Required permissions for using custom IAM policies to manage Cases - Amazon Connect

Required permissions for using custom IAM policies to manage Cases

If you're using custom IAM policies to manage access to Amazon Connect Cases, your users need some or all of the permissions listed in this article, depending on the tasks they need to do.

View Cases domain details

There are two options for granting users IAM permissions to view Cases domain details on the Amazon Connect console.

Option 1: Minimum required IAM permissions

To view Cases domain details in the Amazon Connect console, users must have the following IAM permissions:

  • connect:ListInstances

  • ds:DescribeDirectories

  • connect:ListIntegrationAssociations

  • cases:GetDomain

Following is a sample IAM policy with these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsViewingConnectConsole",
      "Effect": "Allow",
      "Action": [
        "connect:ListInstances",
        "ds:DescribeDirectories"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ListIntegrationAssociations",
      "Effect": "Allow",
      "Action": [
        "connect:ListIntegrationAssociations"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CasesGetDomain",
      "Effect": "Allow",
      "Action": [
        "cases:GetDomain"
      ],
      "Resource": "*"
    }
  ]
}

Note the following:

  • The cases:GetDomain action must be granted on Resource "*".

  • The connect:ListIntegrationAssociations action supports the instance resource type, so it can be scoped to specific instance ARNs. See the table in Actions defined by Amazon Connect.

Option 2: Update the existing Amazon Connect policy with cases:GetDomain

Include the AmazonConnectReadOnlyAccess policy, and add the following cases:GetDomain policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CasesGetDomain",
      "Effect": "Allow",
      "Action": [
        "cases:GetDomain"
      ],
      "Resource": "*"
    }
  ]
}

Onboard to Cases

There are two options for granting users IAM permissions to onboard to Cases using the Amazon Connect console.

Option 1: Minimum required permissions

To onboard to Cases by using the Amazon Connect console, users must have the following IAM permissions:

  • connect:ListInstances

  • ds:DescribeDirectories

  • connect:ListIntegrationAssociations

  • cases:GetDomain

  • cases:CreateDomain

  • connect:CreateIntegrationAssociation

  • connect:DescribeInstance

  • iam:PutRolePolicy

Following is a sample IAM policy with these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsViewingConnectConsole",
      "Effect": "Allow",
      "Action": [
        "connect:ListInstances",
        "ds:DescribeDirectories"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ListIntegrationAssociations",
      "Effect": "Allow",
      "Action": [
        "connect:ListIntegrationAssociations"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CasesGetDomain",
      "Effect": "Allow",
      "Action": [
        "cases:GetDomain"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CasesCreateDomain",
      "Effect": "Allow",
      "Action": [
        "cases:CreateDomain"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateIntegrationAssociationsAndDependencies",
      "Effect": "Allow",
      "Action": [
        "connect:CreateIntegrationAssociation",
        "connect:DescribeInstance"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AttachAnyPolicyToAmazonConnectRole",
      "Effect": "Allow",
      "Action": "iam:PutRolePolicy",
      "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*"
    }
  ]
}

Note the following:

Option 2: Use a combination of existing policies

The following combination of policies will also work:

  • AmazonConnect_FullAccess policy

  • iam:PutRolePolicy to modify the service-linked role. For an example, see AmazonConnect_FullAccess policy.

  • The following IAM policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "CasesGetDomain",
          "Effect": "Allow",
          "Action": [
            "cases:GetDomain",
            "cases:CreateDomain"
          ],
          "Resource": "*"
        }
      ]
    }
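As an added example (not AWS code or part of this page), the following Python checks a custom policy document against the two permission sets above, the view-domain set and the onboarding set, and flags any iam:PutRolePolicy grant that is wider than the service-linked role ARN the sample policies use. The sample policy it inspects is constructed for illustration.

```python
"""Check a custom IAM policy against the Cases permission sets on this page (added example)."""
import fnmatch

VIEW_DOMAIN = {"connect:ListInstances", "ds:DescribeDirectories",
               "connect:ListIntegrationAssociations", "cases:GetDomain"}
ONBOARD = VIEW_DOMAIN | {"cases:CreateDomain", "connect:CreateIntegrationAssociation",
                         "connect:DescribeInstance", "iam:PutRolePolicy"}
# Resource the page uses to scope iam:PutRolePolicy to the Connect service-linked role.
SLR_ARN = ("arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/"
           "AWSServiceRoleForAmazonConnect*")


def _as_list(value):
    # IAM accepts a string or a list for Action and Resource; normalise to a list.
    return value if isinstance(value, list) else [value]


def granted_actions(policy, required):
    """Subset of `required` that some Allow statement grants. Action wildcards are
    honoured and matching is case-insensitive, as in IAM; Deny is not evaluated here."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for pattern in _as_list(stmt["Action"]):
            granted |= {a for a in required
                        if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
    return granted


def missing_actions(policy, required):
    return sorted(required - granted_actions(policy, required))


def overbroad_put_role_policy(policy):
    """Sids of Allow statements granting iam:PutRolePolicy beyond the SLR_ARN scope."""
    findings = []
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
                fnmatch.fnmatchcase("iam:putrolepolicy", a) for a in actions):
            continue
        if any(not fnmatch.fnmatchcase(r, SLR_ARN)
               for r in _as_list(stmt.get("Resource", "*"))):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


# Constructed sample: wildcarded List actions, no cases:GetDomain, PutRolePolicy on "*".
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Console", "Effect": "Allow", "Resource": "*",
     "Action": ["connect:List*", "ds:DescribeDirectories", "connect:DescribeInstance"]},
    {"Sid": "Cases", "Effect": "Allow", "Action": "cases:CreateDomain", "Resource": "*"},
    {"Sid": "Slr", "Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": "*"},
]}
```

Call missing_actions(SAMPLE_POLICY, ONBOARD) and overbroad_put_role_policy(SAMPLE_POLICY) to see the gaps in the sample; load a real policy document with json.load to check your own.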