If an IAM role has the AmazonLexFullAccess policy attached, it can create and manage bot replicas.
If you prefer to create a role with minimal permissions for Global Resiliency, use the following policy, which contains these statements:
- Permissions to access the Amazon Lex V2 service-linked role for bot replication.
- Permissions to allow Amazon Lex V2 to create a service-linked role for bot replication on your behalf.
- Permissions to call the bot replication APIs.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetReplicationSLR",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/replication.lexv2.amazonaws.com/AWSServiceRoleForLexV2Replication*"
      ]
    },
    {
      "Sid": "CreateReplicationSLR",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/replication.lexv2.amazonaws.com/AWSServiceRoleForLexV2Replication*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "lexv2.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowBotReplicaActions",
      "Effect": "Allow",
      "Action": [
        "lex:CreateBotReplica",
        "lex:DescribeBotReplica",
        "lex:ListBotReplica",
        "lex:ListBotVersionReplicas",
        "lex:ListBotAliasReplicas",
        "lex:DeleteBotReplica"
      ],
      "Resource": [
        "arn:aws:lex:*:*:bot/*",
        "arn:aws:lex:*:*:bot-alias/*"
      ]
    }
  ]
}
```
You can restrict permissions further by modifying them as follows.
- Replace `*` with specific bot or bot alias IDs to limit the permissions to specific bots or bot aliases.
- Use a subset of the lex BotReplica actions to restrict the role to specific actions.
For an example, see Allow users to create and view bot replicas, but not to delete them.
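The two restrictions above, applied programmatically. This is an added example, not code from the Amazon Lex V2 documentation: it holds the policy above as a Python dict, narrows the `AllowBotReplicaActions` statement to named bots and a subset of the replica actions, and reports any Lex resource that still ends in a wildcard. The bot ID `EXAMPLEBOTID` is a constructed placeholder, and `alias_paths` is assumed to be whatever follows `bot-alias/` in the alias ARN (the page shows only `*` there).

```python
import copy
import json

# The three statements of the policy above, unchanged in content, as a Python dict.
SLR_ARN = ("arn:aws:iam::*:role/aws-service-role/replication.lexv2.amazonaws.com/"
           "AWSServiceRoleForLexV2Replication*")
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "GetReplicationSLR", "Effect": "Allow", "Action": ["iam:GetRole"], "Resource": [SLR_ARN]},
        {"Sid": "CreateReplicationSLR", "Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole"],
         "Resource": [SLR_ARN], "Condition": {"StringEquals": {"iam:AWSServiceName": "lexv2.amazonaws.com"}}},
        {"Sid": "AllowBotReplicaActions", "Effect": "Allow",
         "Action": ["lex:CreateBotReplica", "lex:DescribeBotReplica", "lex:ListBotReplica",
                    "lex:ListBotVersionReplicas", "lex:ListBotAliasReplicas", "lex:DeleteBotReplica"],
         "Resource": ["arn:aws:lex:*:*:bot/*", "arn:aws:lex:*:*:bot-alias/*"]},
    ],
}
REPLICA_ACTIONS = set(BASE_POLICY["Statement"][2]["Action"])


def scope_replica_policy(policy, bot_ids, alias_paths, actions, region="*", account="*"):
    """Return a copy of `policy` whose AllowBotReplicaActions statement is limited to the
    given bot IDs / alias paths and to a subset of the lex BotReplica actions.
    alias_paths is assumed to be the text after 'bot-alias/' in the alias ARN."""
    unknown = set(actions) - REPLICA_ACTIONS
    if unknown:
        raise ValueError(f"not a bot replica action from the policy: {sorted(unknown)}")
    if not bot_ids and not alias_paths:
        raise ValueError("name at least one bot or bot alias; an empty Resource list grants nothing")
    scoped = copy.deepcopy(policy)  # leave the caller's policy untouched
    for stmt in scoped["Statement"]:
        if stmt["Sid"] == "AllowBotReplicaActions":
            stmt["Action"] = sorted(actions)
            stmt["Resource"] = ([f"arn:aws:lex:{region}:{account}:bot/{b}" for b in bot_ids]
                                + [f"arn:aws:lex:{region}:{account}:bot-alias/{a}" for a in alias_paths])
    return scoped


def wildcard_lex_resources(policy):
    """Lex resource ARNs that still match every bot or alias; empty once the policy is scoped."""
    return [r for s in policy["Statement"] for r in s["Resource"]
            if r.startswith("arn:aws:lex:") and r.endswith("/*")]


if __name__ == "__main__":
    # EXAMPLEBOTID is a constructed placeholder; substitute your own bot identifier.
    read_only = scope_replica_policy(BASE_POLICY, ["EXAMPLEBOTID"], [],
                                     ["lex:DescribeBotReplica", "lex:ListBotReplica"])
    print(json.dumps(read_only, indent=2), wildcard_lex_resources(read_only))
```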