适用于 Amazon Lex 的 AWS 托管式策略 - Amazon Lex V1
AmazonLexReadOnlyAmazonLexRunBotsOnlyAmazonLexFullAccess策略更新

如果您使用的是 Amazon Lex V2,请改为参阅 Amazon Lex V2 指南

 

如果您使用的是 Amazon Lex V1,我们建议您将机器人升级到 Amazon Lex V2。我们不再向 V1 添加新功能,强烈建议使用 V2 以获得全新的机器人。

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

适用于 Amazon Lex 的 AWS 托管式策略

AWS 托管式策略是由 AWS 创建和管理的独立策略。AWS 托管式策略旨在为许多常见用例提供权限,以便您可以开始为用户、组和角色分配权限。

请记住,AWS 托管式策略可能不会为您的特定使用场景授予最低权限,因为它们可供所有 AWS 客户使用。我们建议通过定义特定于您的使用场景的客户管理型策略来进一步减少权限。

您无法更改 AWS 托管策略中定义的权限。如果 AWS 更新在 AWS 托管式策略中定义的权限,则更新会影响该策略所附加到的所有主体身份(用户、组和角色)。当新的 AWS 服务启动或新的 API 操作可用于现有服务时,AWS 最有可能更新 AWS 托管式策略。

有关更多信息,请参阅《IAM 用户指南》中的 AWS 托管式策略

AWS 托管式策略:AmazonLexReadOnly

您可以将 AmazonLexReadOnly 策略附加得到 IAM 身份。

此策略授予只读权限,允许用户查看 Amazon Lex 和 Amazon Lex V2 模型构建服务中的所有操作。

权限详细信息

此策略包含以下权限:

  • lex — 模型构建服务中对 Amazon Lex 和 Amazon Lex V2 资源的只读访问权限。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lex:GetBot",
                "lex:GetBotAlias",
                "lex:GetBotAliases",
                "lex:GetBots",
                "lex:GetBotChannelAssociation",
                "lex:GetBotChannelAssociations",
                "lex:GetBotVersions",
                "lex:GetBuiltinIntent",
                "lex:GetBuiltinIntents",
                "lex:GetBuiltinSlotTypes",
                "lex:GetIntent",
                "lex:GetIntents",
                "lex:GetIntentVersions",
                "lex:GetSlotType",
                "lex:GetSlotTypes",
                "lex:GetSlotTypeVersions",
                "lex:GetUtterancesView",
                "lex:DescribeBot",
                "lex:DescribeBotAlias",
                "lex:DescribeBotChannel",
                "lex:DescribeBotLocale",
                "lex:DescribeBotVersion",
                "lex:DescribeExport",
                "lex:DescribeImport",
                "lex:DescribeIntent",
                "lex:DescribeResourcePolicy",
                "lex:DescribeSlot",
                "lex:DescribeSlotType",
                "lex:ListBots",
                "lex:ListBotLocales",
                "lex:ListBotAliases",
                "lex:ListBotChannels",
                "lex:ListBotVersions",
                "lex:ListBuiltInIntents",
                "lex:ListBuiltInSlotTypes",
                "lex:ListExports",
                "lex:ListImports",
                "lex:ListIntents",
                "lex:ListSlots",
                "lex:ListSlotTypes",
                "lex:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}

AWS 托管式策略:AmazonLexRunBotsOnly

您可以将 AmazonLexRunBotsOnly 策略附加得到 IAM 身份。

该策略授予只读权限,允许运行 Amazon Lex 和 Amazon Lex V2 对话机器人。

权限详细信息

此策略包含以下权限:

  • lex — 对 Amazon Lex 和 Amazon Lex V2 运行时中的所有操作的只读访问权限。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lex:PostContent",
                "lex:PostText",
                "lex:PutSession",
                "lex:GetSession",
                "lex:DeleteSession",
                "lex:RecognizeText",
                "lex:RecognizeUtterance",
                "lex:StartConversation"
            ],
            "Resource": "*"
        }
    ]
}

AWS 托管式策略:AmazonLexFullAccess

您可以将 AmazonLexFullAccess 策略附加得到 IAM 身份。

该政策授予管理权限,允许用户创建、读取、更新和删除 Amazon Lex 和 Amazon Lex V2 资源,以及运行 Amazon Lex 和 Amazon Lex V2 对话机器人。

权限详细信息

此策略包含以下权限:

  • lex — 向主体授予对 Amazon Lex 和 Amazon Lex V2 模型构建和运行时服务中的所有操作的读写权限。

  • cloudwatch — 允许主体查看 Amazon CloudWatch 指标和警报。

  • iam — 允许主体创建和删除服务相关角色、传递角色以及为角色附加和分离策略。Amazon Lex 操作的权限仅限于“lex.amazonaws.com”,而 Amazon Lex V2 操作的权限仅限于 “lexv2.amazonaws.com”。

  • kendra — 允许主体列出 Amazon Kendra 索引。

  • kms — 允许主体描述 AWS KMS 密钥和别名。

  • lambda — 允许主体列出 AWS Lambda 函数并管理附加到任何 Lambda 函数的权限。

  • polly — 允许主体描述 Amazon Polly 的声音并合成言语。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "kms:DescribeKey",
                "kms:ListAliases",
                "lambda:GetPolicy",
                "lambda:ListFunctions",
                "lex:*",
                "polly:DescribeVoices",
                "polly:SynthesizeSpeech",
                "kendra:ListIndices",
                "iam:ListRoles",
                "s3:ListAllMyBuckets",
                "logs:DescribeLogGroups",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:AddPermission",
                "lambda:RemovePermission"
            ],
            "Resource": "arn:aws:lambda:*:*:function:AmazonLex*",
            "Condition": {
                "StringEquals": {
                    "lambda:Principal": "lex.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots",
                "arn:aws:iam::*:role/aws-service-role/channels.lex.amazonaws.com/AWSServiceRoleForLexChannels",
                "arn:aws:iam::*:role/aws-service-role/lexv2.amazonaws.com/AWSServiceRoleForLexV2Bots*",
                "arn:aws:iam::*:role/aws-service-role/channels.lexv2.amazonaws.com/AWSServiceRoleForLexV2Channels*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "lex.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/channels.lex.amazonaws.com/AWSServiceRoleForLexChannels"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "channels.lex.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/lexv2.amazonaws.com/AWSServiceRoleForLexV2Bots*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "lexv2.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/channels.lexv2.amazonaws.com/AWSServiceRoleForLexV2Channels*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "channels.lexv2.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:DeleteServiceLinkedRole",
                "iam:GetServiceLinkedRoleDeletionStatus"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots",
                "arn:aws:iam::*:role/aws-service-role/channels.lex.amazonaws.com/AWSServiceRoleForLexChannels",
                "arn:aws:iam::*:role/aws-service-role/lexv2.amazonaws.com/AWSServiceRoleForLexV2Bots*",
                "arn:aws:iam::*:role/aws-service-role/channels.lexv2.amazonaws.com/AWSServiceRoleForLexV2Channels*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/lex.amazonaws.com/AWSServiceRoleForLexBots"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "lex.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/lexv2.amazonaws.com/AWSServiceRoleForLexV2Bots*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "lexv2.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/channels.lexv2.amazonaws.com/AWSServiceRoleForLexV2Channels*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "channels.lexv2.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

AWS 托管式策略的 Amazon Lex 更新

查看有关 Amazon Lex 的 AWS 托管式策略的更新的详细信息(此服务开始跟踪这些更改)。要获得有关此页面更改的自动提示,请订阅 Amazon Lex Amazon Lex 的文档历史记录 页面上的 RSS 源。

更改 说明 日期

AmazonLexFullAccess — 对现有策略的更新

Amazon Lex 添加了新的权限,允许对 Amazon Lex V2 模型构建服务操作进行只读访问。

 2021 年 8 月 18 日

AmazonLexReadOnly — 对现有策略的更新

Amazon Lex 添加了新的权限,允许对 Amazon Lex V2 模型构建服务操作进行只读访问。

 2021 年 8 月 18 日

AmazonLexRunBotsOnly — 对现有策略的更新

Amazon Lex 添加了新的权限,允许对 Amazon Lex V2 运行时服务操作进行只读访问。

 2021 年 8 月 18 日

Amazon Lex 开始跟踪更改

Amazon Lex 开始跟踪其 AWS 托管式策略的更改。

 2021 年 8 月 18 日