How Amazon Lex Works with IAM

Before you use AWS Identity and Access Management (IAM) to manage access to Amazon Lex, you should understand which IAM features are available to use with Amazon Lex. For a high-level view of how Amazon Lex and other AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide.

Amazon Lex Identity-Based Policies

To specify allowed or denied actions and resources and the conditions under which actions are allowed or denied, use IAM identity-based policies,. Amazon Lex supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see IAM JSON Policy Elements Reference in the IAM User Guide.

Actions

The Action element of an IAM identity-based policy describes the specific action or actions that will be allowed or denied by the policy. Policy actions usually have the same name as the associated AWS API operation. The action is used in a policy to grant permissions to perform the associated operation.

In Amazon Lex, policy actions use the following prefix before the action: lex:. For example, to grant someone permission to call an Amazon Lex bot with the PostContent operation, you include the lex:PostContent action in their policy. Policy statements must include either an Action or NotAction element. Amazon Lex defines actions that describe the tasks that you can perform with this service. To see a list of Amazon Lex actions, see Actions Defined by Amazon Lex in the IAM User Guide.

To specify multiple actions in a single statement, separate them with commas as follows.

"Action": [
      "lex:action1",
      "lex:action2"

You can specify multiple actions using wildcards (*). For example, to specify all actions that begin with the word Put, include the following action.

"Action": "lex:Put*"

Resources

The Resource element specifies the object or objects to which the action applies. Statements must include either a Resource or a NotResource element. You specify a resource using an ARN or, to indicate that the statement applies to all resources, the wildcard (*).

An Amazon Lex bot resource ARN has the following format.

arn:aws:lex:${Region}:${Account}:bot:${Bot-Name}

For more information about the format of ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces.

For example, to specify the OrderFlowers bot in your statement, use the following ARN.

"Resource": "arn:aws:lex:us-east-2:123456789012:bot:OrderFlowers"

To specify all bots that belong to a specific account, use the wildcard (*).

"Resource": "arn:aws:lex:us-east-2:123456789012:bot:*"

Some Amazon Lex actions, such as those for creating resources, can't be performed on a specific resource. In those cases, you must use the wildcard, (*).

"Resource": "*"

For a list of Amazon Lex resource types and their ARNs, see Resources Defined by Amazon Lex in the IAM User Guide. To learn with which actions you can specify the ARN of each resource, see Actions Defined by Amazon Lex.

Condition Keys

Use the Condition element (or a Condition block) to specify conditions in which a statement is in effect. The Condition element is optional. You can build conditional expressions that use condition operators, such as equals or less than, to match the condition in the policy with values in the request.

If you specify multiple Condition elements in a statement, or multiple keys in a single Condition element, AWS evaluates them using a logical AND operation. If you specify multiple values for a single condition key, AWS evaluates the condition using a logical OR operation. All of the conditions must be met before the statement's permissions are granted.

You can also use placeholder variables when you specify conditions. For example, you can grant an IAM user permission to access a resource only if it is tagged with their IAM user name. For more information, see IAM Policy Elements: Variables and Tags in the IAM User Guide.

Amazon Lex defines its own set of condition keys and also supports using some global condition keys. For a list of all AWS global condition keys, see AWS Global Condition Context Keys in the IAM User Guide.

The following table lists the Amazon Lex condition keys that apply to Amazon Lex resources. You can include these keys in Condition elements in an IAM permissions policy.

Amazon Lex Condition Key	Description	Value Type	Permission
lex:associatedIntents	Scopes the set of intents that can be used when creating or modifying the definition of a bot.	Array of strings	lex:PutBot
lex:associatedSlotTypes	Scopes the set of slot types that can be used when creating or modifying the definition of a slot type.	Array of strings	lex:PutIntent
lex:ChannelType	Scopes the type of bot channel association that a user can create, get, or delete.	String	lex:CreateBotChannelAssociation lex:DeleteBotChannelAssociation lex:GetBotChannelAssociation

Examples

For examples of Amazon Lex identity-based policies, see Amazon Lex Identity-Based Policy Examples.

Amazon Lex Resource-Based Policies

Resource-based policies are JSON policy documents that specify what actions a specified principal can perform on the Amazon Lex resource and under what conditions. Amazon Lex does not support resource-based policies.

Authorization Based on Amazon Lex Tags

You can associate tags with certain types of Amazon Lex resources for authorization. To control access based on tags, provide tag information in the condition element of a policy by using the lex:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, or aws:TagKeys condition keys.

For information about tagging Amazon Lex resources, see Tagging Your Amazon Lex Resources. For an example identity-based policy that limits access to a resource based on the resource tags, see Example: Use a Tag to Access a Resource. For more information about using tags to limit access to resources, see Controlling Access Using Tags in the IAM User Guide.

The following table lists the actions and corresponding resource types for tag-based access control. Each action is authorized based on the tags associated with the corresponding resource type.

Action	Resource type	Condition keys	Notes
CreateBotVersion	bot	lex:ResourceTag
DeleteBot	bot	lex:ResourceTag
DeleteBotAlias	alias	lex:ResourceTag
DeleteBotChannelAssociation	channel	lex:ResourceTag
DeleteBotVersion	bot	lex:ResourceTag
DeleteSession	bot or alias	lex:ResourceTag	Uses tags associated with the bot when alias is set to $LATEST. Uses tags associated with the specified alias when used with other aliases.
DeleteUtterances	bot	lex:ResourceTag
GetBot	bot or alias	lex:ResourceTag	Uses tags associated with the bot when versionOrAlias is set to $LATEST or numeric version. Uses tags associated with the specified alias when used with aliases
GetBotAlias	alias	lex:ResourceTag
GetBotChannelAssociation	chanel	lex:ResourceTag
GetBotChannelAssociations	chanel	lex:ResourceTag	Uses tags associated with the bot when alias is set to "-". Uses tags associated with the specified alias when a bot alias is specified
GetBotVersions	bot	lex:ResourceTag
GetExport	bot	lex:ResourceTag
GetSession	bot or alias	lex:ResourceTag	Uses tags associated with the bot when alias is set to $LATEST. Uses tags associated with the specified alias when used with other aliases.
GetUtterancesView	bot	lex:ResourceTag
ListTagsForResource	bot, alias, or channel	lex:ResourceTag
PostContent	bot or alias	lex:ResourceTag	Uses tags associated with the bot when alias is set to $LATEST. Uses tags associated with the specified alias when used with other aliases.
PostText	bot or alias	lex:ResourceTag	Uses tags associated with the bot when alias is set to $LATEST. Uses tags associated with the specified alias when used with other aliases.
PutBot	bot	lex:ResourceTag, aws:RequestTag, aws:TagKeys
PutBotAlias	alias	lex:ResourceTag, aws:RequestTag, aws:TagKeys
PutSession	bot or alias	lex:ResourceTag	Uses tags associated with the bot when alias is set to $LATEST. Uses tags associated with the specified alias when used with other aliases.
StartImport	bot	lex:ResourceTag	Relies on access policy for the PutBot operation. Tags and permissions specific to the StartImport operation are ignored.
TagResource	bot, alias, or channel	lex:ResourceTag, aws:RequestTag, aws:TagKeys
UntagResource	bot, alias, or channel	lex:ResourceTag, aws:RequestTag, aws:TagKeys

Amazon Lex IAM Roles

An IAM role is an entity within your AWS account that has specific permissions.

Using Temporary Credentials with Amazon Lex

You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as AssumeRole or GetFederationToken.

Amazon Lex supports using temporary credentials.

Service-Linked Roles

Service-linked roles allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view, but not edit, the permissions for service-linked roles.

Amazon Lex supports service-linked roles. For details about creating or managing Amazon Lex service-linked roles, see Step 1: Create a Service-Linked Role (AWS CLI).

Service Roles

A service can assume a service role on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might prevent the service from functioning as expected.

Amazon Lex supports service roles.

Choosing an IAM Role in Amazon Lex

Amazon Lex uses service-linked roles to call Amazon Comprehend and Amazon Polly. It uses resource-level permissions on your AWS Lambda functions to invoke them.

You must provide an IAM role to enable conversation tagging. For more information, see Creating an IAM Role and Policies for Conversation Logs.