Actions, resources, and condition keys for Alexa for Business - Service Authorization Reference

Actions, resources, and condition keys for Alexa for Business

Alexa for Business (service prefix: a4b) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Alexa for Business

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. Each resource type in the Resource types table has a Condition keys column, which lists the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| ApproveSkill | Grants permission to associate a skill with the organization under the customer's AWS account | Write | | | |
| AssociateContactWithAddressBook | Grants permission to associate a contact with a given address book | Write | addressbook*, contact* | | |
| AssociateDeviceWithNetworkProfile | Grants permission to associate a device with the specified network profile | Write | device*, networkprofile* | | |
| AssociateDeviceWithRoom | Grants permission to associate device with given room | Write | device*, room* | | |
| AssociateSkillGroupWithRoom | Grants permission to associate the skill group with given room | Write | room*, skillgroup* | | |
| AssociateSkillWithSkillGroup | Grants permission to associate a skill with a skill group | Write | skillgroup* | | |
| AssociateSkillWithUsers | Grants permission to make a private skill available for enrolled users to enable on their devices | Write | | | |
| CompleteRegistration [permission only] | Grants permission to complete the operation of registering an Alexa device | Write | | | |
| CreateAddressBook | Grants permission to create an address book with the specified details | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateBusinessReportSchedule | Grants permission to create a recurring schedule for usage reports to deliver to the specified S3 location with a specified daily or weekly interval | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateConferenceProvider | Grants permission to add a new conference provider under the user's AWS account | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateContact | Grants permission to create a contact with the specified details | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateGatewayGroup | Grants permission to create a gateway group with the specified details | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateNetworkProfile | Grants permission to create a network profile with the specified details | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateProfile | Grants permission to create a new profile | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateRoom | Grants permission to create room with the specified details | Write | profile* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateSkillGroup | Grants permission to create a skill group with given name and description | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateUser | Grants permission to create a user | Write | user* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeleteAddressBook | Grants permission to delete an address book by the address book ARN | Write | addressbook* | | |
| DeleteBusinessReportSchedule | Grants permission to delete the recurring report delivery schedule with the specified schedule ARN | Write | schedule* | | |
| DeleteConferenceProvider | Grants permission to delete a conference provider | Write | conferenceprovider* | | |
| DeleteContact | Grants permission to delete a contact by the contact ARN | Write | contact* | | |
| DeleteDevice | Grants permission to remove a device from Alexa For Business | Write | device* | | |
| DeleteDeviceUsageData | Grants permission to delete the device's entire previous history of voice input data and associated response data | Write | device* | | |
| DeleteGatewayGroup | Grants permission to delete a gateway group | Write | gatewaygroup* | | |
| DeleteNetworkProfile | Grants permission to delete a network profile by the network profile ARN | Write | networkprofile* | | |
| DeleteProfile | Grants permission to delete profile by profile ARN | Write | profile* | | |
| DeleteRoom | Grants permission to delete room | Write | room* | | |
| DeleteRoomSkillParameter | Grants permission to delete a parameter from a skill and room | Write | room* | | |
| DeleteSkillAuthorization | Grants permission to unlink a third-party account from a skill | Write | room* | | |
| DeleteSkillGroup | Grants permission to delete skill group with skill group ARN | Write | skillgroup* | | |
| DeleteUser | Grants permission to delete a user | Write | user* | | |
| DisassociateContactFromAddressBook | Grants permission to disassociate a contact from a given address book | Write | addressbook*, contact* | | |
| DisassociateDeviceFromRoom | Grants permission to disassociate device from its current room | Write | device* | | |
| DisassociateSkillFromSkillGroup | Grants permission to disassociate a skill from a skill group | Write | skillgroup* | | |
| DisassociateSkillFromUsers | Grants permission to make a private skill unavailable for enrolled users and prevent them from enabling it on their devices | Write | user* | | |
| DisassociateSkillGroupFromRoom | Grants permission to disassociate the skill group from given room | Write | room*, skillgroup* | | |
| ForgetSmartHomeAppliances | Grants permission to forget smart home appliances associated to a room | Write | room* | | |
| GetAddressBook | Grants permission to get the address book details by the address book ARN | Read | addressbook* | | |
| GetConferencePreference | Grants permission to retrieve the existing conference preferences | Read | | | |
| GetConferenceProvider | Grants permission to get details about a specific conference provider | Read | conferenceprovider* | | |
| GetContact | Grants permission to get the contact details by the contact ARN | Read | contact* | | |
| GetDevice | Grants permission to get device details | Read | device* | | |
| GetGateway | Grants permission to retrieve the details of a gateway | Read | gateway* | | |
| GetGatewayGroup | Grants permission to retrieve the details of a gateway group | Read | gatewaygroup* | | |
| GetInvitationConfiguration | Grants permission to retrieve the configured values for the user enrollment invitation email template | Read | | | |
| GetNetworkProfile | Grants permission to get the network profile details by the network profile ARN | Read | networkprofile* | | |
| GetProfile | Grants permission to get profile when provided with Profile ARN | Read | profile* | | |
| GetRoom | Grants permission to get room details | Read | room* | | |
| GetRoomSkillParameter | Grants permission to get an existing parameter that has been set for a skill and room | Read | room* | | |
| GetSkillGroup | Grants permission to get skill group details with skill group ARN | Read | skillgroup* | | |
| ListBusinessReportSchedules | Grants permission to list the details of the schedules that a user configured | List | | | |
| ListConferenceProviders | Grants permission to list conference providers under a specific AWS account | List | | | |
| ListDeviceEvents | Grants permission to list the device event history, including device connection status, for up to 30 days | List | device* | | |
| ListGatewayGroups | Grants permission to list gateway group summaries | List | | | |
| ListGateways | Grants permission to list gateway summaries | List | gatewaygroup* | | |
| ListSkills | Grants permission to list skills | List | | | |
| ListSkillsStoreCategories | Grants permission to list all categories in the Alexa skill store | List | | | |
| ListSkillsStoreSkillsByCategory | Grants permission to list all skills in the Alexa skill store by category | List | | | |
| ListSmartHomeAppliances | Grants permission to list all of the smart home appliances associated with a room | List | room* | | |
| ListTags | Grants permission to list all tags on a resource | Read | device, room, user | | |
| PutConferencePreference | Grants permission to set the conference preferences on a specific conference provider at the account level | Write | | | |
| PutDeviceSetupEvents [permission only] | Grants permission to publish Alexa device setup events | Write | | | |
| PutInvitationConfiguration | Grants permission to configure the email template for the user enrollment invitation with the specified attributes | Write | | | |
| PutRoomSkillParameter | Grants permission to put a room specific parameter for a skill | Write | room* | | |
| PutSkillAuthorization | Grants permission to link a user's account to a third-party skill provider | Write | room* | | |
| RegisterAVSDevice | Grants permission to register an Alexa-enabled device built by an Original Equipment Manufacturer (OEM) using Alexa Voice Service (AVS) | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| RegisterDevice [permission only] | Grants permission to register an Alexa device | Write | | | |
| RejectSkill | Grants permission to disassociate a skill from the organization under a user's AWS account | Write | | | |
| ResolveRoom | Grants permission to resolve room information | Read | | | |
| RevokeInvitation | Grants permission to revoke an invitation | Write | user* | | |
| SearchAddressBooks | Grants permission to search address books and list the ones that meet a set of filter and sort criteria | List | | | |
| SearchContacts | Grants permission to search contacts and list the ones that meet a set of filter and sort criteria | List | | | |
| SearchDevices | Grants permission to search for devices | List | | | |
| SearchNetworkProfiles | Grants permission to search network profiles and list the ones that meet a set of filter and sort criteria | List | | | |
| SearchProfiles | Grants permission to search for profiles | List | | | |
| SearchRooms | Grants permission to search for rooms | List | | | |
| SearchSkillGroups | Grants permission to search for skill groups | List | | | |
| SearchUsers | Grants permission to search for users | List | | | |
| SendAnnouncement | Grants permission to trigger an asynchronous flow to send text, SSML, or audio announcements to rooms that are identified by a search or filter | Write | | | |
| SendInvitation | Grants permission to send an invitation to a user | Write | user* | | |
| StartDeviceSync | Grants permission to restore the device and its account to its known, default settings by clearing all information and settings set by its previous users | Write | | | |
| StartSmartHomeApplianceDiscovery | Grants permission to initiate the discovery of any smart home appliances associated with the room | Read | room* | | |
| TagResource | Grants permission to add metadata tags to a resource | Tagging | device, room, user | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UntagResource | Grants permission to remove metadata tags from a resource | Tagging | device, room, user | | |
| UpdateAddressBook | Grants permission to update address book details by the address book ARN | Write | addressbook* | | |
| UpdateBusinessReportSchedule | Grants permission to update the configuration of the report delivery schedule with the specified schedule ARN | Write | schedule* | | |
| UpdateConferenceProvider | Grants permission to update an existing conference provider's settings | Write | conferenceprovider* | | |
| UpdateContact | Grants permission to update the contact details by the contact ARN | Write | contact* | | |
| UpdateDevice | Grants permission to update device name | Write | device* | | |
| UpdateGateway | Grants permission to update the details of a gateway | Write | gateway* | | |
| UpdateGatewayGroup | Grants permission to update the details of a gateway group | Write | gatewaygroup* | | |
| UpdateNetworkProfile | Grants permission to update a network profile by the network profile ARN | Write | networkprofile* | | |
| UpdateProfile | Grants permission to update an existing profile | Write | profile* | | |
| UpdateRoom | Grants permission to update room details | Write | room* | | |
| UpdateSkillGroup | Grants permission to update skill group details with skill group ARN | Write | skillgroup* | | |
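The Resource types rules stated above (a blank column means `"*"` is required, and every starred type needs its own ARN) are easy to get wrong in a least-privilege policy, where the result is a statement that silently grants nothing. The following check is an added example, not part of the AWS reference: `REQUIRED` is a hand-copied subset of the Actions table, the function names are hypothetical, and the sample policy, account ID and tag value are constructed.

```python
import re

# Subset of the Actions table: action -> required resource types (marked "*").
# An empty set means the Resource types column is blank for that action.
REQUIRED = {
    "AssociateDeviceWithRoom": {"device", "room"},
    "AssociateSkillGroupWithRoom": {"room", "skillgroup"},
    "CreateRoom": {"profile"},
    "SearchDevices": set(),
}
# ARN path segment -> resource type name, from the Resource types table.
SEGMENT = {"profile": "profile", "room": "room", "device": "device",
           "skill-group": "skillgroup"}
ARN_RE = re.compile(r"^arn:[^:]*:a4b:[^:]*:[^:]*:([a-z-]+)/.+$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_statement(stmt):
    """Findings for one Allow statement; only "*" and typed a4b ARNs are parsed."""
    resources = as_list(stmt.get("Resource", []))
    if "*" in resources:
        return []
    covered = {SEGMENT[m.group(1)] for m in map(ARN_RE.match, resources)
               if m and m.group(1) in SEGMENT}
    findings = []
    for action in as_list(stmt["Action"]):
        need = REQUIRED.get(action.split(":", 1)[-1])
        if need is None:
            findings.append(f"{action}: not in the table subset, check manually")
        elif not need:
            findings.append(f'{action}: no resource types, needs Resource "*"')
        elif need - covered:
            findings.append(f"{action}: missing required {sorted(need - covered)}")
    return findings

def lint_policy(policy):
    return [f for s in policy["Statement"] if s.get("Effect") == "Allow"
            for f in lint_statement(s)]

# Constructed sample policy (account ID and tag value are placeholders).
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["a4b:AssociateDeviceWithRoom", "a4b:SearchDevices"],
     "Resource": "arn:aws:a4b:us-east-1:111122223333:room/*"},
    {"Effect": "Allow", "Action": "a4b:CreateRoom",
     "Resource": "arn:aws:a4b:us-east-1:111122223333:profile/*",
     "Condition": {"StringEquals": {"aws:RequestTag/team": "facilities"}}},
]}
```

`lint_policy(POLICY)` reports the first statement twice (no `device` ARN for `AssociateDeviceWithRoom`, and `SearchDevices` scoped to an ARN it does not support) and passes the `CreateRoom` statement, which supplies the required `profile` resource.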

Resource types defined by Alexa for Business

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

| Resource types | ARN | Condition keys |
|---|---|---|
| profile | arn:${Partition}:a4b:${Region}:${Account}:profile/${ResourceId} | |
| room | arn:${Partition}:a4b:${Region}:${Account}:room/${ResourceId} | aws:ResourceTag/${TagKey} |
| device | arn:${Partition}:a4b:${Region}:${Account}:device/${ResourceId} | aws:ResourceTag/${TagKey} |
| skillgroup | arn:${Partition}:a4b:${Region}:${Account}:skill-group/${ResourceId} | |
| user | arn:${Partition}:a4b:${Region}:${Account}:user/${ResourceId} | aws:ResourceTag/${TagKey} |
| addressbook | arn:${Partition}:a4b:${Region}:${Account}:address-book/${ResourceId} | |
| conferenceprovider | arn:${Partition}:a4b:${Region}:${Account}:conference-provider/${ResourceId} | |
| contact | arn:${Partition}:a4b:${Region}:${Account}:contact/${ResourceId} | |
| schedule | arn:${Partition}:a4b:${Region}:${Account}:schedule/${ResourceId} | |
| networkprofile | arn:${Partition}:a4b:${Region}:${Account}:network-profile/${ResourceId} | |
| gateway | arn:${Partition}:a4b:${Region}:${Account}:gateway/${ResourceId} | |
| gatewaygroup | arn:${Partition}:a4b:${Region}:${Account}:gateway-group/${ResourceId} | |

Condition keys for Alexa for Business

Alexa for Business defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| a4b:amazonId | Filters actions based on the Amazon Id in the request | String |
| a4b:filters_deviceType | Filters actions based on the device type in the request | ArrayOfString |
| aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag-value associated with the resource | String |
| aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | ArrayOfString |