Required permissions for using custom IAM policies to manage access to the Amazon Connect admin website
If you're using custom IAM policies to manage access to the Amazon Connect admin website, your users need some or all of the permissions listed in this article, depending on the tasks they need to do.
Note
Using connect:* in a custom IAM policy grants your users all of the Amazon Connect permissions listed in this article.
Note
Certain pages on the Amazon Connect admin website, such as Tasks and Customer Profiles, require that you add permissions to your inline policies.
Contents
- AmazonConnect_FullAccess policy
- AmazonConnectReadOnlyAccess policy
- Home page
- Detail pages
- Overview page
- Telephony page
- Data storage page
- Data streaming page
- Flows page
- Application integration page
- Customer Profiles page
- Tasks page
- Cases page
- Amazon Q in Connect page
- Voice ID page
- Forecasting, capacity planning, and scheduling page
- Federations
AmazonConnect_FullAccess policy
To allow full read/write access to Amazon Connect, you must attach two policies to your users, groups, or roles. Attach the AmazonConnect_FullAccess policy and a custom policy with the following contents:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AttachAnyPolicyToAmazonConnectRole", "Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*" } ] }
To allow a user to create an instance, ensure that they have the permissions granted by the AmazonConnect_FullAccess policy.
When you use AmazonConnect_FullAccess policy, note the following:
-
Additional privileges are required to create an Amazon S3 bucket with a name of your choosing, or to use an existing bucket while creating or updating an instance from the Amazon Connect admin website. If you choose default storage locations for your call recordings, chat transcripts, call transcripts, and other data, the system prepends "amazon-connect-" to those objects.
-
The aws/connect KMS key is available to use as a default encryption option. To use a custom encryption key, assign users additional KMS privileges.
-
Assign users additional privileges to attach other AWS resources like Amazon Polly, Live Media Streaming, Data Streaming, and Lex bots to their Amazon Connect instances.
AmazonConnectReadOnlyAccess policy
To allow read-only access, you need to attach only the AmazonConnectReadOnlyAccess policy.
Amazon Connect admin website home page
The following image shows a sample Amazon Connect admin website home page, with an arrow pointing to the instance alias. Choose the instance alias to navigate to the detailed instance pages.
Use the permissions listed in the following table to manage access to this page.
| Action/Use case | Permissions needed |
|---|---|
List instance |
connect:ListInstances ds:DescribeDirectories |
Describe instance: View the details of the instance/ current settings |
connect:DescribeInstance connect:ListLambdaFunctions connect:ListLexBots connect:ListInstanceStorageConfigs connect:ListApprovedOrigins connect:ListSecurityKeys connect:DescribeInstanceAttributes connect:DescribeInstanceStorageConfig ds:DescribeDirectories |
Create instance |
connect:CreateInstance connect:DescribeInstance connect:ListInstances connect:AssociateInstanceStorageConfig connect:UpdateInstanceAttribute ds:CheckAlias ds:CreateAlias ds:AuthorizeApplication ds:UnauthorizeApplication ds:CreateIdentityPoolDirectory ds:CreateDirectory ds:DescribeDirectories iam:CreateServiceLinkedRole kms:CreateGrant kms:DescribeKey kms:ListAliases kms:RetireGrant logs:CreateLogGroup s3:CreateBucket s3:GetBucketLocation s3:ListAllMyBuckets servicequotas:GetServiceQuota profile:ListAccountIntegrations profile:GetDomain profile:ListDomains profile:GetProfileObjectType profile:ListProfileObjectTypeTemplates |
Delete instance |
connect:DescribeInstance connect:DeleteInstance connect:ListInstances ds:DescribeDirectories ds:DeleteDirectory ds:UnauthorizeApplication |
Detailed instance pages
The following image shows the navigation menu you use to access each of the detailed instance pages.
To access the detailed instance pages, you need permissions to the Amazon Connect admin website home page (describe/list). Or, use the AmazonConnectReadOnlyAccess policy.
The following tables list the granular permissions for each detailed instance page.
Note
To perform Edit actions, users also need List and Describe permissions.
Overview page
| Action/Use case | Permissions needed |
|---|---|
| Create service-linked role |
connect:DescribeInstance connect:ListInstances connect:DescribeInstanceAttribute connect:UpdateInstanceAttribute connect:ListIntegrationAssociations profile:ListAccountIntegrations ds:DescribeDirectories iam:CreateServiceLinkedRole iam:PutRolePolicy |
Telephony page
| Action/Use case | Permissions needed |
|---|---|
| View telephony options | connect:DescribeInstance |
Enable/Disable telephony options |
connect:UpdateInstanceAttribute |
View outbound campaigns |
connect-campaigns:GetConnectInstanceConfig connect-campaigns:GetInstanceOnboardingJobStatus connect:DescribeInstance connect:DescribeInstanceAttribute kms:DescribeKey |
Enable/disable outbound campaigns |
connect-campaigns:GetConnectInstanceConfig connect-campaigns:GetInstanceOnboardingJobStatus connect-campaigns:StartInstanceOnboardingJob connect-campaigns:DeleteInstanceOnboardingJob connect-campaigns:DeleteConnectInstanceConfig connect:DescribeInstance connect:DescribeInstanceAttribute connect:UpdateInstanceAttribute iam:CreateServiceLinkedRole iam:DeleteServiceLinkedRole iam:AttachRolePolicy iam:PutRolePolicy iam:DeleteRolePolicy events:PutRule events:PutTargets events:DeleteRule events:RemoveTargets events:DescribeRule events:ListTargetsByRule ds:DescribeDirectories kms:DescribeKey kms:ListKeys kms:CreateGrant kms:RetireGrant |
Data storage page
Call recording section
| Action/Use case | Permissions needed |
|---|---|
View call recording |
connect:DescribeInstance connect:ListInstanceStorageConfigs connect:DescribeInstanceStorageConfig |
Edit call recording |
connect:AssociateInstanceStorageConfig connect:UpdateInstanceStorageConfig connect:DisassociateInstanceStorageConfig s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketAcl s3:CreateBucket kms:CreateGrant kms:DescribeKey kms:ListAliases kms:RetireGrant |
Screen recording section
| Action/Use case | Permissions needed |
|---|---|
View screen recording |
connect:DescribeInstance connect:ListInstanceStorageConfigs connect:DescribeInstanceStorageConfig |
Edit screen recording |
connect:AssociateInstanceStorageConfig connect:UpdateInstanceStorageConfig connect:DisassociateInstanceStorageConfig s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketAcl s3:CreateBucket kms:CreateGrant kms:DescribeKey kms:ListAliases kms:RetireGrant |
Chat transcripts section
| Action/Use case | Permissions needed |
|---|---|
View chat transcripts |
connect:DescribeInstance connect:DescribeInstanceStorageConfig connect:ListInstanceStorageConfigs |
Edit chat transcripts |
connect:AssociateInstanceStorageConfig connect:UpdateInstanceStorageConfig connect:DisassociateInstanceStorageConfig s3:ListAllMyBuckets s3:GetBucketLocation s3:GetBucketAcl s3:CreateBucket kms:CreateGrant kms:DescribeKey kms:ListAliases kms:RetireGrant |
Attachments section
| Action/Use case | Permissions needed |
|---|---|
View chat attachments |
connect:DescribeInstance connect:DescribeInstanceStorageConfig connect:ListInstanceStorageConfigs |
Edit chat attachments |
connect:AssociateInstanceStorageConfig connect:UpdateInstanceStorageConfig connect:DisassociateInstanceStorageConfig s3:ListAllMyBuckets s3:GetBucketLocation s3:CreateBucket s3:GetBucketAcl kms:CreateGrant kms:DescribeKey kms:ListAliases kms:RetireGrant |
Live media streaming section
| Action/Use case | Permissions needed |
|---|---|
View live media streaming |
connect:DescribeInstance connect:ListInstanceStorageConfigs connect:DescribeInstanceStorageConfig |
Edit live media streaming |
connect:AssociateInstanceStorageConfig connect:UpdateInstanceStorageConfig connect:DisassociateInstanceStorageConfig kms:CreateGrant kms:DescribeKey kms:RetireGrant |
Exported reports section
| Action/Use case | Permissions needed |
|---|---|
View exported reports |
connect:DescribeInstance connect:ListInstanceStorageConfigs connect:DescribeInstanceStorageConfig |
Edit exported reports |
connect:AssociateInstanceStorageConfig connect:UpdateInstanceStorageConfig connect: DisassociateInstanceStorageConfig s3:ListAllMyBuckets s3:GetBucketLocation s3:CreateBucket kms:DescribeKey kms:ListAliases kms:RetireGrant kms:CreateGrant |
Data streaming page
Contact records section
| Action/Use case | Permissions needed |
|---|---|
View data streaming - Contact records |
connect:DescribeInstance connect:ListInstanceStorageConfigs connect:DescribeInstanceStorageConfig |
Edit contact record |
connect:AssociateInstanceStorageConfig connect:UpdateInstanceStorageConfig connect:DisassociateInstanceStorageConfig firehose:ListDeliveryStreams firehose:DescribeDeliveryStream kinesis:ListStreams kinesis:DescribeStream |
Agent events section
| Action/Use case | Permissions needed |
|---|---|
View data streaming - Agent events |
connect:DescribeInstance connect:ListInstanceStorageConfigs connect:DescribeInstanceStorageConfig |
Edit agent events |
connect:AssociateInstanceStorageConfig connect:UpdateInstanceStorageConfig connect:DisassociateInstanceStorageConfig kinesis:ListStreams kinesis: DescribeStream |
Flows page
Flows security keys section
| Action/Use case | Permissions needed |
|---|---|
View flow security keys |
connect:DescribeInstance connect:ListSecurityKeys |
Add/remove flow security keys |
connect:AssociateSecurityKey connect:DisassociateSecurityKey |
Lex bots section
| Action/Use case | Permissions needed |
|---|---|
View Lex bots |
connect:ListLexBots connect:ListBots |
Add/remove Lex bots |
lex:GetBots lex:GetBot lex:CreateResourcePolicy lex:DeleteResourcePolicy lex:UpdateResourcePolicy lex:DescribeBotAlias lex:ListBotAliases lex:ListBots connect:AssociateBot connect:DisassociateBot connect:ListBots connect:AssociateLexBot connect:DisassociateLexBot connect:ListLexBots |
Lambda functions section
| Action/Use case | Permissions needed |
|---|---|
View Lambda functions |
connect:ListLambdaFunctions |
Add/remove Lambda functions |
connect:ListLambdaFunctions connect:AssociateLambdaFunction connect:DisassociateLambdaFunction lambda:ListFunctions lambda:AddPermission lambda:RemovePermission |
Flow logs section
| Action/Use case | Permissions needed |
|---|---|
View flow log config |
connect:DescribeInstance connect:DescribeInstanceAttribute |
Enable/disable flow log |
logs:CreateLogGroup |
Amazon Polly section
| Action/Use case | Permissions needed |
|---|---|
View Amazon Polly option |
connect:DescribeInstance connect:DescribeInstanceAttribute |
Update Amazon Polly option |
connect:UpdateInstanceAttribute |
Application integration page
| Action/Use case | Permissions needed |
|---|---|
View approved origins |
connect:DescribeInstance connect:ListApprovedOrigins |
Edit approved origins |
connect: AssociateApprovedOrigin connect:ListApprovedOrigins connect:DisassociateApprovedOrigin |
Customer Profiles page
| Action/Use case | Permissions needed |
|---|---|
View customer profiles |
appflow:DescribeFlow appflow:DescribeConnectorEntity appflow:ListFlows appflow:ListConnectorEntities appflow:ListConnectorProfiles cloudwatch:GetMetricData kinesis:DescribeStreamSummary kms:ListKeys profile:GetCalculatedAttributeDefinition profile:GetEventStream profile:ListAccountIntegrations profile:ListCalculatedAttributeDefinitions profile:ListDomains profile:ListEventStreams sqs:ListQueues |
Edit customer profiles |
appflow:CreateFlow appflow:CreateConnectorProfile appflow:DescribeFlow appflow:DeleteFlow appflow:DescribeConnectorEntity appflow:ListFlows appflow:ListConnectorEntities appflow:ListConnectorProfiles appflow:StartFlow appflow:StopFlow kinesis:ListStreams kms:DescribeKey kms:ListAliases kms:ListKeys kms:ListGrants profile:CreateDomain profile:CreateEventStream profile:DeleteEventStream profile:DeleteIntegration profile:DeleteDomain profile:DetectProfileObjectType profile:GetCalculatedAttributeDefinition profile:ListAccountIntegrations profile:ListCalculatedAttributeDefinitions profile:ListDomains profile:PutIntegration profile:UpdateDomain s3:SelectObjectContent sqs:ListQueues |
Tasks page
| Action/Use case | Permissions needed |
|---|---|
View Tasks integrations |
app-integrations:GetEventIntegration connect:ListIntegrationAssociations |
Edit Tasks integrations |
app-integrations:CreateEventIntegration app-integrations:GetEventIntegration app-integrations:ListEventIntegrations app-integrations:DeleteEventIntegrationAssociation app-integrations:CreateEventIntegrationAssociation appflow:CreateFlow appflow:CreateConnectorProfile appflow:DescribeFlow appflow:DeleteFlow appflow:DeleteConnectorProfile appflow:DescribeConnectorEntity appflow:ListFlows appflow:ListConnectorEntities appflow:StartFlow connect:ListIntegrationAssociations connect:DeleteIntegrationAssociation connect:ListUseCases connect:DeleteUseCase events:ActivateEventSource events:CreateEventBus events:DescribeEventBus events:DescribeEventSource events:ListEventSources events:ListTargetsByRule events:PutRule events:PutTargets events:DeleteRule events:RemoveTargets kms:CreateGrant kms:DescribeKey kms:ListAliases kms:ListKeys kms:ListGrants |
Cases page
| Action/Use case | Permissions needed |
|---|---|
View Cases domain details |
connect:ListInstances ds:DescribeDirectories connect:ListIntegrationAssociations cases:GetDomain |
Onboard to Cases |
connect:ListInstances connect:ListIntegrationAssociations cases:GetDomain cases:CreateDomain connect:CreateIntegrationAssociation connect:DescribeInstance iam:PutRolePolicy |
Amazon Q in Connect page
| Action/Use case | Permissions needed |
|---|---|
View domains and integrations |
wisdom:ListAssistantAssociations appflow:DescribeConnectorProfiles app-integrations:GetDataIntegration connect:ListIntegrationAssociations kms:DescribeKey wisdom:GetAssistant wisdom:GetKnowledgeBase wisdom:ListAssistantAssociations |
Add or remove domains |
connect:CreateIntegrationAssociation connect:DeleteIntegrationAssociation connect:ListIntegrationAssociations iam:DeleteRolePolicy iam:PutRolePolicy kms:CreateGrant kms:DescribeKey kms:ListAliases wisdom:CreateAssistant wisdom:DeleteAssistant wisdom:GetAssistant wisdom:ListAssistantAssociations wisdom:ListAssistants wisdom:TagResource |
Add or remove integrations |
wisdom:ListAssistantAssociations app-integrations:CreateDataIntegration app-integrations:CreateDataIntegrationAssociation app-integrations:DeleteDataIntegrationAssociation app-integrations:GetDataIntegration app-integrations:ListDataIntegrations appflow:CreateConnectorProfile appflow:CreateFlow appflow:DeleteFlow appflow:DescribeConnector appflow:DescribeConnectorEntity appflow:DescribeConnectorProfiles appflow:DescribeConnectors appflow:DescribeFlow appflow:ListConnectorEntities appflow:StartFlow appflow:StopFlow appflow:TagResource appflow:UseConnectorProfile connect:CreateIntegrationAssociation connect:DeleteIntegrationAssociation connect:ListIntegrationAssociations iam:DeleteRolePolicy iam:PutRolePolicy kms:CreateGrant kms:Decrypt kms:DescribeKey kms:GenerateDataKey kms:ListAliases kms:ListGrants secretsmanager:CreateSecret secretsmanager:PutResourcePolicy wisdom:CreateAssistantAssociation wisdom:CreateKnowledgeBase wisdom:DeleteAssistantAssociation wisdom:DeleteKnowledgeBase wisdom:GetAssistant wisdom:GetKnowledgeBase wisdom:ListAssistantAssociations wisdom:ListKnowledgeBases wisdom:TagResource |
Voice ID page
| Action/Use case | Permissions needed |
|---|---|
View Voice ID integrations |
voiceid:DescribeDomain voiceid:ListDomains voiceid:RegisterComplianceConsent voiceid:DescribeComplianceConsent connect:ListIntegrationAssociations |
Edit Voice ID integrations |
voiceid:DescribeDomain voiceid:ListDomains voiceid:RegisterComplianceConsent voiceid:DescribeComplianceConsent voiceid:UpdateDomain voiceid:CreateDomain connect:ListIntegrationAssociations connect:CreateIntegrationAssociation connect:DeleteIntegrationAssociation events:PutRule events:DeleteRule events:PutTargets events:RemoveTargets |
Forecasting, capacity planning, and scheduling page
| Action/Use case | Permissions needed |
|---|---|
View forecasting, capacity planning, and scheduling |
connect:DescribeForecastingPlanningSchedulingIntegration |
Enable forecasting, capacity planning, and scheduling |
connect:UpdateInstanceAttribute connect:StartForecastingPlanningSchedulingIntegration |
Disable forecasting, capacity planning, and scheduling |
connect:UpdateInstanceAttribute connect:StopForecastingPlanningSchedulingIntegration |
Federations
SAML federation
| Action/Use case | Permissions needed |
|---|---|
SAML federation |
connect:GetFederationToken |
Admin/Emergency federation
| Action/Use case | Permissions needed |
|---|---|
Admin/Emergency federation |
connect:GetFederationTokens |
