Amazon Polly Identity-Based Policy Examples - Amazon Polly

Amazon Polly Identity-Based Policy Examples

By default, IAM users and roles don't have permission to create or modify Amazon Polly resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions.

To learn how to create an IAM identity-based policy using these example JSON policy documents, see Creating Policies on the JSON Tab in the IAM User Guide.

Policy Best Practices

Identity-based policies are very powerful. They determine whether someone can create, access, or delete Amazon Polly resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:

  • Get started using AWS managed policies – To start using Amazon Polly quickly, use AWS managed policies to give your employees the permissions they need. These policies are already available in your account and are maintained and updated by AWS. For more information, see Get started using permissions with AWS managed policies in the IAM User Guide.

  • Grant least privilege – When you create custom policies, grant only the permissions required to perform a task. Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later. For more information, see Grant least privilege in the IAM User Guide.

  • Enable MFA for sensitive operations – For extra security, require IAM users to use multi-factor authentication (MFA) to access sensitive resources or API operations. For more information, see Using multi-factor authentication (MFA) in AWS in the IAM User Guide.

  • Use policy conditions for extra security – To the extent that it's practical, define the conditions under which your identity-based policies allow access to a resource. For example, you can write conditions to specify a range of allowable IP addresses that a request must come from. You can also write conditions to allow requests only within a specified date or time range, or to require the use of SSL or MFA. For more information, see IAM JSON policy elements: Condition in the IAM User Guide.

Using the Amazon Polly Console

For a user to work with the Amazon Polly console, that user must have a minimum set of permissions to describe the Amazon Polly resources in their AWS account.

If you create an IAM policy that is more restrictive than the minimum required permissions, the console doesn't function as intended for users with that IAM policy.

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the Amazon Polly API.

To use the Amazon Polly console, grant permissions to all the Amazon Polly APIs. There are no additional permissions needed. To get full console functionality you can use following policy:.

} "Version": "2012-10-17", "Statement": [{ "Sid": "Console-AllowAllPollyActions", "Effect": "Allow", "Action": [ "polly:*"], "Resource": "*" } ] }

Allow Users to View Their Own Permissions

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ViewOwnUserInfo", "Effect": "Allow", "Action": [ "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:GetUser" ], "Resource": ["arn:aws:iam::*:user/${aws:username}"] }, { "Sid": "NavigateInConsole", "Effect": "Allow", "Action": [ "iam:GetGroupPolicy", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedGroupPolicies", "iam:ListGroupPolicies", "iam:ListPolicyVersions", "iam:ListPolicies", "iam:ListUsers" ], "Resource": "*" } ] }

AWS Managed (Predefined) Policies for Amazon Polly

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide.

The following AWS managed policies, which you can attach to users in your account, are specific to Amazon Polly:

  • AmazonPollyReadOnlyAccess – Grants read-only access to resources, allows listing lexicons, fetching lexicons, listing available voices and synthesizing speech (including, applying lexicons to the synthesized speech).

  • AmazonPollyFullAccess – Grants full access to resources and all the supported operations.

Note

You can review these permissions policies by signing in to the IAM console and searching for specific policies there.

You can also create your own custom IAM policies to allow permissions for Amazon Polly actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions.

Customer Managed Policy Examples

In this section, you can find example user policies that grant permissions for various Amazon Polly actions. These policies work when you are using AWS SDKs or the AWS CLI. When you are using the console, grant permissions to all the Amazon Polly APIs.

Note

All examples use the us-east-2 Region and contain fictitious account IDs.

Example 1: Allow All Amazon Polly Actions

After you sign up (see Step 1.1: Sign up for AWS) create an administrator user to manage your account, including creating users and managing their permissions.

You might create a user who has permissions for all Amazon Polly actions. Think of this user as a service-specific administrator for working with Amazon Polly. You can attach the following permissions policy to this user.

{ "Version": "2012-10-17", "Statement": [{ "Sid": "AllowAllPollyActions", "Effect": "Allow", "Action": [ "polly:*"], "Resource": "*" } ] }

Example 2: Allow All Amazon Polly Actions Except DeleteLexicon

The following permissions policy grants the user permissions to perform all actions except DeleteLexicon, with the permissions for delete explicitly denied in all Regions.

{ "Version": "2012-10-17", "Statement": [{ "Sid": "AllowAllActions-DenyDelete", "Effect": "Allow", "Action": [ "polly:DescribeVoices", "polly:GetLexicon", "polly:PutLexicon", "polly:SynthesizeSpeech", "polly:ListLexicons"], "Resource": "*" } { "Sid": "DenyDeleteLexicon", "Effect": "Deny", "Action": [ "polly:DeleteLexicon"], "Resource": "*" } ] }

Example 3: Allow DeleteLexicon

The following permissions policy grants the user permissions to delete any lexicon that you own regardless of the project or Region in which it is located.

{ "Version": "2012-10-17", "Statement": [{ "Sid": "AllowDeleteLexicon", "Effect": "Allow", "Action": [ "polly:DeleteLexicon"], "Resource": "*" } ] }

Example 4: Allow Delete Lexicon in a Specified Region

The following permissions policy grants the user permissions to delete any lexicon in any project that you own that is located in a single Region (in this case, us-east-2).

{ "Version": "2012-10-17", "Statement": [{ "Sid": "AllowDeleteSpecifiedRegion", "Effect": "Allow", "Action": [ "polly:DeleteLexicon"], "Resource": "arn:aws:polly:us-east-2:123456789012:lexicon/*" } ] }

Example 5: Allow DeleteLexicon for Specified Lexicon

The following permissions policy grants the user permissions to delete a specific lexicon that you own (in this case, myLexicon) in a specific Region (in this case, us-east-2).

{ "Version": "2012-10-17", "Statement": [{ "Sid": "AllowDeleteForSpecifiedLexicon", "Effect": "Allow", "Action": [ "polly:DeleteLexicon"], "Resource": "arn:aws:polly:us-east-2:123456789012:lexicon/myLexicon" } ] }