Amazon Lex
Developer Guide

Service Permissions

Amazon Lex uses AWS Identity and Access Management (IAM) service-linked roles. Amazon Lex assumes these roles to call AWS services on behalf of your bots and bot channels. The roles exist within your account, but are linked to Amazon Lex use cases and have predefined permissions. Only Amazon Lex can assume these roles, and you can't modify their permissions. You can delete them after deleting their related resources using the Amazon Lex console. This protects your Amazon Lex resources because you can't inadvertently remove necessary permissions.

Amazon Lex uses two IAM service-linked roles:

  • AWSServiceRoleForLexBots — Amazon Lex uses this service-linked role to invoke Amazon Polly to synthesize speech responses for your bot.

  • AWSServiceRoleForLexChannels — Amazon Lex uses this service-linked role to post text to your bot when managing channels.

You don't need to manually create either of these roles. When you create your first bot using the console, Amazon Lex creates the AWSServiceRoleForLexBots role for you. When you first associate a bot with a messaging channel, Amazon Lex creates the AWSServiceRoleForLexChannels role for you.

Creating Resource-Based Policies for AWS Lambda

When invoking Lambda functions, Amazon Lex uses resource-based policies. A resource-based policy is attached to a resource; it lets you specify who has access to the resource and which actions they can perform on it. This enables you to narrowly scope permissions between Lambda functions and the intents that you have created. It also allows you to see those permissions in a single policy when you manage Lambda functions that have many event sources.

For more information, see Using Resource-Based Polices forAWS Lambda (Lambda Function Policies) in the AWS Lambda Developer Guide.

To create resource-based policies for intents that you associate with a Lambda function, you can use the Amazon Lex console. Or, you can use the AWS command line interface (AWS CLI). In the AWS CLI, use the Lambda AddPermisssion API with the Principal field set to and the SourceArn set to the ARN of the intent that is allowed to invoke the function.

Deleting Service-Linked Roles

To delete the service-linked roles from your account, use the Role Management tool. Before you can delete a role, you must delete all of the bots or bot channel associations that use the service-linked role.

  1. Sign in to the AWS Management Console and open the Amazon Lex console at

  2. On the page that lists bots, choose the Role Management tool from the toolbar in the upper-right corner.

  3. In the dialog box, choose the service-linked role that you want to delete, and then choose Delete.