本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
AWS Amazon Lex V2 的托管策略
AWS 托管策略是由创建和管理的独立策略 AWS。 AWS 托管策略旨在为许多常见用例提供权限,以便您可以开始为用户、组和角色分配权限。
请记住, AWS 托管策略可能不会为您的特定用例授予最低权限权限,因为它们可供所有 AWS 客户使用。我们建议通过定义特定于您的使用场景的客户管理型策略来进一步减少权限。
您无法更改 AWS 托管策略中定义的权限。如果 AWS 更新 AWS 托管策略中定义的权限,则更新会影响该策略所关联的所有委托人身份(用户、组和角色)。 AWS 最有可能在启动新的 API 或现有服务可以使用新 AWS 服务 的 API 操作时更新 AWS 托管策略。
有关更多信息,请参阅《IAM 用户指南》中的 AWS 托管策略。
AWS 托管策略: AmazonLexReadOnly
您可以将 AmazonLexReadOnly 策略附加到 IAM 身份。
此策略授予只读权限,允许用户查看 Amazon Lex V2 和 Amazon Lex 模型构建服务中的所有操作。
权限详细信息
该策略包含以下权限:
-
lex:模型构建服务中对 Amazon Lex V2 和 Amazon Lex 资源的只读访问权限。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AmazonLexReadOnlyStatement1", "Effect": "Allow", "Action": [ "lex:GetBot", "lex:GetBotAlias", "lex:GetBotAliases", "lex:GetBots", "lex:GetBotChannelAssociation", "lex:GetBotChannelAssociations", "lex:GetBotVersions", "lex:GetBuiltinIntent", "lex:GetBuiltinIntents", "lex:GetBuiltinSlotTypes", "lex:GetIntent", "lex:GetIntents", "lex:GetIntentVersions", "lex:GetSlotType", "lex:GetSlotTypes", "lex:GetSlotTypeVersions", "lex:GetUtterancesView", "lex:DescribeBot", "lex:DescribeBotAlias", "lex:DescribeBotChannel", "lex:DescribeBotLocale", "lex:DescribeBotRecommendation", "lex:DescribeBotReplica", "lex:DescribeBotVersion", "lex:DescribeExport", "lex:DescribeImport", "lex:DescribeIntent", "lex:DescribeResourcePolicy", "lex:DescribeSlot", "lex:DescribeSlotType", "lex:ListBots", "lex:ListBotLocales", "lex:ListBotAliases", "lex:ListBotAliasReplicas", "lex:ListBotChannels", "lex:ListBotRecommendations", "lex:ListBotReplicas", "lex:ListBotVersions", "lex:ListBotVersionReplicas", "lex:ListBuiltInIntents", "lex:ListBuiltInSlotTypes", "lex:ListExports", "lex:ListImports", "lex:ListIntents", "lex:ListRecommendedIntents", "lex:ListSlots", "lex:ListSlotTypes", "lex:ListTagsForResource", "lex:SearchAssociatedTranscripts", "lex:ListCustomVocabularyItems" ], "Resource": "*" } ] }
AWS 托管策略: AmazonLexRunBotsOnly
您可以将 AmazonLexRunBotsOnly 策略附加到 IAM 身份。
该策略授予只读权限,允许运行 Amazon Lex V2 和 Amazon Lex 对话机器人。
权限详细信息
该策略包含以下权限:
-
lex:对 Amazon Lex V2 和 Amazon Lex 运行时中的所有操作的只读访问权限。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "lex:PostContent", "lex:PostText", "lex:PutSession", "lex:GetSession", "lex:DeleteSession", "lex:RecognizeText", "lex:RecognizeUtterance", "lex:StartConversation" ], "Resource": "*" } ] }
AWS 托管策略: AmazonLexFullAccess
您可以将 AmazonLexFullAccess 策略附加到 IAM 身份。
该政策授予管理权限,允许用户创建、读取、更新和删除 Amazon Lex V2 和 Amazon Lex 资源,以及运行 Amazon Lex V2 和 Amazon Lex 对话机器人。
权限详细信息
该策略包含以下权限:
-
lex:向主体授予对 Amazon Lex V2 和 Amazon Lex 模型构建和运行时服务中的所有操作的读写权限。 -
cloudwatch— 允许委托人查看 Amazon CloudWatch 指标和警报。 -
iam:允许主体创建和删除服务相关角色、传递角色以及为角色附加和分离策略。Amazon Lex 操作的权限仅限于“lex.amazonaws.com”,而 Amazon Lex V2 操作的权限仅限于 “lexv2.amazonaws.com”。 -
kendra:允许主体列出 Amazon Kendra 索引。 -
kms:允许主体描述 AWS KMS 密钥和别名。 -
lambda:允许主体列出 AWS Lambda 函数并管理附加到任何 Lambda 函数的权限。 -
polly:允许主体描述 Amazon Polly 的声音并合成话语。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AmazonLexFullAccessStatement1", "Effect": "Allow", "Action": [ "cloudwatch:GetMetricStatistics", "cloudwatch:DescribeAlarms", "cloudwatch:DescribeAlarmsForMetric", "kms:DescribeKey", "kms:ListAliases", "lambda:GetPolicy", "lambda:ListFunctions", "lambda:ListAliases", "lambda:ListVersionsByFunction" "lex:*", "polly:DescribeVoices", "polly:SynthesizeSpeech", "kendra:ListIndices", "iam:ListRoles", "s3:ListAllMyBuckets", "logs:DescribeLogGroups", "s3:GetBucketLocation" ], "Resource": [ "*" ] }, { "Sid": "AmazonLexFullAccessStatement2", "Effect": "Allow", "Action": [ "bedrock:ListFoundationModels" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "bedrock:InvokeModel" ], "Resource": "arn:aws:bedrock:*::foundation-model/*" }, { "Effect": "Allow", "Action": [ "lambda:AddPermission", "lambda:RemovePermission" ], "Resource": "arn:aws:lambda:*:*:function:AmazonLex*", "Condition": { "StringEquals": { "lambda:Principal": "lex.amazonaws.com" } } }, { "Sid": "AmazonLexFullAccessStatement3", "Effect": "Allow", "Action": [ "iam:GetRole", "iam:GetRolePolicy" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots", "arn:aws:iam::*:role/aws-service-role/channels.lex.amazonaws.com/AWSServiceRoleForLexChannels", "arn:aws:iam::*:role/aws-service-role/lexv2.amazonaws.com/AWSServiceRoleForLexV2Bots*", "arn:aws:iam::*:role/aws-service-role/channels.lexv2.amazonaws.com/AWSServiceRoleForLexV2Channels*", "arn:aws:iam::*:role/aws-service-role/replication.lexv2.amazonaws.com/AWSServiceRoleForLexV2Replication*" ] }, { "Sid": "AmazonLexFullAccessStatement4", "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots" ], "Condition": { "StringEquals": { "iam:AWSServiceName": "lex.amazonaws.com" } } }, { "Sid": "AmazonLexFullAccessStatement5", "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/channels.lex.amazonaws.com/AWSServiceRoleForLexChannels" ], "Condition": { "StringEquals": { "iam:AWSServiceName": "channels.lex.amazonaws.com" } } }, { "Sid": "AmazonLexFullAccessStatement6", "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/lexv2.amazonaws.com/AWSServiceRoleForLexV2Bots*" ], "Condition": { "StringEquals": { "iam:AWSServiceName": "lexv2.amazonaws.com" } } }, { "Sid": "AmazonLexFullAccessStatement7", "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/channels.lexv2.amazonaws.com/AWSServiceRoleForLexV2Channels*" ], "Condition": { "StringEquals": { "iam:AWSServiceName": "channels.lexv2.amazonaws.com" } } }, { "Sid": "AmazonLexFullAccessStatement8", "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/replication.lexv2.amazonaws.com/AWSServiceRoleForLexV2Replication*" ], "Condition": { "StringEquals": { "iam:AWSServiceName": "replication.lexv2.amazonaws.com" } } }, { "Sid": "AmazonLexFullAccessStatement9", "Effect": "Allow", "Action": [ "iam:DeleteServiceLinkedRole", "iam:GetServiceLinkedRoleDeletionStatus" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots", "arn:aws:iam::*:role/aws-service-role/channels.lex.amazonaws.com/AWSServiceRoleForLexChannels", "arn:aws:iam::*:role/aws-service-role/lexv2.amazonaws.com/AWSServiceRoleForLexV2Bots*", "arn:aws:iam::*:role/aws-service-role/channels.lexv2.amazonaws.com/AWSServiceRoleForLexV2Channels*", "arn:aws:iam::*:role/aws-service-role/replication.lexv2.amazonaws.com/AWSServiceRoleForLexV2Replication*" ] }, { "Sid": "AmazonLexFullAccessStatement10", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots" ], "Condition": { "StringEquals": { "iam:PassedToService": [ "lex.amazonaws.com" ] } } }, { "Sid": "AmazonLexFullAccessStatement11", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/lexv2.amazonaws.com/AWSServiceRoleForLexV2Bots*" ], "Condition": { "StringEquals": { "iam:PassedToService": [ "lexv2.amazonaws.com" ] } } }, { "Sid": "AmazonLexFullAccessStatement12", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/channels.lexv2.amazonaws.com/AWSServiceRoleForLexV2Channels*" ], "Condition": { "StringEquals": { "iam:PassedToService": [ "channels.lexv2.amazonaws.com" ] } } }, { "Sid": "AmazonLexFullAccessStatement13", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/replication.lexv2.amazonaws.com/AWSServiceRoleForLexV2Replication*" ], "Condition": { "StringEquals": { "iam:PassedToService": [ "lexv2.amazonaws.com" ] } } } ] }
AWS 托管策略: AmazonLexReplicationPolicy
您不能将 AmazonLexReplicationPolicy 附加到自己的 IAM 实体。此附加到服务相关角色的策略允许 Amazon Lex V2 代表您执行操作。有关更多信息,请参阅 对 Amazon Lex V2 使用服务相关角色。
此策略授予管理权限,允许 Amazon Lex V2 代表您跨区域复制 AWS 资源。您可以附加此策略以允许角色轻松复制资源,包括机器人、区域设置、版本、别名、意图、槽位类型、槽位和自定义词汇表。
权限详细信息
该策略包含以下权限。
-
lex:允许主体复制其他区域中的资源。 -
iam:允许主体传递 IAM 角色。这是必需的,这样 Amazon Lex V2 才有权在其他区域复制资源。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ReplicationPolicyStatement1", "Effect": "Allow", "Action": [ "lex:BuildBotLocale", "lex:ListBotLocales", "lex:CreateBotAlias", "lex:UpdateBotAlias", "lex:DeleteBotAlias", "lex:DescribeBotAlias", "lex:CreateBotVersion", "lex:DeleteBotVersion", "lex:DescribeBotVersion", "lex:CreateExport", "lex:DescribeBot", "lex:UpdateExport", "lex:DescribeExport", "lex:DescribeBotLocale", "lex:DescribeIntent", "lex:ListIntents", "lex:DescribeSlotType", "lex:ListSlotTypes", "lex:DescribeSlot", "lex:ListSlots", "lex:DescribeCustomVocabulary", "lex:StartImport", "lex:DescribeImport", "lex:CreateBot", "lex:UpdateBot", "lex:DeleteBot", "lex:CreateBotLocale", "lex:UpdateBotLocale", "lex:DeleteBotLocale", "lex:CreateIntent", "lex:UpdateIntent", "lex:DeleteIntent", "lex:CreateSlotType", "lex:UpdateSlotType", "lex:DeleteSlotType", "lex:CreateSlot", "lex:UpdateSlot", "lex:DeleteSlot", "lex:CreateCustomVocabulary", "lex:UpdateCustomVocabulary", "lex:DeleteCustomVocabulary", "lex:DeleteBotChannel", "lex:DeleteResourcePolicy" ], "Resource": [ "arn:aws:lex:*:*:bot/*", "arn:aws:lex:*:*:bot-alias/*" ] }, { "Sid": "ReplicationPolicyStatement2", "Effect": "Allow", "Action": [ "lex:CreateUploadUrl", "lex:ListBots" ], "Resource": "*" }, { "Sid": "ReplicationPolicyStatement3", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "lexv2.amazonaws.com" } } } ] }
AWS 托管策略: AmazonLexV2 BedrockAgentPolicy
Amazon Bedrock 代理策略
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Sid": "BedrockAgentInvokePolicy", "Action": [ "bedrock:InvokeAgent" ], "Resource": [ "arn:aws:bedrock:{region}:{accountId}:agent/[agentId]" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "{accountId}" } } } ] }
响应
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Sid": "LexV2TrustPolicy", "Principal": { "Service": "lexv2.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "{accountId}" } } } ] }
AWS 托管策略: AmazonLexV2 BedrockKnowledgeBasePolicy
Amazon Bedrock 知识库策略
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Sid": "BedrockKnowledgeBaseReadWritePolicy", "Action": [ "bedrock:RetrieveAndGenerate", "bedrock:Retrieve" ], "Resource": [ "arn:aws:bedrock:{region}:{accountId}:knowledge-base/[knowledgeBaseId]" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "{accountId}" } } } ] }
响应
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Sid": "LexV2TrustPolicy", "Principal": { "Service": "lexv2.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "{accountId}" } } } ] }
AWS 托管策略: AmazonLexV2 BedrockAgentPolicyInternal
Amazon Bedrock 代理内部策略
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Sid": "BedrockAgentInvokePolicy", "Action": [ "bedrock:InvokeAgent" ], "Resource": [ "arn:aws:bedrock:{region}:{accountId}:agent/[agentId]" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "{accountId}" } } } ] }
响应
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Sid": "LexV2InternalTrustPolicy", "Principal": { "Service": "lexv2.aws.internal" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "{accountId}" } } } ] }
AWS 托管策略: AmazonLexV2 BedrockKnowledgeBasePolicyInternal
Amazon Bedrock 知识库内部政策
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Sid": "BedrockKnowledgeBaseReadWritePolicy", "Action": [ "bedrock:RetrieveAndGenerate", "bedrock:Retrieve" ], "Resource": [ "arn:aws:bedrock:{region}:{accountId}:knowledge-base/[knowledgeBaseId]" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "{accountId}" } } } ] }
响应
{ "Version": "2012-10-17", "Statement": [ { "Sid": "LexV2InternalTrustPolicy", "Effect": "Allow", "Principal": { "Service": "lexv2.aws.internal" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "{accountId}" } } } ] }
Amazon Lex V2 更新了托 AWS 管策略
查看自该服务开始跟踪这些更改以来对 Amazon Lex V2 AWS 托管政策的更新的详细信息。要获得有关此页面更改的自动提示,请订阅 Amazon Lex V2 Amazon Lex V2 文档历史记录 页面上的 RSS 源。
| 更改 | 描述 | 日期 |
|---|---|---|
|
Amazon Lex V2 添加了一项新策略,允许复制 Amazon Bedrock 知识库资源。 |
2024 年 8 月 30 日 | |
|
Amazon Lex V2 添加了一项新策略,允许复制 Amazon Bedrock 代理资源。 |
2024 年 8 月 30 日 | |
|
Amazon Lex V2 添加了一项新策略,允许复制 Amazon Bedrock 知识库资源。 |
2024 年 8 月 30 日 | |
|
Amazon Lex V2 添加了一项新策略,允许复制 Amazon Bedrock 代理资源。 |
2024 年 8 月 30 日 | |
|
AmazonLexReadOnly – 对现有策略的更新 |
Amazon Lex V2 添加了新权限,允许对机器人资源的副本进行只读访问。 |
2024 年 5 月 10 日 |
|
AmazonLexFullAccess – 对现有策略的更新 |
Amazon Lex V2 添加了新权限,允许将机器人资源复制到其他区域。 |
2024 年 4 月 16 日 |
|
AmazonLexFullAccess – 对现有策略的更新 |
Amazon Lex V2 添加了新权限,允许将机器人资源复制到其他区域。 |
2024 年 1 月 31 日 |
|
Amazon Lex V2 添加了一项新策略,允许将机器人资源复制到其他区域。 |
2024 年 1 月 31 日 | |
|
AmazonLexReadOnly – 对现有策略的更新 |
Amazon Lex V2 添加了新权限,允许对自定义词汇项目列表进行只读访问。 |
2022 年 11 月 29 日 |
|
AmazonLexFullAccess – 对现有策略的更新 |
Amazon Lex V2 添加了新的权限,允许对 Amazon Lex V2 模型构建服务操作进行只读访问。 |
2021 年 8 月 18 日 |
AmazonLexReadOnly – 对现有策略的更新 |
Amazon Lex V2 添加了新的权限,允许对 Amazon Lex V2 自动聊天机器人设计器操作进行只读访问。 |
2021 年 12 月 1 日 |
|
AmazonLexFullAccess – 对现有策略的更新 |
Amazon Lex V2 添加了新的权限,允许对 Amazon Lex V2 模型构建服务操作进行只读访问。 |
2021 年 8 月 18 日 |
|
AmazonLexReadOnly – 对现有策略的更新 |
Amazon Lex V2 添加了新的权限,允许对 Amazon Lex V2 模型构建服务操作进行只读访问。 |
2021 年 8 月 18 日 |
|
AmazonLexRunBotsOnly – 对现有策略的更新 |
Amazon Lex V2 添加了新的权限,允许对 Amazon Lex V2 运行时服务操作进行只读访问。 |
2021 年 8 月 18 日 |
|
Amazon Lex V2 开始跟踪更改 |
Amazon Lex V2 开始跟踪对其 AWS 托管式策略的更改。 |
2021 年 8 月 18 日 |
