In cloud-heavy environments, managing who can access what quickly becomes a challenge. Especially when you're juggling multiple users, IAM policies, and time-sensitive troubleshooting requests.
How often has your team had to pause work to determine the exact permissions a user has? The console's helpful, but it's not always fast. IAM policies? Powerful but often buried in layers.
Now, imagine simply asking a chatbot:
"What permissions does JohnDoe have?" And getting an instant, clear response.
That's precisely what we're going to build today — a chatbot hosted on AWS that can retrieve IAM permission details for a given user or role, in real-time.
In this blog, we’ll walk through how to build an AWS-hosted chatbot that can retrieve user authorization details on demand.
What are we building?
We'll develop a chatbot that:
Accepts an IAM username or role as input.
Retrieves associated permissions.
Displays any attached or inline policies linked to the user.
This tool helps admins, developers, and support engineers quickly understand user permissions without combing through the AWS console.
When to use this Bot?
Someone says they can't access an S3 bucket → Verify their permissions instantly.
You're onboarding new users and want to double-check access.
Your team wants faster audits or internal support tools.
High-Level Architecture
| Component | Description |
|---|---|
| Amazon Lex | Build the chatbot and design the conversational interface. |
| AWS Lambda | Process user input and fetch IAM details. |
| AWS IAM | Source of user and policy data. |
| Amazon API Gateway (Optional) | Expose the bot via a public REST API endpoint. |
| Amazon CloudWatch | Logging and monitoring of chatbot interactions and Lambda execution. |
Step-by-Step Implementation:
1. Create IAM Role for Lambda
Before creating the Lambda function, define a role with the required IAM permissions.
Sample IAM Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetUser",
"iam:ListAttachedUserPolicies",
"iam:ListUserPolicies",
"iam:GetUserPolicy",
"iam:ListGroupsForUser",
"iam:ListGroupPolicies",
"iam:GetGroupPolicy"
],
"Resource": "*"
}
]
}
2. Create AWS Lambda Function
Go to AWS Lambda > Create Function.
Choose "Author from scratch" and assign the IAM role created above.
Sample Python Code:
import boto3
import json
def lambda_handler(event, context):
iam = boto3.client('iam')
user_name = event['user_name']
try:
user = iam.get_user(UserName=user_name)
attached_policies = iam.list_attached_user_policies(UserName=user_name)
inline_policies = iam.list_user_policies(UserName=user_name)
response = {
'UserArn': user['User']['Arn'],
'AttachedPolicies': attached_policies['AttachedPolicies'],
'InlinePolicies': inline_policies['PolicyNames']
}
return {
'statusCode': 200,
'body': json.dumps(response)
}
except Exception as e:
return {
'statusCode': 400,
'body': str(e)
}
Test Event Input:
{
"user_name": "your-iam-username"
}
Go to Amazon Lex and create a bot (e.g., PermissionBot).
Add an intent, such as GetUserPermissions.
Sample Utterances:
"What are the permissions for {UserName}?"
"Show me {UserName} permissions."
Make sure {UserName} is defined as a slot.
In the Fulfillment section of the intent, link your Lambda function.
Ensure Lex has permission to invoke the Lambda.
Test the chatbot via the Lex console.
API Gateway: Expose Lex as a RESTful endpoint for integration with websites or internal apps.
This allows users to ask about permissions right from Slack or other platforms!
Use Amazon CloudWatch Logs to monitor Lambda invocations.
Create CloudWatch Alarms for error thresholds or usage spikes.
User: What are the permissions for JohnDoe?
Bot:
User ARN: arn:aws:iam::123456789012:user/JohnDoe
Attached Policies: AdministratorAccess
Inline Policies: None
When building internal tools like this, always bake in security:
Limit access: Only specific users/groups should use the chatbot.
Secure Lambda variables: Use encryption at rest.
Use Secrets Manager: Never hardcode API keys or tokens.
Audit logs: Enable logging to trace any unauthorized access.
Once your base chatbot is up and running, think about what else it can do:
Group permission lookups.
IAM Role-based permission retrieval.
AWS Organization SCP (Service Control Policies) visibility.
With this chatbot, your team can:
Save time navigating the console
Empower non-technical teams with easy access to permissions
Reduce mistakes caused by unclear IAM configurations
And the best part? It’s all hosted securely within your AWS environment.
