AWS managed policies for Amazon Connect
To add permissions to users, groups, and roles, it is more efficient to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions that they need. To get started quickly, you can use AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.
AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.
Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.
AWS managed policy: AmazonConnect_FullAccess
To allow full read/write access to Amazon Connect, you must attach two policies to your IAM
users, groups, or roles. Attach the AmazonConnect_FullAccess
policy and a
custom policy with the following contents:
Custom Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AttachAnyPolicyToAmazonConnectRole", "Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*" } ] }
AmazonConnect_FullAccess Policy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "connect:*", "ds:CreateAlias", "ds:AuthorizeApplication", "ds:CreateIdentityPoolDirectory", "ds:DeleteDirectory", "ds:DescribeDirectories", "ds:UnauthorizeApplication", "firehose:DescribeDeliveryStream", "firehose:ListDeliveryStreams", "kinesis:DescribeStream", "kinesis:ListStreams", "kms:DescribeKey", "kms:ListAliases", "lex:GetBots", "lex:ListBots", "lex:ListBotAliases", "logs:CreateLogGroup", "s3:GetBucketLocation", "s3:ListAllMyBuckets", "lambda:ListFunctions", "ds:CheckAlias", "profile:ListAccountIntegrations", "profile:GetDomain", "profile:ListDomains", "profile:GetProfileObjectType", "profile:ListProfileObjectTypeTemplates" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "profile:AddProfileKey", "profile:CreateDomain", "profile:CreateProfile", "profile:DeleteDomain", "profile:DeleteIntegration", "profile:DeleteProfile", "profile:DeleteProfileKey", "profile:DeleteProfileObject", "profile:DeleteProfileObjectType", "profile:GetIntegration", "profile:GetMatches", "profile:GetProfileObjectType", "profile:ListIntegrations", "profile:ListProfileObjects", "profile:ListProfileObjectTypes", "profile:ListTagsForResource", "profile:MergeProfiles", "profile:PutIntegration", "profile:PutProfileObject", "profile:PutProfileObjectType", "profile:SearchProfiles", "profile:TagResource", "profile:UntagResource", "profile:UpdateDomain", "profile:UpdateProfile" ], "Resource": "arn:aws:profile:*:*:domains/amazon-connect-*" }, { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:GetBucketAcl" ], "Resource": "arn:aws:s3:::amazon-connect-*" }, { "Effect": "Allow", "Action": [ "servicequotas:GetServiceQuota" ], "Resource": "arn:aws:servicequotas:*:*:connect/*" }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "connect.amazonaws.com" } } }, { "Effect": "Allow", "Action": "iam:DeleteServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*" }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/profile.amazonaws.com/*", "Condition": { "StringEquals": { "iam:AWSServiceName": "profile.amazonaws.com" } } } ] }
To allow a user to create an instance, ensure that they have the permissions granted
by the AmazonConnect_FullAccess
policy.
When you use AmazonConnect_FullAccess
policy, note the following:
-
The
iam:PutRolePolicy
allows the user who gets that policy to configure any resource in the account to work with the Amazon Connect instance. Because it grants such broad permissions, only assign it when necessary. Instead, create the service-linked role with access to the necessary resources and let the user have access to pass the service-linked role to Amazon Connect (which is granted by theAmazonConnect_FullAccess
policy). -
Additional privileges are required to create a Amazon S3 bucket with a name of your choosing, or use an existing bucket while creating or updating an instance from the Amazon Connect admin website. If you choose default storage locations for your call recordings, chat transcripts, call transcripts, and other data, the system prepends "amazon-connect-" to the names of those objects.
-
The aws/connect KMS key is available to use as a default encryption option. To use a custom encryption key, assign users additional KMS privileges.
-
Assign users additional privileges to attach other AWS resources like Amazon Polly, Live Media Streaming, Data Streaming, and Lex bots to their Amazon Connect instances.
For more information and detailed permissions, see Required permissions for using custom IAM policies to manage access to the Amazon Connect admin website.
AWS managed policy: AmazonConnectReadOnlyAccess
To allow read-only access, you need to attach only the
AmazonConnectReadOnlyAccess
policy:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowConnectReadOnly", "Effect": "Allow", "Action": [ "connect:Get*", "connect:Describe*", "connect:List*", "ds:DescribeDirectories" ], "Resource": "*" }, { "Sid": "DenyConnectEmergencyAccess", "Effect": "Deny", "Action": "connect:AdminGetEmergencyAccessToken", "Resource": "*" } ] }
AWS managed policy: AmazonConnectServiceLinkedRolePolicy
The AmazonConnectServiceLinkedRolePolicy
role permissions policy allows
Amazon Connect to complete the following actions on the specified resources. As
you enable additional features in Amazon Connect, additional permissions are added
for the AWSServiceRoleForAmazonConnect service-linked role to access the resources
associated with those features:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowConnectActions", "Effect": "Allow", "Action": [ "connect:*" ], "Resource": [ "*" ] }, { "Sid": "AllowDeleteSLR", "Effect": "Allow", "Action": [ "iam:DeleteRole" ], "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect_*" }, { "Sid": "AllowS3ObjectForConnectBucket", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectAcl", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::amazon-connect-*/*" ] }, { "Sid": "AllowGetBucketMetadataForConnectBucket", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetBucketAcl" ], "Resource": [ "arn:aws:s3:::amazon-connect-*" ] }, { "Sid": "AllowConnectLogGroupAccess", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents" ], "Resource": [ "arn:aws:logs:*:*:log-group:/aws/connect/*:*" ] }, { "Sid": "AllowListLexBotAccess", "Effect": "Allow", "Action": [ "lex:ListBots", "lex:ListBotAliases" ], "Resource": "*" }, { "Sid": "AllowCustomerProfilesForConnectDomain", "Effect": "Allow", "Action": [ "profile:SearchProfiles", "profile:CreateProfile", "profile:UpdateProfile", "profile:AddProfileKey", "profile:ListProfileObjectTypes", "profile:ListCalculatedAttributeDefinitions", "profile:ListCalculatedAttributesForProfile", "profile:GetDomain", "profile:ListIntegrations" ], "Resource": "arn:aws:profile:*:*:domains/amazon-connect-*" }, { "Sid": "AllowReadPermissionForCustomerProfileObjects", "Effect": "Allow", "Action": [ "profile:ListProfileObjects", "profile:GetProfileObjectType" ], "Resource": [ "arn:aws:profile:*:*:domains/amazon-connect-*/object-types/*" ] }, { "Sid": "AllowListIntegrationForCustomerProfile", "Effect": "Allow", "Action": [ "profile:ListAccountIntegrations" ], "Resource": "*" }, { "Sid": "AllowReadForCustomerProfileObjectTemplates", "Effect": "Allow", "Action": [ "profile:ListProfileObjectTypeTemplates", "profile:GetProfileObjectTypeTemplate" ], "Resource": "arn:aws:profile:*:*:/templates*" }, { "Sid": "AllowWisdomForConnectEnabledTaggedResources", "Effect": "Allow", "Action": [ "wisdom:CreateContent", "wisdom:DeleteContent", "wisdom:CreateKnowledgeBase", "wisdom:GetAssistant", "wisdom:GetKnowledgeBase", "wisdom:GetContent", "wisdom:GetRecommendations", "wisdom:GetSession", "wisdom:NotifyRecommendationsReceived", "wisdom:QueryAssistant", "wisdom:StartContentUpload", "wisdom:UpdateContent", "wisdom:UntagResource", "wisdom:TagResource", "wisdom:CreateSession", "wisdom:CreateQuickResponse", "wisdom:GetQuickResponse", "wisdom:SearchQuickResponses", "wisdom:StartImportJob", "wisdom:GetImportJob", "wisdom:ListImportJobs", "wisdom:ListQuickResponses", "wisdom:UpdateQuickResponse", "wisdom:DeleteQuickResponse", "wisdom:PutFeedback", "wisdom:ListContentAssociations" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/AmazonConnectEnabled": "True" } } }, { "Sid": "AllowListOperationForWisdom", "Effect": "Allow", "Action": [ "wisdom:ListAssistants", "wisdom:ListKnowledgeBases" ], "Resource": "*" }, { "Sid": "AllowCustomerProfilesCalculatedAttributesForConnectDomain", "Effect": "Allow", "Action": [ "profile:GetCalculatedAttributeForProfile", "profile:CreateCalculatedAttributeDefinition", "profile:DeleteCalculatedAttributeDefinition", "profile:GetCalculatedAttributeDefinition", "profile:UpdateCalculatedAttributeDefinition" ], "Resource": [ "arn:aws:profile:*:*:domains/amazon-connect-*/calculated-attributes/*" ] }, { "Sid": "AllowPutMetricsForConnectNamespace", "Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*", "Condition": { "StringEquals": { "cloudwatch:namespace": "AWS/Connect" } } }, { "Sid": "AllowSMSVoiceOperationsForConnect", "Effect": "Allow", "Action": [ "sms-voice:SendTextMessage", "sms-voice:DescribePhoneNumbers" ], "Resource": "arn:aws:sms-voice:*:*:phone-number/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowCognitoForConnectEnabledTaggedResources", "Effect": "Allow", "Action": [ "cognito-idp:DescribeUserPool", "cognito-idp:ListUserPoolClients" ], "Resource": "arn:aws:cognito-idp:*:*:userpool/*", "Condition": { "StringEquals": { "aws:ResourceTag/AmazonConnectEnabled": "True" } } }, { "Sid": "AllowWritePermissionForCustomerProfileObjects", "Effect": "Allow", "Action": [ "profile:PutProfileObject" ], "Resource": [ "arn:aws:profile:*:*:domains/amazon-connect-*/object-types/*" ] } ] }
AWS managed policy: AmazonConnectCampaignsServiceLinkedRolePolicy
The AmazonConnectCampaignsServiceLinkedRolePolicy
role permissions
policy allows Amazon Connect outbound campaigns to complete the following actions on the
specified resources.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "connect-campaigns:ListCampaigns" ], "Resource" : "*" }, { "Effect": "Allow", "Action": [ "connect:BatchPutContact", "connect:StopContact" ], "Resource": "arn:aws:connect:*:*:instance/*" ] }
AWS managed policy: AmazonConnectVoiceIDFullAccess
To allow full access to Amazon Connect Voice ID, you must attach two policies to your users,
groups, or roles. Attach the AmazonConnectVoiceIDFullAccess
policy and the
following custom policy contents to access Voice ID through the Amazon Connect admin website:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AttachAnyPolicyToAmazonConnectRole", "Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*" }, { "Effect": "Allow", "Action": [ "connect:CreateIntegrationAssociation", "connect:DeleteIntegrationAssociation", "connect:ListIntegrationAssociations" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "events:DeleteRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets" ], "Resource": "*", "Condition": { "StringEquals": { "events:ManagedBy": "connect.amazonaws.com" } } } ] }
The manual policy configures the following:
-
The
iam:PutRolePolicy
allows the user who gets that policy to configure any resource in the account to work with the Amazon Connect instance. Because it grants such broad permissions, only assign it when necessary. -
To attach a Voice ID domain with an Amazon Connect instance, you need additional Amazon Connect and Amazon EventBridge privileges. You need privileges to call Amazon Connect APIs to create, delete, and list integration associations. You need EventBridge permissions to create and delete EventBridge rules which are used to provide contact records related to Voice ID.
Since there is no default encryption option, to use your customer managed key with your Amazon Connect Voice ID, the following API operations must be permitted in the key policy. Also, you must add these permissions on the relevant key. They are not included in the managed policy.
-
kms:Decrypt
to access or store encrypted data. -
kms:CreateGrant
– when creating or updating a domain, used to create a grant to the customer managed key for the Voice ID domain. The grant controls access to the specified KMS key which allows access to grant operations Amazon Connect Voice ID requires. For more information about using grants, see Using grants in the AWS Key Management Service Developer Guide. -
kms:DescribeKey
– when creating or updating a domain, allows determining the ARN for KMS key you provided.
For more about creating domains and KMS keys, see Get started enabling Voice ID in Amazon Connect and Encryption at rest.
AWS managed policy: CustomerProfilesServiceLinkedRolePolicy
To allow Amazon Connect Customer Profiles to publish CloudWatch metrics to your AWS account, you must attach
the CustomerProfilesServiceLinkedRolePolicy
managed policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": "", "Condition": { "StringEquals": { "cloudwatch:namespace": "AWS/CustomerProfiles" } } }, { "Effect": "Allow", "Action": [ "iam:DeleteRole" ], "Resource": "arn:aws:iam:::role/aws-service-role/profile.amazonaws.com/AWSServiceRoleForProfile_*" } ] }
AWS managed policy: AmazonConnectSynchronizationServiceRolePolicy
The AmazonConnectSynchronizationServiceRolePolicy
permissions policy
allows Amazon Connect Managed Synchronization to complete the following read, write,
update, and delete actions on the specified resources. As resource synchronization is
enabled for more resources, additional permissions are added to the AWSServiceRoleForAmazonConnectSynchronization service-linked role to access
these resources.
The AmazonConnectSynchronizationServiceRolePolicy
permissions policy is
grouped into the following sets of permissions.
-
connect
– Connect permissions for the synchronization of Connect configurations and resources. -
cloudwatch
– CloudWatch permissions to publish Amazon Connect usage metrics for an instance in your account.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowConnectActions", "Effect": "Allow", "Action": [ "connect:CreateUser*", "connect:UpdateUser*", "connect:DeleteUser*", "connect:DescribeUser*", "connect:ListUser*", "connect:CreateRoutingProfile", "connect:UpdateRoutingProfile*", "connect:DeleteRoutingProfile", "connect:DescribeRoutingProfile", "connect:ListRoutingProfile*", "connect:CreateAgentStatus", "connect:UpdateAgentStatus", "connect:DescribeAgentStatus", "connect:ListAgentStatuses", "connect:CreateQuickConnect", "connect:UpdateQuickConnect*", "connect:DeleteQuickConnect", "connect:DescribeQuickConnect", "connect:ListQuickConnects", "connect:CreateHoursOfOperation", "connect:UpdateHoursOfOperation", "connect:DeleteHoursOfOperation", "connect:DescribeHoursOfOperation", "connect:ListHoursOfOperations", "connect:CreateQueue", "connect:UpdateQueue*", "connect:DeleteQueue", "connect:DescribeQueue", "connect:ListQueue*", "connect:CreatePrompt", "connect:UpdatePrompt", "connect:DeletePrompt", "connect:DescribePrompt", "connect:ListPrompts", "connect:GetPromptFile", "connect:CreateSecurityProfile", "connect:UpdateSecurityProfile", "connect:DeleteSecurityProfile", "connect:DescribeSecurityProfile", "connect:ListSecurityProfile*", "connect:CreateContactFlow*", "connect:UpdateContactFlow*", "connect:DeleteContactFlow*", "connect:DescribeContactFlow*", "connect:ListContactFlow*", "connect:BatchGetFlowAssociation", "connect:CreatePredefinedAttribute", "connect:UpdatePredefinedAttribute", "connect:DeletePredefinedAttribute", "connect:DescribePredefinedAttribute", "connect:ListPredefinedAttributes", "connect:ListTagsForResource", "connect:TagResource", "connect:UntagResource", "connect:ListTrafficDistributionGroups", "connect:ListPhoneNumbersV2", "connect:UpdatePhoneNumber", "connect:DescribePhoneNumber", "connect:AssociatePhoneNumberContactFlow", "connect:DisassociatePhoneNumberContactFlow", "connect:AssociateRoutingProfileQueues", "connect:DisassociateQueueQuickConnects", "connect:AssociateQueueQuickConnects", "connect:DisassociateUserProficiencies", "connect:AssociateUserProficiencies", "connect:DisassociateRoutingProfileQueues", "connect:CreateAuthenticationProfile", "connect:UpdateAuthenticationProfile", "connect:DescribeAuthenticationProfile", "connect:ListAuthenticationProfiles" ], "Resource": "*" }, { "Sid": "AllowPutMetricsForConnectNamespace", "Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*", "Condition": { "StringEquals": { "cloudwatch:namespace": "AWS/Connect" } } } ] }
Amazon Connect updates to AWS managed policies
View details about updates to AWS managed policies for Amazon Connect since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Connect Document history page.
Change | Description | Date |
---|---|---|
AmazonConnectSynchronizationServiceRolePolicy – Added for Managed Synchronization |
Added the following actions to the service-linked role managed policy for managed synchronization:
|
July 5, 2024 |
AmazonConnectReadOnlyAccess – Renamed action
|
The AmazonConnectReadOnlyAccess managed policy has been updated due to
the renaming of the Amazon Connect action |
June 15, 2024 |
AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Cognito user pools and Amazon Connect Customer Profiles |
Added the following Amazon Cognito user pools actions to the service-linked role policy
to allow select read operations on Cognito User Pool User Pool resources
that have an
Added the following Amazon Connect Customer Profiles action to the service-linked role policy to allow permissions to put data into the Connect-adjacent service, Customer Profiles:
|
May 23, 2024 |
AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Q in Connect |
The following action is allowed to be performed on Amazon Q in Connect resources
that have the resource tag
|
May 20, 2024 |
AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Pinpoint |
Added the following actions to the service-linked role policy to use Amazon Pinpoint phone numbers to allow Amazon Connect to send SMS:
|
November 17, 2023 |
AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Q in Connect |
The following action is allowed to be performed on Amazon Q in Connect resources
that have the resource tag
|
November 15, 2023 |
AmazonConnectCampaignsServiceLinkedRolePolicy – Added actions for Amazon Connect |
Amazon Connect added new actions to retrieve outbound campaigns:
|
November 8, 2023 |
AmazonConnectSynchronizationServiceRolePolicy – Added new AWS managed policy |
Added a new service-linked role managed policy for managed synchronization. The policy provides access to read, create, update, and delete Amazon Connect resources and is used to automatically synchronize AWS resources across AWS regions. |
November 3, 2023 |
AmazonConnectServiceLinkedRolePolicy – Added actions for Customer Profiles |
Added the following action to manage Amazon Connect Customer Profiles Service Linked Roles:
|
October 30, 2023 |
AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Q in Connect |
The following actions are allowed to be performed on Amazon Q in Connect
resources that have the resource tag
|
October 25, 2023 |
AmazonConnectServiceLinkedRolePolicy – Added actions for Customer Profiles |
Added the following action to manage Amazon Connect Customer Profiles Service Linked Roles:
|
October 6, 2023 |
AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Q in Connect |
The following actions are allowed to be performed on Amazon Q in Connect
resources that have the resource tag
The following
|
September 29, 2023 |
CustomerProfilesServiceLinkedRolePolicy – Added CustomerProfilesServiceLinkedRolePolicy |
New managed policy. |
March 7, 2023 |
AmazonConnect_FullAccess – Added permission for managing Amazon Connect Customer Profiles Service Linked Roles |
Added the following action to manage Amazon Connect Customer Profiles Service Linked Roles.
|
January 26, 2023 |
AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon CloudWatch |
Added the following action to publish usage Amazon Connect metrics for an instance to your account.
|
Februrary 22, 2022 |
AmazonConnect_FullAccess – Added permissions for managing Amazon Connect Customer Profiles domains |
Added all permissions for managing Amazon Connect Customer Profiles domains that are created for new Amazon Connect instances.
The following permissions are allowed to be performed on domains with
a name that is prefixed with
|
November 12, 2021 |
AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Connect Customer Profiles |
Added the following actions so Amazon Connect flows and the agent experience can interact with the profiles in your default Customer Profiles domain:
Added the following action so Amazon Connect flows and the agent experience can interact with the profile objects in your default Customer Profiles domain:
Added the following action so Amazon Connect flows and the agent experience can determine whether Customer Profiles is enabled for your Amazon Connect instance:
|
November 12, 2021 |
AmazonConnectVoiceIDFullAccess – Added new AWS managed policy |
Added a new AWS managed policy so you can set up your users to use Amazon Connect Voice ID. This policy provides full access to Amazon Connect Voice ID through the AWS console, SDK, or other means. |
September 27, 2021 |
AmazonConnectCampaignsServiceLinkedRolePolicy – Added new service-linked role policy |
Added a new service-linked role policy for outbound campaigns. The policy provides access to retrieve all the outbound campaigns. |
September 27, 2021 |
AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Lex |
Added the following actions for the all bots created in the account across all Regions. These actions were added to support integration with Amazon Lex.
|
June 15, 2021 |
AmazonConnect_FullAccess – Added actions for Amazon Lex |
Added the following actions for the all bots created in the account across all Regions. These actions were added to support integration with Amazon Lex.
|
June 15, 2021 |
Amazon Connect started tracking changes |
Amazon Connect started tracking changes for its AWS managed policies. |
June 15, 2021 |