Actions, resources, and condition keys for Amazon Connect - Service Authorization Reference

Actions, resources, and condition keys for Amazon Connect

Amazon Connect (service prefix: connect) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon Connect

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AssociateApprovedOrigin Grants permissions to associate approved origin for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. Write

instance*

connect:InstanceId

AssociateBot Grants permissions to associate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. Write

instance*

iam:AttachRolePolicy

iam:CreateServiceLinkedRole

iam:PutRolePolicy

lex:CreateResourcePolicy

lex:DescribeBotAlias

lex:GetBot

lex:UpdateResourcePolicy

connect:InstanceId

AssociateCustomerProfilesDomain Grants permissions to associate a Customer Profiles domain for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. Write

instance*

iam:AttachRolePolicy

iam:CreateServiceLinkedRole

iam:PutRolePolicy

profile:GetDomain

AssociateInstanceStorageConfig Grants permissions to associate instance storage for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. Write

instance*

ds:DescribeDirectories

firehose:DescribeDeliveryStream

iam:AttachRolePolicy

iam:CreateServiceLinkedRole

iam:PutRolePolicy

kinesis:DescribeStream

kms:CreateGrant

kms:DescribeKey

s3:GetBucketAcl

s3:GetBucketLocation

connect:StorageResourceType

connect:InstanceId

AssociateLambdaFunction Grants permissions to associate a Lambda function for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. Write

instance*

lambda:AddPermission

connect:InstanceId

AssociateLexBot Grants permissions to associate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. Write

instance*

iam:AttachRolePolicy

iam:CreateServiceLinkedRole

iam:PutRolePolicy

lex:GetBot

connect:InstanceId

AssociateQueueQuickConnects Grants permissions to associate quick connects with a queue in an Amazon Connect instance Write

queue*

quick-connect*

aws:ResourceTag/${TagKey}

connect:InstanceId

AssociateRoutingProfileQueues Grants permissions to associate queues with a routing profile in an Amazon Connect instance Write

queue*

routing-profile*

aws:ResourceTag/${TagKey}

connect:InstanceId

AssociateSecurityKey Grants permissions to associate a security key for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. Write

instance*

connect:InstanceId

CreateAgentStatus Grants permission to create agent status in an Amazon Connect instance Write

agent-status*

aws:RequestTag/${TagKey}

aws:TagKeys

connect:InstanceId

CreateContactFlow Grants permissions to create a contact flow in an Amazon Connect instance Write

contact-flow*

aws:RequestTag/${TagKey}

aws:TagKeys

connect:InstanceId

CreateHoursOfOperation Grants permission to create hours of operation in an Amazon Connect instance Write

hours-of-operation*

aws:RequestTag/${TagKey}

aws:TagKeys

connect:InstanceId

CreateInstance Grants permissions to create a new Amazon Connect instance. The associated required actions grant permissions to configure instance settings. Write

ds:AuthorizeApplication

ds:CheckAlias

ds:CreateAlias

ds:CreateDirectory

ds:CreateIdentityPoolDirectory

ds:DeleteDirectory

ds:DescribeDirectories

ds:UnauthorizeApplication

iam:AttachRolePolicy

iam:CreateServiceLinkedRole

iam:PutRolePolicy

CreateIntegrationAssociation Grants permissions to create an AppIntegration association with an Amazon Connect instance Write

instance*

app-integrations:CreateEventIntegrationAssociation

connect:DescribeInstance

ds:DescribeDirectories

events:PutRule

events:PutTargets

integration-association*

connect:InstanceId

aws:RequestTag/${TagKey}

aws:TagKeys

CreateQueue Grants permissions to create a queue in an Amazon Connect instance Write

hours-of-operation*

queue*

contact-flow

phone-number

quick-connect

aws:RequestTag/${TagKey}

aws:TagKeys

connect:InstanceId

CreateQuickConnect Grants permission to create a quick connect in an Amazon Connect instance Write

quick-connect*

contact-flow

queue

user

aws:RequestTag/${TagKey}

aws:TagKeys

connect:InstanceId

CreateRoutingProfile Grants permission to create a routing profile in an Amazon Connect instance Write

queue*

routing-profile*

aws:RequestTag/${TagKey}

aws:TagKeys

connect:InstanceId

CreateUseCase Grants permissions to create a use case for an AppIntegration association Write

instance*

connect:DescribeInstance

ds:DescribeDirectories

integration-association*

use-case*

connect:InstanceId

aws:RequestTag/${TagKey}

aws:TagKeys

CreateUser Grants permission to create a user for the specified Amazon Connect instance Write

routing-profile*

security-profile*

user*

hierarchy-group

aws:RequestTag/${TagKey}

aws:TagKeys

connect:InstanceId

CreateUserHierarchyGroup Grants permissions to create a user hierarchy group in an Amazon Connect instance Write

hierarchy-group

connect:InstanceId

DeleteHoursOfOperation Grants permission to delete hours of operation in an Amazon Connect instance Write

hours-of-operation*

aws:ResourceTag/${TagKey}

connect:InstanceId

DeleteInstance Grants permissions to delete an Amazon Connect instance. When you remove an instance, the link to an existing AWS directory is also removed. Write

instance*

ds:DeleteDirectory

ds:DescribeDirectories

ds:UnauthorizeApplication

connect:InstanceId

DeleteIntegrationAssociation Grants permissions to delete an AppIntegration association from an Amazon Connect instance. The association must not have any use cases associated with it. Write

instance*

app-integrations:DeleteEventIntegrationAssociation

connect:DescribeInstance

ds:DescribeDirectories

events:DeleteRule

events:ListTargetsByRule

events:RemoveTargets

integration-association*

connect:InstanceId

DeleteQuickConnect Grants permissions to delete a quick connect in an Amazon Connect instance Write

quick-connect*

aws:ResourceTag/${TagKey}

connect:InstanceId

DeleteUseCase Grants permissions to delete a use case from an AppIntegration association Write

instance*

connect:DescribeInstance

ds:DescribeDirectories

use-case*

connect:InstanceId

DeleteUser Grants permissions to delete a user in an Amazon Connect instance Write

user*

aws:ResourceTag/${TagKey}

connect:InstanceId

DeleteUserHierarchyGroup Grants permissions to delete a user hierarchy group in an Amazon Connect instance Write

hierarchy-group*

connect:InstanceId

DescribeAgentStatus Grants permission to describe agent status in an Amazon Connect instance Read

agent-status*

aws:ResourceTag/${TagKey}

connect:InstanceId

DescribeContactFlow Grants permissions to describe a contact flow in an Amazon Connect instance Read

contact-flow*

aws:ResourceTag/${TagKey}

connect:InstanceId

DescribeHoursOfOperation Grants permissions to describe hours of operation in an Amazon Connect instance Read

hours-of-operation*

aws:ResourceTag/${TagKey}

connect:InstanceId

DescribeInstance Grants permissions to view details of an Amazon Connect instance. This is required to create an instance. Read

instance*

ds:DescribeDirectories

connect:InstanceId

DescribeInstanceAttribute Grants permissions to view the attribute details of an existing Amazon Connect instance Read

instance*

connect:AttributeType

connect:InstanceId

DescribeInstanceStorageConfig Grants permissions to view the instance storage configuration for an existing Amazon Connect instance Read

instance*

connect:StorageResourceType

connect:InstanceId

DescribeQueue Grants permissions to describe a queue in an Amazon Connect instance Read

queue*

aws:ResourceTag/${TagKey}

connect:InstanceId

DescribeQuickConnect Grants permissions to describe a quick connect in an Amazon Connect instance Read

quick-connect*

aws:ResourceTag/${TagKey}

connect:InstanceId

DescribeRoutingProfile Grants permissions to describe a routing profile in an Amazon Connect instance Read

routing-profile*

aws:ResourceTag/${TagKey}

connect:InstanceId

DescribeUser Grants permissions to describe a user in an Amazon Connect instance Read

user*

aws:ResourceTag/${TagKey}

connect:InstanceId

DescribeUserHierarchyGroup Grants permissions to describe a hierarchy group for an Amazon Connect instance Read

hierarchy-group*

connect:InstanceId

DescribeUserHierarchyStructure Grants permissions to describe the hierarchy structure for an Amazon Connect instance Read

instance*

connect:InstanceId

DisassociateApprovedOrigin Grants permissions to disassociate approved origin for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. Write

instance*

connect:InstanceId

DisassociateBot Grants permissions to disassociate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. Write

instance*

iam:AttachRolePolicy

iam:CreateServiceLinkedRole

iam:PutRolePolicy

lex:DeleteResourcePolicy

lex:UpdateResourcePolicy

connect:InstanceId

DisassociateCustomerProfilesDomain Grants permissions to disassociate a Customer Profiles domain for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. Write

instance*

iam:AttachRolePolicy

iam:DeleteRolePolicy

iam:DetachRolePolicy

iam:GetPolicy

iam:GetPolicyVersion

iam:GetRolePolicy

DisassociateInstanceStorageConfig Grants permissions to disassociate instance storage for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. Write

instance*

connect:StorageResourceType

connect:InstanceId

DisassociateLambdaFunction Grants permissions to disassociate a Lambda function for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. Write

instance*

lambda:RemovePermission

connect:InstanceId

DisassociateLexBot Grants permissions to disassociate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. Write

instance*

iam:AttachRolePolicy

iam:CreateServiceLinkedRole

iam:PutRolePolicy

connect:InstanceId

DisassociateQueueQuickConnects Grants permissions to disassociate quick connects from a queue in an Amazon Connect instance Write

queue*

quick-connect*

aws:ResourceTag/${TagKey}

connect:InstanceId

DisassociateRoutingProfileQueues Grants permissions to disassociate queues from a routing profile in an Amazon Connect instance Write

routing-profile*

aws:ResourceTag/${TagKey}

connect:InstanceId

DisassociateSecurityKey Grants permissions to disassociate the security key for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. Write

instance*

connect:InstanceId

GetContactAttributes Grants permissions to retrieve the contact attributes for the specified contact Read

contact*

connect:InstanceId

GetCurrentMetricData Grants permissions to retrieve current metric data for the queues in an Amazon Connect instance Read

queue*

connect:InstanceId

GetFederationToken Grants permissions to federate into an Amazon Connect instance when using SAML-based authentication for identity management Read

instance*

connect:InstanceId

GetFederationTokens Grants permissions to federate into an Amazon Connect instance (Log in for emergency access functionality in the Amazon Connect console) Write

instance*

connect:DescribeInstance

connect:ListInstances

ds:DescribeDirectories

GetMetricData Grants permissions to retrieve historical metric data for queues in an Amazon Connect instance Read

queue*

connect:InstanceId

ListAgentStatuses Grants permission to list agent statuses in an Amazon Connect instance List

instance*

ListApprovedOrigins Grants permissions to view approved origins of an existing Amazon Connect instance List

instance*

connect:InstanceId

ListBots Grants permissions to view the Lex bots of an existing Amazon Connect instance List

instance*

connect:InstanceId

ListContactFlows Grants permissions to list contact flow resources in an Amazon Connect instance List

instance*

ListHoursOfOperations Grants permissions to list hours of operation resources in an Amazon Connect instance List

instance*

connect:InstanceId

ListInstanceAttributes Grants permissions to view the attributes of an existing Amazon Connect instance List

instance*

connect:InstanceId

ListInstanceStorageConfigs Grants permissions to view storage configurations of an existing Amazon Connect instance List

instance*

connect:InstanceId

ListInstances Grants permissions to view the Amazon Connect instances associated with an AWS account List

ds:DescribeDirectories

ListIntegrationAssociations Grants permissions to list summary information about the AppIntegration associations for the specified Amazon Connect instance List

instance*

connect:DescribeInstance

ds:DescribeDirectories

connect:InstanceId

ListLambdaFunctions Grants permissions to view the Lambda functions of an existing Amazon Connect instance List

instance*

connect:InstanceId

ListLexBots Grants permissions to view the Lex bots of an existing Amazon Connect instance List

instance*

connect:InstanceId

ListPhoneNumbers Grants permissions to list phone number resources in an Amazon Connect instance List

instance*

ListPrompts Grants permissions to list prompt resources in an Amazon Connect instance List

instance*

connect:InstanceId

ListQueueQuickConnects Grants permissions to list quick connect resources in a queue in an Amazon Connect instance List

queue*

aws:ResourceTag/${TagKey}

connect:InstanceId

ListQueues Grants permissions to list queue resources in an Amazon Connect instance List

instance*

ListQuickConnects Grants permissions to list quick connect resources in an Amazon Connect instance List

instance*

ListRealtimeContactAnalysisSegments Grants permission to list the analysis segments for a real-time analysis session Read

contact*

ListRoutingProfileQueues Grants permissions to list queue resources in a routing profile in an Amazon Connect instance List

routing-profile*

aws:ResourceTag/${TagKey}

connect:InstanceId

ListRoutingProfiles Grants permissions to list routing profile resources in an Amazon Connect instance List

instance*

connect:InstanceId

ListSecurityKeys Grants permissions to view the security keys of an existing Amazon Connect instance List

instance*

connect:InstanceId

ListSecurityProfiles Grants permissions to list security profile resources in an Amazon Connect instance List

instance*

connect:InstanceId

ListTagsForResource Grants permissions to list tags for an Amazon Connect resource Read

contact-flow

integration-association

queue

quick-connect

routing-profile

use-case

user

aws:ResourceTag/${TagKey}

ListUseCases Grants permissions to list the use cases of an AppIntegration association List

instance*

connect:DescribeInstance

ds:DescribeDirectories

connect:InstanceId

ListUserHierarchyGroups Grants permissions to list the hierarchy group resources in an Amazon Connect instance List

instance*

connect:InstanceId

ListUsers Grants permissions to list user resources in an Amazon Connect instance List

instance*

connect:InstanceId

ResumeContactRecording Grants permissions to resume recording for the specified contact Write

contact*

StartChatContact Grants permissions to initiate a chat using the Amazon Connect API Write

contact-flow*

StartContactRecording Grants permissions to start recording for the specified contact Write

contact*

StartOutboundVoiceContact Grants permissions to initiate outbound calls using the Amazon Connect API Write

contact*

StartTaskContact Grants permissions to initiate a task using the Amazon Connect API Write

contact-flow*

connect:InstanceId

StopContact Grants permissions to stop contacts that were initiated using the Amazon Connect API. If you use this operation on an active contact the contact ends, even if the agent is active on a call with a customer. Write

contact*

connect:InstanceId

StopContactRecording Grants permissions to stop recording for the specified contact Write

contact*

SuspendContactRecording Grants permissions to suspend recording for the specified contact Write

contact*

TagResource Grants permissions to tag an Amazon Connect resource Tagging

contact-flow

integration-association

queue

quick-connect

routing-profile

use-case

user

aws:TagKeys

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

UntagResource Grants permissions to untag an Amazon Connect resource Tagging

contact-flow

integration-association

queue

quick-connect

routing-profile

use-case

user

aws:TagKeys

aws:ResourceTag/${TagKey}

UpdateAgentStatus Grants permission to update agent status in an Amazon Connect instance Write

agent-status*

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateContactAttributes Grants permissions to create or update the contact attributes associated with the specified contact Write

contact*

connect:InstanceId

UpdateContactFlowContent Grants permissions to update contact flow content in an Amazon Connect instance Write

contact-flow*

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateContactFlowName Grants permissions to update the name and description of a contact flow in an Amazon Connect instance Write

contact-flow*

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateHoursOfOperation Grants permission to update hours of operation in an Amazon Connect instance Write

hours-of-operation*

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateInstanceAttribute Grants permissions to update the attribute for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. Write

instance*

ds:DescribeDirectories

iam:AttachRolePolicy

iam:CreateServiceLinkedRole

iam:PutRolePolicy

logs:CreateLogGroup

connect:AttributeType

connect:InstanceId

UpdateInstanceStorageConfig Grants permissions to update the storage configuration for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. Write

instance*

ds:DescribeDirectories

firehose:DescribeDeliveryStream

iam:AttachRolePolicy

iam:CreateServiceLinkedRole

iam:PutRolePolicy

kinesis:DescribeStream

kms:CreateGrant

kms:DescribeKey

s3:GetBucketAcl

s3:GetBucketLocation

connect:StorageResourceType

connect:InstanceId

UpdateQueueHoursOfOperation Grants permissions to update queue hours of operation in an Amazon Connect instance Write

hours-of-operation*

queue*

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateQueueMaxContacts Grants permissions to update queue capacity in an Amazon Connect instance Write

queue*

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateQueueName Grants permissions to update a queue name and description in an Amazon Connect instance Write

queue*

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateQueueOutboundCallerConfig Grants permissions to update queue outbound caller config in an Amazon Connect instance Write

queue*

contact-flow

phone-number

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateQueueStatus Grants permissions to update queue status in an Amazon Connect instance Write

queue*

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateQuickConnectConfig Grants permissions to update the configuration of a quick connect in an Amazon Connect instance Write

quick-connect*

contact-flow

queue

user

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateQuickConnectName Grants permissions to update a quick connect name and description in an Amazon Connect instance Write

quick-connect*

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateRoutingProfileConcurrency Grants permissions to update the concurrency in a routing profile in an Amazon Connect instance Write

routing-profile*

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateRoutingProfileDefaultOutboundQueue Grants permissions to update the outbound queue in a routing profile in an Amazon Connect instance Write

queue*

routing-profile*

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateRoutingProfileName Grants permissions to update a routing profile name and description in an Amazon Connect instance Write

routing-profile*

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateRoutingProfileQueues Grants permissions to update the queues in routing profile in an Amazon Connect instance Write

routing-profile*

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateUserHierarchy Grants permissions to update a hierarchy group for a user in an Amazon Connect instance Write

user*

hierarchy-group

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateUserHierarchyGroupName Grants permissions to update a user hierarchy group name in an Amazon Connect instance Write

hierarchy-group*

connect:InstanceId

UpdateUserHierarchyStructure Grants permissions to update user hierarchy structure in an Amazon Connect instance Write

instance*

connect:InstanceId

UpdateUserIdentityInfo Grants permissions to update identity information for a user in an Amazon Connect instance Write

user*

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateUserPhoneConfig Grants permissions to update phone configuration settings for a user in an Amazon Connect instance Write

user*

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateUserRoutingProfile Grants permissions to update a routing profile for a user in an Amazon Connect instance Write

routing-profile*

user*

aws:ResourceTag/${TagKey}

connect:InstanceId

UpdateUserSecurityProfiles Grants permissions to update security profiles for a user in an Amazon Connect instance Write

security-profile*

user*

aws:ResourceTag/${TagKey}

connect:InstanceId

Resource types defined by Amazon Connect

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

Resource types ARN Condition keys
instance arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}
contact arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact/${ContactId}
user arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent/${UserId}

aws:ResourceTag/${TagKey}

routing-profile arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/routing-profile/${RoutingProfileId}

aws:ResourceTag/${TagKey}

security-profile arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/security-profile/${SecurityProfileId}
hierarchy-group arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-group/${HierarchyGroupId}
queue arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/${QueueId}

aws:ResourceTag/${TagKey}

quick-connect arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/${QuickConnectId}

aws:ResourceTag/${TagKey}

contact-flow arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/${ContactFlowId}

aws:ResourceTag/${TagKey}

hours-of-operation arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/operating-hours/${HoursOfOperationId}

aws:ResourceTag/${TagKey}

agent-status arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-status/${AgentStatusId}

aws:ResourceTag/${TagKey}

phone-number arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-numbers/${PhoneNumberId}
integration-association arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/integration-association/${IntegrationAssociationId}

aws:ResourceTag/${TagKey}

use-case arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/use-case/${UseCaseId}

aws:ResourceTag/${TagKey}

Condition keys for Amazon Connect

Amazon Connect defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters actions based on the presence of tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters actions based on tag key-value pairs attached to the resource String
aws:TagKeys Filters actions based on the presence of tag keys in the request String
connect:AttributeType Filters access by the attribute type of the Amazon Connect instance String
connect:InstanceId Filters access by restricting federation into specified Amazon Connect instances String
connect:StorageResourceType Filters access by restricting the storage resource type of the Amazon Connect instance storage configuration String