Amazon Pinpoint
Developer Guide

IAM Policies for Amazon Pinpoint Users

You can add Amazon Pinpoint API actions to AWS Identity and Access Management (IAM) policies to allow or deny specific actions for Amazon Pinpoint users in your account. The Amazon Pinpoint API actions in your policies control what users can do in the Amazon Pinpoint console. These actions also control which programmatic requests users can make with the AWS SDKs, the AWS CLI, or the Amazon Pinpoint REST API.

In a policy, you specify each action with the mobiletargeting namespace followed by a colon and the name of the action, such as GetSegments. Most actions correspond to a request to the Amazon Pinpoint REST API using a specific URI and HTTP method. For example, if you allow the mobiletargeting:GetSegments action in a user's policy, the user is allowed to make an HTTP GET request against the /apps/{application-id}/segments URI. This policy also allows the user to view the segments for an app in the console, and to retrieve the segments by using an AWS SDK or the AWS CLI.

Each action is performed on a specific Amazon Pinpoint resource, which you identify in a policy statement by its Amazon Resource Name (ARN). For example, the mobiletargeting:GetSegments action is performed on a specific app, which you identify with the ARN, arn:aws:mobiletargeting:region:account-id:/apps/application-id.

You can refer generically to all Amazon Pinpoint actions or resources by using wildcards ("*"). For example, to allow all actions for all resources, include the following in a policy statement:

"Effect": "Allow",
"Action": "mobiletargeting:*",
"Resource": "*"

Example Policies

The following examples demonstrate how you can manage Amazon Pinpoint access with IAM policies.

Amazon Pinpoint Administrator

The following administrator policy allows full access to Amazon Pinpoint actions and resources:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mobiletargeting:*",
                "mobileanalytics:*"
            ],
            "Resource": "*"
        }
    ]
}

In addition to the Amazon Pinpoint actions, this policy allows all Amazon Mobile Analytics actions with mobileanalytics:*. Amazon Pinpoint and Amazon Mobile Analytics share data about your apps, so you must include permissions for both services in policies for Amazon Pinpoint users.

Read-Only Access

The following policy allows read-only access for all apps in an account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "mobiletargeting:GetEndpoint",
                "mobiletargeting:GetSegment*",
                "mobiletargeting:GetCampaign*",
                "mobiletargeting:GetImport*",
                "mobiletargeting:GetApnsChannel",
                "mobiletargeting:GetGcmChannel",
                "mobiletargeting:GetApplicationSettings",
                "mobiletargeting:GetEventStream"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:mobiletargeting:*:account-id:apps/*"
        },
        {
            "Action": "mobiletargeting:GetReports",
            "Effect": "Allow",
            "Resource": "arn:aws:mobiletargeting:*:account-id:reports"
        },
        {
            "Action": "mobileanalytics:ListApps",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
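To review what a wildcard such as mobiletargeting:GetSegment* actually grants, you can expand a policy's Allow patterns against the action names listed on this page. The following Python sketch is an added example, not part of the AWS documentation or any AWS tool; the function names are hypothetical, it ignores Deny, NotAction, Resource and Condition elements, and it classifies write actions by name prefix, an assumption that holds for the names on this page.

```python
import re

# Action names listed under "API Actions for IAM Policies" on this page.
PAGE_ACTIONS = ["mobiletargeting:" + name for name in """
GetEndpoint UpdateEndpoint UpdateEndpointsBatch CreateSegment DeleteSegment
GetSegment GetSegments GetSegmentImportJobs GetSegmentVersion GetSegmentVersions
UpdateSegment CreateCampaign DeleteCampaign GetCampaign GetCampaignActivities
GetCampaigns GetCampaignVersion GetCampaignVersions UpdateCampaign
CreateImportJob GetImportJob GetImportJobs DeleteApnsChannel GetApnsChannel
UpdateApnsChannel DeleteGcmChannel GetGcmChannel UpdateGcmChannel
GetApplicationSettings UpdateApplicationSettings DeleteEventStream
GetEventStream PutEventStream GetReports""".split()]
WRITE_PREFIXES = ("Create", "Update", "Delete", "Put")  # assumption: naming convention

# The read-only policy from this page, statements reduced to Effect and Action.
READ_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": [
        "mobiletargeting:GetEndpoint", "mobiletargeting:GetSegment*",
        "mobiletargeting:GetCampaign*", "mobiletargeting:GetImport*",
        "mobiletargeting:GetApnsChannel", "mobiletargeting:GetGcmChannel",
        "mobiletargeting:GetApplicationSettings", "mobiletargeting:GetEventStream"]},
    {"Effect": "Allow", "Action": "mobiletargeting:GetReports"},
    {"Effect": "Allow", "Action": "mobileanalytics:ListApps"}]}

def allow_patterns(policy):
    """Collect Action patterns from Allow statements; Action may be a string or a list."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            action = stmt.get("Action", [])
            patterns += [action] if isinstance(action, str) else list(action)
    return patterns

def matches(pattern, action):
    """IAM wildcards: '*' is any run of characters, '?' is one; case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def audit(policy, known=PAGE_ACTIONS):
    """Expand a policy's Allow patterns against the actions this page documents."""
    patterns = allow_patterns(policy)
    granted = [a for a in known if any(matches(p, a) for p in patterns)]
    writes = [a for a in granted if a.split(":", 1)[1].startswith(WRITE_PREFIXES)]
    # A mobiletargeting pattern that matches nothing is usually a typo.
    unmatched = [p for p in patterns if p.lower().startswith("mobiletargeting:")
                 and not any(matches(p, a) for a in known)]
    return {"granted": granted, "writes": writes, "unmatched": unmatched}

if __name__ == "__main__":
    report = audit(READ_ONLY)
    print(len(report["granted"]), "granted;", len(report["writes"]), "write actions")
```

A non-empty "writes" list for a policy meant to be read-only, or any entry in "unmatched", is worth checking before the policy is attached.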

API Actions for IAM Policies

You can add the following API actions to IAM policies to manage what Amazon Pinpoint users in your account are allowed to do.

mobiletargeting:GetEndpoint

Retrieve information about a specific endpoint.

mobiletargeting:UpdateEndpoint

Create an endpoint or update the information for an endpoint.

mobiletargeting:UpdateEndpointsBatch

Create or update endpoints as a batch operation.

mobiletargeting:CreateSegment

Create a segment that is based on endpoint data reported to Amazon Pinpoint by your app. To allow a user to create a segment by importing endpoint data from outside of Amazon Pinpoint, allow the mobiletargeting:CreateImportJob action.

mobiletargeting:DeleteSegment

Delete a specific segment.

mobiletargeting:GetSegment

Retrieve information about a specific segment.

mobiletargeting:GetSegments

Retrieve information about the segments for an app.

mobiletargeting:GetSegmentImportJobs

Retrieve information about jobs that create segments by importing endpoint definitions from Amazon S3.

mobiletargeting:GetSegmentVersion

Retrieve information about a specific segment version.

mobiletargeting:GetSegmentVersions

Retrieve information about the current and prior versions of a segment.

mobiletargeting:UpdateSegment

Update a specific segment.

mobiletargeting:CreateCampaign

Create a campaign for an app.

mobiletargeting:DeleteCampaign

Delete a specific campaign.

mobiletargeting:GetCampaign

Retrieve information about a specific campaign.

mobiletargeting:GetCampaignActivities

Retrieve information about the activities performed by a campaign.

mobiletargeting:GetCampaigns

Retrieve information about all campaigns for an app.

mobiletargeting:GetCampaignVersion

Retrieve information about a specific campaign version.

mobiletargeting:GetCampaignVersions

Retrieve information about the current and prior versions of a campaign.

mobiletargeting:UpdateCampaign

Update a specific campaign.

mobiletargeting:CreateImportJob

Import endpoint definitions from Amazon S3 to create a segment.

mobiletargeting:GetImportJob

Retrieve information about a specific import job.

mobiletargeting:GetImportJobs

Retrieve information about all import jobs for an app.

mobiletargeting:DeleteApnsChannel

Delete the APNs channel for an app.

mobiletargeting:GetApnsChannel

Retrieve information about the APNs channel for an app.

mobiletargeting:UpdateApnsChannel

Update the Apple Push Notification service (APNs) certificate and private key, which allow Amazon Pinpoint to send push notifications to your iOS app.

mobiletargeting:DeleteGcmChannel

Delete the GCM channel for an app.

mobiletargeting:GetGcmChannel

Retrieve information about the GCM channel for an app.

mobiletargeting:UpdateGcmChannel

Update the Firebase Cloud Messaging (FCM) or Google Cloud Messaging (GCM) API key, which allows Amazon Pinpoint to send push notifications to your Android app.

mobiletargeting:GetApplicationSettings

Retrieve the default settings for an app.

mobiletargeting:UpdateApplicationSettings

Update the default settings for an app.

mobiletargeting:DeleteEventStream

Delete the event stream for an app.

mobiletargeting:GetEventStream

Retrieve information about the event stream for an app.

mobiletargeting:PutEventStream

Create or update an event stream for an app.

mobiletargeting:GetReports

View analytics in the Amazon Pinpoint console.

  • URI – Not applicable

  • Method – Not applicable

  • Resource ARN – arn:aws:mobiletargeting:region:account-id:reports