Amazon Lex
Developer Guide

Service Permissions

Amazon Lex uses AWS Identity and Access Management (IAM) service-linked roles. Amazon Lex assumes these roles to call AWS services on behalf of your bots and bot channels. The roles exist within your account, but are linked to Amazon Lex use cases and have predefined permissions. Only Amazon Lex can assume these roles, and you can't modify their permissions. You can use IAM to delete them, but only after you delete their related resources. This protects your Amazon Lex resources because you can't inadvertently remove necessary permissions.

Amazon Lex uses two IAM service-linked roles:

  • AWSServiceRoleForLexBots—Amazon Lex uses this service-linked role to invoke Amazon Polly to synthesize speech responses for your bot.

  • AWSServiceRoleForLexChannels—Amazon Lex uses this service-linked role to post text to your bot when managing channels.

You don't need to manually create either of these roles. When you create your first bot using the console, Amazon Lex creates the AWSServiceRoleForLexBots role for you. When you first associate a bot with a messaging channel, Amazon Lex creates the AWSServiceRoleForLexChannels role for you.

Creating Resource-Based Policies for AWS Lambda

When invoking Lambda functions, Amazon Lex uses resource-based policies. A resource-based policy is attached to a resource; it lets you specify who has access to the resource and which actions they can perform on it. This enables you to narrowly scope permissions between Lambda functions and the intents that you have created. It also allows you to see those permissions in a single policy when you manage Lambda functions that have many event sources.

For more information, see Using Resource-Based Policies for AWS Lambda (Lambda Function Policies) in the AWS Lambda Developer Guide.

To create resource-based policies for intents that you associate with a Lambda function, you can use the Amazon Lex console or the AWS Command Line Interface (AWS CLI). In the AWS CLI, use the Lambda AddPermission API with the Principal field set to and the SourceArn set to the ARN of the intent that is allowed to invoke the function.
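The following added example (not from the Amazon Lex guide) audits a Lambda function policy for grants to Amazon Lex that are not scoped to a single intent through SourceArn, which is the narrow scoping this section describes. It assumes the Amazon Lex service principal is lex.amazonaws.com and that intent ARNs have the form arn:aws:lex:region:account-id:intent:name:version; the account ID, function name, and policy statements are constructed sample data.

```python
import json

LEX_PRINCIPAL = "lex.amazonaws.com"  # assumption: Lex service principal (not shown on the page)
ARN_OPERATORS = ("ArnLike", "ArnEquals", "StringLike", "StringEquals")
FN = "arn:aws:lambda:us-east-1:111122223333:function:OrderFlowersHook"  # constructed

def _stmt(sid, source_arn=None):
    """Build a constructed statement in the shape Lambda stores for AddPermission."""
    st = {"Sid": sid, "Effect": "Allow", "Principal": {"Service": LEX_PRINCIPAL},
          "Action": "lambda:InvokeFunction", "Resource": FN}
    if source_arn:
        st["Condition"] = {"ArnLike": {"AWS:SourceArn": source_arn}}
    return st

# Constructed sample policy: one scoped grant, one with no condition, one wildcarded.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    _stmt("lex-order-flowers", "arn:aws:lex:us-east-1:111122223333:intent:OrderFlowers:*"),
    _stmt("lex-unscoped"),
    _stmt("lex-any-intent", "arn:aws:lex:*:*:intent:*"),
]})

def as_list(value):
    return value if isinstance(value, list) else [value]

def source_arns(statement):
    """Return all aws:SourceArn values; condition key names are case-insensitive."""
    return [arn for op, keys in statement.get("Condition", {}).items() if op in ARN_OPERATORS
            for key, value in keys.items() if key.lower() == "aws:sourcearn"
            for arn in as_list(value)]

def pinned_to_intent(arn, account_id):
    """True when the ARN names one intent in account_id (any version is allowed)."""
    p = arn.split(":")  # assumed layout: arn:aws:lex:region:account:intent:name:version
    return (len(p) >= 7 and p[2] == "lex" and p[4] == account_id
            and p[5] == "intent" and not set("*?") & set(p[6]))

def audit_lex_grants(policy_json, account_id):
    """Return (Sid, problem) pairs for Lex grants that are not scoped to a single intent."""
    findings = []
    for st in as_list(json.loads(policy_json).get("Statement", [])):
        principal = st.get("Principal")
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or LEX_PRINCIPAL not in services:
            continue
        arns = source_arns(st)
        if not arns:
            findings.append((st.get("Sid"), "no SourceArn condition"))
        findings += [(st.get("Sid"), "SourceArn not pinned to one intent: " + a)
                     for a in arns if not pinned_to_intent(a, account_id)]
    return findings
```

To check a real function, pass the policy document returned by the Lambda GetPolicy API as `policy_json`, along with your own account ID.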

Deleting Service-Linked Roles

You can use the IAM console, the IAM CLI, or the IAM API to delete the AWSServiceRoleForLexBots and AWSServiceRoleForLexChannels service-linked roles. For more information, see Deleting a Service-Linked Role in the IAM User Guide.