Required permissions for using custom IAM policies to manage access to the Amazon Connect console - Amazon Connect
AmazonConnect_FullAccess policyAmazonConnectReadOnlyAccess policyHome pageDetail pagesOverview pageTelephony pageData storage pageData streaming pageFlows pageContact Lens connectors pageVoice transfer integrationsApplication integration pageCustomer Profiles pageTasks pageEmail pageCases pageCustomer authentication pageOutbound campaigns pageAmazon Q in Connect pageVoice ID pageForecasting, capacity planning, and scheduling pageFederations

Required permissions for using custom IAM policies to manage access to the Amazon Connect console

If you're using custom IAM policies to manage access to the Amazon Connect console, your users need some or all of the permissions listed in this article, depending on the tasks they need to do.

Note

Using connect:* in a custom IAM policy grants your users all of the Amazon Connect permissions listed in this article.

Note

Certain pages on the Amazon Connect console, such as Tasks and Customer Profiles, require that you add permissions to your inline policies.

AmazonConnect_FullAccess policy

To allow full read/write access to Amazon Connect, you must attach two policies to your users, groups, or roles. Attach the AmazonConnect_FullAccess policy and a custom policy with the following contents:

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Sid": "AttachAnyPolicyToAmazonConnectRole", 
            "Effect": "Allow", 
            "Action": "iam:PutRolePolicy", 
            "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*" 
        } 
    ] 
}

To allow a user to create an instance, ensure that they have the permissions granted by the AmazonConnect_FullAccess policy.

When you use AmazonConnect_FullAccess policy, note the following:

  • Additional privileges are required to create an Amazon S3 bucket with a name of your choosing, or to use an existing bucket while creating or updating an instance from the Amazon Connect admin website. If you choose default storage locations for your call recordings, chat transcripts, email messages, attachments, call transcripts, and other data, the system prepends "amazon-connect-" to those objects.

  • The aws/connect KMS key is available to use as a default encryption option. To use a custom encryption key, assign users additional KMS privileges.

  • Assign users additional privileges to attach other AWS resources like Amazon Polly, Live Media Streaming, Data Streaming, and Lex bots to their Amazon Connect instances.

AmazonConnectReadOnlyAccess policy

To allow read-only access, you need to attach only the AmazonConnectReadOnlyAccess policy.

Amazon Connect console home page

The following image shows a sample Amazon Connect console home page, with an arrow pointing to the instance alias. Choose the instance alias to navigate to the detailed instance pages.

The Amazon Connect virtual contact center instances page, the instance alias.

Use the permissions listed in the following table to manage access to this page.

Action/Use case Permissions needed

List instance

connect:ListInstances

ds:DescribeDirectories

Describe instance: View the details of the instance/ current settings

connect:DescribeInstance

connect:ListLambdaFunctions

connect:ListLexBots

connect:ListInstanceStorageConfigs

connect:ListApprovedOrigins

connect:ListSecurityKeys

connect:DescribeInstanceAttributes

connect:DescribeInstanceStorageConfig

ds:DescribeDirectories

Create instance

connect:AssociateCustomerProfilesDomain

connect:CreateInstance

connect:DescribeInstance

connect:ListInstances

connect:AssociateInstanceStorageConfig

connect:UpdateInstanceAttribute

ds:CheckAlias

ds:CreateAlias

ds:AuthorizeApplication

ds:UnauthorizeApplication

ds:CreateIdentityPoolDirectory

ds:DescribeDirectories

iam:CreateServiceLinkedRole

iam:PutRolePolicy

kms:CreateGrant

kms:DescribeKey

kms:ListAliases

kms:RetireGrant

logs:CreateLogGroup

s3:CreateBucket

s3:GetBucketLocation

s3:ListAllMyBuckets

servicequotas:GetServiceQuota

profile:CreateDomain

profile:GetDomain

profile:GetProfileObjectType

profile:ListAccountIntegrations

profile:ListDomains

profile:ListProfileObjectTypeTemplates

profile:PutIntegration

Delete instance

connect:DescribeInstance

connect:DeleteInstance

connect:ListInstances

ds:DescribeDirectories

ds:DeleteDirectory

ds:UnauthorizeApplication

Detailed instance pages

The following image shows the navigation menu you use to access each of the detailed instance pages.

The navigation menu on the Amazon Connect instances page.

To access the detailed instance pages, you need permissions to the Amazon Connect console home page (describe/list). Or, use the AmazonConnectReadOnlyAccess policy.

The following tables list the granular permissions for each detailed instance page.

Note

To perform Edit actions, users also need List and Describe permissions.

Overview page

Action/Use case Permissions needed
Create service-linked role

connect:DescribeInstance

connect:ListInstances

connect:DescribeInstanceAttribute

connect:UpdateInstanceAttribute

connect:ListIntegrationAssociations

profile:ListAccountIntegrations

ds:DescribeDirectories

iam:CreateServiceLinkedRole

iam:PutRolePolicy

Telephony page

Action/Use case Permissions needed
View telephony options connect:DescribeInstance

Enable/Disable telephony options

connect:UpdateInstanceAttribute

View outbound campaigns

connect-campaigns:GetConnectInstanceConfig

connect-campaigns:GetInstanceOnboardingJobStatus

connect:DescribeInstance

connect:DescribeInstanceAttribute

kms:DescribeKey

Enable/disable outbound campaigns

connect-campaigns:GetConnectInstanceConfig

connect-campaigns:GetInstanceOnboardingJobStatus

connect-campaigns:StartInstanceOnboardingJob

connect-campaigns:DeleteInstanceOnboardingJob

connect-campaigns:DeleteConnectInstanceConfig

connect:DescribeInstance

connect:DescribeInstanceAttribute

connect:UpdateInstanceAttribute

iam:CreateServiceLinkedRole

iam:DeleteServiceLinkedRole

iam:AttachRolePolicy

iam:PutRolePolicy

iam:DeleteRolePolicy

events:PutRule

events:PutTargets

events:DeleteRule

events:RemoveTargets

events:DescribeRule

events:ListTargetsByRule

ds:DescribeDirectories

kms:DescribeKey

kms:ListKeys

kms:CreateGrant

kms:RetireGrant

Data storage page

Call recording section

Action/Use case Permissions needed

View call recording

connect:DescribeInstance

connect:ListInstanceStorageConfigs

connect:DescribeInstanceStorageConfig

Edit call recording

connect:AssociateInstanceStorageConfig

connect:UpdateInstanceStorageConfig

connect:DisassociateInstanceStorageConfig

s3:ListAllMyBuckets

s3:GetBucketLocation

s3:GetBucketAcl

s3:CreateBucket

kms:CreateGrant

kms:DescribeKey

kms:ListAliases

kms:RetireGrant

iam:PutRolePolicy

Screen recording section

Action/Use case Permissions needed

View screen recording

connect:DescribeInstance

connect:ListInstanceStorageConfigs

connect:DescribeInstanceStorageConfig

Edit screen recording

connect:AssociateInstanceStorageConfig

connect:UpdateInstanceStorageConfig

connect:DisassociateInstanceStorageConfig

s3:ListAllMyBuckets

s3:GetBucketLocation

s3:GetBucketAcl

s3:CreateBucket

iam:PutRolePolicy

kms:CreateGrant

kms:DescribeKey

kms:ListAliases

kms:RetireGrant

Chat transcripts section

Action/Use case Permissions needed

View chat transcripts

connect:DescribeInstance

connect:DescribeInstanceStorageConfig

connect:ListInstanceStorageConfigs

Edit chat transcripts

connect:AssociateInstanceStorageConfig

connect:UpdateInstanceStorageConfig

connect:DisassociateInstanceStorageConfig

s3:ListAllMyBuckets

s3:GetBucketLocation

s3:GetBucketAcl

s3:CreateBucket

kms:CreateGrant

kms:DescribeKey

kms:ListAliases

kms:RetireGrant

iam:PutRolePolicy

Attachments section

Action/Use case Permissions needed

View attachments

connect:DescribeInstance

connect:DescribeInstanceStorageConfig

connect:ListInstanceStorageConfigs

Edit attachments

connect:AssociateInstanceStorageConfig

connect:UpdateInstanceStorageConfig

connect:DisassociateInstanceStorageConfig

s3:ListAllMyBuckets

s3:GetBucketLocation

s3:CreateBucket

s3:GetBucketAcl

kms:CreateGrant

kms:DescribeKey

kms:ListAliases

kms:RetireGrant

iam:PutRolePolicy

Live media streaming section

Action/Use case Permissions needed

View live media streaming

connect:DescribeInstance

connect:ListInstanceStorageConfigs

connect:DescribeInstanceStorageConfig

Edit live media streaming

connect:AssociateInstanceStorageConfig

connect:UpdateInstanceStorageConfig

connect:DisassociateInstanceStorageConfig

kms:CreateGrant

kms:DescribeKey

kms:RetireGrant

iam:PutRolePolicy

Exported reports section

Action/Use case Permissions needed

View exported reports

connect:DescribeInstance

connect:ListInstanceStorageConfigs

connect:DescribeInstanceStorageConfig

Edit exported reports

connect:AssociateInstanceStorageConfig

connect:UpdateInstanceStorageConfig

connect: DisassociateInstanceStorageConfig

s3:ListAllMyBuckets

s3:GetBucketLocation

s3:CreateBucket

kms:DescribeKey

kms:ListAliases

kms:RetireGrant

kms:CreateGrant

iam:PutRolePolicy

Data streaming page

Contact records section

Action/Use case Permissions needed

View data streaming - Contact records

connect:DescribeInstance

connect:ListInstanceStorageConfigs

connect:DescribeInstanceStorageConfig

Edit contact record

connect:AssociateInstanceStorageConfig

connect:UpdateInstanceStorageConfig

connect:DisassociateInstanceStorageConfig

firehose:ListDeliveryStreams

firehose:DescribeDeliveryStream

kinesis:ListStreams

kinesis:DescribeStream

iam:PutRolePolicy

Agent events section

Action/Use case Permissions needed

View data streaming - Agent events

connect:DescribeInstance

connect:ListInstanceStorageConfigs

connect:DescribeInstanceStorageConfig

Edit agent events

connect:AssociateInstanceStorageConfig

connect:UpdateInstanceStorageConfig

connect:DisassociateInstanceStorageConfig

kinesis:ListStreams

kinesis: DescribeStream

iam:PutRolePolicy

Flows page

Flows security keys section

Action/Use case Permissions needed

View flow security keys

connect:DescribeInstance

connect:ListSecurityKeys

Add/remove flow security keys

connect:AssociateSecurityKey

connect:DisassociateSecurityKey

Lex bots section

Action/Use case Permissions needed

View Lex bots

connect:ListLexBots

connect:ListBots

Add/remove Lex bots

lex:GetBots

lex:GetBot

lex:CreateResourcePolicy

lex:DeleteResourcePolicy

lex:UpdateResourcePolicy

lex:DescribeBotAlias

lex:ListBotAliases

lex:ListBots

connect:AssociateBot

connect:DisassociateBot

connect:ListBots

connect:AssociateLexBot

connect:DisassociateLexBot

connect:ListLexBots

iam:PutRolePolicy

Lambda functions section

Action/Use case Permissions needed

View Lambda functions

connect:ListLambdaFunctions

Add/remove Lambda functions

connect:ListLambdaFunctions

connect:AssociateLambdaFunction

connect:DisassociateLambdaFunction

iam:PutRolePolicy

lambda:ListFunctions

lambda:AddPermission

lambda:RemovePermission

Flow logs section

Action/Use case Permissions needed

View flow log config

connect:DescribeInstance

connect:DescribeInstanceAttribute

Enable/disable flow log

logs:CreateLogGroup

Amazon Polly section

Action/Use case Permissions needed

View Amazon Polly option

connect:DescribeInstance

connect:DescribeInstanceAttribute

Update Amazon Polly option

connect:UpdateInstanceAttribute

Contact Lens connectors page

Action/Use case Permissions needed

View Contact Lens connectors

chime:GetVoiceConnector

chime:GetVoiceConnectorLoggingConfiguration

chime:GetVoiceConnectorTermination

chime:GetVoiceConnectorTerminationHealth

chime:ListVoiceConnectors

chime:ListVoiceConnectorTerminationCredentials

chime:GetVoiceConnectorExternalSystemsConfiguration

Add/Update/Remove Contact Lens connectors

chime:CreateVoiceConnector

chime:DeleteVoiceConnector

chime:DeleteVoiceConnectorTermination

chime:DeleteVoiceConnectorTerminationCredentials

chime:GetVoiceConnector

chime:GetVoiceConnectorLoggingConfiguration

chime:GetVoiceConnectorTermination

chime:GetVoiceConnectorTerminationHealth

chime:ListVoiceConnectors

chime:ListVoiceConnectorTerminationCredentials

chime:PutVoiceConnectorLoggingConfiguration

chime:PutVoiceConnectorTermination

chime:PutVoiceConnectorTerminationCredentials

chime:UpdateVoiceConnector

chime:CreateConnectAnalyticsConnector

chime:PutVoiceConnectorExternalSystemsConfiguration

chime:GetVoiceConnectorExternalSystemsConfiguration

chime:DeleteVoiceConnectorExternalSystemsConfiguration

chime:AssociateVoiceConnectorConnect

chime:DisassociateVoiceConnectorConnect

chime:TagResources

chime:UntagResources

chime:ListTagsForResource

Voice transfer integrations

Action/Use case Permissions needed

View external voice transfer connectors

chime:GetVoiceConnector

chime:GetVoiceConnectorLoggingConfiguration

chime:GetVoiceConnectorTermination

chime:GetVoiceConnectorTerminationHealth

chime:ListVoiceConnectors

chime:ListVoiceConnectorTerminationCredentials

chime:GetVoiceConnectorExternalSystemsConfiguration

Add/Update/Remove external voice transfer connectors

chime:CreateVoiceConnector

chime:DeleteVoiceConnector

chime:DeleteVoiceConnectorTermination

chime:DeleteVoiceConnectorTerminationCredentials

chime:GetVoiceConnector

chime:GetVoiceConnectorLoggingConfiguration

chime:GetVoiceConnectorTermination

chime:GetVoiceConnectorTerminationHealth

chime:ListVoiceConnectors

chime:ListVoiceConnectorTerminationCredentials

chime:PutVoiceConnectorLoggingConfiguration

chime:PutVoiceConnectorTermination

chime:PutVoiceConnectorTerminationCredentials

chime:UpdateVoiceConnector

chime:CreateConnectAnalyticsConnector

chime:PutVoiceConnectorExternalSystemsConfiguration

chime:GetVoiceConnectorExternalSystemsConfiguration

chime:DeleteVoiceConnectorExternalSystemsConfiguration

chime:AssociateVoiceConnectorConnect

chime:DisassociateVoiceConnectorConnect

chime:TagResources

chime:UntagResources

chime:ListTagsForResource

Application integration page

Action/Use case Permissions needed

View approved origins

connect:DescribeInstance

connect:ListApprovedOrigins

Edit approved origins

connect: AssociateApprovedOrigin

connect:ListApprovedOrigins

connect:DisassociateApprovedOrigin

Customer Profiles page

Action/Use case Permissions needed

View customer profiles

app-integrations:ListEventIntegrations

appflow:DescribeConnectorEntity

appflow:DescribeConnectorProfiles

appflow:DescribeFlow

appflow:ListFlows

appflow:ListConnectorEntities

appflow:ListConnectorProfiles

cloudwatch:GetMetricData

connect:DescribeInstance

connect:ListInstances

ds:DescribeDirectories

iam:ListRoles

kinesis:DescribeStreamSummary

kms:Decrypt

kms:DescribeKey

kms:GenerateDataKey

kms:ListKeys

profile:GetCalculatedAttributeDefinition

profile:GetDomain

profile:GetEventStream

profile:GetIdentityResolutionJob

profile:GetIntegration

profile:GetProfileObjectType

profile:GetProfileObjectTypeTemplate

profile:GetWorkflow

profile:ListAccountIntegrations

profile:ListCalculatedAttributeDefinitions

profile:ListDomains

profile:ListEventStreams

profile:ListIdentityResolutionJobs

profile:ListIntegrations

profile:ListProfileObjectTypes

profile:ListProfileObjectTypeTemplates

sqs:ListQueues

Edit customer profiles

app-integrations:CreateEventIntegration

app-integrations:ListEventIntegrations

appflow:CreateFlow

appflow:CreateConnectorProfile

appflow:DescribeFlow

appflow:DeleteFlow

appflow:DescribeConnectorEntity

appflow:DescribeConnectorProfiles

appflow:ListFlows

appflow:ListConnectorEntities

appflow:ListConnectorProfiles

appflow:StartFlow

cloudwatch:GetMetricData

connect:DescribeInstance

connect:ListInstances

ds:DescribeDirectories

events:CreateEventBus

events:DescribeEventBus

events:DescribeEventSource

events:ListEventSources

iam:CreateRole

iam:CreatePolicy

iam:AttachRolePolicy

iam:ListRoles

iam:PutRolePolicy

kinesis:DescribeStreamSummary

kinesis:ListStreams

kms:CreateGrant

kms:Decrypt

kms:DescribeKey

kms:GenerateDataKey

kms:ListAliases

kms:ListKeys

kms:ListGrants

profile:CreateDomain

profile:CreateEventStream

profile:CreateIntegrationWorkflow

profile:DeleteEventStream

profile:DeleteIntegration

profile:DeleteDomain

profile:DeleteProfileObjectType

profile:DetectProfileObjectType

profile:GetCalculatedAttributeDefinition

profile:GetDomain

profile:GetEventStream

profile:GetIdentityResolutionJob

profile:GetIntegration

profile:GetProfileObjectType

profile:GetProfileObjectTypeTemplate

profile:GetWorkflow

profile:ListAccountIntegrations

profile:ListCalculatedAttributeDefinitions

profile:ListDomains

profile:ListEventStreams

profile:ListIdentityResolutionJobs

profile:ListIntegrations

profile:ListProfileObjectTypes

profile:ListProfileObjectTypeTemplates

profile:PutIntegration

profile:PutProfileObjectType

profile:TagResource

profile:UntagResource

profile:UpdateDomain

s3:GetBucketLocation

s3:GetBucketPolicy

s3:GetObject

s3:HeadBucket

s3:ListAllMyBuckets

s3:ListBucket

s3:ListObjectsV2

s3:PutBucketPolicy

s3:SelectObjectContent

sqs:ListQueues

Tasks page

Action/Use case Permissions needed

View Tasks integrations

app-integrations:GetEventIntegration

connect:ListIntegrationAssociations

Edit Tasks integrations

app-integrations:CreateEventIntegration

app-integrations:GetEventIntegration

app-integrations:ListEventIntegrations

app-integrations:DeleteEventIntegrationAssociation

app-integrations:CreateEventIntegrationAssociation

appflow:CreateFlow

appflow:CreateConnectorProfile

appflow:DescribeFlow

appflow:DeleteFlow

appflow:DeleteConnectorProfile

appflow:DescribeConnectorEntity

appflow:ListFlows

appflow:ListConnectorEntities

appflow:StartFlow

connect:ListIntegrationAssociations

connect:DeleteIntegrationAssociation

connect:ListUseCases

connect:DeleteUseCase

events:ActivateEventSource

events:CreateEventBus

events:DescribeEventBus

events:DescribeEventSource

events:ListEventSources

events:ListTargetsByRule

events:PutRule

events:PutTargets

events:DeleteRule

events:RemoveTargets

kms:CreateGrant

kms:DescribeKey

kms:ListAliases

kms:ListKeys

kms:ListGrants

Email page

Action/Use case Permissions needed

View email domains and addresses

ses:GetIdentityVerificationAttributes

ses:DescribeReceiptRule

ses:DescribeActiveReceiptRuleSet

ses:GetEmailIdentity

ses:DescribeReceiptRuleSet

ses:GetConfigurationSetEventDestinations

ses:GetConfigurationSet

Edit email domains and addresses

ses:CreateReceiptRule

ses:UpdateReceiptRule

ses:SetActiveReceiptRuleSet

ses:CreateReceiptRuleSet

ses:CreateEmailIdentity

ses:TagResource

ses:UntagResource

ses:DeleteReceiptRule

ses:DeleteReceiptRuleSet

ses:CloneReceiptRuleSet

ses:CreateConfigurationSet

ses:CreateConfigurationSetEventDestination

ses:PutEmailIdentityConfigurationSetAttributes

ses:CreateEmailIdentityPolicy

ses:UpdateEmailIdentityPolicy

ses:DeleteEmailIdentityPolicy

iam:CreateServiceLinkedRole

iam:PassRole

iam:CreateRole

iam:CreatePolicy

Cases page

Action/Use case Permissions needed

View Cases domain details

connect:ListInstances

ds:DescribeDirectories

connect:ListIntegrationAssociations

cases:GetDomain

Onboard to Cases

connect:ListInstances

connect:ListIntegrationAssociations

cases:GetDomain

cases:CreateDomain

connect:CreateIntegrationAssociation

connect:DescribeInstance

iam:PutRolePolicy

Customer authentication page

Action/Use case Permissions needed

View customer authentication

connect:ListIntegrationAssociations

cognito-idp:ListUserPools

cognito-idp:DescribeUserPool

Onboard to customer authentication

connect:CreateIntegrationAssociation

connect:DeleteIntegrationAssociation

connect:ListIntegrationAssociations

cognito-idp:ListUserPools

cognito-idp:DescribeUserPool

cognito-idp:ListUserPoolClients

cognito-idp:TagResource

cognito-idp:CreateUserPool

Outbound campaigns page

Action / Use case Permissions needed
View outbound campaigns

connect:ListIntegrationAssociations

connect:ListPhoneNumbersV2

connect:SearchEmailAddresses

connect:DescribeInstance

connect:DescribeInstanceAttribute

kms:DescribeKey

kms:ListKeys

profile:ListAccountIntegrations

profile:ListIntegrations

profile:ListDomains

profile:GetDomain

wisdom:ListKnowledgeBases

wisdom:GetKnowledgeBase

connect-campaigns:GetInstanceOnboardingJobStatus

connect-campaigns:GetConnectInstanceConfig

connect-campaigns:ListConnectInstanceIntegrations
Create outbound campaigns

connect-campaigns:StartInstanceOnboardingJob

connect-campaigns:DeleteInstanceOnboardingJob

connect-campaigns:GetConnectInstanceConfig

connect-campaigns:GetInstanceOnboardingJobStatus

connect-campaigns:DeleteConnectInstanceConfig

connect:DescribeInstance

connect:DescribeInstanceAttribute

connect:UpdateInstanceAttribute

iam:CreateServiceLinkedRole

iam:DeleteServiceLinkedRole

iam:AttachRolePolicy

iam:PutRolePolicy

iam:DeleteRolePolicy

events:PutRule

events:PutTargets

events:DeleteRule

events:RemoveTargets

events:DescribeRule

events:ListTargetsByRule

ds:DescribeDirectories

kms:DescribeKey

kms:ListKeys

kms:CreateGrant

kms:RetireGrant

profile:CreateDomain

profile:ListAccountIntegrations

profile:ListIntegrations

profile:PutIntegration

profile:PutProfileObjectType

connect:CreateIntegrationAssociation

connect:ListIntegrationAssociations

connect:UpdateInstanceAttribute

connect:AssociateCustomerProfilesDomain

connect-campaigns:ListConnectInstanceIntegrations

connect-campaigns:PutConnectInstanceIntegration

wisdom:CreateKnowledgeBase

wisdom:ListKnowledgeBases

Amazon Q in Connect page

Action/Use case Permissions needed

View domains and integrations

wisdom:ListAssistantAssociations

appflow:DescribeConnectorProfiles

app-integrations:GetDataIntegration

connect:DescribeInstance

connect:DescribeInstanceAttribute

connect:ListIntegrationAssociations

kms:DescribeKey

kms:ListGrants

wisdom:GetAssistant

wisdom:GetKnowledgeBase

wisdom:ListAssistantAssociations

Add or remove domains

connect:CreateIntegrationAssociation

connect:DeleteIntegrationAssociation

connect:ListIntegrationAssociations

iam:DeleteRolePolicy

iam:PutRolePolicy

kms:CreateGrant

kms:DescribeKey

kms:ListAliases

wisdom:CreateAssistant

wisdom:DeleteAssistant

wisdom:GetAssistant

wisdom:ListAssistantAssociations

wisdom:ListAssistants

wisdom:TagResource

Add or remove integrations

wisdom:ListAssistantAssociations

app-integrations:CreateDataIntegration

app-integrations:CreateDataIntegrationAssociation

app-integrations:DeleteDataIntegrationAssociation

app-integrations:GetDataIntegration

app-integrations:ListDataIntegrations

appflow:CreateConnectorProfile

appflow:CreateFlow

appflow:DeleteFlow

appflow:DescribeConnector

appflow:DescribeConnectorEntity

appflow:DescribeConnectorProfiles

appflow:DescribeConnectors

appflow:DescribeFlow

appflow:ListConnectorEntities

appflow:StartFlow

appflow:StopFlow

appflow:TagResource

appflow:UseConnectorProfile

connect:CreateIntegrationAssociation

connect:DeleteIntegrationAssociation

connect:ListIntegrationAssociations

iam:DeleteRolePolicy

iam:PutRolePolicy

kms:CreateGrant

kms:Decrypt

kms:DescribeKey

kms:GenerateDataKey

kms:ListAliases

kms:ListGrants

secretsmanager:CreateSecret

secretsmanager:PutResourcePolicy

wisdom:CreateAssistantAssociation

wisdom:CreateKnowledgeBase

wisdom:DeleteAssistantAssociation

wisdom:DeleteKnowledgeBase

wisdom:GetAssistant

wisdom:GetKnowledgeBase

wisdom:ListAssistantAssociations

wisdom:ListKnowledgeBases

wisdom:TagResource

Voice ID page

Action/Use case Permissions needed

View Voice ID integrations

voiceid:DescribeDomain

voiceid:ListDomains

voiceid:RegisterComplianceConsent

voiceid:DescribeComplianceConsent

connect:ListIntegrationAssociations

Edit Voice ID integrations

voiceid:DescribeDomain

voiceid:ListDomains

voiceid:RegisterComplianceConsent

voiceid:DescribeComplianceConsent

voiceid:UpdateDomain

voiceid:CreateDomain

connect:ListIntegrationAssociations

connect:CreateIntegrationAssociation

connect:DeleteIntegrationAssociation

events:PutRule

events:DeleteRule

events:PutTargets

events:RemoveTargets

iam:PutRolePolicy

Forecasting, capacity planning, and scheduling page

Action/Use case Permissions needed

View forecasting, capacity planning, and scheduling

connect:DescribeForecastingPlanningSchedulingIntegration

Enable forecasting, capacity planning, and scheduling

connect:UpdateInstanceAttribute

connect:StartForecastingPlanningSchedulingIntegration

Disable forecasting, capacity planning, and scheduling

connect:UpdateInstanceAttribute

connect:StopForecastingPlanningSchedulingIntegration

Federations

SAML federation

Action/Use case Permissions needed

SAML federation

connect:GetFederationToken

Admin/Emergency federation

Action/Use case Permissions needed

Admin/Emergency federation

connect:AdminGetEmergencyAccessToken