Actions, resources, and condition keys for Alexa for Business
Alexa for Business (service prefix: a4b) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Alexa for Business
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Access level column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see Access levels in policy summaries.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| ApproveSkill | Grants permission to associate a skill with the organization under the customer's AWS account | Write | |||
| AssociateContactWithAddressBook | Grants permission to associate a contact with a given address book | Write | |||
| AssociateDeviceWithNetworkProfile | Grants permission to associate a device with the specified network profile | Write | |||
| AssociateDeviceWithRoom | Grants permission to associate device with given room | Write | |||
| AssociateSkillGroupWithRoom | Grants permission to associate the skill group with given room | Write | |||
| AssociateSkillWithSkillGroup | Grants permission to associate a skill with a skill group | Write | |||
| AssociateSkillWithUsers | Grants permission to make a private skill available for enrolled users to enable on their devices | Write | |||
| CompleteRegistration [permission only] | Grants permission to complete the operation of registering an Alexa device | Write | |||
| CreateAddressBook | Grants permission to create an address book with the specified details | Write | |||
| CreateBusinessReportSchedule | Grants permission to create a recurring schedule for usage reports to deliver to the specified S3 location with a specified daily or weekly interval | Write | |||
| CreateConferenceProvider | Grants permission to add a new conference provider under the user's AWS account | Write | |||
| CreateContact | Grants permission to create a contact with the specified details | Write | |||
| CreateGatewayGroup | Grants permission to create a gateway group with the specified details | Write | |||
| CreateNetworkProfile | Grants permission to create a network profile with the specified details | Write | |||
| CreateProfile | Grants permission to create a new profile | Write | |||
| CreateRoom | Grants permission to create room with the specified details | Write | |||
| CreateSkillGroup | Grants permission to create a skill group with given name and description | Write | |||
| CreateUser | Grants permission to create a user | Write | |||
| DeleteAddressBook | Grants permission to delete an address book by the address book ARN | Write | |||
| DeleteBusinessReportSchedule | Grants permission to delete the recurring report delivery schedule with the specified schedule ARN | Write | |||
| DeleteConferenceProvider | Grants permission to delete a conference provider | Write | |||
| DeleteContact | Grants permission to delete a contact by the contact ARN | Write | |||
| DeleteDevice | Grants permission to remove a device from Alexa For Business | Write | |||
| DeleteDeviceUsageData | Grants permission to delete the device's entire previous history of voice input data and associated response data | Write | |||
| DeleteGatewayGroup | Grants permission to delete a gateway group | Write | |||
| DeleteNetworkProfile | Grants permission to delete a network profile by the network profile ARN | Write | |||
| DeleteProfile | Grants permission to delete profile by profile ARN | Write | |||
| DeleteRoom | Grants permission to delete room | Write | |||
| DeleteRoomSkillParameter | Grants permission to delete a parameter from a skill and room | Write | |||
| DeleteSkillAuthorization | Grants permission to unlink a third-party account from a skill | Write | |||
| DeleteSkillGroup | Grants permission to delete skill group with skill group ARN | Write | |||
| DeleteUser | Grants permission to delete a user | Write | |||
| DisassociateContactFromAddressBook | Grants permission to disassociate a contact from a given address book | Write | |||
| DisassociateDeviceFromRoom | Grants permission to disassociate device from its current room | Write | |||
| DisassociateSkillFromSkillGroup | Grants permission to disassociate a skill from a skill group | Write | |||
| DisassociateSkillFromUsers | Grants permission to make a private skill unavailable for enrolled users and prevent them from enabling it on their devices | Write | |||
| DisassociateSkillGroupFromRoom | Grants permission to disassociate the skill group from given room | Write | |||
| ForgetSmartHomeAppliances | Grants permission to forget smart home appliances associated to a room | Write | |||
| GetAddressBook | Grants permission to get the address book details by the address book ARN | Read | |||
| GetConferencePreference | Grants permission to retrieve the existing conference preferences | Read | |||
| GetConferenceProvider | Grants permission to get details about a specific conference provider | Read | |||
| GetContact | Grants permission to get the contact details by the contact ARN | Read | |||
| GetDevice | Grants permission to get device details | Read | |||
| GetGateway | Grants permission to retrieve the details of a gateway | Read | |||
| GetGatewayGroup | Grants permission to retrieve the details of a gateway group | Read | |||
| GetInvitationConfiguration | Grants permission to retrieve the configured values for the user enrollment invitation email template | Read | |||
| GetNetworkProfile | Grants permission to get the network profile details by the network profile ARN | Read | |||
| GetProfile | Grants permission to get profile when provided with Profile ARN | Read | |||
| GetRoom | Grants permission to get room details | Read | |||
| GetRoomSkillParameter | Grants permission to get an existing parameter that has been set for a skill and room | Read | |||
| GetSkillGroup | Grants permission to get skill group details with skill group ARN | Read | |||
| ListBusinessReportSchedules | Grants permission to list the details of the schedules that a user configured | List | |||
| ListConferenceProviders | Grants permission to list conference providers under a specific AWS account | List | |||
| ListDeviceEvents | Grants permission to list the device event history, including device connection status, for up to 30 days | List | |||
| ListGatewayGroups | Grants permission to list gateway group summaries | List | |||
| ListGateways | Grants permission to list gateway summaries | List | |||
| ListSkills | Grants permission to list skills | List | |||
| ListSkillsStoreCategories | Grants permission to list all categories in the Alexa skill store | List | |||
| ListSkillsStoreSkillsByCategory | Grants permission to list all skills in the Alexa skill store by category | List | |||
| ListSmartHomeAppliances | Grants permission to list all of the smart home appliances associated with a room | List | |||
| ListTags | Grants permission to list all tags on a resource | Read | |||
| PutConferencePreference | Grants permission to set the conference preferences on a specific conference provider at the account level | Write | |||
| PutDeviceSetupEvents [permission only] | Grants permission to publish Alexa device setup events | Write | |||
| PutInvitationConfiguration | Grants permission to configure the email template for the user enrollment invitation with the specified attributes | Write | |||
| PutRoomSkillParameter | Grants permission to put a room specific parameter for a skill | Write | |||
| PutSkillAuthorization | Grants permission to link a user's account to a third-party skill provider | Write | |||
| RegisterAVSDevice | Grants permission to register an Alexa-enabled device built by an Original Equipment Manufacturer (OEM) using Alexa Voice Service (AVS) | Write | |||
| RegisterDevice [permission only] | Grants permission to register an Alexa device | Write | |||
| RejectSkill | Grants permission to disassociate a skill from the organization under a user's AWS account | Write | |||
| ResolveRoom | Grants permission to resolve room information | Read | |||
| RevokeInvitation | Grants permission to revoke an invitation | Write | |||
| SearchAddressBooks | Grants permission to search address books and list the ones that meet a set of filter and sort criteria | List | |||
| SearchContacts | Grants permission to search contacts and list the ones that meet a set of filter and sort criteria | List | |||
| SearchDevices | Grants permission to search for devices | List | |||
| SearchNetworkProfiles | Grants permission to search network profiles and list the ones that meet a set of filter and sort criteria | List | |||
| SearchProfiles | Grants permission to search for profiles | List | |||
| SearchRooms | Grants permission to search for rooms | List | |||
| SearchSkillGroups | Grants permission to search for skill groups | List | |||
| SearchUsers | Grants permission to search for users | List | |||
| SendAnnouncement | Grants permission to trigger an asynchronous flow to send text, SSML, or audio announcements to rooms that are identified by a search or filter | Write | |||
| SendInvitation | Grants permission to send an invitation to a user | Write | |||
| StartDeviceSync | Grants permission to restore the device and its account to its known, default settings by clearing all information and settings set by its previous users | Write | |||
| StartSmartHomeApplianceDiscovery | Grants permission to initiate the discovery of any smart home appliances associated with the room | Read | |||
| TagResource | Grants permission to add metadata tags to a resource | Tagging | |||
| UntagResource | Grants permission to remove metadata tags from a resource | Tagging | |||
| UpdateAddressBook | Grants permission to update address book details by the address book ARN | Write | |||
| UpdateBusinessReportSchedule | Grants permission to update the configuration of the report delivery schedule with the specified schedule ARN | Write | |||
| UpdateConferenceProvider | Grants permission to update an existing conference provider's settings | Write | |||
| UpdateContact | Grants permission to update the contact details by the contact ARN | Write | |||
| UpdateDevice | Grants permission to update device name | Write | |||
| UpdateGateway | Grants permission to update the details of a gateway | Write | |||
| UpdateGatewayGroup | Grants permission to update the details of a gateway group | Write | |||
| UpdateNetworkProfile | Grants permission to update a network profile by the network profile ARN | Write | |||
| UpdateProfile | Grants permission to update an existing profile | Write | |||
| UpdateRoom | Grants permission to update room details | Write | |||
| UpdateSkillGroup | Grants permission to update skill group details with skill group ARN | Write |
Resource types defined by Alexa for Business
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| profile |
arn:${Partition}:a4b:${Region}:${Account}:profile/${ResourceId}
|
|
| room |
arn:${Partition}:a4b:${Region}:${Account}:room/${ResourceId}
|
|
| device |
arn:${Partition}:a4b:${Region}:${Account}:device/${ResourceId}
|
|
| skillgroup |
arn:${Partition}:a4b:${Region}:${Account}:skill-group/${ResourceId}
|
|
| user |
arn:${Partition}:a4b:${Region}:${Account}:user/${ResourceId}
|
|
| addressbook |
arn:${Partition}:a4b:${Region}:${Account}:address-book/${ResourceId}
|
|
| conferenceprovider |
arn:${Partition}:a4b:${Region}:${Account}:conference-provider/${ResourceId}
|
|
| contact |
arn:${Partition}:a4b:${Region}:${Account}:contact/${ResourceId}
|
|
| schedule |
arn:${Partition}:a4b:${Region}:${Account}:schedule/${ResourceId}
|
|
| networkprofile |
arn:${Partition}:a4b:${Region}:${Account}:network-profile/${ResourceId}
|
|
| gateway |
arn:${Partition}:a4b:${Region}:${Account}:gateway/${ResourceId}
|
|
| gatewaygroup |
arn:${Partition}:a4b:${Region}:${Account}:gateway-group/${ResourceId}
|
Condition keys for Alexa for Business
Alexa for Business defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see AWS global condition context keys.
| Condition keys | Description | Type |
|---|---|---|
| a4b:amazonId | Filters actions based on the Amazon Id in the request | String |
| a4b:filters_deviceType | Filters actions based on the device type in the request | ArrayOfString |
| aws:RequestTag/${TagKey} | Filters actions based on the allowed set of values for each of the tags | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag-value assoicated with the resource | String |
| aws:TagKeys | Filters actions based on the presence of mandatory tags in the request | ArrayOfString |
