Actions, resources, and condition keys for Amazon Connect - AWS Identity and Access Management

Amazon Connect (service prefix: connect) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon Connect

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If a resource type is optional (not indicated as required), you can choose to include it or leave it out; required resource types must always be covered by the statement's Resource element.

For details about the columns in the following table, see The actions table.

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AssociateRoutingProfileQueues | Grants permissions to associate queues with a routing profile in an Amazon Connect instance. | Write | queue*, routing-profile* | aws:ResourceTag/${TagKey} | -
CreateContactFlow | Grants permissions to create a contact flow in an Amazon Connect instance. | Write | contact-flow* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateInstance | Grants permissions to create a new Amazon Connect instance. The associated required actions grant permissions to configure instance settings. | Write | - | - | ds:CreateAlias, ds:DeleteDirectory, ds:DescribeDirectories, firehose:DescribeDeliveryStream, firehose:ListDeliveryStreams, iam:CreateServiceLinkedRole, kinesis:DescribeStream, kinesis:ListStreams, kms:CreateGrant, kms:DescribeKey, kms:ListAliases, kms:RetireGrant, s3:CreateBucket, s3:GetBucketLocation, s3:ListAllMyBuckets
CreateRoutingProfile | Grants permission to create a routing profile in an Amazon Connect instance. | Write | queue*, routing-profile* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateUser | Grants permission to create a user for the specified Amazon Connect instance. | Write | routing-profile*, security-profile*, user*, hierarchy-group | aws:RequestTag/${TagKey}, aws:TagKeys | -
DeleteUser | Grants permissions to delete a user in an Amazon Connect instance. | Write | user* | aws:ResourceTag/${TagKey} | -
DescribeContactFlow | Grants permissions to describe a contact flow in an Amazon Connect instance. | Read | contact-flow* | aws:ResourceTag/${TagKey} | -
DescribeInstance | Grants permissions to view details of an Amazon Connect instance. This is required to create an instance. | Read | instance* | - | firehose:DescribeDeliveryStream, firehose:ListDeliveryStreams, kinesis:DescribeStream, kinesis:ListStreams, kms:DescribeKey, kms:ListAliases, s3:ListAllMyBuckets
DescribeRoutingProfile | Grants permissions to describe a routing profile in an Amazon Connect instance. | Read | routing-profile* | aws:ResourceTag/${TagKey} | -
DescribeUser | Grants permissions to describe a user in an Amazon Connect instance. | Read | user* | aws:ResourceTag/${TagKey} | -
DescribeUserHierarchyGroup | Grants permissions to describe a hierarchy group for an Amazon Connect instance. | Read | hierarchy-group* | - | -
DescribeUserHierarchyStructure | Grants permissions to describe the hierarchy structure for an Amazon Connect instance. | Read | instance* | - | -
DestroyInstance | Grants permissions to delete an Amazon Connect instance. When you remove an instance, the link to an existing AWS directory is also removed. | Write | instance* | - | -
DisassociateRoutingProfileQueues | Grants permissions to disassociate queues from a routing profile in an Amazon Connect instance. | Write | routing-profile* | aws:ResourceTag/${TagKey} | -
GetContactAttributes | Grants permissions to retrieve the contact attributes for the specified contact. | Read | contact* | - | -
GetCurrentMetricData | Grants permissions to retrieve current metric data for the queues in an Amazon Connect instance. | Read | queue* | - | -
GetFederationToken | Allows federation into an instance when using SAML-based authentication for identity management. | Read | instance* | - | -
GetFederationTokens | Grants permissions to federate into an Amazon Connect instance (the "Log in as administrator" functionality in the AWS console). | Write | instance* | - | connect:DescribeInstance, connect:ListInstances, ds:DescribeDirectories
GetMetricData | Grants permissions to retrieve historical metric data for queues in an Amazon Connect instance. | Read | queue* | - | -
ListContactFlows | Grants permissions to list contact flow resources in an Amazon Connect instance. | List | instance* | - | -
ListHoursOfOperations | Grants permissions to list hours of operation resources in an Amazon Connect instance. | List | instance* | - | -
ListInstances | Grants permissions to view the Amazon Connect instances associated with an AWS account. | List | - | - | -
ListPhoneNumbers | Grants permissions to list phone number resources in an Amazon Connect instance. | List | instance* | - | -
ListPrompts | Grants permissions to list prompt resources in an Amazon Connect instance. | List | instance* | - | -
ListQueues | Grants permissions to list queue resources in an Amazon Connect instance. | List | instance* | - | -
ListRoutingProfileQueues | Grants permissions to list queue resources in a routing profile in an Amazon Connect instance. | Read | routing-profile* | aws:ResourceTag/${TagKey} | -
ListRoutingProfiles | Grants permissions to list routing profile resources in an Amazon Connect instance. | List | instance* | - | -
ListSecurityProfiles | Grants permissions to list security profile resources in an Amazon Connect instance. | List | instance* | - | -
ListTagsForResource | Grants permissions to list tags for an Amazon Connect resource. | Read | contact-flow, routing-profile, user | aws:ResourceTag/${TagKey} | -
ListUserHierarchyGroups | Grants permissions to list the hierarchy group resources in an Amazon Connect instance. | List | instance* | - | -
ListUsers | Grants permissions to list user resources in an Amazon Connect instance. | List | instance* | - | -
ModifyInstance | Grants permissions to modify configuration settings for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | - | firehose:DescribeDeliveryStream, firehose:ListDeliveryStreams, kinesis:DescribeStream, kinesis:ListStreams, kms:CreateGrant, kms:DescribeKey, kms:ListAliases, kms:RetireGrant, s3:CreateBucket, s3:GetBucketLocation, s3:ListAllMyBuckets
ResumeContactRecording | Grants permissions to resume recording for the specified contact. | Write | contact* | - | -
StartChatContact | Grants permissions to initiate a chat using the Amazon Connect API. | Write | contact-flow* | - | -
StartContactRecording | Grants permissions to start recording for the specified contact. | Write | contact* | - | -
StartOutboundVoiceContact | Grants permissions to initiate outbound calls using the Amazon Connect API. | Write | contact* | - | -
StopContact | Grants permissions to stop contacts that were initiated using the Amazon Connect API. If you use this operation on an active contact, the contact ends, even if the agent is active on a call with a customer. | Write | contact* | - | -
StopContactRecording | Grants permissions to stop recording for the specified contact. | Write | contact* | - | -
SuspendContactRecording | Grants permissions to suspend recording for the specified contact. | Write | contact* | - | -
TagResource | Grants permissions to tag an Amazon Connect resource. | Tagging | contact-flow, routing-profile, user | aws:TagKeys, aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey} | -
UntagResource | Grants permissions to untag an Amazon Connect resource. | Tagging | contact-flow, routing-profile, user | aws:TagKeys, aws:ResourceTag/${TagKey} | -
UpdateContactAttributes | Grants permissions to create or update the contact attributes associated with the specified contact. | Write | contact* | - | -
UpdateContactFlowContent | Grants permissions to update contact flow content in an Amazon Connect instance. | Write | contact-flow* | aws:ResourceTag/${TagKey} | -
UpdateContactFlowName | Grants permissions to update the name and description of a contact flow in an Amazon Connect instance. | Write | contact-flow* | aws:ResourceTag/${TagKey} | -
UpdateRoutingProfileConcurrency | Grants permissions to update the concurrency in a routing profile in an Amazon Connect instance. | Write | routing-profile* | aws:ResourceTag/${TagKey} | -
UpdateRoutingProfileDefaultOutboundQueue | Grants permissions to update the outbound queue in a routing profile in an Amazon Connect instance. | Write | queue*, routing-profile* | aws:ResourceTag/${TagKey} | -
UpdateRoutingProfileName | Grants permissions to update a routing profile name and description in an Amazon Connect instance. | Write | routing-profile* | aws:ResourceTag/${TagKey} | -
UpdateRoutingProfileQueues | Grants permissions to update the queues in a routing profile in an Amazon Connect instance. | Write | routing-profile* | aws:ResourceTag/${TagKey} | -
UpdateUserHierarchy | Grants permissions to update a hierarchy group for a user in an Amazon Connect instance. | Write | user*, hierarchy-group | aws:ResourceTag/${TagKey} | -
UpdateUserIdentityInfo | Grants permissions to update identity information for a user in an Amazon Connect instance. | Write | user* | aws:ResourceTag/${TagKey} | -
UpdateUserPhoneConfig | Grants permissions to update phone configuration settings for a user in an Amazon Connect instance. | Write | user* | aws:ResourceTag/${TagKey} | -
UpdateUserRoutingProfile | Grants permissions to update a routing profile for a user in an Amazon Connect instance. | Write | routing-profile*, user* | aws:ResourceTag/${TagKey} | -
UpdateUserSecurityProfiles | Grants permissions to update security profiles for a user in an Amazon Connect instance. | Write | security-profile*, user* | aws:ResourceTag/${TagKey} | -

A "-" in a cell means the column is empty for that action; an empty Resource types cell means the statement must use "*" in its Resource element.

Resource types defined by Amazon Connect

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

Resource types | ARN | Condition keys
instance | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId} | -
contact | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact/${ContactId} | -
user | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent/${UserId} | aws:ResourceTag/${TagKey}
routing-profile | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/routing-profile/${RoutingProfileId} | aws:ResourceTag/${TagKey}
security-profile | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/security-profile/${SecurityProfileId} | -
hierarchy-group | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-group/${HierarchyGroupId} | -
queue | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/${QueueId} | -
contact-flow | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/${ContactFlowId} | aws:ResourceTag/${TagKey}
hours-of-operation | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/operating-hours/${HoursOfOperationId} | -
phone-number | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-numbers/${PhoneNumberId} | -

Condition keys for Amazon Connect

Amazon Connect defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request. | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource. | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request. | String
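The following policy is an added example, not from the AWS page, that puts the three tables together for a least-privilege user-administration role. The first statement lists every required resource type for connect:CreateUser (user, routing-profile, security-profile) plus the optional hierarchy-group, all scoped to one instance, and uses aws:RequestTag and aws:TagKeys so that new users can only be created with a Team=support tag and no other tag keys; the second statement lets connect:DeleteUser act only on users that already carry that tag via aws:ResourceTag. The account ID, region and instance ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateSupportTeamUsersInOneInstance",
      "Effect": "Allow",
      "Action": "connect:CreateUser",
      "Resource": [
        "arn:aws:connect:us-east-1:111122223333:instance/EXAMPLE-INSTANCE-ID/agent/*",
        "arn:aws:connect:us-east-1:111122223333:instance/EXAMPLE-INSTANCE-ID/routing-profile/*",
        "arn:aws:connect:us-east-1:111122223333:instance/EXAMPLE-INSTANCE-ID/security-profile/*",
        "arn:aws:connect:us-east-1:111122223333:instance/EXAMPLE-INSTANCE-ID/agent-group/*"
      ],
      "Condition": {
        "StringEquals": { "aws:RequestTag/Team": "support" },
        "ForAllValues:StringEquals": { "aws:TagKeys": ["Team"] }
      }
    },
    {
      "Sid": "DeleteOnlySupportTeamUsers",
      "Effect": "Allow",
      "Action": "connect:DeleteUser",
      "Resource": "arn:aws:connect:us-east-1:111122223333:instance/EXAMPLE-INSTANCE-ID/agent/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Team": "support" }
      }
    }
  ]
}
```

Because DeleteUser is a Write action whose table row carries only aws:ResourceTag/${TagKey}, a request for a user without the Team tag (or with a different value) is denied by the implicit deny; actions such as ListInstances, which have no resource type in the table, would need "Resource": "*" in their own statement.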