AWS managed policies for Amazon Connect
To add permissions to users, groups, and roles, it is more efficient to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions that they need. To get started quickly, you can use AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.
AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.
Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.
AWS managed policy: AmazonConnect_FullAccess
To allow full read/write access to Amazon Connect, you must attach two policies to your IAM
users, groups, or roles. Attach the AmazonConnect_FullAccess
policy and a
custom policy with the following contents:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AttachAnyPolicyToAmazonConnectRole", "Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*" } ] }
To allow an IAM user to create an instance, ensure that they have the permissions
granted by the AmazonConnect_FullAccess
policy.
When you use AmazonConnect_FullAccess
policy, note the following:
-
The
iam:PutRolePolicy
allows the user who gets that policy to configure any resource in the account to work with the Amazon Connect instance. Because it grants such broad permissions, only assign it when necessary. Instead, create the service-linked role with access to the necessary resources and let the user have access to pass the service-linked role to Amazon Connect (which is granted by theAmazonConnect_FullAccess
policy). -
Additional privileges are required to create a Amazon S3 bucket with a name of your choosing, or use an existing bucket while creating or updating an instance from the Amazon Connect console. If you choose default storage locations for your call recordings, chat transcripts, call transcripts, etc, they are now prefixed with "amazon-connect-".
-
The aws/connect KMS key is available to use as a default encryption option. To use a custom encryption key, assign users additional KMS privileges.
-
Assign users additional privileges to attach other AWS resources like Amazon Polly, Live Media Streaming, Data Streaming, and Lex bots to their Amazon Connect instances.
For more information and detailed permissions, see Required permissions for using custom IAM policies to manage access to the Amazon Connect console.
AWS managed policy: AmazonConnectReadOnlyAccess
To allow read-only access, you need to attach only the
AmazonConnectReadOnlyAccess
policy.
AWS managed policy: AmazonConnectVoiceIDFullAccess
To allow full access to Amazon Connect Voice ID, you must attach two policies to your IAM
users, groups, or roles. Attach the AmazonConnectVoiceIDFullAccess
policy
and the following custom policy contents to access Voice ID through the Amazon Connect console:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AttachAnyPolicyToAmazonConnectRole", "Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*" }, { "Effect": "Allow", "Action": [ "connect:CreateIntegrationAssociation", "connect:DeleteIntegrationAssociation", "connect:ListIntegrationAssociations" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "events:DeleteRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets" ], "Resource": "*", "Condition": { "StringEquals": { "events:ManagedBy": "connect.amazonaws.com" } } } ] }
The manual policy configures the following:
-
The
iam:PutRolePolicy
allows the user who gets that policy to configure any resource in the account to work with the Amazon Connect instance. Because it grants such broad permissions, only assign it when necessary. -
To attach a Voice ID domain with an Amazon Connect instance, you need additional Amazon Connect and Amazon EventBridge privileges. You need privileges to call Amazon Connect APIs to create, delete, and list integration associations. You need EventBridge permissions to create and delete EventBridge rules which are used to provide contact records related to Voice ID.
Since there is no default encryption option, to use your customer managed key with your Amazon Connect Voice ID, the following API operations must be permitted in the key policy. Also, you must add these permissions on the relevant key. They are not included in the managed policy.
-
kms:Decrypt
to access or store encrypted data. -
kms:CreateGrant
– when creating or updating a domain, used to create a grant to the customer managed key for the Voice ID domain. The grant controls access to the specified KMS key which allows access to grant operations Amazon Connect Voice ID requires. For more information about using grants, see Using grants in the AWS Key Management Service Developer Guide. -
kms:DescribeKey
– when creating or updating a domain, allows determining the ARN for KMS key you provided.
For more about creating domains and KMS keys, see Enable Voice ID and Encryption at rest.
Amazon Connect updates to AWS managed policies
View details about updates to AWS managed policies for Amazon Connect since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Connect Document history page.
Change | Description | Date |
---|---|---|
AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon CloudWatch |
Added the following action to publish usage Amazon Connect metrics for an instance to your account.
|
Februrary 22, 2022 |
AmazonConnect_FullAccess – Added permissions for managing Amazon Connect Customer Profiles domains |
Added all permissions for managing Amazon Connect Customer Profiles domains that are created for new Amazon Connect instances.
The following permissions are allowed to be performed on domains with
a name that is prefixed with
|
November 12, 2021 |
AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Connect Customer Profiles |
Added the following actions so Amazon Connect flows and the agent experience can interact with the profiles in your default Customer Profiles domain:
Added the following action so Amazon Connect flows and the agent experience can interact with the profile objects in your default Customer Profiles domain:
Added the following action so Amazon Connect flows and the agent experience can determine whether Customer Profiles is enabled for your Amazon Connect instance:
|
November 12, 2021 |
AmazonConnectVoiceIDFullAccess – Added new AWS managed policy |
Added a new AWS managed policy so you can set up your users to use Amazon Connect Voice ID. This policy provides full access to Amazon Connect Voice ID through the AWS console, SDK, or other means. |
September 27, 2021 |
AmazonConnectCampaignsServiceLinkedRolePolicy – Added new service-linked role policy |
Added a new service-linked role policy for outbound campaigns. The policy provides access to retrieve all the outbound campaigns. |
September 27, 2021 |
AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Lex |
Added the following actions for the all bots created in the account across all Regions. These actions were added to support integration with Amazon Lex.
|
June 15, 2021 |
AmazonConnect_FullAccess – Added actions for Amazon Lex |
Added the following actions for the all bots created in the account across all Regions. These actions were added to support integration with Amazon Lex.
|
June 15, 2021 |
Amazon Connect started tracking changes |
Amazon Connect started tracking changes for its AWS managed policies. |
June 15, 2021 |