Amazon Pinpoint
Developer Guide

IAM Policies for Amazon Pinpoint Users

You can add Amazon Pinpoint API actions to AWS Identity and Access Management (IAM) policies to allow or deny specific actions for Amazon Pinpoint users in your account. The Amazon Pinpoint API actions in your policies control what users can do in the Amazon Pinpoint console. These actions also control which programmatic requests users can make with the AWS SDKs, the AWS CLI, or the Amazon Pinpoint REST API.

In a policy, you specify each action with the mobiletargeting namespace followed by a colon and the name of the action, such as GetSegments. Most actions correspond to a request to the Amazon Pinpoint REST API using a specific URI and HTTP method. For example, if you allow the mobiletargeting:GetSegments action in a user's policy, the user is allowed to make an HTTP GET request against the /apps/project-id/segments URI. This policy also allows the user to view the segments for a project in the console, and to retrieve the segments by using an AWS SDK or the AWS CLI.

Each action is performed on a specific Amazon Pinpoint resource, which you identify in a policy statement by its Amazon Resource Name (ARN). For example, the mobiletargeting:GetSegments action is performed on a specific app, which you identify with the ARN, arn:aws:mobiletargeting:region:account-id:apps/project-id.

You can refer generically to all Amazon Pinpoint actions or resources by using wildcards ("*"). For example, to allow all actions for all resources, include the following in a policy statement:

"Effect": "Allow",
"Action": "mobiletargeting:*",
"Resource": "*"

Example Policies

The following examples demonstrate how you can manage Amazon Pinpoint access with IAM policies.

Amazon Pinpoint API Actions

Amazon Pinpoint Administrator

The following administrator policy allows full access to Amazon Pinpoint actions and resources:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mobiletargeting:*"
            ],
            "Resource": "*"
        }
    ]
}

Read-Only Access

The following policy allows read-only access for all apps in an account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "mobiletargeting:Get*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:mobiletargeting:*:account-id:apps/*"
            ]
        }
    ]
}

In the preceding policy example, replace account-id with your AWS account ID.

You can also create a policy that allows read-only access to a specific Amazon Pinpoint project. To do this, specify an AWS Region and a project ID, as shown in the following example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "mobiletargeting:Get*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:mobiletargeting:region:account-id:apps/project-id"
            ]
        }
    ]
}

In the preceding policy example, replace region with the name of the AWS Region you're using, account-id with your AWS account ID, and project-id with the unique ID of your Amazon Pinpoint project.
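The following added example (not part of the original guide) models which requests the two read-only policies above cover, using the action-to-ARN pairs listed in the action reference later on this page. The region, account ID and project ID are constructed placeholders, and the matcher is a simplified assumption that handles only Allow statements with IAM-style wildcards (no Deny, NotAction, NotResource or Condition).

```python
import re

# Constructed placeholder values standing in for region, account-id, project-id.
REGION, ACCOUNT, PROJECT = "us-east-1", "111122223333", "exampleprojectid"
BASE = f"arn:aws:mobiletargeting:{REGION}:{ACCOUNT}:"
APP = BASE + f"apps/{PROJECT}"

# Action -> resource ARN, copied from the action reference on this page.
PAGE_ACTIONS = {
    "mobiletargeting:GetApps": BASE + "apps",
    "mobiletargeting:GetApp": APP,
    "mobiletargeting:GetApplicationSettings": APP,
    "mobiletargeting:GetSegments": APP,
    "mobiletargeting:GetExportJobs": APP + "/jobs/export",
    "mobiletargeting:GetReports": BASE + "reports",
    "mobiletargeting:SendMessages": APP + "/messages",
    "mobiletargeting:DeleteApp": APP,
}

def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def allowed(policy, requests=PAGE_ACTIONS):
    """Return the sorted actions in `requests` covered by an Allow statement.
    Simplified model: ignores Deny, NotAction, NotResource and Condition."""
    hits = set()
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action, arn in requests.items():
            act_ok = any(_glob(a, action, True) for a in _as_list(st["Action"]))
            res_ok = any(_glob(r, arn) for r in _as_list(st["Resource"]))
            if act_ok and res_ok:
                hits.add(action)
    return sorted(hits)

def read_only(resource):
    """Build the page's read-only policy for the given Resource value."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["mobiletargeting:Get*"], "Resource": [resource]}]}

ALL_APPS = allowed(read_only(f"arn:aws:mobiletargeting:*:{ACCOUNT}:apps/*"))
ONE_PROJECT = allowed(read_only(APP))
```

Under the ARNs this page lists, the apps/* form covers project-level reads including GetExportJobs but not GetApps or GetReports, whose ARNs do not start with apps/. The single-project form without a trailing wildcard covers only actions whose ARN is exactly the project ARN.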

Amazon Pinpoint SMS and Voice API Actions

Admin Access

The following policy grants full access to the Amazon Pinpoint SMS and Voice API:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sms-voice:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Read-Only Access

The following policy allows read-only access to the Amazon Pinpoint SMS and Voice API:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sms-voice:Get*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Amazon Pinpoint API Actions

This section contains API actions that you can add to the IAM policies in your AWS account. By attaching these policies to an IAM user, you can specify which Amazon Pinpoint features that user is allowed to use.

Campaigns

The following permissions are related to managing campaigns in your Amazon Pinpoint account.

mobiletargeting:CreateCampaign

Create a campaign for a project.

  • URI – /apps/project-id/campaigns

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:account-id:apps/project-id/campaigns

mobiletargeting:DeleteCampaign

Delete a specific campaign.

mobiletargeting:GetCampaign

Retrieve information about a specific campaign.

mobiletargeting:GetCampaignActivities

Retrieve information about the activities performed by a campaign.

mobiletargeting:GetCampaigns

Retrieve information about all campaigns for a project.

mobiletargeting:GetCampaignVersion

Retrieve information about a specific campaign version.

mobiletargeting:GetCampaignVersions

Retrieve information about the current and prior versions of a campaign.

mobiletargeting:UpdateCampaign

Update a specific campaign.

Channels

The following permissions are related to managing channels in your Amazon Pinpoint account. In Amazon Pinpoint, channels refer to the methods you use to contact your customers, such as by sending email, SMS messages, or push notifications.

mobiletargeting:DeleteAdmChannel

Delete the Amazon Device Messaging (ADM) channel for a project.

mobiletargeting:GetAdmChannel

Retrieve information about the Amazon Device Messaging (ADM) channel for a project.

mobiletargeting:UpdateAdmChannel

Update the Amazon Device Messaging (ADM) channel for a project.

mobiletargeting:DeleteApnsChannel

Delete the APNs channel for a project.

mobiletargeting:GetApnsChannel

Retrieve information about the APNs channel for a project.

mobiletargeting:UpdateApnsChannel

Update the Apple Push Notification service (APNs) certificate and private key, which allow Amazon Pinpoint to send push notifications to your iOS app.

mobiletargeting:DeleteApnsSandboxChannel

Delete the APNs sandbox channel for a project.

mobiletargeting:GetApnsSandboxChannel

Retrieve information about the APNs sandbox channel for a project.

mobiletargeting:UpdateApnsSandboxChannel

Update the APNs sandbox channel for a project.

mobiletargeting:DeleteApnsVoipChannel

Delete the APNs VoIP channel for a project.

mobiletargeting:GetApnsVoipChannel

Retrieve information about the APNs VoIP channel for a project.

mobiletargeting:UpdateApnsVoipChannel

Update the APNs VoIP channel for a project.

mobiletargeting:DeleteApnsVoipSandboxChannel

Delete the APNs VoIP sandbox channel for a project.

mobiletargeting:GetApnsVoipSandboxChannel

Retrieve information about the APNs VoIP sandbox channel for a project.

mobiletargeting:UpdateApnsVoipSandboxChannel

Update the APNs VoIP sandbox channel for a project.

mobiletargeting:DeleteBaiduChannel

Delete the Baidu channel for a project.

mobiletargeting:GetBaiduChannel

Retrieve information about the Baidu channel for a project.

mobiletargeting:UpdateBaiduChannel

Update the Baidu channel for a project.

mobiletargeting:DeleteEmailChannel

Delete the email channel in a project.

mobiletargeting:GetEmailChannel

Obtain information about the email channel in a project.

mobiletargeting:UpdateEmailChannel

Update the email channel in a project.

mobiletargeting:DeleteGcmChannel

Delete the GCM channel for a project.

  • URI – /apps/project-id/channels/gcm

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:account-id:apps/project-id/channels/gcm

mobiletargeting:GetGcmChannel

Retrieve information about the GCM channel for a project.

mobiletargeting:UpdateGcmChannel

Update the Firebase Cloud Messaging (FCM) or Google Cloud Messaging (GCM) API key, which allows Amazon Pinpoint to send push notifications to your Android app.

mobiletargeting:DeleteSmsChannel

Delete the SMS channel in a project.

  • URI – /apps/project-id/channels/sms

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:account-id:apps/project-id/channels/sms

mobiletargeting:GetSmsChannel

Obtain information about the SMS channel in a project.

mobiletargeting:UpdateSmsChannel

Update the SMS channel in a project.

Endpoints

The following permissions are related to managing endpoints in your Amazon Pinpoint account. In Amazon Pinpoint, an endpoint is a single destination for your messages. For example, an endpoint could be a customer's email address, telephone number, or mobile device token.

mobiletargeting:DeleteEndpoint

Delete an endpoint.

mobiletargeting:GetEndpoint

Retrieve information about a specific endpoint.

mobiletargeting:UpdateEndpoint

Create an endpoint or update the information for an endpoint.

mobiletargeting:UpdateEndpointsBatch

Create or update endpoints as a batch operation.

Event Streams

The following permissions are related to managing event streams in your Amazon Pinpoint account.

mobiletargeting:DeleteEventStream

Delete the event stream for a project.

mobiletargeting:GetEventStream

Retrieve information about the event stream for a project.

mobiletargeting:PutEventStream

Create or update an event stream for a project.

Export Jobs

The following permissions are related to managing export jobs in your Amazon Pinpoint account. In Amazon Pinpoint, you create export jobs to send information about endpoints to an Amazon S3 bucket for storage or analysis.

mobiletargeting:CreateExportJob

Create an export job for exporting endpoint definitions to Amazon S3.

  • URI – /apps/project-id/jobs/export

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:account-id:apps/project-id/jobs/export

mobiletargeting:GetExportJob

Obtain information about a specific export job.

mobiletargeting:GetExportJobs

Retrieve a list of all of the export jobs for a project.

  • URI – /apps/project-id/jobs/export

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:account-id:apps/project-id/jobs/export

Import Jobs

The following permissions are related to managing import jobs in your Amazon Pinpoint account. In Amazon Pinpoint, you create import jobs to create segments based on endpoint definitions stored in an Amazon S3 bucket.

mobiletargeting:CreateImportJob

Import endpoint definitions from Amazon S3 to create a segment.

mobiletargeting:GetImportJob

Retrieve information about a specific import job.

mobiletargeting:GetImportJobs

Retrieve information about all import jobs for a project.

Messages

The following permissions are related to sending SMS messages and push notifications from your Amazon Pinpoint account. You can use the SendMessages and SendUsersMessages operations to send messages to specific endpoints without creating segments and campaigns first.

mobiletargeting:SendMessages

Send an SMS message or push notification to specific endpoints.

  • URI – /apps/project-id/messages

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:account-id:apps/project-id/messages

mobiletargeting:SendUsersMessages

Send an SMS message or push notification to all endpoints that are associated with a specific user ID.

Phone Number Validate

The following permissions are related to using the Phone Number Validate feature in Amazon Pinpoint.

mobiletargeting:PhoneNumberValidate

Obtain information about a phone number.

  • URI – /phone/number/validate

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:account-id:phone/number/validate

Projects

The following permissions are related to managing projects in your Amazon Pinpoint account. Originally, projects were referred to as applications. For the purposes of these operations, an Amazon Pinpoint application is the same as an Amazon Pinpoint project.

mobiletargeting:CreateApp

Create a project.

  • URI – /apps

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:account-id:apps

mobiletargeting:DeleteApp

Delete a project.

  • URI – /apps/project-id

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:account-id:apps/project-id

mobiletargeting:GetApp

Retrieve information about a specific project in your Amazon Pinpoint account.

  • URI – /apps/project-id

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:account-id:apps/project-id

mobiletargeting:GetApps

Retrieve a list of projects in your Amazon Pinpoint account.

  • URI – /apps

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:account-id:apps

mobiletargeting:GetApplicationSettings

Retrieve the default settings for an Amazon Pinpoint project.

  • URI – /apps/project-id/settings

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:account-id:apps/project-id

mobiletargeting:UpdateApplicationSettings

Update the default settings for an Amazon Pinpoint project.

  • URI – /apps/project-id/settings

  • Method – PUT

  • Resource ARN – arn:aws:mobiletargeting:region:account-id:apps/project-id

Reports

The following permission is related to retrieving reports and metrics related to your Amazon Pinpoint account.

mobiletargeting:GetReports

View analytics in the Amazon Pinpoint console.

  • URI – Not applicable

  • Method – Not applicable

  • Resource ARN – arn:aws:mobiletargeting:region:account-id:reports

Segments

The following permissions are related to managing segments in your Amazon Pinpoint account. In Amazon Pinpoint, segments are groups of recipients for your campaigns that share certain attributes that you define.

mobiletargeting:CreateSegment

Create a segment. To allow a user to create a segment by importing endpoint data from outside of Amazon Pinpoint, allow the mobiletargeting:CreateImportJob action.

  • URI – /apps/project-id/segments

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:account-id:apps/project-id

mobiletargeting:DeleteSegment

Delete a segment.

mobiletargeting:GetSegment

Retrieve information about a specific segment.

mobiletargeting:GetSegmentExportJobs

Retrieve information about the export jobs for a segment.

mobiletargeting:GetSegments

Retrieve information about the segments for a project.

  • URI – /apps/project-id/segments

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:account-id:apps/project-id

mobiletargeting:GetSegmentImportJobs

Retrieve information about jobs that create segments by importing endpoint definitions from Amazon S3.

mobiletargeting:GetSegmentVersion

Retrieve information about a specific segment version.

mobiletargeting:GetSegmentVersions

Retrieve information about the current and prior versions of a segment.

mobiletargeting:UpdateSegment

Update a specific segment.

Users

The following permissions are related to managing users in your Amazon Pinpoint account. In Amazon Pinpoint, users correspond to individuals who receive messages from you. A single user might be associated with more than one endpoint.

mobiletargeting:DeleteUser

Delete all of the endpoints that are associated with a user ID.

mobiletargeting:GetUser

Retrieve information about the endpoints that are associated with a user ID.

Amazon Pinpoint SMS and Voice API Actions

This section contains API actions that you can add to the IAM policies in your AWS account. By attaching these policies to an IAM user, you can specify which features of the Amazon Pinpoint SMS and Voice API that user is allowed to use.

To learn more about the Amazon Pinpoint SMS and Voice API, see the Amazon Pinpoint SMS and Voice API Reference.

sms-voice:CreateConfigurationSet

Create a configuration set for sending voice messages.

  • URI – /sms-voice/configuration-sets

  • Method – POST

  • Resource ARN – not available; use *

sms-voice:DeleteConfigurationSet

Delete a voice message configuration set.

  • URI – /sms-voice/configuration-sets/ConfigurationSetName

  • Method – DELETE

  • Resource ARN – not available; use *

sms-voice:GetConfigurationSetEventDestinations

Get information about a configuration set and the event destinations that it contains.

  • URI – /sms-voice/configuration-sets/ConfigurationSetName/event-destinations

  • Method – GET

  • Resource ARN – not available; use *

sms-voice:CreateConfigurationSetEventDestination

Create an event destination for voice events.

  • URI – /sms-voice/configuration-sets/ConfigurationSetName/event-destinations

  • Method – POST

  • Resource ARN – not available; use *

sms-voice:UpdateConfigurationSetEventDestination

Update an event destination for voice events.

  • URI – /sms-voice/configuration-sets/ConfigurationSetName/event-destinations/EventDestinationName

  • Method – PUT

  • Resource ARN – not available; use *

sms-voice:DeleteConfigurationSetEventDestination

Delete an event destination for voice events.

  • URI – /sms-voice/configuration-sets/ConfigurationSetName/event-destinations/EventDestinationName

  • Method – DELETE

  • Resource ARN – not available; use *

sms-voice:SendVoiceMessage

Create and send voice messages.

  • URI – /sms-voice/voice/message

  • Method – POST

  • Resource ARN – not available; use *