AWS managed policies for Amazon Connect

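To add permissions to users, groups, and roles, it is more efficient to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWS managed policy: AmazonConnect_FullAccess

To allow full read/write access to Amazon Connect, you must attach two policies to your IAM users, groups, or roles. Attach the AmazonConnect_FullAccess policy and a custom policy with the following contents:

Custom policy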

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AttachAnyPolicyToAmazonConnectRole",
      "Effect": "Allow",
      "Action": "iam:PutRolePolicy",
      "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*"
    }
  ]
}

AmazonConnect_FullAccess policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "connect:*",
        "ds:CreateAlias",
        "ds:AuthorizeApplication",
        "ds:CreateIdentityPoolDirectory",
        "ds:DeleteDirectory",
        "ds:DescribeDirectories",
        "ds:UnauthorizeApplication",
        "firehose:DescribeDeliveryStream",
        "firehose:ListDeliveryStreams",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kms:DescribeKey",
        "kms:ListAliases",
        "lex:GetBots",
        "lex:ListBots",
        "lex:ListBotAliases",
        "logs:CreateLogGroup",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "lambda:ListFunctions",
        "ds:CheckAlias",
        "profile:ListAccountIntegrations",
        "profile:GetDomain",
        "profile:ListDomains",
        "profile:GetProfileObjectType",
        "profile:ListProfileObjectTypeTemplates"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "profile:AddProfileKey",
        "profile:CreateDomain",
        "profile:CreateProfile",
        "profile:DeleteDomain",
        "profile:DeleteIntegration",
        "profile:DeleteProfile",
        "profile:DeleteProfileKey",
        "profile:DeleteProfileObject",
        "profile:DeleteProfileObjectType",
        "profile:GetIntegration",
        "profile:GetMatches",
        "profile:GetProfileObjectType",
        "profile:ListIntegrations",
        "profile:ListProfileObjects",
        "profile:ListProfileObjectTypes",
        "profile:ListTagsForResource",
        "profile:MergeProfiles",
        "profile:PutIntegration",
        "profile:PutProfileObject",
        "profile:PutProfileObjectType",
        "profile:SearchProfiles",
        "profile:TagResource",
        "profile:UntagResource",
        "profile:UpdateDomain",
        "profile:UpdateProfile"
      ],
      "Resource": "arn:aws:profile:*:*:domains/amazon-connect-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::amazon-connect-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "servicequotas:GetServiceQuota"
      ],
      "Resource": "arn:aws:servicequotas:*:*:connect/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "connect.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:DeleteServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/profile.amazonaws.com/*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "profile.amazonaws.com"
        }
      }
    }
  ]
}

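To allow a user to create an instance, ensure that they have the permissions granted by the AmazonConnect_FullAccess policy.

When you use the AmazonConnect_FullAccess policy, note the following:

  • iam:PutRolePolicy allows the user who gets that policy to configure any resource in the account to work with an Amazon Connect instance. Because it grants such broad permissions, assign it only when necessary. Instead, create the service-linked role with access to the necessary resources, and let the user have access to pass the service-linked role to Amazon Connect (which is granted by the AmazonConnect_FullAccess policy).

  • Additional privileges are required to create an Amazon S3 bucket with a name of your choosing, or to use an existing bucket while creating or updating an instance from the Amazon Connect admin website. If you choose default storage locations for your call recordings, chat transcripts, call transcripts, and other data, the system prepends "amazon-connect-" to the names of those objects.

  • The aws/connect KMS key is available to use as a default encryption option. To use a custom encryption key, assign users additional KMS privileges.

  • Assign users additional privileges to attach other AWS resources, such as Amazon Polly, Live Media Streaming, Data Streaming, and Lex bots, to their Amazon Connect instances.

For more information and detailed permissions, see Required permissions for using custom IAM policies to manage access to the Amazon Connect admin website.

AWS managed policy: AmazonConnectReadOnlyAccess

To allow read-only access, you only need to attach the AmazonConnectReadOnlyAccess policy.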

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowConnectReadOnly",
      "Effect": "Allow",
      "Action": [
        "connect:Get*",
        "connect:Describe*",
        "connect:List*",
        "ds:DescribeDirectories"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyConnectEmergencyAccess",
      "Effect": "Deny",
      "Action": "connect:AdminGetEmergencyAccessToken",
      "Resource": "*"
    }
  ]
}
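
The following added example (not part of the AWS documentation) runs a simplified model of IAM identity-policy evaluation over the AmazonConnectReadOnlyAccess statements above, alone and together with the connect:* grant from AmazonConnect_FullAccess, to show what the DenyConnectEmergencyAccess statement does when both policies are attached. The function names, the sample instance ARN, and the restriction to Action/Resource matching (no Condition, NotAction, or NotResource) are assumptions of the example.

```python
import re

# Statements copied from the policies on this page. AmazonConnect_FullAccess is
# reduced to the "connect:*" grant from its first statement.
READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowConnectReadOnly", "Effect": "Allow",
         "Action": ["connect:Get*", "connect:Describe*", "connect:List*",
                    "ds:DescribeDirectories"],
         "Resource": "*"},
        {"Sid": "DenyConnectEmergencyAccess", "Effect": "Deny",
         "Action": "connect:AdminGetEmergencyAccessToken", "Resource": "*"},
    ],
}
FULL_ACCESS_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["connect:*"], "Resource": "*"}],
}
# Constructed sample ARN; the account and instance IDs are placeholders.
INSTANCE = "arn:aws:connect:us-east-1:111122223333:instance/EXAMPLE-INSTANCE-ID"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case):
    # IAM wildcards: "*" is any run of characters, "?" is exactly one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None


def _covers(stmt, action, resource):
    if any(key in stmt for key in ("Condition", "NotAction", "NotResource")):
        raise NotImplementedError("element outside this simplified model")
    # Action names are matched case-insensitively, resource ARNs exactly.
    return (any(_glob(p, action, True) for p in _as_list(stmt["Action"]))
            and any(_glob(p, resource, False) for p in _as_list(stmt["Resource"])))


def evaluate(policies, action, resource=INSTANCE):
    """Decide one request against the identity policies attached to a principal.

    Simplified model: an explicit Deny in any policy wins, otherwise a matching
    Allow grants the request, otherwise the request is implicitly denied.
    """
    decision = "implicit-deny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _covers(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"
            decision = "allow"
    return decision


def summarize(policies, actions):
    """Map each probed action to its decision for the given set of policies."""
    return {action: evaluate(policies, action) for action in actions}


if __name__ == "__main__":
    probes = ["connect:ListUsers", "connect:CreateUser",
              "connect:AdminGetEmergencyAccessToken"]
    for name, attached in (("read-only", [READ_ONLY]),
                           ("full-access excerpt", [FULL_ACCESS_EXCERPT]),
                           ("both attached", [READ_ONLY, FULL_ACCESS_EXCERPT])):
        print(name, summarize(attached, probes))
```

Under this model, a principal with both policies attached can create users through connect:* but is still refused connect:AdminGetEmergencyAccessToken, because the explicit Deny overrides the broader Allow.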

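AWS managed policy: AmazonConnectServiceLinkedRolePolicy

The AmazonConnectServiceLinkedRolePolicy role permissions policy allows Amazon Connect to complete the following actions on the specified resources. As you enable additional features in Amazon Connect, additional permissions are added for the AWSServiceRoleForAmazonConnect service-linked role to access the resources associated with those features: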

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowConnectActions",
      "Effect": "Allow",
      "Action": [
        "connect:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowDeleteSLR",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteRole"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect_*"
    },
    {
      "Sid": "AllowS3ObjectForConnectBucket",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::amazon-connect-*/*"
      ]
    },
    {
      "Sid": "AllowGetBucketMetadataForConnectBucket",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetBucketAcl"
      ],
      "Resource": [
        "arn:aws:s3:::amazon-connect-*"
      ]
    },
    {
      "Sid": "AllowConnectLogGroupAccess",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/connect/*:*"
      ]
    },
    {
      "Sid": "AllowListLexBotAccess",
      "Effect": "Allow",
      "Action": [
        "lex:ListBots",
        "lex:ListBotAliases"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCustomerProfilesForConnectDomain",
      "Effect": "Allow",
      "Action": [
        "profile:SearchProfiles",
        "profile:CreateProfile",
        "profile:UpdateProfile",
        "profile:AddProfileKey",
        "profile:ListProfileObjectTypes",
        "profile:ListCalculatedAttributeDefinitions",
        "profile:ListCalculatedAttributesForProfile",
        "profile:GetDomain",
        "profile:ListIntegrations",
        "profile:ListSegmentDefinitions",
        "profile:ListProfileAttributeValues",
        "profile:CreateSegmentEstimate",
        "profile:GetSegmentEstimate",
        "profile:BatchGetProfile",
        "profile:BatchGetCalculatedAttributeForProfile",
        "profile:GetSegmentMembership"
      ],
      "Resource": "arn:aws:profile:*:*:domains/amazon-connect-*"
    },
    {
      "Sid": "AllowReadPermissionForCustomerProfileObjects",
      "Effect": "Allow",
      "Action": [
        "profile:ListProfileObjects",
        "profile:GetProfileObjectType",
        "profile:ListObjectTypeAttributes"
      ],
      "Resource": [
        "arn:aws:profile:*:*:domains/amazon-connect-*/object-types/*"
      ]
    },
    {
      "Sid": "AllowListIntegrationForCustomerProfile",
      "Effect": "Allow",
      "Action": [
        "profile:ListAccountIntegrations"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadForCustomerProfileObjectTemplates",
      "Effect": "Allow",
      "Action": [
        "profile:ListProfileObjectTypeTemplates",
        "profile:GetProfileObjectTypeTemplate"
      ],
      "Resource": "arn:aws:profile:*:*:/templates*"
    },
    {
      "Sid": "AllowWisdomForConnectEnabledTaggedResources",
      "Effect": "Allow",
      "Action": [
        "wisdom:CreateContent",
        "wisdom:DeleteContent",
        "wisdom:CreateKnowledgeBase",
        "wisdom:GetAssistant",
        "wisdom:GetKnowledgeBase",
        "wisdom:GetContent",
        "wisdom:GetRecommendations",
        "wisdom:GetSession",
        "wisdom:NotifyRecommendationsReceived",
        "wisdom:QueryAssistant",
        "wisdom:StartContentUpload",
        "wisdom:UpdateContent",
        "wisdom:UntagResource",
        "wisdom:TagResource",
        "wisdom:CreateSession",
        "wisdom:CreateQuickResponse",
        "wisdom:GetQuickResponse",
        "wisdom:SearchQuickResponses",
        "wisdom:StartImportJob",
        "wisdom:GetImportJob",
        "wisdom:ListImportJobs",
        "wisdom:ListQuickResponses",
        "wisdom:UpdateQuickResponse",
        "wisdom:DeleteQuickResponse",
        "wisdom:PutFeedback",
        "wisdom:ListContentAssociations",
        "wisdom:CreateMessageTemplate",
        "wisdom:UpdateMessageTemplate",
        "wisdom:UpdateMessageTemplateMetadata",
        "wisdom:GetMessageTemplate",
        "wisdom:DeleteMessageTemplate",
        "wisdom:ListMessageTemplates",
        "wisdom:SearchMessageTemplates",
        "wisdom:ActivateMessageTemplate",
        "wisdom:DeactivateMessageTemplate",
        "wisdom:CreateMessageTemplateVersion",
        "wisdom:ListMessageTemplateVersions",
        "wisdom:CreateMessageTemplateAttachment",
        "wisdom:DeleteMessageTemplateAttachment",
        "wisdom:RenderMessageTemplate"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/AmazonConnectEnabled": "True"
        }
      }
    },
    {
      "Sid": "AllowListOperationForWisdom",
      "Effect": "Allow",
      "Action": [
        "wisdom:ListAssistants",
        "wisdom:ListKnowledgeBases"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCustomerProfilesCalculatedAttributesForConnectDomain",
      "Effect": "Allow",
      "Action": [
        "profile:GetCalculatedAttributeForProfile",
        "profile:CreateCalculatedAttributeDefinition",
        "profile:DeleteCalculatedAttributeDefinition",
        "profile:GetCalculatedAttributeDefinition",
        "profile:UpdateCalculatedAttributeDefinition"
      ],
      "Resource": [
        "arn:aws:profile:*:*:domains/amazon-connect-*/calculated-attributes/*"
      ]
    },
    {
      "Sid": "AllowCustomerProfilesSegmentationForConnectDomain",
      "Effect": "Allow",
      "Action": [
        "profile:CreateSegmentDefinition",
        "profile:GetSegmentDefinition",
        "profile:DeleteSegmentDefinition",
        "profile:CreateSegmentSnapshot",
        "profile:GetSegmentSnapshot"
      ],
      "Resource": [
        "arn:aws:profile:*:*:domains/amazon-connect-*/segment-definitions/*"
      ]
    },
    {
      "Sid": "AllowPutMetricsForConnectNamespace",
      "Effect": "Allow",
      "Action": "cloudwatch:PutMetricData",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "AWS/Connect"
        }
      }
    },
    {
      "Sid": "AllowSMSVoiceOperationsForConnect",
      "Effect": "Allow",
      "Action": [
        "sms-voice:SendTextMessage",
        "sms-voice:DescribePhoneNumbers"
      ],
      "Resource": "arn:aws:sms-voice:*:*:phone-number/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowCognitoForConnectEnabledTaggedResources",
      "Effect": "Allow",
      "Action": [
        "cognito-idp:DescribeUserPool",
        "cognito-idp:ListUserPoolClients"
      ],
      "Resource": "arn:aws:cognito-idp:*:*:userpool/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/AmazonConnectEnabled": "True"
        }
      }
    },
    {
      "Sid": "AllowWritePermissionForCustomerProfileObjects",
      "Effect": "Allow",
      "Action": [
        "profile:PutProfileObject"
      ],
      "Resource": [
        "arn:aws:profile:*:*:domains/amazon-connect-*/object-types/*"
      ]
    },
    {
      "Sid": "AllowChimeSDKVoiceConnectorGetOperationForConnect",
      "Effect": "Allow",
      "Action": [
        "chime:GetVoiceConnector"
      ],
      "Resource": "arn:aws:chime:*:*:vc/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/AmazonConnectEnabled": "True",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowChimeSDKVoiceConnectorListOperationForConnect",
      "Effect": "Allow",
      "Action": [
        "chime:ListVoiceConnectors"
      ],
      "Resource": "arn:aws:chime:*:*:vc/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}

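AWS managed policy: AmazonConnectCampaignsServiceLinkedRolePolicy

The AmazonConnectCampaignsServiceLinkedRolePolicy role permissions policy allows Amazon Connect outbound campaigns to complete the following actions on the specified resources: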

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "connect-campaigns:ListCampaigns"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "connect:BatchPutContact",
        "connect:StopContact"
      ],
      "Resource": "arn:aws:connect:*:*:instance/*"
    }
  ]
}

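AWS managed policy: AmazonConnectVoiceIDFullAccess

To allow full access to Amazon Connect Voice ID, you must attach two policies to your users, groups, or roles. Attach the AmazonConnectVoiceIDFullAccess policy and the following custom policy contents to access Voice ID through the Amazon Connect admin website: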

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AttachAnyPolicyToAmazonConnectRole",
      "Effect": "Allow",
      "Action": "iam:PutRolePolicy",
      "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "connect:CreateIntegrationAssociation",
        "connect:DeleteIntegrationAssociation",
        "connect:ListIntegrationAssociations"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "events:ManagedBy": "connect.amazonaws.com"
        }
      }
    }
  ]
}

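The manual policy configures the following:

  • iam:PutRolePolicy allows the user who gets that policy to configure any resource in the account to work with an Amazon Connect instance. Because it grants such broad permissions, assign it only when necessary.

  • To attach a Voice ID domain with an Amazon Connect instance, you need additional Amazon Connect and Amazon EventBridge privileges. You need privileges to call Amazon Connect APIs to create, delete, and list integration associations. You need EventBridge permissions to create and delete the EventBridge rules that are used to provide contact records related to Voice ID.

Because there is no default encryption option, to use your customer managed key with Amazon Connect Voice ID, the following API operations must be allowed in the key policy. In addition, you must add these permissions on the relevant key. They are not included in the managed policy.

  • kms:Decrypt – to access or store encrypted data.

  • kms:CreateGrant – when creating or updating a domain, used to create a grant to the customer managed key for the Voice ID domain. The grant controls access to the specified KMS key that allows access to the grant operations that Amazon Connect Voice ID requires. For more information about using grants, see Using grants in the AWS Key Management Service Developer Guide.

  • kms:DescribeKey – when creating or updating a domain, allows determining the ARN for the KMS key that you have provided.

For more information about creating domains and KMS keys, see Get started enabling Voice ID in Amazon Connect and Encryption at rest in Amazon Connect.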
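
The following added example (not part of the AWS documentation) checks a KMS key policy for the three actions listed above before the key is used with a Voice ID domain. The sample key policy, the account ID, the role name, and the function names are constructed for illustration; only statements that name the principal directly or use "*" are considered, and an Allow that carries a Condition is reported as conditional rather than evaluated.

```python
import re

# The three KMS actions this page says the key policy must allow for Voice ID.
REQUIRED_ACTIONS = ("kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey")

# Constructed sample key policy; the account ID and role name are placeholders.
ADMIN = "arn:aws:iam::111122223333:role/ExampleVoiceIdAdmin"
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VoiceIdAdminMetadata", "Effect": "Allow",
         "Principal": {"AWS": ADMIN},
         "Action": ["kms:DescribeKey", "kms:List*"], "Resource": "*"},
        {"Sid": "VoiceIdAdminGrants", "Effect": "Allow",
         "Principal": {"AWS": [ADMIN]},
         "Action": "kms:CreateGrant", "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # "*" matches any run of characters, "?" one character; names ignore case.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _applies_to(statement, principal_arn):
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = _as_list(principal.get("AWS", []))
        return "*" in aws or principal_arn in aws
    return False


def check_key_policy(key_policy, principal_arn):
    """Sort the required actions into allowed, conditional and missing."""
    result = {"allowed": [], "conditional": [], "missing": []}
    for action in REQUIRED_ACTIONS:
        state = "missing"
        for stmt in _as_list(key_policy["Statement"]):
            if not _applies_to(stmt, principal_arn):
                continue
            patterns = _as_list(stmt.get("Action", []))
            if not any(_action_matches(p, action) for p in patterns):
                continue
            if stmt["Effect"] == "Deny":
                # Conservative: any matching Deny counts, even a conditional one.
                state = "missing"
                break
            if "Condition" not in stmt:
                state = "allowed"
            elif state == "missing":
                state = "conditional"
        result[state].append(action)
    return result


if __name__ == "__main__":
    report = check_key_policy(SAMPLE_KEY_POLICY, ADMIN)
    for state, actions in report.items():
        print(f"{state}: {', '.join(actions) or '-'}")
```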

AWS managed policy: CustomerProfilesServiceLinkedRolePolicy

To allow Amazon Connect Customer Profiles to publish CloudWatch metrics to your account, you must attach the CustomerProfilesServiceLinkedRolePolicy managed policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "AWS/CustomerProfiles"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:DeleteRole"
      ],
      "Resource": "arn:aws:iam:::role/aws-service-role/profile.amazonaws.com/AWSServiceRoleForProfile_*"
    }
  ]
}

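AWS managed policy: AmazonConnectSynchronizationServiceRolePolicy

The AmazonConnectSynchronizationServiceRolePolicy permissions policy allows Amazon Connect Managed Synchronization to complete the following read, write, update, and delete actions on the specified resources. As resource synchronization is enabled for more resources, additional permissions are added to the AWSServiceRoleForAmazonConnectSynchronization service-linked role to access those resources.

The AmazonConnectSynchronizationServiceRolePolicy permissions policy is grouped into the following sets of permissions.

  • connect – Connect permissions for synchronizing Connect configurations and resources.

  • cloudwatch – CloudWatch permissions to publish Amazon Connect usage metrics for the instances in your account.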

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowConnectActions",
      "Effect": "Allow",
      "Action": [
        "connect:CreateUser*",
        "connect:UpdateUser*",
        "connect:DeleteUser*",
        "connect:DescribeUser*",
        "connect:ListUser*",
        "connect:CreateRoutingProfile",
        "connect:UpdateRoutingProfile*",
        "connect:DeleteRoutingProfile",
        "connect:DescribeRoutingProfile",
        "connect:ListRoutingProfile*",
        "connect:CreateAgentStatus",
        "connect:UpdateAgentStatus",
        "connect:DescribeAgentStatus",
        "connect:ListAgentStatuses",
        "connect:CreateQuickConnect",
        "connect:UpdateQuickConnect*",
        "connect:DeleteQuickConnect",
        "connect:DescribeQuickConnect",
        "connect:ListQuickConnects",
        "connect:CreateHoursOfOperation",
        "connect:UpdateHoursOfOperation",
        "connect:DeleteHoursOfOperation",
        "connect:DescribeHoursOfOperation",
        "connect:ListHoursOfOperations",
        "connect:CreateQueue",
        "connect:UpdateQueue*",
        "connect:DeleteQueue",
        "connect:DescribeQueue",
        "connect:ListQueue*",
        "connect:CreatePrompt",
        "connect:UpdatePrompt",
        "connect:DeletePrompt",
        "connect:DescribePrompt",
        "connect:ListPrompts",
        "connect:GetPromptFile",
        "connect:CreateSecurityProfile",
        "connect:UpdateSecurityProfile",
        "connect:DeleteSecurityProfile",
        "connect:DescribeSecurityProfile",
        "connect:ListSecurityProfile*",
        "connect:CreateContactFlow*",
        "connect:UpdateContactFlow*",
        "connect:DeleteContactFlow*",
        "connect:DescribeContactFlow*",
        "connect:ListContactFlow*",
        "connect:BatchGetFlowAssociation",
        "connect:CreatePredefinedAttribute",
        "connect:UpdatePredefinedAttribute",
        "connect:DeletePredefinedAttribute",
        "connect:DescribePredefinedAttribute",
        "connect:ListPredefinedAttributes",
        "connect:ListTagsForResource",
        "connect:TagResource",
        "connect:UntagResource",
        "connect:ListTrafficDistributionGroups",
        "connect:ListPhoneNumbersV2",
        "connect:UpdatePhoneNumber",
        "connect:DescribePhoneNumber",
        "connect:AssociatePhoneNumberContactFlow",
        "connect:DisassociatePhoneNumberContactFlow",
        "connect:AssociateRoutingProfileQueues",
        "connect:DisassociateQueueQuickConnects",
        "connect:AssociateQueueQuickConnects",
        "connect:DisassociateUserProficiencies",
        "connect:AssociateUserProficiencies",
        "connect:DisassociateRoutingProfileQueues",
        "connect:CreateAuthenticationProfile",
        "connect:UpdateAuthenticationProfile",
        "connect:DescribeAuthenticationProfile",
        "connect:ListAuthenticationProfiles",
        "connect:CreateHoursOfOperationOverride",
        "connect:UpdateHoursOfOperationOverride",
        "connect:DeleteHoursOfOperationOverride",
        "connect:DescribeHoursOfOperationOverride",
        "connect:ListHoursOfOperationOverrides"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowPutMetricsForConnectNamespace",
      "Effect": "Allow",
      "Action": "cloudwatch:PutMetricData",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "AWS/Connect"
        }
      }
    }
  ]
}

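Amazon Connect updates to AWS managed policies

View details about updates to AWS managed policies for Amazon Connect since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Connect Document history page.

Change Description Date

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Chime SDK Voice Connector

Added the following Amazon Chime SDK Voice Connector actions to the service-linked role policy. These actions allow Amazon Connect to get Amazon Chime Voice Connector information by using the get and list Amazon Chime SDK Voice Connector APIs:

  • chime:GetVoiceConnector: Allows Amazon Connect to call the GetVoiceConnector API on any Amazon Chime SDK Voice Connector that has the 'AmazonConnectEnabled':'True' resource tag.

  • chime:ListVoiceConnectors: Allows Amazon Connect to list all Amazon Chime SDK Voice Connectors created by the account in all Regions.

October 25, 2024

AmazonConnectSynchronizationServiceRolePolicy – Added for Managed Synchronization

Added the following actions to the service-linked role managed policy to support the launch of the HoursOfOperationOverride attribute.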

  • connect:CreateHoursOfOperationOverride

  • connect:UpdateHoursOfOperationOverride

  • connect:DeleteHoursOfOperationOverride

  • connect:DescribeHoursOfOperationOverride

  • connect:ListHoursOfOperationOverrides

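September 25, 2024

AmazonConnectSynchronizationServiceRolePolicy – Added for Managed Synchronization

Added the following actions to the service-linked role managed policy for Managed Synchronization: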

  • connect:AssociatePhoneNumberContactFlow

  • connect:DisassociatePhoneNumberContactFlow

  • connect:AssociateRoutingProfileQueues

  • connect:DisassociateQueueQuickConnects

  • connect:AssociateQueueQuickConnects

  • connect:DisassociateUserProficiencies

  • connect:AssociateUserProficiencies

  • connect:DisassociateRoutingProfileQueues

  • connect:CreateAuthenticationProfile

  • connect:UpdateAuthenticationProfile

  • connect:DescribeAuthenticationProfile

  • connect:ListAuthenticationProfiles

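July 5, 2024

AmazonConnectReadOnlyAccess – Renamed action connect:GetFederationTokens to connect:AdminGetEmergencyAccessToken

The AmazonConnectReadOnlyAccess managed policy has been updated because the Amazon Connect action connect:GetFederationTokens was renamed to connect:AdminGetEmergencyAccessToken. This change is backward compatible, and the connect:AdminGetEmergencyAccessToken action functions in the same way as the connect:GetFederationTokens action. If you keep the previously named connect:GetFederationTokens action in your policies, it will continue to function as expected.

June 15, 2024

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Cognito user pools and Amazon Connect Customer Profiles

Added the following Amazon Cognito user pool actions to the service-linked role policy to allow select read operations on Cognito user pool resources that have the AmazonConnectEnabled resource tag. This tag is put on the resource when the CreateIntegrationAssociations API is called: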

  • cognito-idp:DescribeUserPool

  • cognito-idp:ListUserPoolClients

Added the following Amazon Connect Customer Profiles action to the service-linked role policy to allow permissions to put data into the Connect adjacent service, Customer Profiles:

  • profile:PutProfileObject

May 23, 2024

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Q in Connect

Allows the following action to be performed on Amazon Q in Connect resources that have the resource tag 'AmazonConnectEnabled':'True' in Amazon Q in Connect knowledge bases:

  • wisdom:ListContentAssociations

May 20, 2024

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Pinpoint

Added the following actions to the service-linked role policy to use Amazon Pinpoint phone numbers to allow Amazon Connect to send SMS:

  • sms:DescribePhoneNumbers

  • sms:SendTextMessage

November 17, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Q in Connect

Allows the following action to be performed on Amazon Q in Connect resources that have the resource tag 'AmazonConnectEnabled':'True' in Amazon Q in Connect knowledge bases:

  • wisdom:PutFeedback

November 15, 2023

AmazonConnectCampaignsServiceLinkedRolePolicy – Added actions for Amazon Connect

Amazon Connect added new actions to retrieve outbound campaigns:

  • connect:BatchPutContact

  • connect:StopContact

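November 8, 2023

AmazonConnectSynchronizationServiceRolePolicy – Added new AWS managed policy

Added a new service-linked role managed policy for Managed Synchronization.

The policy provides access to read, create, update, and delete Amazon Connect resources and is used to automatically synchronize AWS resources across AWS Regions.

November 3, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Customer Profiles

Added the following actions to manage Amazon Connect Customer Profiles service-linked roles: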

  • profile:ListCalculatedAttributesForProfile

  • profile:GetDomain

  • profile:ListIntegrations

  • profile:CreateCalculatedAttributeDefinition

  • profile:DeleteCalculatedAttributeDefinition

  • profile:GetCalculatedAttributeDefinition

  • profile:UpdateCalculatedAttributeDefinition

October 30, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Q in Connect

Allows the following actions to be performed on Amazon Q in Connect resources that have the resource tag 'AmazonConnectEnabled':'True' in Amazon Q in Connect knowledge bases:

  • wisdom:CreateQuickResponse

  • wisdom:GetQuickResponse

  • wisdom:SearchQuickResponses

  • wisdom:StartImportJob

  • wisdom:GetImportJob

  • wisdom:ListImportJobs

  • wisdom:ListQuickResponses

  • wisdom:UpdateQuickResponse

  • wisdom:DeleteQuickResponse

October 25, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Customer Profiles

Added the following actions to manage Amazon Connect Customer Profiles service-linked roles:

  • profile:ListCalculatedAttributeDefinitions

  • profile:GetCalculatedAttributeForProfile

October 6, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Q in Connect

Allows the following actions to be performed on Amazon Q in Connect resources that have the resource tag 'AmazonConnectEnabled':'True' in Amazon Q in Connect knowledge bases and assistants:

  • wisdom:CreateContent

  • wisdom:DeleteContent

  • wisdom:CreateKnowledgeBase

  • wisdom:GetAssistant

  • wisdom:GetKnowledgeBase

  • wisdom:GetContent

  • wisdom:GetRecommendations

  • wisdom:GetSession

  • wisdom:NotifyRecommendationsReceived

  • wisdom:QueryAssistant

  • wisdom:StartContentUpload

  • wisdom:UntagResource

  • wisdom:TagResource

  • wisdom:CreateSession

Allows the following List actions to be performed on all Amazon Q in Connect resources:

  • wisdom:ListAssistants

  • wisdom:KnowledgeBases

September 29, 2023

CustomerProfilesServiceLinkedRolePolicy – Added CustomerProfilesServiceLinkedRolePolicy

New managed policy.

March 7, 2023

AmazonConnect_FullAccess – Added permission for managing Amazon Connect Customer Profiles service-linked roles

Added the following action to manage Amazon Connect Customer Profiles service-linked roles.

  • iam:CreateServiceLinkedRole – Allows you to create a service-linked role for Customer Profiles.

January 26, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon CloudWatch

Added the following action to publish Amazon Connect usage metrics for an instance to your account.

  • cloudwatch:PutMetricData

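February 22, 2022

AmazonConnect_FullAccess – Added permissions for managing Amazon Connect Customer Profiles domains

Added all permissions for managing Amazon Connect Customer Profiles domains that are created for new Amazon Connect instances.

  • profile:ListAccountIntegrations – Lists all the integrations associated with a specific URI in the AWS account.

  • profile:ListDomains – Returns a list of all the domains for an AWS account that have been created.

  • profile:GetDomain – Returns information about a specific domain.

  • profile:ListProfileObjectTypeTemplates – Allows the Amazon Connect admin website to display the list of templates that you can use to create data mappings.

  • profile:GetObjectTypes – Allows you to view all the current object types (data mappings) that have been created.

The following permissions are allowed on domains with a name that is prefixed with amazon-connect-:

  • profile:AddProfileKey – Allows you to associate a new key value with a specific profile

  • profile:CreateDomain – Allows you to create a new domain

  • profile:CreateProfile – Allows you to create a new profile

  • profile:DeleteDomain – Allows you to delete a domain

  • profile:DeleteIntegration – Allows you to delete an integration with a domain

  • profile:DeleteProfile – Allows you to delete a profile

  • profile:DeleteProfileKey – Allows you to delete a profile key

  • profile:DeleteProfileObject – Allows you to delete a profile object

  • profile:DeleteProfileObjectType – Allows you to delete a profile object type

  • profile:GetIntegration – Allows you to retrieve information about an integration

  • profile:GetMatches – Allows you to retrieve possible profile matches

  • profile:GetProfileObjectType – Allows you to retrieve a profile object type

  • profile:ListIntegrations – Allows you to list integrations

  • profile:ListProfileObjects – Allows you to list profile objects

  • profile:ListProfileObjectTypes – Allows you to list profile object types

  • profile:ListTagsForResource – Allows you to list tags for a resource

  • profile:MergeProfiles – Allows you to merge profile matches

  • profile:PutIntegration – Allows you to add an integration between the service and a third-party service, which includes Amazon AppFlow and Amazon Connect

  • profile:PutProfileObject – Allows you to create and update objects

  • profile:PutProfileObjectType – Allows you to create and update object types

  • profile:SearchProfiles – Allows you to search for profiles

  • profile:TagResource – Allows you to tag a resource

  • profile:UntagResource – Allows you to untag a resource

  • profile:UpdateDomain – Allows you to update a domain

  • profile:UpdateProfile – Allows you to update a profile

November 12, 2021

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Connect Customer Profiles

Added the following actions so that Amazon Connect flows and the agent experience can interact with the profiles in your default Customer Profiles domain: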

  • profile:SearchProfiles

  • profile:CreateProfile

  • profile:UpdateProfile

  • profile:AddProfileKey

Added the following action so that Amazon Connect flows and the agent experience can interact with the profile objects in your default Customer Profiles domain:

  • profile:ListProfileObjects

Added the following action so that Amazon Connect flows and the agent experience can determine whether Customer Profiles is enabled for your Amazon Connect instance:

  • profile:ListAccountIntegrations

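November 12, 2021

AmazonConnectVoiceIDFullAccess – Added new AWS managed policy

Added a new AWS managed policy so that you can set up your users to use Amazon Connect Voice ID.

This policy provides full access to Amazon Connect Voice ID through the AWS console, SDK, or other means.

September 27, 2021

AmazonConnectCampaignsServiceLinkedRolePolicy – Added new service-linked role policy

Added a new service-linked role policy for outbound campaigns.

The policy provides access to retrieve all outbound campaigns.

September 27, 2021

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Lex

Added the following actions for all bots created in the account across all Regions. These actions were added to support integration with Amazon Lex.

  • lex:ListBots – Lists all bots available in a given Region for your account.

  • lex:ListBotAliases – Lists all aliases for a given bot.

June 15, 2021

AmazonConnect_FullAccess – Added actions for Amazon Lex

Added the following actions for all bots created in the account across all Regions. These actions were added to support integration with Amazon Lex.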

  • lex:ListBots

  • lex:ListBotAliases

June 15, 2021

Amazon Connect started tracking changes

Amazon Connect started tracking changes for its AWS managed policies.

June 15, 2021