Developing an AWS Chatbot to Retrieve User Permission Information

M
Mrunali Yelkar 25th July 2025 - 6 mins read

In cloud-heavy environments, managing who can access what quickly becomes a challenge. Especially when you're juggling multiple users, IAM policies, and time-sensitive troubleshooting requests.

How often has your team had to pause work to determine the exact permissions a user has? The console's helpful, but it's not always fast. IAM policies? Powerful but often buried in layers.

Now, imagine simply asking a chatbot:

"What permissions does JohnDoe have?" And getting an instant, clear response.

That's precisely what we're going to build today — a chatbot hosted on AWS that can retrieve IAM permission details for a given user or role, in real-time.

In this blog, we’ll walk through how to build an AWS-hosted chatbot that can retrieve user authorization details on demand.


What are we building?

We'll develop a chatbot that:

    • Accepts an IAM username or role as input.

    • Retrieves associated permissions.

    • Displays any attached or inline policies linked to the user.

This tool helps admins, developers, and support engineers quickly understand user permissions without combing through the AWS console.

When to use this Bot?

    • Someone says they can't access an S3 bucket → Verify their permissions instantly.

    • You're onboarding new users and want to double-check access.

    • Your team wants faster audits or internal support tools.


High-Level Architecture

Component Description
Amazon Lex Build the chatbot and design the conversational interface.
AWS Lambda Process user input and fetch IAM details.
AWS IAM Source of user and policy data.
Amazon API Gateway (Optional) Expose the bot via a public REST API endpoint.
Amazon CloudWatch Logging and monitoring of chatbot interactions and Lambda execution.

Step-by-Step Implementation:

1. Create IAM Role for Lambda

Before creating the Lambda function, define a role with the required IAM permissions.

Sample IAM Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetUser",
        "iam:ListAttachedUserPolicies",
        "iam:ListUserPolicies",
        "iam:GetUserPolicy",
        "iam:ListGroupsForUser",
        "iam:ListGroupPolicies",
        "iam:GetGroupPolicy"
      ],
      "Resource": "*"
    }
  ]
}

  

2. Create AWS Lambda Function

  • Go to AWS Lambda > Create Function.

  • Choose "Author from scratch" and assign the IAM role created above.

Sample Python Code:

import boto3
import json

def lambda_handler(event, context):
    iam = boto3.client('iam')
    user_name = event['user_name']

    try:
        user = iam.get_user(UserName=user_name)
        attached_policies = iam.list_attached_user_policies(UserName=user_name)
        inline_policies = iam.list_user_policies(UserName=user_name)

        response = {
            'UserArn': user['User']['Arn'],
            'AttachedPolicies': attached_policies['AttachedPolicies'],
            'InlinePolicies': inline_policies['PolicyNames']
        }

        return {
            'statusCode': 200,
            'body': json.dumps(response)
        }

    except Exception as e:
        return {
            'statusCode': 400,
            'body': str(e)
        }

  

Test Event Input:

{
  "user_name": "your-iam-username"
}

  

3. Build an Amazon Lex Bot

  • Go to Amazon Lex and create a bot (e.g., PermissionBot).

  • Add an intent, such as GetUserPermissions.

Sample Utterances:

  • "What are the permissions for {UserName}?"

  • "Show me {UserName} permissions."

Make sure {UserName} is defined as a slot.

4. Connect Lambda to Lex

  • In the Fulfillment section of the intent, link your Lambda function.

  • Ensure Lex has permission to invoke the Lambda.

  • Test the chatbot via the Lex console.

5. (Optional) Integrate with Slack or API Gateway

  • API Gateway: Expose Lex as a RESTful endpoint for integration with websites or internal apps.

This allows users to ask about permissions right from Slack or other platforms!

6. Monitor & Debug

  • Use Amazon CloudWatch Logs to monitor Lambda invocations.

  • Create CloudWatch Alarms for error thresholds or usage spikes.

Sample Chatbot Conversation

User: What are the permissions for JohnDoe?

Bot:

  • User ARN: arn:aws:iam::123456789012:user/JohnDoe

  • Attached Policies: AdministratorAccess

  • Inline Policies: None

Security Best Practices

When building internal tools like this, always bake in security:

  • Limit access: Only specific users/groups should use the chatbot.

  • Secure Lambda variables: Use encryption at rest.

  • Use Secrets Manager: Never hardcode API keys or tokens.

  • Audit logs: Enable logging to trace any unauthorized access.

Potential Extensions

Once your base chatbot is up and running, think about what else it can do:

  • Group permission lookups.

  • IAM Role-based permission retrieval.

  • AWS Organization SCP (Service Control Policies) visibility.

Final Thoughts

With this chatbot, your team can:

  • Save time navigating the console

  • Empower non-technical teams with easy access to permissions

  • Reduce mistakes caused by unclear IAM configurations

And the best part? It’s all hosted securely within your AWS environment.




Top Blog Posts

×

Talk to our experts to discuss your requirements

Real boy icon sized sample pic Real girl icon sized sample pic Real boy icon sized sample pic
India Directory