Amazon Pinpoint
Developer Guide

IAM Policies for Amazon Pinpoint Users

You can add Amazon Pinpoint API actions to AWS Identity and Access Management (IAM) policies to allow or deny specific actions for Amazon Pinpoint users in your account. The Amazon Pinpoint API actions in your policies control what users can do in the Amazon Pinpoint console. These actions also control which programmatic requests users can make with the AWS SDKs, the AWS Command Line Interface (AWS CLI), or the Amazon Pinpoint APIs.

In a policy, you specify each action with the mobiletargeting namespace followed by a colon and the name of the action, such as GetSegments. Most actions correspond to a request to the Amazon Pinpoint API using a specific URI and HTTP method. For example, if you allow the mobiletargeting:GetSegments action in a user's policy, the user is allowed to make an HTTP GET request against the /apps/projectId/segments URI. This policy also allows the user to view the segments for a project in the console, and to retrieve the segments by using an AWS SDK or the AWS CLI.

Each action is performed on a specific Amazon Pinpoint resource, which you identify in a policy statement by its Amazon Resource Name (ARN). For example, the mobiletargeting:GetSegments action is performed on a specific app, which you identify with the ARN, arn:aws:mobiletargeting:region:accountId:apps/projectId.

Example Policies

The following examples demonstrate how you can manage Amazon Pinpoint access with IAM policies.

Amazon Pinpoint API Actions

Amazon Pinpoint Administrator

The following policy allows full access to all Amazon Pinpoint actions and resources:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobiletargeting:*"
      ],
      "Resource": "arn:aws:mobiletargeting:*:accountId:*"
    }
  ]
}

Note

As a best practice, you should create policies that follow the principle of least privilege. In other words, when you create IAM policies, they should include only the permissions that are required to perform the task at hand. For more information, see the IAM User Guide.

Read-Only Access

The following policy allows read-only access to all of the projects in your Amazon Pinpoint account in a specific AWS Region. This policy only applies to the Amazon Pinpoint API. For a policy that you can use to create read-only console users, see the next section.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "mobiletargeting:Get*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:mobiletargeting:region:accountId:*"
    }
  ]
}

In the preceding policy example, replace region with the name of an AWS Region, and replace accountId with your AWS account ID.

Console Read-Only Access

The following policy provides users with read-only access to the Amazon Pinpoint console. It includes read-only access to other services that the Amazon Pinpoint console depends on, such as Amazon SES, IAM, and Kinesis.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mobiletargeting:Get*",
      "Resource": "arn:aws:mobiletargeting:region:accountId:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "firehose:ListDeliveryStreams",
        "iam:ListRoles",
        "kinesis:ListStreams",
        "s3:List*",
        "ses:Describe*",
        "ses:Get*",
        "ses:List*",
        "sns:ListTopics"
      ],
      "Resource": "*"
    }
  ]
}

In the preceding policy example, replace region with the name of an AWS Region, and replace accountId with your AWS account ID.

You can also create read-only policies that provide access only to specific projects. The following policy lets users sign in to the console and view a list of applications. However, it only lets users view additional information about the project that's specified in the policy. You can modify this policy to allow access to additional projects or Regions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mobiletargeting:GetApps",
      "Resource": "arn:aws:mobiletargeting:region:accountId:*"
    },
    {
      "Effect": "Allow",
      "Action": "mobiletargeting:Get*",
      "Resource": [
        "arn:aws:mobiletargeting:region:accountId:apps/projectId",
        "arn:aws:mobiletargeting:region:accountId:apps/projectId/*",
        "arn:aws:mobiletargeting:region:accountId:reports"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:Get*",
        "kinesis:ListStreams",
        "firehose:ListDeliveryStreams",
        "iam:ListRoles",
        "ses:List*",
        "sns:ListTopics",
        "ses:Describe*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}

In the preceding policy example, replace region with the name of an AWS Region, replace accountId with your AWS account ID, and replace projectId with the ID of the Amazon Pinpoint project that you want to provide access to.
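The mapping from an action to a URI and a resource ARN described at the start of this page, and the project-scoped read-only policy above, can both be checked offline before anything is attached to a user. The following evaluator is an added example written for this guide; it is not AWS code and it models only the subset of IAM evaluation needed here (explicit Deny wins, then any matching Allow, otherwise implicit deny, with `*` and `?` wildcards in Action and Resource). The Region `us-east-1`, the account ID `123456789012`, the two project IDs, and the names `pinpoint_arn`, `is_allowed`, `statement_applies` and `review` are all assumptions made for the example. The `ADMIN_NO_SEND` policy is constructed here to show how an explicit Deny narrows the administrator policy; it is not one of the guide's policies.

```python
"""Evaluate Amazon Pinpoint IAM policies offline (added example, not AWS code).

Implements the subset of IAM evaluation logic needed to reason about the
policies in this guide: an explicit Deny in any matching statement wins,
otherwise any matching Allow grants the request, otherwise the request is
implicitly denied. '*' and '?' wildcards are honoured in Action (matched
case-insensitively) and Resource (matched case-sensitively). Conditions,
NotAction/NotResource, resource-based policies and SCPs are not modelled,
so treat the result as a review aid, not as the authoritative answer.
"""
import fnmatch

# Constructed sample values standing in for the guide's placeholders.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
PROJECT_ID = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"         # hypothetical project ID
OTHER_PROJECT_ID = "00000000000000000000000000000000"   # a project the policy must not expose


def pinpoint_arn(suffix):
    """Build an ARN in the guide's form: arn:aws:mobiletargeting:region:accountId:suffix."""
    return f"arn:aws:mobiletargeting:{REGION}:{ACCOUNT_ID}:{suffix}"


# The guide's project-scoped read-only policy with the placeholders filled in.
PROJECT_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "mobiletargeting:GetApps",
         "Resource": pinpoint_arn("*")},
        {"Effect": "Allow", "Action": "mobiletargeting:Get*",
         "Resource": [pinpoint_arn(f"apps/{PROJECT_ID}"),
                      pinpoint_arn(f"apps/{PROJECT_ID}/*"),
                      pinpoint_arn("reports")]},
    ],
}

# Constructed: the guide's administrator policy plus an explicit Deny on the
# two send actions, to show that a Deny overrides a broader Allow.
ADMIN_NO_SEND = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["mobiletargeting:*"],
         "Resource": f"arn:aws:mobiletargeting:*:{ACCOUNT_ID}:*"},
        {"Effect": "Deny",
         "Action": ["mobiletargeting:SendMessages", "mobiletargeting:SendUsersMessages"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    # fnmatch's '*' crosses ':' and '/', which is also how IAM treats it in ARNs.
    return fnmatch.fnmatchcase(value, pattern)


def statement_applies(statement, action, resource_arn):
    """True if the statement's Action and Resource both match the request."""
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return (any(_matches(a, action, True) for a in actions)
            and any(_matches(r, resource_arn, False) for r in resources))


def is_allowed(policy, action, resource_arn):
    """Apply IAM's Deny-overrides-Allow rule with an implicit default deny."""
    allowed = False
    for statement in policy["Statement"]:
        if not statement_applies(statement, action, resource_arn):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def review(policy, requests):
    """Map each (action, resource ARN) pair to its decision, for a quick audit table."""
    return {f"{action} on {arn}": is_allowed(policy, action, arn) for action, arn in requests}


if __name__ == "__main__":
    table = review(PROJECT_READ_ONLY, [
        ("mobiletargeting:GetApps", pinpoint_arn("apps")),
        ("mobiletargeting:GetApp", pinpoint_arn(f"apps/{PROJECT_ID}")),
        ("mobiletargeting:GetCampaigns", pinpoint_arn(f"apps/{PROJECT_ID}/campaigns")),
        ("mobiletargeting:GetCampaigns", pinpoint_arn(f"apps/{OTHER_PROJECT_ID}/campaigns")),
        ("mobiletargeting:CreateCampaign", pinpoint_arn(f"apps/{PROJECT_ID}/campaigns")),
    ])
    for line, decision in table.items():
        print("ALLOW" if decision else "DENY ", line)
```

The table the script prints makes the reason for the two project ARNs visible: `apps/projectId` covers the project itself (GetApp), while `apps/projectId/*` is what covers its campaigns, segments and channels, and neither matches another project's ARN. For the real evaluation, including conditions and any other policies attached to the principal, use the IAM policy simulator, for example `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names mobiletargeting:GetCampaigns --resource-arns <ARN>`.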

Amazon Pinpoint SMS and Voice API Actions

Administrator Access

The following policy grants full access to the Amazon Pinpoint SMS and Voice API:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sms-voice:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Read-Only Access

The following policy allows read-only access to the Amazon Pinpoint SMS and Voice API:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sms-voice:Get*",
        "sms-voice:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Amazon Pinpoint Email API Actions

Administrator Access

The following policy grants full access to the Amazon Pinpoint Email API:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ses:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Note

This policy also grants full access to the Amazon SES API.

Read-Only Access

The following policy allows read-only access to the Amazon Pinpoint Email API:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ses:Describe*",
        "ses:Get*",
        "ses:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Note

This policy also grants read-only access to the Amazon SES API.
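Hand-edited policies such as the administrator and read-only examples above fail in two ways that are easy to catch before they are attached: the document is not valid policy JSON (a stray trailing comma in an Action list, an unsupported Version value), or it is valid but broader than the least-privilege note calls for (a service-wide `service:*`, or a write action on every resource). The linter below is an added example for this guide, not AWS tooling; the names `lint_policy` and `is_read_only`, the rule that only `Get*`, `List*` and `Describe*` count as read-only, the account ID `123456789012`, and the two deliberately defective sample documents are all assumptions made for the example.

```python
"""Lint IAM policy documents before attaching them (added example, not AWS tooling).

Checks the defects that most often creep into hand-edited policies like the
ones in this guide: JSON syntax errors (for instance a trailing comma in an
Action list), an unsupported Version value, statements missing Effect/Action/
Resource, and Allow statements that grant full access to a service (service:*)
or grant a non-read action on every resource. Findings are returned as strings
so they can be printed in a review or asserted on in a pipeline.
"""
import json

SUPPORTED_VERSIONS = {"2012-10-17", "2008-10-17"}   # the only Version values IAM accepts
REQUIRED_KEYS = {"Effect", "Action", "Resource"}
READ_ONLY_PREFIXES = ("Get", "List", "Describe")    # verbs this linter treats as read-only


def _as_list(value):
    # IAM accepts either a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True for Get*/List*/Describe* actions; everything else is treated as a write."""
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_PREFIXES)


def lint_policy(text):
    """Return a list of findings for a policy JSON string; an empty list means clean."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]

    findings = []
    version = policy.get("Version")
    if version not in SUPPORTED_VERSIONS:
        findings.append(f"unsupported Version {version!r}; use 2012-10-17")

    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        missing = REQUIRED_KEYS - set(statement)
        if missing:
            findings.append(f"statement {index}: missing {sorted(missing)}")
            continue
        if statement["Effect"] != "Allow":
            continue                      # a Deny can only narrow what is granted
        resources = _as_list(statement["Resource"])
        for action in _as_list(statement["Action"]):
            _, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings.append(f"statement {index}: full access via {action!r}")
            elif not is_read_only(action) and "*" in resources:
                findings.append(f"statement {index}: write action {action!r} on Resource '*'")
    return findings


# Constructed samples. The first two mirror policies from this guide with the
# placeholders filled in; the last two carry deliberate defects for the linter to find.
READ_ONLY_API = """{
  "Version": "2012-10-17",
  "Statement": [
    { "Action": [ "mobiletargeting:Get*" ], "Effect": "Allow",
      "Resource": "arn:aws:mobiletargeting:us-east-1:123456789012:*" }
  ]
}"""

ADMINISTRATOR = """{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": [ "mobiletargeting:*" ],
      "Resource": "arn:aws:mobiletargeting:*:123456789012:*" }
  ]
}"""

TRAILING_COMMA = """{
  "Version": "2012-10-17",
  "Statement": [
    { "Action": [ "sms-voice:Get*", "sms-voice:List*", ], "Effect": "Allow", "Resource": "*" }
  ]
}"""

WRONG_VERSION_AND_WRITE = """{
  "Version": "2018-09-05",
  "Statement": [
    { "Effect": "Allow", "Action": "mobiletargeting:SendMessages", "Resource": "*" }
  ]
}"""

if __name__ == "__main__":
    samples = [("read-only", READ_ONLY_API), ("administrator", ADMINISTRATOR),
               ("trailing comma", TRAILING_COMMA), ("wrong version", WRONG_VERSION_AND_WRITE)]
    for name, text in samples:
        print(f"{name}: {lint_policy(text) or ['clean']}")
```

A finding is a prompt for review, not an automatic rejection: the SMS and Voice API actions on this page have no resource ARN and must use `*`, so a `sms-voice:SendVoiceMessage` statement will always be reported as a write action on every resource and is expected to be accepted after a look. The full-access findings, on the other hand, are exactly the policies the least-privilege note says to avoid outside an administrator role.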

Amazon Pinpoint API Actions

This section lists the API actions that you can add to the IAM policies in your AWS account. By including these actions in a policy that's attached to an IAM user, you specify which Amazon Pinpoint features that user is allowed to use.

To learn more about the Amazon Pinpoint API, see the Amazon Pinpoint API Reference.

Campaigns

The following permissions are related to managing campaigns in your Amazon Pinpoint account.

mobiletargeting:CreateCampaign

Create a campaign for a project.

  • URI – /apps/projectId/campaigns

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/campaigns

mobiletargeting:DeleteCampaign

Delete a specific campaign.

mobiletargeting:GetCampaign

Retrieve information about a specific campaign.

mobiletargeting:GetCampaignActivities

Retrieve information about the activities performed by a campaign.

mobiletargeting:GetCampaigns

Retrieve information about all campaigns for a project.

mobiletargeting:GetCampaignVersion

Retrieve information about a specific campaign version.

mobiletargeting:GetCampaignVersions

Retrieve information about the current and prior versions of a campaign.

mobiletargeting:UpdateCampaign

Update a specific campaign.

Channels

The following permissions are related to managing channels in your Amazon Pinpoint account. In Amazon Pinpoint, channels refer to the methods that you use to contact your customers, such as sending email, SMS messages, or push notifications.

mobiletargeting:DeleteAdmChannel

Delete the Amazon Device Messaging (ADM) channel for a project.

  • URI – /apps/projectId/channels/adm

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/channels/adm

mobiletargeting:GetAdmChannel

Retrieve information about the ADM channel for a project.

mobiletargeting:UpdateAdmChannel

Update the ADM channel for a project.

mobiletargeting:DeleteApnsChannel

Delete the Apple Push Notification service (APNs) channel for a project.

mobiletargeting:GetApnsChannel

Retrieve information about the APNs channel for a project.

mobiletargeting:UpdateApnsChannel

Update the certificate and private key for the APNs channel for a project. This allows Amazon Pinpoint to send push notifications to your iOS app.

mobiletargeting:DeleteApnsSandboxChannel

Delete the APNs sandbox channel for a project.

mobiletargeting:GetApnsSandboxChannel

Retrieve information about the APNs sandbox channel for a project.

mobiletargeting:UpdateApnsSandboxChannel

Update the APNs sandbox channel for a project.

mobiletargeting:DeleteApnsVoipChannel

Delete the APNs VoIP channel for a project.

mobiletargeting:GetApnsVoipChannel

Retrieve information about the APNs VoIP channel for a project.

mobiletargeting:UpdateApnsVoipChannel

Update the APNs VoIP channel for a project.

mobiletargeting:DeleteApnsVoipSandboxChannel

Delete the APNs VoIP sandbox channel for a project.

mobiletargeting:GetApnsVoipSandboxChannel

Retrieve information about the APNs VoIP sandbox channel for a project.

mobiletargeting:UpdateApnsVoipSandboxChannel

Update the APNs VoIP sandbox channel for a project.

mobiletargeting:DeleteBaiduChannel

Delete the Baidu Cloud Push channel for a project.

mobiletargeting:GetBaiduChannel

Retrieve information about the Baidu Cloud Push channel for a project.

mobiletargeting:UpdateBaiduChannel

Update the Baidu Cloud Push channel for a project.

mobiletargeting:DeleteEmailChannel

Delete the email channel for a project.

mobiletargeting:GetEmailChannel

Retrieve information about the email channel for a project.

mobiletargeting:UpdateEmailChannel

Update the email channel for a project.

mobiletargeting:DeleteGcmChannel

Delete the Firebase Cloud Messaging (FCM), formerly Google Cloud Messaging (GCM), channel for a project.

  • URI – /apps/projectId/channels/gcm

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/channels/gcm

mobiletargeting:GetGcmChannel

Retrieve information about the FCM, formerly GCM, channel for a project.

mobiletargeting:UpdateGcmChannel

Update the API key for the FCM, formerly GCM, channel for a project. This allows Amazon Pinpoint to send push notifications to your Android app.

mobiletargeting:DeleteSmsChannel

Delete the SMS channel for a project.

  • URI – /apps/projectId/channels/sms

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/channels/sms

mobiletargeting:GetSmsChannel

Retrieve information about the SMS channel for a project.

mobiletargeting:UpdateSmsChannel

Update the SMS channel for a project.

Endpoints

The following permissions are related to managing endpoints in your Amazon Pinpoint account. In Amazon Pinpoint, an endpoint is a single destination for your messages. For example, an endpoint could be a customer's email address, telephone number, or mobile device token.

mobiletargeting:DeleteEndpoint

Delete an endpoint.

mobiletargeting:GetEndpoint

Retrieve information about a specific endpoint.

mobiletargeting:UpdateEndpoint

Create an endpoint or update the information for an endpoint.

mobiletargeting:UpdateEndpointsBatch

Create or update endpoints as a batch operation.

Event Streams

The following permissions are related to managing event streams for your Amazon Pinpoint account.

mobiletargeting:DeleteEventStream

Delete the event stream for a project.

  • URI – /apps/projectId/eventstream/

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/eventstream

mobiletargeting:GetEventStream

Retrieve information about the event stream for a project.

mobiletargeting:PutEventStream

Create or update an event stream for a project.

Export Jobs

The following permissions are related to managing export jobs in your Amazon Pinpoint account. In Amazon Pinpoint, you create export jobs to send information about endpoints to an Amazon S3 bucket for storage or analysis.

mobiletargeting:CreateExportJob

Create an export job for exporting endpoint definitions to Amazon S3.

  • URI – /apps/projectId/jobs/export

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/jobs/export

mobiletargeting:GetExportJob

Retrieve information about a specific export job for a project.

mobiletargeting:GetExportJobs

Retrieve a list of all the export jobs for a project.

  • URI – /apps/projectId/jobs/export

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/jobs/export

Import Jobs

The following permissions are related to managing import jobs in your Amazon Pinpoint account. In Amazon Pinpoint, you create import jobs to create segments based on endpoint definitions stored in an Amazon S3 bucket.

mobiletargeting:CreateImportJob

Import endpoint definitions from Amazon S3 to create a segment.

mobiletargeting:GetImportJob

Retrieve information about a specific import job for a project.

mobiletargeting:GetImportJobs

Retrieve information about all the import jobs for a project.

Messages

The following permissions are related to sending SMS messages and push notifications from your Amazon Pinpoint account. You can use the SendMessages and SendUsersMessages operations to send messages to specific endpoints without creating segments and campaigns first.

mobiletargeting:SendMessages

Send an SMS message or push notification to specific endpoints.

  • URI – /apps/projectId/messages

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/messages

mobiletargeting:SendUsersMessages

Send an SMS message or push notification to all the endpoints that are associated with a specific user ID.

Phone Number Validate

The following permissions are related to using the Phone Number Validate feature in Amazon Pinpoint.

mobiletargeting:PhoneNumberValidate

Retrieve information about a phone number.

  • URI – /phone/number/validate

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:phone/number/validate

Projects

The following permissions are related to managing projects in your Amazon Pinpoint account. Originally, projects were referred to as applications. For the purposes of these operations, an Amazon Pinpoint application is the same as an Amazon Pinpoint project.

mobiletargeting:CreateApp

Create a project.

  • URI – /apps

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps

mobiletargeting:DeleteApp

Delete a project.

  • URI – /apps/projectId

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId

mobiletargeting:GetApp

Retrieve information about a specific project in your Amazon Pinpoint account.

  • URI – /apps/projectId

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId

mobiletargeting:GetApps

Retrieve a list of projects in your Amazon Pinpoint account.

  • URI – /apps

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps

mobiletargeting:GetApplicationSettings

Retrieve the default settings for an Amazon Pinpoint project.

  • URI – /apps/projectId/settings

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId

mobiletargeting:UpdateApplicationSettings

Update the default settings for an Amazon Pinpoint project.

  • URI – /apps/projectId/settings

  • Method – PUT

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId

Reports

The following permission is related to retrieving reports and metrics for your Amazon Pinpoint account.

mobiletargeting:GetReports

View analytics in the Amazon Pinpoint console.

  • URI – Not applicable

  • Method – Not applicable

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:reports

Segments

The following permissions are related to managing segments in your Amazon Pinpoint account. In Amazon Pinpoint, segments are groups of recipients for your campaigns that share certain attributes that you define.

mobiletargeting:CreateSegment

Create a segment. To allow a user to create a segment by importing endpoint data from outside Amazon Pinpoint, allow the mobiletargeting:CreateImportJob action.

  • URI – /apps/projectId/segments

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId

mobiletargeting:DeleteSegment

Delete a segment.

mobiletargeting:GetSegment

Retrieve information about a specific segment.

mobiletargeting:GetSegmentExportJobs

Retrieve information about jobs that export endpoint definitions for a segment.

mobiletargeting:GetSegments

Retrieve information about the segments for a project.

  • URI – /apps/projectId/segments

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId

mobiletargeting:GetSegmentImportJobs

Retrieve information about jobs that create segments by importing endpoint definitions from Amazon S3.

mobiletargeting:GetSegmentVersion

Retrieve information about a specific segment version.

mobiletargeting:GetSegmentVersions

Retrieve information about the current and prior versions of a segment.

mobiletargeting:UpdateSegment

Update a specific segment.

Tags

The following permissions are related to managing tags for resources in your Amazon Pinpoint account.

mobiletargeting:ListTagsForResource

Retrieve information about the tags that are associated with a project, campaign, or segment.

  • URI – /tags/resource-arn

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:*

mobiletargeting:TagResource

Add one or more tags to a project, campaign, or segment.

  • URI – /tags/resource-arn

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:*

mobiletargeting:UntagResource

Remove one or more tags from a project, campaign, or segment.

  • URI – /tags/resource-arn

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:*

Users

The following permissions are related to managing users. In Amazon Pinpoint, users correspond to individuals who receive messages from you. A single user might be associated with more than one endpoint.

mobiletargeting:DeleteUserEndpoints

Delete all of the endpoints that are associated with a user ID.

  • URI – /apps/projectId/users/userId

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/users/userId

mobiletargeting:GetUserEndpoints

Retrieve information about all of the endpoints that are associated with a user ID.

Amazon Pinpoint SMS and Voice API Actions

This section lists the API actions that you can add to the IAM policies in your AWS account. By including these actions in a policy that's attached to an IAM user, you specify which features of the Amazon Pinpoint SMS and Voice API that user is allowed to use.

To learn more about the Amazon Pinpoint SMS and Voice API, see the Amazon Pinpoint SMS and Voice API Reference.

sms-voice:CreateConfigurationSet

Create a configuration set for sending voice messages.

  • URI – /sms-voice/configuration-sets

  • Method – POST

  • Resource ARN – Not available; use *

sms-voice:DeleteConfigurationSet

Delete a voice message configuration set.

  • URI – /sms-voice/configuration-sets/ConfigurationSetName

  • Method – DELETE

  • Resource ARN – Not available; use *

sms-voice:GetConfigurationSetEventDestinations

Get information about a configuration set and the event destinations that it contains.

  • URI – /sms-voice/configuration-sets/ConfigurationSetName/event-destinations

  • Method – GET

  • Resource ARN – Not available; use *

sms-voice:CreateConfigurationSetEventDestination

Create an event destination for voice events.

  • URI – /sms-voice/configuration-sets/ConfigurationSetName/event-destinations

  • Method – POST

  • Resource ARN – Not available; use *

sms-voice:UpdateConfigurationSetEventDestination

Update an event destination for voice events.

  • URI – /sms-voice/configuration-sets/ConfigurationSetName/event-destinations/EventDestinationName

  • Method – PUT

  • Resource ARN – Not available; use *

sms-voice:DeleteConfigurationSetEventDestination

Delete an event destination for voice events.

  • URI – /sms-voice/configuration-sets/ConfigurationSetName/event-destinations/EventDestinationName

  • Method – DELETE

  • Resource ARN – Not available; use *

sms-voice:SendVoiceMessage

Create and send voice messages.

  • URI – /sms-voice/voice/message

  • Method – POST

  • Resource ARN – Not available; use *