Actions, resources, and condition keys for Amazon Connect
Amazon Connect (service prefix: connect) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon Connect
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
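As an added example (not part of the AWS documentation), the following Python code checks whether an identity policy that allows a Connect action also allows the dependent actions that the Actions table lists for it. The dependency map is a small subset copied from the Dependent actions column on this page; the sample policy and the function names are constructed for illustration, and the check reads only the Action element of Allow statements, ignoring Deny, NotAction, Resource and Condition.

```python
import fnmatch

# Subset of the "Dependent actions" column of the Actions table on this page.
DEPENDENT_ACTIONS = {
    "connect:AssociateLambdaFunction": ["lambda:AddPermission"],
    "connect:DisassociateLambdaFunction": ["lambda:RemovePermission"],
    "connect:CreatePrompt": ["kms:Decrypt", "s3:GetObject", "s3:GetObjectAcl"],
    "connect:SearchUsers": ["connect:DescribeUser", "connect:ListUserProficiencies"],
    "connect:DeleteInstance": [
        "ds:DeleteDirectory",
        "ds:DescribeDirectories",
        "ds:UnauthorizeApplication",
    ],
}

# Constructed sample policy (not taken from any real account).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "connect:AssociateLambdaFunction",
                "connect:Search*",
                "connect:DescribeUser",
            ],
            "Resource": "*",
        },
        {"Effect": "Allow", "Action": "s3:GetObject*", "Resource": "*"},
        {"Effect": "Allow", "Action": "connect:CreatePrompt", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or object where a list is accepted."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def allowed_patterns(policy):
    """Return lower-cased Action patterns from the policy's Allow statements."""
    patterns = []
    for statement in _as_list(policy.get("Statement")):
        # NotAction statements are skipped: they need full policy evaluation.
        if statement.get("Effect") != "Allow" or "NotAction" in statement:
            continue
        patterns.extend(p.lower() for p in _as_list(statement.get("Action")))
    return patterns


def is_allowed(action, patterns):
    """Action names are case-insensitive and may be matched with * and ?."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, pattern) for pattern in patterns)


def missing_dependencies(policy, dependency_map=DEPENDENT_ACTIONS):
    """Map each allowed action to the dependent actions the policy lacks."""
    patterns = allowed_patterns(policy)
    report = {}
    for action, dependencies in dependency_map.items():
        if not is_allowed(action, patterns):
            continue
        missing = [d for d in dependencies if not is_allowed(d, patterns)]
        if missing:
            report[action] = missing
    return report


if __name__ == "__main__":
    for action, missing in missing_dependencies(SAMPLE_POLICY).items():
        print(f"{action}: missing {', '.join(missing)}")
```

A dependent action reported as missing may still be granted by another policy attached to the same principal, so run the check over the combined set of policies before treating a finding as a gap.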
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
ActivateEvaluationForm | Grants permission to activate an evaluation form in the specified Amazon Connect instance. After the evaluation form is activated, it is available to start new evaluations based on the form | Write | |||
AdminGetEmergencyAccessToken | Grants permission to federate into an Amazon Connect instance (Log in for emergency access functionality in the Amazon Connect console) | Write | | | connect:DescribeInstance connect:ListInstances ds:DescribeDirectories |
AssociateAnalyticsDataSet | Grants permission to grant access and to associate a dataset with the specified AWS account | Write | |||
AssociateApprovedOrigin | Grants permission to associate approved origin for an existing Amazon Connect instance | Write | |||
AssociateBot | Grants permission to associate a Lex bot for an existing Amazon Connect instance | Write | | | iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy lex:CreateResourcePolicy lex:DescribeBotAlias lex:GetBot lex:UpdateResourcePolicy |
AssociateCustomerProfilesDomain [permission only] | Grants permission to associate a Customer Profiles domain for an existing Amazon Connect instance | Write | | | iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy profile:GetDomain |
AssociateDefaultVocabulary | Grants permission to associate a default vocabulary for an existing Amazon Connect instance | Write | |||
AssociateFlow | Grants permission to associate a resource with a flow in an Amazon Connect instance | Write | |||
AssociateInstanceStorageConfig | Grants permission to associate instance storage for an existing Amazon Connect instance | Write | | | ds:DescribeDirectories firehose:DescribeDeliveryStream iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy kinesis:DescribeStream kms:CreateGrant kms:DescribeKey s3:GetBucketAcl s3:GetBucketLocation |
AssociateLambdaFunction | Grants permission to associate a Lambda function for an existing Amazon Connect instance | Write | | | lambda:AddPermission |
AssociateLexBot | Grants permission to associate a Lex bot for an existing Amazon Connect instance | Write | | | iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy lex:GetBot |
AssociatePhoneNumberContactFlow | Grants permission to associate contact flow resources to phone number resources in an Amazon Connect instance | Write | |||
AssociateQueueQuickConnects | Grants permission to associate quick connects with a queue in an Amazon Connect instance | Write | |||
AssociateRoutingProfileQueues | Grants permission to associate queues with a routing profile in an Amazon Connect instance | Write | |||
AssociateSecurityKey | Grants permission to associate a security key for an existing Amazon Connect instance | Write | |||
AssociateTrafficDistributionGroupUser | Grants permission to associate a user to a traffic distribution group in the specified Amazon Connect instance | Write | | | connect:DescribeUser connect:SearchUsers |
AssociateUserProficiencies | Grants permission to associate user proficiencies to a user in an Amazon Connect instance | Write | |||
BatchAssociateAnalyticsDataSet | Grants permission to grant access and to associate the datasets with the specified AWS account | Write | |||
BatchDisassociateAnalyticsDataSet | Grants permission to revoke access and to disassociate the datasets with the specified AWS account | Write | |||
BatchGetAttachedFileMetadata | Grants permission to get metadata for multiple attached files from an Amazon Connect instance | Read | |||
BatchGetFlowAssociation | Grants permission to get summary information about the flow associations for the specified Amazon Connect instance | List | |||
BatchPutContact | Grants permission to put contacts in an Amazon Connect instance | Write | |||
ClaimPhoneNumber | Grants permission to claim phone number resources in an Amazon Connect instance or traffic distribution group | Write | |||
CompleteAttachedFileUpload | Grants permission to complete an attached file upload in an Amazon Connect instance | Write | |||
CreateAgentStatus | Grants permission to create agent status in an Amazon Connect instance | Write | |||
CreateAuthenticationProfile | Grants permission to create authentication profile resources in an Amazon Connect instance | Write | |||
CreateContactFlow | Grants permission to create a contact flow in an Amazon Connect instance | Write | |||
CreateContactFlowModule | Grants permission to create a contact flow module in an Amazon Connect instance | Write | |||
CreateContactFlowVersion | Grants permission to create a version of a flow in an Amazon Connect instance | Write | |||
CreateEvaluationForm | Grants permission to create an evaluation form in the specified Amazon Connect instance. The form can be used to define questions related to agent performance, and create sections to organize such questions. Question and section identifiers cannot be duplicated within the same evaluation form | Write | |||
CreateHoursOfOperation | Grants permission to create hours of operation in an Amazon Connect instance | Write | |||
CreateHoursOfOperationOverride | Grants permission to create an hours of operation override in an Amazon Connect instance | Write | |||
CreateInstance | Grants permission to create a new Amazon Connect instance | Write | | | ds:AuthorizeApplication ds:CheckAlias ds:CreateAlias ds:CreateDirectory ds:CreateIdentityPoolDirectory ds:DeleteDirectory ds:DescribeDirectories ds:UnauthorizeApplication iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy |
CreateIntegrationAssociation | Grants permission to create an integration association with an Amazon Connect instance | Write | | | app-integrations:CreateApplicationAssociation app-integrations:CreateEventIntegrationAssociation app-integrations:GetApplication cases:GetDomain chime:AssociateVoiceConnectorConnect chime:DisassociateVoiceConnectorConnect chime:TagResource chime:UntagResource connect:DescribeInstance ds:DescribeDirectories events:PutRule events:PutTargets iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy mobiletargeting:GetApp voiceid:DescribeDomain wisdom:GetAssistant wisdom:GetKnowledgeBase wisdom:TagResource |
CreateParticipant | Grants permission to add a participant to an ongoing contact | Write | |||
CreatePersistentContactAssociation | Grants permission to create persistent contact associations for a contact | Write | |||
CreatePredefinedAttribute | Grants permission to create a predefined attribute in an Amazon Connect instance | Write | |||
CreatePrompt | Grants permission to create a prompt in an Amazon Connect instance | Write | | | kms:Decrypt s3:GetObject s3:GetObjectAcl |
CreatePushNotificationRegistration | Grants permission to create a push notification registration for an Amazon Connect instance | Write | |||
CreateQueue | Grants permission to create a queue in an Amazon Connect instance | Write | |||
CreateQuickConnect | Grants permission to create a quick connect in an Amazon Connect instance | Write | |||
CreateRoutingProfile | Grants permission to create a routing profile in an Amazon Connect instance | Write | |||
CreateRule | Grants permission to create a rule in an Amazon Connect instance | Write | |||
CreateSecurityProfile | Grants permission to create a security profile for the specified Amazon Connect instance | Write | |||
CreateTaskTemplate | Grants permission to create a task template in an Amazon Connect instance | Write | |||
CreateTrafficDistributionGroup | Grants permission to create a traffic distribution group | Write | |||
CreateUseCase | Grants permission to create a use case for an integration association | Write | | | connect:DescribeInstance ds:DescribeDirectories |
CreateUser | Grants permission to create a user for the specified Amazon Connect instance | Write | |||
CreateUserHierarchyGroup | Grants permission to create a user hierarchy group in an Amazon Connect instance | Write | |||
CreateView | Grants permission to create a view in an Amazon Connect instance | Write | |||
CreateViewVersion | Grants permission to create a view version in an Amazon Connect instance | Write | |||
CreateVocabulary | Grants permission to create a vocabulary in an Amazon Connect instance | Write | |||
DeactivateEvaluationForm | Grants permission to deactivate an evaluation form in the specified Amazon Connect instance. After a form is deactivated, it is no longer available for users to start new evaluations based on the form | Write | |||
DeleteAttachedFile | Grants permission to delete an attached file from an Amazon Connect instance | Write | | | cases:DeleteRelatedItem |
DeleteContactEvaluation | Grants permission to delete a contact evaluation in the specified Amazon Connect instance | Write | |||
DeleteContactFlow | Grants permission to delete a contact flow in an Amazon Connect instance | Write | |||
DeleteContactFlowModule | Grants permission to delete a contact flow module in an Amazon Connect instance | Write | |||
DeleteEvaluationForm | Grants permission to delete an evaluation form in the specified Amazon Connect instance. If the version property is provided, only the specified version of the evaluation form is deleted | Write | |||
DeleteHoursOfOperation | Grants permission to delete hours of operation in an Amazon Connect instance | Write | |||
DeleteHoursOfOperationOverride | Grants permission to delete an hours of operation override in an Amazon Connect instance | Write | |||
DeleteInstance | Grants permission to delete an Amazon Connect instance. When you remove an instance, the link to an existing AWS directory is also removed | Write | | | ds:DeleteDirectory ds:DescribeDirectories ds:UnauthorizeApplication |
DeleteIntegrationAssociation | Grants permission to delete an integration association from an Amazon Connect instance. The association must not have any use cases associated with it | Write | | | app-integrations:DeleteApplicationAssociation app-integrations:DeleteEventIntegrationAssociation connect:DescribeInstance ds:DescribeDirectories events:DeleteRule events:ListTargetsByRule events:RemoveTargets |
DeletePredefinedAttribute | Grants permission to delete a predefined attribute in an Amazon Connect instance | Write | |||
DeletePrompt | Grants permission to delete a prompt in an Amazon Connect instance | Write | |||
DeletePushNotificationRegistration | Grants permission to delete a push notification registration for an Amazon Connect instance | Write | |||
DeleteQueue | Grants permission to delete a queue in an Amazon Connect instance | Write | |||
DeleteQuickConnect | Grants permission to delete a quick connect in an Amazon Connect instance | Write | |||
DeleteRoutingProfile | Grants permission to delete routing profiles in an Amazon Connect instance | Write | |||
DeleteRule | Grants permission to delete a rule in an Amazon Connect instance | Write | |||
DeleteSecurityProfile | Grants permission to delete a security profile in an Amazon Connect instance | Write | |||
DeleteTaskTemplate | Grants permission to delete a task template in an Amazon Connect instance | Write | |||
DeleteTrafficDistributionGroup | Grants permission to delete a traffic distribution group | Write | |||
DeleteUseCase | Grants permission to delete a use case from an integration association | Write | | | connect:DescribeInstance ds:DescribeDirectories |
DeleteUser | Grants permission to delete a user in an Amazon Connect instance | Write | |||
DeleteUserHierarchyGroup | Grants permission to delete a user hierarchy group in an Amazon Connect instance | Write | |||
DeleteView | Grants permission to delete a view in an Amazon Connect instance | Write | |||
DeleteViewVersion | Grants permission to delete a view version in an Amazon Connect instance | Write | |||
DeleteVocabulary | Grants permission to delete a vocabulary in an Amazon Connect instance | Write | |||
DescribeAgentStatus | Grants permission to describe agent status in an Amazon Connect instance | Read | |||
DescribeAuthenticationProfile | Grants permission to describe authentication profile resources in an Amazon Connect instance | Read | |||
DescribeContact | Grants permission to describe a contact in an Amazon Connect instance | Read | |||
DescribeContactEvaluation | Grants permission to describe a contact evaluation in the specified Amazon Connect instance | Read | |||
DescribeContactFlow | Grants permission to describe a contact flow in an Amazon Connect instance | Read | |||
DescribeContactFlowModule | Grants permission to describe a contact flow module in an Amazon Connect instance | Read | |||
DescribeEvaluationForm | Grants permission to describe an evaluation form in the specified Amazon Connect instance. If the version property is not provided, the latest version of the evaluation form is described | Read | |||
DescribeForecastingPlanningSchedulingIntegration [permission only] | Grants permission to describe the status of forecasting, planning, and scheduling integration on an Amazon Connect instance | Read | |||
DescribeHoursOfOperation | Grants permission to describe hours of operation in an Amazon Connect instance | Read | |||
DescribeHoursOfOperationOverride | Grants permission to describe an hours of operation override in an Amazon Connect instance | Read | |||
DescribeInstance | Grants permission to view details of an Amazon Connect instance and is also required to create an instance | Read | | | ds:DescribeDirectories |
DescribeInstanceAttribute | Grants permission to view the attribute details of an existing Amazon Connect instance | Read | |||
DescribeInstanceStorageConfig | Grants permission to view the instance storage configuration for an existing Amazon Connect instance | Read | |||
DescribePhoneNumber | Grants permission to describe phone number resources in an Amazon Connect instance or traffic distribution group | Read | |||
DescribePredefinedAttribute | Grants permission to describe a predefined attribute in an Amazon Connect instance | Read | |||
DescribePrompt | Grants permission to describe a prompt in an Amazon Connect instance | Read | |||
DescribeQueue | Grants permission to describe a queue in an Amazon Connect instance | Read | |||
DescribeQuickConnect | Grants permission to describe a quick connect in an Amazon Connect instance | Read | |||
DescribeRoutingProfile | Grants permission to describe a routing profile in an Amazon Connect instance | Read | |||
DescribeRule | Grants permission to describe a rule in an Amazon Connect instance | Read | |||
DescribeSecurityProfile | Grants permission to describe a security profile in an Amazon Connect instance | Read | |||
DescribeTrafficDistributionGroup | Grants permission to describe a traffic distribution group | Read | |||
DescribeUser | Grants permission to describe a user in an Amazon Connect instance | Read | |||
DescribeUserHierarchyGroup | Grants permission to describe a hierarchy group for an Amazon Connect instance | Read | |||
DescribeUserHierarchyStructure | Grants permission to describe the hierarchy structure for an Amazon Connect instance | Read | |||
DescribeView | Grants permission to describe a view in an Amazon Connect instance | Read | |||
DescribeVocabulary | Grants permission to describe a vocabulary in an Amazon Connect instance | Read | |||
DisassociateAnalyticsDataSet | Grants permission to revoke access and to disassociate a dataset with the specified AWS account | Write | |||
DisassociateApprovedOrigin | Grants permission to disassociate approved origin for an existing Amazon Connect instance | Write | |||
DisassociateBot | Grants permission to disassociate a Lex bot for an existing Amazon Connect instance | Write | | | iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy lex:DeleteResourcePolicy lex:UpdateResourcePolicy |
DisassociateCustomerProfilesDomain [permission only] | Grants permission to disassociate a Customer Profiles domain for an existing Amazon Connect instance | Write | | | iam:AttachRolePolicy iam:DeleteRolePolicy iam:DetachRolePolicy iam:GetPolicy iam:GetPolicyVersion iam:GetRolePolicy |
DisassociateFlow | Grants permission to disassociate a resource from a flow in an Amazon Connect instance | Write | |||
DisassociateInstanceStorageConfig | Grants permission to disassociate instance storage for an existing Amazon Connect instance | Write | |||
DisassociateLambdaFunction | Grants permission to disassociate a Lambda function for an existing Amazon Connect instance | Write | | | lambda:RemovePermission |
DisassociateLexBot | Grants permission to disassociate a Lex bot for an existing Amazon Connect instance | Write | | | iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy |
DisassociatePhoneNumberContactFlow | Grants permission to disassociate contact flow resources from phone number resources in an Amazon Connect instance | Write | |||
DisassociateQueueQuickConnects | Grants permission to disassociate quick connects from a queue in an Amazon Connect instance | Write | |||
DisassociateRoutingProfileQueues | Grants permission to disassociate queues from a routing profile in an Amazon Connect instance | Write | |||
DisassociateSecurityKey | Grants permission to disassociate the security key for an existing Amazon Connect instance | Write | |||
DisassociateTrafficDistributionGroupUser | Grants permission to disassociate a user from a traffic distribution group in the specified Amazon Connect instance | Write | |||
DisassociateUserProficiencies | Grants permission to disassociate user proficiencies from a user in an Amazon Connect instance | Write | |||
DismissUserContact | Grants permission to dismiss a terminated contact from the agent CCP | Write | |||
GetAttachedFile | Grants permission to get an attached file from an Amazon Connect instance | Read | |||
GetContactAttributes | Grants permission to retrieve the contact attributes for the specified contact | Read | |||
GetCurrentMetricData | Grants permission to retrieve current metric data for queues and routing profiles in an Amazon Connect instance | Read | |||
GetCurrentUserData | Grants permission to retrieve current user data in an Amazon Connect instance | Read | |||
GetEffectiveHoursOfOperations | Grants permission to get effective hours of operation resources in an Amazon Connect instance | Read | |||
GetFederationToken | Grants permission to federate into an Amazon Connect instance when using SAML-based authentication for identity management | Read | |||
GetFlowAssociation | Grants permission to get information about the flow associations for the specified Amazon Connect instance | Read | |||
GetMetricData | Grants permission to retrieve historical metric data for queues in an Amazon Connect instance | Read | |||
GetMetricDataV2 | Grants permission to retrieve metric data in an Amazon Connect instance | Read | |||
GetPromptFile | Grants permission to get details about a prompt's presigned Amazon S3 URL in an Amazon Connect instance | Read | |||
GetTaskTemplate | Grants permission to get details about the specified task template in an Amazon Connect instance | Read | |||
GetTrafficDistribution | Grants permission to read traffic distribution for a traffic distribution group | List | |||
ImportPhoneNumber | Grants permission to import phone number resources to an Amazon Connect instance | Write | | | sms-voice:DescribePhoneNumbers social-messaging:GetLinkedWhatsAppBusinessAccountPhoneNumber social-messaging:TagResource |
ListAgentStatuses | Grants permission to list agent statuses in an Amazon Connect instance | List | |||
ListAnalyticsDataAssociations | Grants permission to list the association status of a dataset for a given Amazon Connect instance | List | |||
ListApprovedOrigins | Grants permission to view approved origins of an existing Amazon Connect instance | List | |||
ListAuthenticationProfiles | Grants permission to list authentication profile resources in an Amazon Connect instance | List | |||
ListBots | Grants permission to view the Lex bots of an existing Amazon Connect instance | List | |||
ListContactEvaluations | Grants permission to list contact evaluations in the specified Amazon Connect instance | List | |||
ListContactFlowModules | Grants permission to list contact flow module resources in an Amazon Connect instance | List | |||
ListContactFlowVersions | Grants permission to list all the versions of a flow in an Amazon Connect instance | List | |||
ListContactFlows | Grants permission to list contact flow resources in an Amazon Connect instance | List | |||
ListContactReferences | Grants permission to list references associated with a contact in an Amazon Connect instance | List | |||
ListDefaultVocabularies | Grants permission to list default vocabularies associated with an Amazon Connect instance | List | |||
ListEvaluationFormVersions | Grants permission to list versions of an evaluation form in the specified Amazon Connect instance | List | |||
ListEvaluationForms | Grants permission to list evaluation forms in the specified Amazon Connect instance | List | |||
ListFlowAssociations | Grants permission to list summary information about the flow associations for the specified Amazon Connect instance | List | |||
ListHoursOfOperationOverrides | Grants permission to list hours of operation override resources in an Amazon Connect instance | List | |||
ListHoursOfOperations | Grants permission to list hours of operation resources in an Amazon Connect instance | List | |||
ListInstanceAttributes | Grants permission to view the attributes of an existing Amazon Connect instance | List | |||
ListInstanceStorageConfigs | Grants permission to view storage configurations of an existing Amazon Connect instance | List | |||
ListInstances | Grants permission to view the Amazon Connect instances associated with an AWS account | List | | | ds:DescribeDirectories |
ListIntegrationAssociations | Grants permission to list summary information about the integration associations for the specified Amazon Connect instance | List | | | connect:DescribeInstance ds:DescribeDirectories |
ListLambdaFunctions | Grants permission to view the Lambda functions of an existing Amazon Connect instance | List | |||
ListLexBots | Grants permission to view the Lex bots of an existing Amazon Connect instance | List | |||
ListPhoneNumbers | Grants permission to list phone number resources in an Amazon Connect instance | List | |||
ListPhoneNumbersV2 | Grants permission to list phone number resources in an Amazon Connect instance | List | |||
ListPredefinedAttributes | Grants permission to list predefined attributes in an Amazon Connect instance | List | |||
ListPrompts | Grants permission to list prompt resources in an Amazon Connect instance | List | |||
ListQueueQuickConnects | Grants permission to list quick connect resources in a queue in an Amazon Connect instance | List | |||
ListQueues | Grants permission to list queue resources in an Amazon Connect instance | List | |||
ListQuickConnects | Grants permission to list quick connect resources in an Amazon Connect instance | List | |||
ListRealtimeContactAnalysisSegments | Grants permission to list the analysis segments for a real-time analysis session | Read | |||
ListRealtimeContactAnalysisSegmentsV2 | Grants permission to list the analysis segments for a real-time chat analytics session | List | |||
ListRoutingProfileQueues | Grants permission to list queue resources in a routing profile in an Amazon Connect instance | List | |||
ListRoutingProfiles | Grants permission to list routing profile resources in an Amazon Connect instance | List | |||
ListRules | Grants permission to list rules associated with an Amazon Connect instance | List | |||
ListSecurityKeys | Grants permission to view the security keys of an existing Amazon Connect instance | List | |||
ListSecurityProfileApplications | Grants permission to list applications associated with a specific security profile in an Amazon Connect instance | List | |||
ListSecurityProfilePermissions | Grants permission to list permissions associated with a security profile in an Amazon Connect instance | List | |||
ListSecurityProfiles | Grants permission to list security profile resources in an Amazon Connect instance | List | |||
ListTagsForResource | Grants permission to list tags for an Amazon Connect resource | Read | |||
ListTaskTemplates | Grants permission to list task template resources in an Amazon Connect instance | List | |||
ListTrafficDistributionGroupUsers | Grants permission to list the active user associations for a traffic distribution group | List | |||
ListTrafficDistributionGroups | Grants permission to list traffic distribution groups | List | |||
ListUseCases | Grants permission to list the use cases of an integration association | List | | | connect:DescribeInstance ds:DescribeDirectories |
ListUserHierarchyGroups | Grants permission to list the hierarchy group resources in an Amazon Connect instance | List | |||
ListUserProficiencies | Grants permission to list user proficiencies from a user in an Amazon Connect instance | List | |||
ListUsers | Grants permission to list user resources in an Amazon Connect instance | List | |||
ListViewVersions | Grants permission to list the view versions in an Amazon Connect instance | List | |||
ListViews | Grants permission to list the views in an Amazon Connect instance | List | |||
MonitorContact | Grants permission to monitor an ongoing contact | Write | |||
PauseContact | Grants permission to pause an ongoing contact | Write | |||
PutUserStatus | Grants permission to switch User Status in an Amazon Connect instance | Write | |||
ReleasePhoneNumber | Grants permission to release phone number resources in an Amazon Connect instance | Write | |||
ReplicateInstance | Grants permission to create a replica of an Amazon Connect instance | Write | | | ds:AuthorizeApplication ds:CheckAlias ds:CreateAlias ds:CreateDirectory ds:CreateIdentityPoolDirectory ds:DeleteDirectory ds:DescribeDirectories ds:UnauthorizeApplication iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy |
ResumeContact | Grants permission to resume a paused contact | Write | |||
ResumeContactRecording | Grants permission to resume recording for the specified contact | Write | |||
SearchAgentStatuses | Grants permission to search agent status resources in an Amazon Connect instance | Read | | | connect:DescribeAgentStatus |
SearchAvailablePhoneNumbers | Grants permission to search phone number resources in an Amazon Connect instance or traffic distribution group | List | |||
SearchContactFlowModules | Grants permission to search contact flow module resources in an Amazon Connect instance | Read | | | connect:DescribeContactFlowModule |
SearchContactFlows | Grants permission to search contact flow resources in an Amazon Connect instance | Read | | | connect:DescribeContactFlow |
SearchContacts | Grants permission to search contacts in an Amazon Connect instance | Read | | | connect:DescribeContact |
SearchHoursOfOperationOverrides | Grants permission to search hours of operation override resources in an Amazon Connect instance | Read | | | connect:DescribeHoursOfOperation connect:ListHoursOfOperationOverrides |
SearchHoursOfOperations | Grants permission to search hours of operation resources in an Amazon Connect instance | Read | | | connect:DescribeHoursOfOperation |
SearchPredefinedAttributes | Grants permission to search predefined attributes in an Amazon Connect instance | Read | | | connect:DescribePredefinedAttribute |
SearchPrompts | Grants permission to search prompt resources in an Amazon Connect instance | Read | | | connect:DescribePrompt |
SearchQueues | Grants permission to search queue resources in an Amazon Connect instance | Read | | | connect:DescribeQueue |
SearchQuickConnects | Grants permission to search quick connect resources in an Amazon Connect instance | Read | | | connect:DescribeQuickConnect |
SearchResourceTags | Grants permission to search tags that are used in an Amazon Connect instance | List | |||
SearchRoutingProfiles | Grants permission to search routing profile resources in an Amazon Connect instance | Read | | | connect:DescribeRoutingProfile |
SearchSecurityProfiles | Grants permission to search security profile resources in an Amazon Connect instance | Read | | | connect:DescribeSecurityProfile |
SearchUserHierarchyGroups | Grants permission to search user hierarchy group resources in an Amazon Connect instance | Read | | | connect:DescribeUserHierarchyGroup |
SearchUsers | Grants permission to search user resources in an Amazon Connect instance | Read | | | connect:DescribeUser connect:ListUserProficiencies |
SearchVocabularies | Grants permission to search vocabularies in an Amazon Connect instance | List | |||
SendChatIntegrationEvent | Grants permission to send chat integration events using the Amazon Connect API | Write | |||
SendIntegrationEvent [permission only] | Grants permission to send integration events using the Amazon Connect API | Write | |||
SendOutboundEmail | Grants permission to send outbound email using the Amazon Connect API | Write | |||
StartAttachedFileUpload | Grants permission to start an attached file upload in an Amazon Connect instance | Write | | | cases:CreateRelatedItem |
StartChatContact | Grants permission to initiate a chat using the Amazon Connect API | Write | |||
StartContactEvaluation | Grants permission to start an empty evaluation in the specified Amazon Connect instance, using the given evaluation form for the particular contact. The evaluation form version used for the contact evaluation corresponds to the currently activated version. If no version is activated for the evaluation form, the contact evaluation cannot be started | Write | |||
StartContactRecording | Grants permission to start recording for the specified contact | Write | |||
StartContactStreaming | Grants permission to start chat streaming using the Amazon Connect API | Write | |||
StartEmailContact | Grants permission to initiate an inbound email using the Amazon Connect API | Write | |||
StartForecastingPlanningSchedulingIntegration [permission only] | Grants permission to enable forecasting, planning, and scheduling integration on an Amazon Connect instance | Write | |||
StartOutboundChatContact | Grants permission to initiate an outbound chat using the Amazon Connect API | Write | |||
StartOutboundVoiceContact | Grants permission to initiate outbound calls using the Amazon Connect API | Write | |||
StartScreenSharing | Grants permission to start screen sharing for a contact | Write | |||
StartTaskContact | Grants permission to initiate a task using the Amazon Connect API | Write | |||
StartWebRTCContact | Grants permission to initiate a WebRTC contact using the Amazon Connect API | Write | |||
StopContact | Grants permission to stop contacts that were initiated using the Amazon Connect API. If you use this operation on an active contact the contact ends, even if the agent is active on a call with a customer | Write | |||
StopContactRecording | Grants permission to stop recording for the specified contact | Write | |||
StopContactStreaming | Grants permission to stop chat streaming using the Amazon Connect API | Write | |||
StopForecastingPlanningSchedulingIntegration [permission only] | Grants permission to disable forecasting, planning, and scheduling integration on an Amazon Connect instance | Write | |||
SubmitContactEvaluation | Grants permission to submit a contact evaluation in the specified Amazon Connect instance. Answers included in the request are merged with existing answers for the given evaluation. If no answers or notes are passed, the evaluation is submitted with the existing answers and notes. You can delete an answer or note by passing an empty object ({}) to the question identifier | Write | |||
SuspendContactRecording | Grants permission to suspend recording for the specified contact | Write | |||
TagContact | Grants permission to tag a contact in an Amazon Connect instance | Write | |||
TagResource | Grants permission to tag an Amazon Connect resource | Tagging | |||
TransferContact | Grants permission to transfer the contact to another queue or agent | Write | |||
UntagContact | Grants permission to untag a contact in an Amazon Connect instance | Write | |||
UntagResource | Grants permission to untag an Amazon Connect resource | Tagging | |||
UpdateAgentStatus | Grants permission to update agent status in an Amazon Connect instance | Write | |||
UpdateAuthenticationProfile | Grants permission to update authentication profile resources in an Amazon Connect instance | Write | |||
UpdateContact | Grants permission to update a contact in an Amazon Connect instance | Write | |||
UpdateContactAttributes | Grants permission to create or update the contact attributes associated with the specified contact | Write | |||
UpdateContactEvaluation | Grants permission to update details about a contact evaluation in the specified Amazon Connect instance. A contact evaluation must be in the draft state. Answers included in the request are merged with existing answers for the given evaluation. An answer or note can be deleted by passing an empty object ({}) to the question identifier | Write | |||
UpdateContactFlowContent | Grants permission to update contact flow content in an Amazon Connect instance | Write | |||
UpdateContactFlowMetadata | Grants permission to update the metadata of a contact flow in an Amazon Connect instance | Write | |||
UpdateContactFlowModuleContent | Grants permission to update contact flow module content in an Amazon Connect instance | Write | |||
UpdateContactFlowModuleMetadata | Grants permission to update the metadata of a contact flow module in an Amazon Connect instance | Write | |||
UpdateContactFlowName | Grants permission to update the name and description of a contact flow in an Amazon Connect instance | Write | |||
UpdateContactRoutingData | Grants permission to update routing properties on a contact in an Amazon Connect instance | Write | |||
UpdateContactSchedule | Grants permission to update the schedule of a contact that is already scheduled in an Amazon Connect instance | Write | |||
UpdateEvaluationForm | Grants permission to update details about a specific evaluation form version in the specified Amazon Connect instance. Question and section identifiers cannot be duplicated within the same evaluation form | Write | |||
UpdateHoursOfOperation | Grants permission to update hours of operation in an Amazon Connect instance | Write | |||
UpdateHoursOfOperationOverride | Grants permission to update an hours of operation override in an Amazon Connect instance | Write | |||
UpdateInstanceAttribute | Grants permission to update the attribute for an existing Amazon Connect instance | Write |
ds:DescribeDirectories iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy logs:CreateLogGroup |
||
UpdateInstanceStorageConfig | Grants permission to update the storage configuration for an existing Amazon Connect instance | Write |
ds:DescribeDirectories firehose:DescribeDeliveryStream iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy kinesis:DescribeStream kms:CreateGrant kms:DescribeKey s3:GetBucketAcl s3:GetBucketLocation |
||
UpdateParticipantAuthentication | Grants permission to update and continue authentication for a specific contact | Write | |||
UpdateParticipantRoleConfig | Grants permission to update participant role configurations associated with a contact | Write | |||
UpdatePhoneNumber | Grants permission to update phone number resources in an Amazon Connect instance or traffic distribution group | Write | |||
UpdatePhoneNumberMetadata | Grants permission to update the metadata of a phone number resource in an Amazon Connect instance or traffic distribution group | Write | |||
UpdatePredefinedAttribute | Grants permission to update a predefined attribute in an Amazon Connect instance | Write | |||
UpdatePrompt | Grants permission to update a prompt's name, description, and Amazon S3 URI in an Amazon Connect instance | Write |
kms:Decrypt s3:GetObject s3:GetObjectAcl |
||
UpdateQueueHoursOfOperation | Grants permission to update queue hours of operation in an Amazon Connect instance | Write | |||
UpdateQueueMaxContacts | Grants permission to update queue capacity in an Amazon Connect instance | Write | |||
UpdateQueueName | Grants permission to update a queue name and description in an Amazon Connect instance | Write | |||
UpdateQueueOutboundCallerConfig | Grants permission to update queue outbound caller config in an Amazon Connect instance | Write | |||
UpdateQueueStatus | Grants permission to update queue status in an Amazon Connect instance | Write | |||
UpdateQuickConnectConfig | Grants permission to update the configuration of a quick connect in an Amazon Connect instance | Write | |||
UpdateQuickConnectName | Grants permission to update a quick connect name and description in an Amazon Connect instance | Write | |||
UpdateRoutingProfileAgentAvailabilityTimer | Grants permission to update a routing profile agent availability timer in an Amazon Connect instance | Write | |||
UpdateRoutingProfileConcurrency | Grants permission to update the concurrency in a routing profile in an Amazon Connect instance | Write | |||
UpdateRoutingProfileDefaultOutboundQueue | Grants permission to update the outbound queue in a routing profile in an Amazon Connect instance | Write | |||
UpdateRoutingProfileName | Grants permission to update a routing profile name and description in an Amazon Connect instance | Write | |||
UpdateRoutingProfileQueues | Grants permission to update the queues in a routing profile in an Amazon Connect instance | Write | |||
UpdateRule | Grants permission to update a rule for an existing Amazon Connect instance | Write | |||
UpdateSecurityProfile | Grants permission to update a security profile group for a user in an Amazon Connect instance | Write | |||
UpdateTaskTemplate | Grants permission to update a task template belonging to an Amazon Connect instance | Write | |||
UpdateTrafficDistribution | Grants permission to update traffic distribution for a traffic distribution group | Write | |||
UpdateUserHierarchy | Grants permission to update a hierarchy group for a user in an Amazon Connect instance | Write | |||
UpdateUserHierarchyGroupName | Grants permission to update a user hierarchy group name in an Amazon Connect instance | Write | |||
UpdateUserHierarchyStructure | Grants permission to update user hierarchy structure in an Amazon Connect instance | Write | |||
UpdateUserIdentityInfo | Grants permission to update identity information for a user in an Amazon Connect instance | Write | |||
UpdateUserPhoneConfig | Grants permission to update phone configuration settings for a user in an Amazon Connect instance | Write | |||
UpdateUserProficiencies | Grants permission to update user proficiencies from a user in an Amazon Connect instance | Write | |||
UpdateUserRoutingProfile | Grants permission to update a routing profile for a user in an Amazon Connect instance | Write | |||
UpdateUserSecurityProfiles | Grants permission to update security profiles for a user in an Amazon Connect instance | Write | |||
UpdateViewContent | Grants permission to update a view's content in an Amazon Connect instance | Write | |||
UpdateViewMetadata | Grants permission to update a view's metadata in an Amazon Connect instance | Write | |||
Resource types defined by Amazon Connect
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
instance | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId} | |
contact | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact/${ContactId} | |
user | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent/${UserId} | |
routing-profile | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/routing-profile/${RoutingProfileId} | |
security-profile | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/security-profile/${SecurityProfileId} | |
authentication-profile | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/authentication-profile/${AuthenticationProfileId} | |
hierarchy-group | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-group/${HierarchyGroupId} | |
queue | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/${QueueId} | |
wildcard-queue | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/* | |
quick-connect | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/${QuickConnectId} | |
wildcard-quick-connect | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/* | |
contact-flow | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/${ContactFlowId} | |
task-template | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/task-template/${TaskTemplateId} | |
contact-flow-module | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/flow-module/${ContactFlowModuleId} | |
wildcard-contact-flow | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/* | |
hours-of-operation | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/operating-hours/${HoursOfOperationId} | |
agent-status | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-state/${AgentStatusId} | |
wildcard-agent-status | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-state/* | |
legacy-phone-number | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-number/${PhoneNumberId} | |
wildcard-legacy-phone-number | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-number/* | |
phone-number | arn:${Partition}:connect:${Region}:${Account}:phone-number/${PhoneNumberId} | |
wildcard-phone-number | arn:${Partition}:connect:${Region}:${Account}:phone-number/* | |
integration-association | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/integration-association/${IntegrationAssociationId} | |
use-case | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/use-case/${UseCaseId} | |
vocabulary | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/vocabulary/${VocabularyId} | |
traffic-distribution-group | arn:${Partition}:connect:${Region}:${Account}:traffic-distribution-group/${TrafficDistributionGroupId} | |
rule | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/rule/${RuleId} | |
evaluation-form | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/evaluation-form/${FormId} | |
contact-evaluation | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-evaluation/${EvaluationId} | |
prompt | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/prompt/${PromptId} | |
customer-managed-view | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/view/${ViewId} | |
aws-managed-view | arn:${Partition}:connect:${Region}:aws:view/${ViewId} | |
qualified-customer-managed-view | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/view/${ViewId}:${ViewQualifier} | |
qualified-aws-managed-view | arn:${Partition}:connect:${Region}:aws:view/${ViewId}:${ViewQualifier} | |
customer-managed-view-version | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/view/${ViewId}:${ViewVersion} | |
attached-file | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/file/${FileId} | |
Condition keys for Amazon Connect
Amazon Connect defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access by using tag key-value pairs in the request | String |
aws:ResourceTag/${TagKey} | Filters access by using tag key-value pairs attached to the resource | String |
aws:TagKeys | Filters access by using tag keys in the request | ArrayOfString |
connect:AssignmentType | Filters access by restricting access to create contacts based on Assignment Type | String |
connect:AttributeType | Filters access by the attribute type of the Amazon Connect instance | String |
connect:FlowType | Filters access by Flow type | ArrayOfString |
connect:InstanceId | Filters access by restricting federation into specified Amazon Connect instances | String |
connect:MonitorCapabilities | Filters access by restricting the monitor capabilities of the user in the request | ArrayOfString |
connect:SearchContactsByContactAnalysis | Filters access by restricting searches using analysis outputs from Amazon Connect Contact Lens | ArrayOfString |
connect:SearchTag/${TagKey} | Filters access by TagFilter condition passed in the search request | String |
connect:StorageResourceType | Filters access by restricting the storage resource type of the Amazon Connect instance storage configuration | String |
connect:Subtype | Filters access by restricting creation of a contact for specific subtypes | String |
connect:UserArn | Filters access by UserArn | ARN |