region has a connectivity issue, the call automatically reroutes to the Voice Connector in the US

West (Oregon) Region.

Get started with an Amazon Chime SDK Voice Connector group

Managing Voice Connector groups 130

Amazon Chime SDK Administration Guide

To get started, ﬁrst create Voice Connectors in diﬀerent AWS Regions. Then, create a Voice

Connector group and assign the Voice Connectors to it. You can also provision phone numbers

for your Voice Connector group from your Amazon Chime SDK Phone number management

inventory. For more information, see Provisioning phone numbers. For more information about

creating Amazon Chime SDK Voice Connectors in diﬀerent AWS Regions, see Managing Amazon

Chime SDK Voice Connectors.

Contents

• Creating an Amazon Chime SDK Voice Connector group

• Editing an Amazon Chime SDK Voice Connector group

• Assigning and unassigning phone numbers to a Voice Connector group

• Deleting an Amazon Chime SDK Voice Connector group

Creating an Amazon Chime SDK Voice Connector group

You can create up to three Amazon Chime SDK Voice Connector groups for your account.

To create a group

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice connectors.

3. Choose Create group.

4. In the dialog box that appears, under Voice connector group name, enter a name for the

group.

5. Choose Create.

Editing an Amazon Chime SDK Voice Connector group

After you create an Amazon Chime SDK Voice Connector group, you can add or remove Amazon

Chime SDK Voice Connectors for it. You can also edit the priority for the Voice Connectors in the

group.

To add Voice Connectors to a group

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice connectors.

Creating an Amazon Chime SDK Voice Connector group 131

Amazon Chime SDK Administration Guide

3. Choose the name of the Voice Connector group that you want to edit.

4. Choose the Voice connectors tab, open the Actions list, then choose Add.

5. In the dialog box that appears, select the checkbox next to the Voice Connector that you want

to use.

6. Choose Add.

7. Repeat steps 4 through 6 to add Voice Connectors to the group.

To edit Voice Connector priority in a group

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice connectors.

3. Choose the name of the Amazon Chime SDK Voice Connector group that you want to edit.

4. Under Actions, choose Edit priority.

5. In the dialog box that appears, enter a diﬀerent priority ranking for each Voice Connector. 1 is

the highest priority. Higher priority Voice Connectors are attempted ﬁrst.

6. Choose Save.

To remove Voice Connectors from a group

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice connectors.

3. Choose the name of the Voice Connector group that you want to edit.

4. Open the Actions list and choose Remove.

5. In the dialog box that appears, select the check boxes next to the Voice Connectors that you

want to remove.

6. Choose Remove.

Assigning and unassigning phone numbers to a Voice Connector group

You use the Amazon Chime SDK console to assign and unassign phone numbers to a Voice

Connector group.

Assigning and unassigning phone numbers to a Voice Connector group 132

Amazon Chime SDK Administration Guide

To assign phone numbers to a Voice Connector group

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice connectors.

3. Choose the name of the Voice Connector group to edit.

4. Choose Phone numbers.

5. Choose Assign from inventory.

6. Select one or more phone numbers to assign to the Voice Connector group.

7. Choose Assign from inventory.

You can also choose Reassign to reassign phone numbers with the Voice Connector product

type. This lets you reassign these numbers from one Voice Connector or Voice Connector group to

another.

To unassign phone numbers from a Voice Connector group

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice connectors.

3. Choose the name of the Voice Connector group to edit.

4. Choose Phone numbers.

5. Select the phone numbers that you want from the Voice Connector group, and choose

Unassign.

6. Choose Unassign.

Deleting an Amazon Chime SDK Voice Connector group

Before you can delete an Amazon Chime SDK Voice Connector group, you must unassign all

Amazon Chime SDK Voice Connectors and phone numbers from it. For more information, see the

previous section.

To delete a Voice Connector group

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice connectors.

3. Choose the name of the Voice Connector group to delete.

Deleting an Amazon Chime SDK Voice Connector group 133

Amazon Chime SDK Administration Guide

4. Choose Delete group.

5. Select the check box, and choose Delete.

Streaming Amazon Chime SDK Voice Connector media to

Kinesis

You can stream phone call audio from Amazon Chime SDK Voice Connectors to Amazon Kinesis

Video Streams for analytics, machine learning and other processing. Developers can store and

encrypt audio data in Kinesis Video Streams, and access the data using the Kinesis Video Streams

API operation. For more information, see the Kinesis Video Streams Developer Guide.

Note

• Voice Connector streaming does not restrict phone number formats. You can stream calls

from numbers in E.164 and non-E.164 formats. For example, Voice Connector streaming

can support 4, 5, or 6-digit extension numbers, or 11-digit private wire numbers. For

more information, refer to SIP-based media recording and network-based recording

compatibility, later in this guide.

• Voice Connector streaming supports G.711 A-law and G.711 µ-law audio encoding.

Use the Amazon Chime SDK console to start media streaming for your Voice Connector. When

media streaming begins, your Voice Connector uses an AWS Identity and Access Management (IAM)

service-linked role to grant permissions to stream media to Kinesis Video Streams. Then, call audio

from each Voice Connector telephone call leg is streamed in real time to separate Kinesis Video

Streams.

Use the Kinesis Video Streams Parser Library to download the media streams sent from your Voice

Connector. Filter the streams by the following persistent fragments metadata:

• TransactionId

• VoiceConnectorId

For more information, see Kinesis Video Streams Parser Library and Using streaming metadata with

Kinesis Video Streams in the Amazon Kinesis Video Streams Developer Guide.

Streaming media to Kinesis 134

Amazon Chime SDK Administration Guide

For more information about using IAM service-linked roles with Voice Connectors, see Using the

Amazon Chime SDK Voice Connector service linked role policy. For more information about using

Amazon CloudWatch with the Amazon Chime SDK, see Logging and monitoring in the Amazon

Chime SDK.

When you enable media streaming for your Voice Connector, the Amazon Chime SDK creates

an IAM service-linked role called AWSServiceRoleForAmazonChimeVoiceConnector. If you have

conﬁgured call detail record logging for Voice Connectors in the Amazon Chime SDK console,

streaming detail records are sent to your conﬁgured Amazon S3 bucket. For more information, see

Amazon Chime SDK Voice Connector streaming detail records.

Starting media streaming

You use the Amazon Chime SDK console to start media streaming for a Voice Connector.

To start media streaming

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice connectors.

3. Choose the name of the Voice Connector.

4. Choose the Streaming tab.

5. In the Details section, under Sending to Kinesis Video Streams, choose Start.

6. Under Data retention period, choose Retain data for, and enter a retention period.

7. Choose Save.

You use the Amazon Chime SDK console to turn oﬀ media streaming. If you no longer need to use

media streaming for any of your Voice Connectors, we recommend that you also delete the related

service-linked role. For more information, see Deleting a service-linked role for Amazon Chime SDK

Voice Connectors.

To stop media streaming for your Voice Connector

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice connectors.

3. Choose the name of the Voice Connector.

4. Choose the Streaming tab.

5. In the Details section, under Sending to Kinesis Video Streams, choose Stop.

Starting media streaming 135

Amazon Chime SDK Administration Guide

6. Choose Save.

SIP-based media recording and network-based recording compatibility

You can use an Amazon Chime SDK Voice Connector to stream media to Kinesis Video Streams.

You can stream from a SIP-based media recording (SIPREC) compatible voice infrastructure or the

network-based recording (NBR) feature associated with Cisco Uniﬁed Border Element (CUBE).

You must have a Private Branch Exchange (PBX), Session Border Controller (SBC), or contact center

that supports the SIPREC protocol or NBR feature. The PBX or SBC must be able to send signaling

and media to AWS public IP addresses. For more information, see Before you begin.

To set up streaming of RTP audio streams forked with SIPREC or NBR

1. Create a Voice Connector. For more information, see Creating an Amazon Chime SDK Voice

Connector.

2. Start media streaming for your Amazon Chime SDK Voice Connector. For more information,

see Starting media streaming.

3. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

4. In the navigation pane, under SIP Trunking, choose Voice connectors.

5. Select the Voice Connector and note its Outbound host name. For example,

abcdef1ghij2klmno3pqr4.voiceconnector.chime.aws.

6. Do one of the following:

• For SIPREC – Conﬁgure your PBX, SBC, or other voice infrastructure to fork RTP streams with

SIPREC to the Outbound host name of your Voice Connector.

• For NBR – Conﬁgure your PBX, SBC, or other voice infrastructure to fork RTP streams with

NBR to the Outbound host name of your Voice Connector. Send an additional header or

URI parameter of X-Voice-Connector-Record-Only with the value true in the SIP

INVITE.

Using Amazon Chime SDK voice analytics with Voice Connectors

You use Amazon Chime SDK call analytics with your Voice Connectors to automatically generate

insights into your calls. Speciﬁcally, you can identify users and predict their tone, either positive,

negative, or neutral.

SIP-based media recording and network-based recording compatibility 136

Amazon Chime SDK Administration Guide

Call analytics works with Amazon Transcribe, Amazon Transcribe Call Analytics, and Amazon Chime

SDK voice analytics.

The process follows these broad steps:

1. Create a call analytics conﬁguration, a static structure that contains the instructions for

processing data.

2. Associate the conﬁguration with one or more Voice Connectors. You can associate one

conﬁguration with multiple Voice Connectors, or create a unique conﬁguration for each Voice

Connector.

3. The Voice Connector invokes call analytics in accordance with the conﬁguration.

Call analytics uses the Amazon Chime Voice Connector service-linked role to invoke the

CreateMediaInsightsPipeline API on your behalf.

Note

The following steps explain how to associate a call analytics session with a Voice Connector.

To complete them, you ﬁrst need to create a call analytics conﬁguration. To do that, see

Creating call analytics conﬁgurations in this guide. The creation process assigns an ARN to

the conﬁguration. Copy the ARN for use in these steps.

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice Connectors, then choose a Voice

Connector.

3. Choose the Streaming tab.

4. Under Sending to Kinesis Video Streams, choose Start.

5. Under Call Analytics, choose Activate, choose a conﬁguration from the list, then choose Save.

Using Amazon Chime SDK voice analytics with Voice Connectors 137

Amazon Chime SDK Administration Guide

Using Amazon Chime SDK Voice Connector conﬁguration

guides

We test Amazon Chime SDK Voice Connectors on a wide range of private branch exchange, session

border controller, and contact center systems. We publish those tested conﬁgurations in a set of

Conﬁguration Guides.

The Conﬁguration Guides cover the conﬁguration steps used for each system test. We perform

these types of tests:

• Enable SIP trunking over a Voice Connector from a third-party SIP platform.

• Enable SIPREC over a Voice Connector for use with audio streams.

For more information, see the Amazon Chime SDK Conﬁguration Guides.

Using Voice Connector conﬁguration guides 138

Amazon Chime SDK Administration Guide

Managing Amazon Chime SDK call analytics

The topics in the section explain how to manage Amazon Chime SDK call analytics. You use

call analytics to generate call insights from real-time audio. You can also analyze stored calls.

In addition, you can use Amazon Chime SDK voice analytics to identify callers and predict their

sentiment, either positive, negative, or neutral.

Topics

• Creating call analytics conﬁgurations

• Using call analytics conﬁgurations

• Updating call analytics conﬁgurations

• Deleting call analytics conﬁgurations

• Enabling voice analytics

• Managing voice proﬁle domains

Creating call analytics conﬁgurations

To use call analytics, you start by creating a conﬁguration, a static structure that holds the

information needed to create a call analytics pipeline. You can use the Amazon Chime SDK console

to create a conﬁguration, or call the CreateMediaInsightsPipelineConﬁguration API.

A call analytics conﬁguration includes details about audio processors, such as recording, voice

analytics, or Amazon Transcribe. It also includes insight destinations and alert event conﬁguration.

Optionally, you can save your call data to an Amazon S3 bucket for further analysis.

However, conﬁgurations do not include speciﬁc audio sources. That allows you reuse the

conﬁguration across multiple call analytics workﬂows. For example, you can use the same call

analytics conﬁguration with diﬀerent Voice Connectors or across diﬀerent Amazon Kinesis Video

Streams (KVS) sources.

You use the conﬁgurations to create pipelines when SIP calls occur through a Voice Connector, or

when new media is sent to an Amazon Kinesis Video Stream (KVS). The pipelines, in turn, process

the media according to the speciﬁcations in the conﬁguration.

You can stop a pipeline programmatically at any time. Pipelines also stop processing media when

a Voice Connector call ends. In addition, you can pause a pipeline. Doing so disables calls to the

Creating call analytics conﬁgurations 139

Amazon Chime SDK Administration Guide

underlying Amazon machine learning services and resumes them when desired. However, call

recording runs while you pause a pipeline.

Topics

• Prerequisites

• Creating a call analytics conﬁguration

Prerequisites

To use call analytics with Amazon Transcribe, Amazon Transcribe Analytics, or Amazon Chime SDK

voice analytics, you must have the following items:

• An Amazon Chime SDK Voice Connector. If not, see Creating an Amazon Chime SDK Voice

Connector, earlier in this guide.

• Amazon EventBridge targets. If not, refer to Monitoring the Amazon Chime SDK with Amazon

CloudWatch, earlier in this guide.

• A service-linked role that allows the Voice Connector to access actions on the EventBridge

targets. For more information, refer to Using the Amazon Chime SDK Voice Connector service

linked role policy, earlier in this guide.

• An Amazon Kinesis Data Stream. If not, see Create a Kinesis Video Stream in the Amazon Kinesis

Video Stream Developer Guide. Voice analytics and transcription require a Kinesis stream.

• To analyze calls oﬄine, you must create an Amazon Chime SDK data lake. To do that, refer to

Creating an Amazon Chime SDK data lake in the Amazon Chime SDK Developer Guide.

Creating a call analytics conﬁguration

After you create the conﬁguration, you enable call analytics by associating a Voice Connector with

the conﬁguration. Once you do that, call analytics starts automatically when a call comes in to that

Voice Connector. For more information, refer to Conﬁguring Voice Connectors to use call analytics,

earlier in this guide.

The following sections explain how to complete each step of the process. Expand them in the order

listed.

Prerequisites 140

Amazon Chime SDK Administration Guide

Specify conﬁguration details

To specify conﬁguration details

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Call Analytics, choose Conﬁgurations, then choose Create

conﬁguration.

3. Under Basic information, do the following:

a. Enter a name for the conﬁguration. The name should reﬂect your use case and any tags.

b. (Optional) Under Tags, choose Add new tag, then enter your tag keys and optional values.

You deﬁne the keys and values. Tags can help you query the conﬁguration.

c. Choose Next.

Conﬁguring recording

To conﬁgure recording

• On the Conﬁgure recording page, do the following:

a. Choose the Activate call recording checkbox. This enables recording for Voice Connector

calls or KVS streams and sending the data to your Amazon S3 bucket.

b. Under File format, choose WAV with PCM for the best audio quality.

—or—

Choose OGG with OPUS to compress the audio and optimize storage.

c. (Optional) As needed, choose the Create an Amazon S3 bucket link and follow those

steps to create an Amazon S3 bucket.

d. Enter the URI of your Amazon S3 bucket, or choose Browse to locate a bucket.

e. (Optional) Choose Activate voice enhancement to help improve the audio quality of your

recordings.

f. Choose Next.

For more information about voice enhancement, expand the next section.

Creating a call analytics conﬁguration 141

Amazon Chime SDK Administration Guide

Understanding voice enhancement

Voice enhancement helps improve the audio quality of the recorded phone calls in your customers'

Amazon S3 buckets. Phone calls are narrowband-ﬁltered and sampled at an 8 kHz rate. Voice

enhancement boosts the sampling rate from 8kHz to 16kHz and uses a machine learning model to

expand the frequency content from narrowband to wideband to make the speech more natural-

sounding. Voice enhancement also uses a noise reduction model called Amazon Voice Focus to help

reduce background noise in the enhanced audio.

When voice enhancement is enabled, voice enhancement processing is performed after the call

recording is completed. The enhanced audio ﬁle is written to your Amazon S3 bucket as the

original recording and and has the suﬃx _enhanced added to the base ﬁle name of the original

recording. Voice enhancement can process calls up to 30 minutes long. Enhanced recordings will

not be generated for calls that are longer than 30 minutes.

For information about using voice enhancement programmatically, refer to Using APIs to create

call analytics conﬁgurations, in the Amazon Chime SDK Developer Guide.

For more information about voice enhancement, refer to Understanding voice enhancement , in the

https://docs.aws.amazon.com/chime/latest/dg/.

Conﬁgure analytics services

Amazon Transcribe provides text transcriptions of calls. You can then use the transcripts to

augment other machine learning services such as Amazon Comprehend or your own machine

learning models.

Note

Amazon Transcribe also provides automatic language recognition. However, You can't

use that feature with custom language models or content redaction. Also, if you use

language identiﬁcation with other features, you can only use the languages that those

features support. For more information, refer to Language identiﬁcation with streaming

transcriptions, in the Amazon Transcribe Developer Guide.

Amazon Transcribe Call Analytics is a machine-learning powered API that provides call transcripts,

sentiment, and real-time conversation insights. The service eliminates the need for note-taking,

and it can enable immediate action on detected issues. The service also provides post-call analytics,

Creating a call analytics conﬁguration 142

Amazon Chime SDK Administration Guide

such as caller sentiment, call drivers, non-talk time, interruptions, talk speed, and conversation

characteristics.

Note

By default, post-call analytics streams call recordings to your Amazon S3 bucket. To avoid

creating duplicate recordings, do not enable call recording and post-call analytics at the

same time.

Finally, Transcribe Call Analytics can automatically tag conversations based on speciﬁc phrases and

help redact sensitive information from audio and text. For more information on the call analytics

media processors, insights generated by these processors, and output destinations, refer to Call

analytics processor and output destinations, in the Amazon Chime SDK Developer Guide.

To conﬁgure analytics services

1. On the Conﬁgure analytics services page, select the check boxes next to Voice analytics or

Transcription services. You can select both items.

Select the Voice analytics, checkbox to enable any combination of Speaker search and Voice

tone analysis.

Select the Transcription services checkbox to enable Amazon Transcribe or Transcribe Call

Analytics.

a. To enable Speaker search

• Select the Yes, I agree to the Consent Acknowledgement for Amazon Chime SDK

voice analytics checkbox, then choose Accept.

b. To enable Voice tone analysis

• Select the Voice tone analysis checkbox.

c. To enable Amazon Transcribe

i. Choose the Amazon Transcribe button.

ii. Under Language settings, do either of the following:

Creating a call analytics conﬁguration 143

Amazon Chime SDK Administration Guide

A. If your callers speak a single language, choose Speciﬁc language, then open the

Language list and select the language.

B. If your callers speak multiple languages, you can automatically identify them.

Choose Automatic language detection.

C. Open the Language options for automatic language identiﬁcation list and

select at least two languages.

D. (Optional) Open the Preferred language list and specify a preferred language.

When the languages you selected in the previous step have matching conﬁdence

scores, the service transcribes the preferred language.

E. (Optional) Expand Content removal settings, select one or more options, then

choose one or more of the additional options that appear. Helper text explains

each option.

F. (Optional) Expand Additional settings, select one or more options, then choose

one or more of the additional options that appear. Helper text explains each

option.

d. To enable Amazon Transcribe Call Analytics

i. Choose the Amazon Transcribe Call Analytics button.

ii. Open the Language list and select a language.

iii. (Optional) Expand Content removal settings, select one or more options, then choose

one or more of the additional options that appear. Helper text explains each option.

iv. (Optional) Expand Additional settings, select one or more options, then choose one

or more of the additional options that appear. Helper text explains each option.

v. (Optional) Expand Post-call analytics settings and do the following:

A. Choose the Post-call analysis checkbox.

B. Enter the URI of your Amazon S3 bucket.

C. Select a content redaction type.

2. When you ﬁnish making your selections, choose Next.

Conﬁgure output details

After you ﬁnish the media processing steps, you select a destination for the analytics output.

Call analytics provides live insights via Amazon Kinesis Data Streams, and optionally through a

Creating a call analytics conﬁguration 144

Amazon Chime SDK Administration Guide

data warehouse in an Amazon S3 bucket of your choice. To create the data warehouse, you use a

CloudFormation Template. The template helps you create the infrastructure that delivers the call

metadata and insights to your Amazon S3 bucket. For more information about creating the data

warehouse, refer to Creating an Amazon Chime data lake and Call analytics data model, in the

Amazon Chime SDK Developer Guide.

If you enable voice analytics when you create a conﬁguration, you can also add a voice analytics

notiﬁcation destinations such as AWS Lambda, Amazon Simple Queue Service, or Amazon Simple

Notiﬁcation Service. The following steps explain how.

To conﬁgure output details

1. Open the Kinesis data stream list and select your data stream.

Note

If you want to visualize your data, you must select the Kinesis data stream used by the

Amazon S3 bucket and Amazon Kinesis Data Firehose.

2. (Optional) Expand Additional voice analytics notiﬁcation destinations and select any

combination of AWS Lambda, Amazon SNS, and Amazon SQS destinations.

3. (Optional) Under Analyze and visualize insights, select the Perform historical analysis with

data lake checkbox.

4. When ﬁnished, choose Next.

Conﬁgure access permissions

To enable call analytics, the machine learning service and other resources must have permissions

to access data media and deliver insights. For more information, refer to Using the call analytics

resource access role, in the Amazon Chime SDK Developer Guide.

To conﬁgure access permissions

1. On the Conﬁgure access permissions page, do one of the following:

1. Select Create and use a new service role.

2. In the Service role name suﬃx box, enter a descriptive suﬃx for the role.

Creating a call analytics conﬁguration 145

Amazon Chime SDK Administration Guide

—or—

1. Select Use an existing service role.

2. Open the Service role list and select a role.

2. Choose Next.

(Optional) Conﬁgure real-time alerts

Important

To use real-time alerts, you must ﬁrst enable Amazon Transcribe or Amazon Transcribe Call

Analytics.

You can create a set of rules that send real-time alerts to Amazon EventBridge. When an insight

generated by Amazon Transcribe or Amazon Transcribe Call Analytics matches your speciﬁed

rule during an analytics session, an alert is sent. Alerts have the detail type Media Insights

Rules Matched. EventBridge supports integration with downstream services such as Amazon

Lambda, Amazon SQS, and Amazon SNS to trigger notiﬁcations for the end user or initiate other

custom business logic. For more information, refer to Automating the Amazon Chime SDK with

EventBridge, later in this section.

To conﬁgure alerts

1. Under Real-time alerts, choose Active real-time alerts.

2. Under Rules, select Create rule.

3. In the Rule name box, enter a name for the rule.

4. Open the Rule type list and select the type of rule you want to use.

5. Use the controls that appear to add keywords to the rule and apply logic, such as mentioned

or not mentioned.

6. Choose Next.

Creating a call analytics conﬁguration 146

Amazon Chime SDK Administration Guide

Review and create

To create the conﬁguration

1. Review the settings in each section. As needed choose Edit to change a setting.

2. Choose Create conﬁguration.

Your conﬁguration appears on the Conﬁgurations page of the Amazon Chime SDK console.

Using call analytics conﬁgurations

After you create a conﬁguration, you use it by associating it with one or more Amazon Chime SDK

Voice Connectors. For more information, refer to Conﬁguring Voice Connectors to use call analytics,

earlier in this guide.

Updating call analytics conﬁgurations

The steps in this section explain how to update a call analytics conﬁguration.

To update a conﬁguration

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Call Analytics, choose Conﬁgurations, then choose the

conﬁguration that you want to update.

3. In the upper-right corner, choose Edit.

4. Follow the steps in Creating call analytics conﬁgurations as needed to change the

conﬁguration settings.

You might need to modify the policies on the service role to be compatible with the updated

conﬁguration or choose a new service role.

5. When ﬁnished, choose Update conﬁguration.

Using call analytics conﬁgurations 147

Amazon Chime SDK Administration Guide

Note

If the conﬁguration is associated with a Voice Connector, the Voice Connector uses that

conﬁguration automatically. However, if you enable, disable, or adjust a voice analytics

notiﬁcation target, allow ﬁve minutes for those new settings to take eﬀect.

Deleting call analytics conﬁgurations

The steps in this section explain how to permanently delete an Amazon Chime SDK call analytics

conﬁguration.

Important

You cannot undo a deletion.

To delete a conﬁguration

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under Call Analytics, choose Conﬁgurations, then choose the radio

button next to the conﬁguration that you want to delete.

3. Choose Delete.

In the Delete conﬁguration dialog box, enter confirm to conﬁrm the deletion, then choose

Delete.

Enabling voice analytics

Important

As a condition of using this feature, you acknowledge that the collection, use, storage, and

retention of your caller’s biometric identiﬁers and biometric information (“biometric data”)

in the form of a digital voice proﬁle requires the caller’s informed consent via a written

release. Such consent is required under various state laws, including biometrics laws in

Illinois, Texas, Washington and other state privacy laws.

Deleting call analytics conﬁgurations 148

Amazon Chime SDK Administration Guide

You must provide a written release to each caller through a process that clearly reﬂects

each caller’s informed consent before using Amazon Chime SDK voice analytics service, as

required under the terms of your agreement with AWS governing your use of the service.

Note

To enable voice analytics, you must have at least one Amazon Chime SDK Voice Connector

and at least one Amazon Chime SDK call analytics conﬁguration. For more information

about creating Voice Connectors, see Creating an Amazon Chime SDK Voice Connector.

For information about creating a call analytics conﬁguration, see Creating call analytics

conﬁgurations. For information about updating a conﬁguration, see

The topics in this section explain how to enable Amazon Chime SDK voice analytics for Amazon

Chime SDK Voice Connectors. Voice analytics uses machine learning to enable some or all of the

following:

• Speaker search – Converts a caller's voice into a vector embedding. It then compares the

embedding to a database of known voice embeddings. If it ﬁnds a match or matches, it returns

a ranked list of high-likelihood voice proﬁle ID matches, along with a corresponding set of

conﬁdence scores.

Note

Speaker search is not designed for authentication or identity veriﬁcation use cases, such

as verifying the identity of a speaker with extremely high accuracy.

• Voice tone analysis – Predicts the sentiment expressed in a speech signal based on a combined

analysis of linguistic and tonal information.

Note

As a reminder, you must comply with all legal requirements when using voice tone

analysis. This includes obtaining consent from the speaker as required by law, and not

using the feature to make decisions about the speaker that would produce legal or

Enabling voice analytics 149

Amazon Chime SDK Administration Guide

similarly signiﬁcant impacts, such as employment, housing, credit worthiness, or ﬁnancial

oﬀers.

To enable voice analytics, administrators use the Amazon Chime SDK console to do the following:

• Conﬁgure Voice Connectors to use one or more of the features listed above.

• Create notiﬁcation targets. Notiﬁcation targets asynchronously receive voice analysis events, and

you must have at least one target.

• Create voice proﬁle domains. Voice proﬁle domains contain sets of voice proﬁles. In turn, a

voice proﬁle consists of a vector embedding of a caller's voice, plus a unique ID. By default, you

can create 3 voice proﬁle domains, and each domain can house 20,000 voice proﬁles. You can

request an increase for both limits as needed.

Developers can use a set of APIs to do those same tasks. For more information, see Using the

Amazon Chime SDK PSTN voice analytics service, in the Amazon Chime SDK Developer guide.

Managing voice proﬁle domains

Amazon Chime SDK speaker search creates voice proﬁles, vector maps of a caller's voice. A voice

proﬁle domain represents a collection of voice proﬁles. You must create a voice proﬁle domain

before developers can call the StartSpeakerSearchTask API.

Important

The speaker search feature involves the creation of a voice embedding, which can be used

to compare the voice of a caller against previously stored voice data. The collection, use,

storage, and retention of biometric identiﬁers and biometric information in the form of

a digital embedding may require the caller’s informed consent via a written release. Such

consent is required under various state laws, including biometrics laws in Illinois, Texas,

Washington and other state privacy laws. Before using the speaker search feature, you must

provide all notices, and obtain all consents as required by applicable law, and under the

AWS service terms governing your use of the feature.

You must provide a written release to each caller through a process that clearly reﬂects

each caller’s informed consent before using Amazon Chime SDK voice analytics service, as

required under the terms of your agreement with AWS governing your use of the service.

Managing voice proﬁle domains 150

Amazon Chime SDK Administration Guide

The following topics explain how to create and manage voice proﬁle domains.

Topics

• Creating voice proﬁle domains

• Editing voice proﬁle domains

• Deleting voice proﬁle domains

• Using tags with voice proﬁle domains

• Understanding the voice analytics consent notice

Creating voice proﬁle domains

The steps in this section explain how to create voice proﬁle domains. Remember the following:

• Domain names can't exceed 256 characters.

• Domain descriptions can't exceed 512 characters.

The Amazon Chime SDK console displays an error message if you exceed either limit.

Note

You must use a symmetric KMS key to encrypt all your domains. For more information,

see Using encryption with voice analytics. Also, your end users must consent to having

their voice recorded before you start a voice analytics session. For more information about

consent, see Understanding the voice analytics consent notice.

To create a voice proﬁle domain

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, choose Voice proﬁle domains.

3. Choose Create voice proﬁle domain.

4. Under Consent Acknowledgement, choose Yes, I agree to the Consent Acknowledgement for

Amazon Chime Speaker Search.

5. Under Setup, enter a name and description for the domain, then choose a KMS key.

Creating voice proﬁle domains 151

Amazon Chime SDK Administration Guide

6. (Optional) Under Tags, choose Add new tag, then enter a key and optional value. Repeat as

needed to add more tags.

7. When ﬁnished, choose Create voice proﬁle domain.

Editing voice proﬁle domains

You can edit any voice proﬁle domain, regardless of who created it.

To edit a voice proﬁle domain

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, choose Voice proﬁle domains.

3. Select the checkbox next to the domain that you want to edit, then choose Edit.

4. As needed, change the domain's name and description, then choose Save.

Deleting voice proﬁle domains

You can delete any voice proﬁle domain, regardless of who created it.

Important

When you delete a domain, you also delete all its voice proﬁles, and you can't undo the

deletion.

To delete a voice proﬁle domain

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, choose Voice proﬁle domains.

3. Select the checkbox next to the domain that you want to delete, then choose Delete.

4. In the dialog box that appears, choose I understand that this action cannot be reversed, then

choose Delete.

Editing voice proﬁle domains 152

Amazon Chime SDK Administration Guide

Using tags with voice proﬁle domains

The topics in this section explain how to use tags with your existing Amazon Chime SDK voice

proﬁle domains. Tags allow you to assign metadata to your domains. A tag consists of a key and an

optional value that stores information about the resource, or the data retained on that resource.

You deﬁne all keys and values. For example, you can create a tag key named CostCenter with a

value of 98765 and use the pair for cost allocation purposes. You can add up to 50 tags to a voice

proﬁle domain.

Adding tags to voice proﬁle domains

Follow these steps to add tags to an existing voice proﬁle domain.

To add tags

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, choose Voice proﬁle domains.

3. Choose the domain that you want to add tags to.

4. Choose Manage tags, then choose Add new tag.

5. Enter a value in the Key box and an optional value in the Value box.

6. As needed, choose Add new tag to create another tag.

7. When ﬁnished, choose Save changes.

Editing voice proﬁle domain tags

If you have the necessary permissions, you can edit any tags in your AWS account, regardless of

who created them. However, IAM policies may prevent you from doing so.

To edit tags

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, choose Voice proﬁle domains..

3. Choose the domain that has the tags you want to edit.

4. Choose Manage tags.

5. As needed, change the values in the Key and Value boxes.

Using tags with voice proﬁle domains 153

Amazon Chime SDK Administration Guide

—OR—

Choose Add new tag and add one or more tags.

6. When ﬁnished, choose Save changes.

Removing voice proﬁle domain tags

If you have the necessary permissions, you can remove any tags in your AWS account regardless of

who created them. However, IAM policies may prevent you from doing so.

To remove tags

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, choose Voice proﬁle domains..

3. Choose the domain that has the tags you want to edit.

4. Choose Manage tags.

5. Choose Remove under each of the tags that you want to delete.

6. When ﬁnished, choose Save changes.

Understanding the voice analytics consent notice

When you create a voice proﬁle domain or call analytics conﬁguration that uses voice analytics, you

see this consent acknowledgement:

As a condition of using this feature, you acknowledge that the collection, use, storage, and retention

of a speaker’s biometric identiﬁers and biometric information (“biometric data”) in the form of a

digital embedding may require the speaker’s informed consent, including via a written release. Such

consent is required under various state laws, including biometrics laws in Illinois, Texas, Washington

and other state privacy laws. Before using speaker search, you must provide all necessary notices to

and obtain all necessary consents from each speaker as required by applicable law, and as set forth in

our Service Terms governing your use of the feature.

You must provide a written release to each caller through a process that clearly reﬂects each caller's

informed consent before using Amazon Chime SDK voice analytics service, as required under the

terms of your agreement with AWS governing your use of the service.

Understanding the voice analytics consent notice 154

Amazon Chime SDK Administration Guide

For each speaker in Illinois, as required under the Biometric Information Privacy Act (“BIPA”), you

must provide the following information in writing as a written release through a process that clearly

reﬂects each caller’s informed consent before using speaker search:

“[Your company name (“Company”)] uses Amazon Web Services as a service provider for voice search

services. Biometric identiﬁers and biometric information (“biometric data”) may be collected, stored,

and used by Amazon Web Services on behalf of [Company] for the purpose of comparing the voice of

a caller against previously stored voice data. Biometric data that is generated as part of this process

will be retained for up to three years after your last interaction with [Company], or longer only if

allowed or required by applicable law, and thereafter destroyed. Except as required or permitted

by applicable law, [Company] will instruct Amazon Web Services to permanently destroy biometric

data that is stored on [Company’s] behalf when the initial purpose for collecting or obtaining such

data has been satisﬁed, within three years after your last interaction with the services, or after being

informed by you that such data should be destroyed, whichever comes ﬁrst. Biometric data may be

transmitted between [Company] and Amazon Web Services as necessary to provide and receive this

service. You hereby provide your express, informed, written release and consent for [Company] and

Amazon Web Services to collect, use, and store your biometric data as described herein.”

By checking the box below you agree to provide the preceding information in writing to, and obtain an

executed written release, from each speaker in Illinois as required by BIPA.

Understanding the voice analytics consent notice 155

Amazon Chime SDK Administration Guide

Setting up emergency calling

The Amazon Chime SDK provides two ways to set up emergency calls. Both methods only apply to

calls made in or to the U.S.

• Validated addresses – Enter and validate the physical address that calls may come from. If you

choose this option, the validated address becomes available for all Amazon Chime SDK Voice

Connectors. The Amazon Chime SDK then routes calls to the nearest Public Safety Answering

Point.

• Third-party routing – Add emergency call routing numbers to an Amazon Chime SDK Voice

Connector. If you choose this option, a third-party service of your choosing routes the calls, and

you don't need to validate an address. You can use this method to make emergency calls from

outside the U.S., but the calls must go to an endpoint in the U.S.

Note

If you don't use addresses or routing numbers, address validation may be carried out at the

start of a 911 call to ensure it is routed to the appropriate Public Safety Answering Point

(PSAP), meaning help may take longer to arrive.

The following sections explain how to use both options.

Topics

• Validating addresses for emergency calls

• Setting up third-party emergency routing numbers

• Using PIDF-LO in emergency calls

Validating addresses for emergency calls

To use building addresses for emergency calls, you enter and validate the addresses that the calls

can originate from. The Amazon Chime SDK then routes the calls to the nearest local Public Safety

Answering Point (PSAP). Remember the following:

• You only need to validate an address once, but you can validate it multiple times.

Validating addresses for emergency calls 156

Amazon Chime SDK Administration Guide

• You only validate a building's address. Don't include suite or apartment numbers.

• You can only validate addresses in the U.S.

Note

We strongly recommend using your validated addresses in PIDF-LO objects in your SIP

requests. For more information, see Using PIDF-LO in emergency calls.

To validate an address

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

In the navigation pane, under Phone Numbers, choose Emergency Calling.

Under Validate Address, enter your building's address.

Note

Enter the address exactly as it appears in the SIP Invite. This ensures the address will be

recognized when someone calls.

Choose Validate.

Setting up third-party emergency routing numbers

To use emergency call routing numbers, you need the following:

• An Amazon Chime SDK Voice Connector.

• An emergency call routing number from a third-party service provider. This must be a U.S.

number, and you supply that number to the Amazon Chime SDK. You can create an Amazon

Chime SDK Voice Connector just for emergency calls.

After setup, when you place a call to emergency services, the Amazon Chime SDK uses your

emergency number to route calls to your third-party emergency services provider via a public

switched telephone network. Your third-party emergency service provider then routes your call to

emergency services.

Setting up third-party emergency routing numbers 157

Amazon Chime SDK Administration Guide

Setting up emergency call routing numbers outside the United States requires that you

perform the following prerequisites:

• Obtain emergency call routing numbers from a third-party emergency service provider. Ensure

they're US numbers.

• Turn on and conﬁgure termination and origination settings for a Voice Connector. To do that, see

Editing Amazon Chime SDK Voice Connector settings.

To set up emergency call routing numbers for your Voice Connector

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Voice connectors.

3. Choose the name of the Voice Connector.

4. Choose the Emergency calling tab.

5. Under Third Party Emergency Service Provider Conﬁguration, choose Add.

6. For Call send method, choose DNIS (Dialed Number Identiﬁcation Service).

7. For Emergency call routing number for calling emergency services, enter the third-party

phone number for calling emergency services, in E.164 format.

8. For Test routing number for testing calls to emergency services, enter the third-party phone

number for testing calls to emergency services, in E.164 format.

9. For Country, select United States.

10. Choose Add.

Using PIDF-LO in emergency calls

Amazon Chime SDK Voice Connectors support enhanced 911 (E911) calling. When you place

emergency calls through a Voice Connector, you can send caller location information by including

a GEOPRIV Presence Information Data Format Location Object (PIDF-LO) in your SIP requests. The

object must include the Geolocation-Routing header, set to Yes. We strongly recommend

validating the address. If you don't use addresses or routing numbers, address validation may

be carried out at the start of a 911 call to ensure it is routed to the appropriate Public Safety

Answering Point (PSAP), meaning help may take longer to arrive.

The following example shows a SIP invite with a PIDF-LO object that includes an address.

Using PIDF-LO in emergency calls 158

Amazon Chime SDK Administration Guide

INVITE sip:911@abcdef1ghij2klmno3pqr4.voiceconnector.chime.aws;transport=TCP SIP/2.0

Via: SIP/2.0/TCP IPaddress:12345;rport;branch=z9hG4bKKXN2D41yvDUKH

From: +15105186683 ><sip:+15105186683@IPaddress:12345>;tag=tag

To: <sip:911@abcdef1ghij2klmno3pqr4.voiceconnector.chime.aws>;transport=TCP

Call-ID: 12abcdef-3456-7891-012g-h7i8j9k6l0a1

CSeq: 43615607 INVITE

Contact: <sip:IPaddress:12345>

Max-Forwards: 70

Geolocation-Routing: Yes

Geolocation: <cid:a1ef610291734f98a467b973819e90ed>;[email protected]

Content-Type: multipart/mixed;boundary=unique-boundarystring

Content-Length: 271

Accept: application/sdp, application/pidf+xml

--unique-boundarystring

Content-Type: application/sdp

v=0

o=FreeSWITCH 1636327400 1636327401 IN IP4 IPaddress

s=FreeSWITCH

c=IN IP4 IPaddress

t=0 0

m=audio 11398 RTP/SAVP 9 0 101

a=rtpmap:0 PCMU/8000

a=rtpmap:101 telephone-event/8000

a=fmtp:101 0-16

a=sendrecv

a=ptime:20

--unique-boundarystring

Content-Type: application/pidf+xml

Content-ID: <[email protected]>

<?xml version="1.0" encoding="utf-8"?>

<presence xmlns="urn:ietf:params:xml:ns:pidf"

xmlns:gp="urn:ietf:params:xml:ns:pidf:geopriv10"

xmlns:bp="urn:ietf:params:xml:ns:pidf:geopriv10:basicPolicy"

xmlns:ca="urn:ietf:params:xml:ns:pidf:geopriv10:civicAddr"

entity="sip:[email protected]">

<gp:geopriv>

<gp:location-info>

<ca:civicAddress>

<ca:country>US</ca:country>

Using PIDF-LO in emergency calls 159

Amazon Chime SDK Administration Guide

<ca:A1>WA</ca:A1>

<ca:A3>Seattle</ca:A3>

<ca:HNO>1812</ca:HNO>

<ca:RD>Example</ca:RD>

<ca:STS>Ave</ca:STS>

<ca:NAM>Low Flying Turtle</ca:NAM>

<ca:PC>98101</ca:PC>

</ca:civicAddress>

</gp:location-info>

</gp:geopriv>

</status>

</tuple>

</presence>

--unique-boundarystring--

Using PIDF-LO in emergency calls 160

Amazon Chime SDK Administration Guide

Managing SIP media applications

You can use the Amazon Chime SDK console to create Session Initiation Protocol (SIP) media

applications. SIP media applications make it easier and faster for you to create custom signaling

and media instructions that you would normally build on your private branch telephone exchange

(PBX).

You also use the console to create SIP rules. SIP rules specify how a SIP media application can

connect to an Amazon Chime SDK meeting. Calls can go to and from public DID or toll-free phone

numbers that are provisioned from your Amazon Chime SDK inventory, or to and from a Request

URI hostname, the name assigned to an Amazon Chime SDK Voice Connector. The Amazon Chime

SDK runs the SIP rules when a user places or receives a call. For information about using SIP rules,

refer to Managing SIP rules.

You must be an AWS Lambda user before you can create SIP media applications. The SIP media

applications use Lambda functions for the following reasons:

• You can write complex logic that involves decision-making. For example, a caller can use a

touchtone phone to dial in to a meeting. In turn, that phone number triggers Lambda functions

that ask for a meeting PIN and route the caller to the correct meeting.

• You can deploy Lambda functions without a server infrastructure.

For more information about AWS Lambda, see Getting started with AWS Lambda.

Note

Amazon Chime SDK SIP media applications have outbound international calling

restrictions. For more information, refer to Outbound calling restrictions.

Topics

• Understanding SIP applications and rules

• Using SIP media applications

161

Amazon Chime SDK Administration Guide

Understanding SIP applications and rules

To use the Session Initiation Protocol (SIP) with the Amazon Chime SDK, you create SIP media

applications and SIP rules. You create both in the Amazon Chime SDK console.

The following diagram shows how the applications and rules work. It shows how SIP rules can

route calls from phone numbers and Request URI hostnames to diﬀerent SIP applications.

Numbers in the image correspond to numbers in the text below the image.

You can only assign phone numbers from your Chime inventory and Voice Connectors (1) to SIP

rules (2). Also, you must provision a phone number or Amazon Chime SDK Voice Connector in your

PSTN Audio service, and the steps in Creating a SIP media application explain how to do that. Upon

receiving a call to a phone number, the SIP rule invokes a SIP media application and its associated

Lambda function (4). The Lambda function runs code that invokes actions, such as playing on-hold

music or joining a meeting, or muting a call. To provide multi-region resiliency, SIP rules (2) can

specify alternate target SIP media applications in diﬀerent AWS regions (3) by order of priority

for failover. If one target fails, the PSTN Audio service tries the next one. Note that each alternate

target must reside in a diﬀerent AWS Region.

Using SIP media applications

A SIP media application is a managed object that passes values from a SIP rule to a target AWS

Lambda function. You can create, view, update, and delete SIP media applications. Be aware that

you can view the details of any application, and other administrators can view your applications.

Understanding SIP applications and rules 162

Amazon Chime SDK Administration Guide

Note

You need an AWS Lambda function before you can create a SIP media application. For more

information, see Getting started with AWS Lambda.

Topics

• Creating a SIP media application

• Using tags with SIP media applications

• Viewing a SIP media application

• Updating a SIP media application

• Deleting a SIP media application

Creating a SIP media application

You create a SIP media application when you need to enable calling to and from a Request URI

hostname, Amazon Chime SDK Voice Connector group, or a private phone number.

To create a SIP media application

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In navigation pane, under PSTN Audio, choose SIP media applications, and on the page that

appears, choose Create SIP media application.

3. Under Name, enter a name for your application.

4. Copy one of the following values and paste it into the ARN box:

• The ARN of a Lambda function

• The ARN of the alias of a Lambda function

• The ARN of a version of a Lambda function

Note

You can create alias and version ARNs when you build a Lambda function, and you

must have an alias or version ARN if you want to enable Lambda concurrency. For

more information about Lambda function aliases, version aliases, and concurrency,

Creating a SIP media application 163

Amazon Chime SDK Administration Guide

refer to Lambda function aliases, Lambda function versions, and Managing Lambda

provisioned concurrency in the AWS Lambda Developer Guide.

5. (Optional) Under Tags, choose Add new tag, and then do the following:

1. Enter a value in the Key box.

2. (Optional) Enter a value in the Value box.

3. As needed, choose Add new tag to add more tags.

6. Choose Create SIP media applicaton..

A success message appears at the top of the Create a SIP media application page, and your

media application appears in the list of applications. If you see an error message, follow its

instructions.

Using tags with SIP media applications

The topics in this section explain how to use tags with your existing Amazon Chime SDK SIP

media applications. Tags allow you to assign metadata to your AWS resources, such as SIP media

applications. A tag consists of a key and an optional value that stores information about the

resource, or the data retained on that resource. You deﬁne all keys and values. For example, you

can create a tag key named CostCenter with a value of 98765 and use the pair for cost allocation

purposes. You can add up to 50 tags to a SIP media application.

Topics

• Adding tags to SIP media applications

• Editing tags

• Removing tags

Adding tags to SIP media applications

You can add as many as 50 tags to existing Amazon Chime SDK SIP media applications.

To add tags

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under PSTN Audio, choose SIP media applications.

Using tags with SIP media applications 164

Amazon Chime SDK Administration Guide

3. Choose the name of the SIP media application that you want use.

4. Choose the Tags tab, then choose Manage tags.

5. Choose Add new tag, then enter a key and optional value.

6. As needed, choose Add new tag to create another tag.

7. When ﬁnished, choose Save changes.

Editing tags

If you have the necessary permissions, you can edit any tags in your AWS account regardless of who

created them. However, IAM policies may prevent you from doing so.

To edit tags

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under PSTN Audio, choose SIP media applications.

3. Choose the name of SIP media application that you want change.

4. Choose the Tags tab, then choose Manage tags.

5. In the Key or Value boxes, enter a new value.

6. When ﬁnished, choose Save changes.

Removing tags

If you have the necessary permissions, you can remove any tags in your AWS account regardless of

who created them. However, IAM policies may prevent you from doing so.

To remove tags

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under PSTN Audio, choose SIP media applications.

3. Choose the name of SIP media application that you want change.

4. Choose the Tags tab, then choose Manage tags.

5. Choose Remove next to the tag that you want to remove.

6. Choose Save changes.

Using tags with SIP media applications 165

Amazon Chime SDK Administration Guide

Viewing a SIP media application

Other administrators can view your SIP media applications, including their details, and you can

view theirs.

To view a SIP media application

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, choose SIP media applications.

The SIP media application page appears and displays all the applications in your organization.

3. To view an application's details, choose the application's name.

Updating a SIP media application

You can update the name and Amazon Resource Names (ARNs) of your Lambda function for your

SIP media applications. You can't update the AWS Region.

To update a SIP media application

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, choose SIP media applications.

The SIP media application page appears.

3. Choose the name of the application that you want to update.

The application appears on its own page.

4. Choose Edit.

5. As needed, change the following:

• The application's name

• The Lambda ARN, alias ARN, or version ARN

• The tags. For more information about changing tags, see

Viewing a SIP media application 166

Amazon Chime SDK Administration Guide

Note

You can create alias and version ARNs when you build a Lambda function, and you

must have an alias or version ARN if you want to enable Lambda concurrency. For

more information about Lambda function aliases, version aliases, and concurrency,

refer to Lambda function aliases, Lambda function versions, and Managing Lambda

provisioned concurrency in the AWS Lambda Developer Guide.

6. Choose Save.

A success message appears. If you see an error message, follow its instructions.

Deleting a SIP media application

You delete a SIP media application for several reasons, such as the following:

• You stop using a phone number or a Request URI hostname.

• You make a mistake creating a SIP media application.

Note

As a best practice, check to ensure that deleting the application won't disrupt the call ﬂow.

Also, deleting the application does not delete any associated phone numbers or SIP rules.

To delete a SIP media application

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, choose SIP media applications.

The SIP media application page appears.

3. Choose the option button next to the application name.

4. Choose Delete.

The Delete application name dialog box appears.

5. Select I understand that this action cannot be reversed, then choose Delete.

Deleting a SIP media application 167

Amazon Chime SDK Administration Guide

Managing SIP rules

A SIP rule associates your SIP media application with a phone number or a Request URI hostname.

You can associate a SIP rule with more than one SIP media application. Each application then

runs only that rule. For an overview of how SIP rules work with SIP media applications, refer to

Understanding SIP applications and rules in the previous section.

Note

To create SIP rules, you need at least one DID or toll-free phone number with a Product

Type set to SIP Media Application Dial-In in your Amazon Chime SDK inventory, or at least

one Request URI hostname, the name assigned to an Amazon Chime SDK Voice Connector.

For more information about phone numbers, see Managing phone numbers. For more

information about Request URI hostnames, follow the steps in the next section.

Contents

• Creating a SIP rule

• Viewing a SIP rule

• Updating a SIP rule

• Enabling a SIP rule

• Disabling a SIP rule

• Deleting a SIP rule

Creating a SIP rule

Before you can create a SIP rule, you need at least one DID or toll-free phone number with a

Product Type set to SIP Media Application Dial-In in your Amazon Chime SDK inventory, or a

Request URI hostname associated with an Amazon Chime SDK Voice Connector, and a SIP media

application. For more about SIP applications, see Creating a SIP media application. Also, you can

use rules created by other administrators.

To create a SIP rule

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

Creating a SIP rule 168

Amazon Chime SDK Administration Guide

2. In the navigation pane, under Phone Numbers, choose SIP media applications.

3. Choose the SIP application for which you want to create a rule, then choose the Rules tab.

4. Copy the phone number or Outbound host name value, paste the value into Notepad or a

similar program, and keep that program open for later use.

5. In the navigation pane, choose SIP rules.

The SIP rules page appears.

6. Choose Create.

The Create a SIP rule dialog box appears.

7. In the Name box, enter a name for the rule, then do one of the following:

Create a rule for a phone number

A. By default, the Trigger type list displays To phone number. If it doesn't, open the list and

select that value.

B. For Phone number, enter a phone number or choose one from the list. If you enter a

number, use this format: +1ten-digit number. For example: +15095551212.

Create a rule for a Request URI hostname

A. Open the Trigger type list and choose Request URI hostname.

B. Paste the hostname that you copied in step 2 into the Request URI hostname box.

8. To use the rule immediately, leave the Enabled check box selected. To disable the rule—for

example, until an Amazon Chime SDK Voice Connector and its hostname become available—

clear the check box.

9. Choose Next, and on the Step 2 page, open the SIP media application list and select the SIP

media application that you want to use.

10. As needed, choose Add a SIP media application to use the rule with multiple applications.

11. Choose Create.

A success message appears. If an error message appears, follow its instructions.

Creating a SIP rule 169

Amazon Chime SDK Administration Guide

Viewing a SIP rule

Other administrators can view your SIP rules, including their details, and you can do the same with

their rules.

To view a SIP rule

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under PSTN Audio, choose SIP rules.

The SIP rules page appears and displays all the rules in your organization.

3. To view a rule's details, choose the rule's name.

Updating a SIP rule

The only update you can make to a SIP rule is to change its name. Typically, you change a rule

name to match the name of its corresponding SIP media application.

To update a SIP rule

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under PSTN Audio, choose SIP rules.

3. Choose the name of the rule that you want to change.

The page for that rule appears.

4. Choose Edit.

5. For Name, enter a new name for the rule, then choose Save.

Enabling a SIP rule

You can enable any SIP rule, even rules created by another administrator. As a best practice, view

the rule's details before you enable it. For more information, see Viewing a SIP rule.

To enable a SIP rule

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under PSTN Audio, choose SIP rules.

Viewing a SIP rule 170

Amazon Chime SDK Administration Guide

The SIP rules page appears.

3. As needed, scroll down to the end of the list of rules, then use the horizontal scroll bar to

display the Status column.

Disabled rules have a red Disabled icon.

4. Do one of the following to enable a rule:

Use the Actions list

A. Scroll over and choose the option button next to the rule's name.

B. Scroll up, open the Actions list and choose Enable, then go to step 5.

Use the Enable button

A. Choose the rule's name.

B. Choose Enable, located next to Edit, then go to step 5.

5. When you choose Enable using either method described in step 4, the Enable rule(s) dialog

box appears. Select I understand that the rule(s) listed here will trigger the SIP media

application, then choose Enable.

Disabling a SIP rule

Disable SIP rules when you don't need the connection that the rule provides. Also, you must disable

a SIP rule before you delete that rule or an associated SIP media application. You can disable any

rule created by any administrator. As a best practice, view the rule's details before you disable it,

and check to ensure that disabling the rule won't disrupt a call ﬂow. For more information, see

Viewing a SIP rule

To disable a SIP rule

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under PSTN Audio, choose SIP rules.

The SIP rules page appears.

3. As needed, scroll down to the end of the list of rules, then use the horizontal scroll bar to

display the Status column.

Disabling a SIP rule 171

Amazon Chime SDK Administration Guide

Enabled rules have a green Enabled icon.

4. Do one of the following to disable a rule:

Use the Actions list

A. Scroll over and choose the option button next to the rule's name.

B. Scroll up, open the Actions list and choose Disable.

The Disable rule(s) dialog box appears. Go to step 5.

Use the Disable button

A. Scroll over and select the rule's name.

B. Choose Disable, located next to Edit.

The Disable rule(s) dialog box appears. Go to step 5.

5. Select I understand that this action will stop the above rules triggering the SIP media

application, then choose Disable.

Deleting a SIP rule

Typically, you delete a SIP rule when you don't need the associated Request URI hostname or

phone number. Also, you can delete a SIP rule when you make a mistake creating it.

Note

You must disable a rule before you can delete it. For more information about disabling

rules, see Disabling a SIP rule.

To delete a SIP rule

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under PSTN Audio, choose SIP rules.

The SIP rules page appears.

3. Choose the radio button next to the rule's name.

Deleting a SIP rule 172

Amazon Chime SDK Administration Guide

4. Open the Actions list and choose Delete.

The Delete rule(s) dialog box appears.

5. Select I understand that this action cannot be reversed, then choose Delete.

Deleting a SIP rule 173

Amazon Chime SDK Administration Guide

Managing global settings for the Amazon Chime SDK

Manage call detail record settings for the Amazon Chime SDK.

Conﬁguring call detail records

Before you can conﬁgure call detail record settings for your Amazon Chime SDK administrative

account, you must ﬁrst create an Amazon Simple Storage Service bucket. The Amazon S3 bucket is

used as the log destination for your call detail records. When you conﬁgure your call detail record

settings, you grant the Amazon Chime SDK read and write access to the Amazon S3 bucket in order

to save and manage your data. For more information about creating an Amazon S3 bucket, see

Getting started with Amazon Simple Storage Service in the Amazon Simple Storage Service User

Guide.

You can conﬁgure call detail record settings for Amazon Chime SDK Voice Connectors. For more

information about Amazon Chime SDK Voice Connectors, see Managing phone numbers in Amazon

Chime SDK.

To conﬁgure call detail record settings

1. Create an Amazon S3 bucket by following the steps at Getting started with Amazon Simple

Storage Service in the Amazon Simple Storage Service User Guide.

2. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

3. In the navigation pane, under SIP Trunking, choose Call detail records.

4. Open the Log destination list and choose an S3 bucket.

5. Choose Save.

You can stop logging call detail records at any time.

To stop logging call detail records

1. Open the Amazon Chime SDK console at https://console.aws.amazon.com/chime-sdk/home.

2. In the navigation pane, under SIP Trunking, choose Call detail records.

3. Choose Disable logging.

Conﬁguring call detail records 174

Amazon Chime SDK Administration Guide

Amazon Chime SDK Voice Connector call detail records

When you choose to receive call detail records for your Amazon Chime SDK Voice Connector,

they are sent to your Amazon S3 bucket. The following example shows the general format of an

Amazon Chime SDK Voice Connector call detail record name.

Amazon-Chime-Voice-Connector-CDRs/

json/abcdef1ghij2klmno3pqr4/2019/03/01/17.10.00.020_123abc4d-efg5-6789-h012-

j3456789k012

The following example shows the data that is represented in the call detail record name.

Amazon-Chime-Voice-Connector-CDRs/json/voiceConnectorID/year/month/

day/callStartTime-voiceConnectorTransactionID

The following example shows the general format of an Amazon Chime SDK Voice Connector call

detail record.

{

"AwsAccountId": "111122223333",

"TransactionId": "123abc4d-efg5-6789-h012-j3456789k012",

"CallId": "[email protected]:8080",

"VoiceConnectorId": "abcdef1ghij2klmno3pqr4",

"Status": "Completed",

"StatusMessage": "OK",

"SipAuthUser": "XXXX",

"BillableDurationSeconds": 6,

"BillableDurationMinutes": 0.1,

"SchemaVersion": "2.0",

"SourcePhoneNumber": "+12065550100",

"SourcePhoneNumberName": "North Campus Reception",

"SourceCountry": "US",

"DestinationPhoneNumber": "+12065550101",

"DestinationPhoneNumberName": "South Campus Reception",

"DestinationCountry": "US",

"UsageType": "USE1-US-US-outbound-minutes",

"ServiceCode": "AmazonChimeVoiceConnector",

"Direction": "Outbound",

"StartTimeEpochSeconds": 1565399625,

"EndTimeEpochSeconds": 1565399629,

"Region": "us-east-1",

Amazon Chime SDK Voice Connector call detail records 175

Amazon Chime SDK Administration Guide

"Streaming": true

}

Amazon Chime SDK Voice Connector streaming detail records

When you choose to receive call detail records for your Amazon Chime SDK Voice Connector, and

you stream media to Kinesis Video Streams or send SIPREC requests, streaming detail records are

sent to your Amazon S3 bucket. For more information, see Streaming Amazon Chime SDK Voice

Connector media to Kinesis.

The following example shows the general format of a streaming detail record name.

Amazon-Chime-Voice-Connector-SDRs/

json/abcdef1ghij2klmno3pqr4/2019/03/01/17.10.00.020_123abc4d-efg5-6789-h012-

j3456789k012

The following example shows the data that is represented in the streaming detail record name.

Amazon-Chime-Voice-Connector-SDRs/json/voiceConnectorID/year/month/

day/callStartTime-voiceConnectorTransactionID

The following example shows the general format of a streaming detail record.

{

"SchemaVersion": "1.0",

"AwsAccountId": "111122223333",

"TransactionId": "123abc4d-efg5-6789-h012-j3456789k012",

"CallId": "[email protected]:8080",

"VoiceConnectorId": "abcdef1ghij2klmno3pqr4",

"StartTimeEpochSeconds": 1565399625,

"EndTimeEpochSeconds": 1565399629,

"Status": "Completed",

"StatusMessage": "Streaming succeeded",

"ServiceCode": "AmazonChime",

"UsageType": "USE1-VC-kinesis-audio-streaming",

"BillableDurationSeconds": 6,

"Region": "us-east-1"

}

Amazon Chime SDK Voice Connector streaming detail records 176

Amazon Chime SDK Administration Guide

Network conﬁguration and bandwidth requirements

The Amazon Chime SDK requires the destinations and ports described in this topic to support

various services. If inbound or outbound traﬃc is blocked, this blockage might aﬀect the ability to

use various services, including audio, video, screen sharing, or chat.

The Amazon Chime SDK uses Amazon Elastic Compute Cloud (Amazon EC2) and other AWS

services on port TCP/443. If your ﬁrewall blocks port TCP/443, you must put *.amazonaws.com

on an allow list, or put AWS IP address ranges in the AWS General Reference for the following

services:

• Amazon EC2

• Amazon CloudFront

• Amazon Route53

Common

The following destinations and ports are required when running the Amazon Chime SDK in your

environment.

Destination Ports

*.chime.aws TCP:443

*.amazonaws.com TCP:443

Amazon Chime SDK WebRTC media sessions

Domain Subnet Ports

*.chime.aws 99.77.128.0/18 TCP:443 UDP:3478

*.sdkassets.chime.aws TCP:443

Common 177

Amazon Chime SDK Administration Guide

Amazon Chime SDK Voice Connector

The following destinations and ports are recommended if you use Amazon Chime SDK Voice

Connectors.

SIP Signaling

AWS Region Destination Ports

US East (N. Virginia) 3.80.16.0/23 UDP/5060

TCP/5060

TLS/5061

US West (Oregon) 99.77.253.0/24 UDP/5060

TCP/5060

TLS/5061

Asia Paciﬁc (Seoul) 99.77.242.0/24 UDP/5060

TCP/5060

TLS/5061

Asia Paciﬁc (Singapore) 99.77.240.0/24 UDP/5060

TCP/5060

TLS/5061

Asia Paciﬁc (Sydney) 99.77.239.0/24 UDP/5060

TCP/5060

TLS/5061

Asia Paciﬁc (Tokyo) 99.77.244.0/24 UDP/5060

TCP/5060

Amazon Chime SDK Voice Connector 178

Amazon Chime SDK Administration Guide

AWS Region Destination Ports

TLS/5061

Canada (Central) 99.77.233.0/24 UDP/5060

TCP/5060

TLS/5061

Europe (Frankfurt) 99.77.247.0/24 UDP/5060

TCP/5060

TLS/5061

Europe (Ireland) 99.77.250.0/24 UDP/5060

TCP/5060

TLS/5061

Europe (London) 99.77.249.0/24 UDP/5060

TCP/5060

TLS/5061

Media

AWS Region Destination Ports

Asia Paciﬁc (Seoul) 99.77.242.0/24 UDP/5000:65000

Asia Paciﬁc (Singapore) 99.77.240.0/24 UDP/5000:65000

Asia Paciﬁc (Sydney) 99.77.239.0/24 UDP/5000:65000

Asia Paciﬁc (Tokyo) 99.77.244.0/24 UDP/5000:65000

Canada (Central) 99.77.233.0/24 UDP/5000:65000

Media 179

Amazon Chime SDK Administration Guide

AWS Region Destination Ports

Europe (Frankfurt) 99.77.247.0/24 UDP/5000:65000

Europe (Ireland) 99.77.250.0/24 UDP/5000:65000

Europe (London) 99.77.249.0/24 UDP/5000:65000

US East (N. Virginia) 3.80.16.0/23 UDP/5000:65000

US East (N. Virginia) 52.55.62.128/25 UDP/1024:65535

US East (N. Virginia) 52.55.63.0/25 UDP/1024:65535

US East (N. Virginia) 34.212.95.128/25 UDP/1024:65535

US East (N. Virginia) 34.223.21.0/25 UDP/1024:65535

US West (Oregon) 99.77.253.0/24 UDP/5000:65000

Amazon Voice Focus for carriers media destinations and ports

AWS Region Destination Ports

US East (N. Virginia) 99.77.254.0/24 UDP/5000:65000

US West (Oregon) 99.77.232.0/24 UDP/5000:65000

Bandwidth requirements

The Amazon Chime SDK has the following bandwidth requirements for the media that it provides:

• Audio

• 1:1 call: 54 kbps up and down

• Large call: no more than 32 kbps extra down for 50 callers

• Video

• 1:1 call: 650 kbps up and down

Amazon Voice Focus for carriers media destinations and ports 180

Amazon Chime SDK Administration Guide

• HD mode: 1400 kbps up and down

• 3–4 people: 450 kbps up and (N-1)*400 kbps down

• 5–16 people: 184 kbps up and (N-1)*134 kbps down

• Up and down bandwidth adapts lower based on network conditions

• Screen

• 1.2 mbps up (when presenting) and down (when viewing) for high quality. This adapts as low

as 320 kbps based on network conditions.

• Remote control: 800 kbps ﬁxed

Amazon Chime SDK Voice Connectors have the following bandwidth requirements:

• Audio

• Call: ~90 kbps up and down. This includes media payload and packet overhead.

• T.38 fax

• With V.34: ~40 kbps. This includes media payload and packet overhead.

• Without V.34: ~20 kbps. This includes media payload and packet overhead.

Bandwidth requirements 181

Amazon Chime SDK Administration Guide

Administrative support for the Amazon Chime SDK

If you are an administrator and need to contact support for the Amazon Chime SDK, choose one of

the following options:

• If you have an AWS Support account, go to Support Center and submit a ticket.

• Otherwise, open the AWS Management Console and choose Amazon Chime SDK, Support,

Submit request.

It's helpful to provide the following information:

• A detailed description of the issue.

• The time the issue occurred, including your time zone.

182

Amazon Chime SDK Administration Guide

Document history for the Amazon Chime SDK

Administration Guide

The following table describes important changes to the Amazon Chime SDK Administration

Guide, beginning in March 2022. Subscribe to an RSS feed for notiﬁcations about updates to this

documentation.

Change Description Date

Alexa in-skill calling removed Due to changes by the

Amazon Alexa team, you can

no longer add Alexa calls to

SIP media applications. For

more information, refer to the

Alexa Smart Properties page.

April 1, 2024

Updated service-linked role

policy

The AmazonChimeSDKMedi

aPipelinesServiceL

inkedRolePolicy

added permission that

allows CloudWatch to

provide metrics for use in

service dashboards. For

more information, see

Using roles with Amazon

Chime SDK media pipelines

and AWS managed policy:

AmazonChimeSDKMedi

aPipelinesServiceLinkedRole

Policy

December 8, 2023

Updated service-linked role

policy, new meeting Regions

The AmazonChimeSDKMedi

aPipelinesServiceL

inkedRolePolicy added

permissions that allow Kinesis

Video Streams to stream

September 25, 2023

183

Amazon Chime SDK Administration Guide

audio, video, and screen-sh

are data to Amazon Chime

SDK meetings. For more

information, see Using roles

with Amazon Chime SDK

media pipelines and AWS

managed policy: AmazonChi

meSDKMediaPipeline

sServiceLinkedRolePolicy.

Voice enhancement Administrators can now

enable call enable voice

enhancement, a feature

that improves the audio

quality of PSTN calls. For

more information, refer to

the Understanding voice

enhancement section in

Creating a call analytics

conﬁguration.

August 31, 2023

Updated service-linked role

policy

The AmazonChimeVoiceCo

nnectorServiceLink

edRolePolicy added

permissions that allow

access to the GetMediaI

nsightsPipelineConﬁguratio

n API. Amazon Chime Voice

Connectors require those

permissions in order to get

media insights pipeline

conﬁgurations. For more

information, see Conﬁguring

Voice Connectors to use call

analytics.

April 14, 2023

184

Amazon Chime SDK Administration Guide

Tagging for Voice Connectors Administrators can now

assign tags to Amazon Chime

SDK Voice Connectors. Tags

assign metadata in the form

of key-value pairs that you

deﬁne. For more informati

on, see Using tags with Voice

Connectors.

April 13, 2023

New and updated service

linked role policies

Developers can use the

AmazonChimeSDKEven

ts service linked role to

access streaming services

such as Kinesis Firehose.

For more information,

see Using the AmazonChi

meSDKEvents service-linked

role. We also added the

AmazonChimeVoiceCo

nnectorServiceLink

edRolePolicy name to

Using service linked roles. For

more information, see Using

the AmazonChimeVoiceCo

nnectorServiceLinkedRolePol

icy.

March 27, 2023

185

Amazon Chime SDK Administration Guide

Call analytics and voice

analytics

Administrators, and developer

s with administrative

permissions, can conﬁgure

Voice Connectors for use with

call analytics. As needed,

you can also enable voice

analytics. For more informati

on, see Managing Amazon

Chime SDK call analytics and

Conﬁguring Voice Connector

s to use call analytics in this

guide.

March 27, 2023

Updated security policy The AWS managed Amazon

Chime SDK policy added

new permissions that allow

you to use Amazon Chime

SDK Media Pipeline APIs to

create, read and delete Media

Pipelines.

January 10, 2023

New AWS Regions for SIP

signaling

Administrators can now

associate SIP media applicati

ons with AWS Regions in Asia,

Canada, and Europe. For more

information, see Network

conﬁguration and bandwidth

requirements.

November 18, 2022

Alexa in-skill calling Alexa Skill developers could

enable calling directly from

their skills. This feature has

been removed.

November 18, 2022

186

Amazon Chime SDK Administration Guide

Updated emergency 911

calling

We updated the emergency

calling process. For more

information, see Setting up

emergency calling.

August 4, 2022

New service-linked role A new service-linked role

enables developers to use

media pipelines in Amazon

Chime SDK meetings. For

more information, see AWS

managed policy: AmazonChi

meSDKMediaPipeline

sServiceLinkedRolePolicy.

April 26, 2022

Amazon Chime SDK Administr

ation Guide published

The Amazon Chime SDK

Administration Guide

published. For changes before

March 2022, see Document

history for Amazon Chime in

the Amazon Chime Administr

ator Guide.

March 24, 2022

187