Amazon Pinpoint
Developer Guide

IAM Policies for Amazon Pinpoint Users

You can add Amazon Pinpoint API actions to AWS Identity and Access Management (IAM) policies to allow or deny specific actions for Amazon Pinpoint users in your account. The Amazon Pinpoint API actions in your policies control what users can do in the Amazon Pinpoint console. These actions also control which programmatic requests users can make with the AWS SDKs, the AWS Command Line Interface (AWS CLI), or the Amazon Pinpoint APIs.

In a policy, you specify each action with the mobiletargeting namespace followed by a colon and the name of the action, such as GetSegments. Most actions correspond to a request to the Amazon Pinpoint API using a specific URI and HTTP method. For example, if you allow the mobiletargeting:GetSegments action in a user's policy, the user is allowed to make an HTTP GET request against the /apps/projectId/segments URI. This policy also allows the user to view the segments for a project in the console, and to retrieve the segments by using an AWS SDK or the AWS CLI.

Each action is performed on a specific Amazon Pinpoint resource, which you identify in a policy statement by its Amazon Resource Name (ARN). For example, the mobiletargeting:GetSegments action is performed on a specific project, which you identify with the ARN, arn:aws:mobiletargeting:region:accountId:apps/projectId.

Note

As a best practice, you should create policies that follow the principle of least privilege. In other words, when you create IAM policies, they should include only the minimum permissions required to perform the task that you need to perform. For more information, see the IAM User Guide.

Example Policies

The following examples demonstrate how you can manage Amazon Pinpoint access with IAM policies.

Amazon Pinpoint API Actions

Amazon Pinpoint Administrator

The following policy allows full access to all Amazon Pinpoint actions and resources:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobiletargeting:*"
      ],
      "Resource": "arn:aws:mobiletargeting:*:accountId:*"
    }
  ]
}

In the preceding policy example, replace accountId with your AWS account ID.

Read-Only Access

The following policy allows read-only access to all the projects in your Amazon Pinpoint account in a specific AWS Region. This policy applies only to the Amazon Pinpoint API. For a policy that you can use to create read-only access for console users, see the next section.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "mobiletargeting:Get*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:mobiletargeting:region:accountId:*"
    }
  ]
}

In the preceding policy example, replace region with the name of an AWS Region, and replace accountId with your AWS account ID.

Console Read-Only Access

The following policy provides users with read-only access to the Amazon Pinpoint console in a specific AWS Region. It includes read-only access to other services that the Amazon Pinpoint console depends on, such as Amazon SES, IAM, and Kinesis.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mobiletargeting:Get*",
      "Resource": "arn:aws:mobiletargeting:region:accountId:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "firehose:ListDeliveryStreams",
        "iam:ListRoles",
        "kinesis:ListStreams",
        "s3:List*",
        "ses:Describe*",
        "ses:Get*",
        "ses:List*",
        "sns:ListTopics"
      ],
      "Resource": "*"
    }
  ]
}

In the preceding policy example, replace region with the name of an AWS Region, and replace accountId with your AWS account ID.

You can also create read-only policies that provide access to only specific projects. The following policy lets users sign in to the console and view a list of projects. However, it only lets users view additional information about the project that's specified in the policy. You can modify this policy to allow access to additional projects or Regions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "mobiletargeting:GetApps",
      "Resource": "arn:aws:mobiletargeting:region:accountId:*"
    },
    {
      "Effect": "Allow",
      "Action": "mobiletargeting:Get*",
      "Resource": [
        "arn:aws:mobiletargeting:region:accountId:apps/projectId",
        "arn:aws:mobiletargeting:region:accountId:apps/projectId/*",
        "arn:aws:mobiletargeting:region:accountId:reports"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:Get*",
        "kinesis:ListStreams",
        "firehose:ListDeliveryStreams",
        "iam:ListRoles",
        "ses:List*",
        "sns:ListTopics",
        "ses:Describe*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}

In the preceding policy example, replace region with the name of an AWS Region, replace accountId with your AWS account ID, and replace projectId with the ID of the Amazon Pinpoint project that you want to provide access to.
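
An added example, not part of the AWS guide: a simplified Python check of what the mobiletargeting statements of the project-scoped policy above permit, with constructed values (us-east-1, account 111122223333, project ID exampleproject1) standing in for the placeholders. It models only Effect, Action and Resource matching, and every function name in it is hypothetical.

```python
import re

def iam_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_matches(stmt, action, resource):
    # Action names match case-insensitively; ARNs are compared as written.
    return (any(iam_match(p, action, True) for p in _as_list(stmt["Action"]))
            and any(iam_match(p, resource) for p in _as_list(stmt["Resource"])))

def is_allowed(policy, action, resource):
    """Simplified evaluation of a single identity policy: an explicit Deny wins,
    then Allow, otherwise implicit deny. Condition, NotAction and NotResource
    are not modelled."""
    effects = [s["Effect"] for s in policy["Statement"]
               if statement_matches(s, action, resource)]
    return "Deny" not in effects and "Allow" in effects

def expand_actions(policy, known_actions):
    """Known action names covered by the Action patterns of any Allow statement."""
    patterns = [p for s in policy["Statement"] if s["Effect"] == "Allow"
                for p in _as_list(s["Action"])]
    return sorted(a for a in known_actions
                  if any(iam_match(p, a, True) for p in patterns))

# Constructed placeholder values standing in for region, accountId and projectId.
BASE = "arn:aws:mobiletargeting:us-east-1:111122223333:"
PROJECT = "exampleproject1"

# The two mobiletargeting statements of the project-scoped console policy above.
PROJECT_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "mobiletargeting:GetApps",
         "Resource": BASE + "*"},
        {"Effect": "Allow", "Action": "mobiletargeting:Get*",
         "Resource": [BASE + "apps/" + PROJECT,
                      BASE + "apps/" + PROJECT + "/*",
                      BASE + "reports"]},
    ],
}

# A subset of the action names listed in this page's reference sections.
PAGE_ACTIONS = ["mobiletargeting:" + name for name in (
    "GetApp", "GetApps", "GetSegments", "GetCampaigns", "GetReports",
    "GetUserEndpoints", "ListTemplates", "CreateCampaign", "UpdateEndpoint",
    "DeleteApp", "SendMessages", "PhoneNumberValidate")]

def audit(policy=PROJECT_READ_ONLY):
    """Answer the questions a reviewer would ask about the policy's reach."""
    app = BASE + "apps/" + PROJECT
    return {
        "own_project": is_allowed(policy, "mobiletargeting:GetSegments", app),
        # A sibling project whose ID merely starts with the same characters.
        "sibling_project": is_allowed(policy, "mobiletargeting:GetSegments", app + "0"),
        "list_projects": is_allowed(policy, "mobiletargeting:GetApps", BASE + "apps"),
        "list_templates": is_allowed(policy, "mobiletargeting:ListTemplates",
                                     BASE + "templates"),
        "send_messages": is_allowed(policy, "mobiletargeting:SendMessages",
                                    app + "/messages"),
        "covered_actions": expand_actions(policy, PAGE_ACTIONS),
    }

if __name__ == "__main__":
    for question, answer in audit().items():
        print(f"{question}: {answer}")
```

The result shows that Get* does not cover mobiletargeting:ListTemplates, and that listing apps/projectId and apps/projectId/* separately keeps a project whose ID shares the same prefix out of scope, which a single apps/projectId* pattern would not.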

Amazon Pinpoint SMS and Voice API Actions

Administrator Access

The following policy grants full access to the Amazon Pinpoint SMS and Voice API:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sms-voice:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Read-Only Access

The following policy allows read-only access to the Amazon Pinpoint SMS and Voice API:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sms-voice:Get*",
        "sms-voice:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Amazon Pinpoint Email API Actions

Administrator Access

The following policy grants full access to the Amazon Pinpoint Email API:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ses:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Note

This policy also grants full access to the Amazon Simple Email Service (Amazon SES) API.

Read-Only Access

The following policy allows read-only access to the Amazon Pinpoint Email API:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ses:Describe*",
        "ses:Get*",
        "ses:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Note

This policy also grants read-only access to the Amazon SES API.

Amazon Pinpoint API Actions

This section identifies API actions that you can add to the IAM policies in your AWS account. By adding policies to an IAM user account, you can specify which Amazon Pinpoint features that user is allowed to use.

To learn more about the Amazon Pinpoint API, see the Amazon Pinpoint API Reference.

Analytics and Metrics

The following permissions are related to viewing analytics data on the Amazon Pinpoint console and retrieving (querying) aggregated data for standard metrics, also referred to as key performance indicators (KPIs), that apply to projects and campaigns.

mobiletargeting:GetReports

View analytics data on the Amazon Pinpoint console.

  • URI – Not applicable

  • Method – Not applicable

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:reports

mobiletargeting:GetApplicationDateRangeKpi

Retrieve (query) aggregated data for a standard application metric, which is a metric that applies to all the campaigns for a project. An example of an application metric is the number of messages that were opened by recipients for each campaign that's associated with a project.

mobiletargeting:GetCampaignDateRangeKpi

Retrieve (query) aggregated data for a standard campaign metric, which is a metric that applies to an individual campaign. An example of a campaign metric is the number of endpoints that a campaign message was sent to.

Campaigns

The following permissions are related to managing campaigns in your Amazon Pinpoint account.

mobiletargeting:CreateCampaign

Create a campaign for a project.

  • URI – /apps/projectId/campaigns

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/campaigns

mobiletargeting:DeleteCampaign

Delete a specific campaign.

mobiletargeting:GetCampaign

Retrieve information about a specific campaign.

mobiletargeting:GetCampaignActivities

Retrieve information about the activities performed by a campaign.

mobiletargeting:GetCampaigns

Retrieve information about all campaigns for a project.

mobiletargeting:GetCampaignVersion

Retrieve information about a specific campaign version.

mobiletargeting:GetCampaignVersions

Retrieve information about the current and prior versions of a campaign.

mobiletargeting:UpdateCampaign

Update a specific campaign.

Channels

The following permissions are related to managing channels in your Amazon Pinpoint account. In Amazon Pinpoint, channels refer to the methods that you use to contact your customers, such as sending email, SMS messages, or push notifications.

mobiletargeting:DeleteAdmChannel

Disable the Amazon Device Messaging (ADM) channel for a project.

  • URI – /apps/projectId/channels/adm

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/channels/adm

mobiletargeting:GetAdmChannel

Retrieve information about the ADM channel for a project.

mobiletargeting:UpdateAdmChannel

Enable or update the ADM channel for a project.

mobiletargeting:DeleteApnsChannel

Disable the Apple Push Notification service (APNs) channel for a project.

mobiletargeting:GetApnsChannel

Retrieve information about the APNs channel for a project.

mobiletargeting:UpdateApnsChannel

Enable or update the APNs channel for a project.

mobiletargeting:DeleteApnsSandboxChannel

Disable the APNs sandbox channel for a project.

mobiletargeting:GetApnsSandboxChannel

Retrieve information about the APNs sandbox channel for a project.

mobiletargeting:UpdateApnsSandboxChannel

Enable or update the APNs sandbox channel for a project.

mobiletargeting:DeleteApnsVoipChannel

Disable the APNs VoIP channel for a project.

mobiletargeting:GetApnsVoipChannel

Retrieve information about the APNs VoIP channel for a project.

mobiletargeting:UpdateApnsVoipChannel

Enable or update the APNs VoIP channel for a project.

mobiletargeting:DeleteApnsVoipSandboxChannel

Disable the APNs VoIP sandbox channel for a project.

mobiletargeting:GetApnsVoipSandboxChannel

Retrieve information about the APNs VoIP sandbox channel for a project.

mobiletargeting:UpdateApnsVoipSandboxChannel

Enable or update the APNs VoIP sandbox channel for a project.

mobiletargeting:DeleteBaiduChannel

Disable the Baidu Cloud Push channel for a project.

mobiletargeting:GetBaiduChannel

Retrieve information about the Baidu Cloud Push channel for a project.

mobiletargeting:UpdateBaiduChannel

Enable or update the Baidu Cloud Push channel for a project.

mobiletargeting:DeleteEmailChannel

Disable the email channel for a project.

mobiletargeting:GetEmailChannel

Retrieve information about the email channel for a project.

mobiletargeting:UpdateEmailChannel

Enable or update the email channel for a project.

mobiletargeting:DeleteGcmChannel

Disable the Firebase Cloud Messaging (FCM) channel for a project. This channel allows Amazon Pinpoint to send push notifications to an Android app through the FCM service, which replaces the Google Cloud Messaging (GCM) service.

  • URI – /apps/projectId/channels/gcm

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/channels/gcm

mobiletargeting:GetGcmChannel

Retrieve information about the FCM channel for a project. This channel allows Amazon Pinpoint to send push notifications to an Android app through the FCM service, which replaces the Google Cloud Messaging (GCM) service.

mobiletargeting:UpdateGcmChannel

Enable or update the FCM channel for a project. This channel allows Amazon Pinpoint to send push notifications to an Android app through the FCM service, which replaces the Google Cloud Messaging (GCM) service.

mobiletargeting:DeleteSmsChannel

Disable the SMS channel for a project.

  • URI – /apps/projectId/channels/sms

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/channels/sms

mobiletargeting:GetSmsChannel

Retrieve information about the SMS channel for a project.

mobiletargeting:UpdateSmsChannel

Enable or update the SMS channel for a project.

Endpoints

The following permissions are related to managing endpoints in your Amazon Pinpoint account. In Amazon Pinpoint, an endpoint is a single destination for your messages. For example, an endpoint could be a customer's email address, telephone number, or mobile device token.

mobiletargeting:DeleteEndpoint

Delete an endpoint.

mobiletargeting:GetEndpoint

Retrieve information about a specific endpoint.

mobiletargeting:UpdateEndpoint

Create an endpoint or update the information for an endpoint.

mobiletargeting:UpdateEndpointsBatch

Create or update endpoints as a batch operation.

Event Streams

The following permissions are related to managing event streams for your Amazon Pinpoint account.

mobiletargeting:DeleteEventStream

Delete the event stream for a project.

  • URI – /apps/projectId/eventstream/

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/eventstream

mobiletargeting:GetEventStream

Retrieve information about the event stream for a project.

mobiletargeting:PutEventStream

Create or update an event stream for a project.

Export Jobs

The following permissions are related to managing export jobs in your Amazon Pinpoint account. In Amazon Pinpoint, you create export jobs to send information about endpoints to an Amazon S3 bucket for storage or analysis.

mobiletargeting:CreateExportJob

Create an export job for exporting endpoint definitions to Amazon S3.

  • URI – /apps/projectId/jobs/export

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/jobs/export

mobiletargeting:GetExportJob

Retrieve information about a specific export job for a project.

mobiletargeting:GetExportJobs

Retrieve a list of all the export jobs for a project.

  • URI – /apps/projectId/jobs/export

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/jobs/export

Import Jobs

The following permissions are related to managing import jobs in your Amazon Pinpoint account. In Amazon Pinpoint, you create import jobs to create segments based on endpoint definitions that are stored in an Amazon S3 bucket.

mobiletargeting:CreateImportJob

Import endpoint definitions from Amazon S3 to create a segment.

mobiletargeting:GetImportJob

Retrieve information about a specific import job for a project.

mobiletargeting:GetImportJobs

Retrieve information about all the import jobs for a project.

Message Templates

The following permissions are related to creating and managing message templates for your Amazon Pinpoint account. A message template is a set of content and settings that you optionally define, save, and reuse in email messages, push notifications, or SMS messages for your Amazon Pinpoint projects.

mobiletargeting:ListTemplates

Retrieve information about all the message templates that are associated with your Amazon Pinpoint account.

  • URI – /templates

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:templates

mobiletargeting:GetEmailTemplate

Retrieve information about a message template for messages that are sent through the email channel.

mobiletargeting:CreateEmailTemplate

Create a message template for messages that are sent through the email channel.

mobiletargeting:UpdateEmailTemplate

Update an existing message template for messages that are sent through the email channel.

mobiletargeting:DeleteEmailTemplate

Delete a message template for messages that were sent through the email channel.

mobiletargeting:GetPushTemplate

Retrieve information about a message template for messages that are sent through a push notification channel.

mobiletargeting:CreatePushTemplate

Create a message template for messages that are sent through a push notification channel.

mobiletargeting:UpdatePushTemplate

Update an existing message template for messages that are sent through a push notification channel.

mobiletargeting:DeletePushTemplate

Delete a message template for messages that were sent through a push notification channel.

mobiletargeting:GetSmsTemplate

Retrieve information about a message template for messages that are sent through the SMS channel.

mobiletargeting:CreateSmsTemplate

Create a message template for messages that are sent through the SMS channel.

  • URI – /templates/template-name/sms

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:templates/template-name/SMS

mobiletargeting:UpdateSmsTemplate

Update an existing message template for messages that are sent through the SMS channel.

mobiletargeting:DeleteSmsTemplate

Delete a message template for messages that were sent through the SMS channel.

  • URI – /templates/template-name/sms

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:templates/template-name/SMS

Messages

The following permissions are related to sending messages and push notifications from your Amazon Pinpoint account. You can use the SendMessages and SendUsersMessages operations to send messages to specific endpoints without creating segments and campaigns first.

mobiletargeting:SendMessages

Send a message or push notification to specific endpoints.

  • URI – /apps/projectId/messages

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/messages

mobiletargeting:SendUsersMessages

Send a message or push notification to all the endpoints that are associated with a specific user ID.

Phone Number Validation

The following permissions are related to using the phone number validation service in Amazon Pinpoint.

mobiletargeting:PhoneNumberValidate

Retrieve information about a phone number.

  • URI – /phone/number/validate

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:phone/number/validate

Projects

The following permissions are related to managing projects in your Amazon Pinpoint account. Originally, projects were referred to as applications. For the purposes of these operations, an Amazon Pinpoint application is the same as an Amazon Pinpoint project.

mobiletargeting:CreateApp

Create an Amazon Pinpoint project.

  • URI – /apps

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps

mobiletargeting:DeleteApp

Delete an Amazon Pinpoint project.

  • URI – /apps/projectId

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId

mobiletargeting:GetApp

Retrieve information about an Amazon Pinpoint project.

  • URI – /apps/projectId

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId

mobiletargeting:GetApps

Retrieve information about all the projects that are associated with your Amazon Pinpoint account.

  • URI – /apps

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps

mobiletargeting:GetApplicationSettings

Retrieve the default settings for an Amazon Pinpoint project.

  • URI – /apps/projectId/settings

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId

mobiletargeting:UpdateApplicationSettings

Update the default settings for an Amazon Pinpoint project.

  • URI – /apps/projectId/settings

  • Method – PUT

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId

Segments

The following permissions are related to managing segments in your Amazon Pinpoint account. In Amazon Pinpoint, segments are groups of recipients for your campaigns that share certain attributes that you define.

mobiletargeting:CreateSegment

Create a segment. To allow a user to create a segment by importing endpoint data from outside Amazon Pinpoint, allow the mobiletargeting:CreateImportJob action.

  • URI – /apps/projectId/segments

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId

mobiletargeting:DeleteSegment

Delete a segment.

mobiletargeting:GetSegment

Retrieve information about a specific segment.

mobiletargeting:GetSegmentExportJobs

Retrieve information about jobs that export endpoint definitions for a segment.

mobiletargeting:GetSegments

Retrieve information about all the segments for a project.

  • URI – /apps/projectId/segments

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId

mobiletargeting:GetSegmentImportJobs

Retrieve information about jobs that create segments by importing endpoint definitions from Amazon S3.

mobiletargeting:GetSegmentVersion

Retrieve information about a specific segment version.

mobiletargeting:GetSegmentVersions

Retrieve information about the current and prior versions of a segment.

mobiletargeting:UpdateSegment

Update a specific segment.

Tags

The following permissions are related to tagging resources in your Amazon Pinpoint account.

mobiletargeting:ListTagsForResource

Retrieve information about the tags that are associated with a project, campaign, message template, or segment.

  • URI – /tags/resource-arn

  • Method – GET

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:*

mobiletargeting:TagResource

Add one or more tags to a project, campaign, message template, or segment.

  • URI – /tags/resource-arn

  • Method – POST

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:*

mobiletargeting:UntagResource

Remove one or more tags from a project, campaign, message template, or segment.

  • URI – /tags/resource-arn

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:*

Users

The following permissions are related to managing users. In Amazon Pinpoint, users correspond to individuals who receive messages from you. A single user might be associated with more than one endpoint.

mobiletargeting:DeleteUserEndpoints

Delete all the endpoints that are associated with a user ID.

  • URI – /apps/projectId/users/userId

  • Method – DELETE

  • Resource ARN – arn:aws:mobiletargeting:region:accountId:apps/projectId/users/userId

mobiletargeting:GetUserEndpoints

Retrieve information about all the endpoints that are associated with a user ID.

Amazon Pinpoint SMS and Voice API Actions

This section identifies API actions that you can add to the IAM policies in your AWS account. By adding policies to an IAM user account, you can specify which features of the Amazon Pinpoint SMS and Voice API that user is allowed to use.

To learn more about the Amazon Pinpoint SMS and Voice API, see the Amazon Pinpoint SMS and Voice API Reference.

sms-voice:CreateConfigurationSet

Create a configuration set for sending voice messages.

  • URI – /sms-voice/configuration-sets

  • Method – POST

  • Resource ARN – Not available. Use *.

sms-voice:DeleteConfigurationSet

Delete a configuration set for sending voice messages.

  • URI – /sms-voice/configuration-sets/ConfigurationSetName

  • Method – DELETE

  • Resource ARN – Not available. Use *.

sms-voice:GetConfigurationSetEventDestinations

Retrieve information about a configuration set and the event destinations that it contains.

  • URI – /sms-voice/configuration-sets/ConfigurationSetName/event-destinations

  • Method – GET

  • Resource ARN – Not available. Use *.

sms-voice:CreateConfigurationSetEventDestination

Create an event destination for voice events.

  • URI – /sms-voice/configuration-sets/ConfigurationSetName/event-destinations

  • Method – POST

  • Resource ARN – Not available. Use *.

sms-voice:UpdateConfigurationSetEventDestination

Update an event destination for voice events.

  • URI – /sms-voice/configuration-sets/ConfigurationSetName/event-destinations/EventDestinationName

  • Method – PUT

  • Resource ARN – Not available. Use *.

sms-voice:DeleteConfigurationSetEventDestination

Delete an event destination for voice events.

  • URI – /sms-voice/configuration-sets/ConfigurationSetName/event-destinations/EventDestinationName

  • Method – DELETE

  • Resource ARN – Not available. Use *.

sms-voice:SendVoiceMessage

Create and send voice messages.

  • URI – /sms-voice/voice/message

  • Method – POST

  • Resource ARN – Not available. Use *.