in templates/util.js [235:516]
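/**
 * Builds the inline IAM policy "AWSQnaBotLexFullAccess" as a CloudFormation-ready object.
 *
 * What the policy grants (all "Allow"):
 *  - read-only describe/list calls for Polly, CloudWatch, Logs, KMS, S3, Lambda, IAM and Kendra;
 *  - `lex:*` on every Lex V1 and Lex V2 bot, alias, intent, slot type and bot channel in the
 *    stack's region and account, plus the Lex list/get calls that only accept `Resource: "*"`;
 *  - `lambda:AddPermission` / `lambda:RemovePermission`, limited to functions whose name starts
 *    with `AmazonLex` and to the principal `lex.amazonaws.com`;
 *  - get / create / delete / pass on the Lex service-linked roles only, with
 *    `iam:AWSServiceName` and `iam:PassedToService` conditions pinning the service.
 *
 * Each Lex V1 / V2 statement group is emitted exactly once: repeating a statement grants
 * nothing extra and only consumes IAM policy-size quota. IAM role ARNs use
 * `${AWS::Partition}` like every other ARN here, so the service-linked-role statements
 * also match outside the `aws` partition.
 *
 * @returns {{PolicyName: string, PolicyDocument: Object}} policy entry for an IAM role's
 *          `Policies` list; a fresh object on every call.
 */
exports.lexFullAccess = function() {
    // Fn::Sub templates must stay in ordinary quotes. Inside a JS template literal the
    // `${AWS::...}` placeholders would be interpolated by JavaScript, not CloudFormation.
    var SERVICE_LINKED_ROLE_PREFIX = "arn:${AWS::Partition}:iam::*:role/aws-service-role/";
    // NOTE(review): the account field is left as `*`; `${AWS::AccountId}` would be
    // tighter. Confirm nothing depends on the wildcard before narrowing it.

    // The four Lex service-linked roles. V2 role names carry a trailing wildcard because
    // the suffix after the base name varies.
    var LEX_V1_BOTS = ["lex.amazonaws.com", "AWSServiceRoleForLexBots"];
    var LEX_V1_CHANNELS = ["channels.lex.amazonaws.com", "AWSServiceRoleForLexChannels"];
    var LEX_V2_BOTS = ["lexv2.amazonaws.com", "AWSServiceRoleForLexV2Bots*"];
    var LEX_V2_CHANNELS = ["channels.lexv2.amazonaws.com", "AWSServiceRoleForLexV2Channels*"];
    var ALL_LEX_ROLES = [LEX_V1_BOTS, LEX_V1_CHANNELS, LEX_V2_BOTS, LEX_V2_CHANNELS];

    // ARN of one service-linked role, as a new Fn::Sub object (never a shared reference).
    function roleArn(role) {
        return {"Fn::Sub": SERVICE_LINKED_ROLE_PREFIX + role[0] + "/" + role[1]};
    }

    // Creation of one service-linked role, only on behalf of its owning service.
    function createServiceLinkedRole(role) {
        return {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                roleArn(role)
            ],
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": role[0]
                }
            }
        };
    }

    // PassRole for one service-linked role, only when it is handed to its owning service.
    function passServiceLinkedRole(role) {
        return {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                roleArn(role)
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        role[0]
                    ]
                }
            }
        };
    }

    return {
        "PolicyName": "AWSQnaBotLexFullAccess",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                { // Read-only lookups, scoped to this region/account where the ARN allows it
                    "Effect": "Allow",
                    "Action": [
                        "polly:SynthesizeSpeech",
                        "logs:DescribeLogGroups",
                        "cloudwatch:DescribeAlarms",
                        "kms:DescribeKey",
                        "s3:GetBucketLocation",
                        "lambda:GetPolicy"
                    ],
                    "Resource": [
                        {"Fn::Sub": "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*"},
                        {"Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*"},
                        {"Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"},
                        {"Fn::Sub": "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*"},
                        {"Fn::Sub": "arn:${AWS::Partition}:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:*"},
                        {"Fn::Sub": "arn:${AWS::Partition}:s3:::*"}
                    ]
                },
                { // List/describe calls granted on "*"
                    "Effect": "Allow",
                    "Action": [
                        "s3:ListAllMyBuckets",
                        "lambda:ListFunctions",
                        "cloudwatch:DescribeAlarmsForMetric",
                        "kms:ListAliases",
                        "iam:ListRoles",
                        "cloudwatch:GetMetricStatistics",
                        "kendra:ListIndices",
                        "polly:DescribeVoices"
                    ],
                    "Resource": "*"
                },
                { // Lex V1 policies
                    "Effect": "Allow",
                    "Action": [
                        "lex:GetBuiltinIntent",
                        "lex:GetIntents",
                        "lex:GetBots",
                        "lex:GetSlotTypes",
                        "lex:GetBotAliases",
                        "lex:StartImport",
                        "lex:GetMigration",
                        "lex:GetBuiltinSlotTypes",
                        "lex:GetBuiltinIntents",
                        "lex:GetImport",
                        "lex:GetMigrations"
                    ],
                    "Resource": "*"
                },
                {
                    "Effect": "Allow",
                    "Action": "lex:*",
                    "Resource": [
                        {"Fn::Sub": "arn:${AWS::Partition}:lex:${AWS::Region}:${AWS::AccountId}:intent:*:*"},
                        {"Fn::Sub": "arn:${AWS::Partition}:lex:${AWS::Region}:${AWS::AccountId}:slottype:*:*"},
                        {"Fn::Sub": "arn:${AWS::Partition}:lex:${AWS::Region}:${AWS::AccountId}:bot:*:*"},
                        {"Fn::Sub": "arn:${AWS::Partition}:lex:${AWS::Region}:${AWS::AccountId}:bot:*"},
                        {"Fn::Sub": "arn:${AWS::Partition}:lex:${AWS::Region}:${AWS::AccountId}:bot-channel:*:*"}
                    ]
                },
                { // Lex V2 policies
                    "Effect": "Allow",
                    "Action": [
                        "lex:CreateUploadUrl",
                        "lex:ListBuiltInSlotTypes",
                        "lex:ListBots",
                        "lex:ListBuiltInIntents",
                        "lex:ListImports",
                        "lex:ListExports"
                    ],
                    "Resource": "*"
                },
                {
                    "Effect": "Allow",
                    "Action": "lex:*",
                    "Resource": [
                        {"Fn::Sub": "arn:${AWS::Partition}:lex:${AWS::Region}:${AWS::AccountId}:bot-alias/*/*"},
                        {"Fn::Sub": "arn:${AWS::Partition}:lex:${AWS::Region}:${AWS::AccountId}:bot-alias/*"},
                        {"Fn::Sub": "arn:${AWS::Partition}:lex:${AWS::Region}:${AWS::AccountId}:bot/*"}
                    ]
                },
                { // Lets Lex be granted (or lose) invoke rights, only on AmazonLex* functions
                    "Effect": "Allow",
                    "Action": [
                        "lambda:AddPermission",
                        "lambda:RemovePermission"
                    ],
                    "Resource": {"Fn::Sub": "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:AmazonLex*"},
                    "Condition": {
                        "StringEquals": {
                            "lambda:Principal": "lex.amazonaws.com"
                        }
                    }
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "iam:GetRole"
                    ],
                    "Resource": ALL_LEX_ROLES.map(roleArn)
                },
                createServiceLinkedRole(LEX_V1_BOTS),
                createServiceLinkedRole(LEX_V1_CHANNELS),
                createServiceLinkedRole(LEX_V2_BOTS),
                createServiceLinkedRole(LEX_V2_CHANNELS),
                {
                    "Effect": "Allow",
                    "Action": [
                        "iam:DeleteServiceLinkedRole",
                        "iam:GetServiceLinkedRoleDeletionStatus"
                    ],
                    "Resource": ALL_LEX_ROLES.map(roleArn)
                },
                // PassRole is granted for three of the four roles; the Lex V1 channels role
                // is intentionally not added here because the policy never listed it.
                passServiceLinkedRole(LEX_V1_BOTS),
                passServiceLinkedRole(LEX_V2_BOTS),
                passServiceLinkedRole(LEX_V2_CHANNELS)
            ]
        },
    };
};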