
Create an IAM role for the Test Workbench - Advanced Features

Permission setup for the Test Workbench IAM role

This section shows several example AWS Identity and Access Management (IAM) identity-based policies to implement least-privilege access controls for Test Workbench permissions.

  1. Policy for Test Workbench to read audio files in S3 – This policy enables Test Workbench to read the audio files used in test sets. Modify the policy below so that S3BucketName and S3Path point to the Amazon S3 location of the audio files in a test set.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "TestWorkbenchS3AudioFilesReadOnly",
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion"
          ],
          "Resource": [
            "arn:aws:s3:::S3BucketName/S3Path/*"
          ]
        }
      ]
    }
  2. Policy for Test Workbench to read and write test sets and results into an Amazon S3 bucket – This policy enables Test Workbench to store the test set inputs and results. Modify the policy below, replacing S3BucketName with the Amazon S3 bucket where test-set data will be stored. Test Workbench stores this data exclusively in your Amazon S3 bucket and not in the Lex service infrastructure. For this reason, Test Workbench requires access to your Amazon S3 bucket to function properly.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "TestSetDataUploadWithEncryptionOnly",
          "Effect": "Allow",
          "Action": [
            "s3:PutObject"
          ],
          "Resource": [
            "arn:aws:s3:::S3BucketName/*/lex_testworkbench/test_set/*",
            "arn:aws:s3:::S3BucketName/*/lex_testworkbench/test_execution/*",
            "arn:aws:s3:::S3BucketName/*/lex_testworkbench/test_set_discrepancy_report/*"
          ],
          "Condition": {
            "StringEquals": {
              "s3:x-amz-server-side-encryption": "aws:kms"
            }
          }
        },
        {
          "Sid": "TestSetDataGetObject",
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion"
          ],
          "Resource": [
            "arn:aws:s3:::S3BucketName/*/lex_testworkbench/test_set/*",
            "arn:aws:s3:::S3BucketName/*/lex_testworkbench/test_execution/*",
            "arn:aws:s3:::S3BucketName/*/lex_testworkbench/test_set_discrepancy_report/*"
          ]
        },
        {
          "Sid": "TestSetListS3Objects",
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::S3BucketName"
          ]
        }
      ]
    }
  3. Policy for Test Workbench to read CloudWatch Logs – This policy enables Test Workbench to generate test sets from Lex conversation text logs stored in Amazon CloudWatch Logs. Modify the policy below, replacing Region, AwsAccountId, and LogGroupName.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "TestWorkbenchLogsReadOnly",
          "Effect": "Allow",
          "Action": [
            "logs:FilterLogEvents"
          ],
          "Resource": [
            "arn:aws:logs:Region:AwsAccountId:log-group:LogGroupName:*"
          ]
        }
      ]
    }
  4. Policy for Test Workbench to call Lex Runtime – This policy enables Test Workbench to execute a test set against Lex bots. Modify the policy below, replacing Region, AwsAccountId, and BotId. Because Test Workbench can test any bot in your Lex environment, you can replace the resource with "arn:aws:lex:Region:AwsAccountId:bot-alias/*" to allow Test Workbench access to all Amazon Lex V2 bots in an account.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "TestWorkbenchLexRuntime",
          "Effect": "Allow",
          "Action": [
            "lex:RecognizeText",
            "lex:RecognizeUtterance",
            "lex:StartConversation"
          ],
          "Resource": [
            "arn:aws:lex:Region:AwsAccountId:bot-alias/BotId/*"
          ]
        }
      ]
    }
  5. (Optional) Policy for Test Workbench to encrypt and decrypt test set data – If Test Workbench is configured to store test-set inputs and results in Amazon S3 buckets using a customer managed KMS key, Test Workbench needs both encryption and decryption permission to the KMS key. Modify the policy below, replacing Region, AwsAccountId, and KmsKeyId, where KmsKeyId is the ID of the customer managed KMS key.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "TestWorkbenchKmsEncryption",
          "Effect": "Allow",
          "Action": [
            "kms:GenerateDataKey",
            "kms:Decrypt"
          ],
          "Resource": [
            "arn:aws:kms:Region:AwsAccountId:key/KmsKeyId"
          ],
          "Condition": {
            "StringLike": {
              "kms:ViaService": [
                "s3.*.amazonaws.com"
              ]
            }
          }
        }
      ]
    }
  6. (Optional) Policy for Test Workbench to decrypt audio files – If audio files are stored in the S3 bucket using a customer managed KMS key, Test Workbench needs decryption permission to the KMS keys. Modify the policy below, replacing Region, AwsAccountId, and KmsKeyId, where KmsKeyId is the ID of the customer managed KMS key used to encrypt the audio files.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "TestWorkbenchKmsDecryption",
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt"
          ],
          "Resource": [
            "arn:aws:kms:Region:AwsAccountId:key/KmsKeyId"
          ],
          "Condition": {
            "StringLike": {
              "kms:ViaService": [
                "s3.*.amazonaws.com"
              ]
            }
          }
        }
      ]
    }
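
A pre-attachment check for filled-in copies of the policies above, as an added example that is not part of the AWS documentation: it flags template placeholders left in a resource ARN, an `s3:PutObject` statement missing the SSE-KMS condition, KMS access without `kms:ViaService`, and the account-wide `bot-alias/*` resource mentioned in item 4. The `lint` function, the bucket name, and the account ID are constructed for illustration.

```python
import json

# Placeholder tokens used in the policy templates on this page.
PLACEHOLDERS = "S3BucketName S3Path Region AwsAccountId LogGroupName BotId KmsKeyId".split()

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint(policy):
    """Return a list of findings for one policy document (a dict)."""
    findings = []
    for st in as_list(policy["Statement"]):
        sid = st.get("Sid", "<no Sid>")
        actions = as_list(st.get("Action", []))
        resources = as_list(st.get("Resource", []))
        cond = st.get("Condition", {})
        # Heuristic substring match: a template token still present in an ARN.
        for token in PLACEHOLDERS:
            if any(token in res for res in resources):
                findings.append(f"{sid}: placeholder {token} not replaced")
        sse = cond.get("StringEquals", {}).get("s3:x-amz-server-side-encryption")
        if "s3:PutObject" in actions and sse != "aws:kms":
            findings.append(f"{sid}: s3:PutObject lacks the SSE-KMS condition")
        via = "kms:ViaService" in cond.get("StringLike", {})
        if any(a.startswith("kms:") for a in actions) and not via:
            findings.append(f"{sid}: KMS access not limited by kms:ViaService")
        wide = any(r.endswith(":bot-alias/*") for r in resources)
        if any(a.startswith("lex:") for a in actions) and wide:
            findings.append(f"{sid}: covers every bot alias in the account")
    return findings

# Constructed sample: a filled-in policy with three deliberate deviations.
SAMPLE = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Sid": "TestSetDataUploadWithEncryptionOnly", "Effect": "Allow",
  "Action": ["s3:PutObject"],
  "Resource": ["arn:aws:s3:::example-bucket/*/lex_testworkbench/test_set/*"]},
 {"Sid": "TestWorkbenchKmsDecryption", "Effect": "Allow", "Action": ["kms:Decrypt"],
  "Resource": ["arn:aws:kms:us-east-1:111122223333:key/KmsKeyId"],
  "Condition": {"StringLike": {"kms:ViaService": ["s3.*.amazonaws.com"]}}},
 {"Sid": "TestWorkbenchLexRuntime", "Effect": "Allow", "Action": ["lex:RecognizeText"],
  "Resource": ["arn:aws:lex:us-east-1:111122223333:bot-alias/*"]}
]}
""")

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```
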