Permissions to replicate bots and manage bot replicas in Lex V2
If an IAM role has the AmazonLexFullAccess policy attached, it can create and manage bot replicas.
If you prefer to create a role with minimal permissions for Global Resiliency, use the following policy, which contains the following statements.
- Permissions to access the Amazon Lex V2 service-linked role for bot replication.
- Permissions to allow Amazon Lex V2 to create a service-linked role for bot replication on your behalf.
- Permissions to call the bot replication APIs.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetReplicationSLR",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/replication.lexv2.amazonaws.com/AWSServiceRoleForLexV2Replication*"
            ]
        },
        {
            "Sid": "CreateReplicationSLR",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/replication.lexv2.amazonaws.com/AWSServiceRoleForLexV2Replication*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "lexv2.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AllowBotReplicaActions",
            "Effect": "Allow",
            "Action": [
                "lex:CreateBotReplica",
                "lex:DescribeBotReplica",
                "lex:ListBotReplica",
                "lex:ListBotVersionReplicas",
                "lex:ListBotAliasReplicas",
                "lex:DeleteBotReplica"
            ],
            "Resource": [
                "arn:aws:lex:*:*:bot/*",
                "arn:aws:lex:*:*:bot-alias/*"
            ]
        }
    ]
}
You can restrict permissions further by modifying them as follows.
- Replace * with specific bot or bot alias IDs to limit the permissions to specific bots or bot aliases.
- Use a subset of the lex BotReplica actions to restrict the role to specific actions.
For an example, see Allow users to create and view bot replicas, but not to delete them.
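To check a policy against the two restrictions above before attaching it, the following added example (not AWS's or this page's own code) flags wildcard bot resources, Lex actions outside the replica set listed on this page, and service-linked role creation that lacks the iam:AWSServiceName condition. The function names, the allow_delete parameter and the sample policy, including its account, Region and bot IDs, are assumptions constructed for illustration.

```python
import json
# Replica actions exactly as listed in the policy on this page (IAM ignores case).
REPLICA_ACTIONS = {a.lower() for a in (
    "lex:CreateBotReplica", "lex:DescribeBotReplica", "lex:ListBotReplica",
    "lex:ListBotVersionReplicas", "lex:ListBotAliasReplicas",
    "lex:DeleteBotReplica",
)}

def as_list(value):
    """IAM accepts one value or a list for Statement, Action and Resource."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_replication_policy(policy, allow_delete=True):
    """Return (Sid, finding) pairs for Allow statements broader than needed."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        lex_actions = [a for a in actions if a == "*" or a.startswith("lex:")]
        for action in lex_actions:
            if action not in REPLICA_ACTIONS:
                findings.append((sid, f"action outside replica set: {action}"))
            elif action == "lex:deletebotreplica" and not allow_delete:
                findings.append((sid, f"delete permitted: {action}"))
        for res in (as_list(stmt.get("Resource")) if lex_actions else []):
            # Only the ID part after "bot/" or "bot-alias/" is inspected.
            if "*" in res.split("/", 1)[-1]:
                findings.append((sid, f"wildcard bot resource: {res}"))
        if "iam:createservicelinkedrole" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if not any(k.lower() == "iam:awsservicename" for k in cond):
                findings.append((sid, "service-linked role creation not scoped"))
    return findings

# Constructed sample: account, Region and bot IDs are placeholders.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Scoped", "Effect": "Allow",
     "Action": ["lex:CreateBotReplica", "lex:DescribeBotReplica"],
     "Resource": "arn:aws:lex:us-east-1:111122223333:bot/BOTID12345"},
    {"Sid": "Broad", "Effect": "Allow",
     "Action": ["lex:*", "lex:DeleteBotReplica"],
     "Resource": ["arn:aws:lex:*:*:bot/*"]},
    {"Sid": "SLR", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
     "Resource": "*"},
]}
```

Pass allow_delete=False to also report any statement that grants lex:DeleteBotReplica, which matches the create-and-view-only variant mentioned above.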