Actions, resources, and condition keys for Amazon Connect - Service Authorization Reference

Amazon Connect (service prefix: connect) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon Connect

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
| --- | --- | --- | --- | --- | --- |
| AssociateApprovedOrigin | Grants permission to associate approved origin for an existing Amazon Connect instance | Write | instance* | connect:InstanceId | |
| AssociateBot | Grants permission to associate a Lex bot for an existing Amazon Connect instance | Write | instance* | connect:InstanceId | iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, lex:CreateResourcePolicy, lex:DescribeBotAlias, lex:GetBot, lex:UpdateResourcePolicy |
| AssociateCustomerProfilesDomain | Grants permission to associate a Customer Profiles domain for an existing Amazon Connect instance | Write | instance* | | iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, profile:GetDomain |
| AssociateDefaultVocabulary | Grants permission to associate a default vocabulary for an existing Amazon Connect instance | Write | instance* | connect:InstanceId | |
| AssociateInstanceStorageConfig | Grants permission to associate instance storage for an existing Amazon Connect instance | Write | instance* | connect:StorageResourceType, connect:InstanceId | ds:DescribeDirectories, firehose:DescribeDeliveryStream, iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, kinesis:DescribeStream, kms:CreateGrant, kms:DescribeKey, s3:GetBucketAcl, s3:GetBucketLocation |
| AssociateLambdaFunction | Grants permission to associate a Lambda function for an existing Amazon Connect instance | Write | instance* | connect:InstanceId | lambda:AddPermission |
| AssociateLexBot | Grants permission to associate a Lex bot for an existing Amazon Connect instance | Write | instance* | connect:InstanceId | iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, lex:GetBot |
| AssociatePhoneNumberContactFlow | Grants permission to associate contact flow resources to phone number resources in an Amazon Connect instance | Write | contact-flow*, phone-number* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| AssociateQueueQuickConnects | Grants permission to associate quick connects with a queue in an Amazon Connect instance | Write | queue*, quick-connect* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| AssociateRoutingProfileQueues | Grants permission to associate queues with a routing profile in an Amazon Connect instance | Write | queue*, routing-profile* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| AssociateSecurityKey | Grants permission to associate a security key for an existing Amazon Connect instance | Write | instance* | connect:InstanceId | |
| BatchAssociateAnalyticsDataSet [permission only] | Grants permission to grant access and to associate the datasets with the specified AWS account | Write | instance* | connect:InstanceId | |
| BatchDisassociateAnalyticsDataSet [permission only] | Grants permission to revoke access and to disassociate the datasets with the specified AWS account | Write | instance* | connect:InstanceId | |
| ClaimPhoneNumber | Grants permission to claim phone number resources in an Amazon Connect instance | Write | instance*, wildcard-phone-number* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateAgentStatus | Grants permission to create agent status in an Amazon Connect instance | Write | agent-status* | aws:RequestTag/${TagKey}, aws:TagKeys, connect:InstanceId | |
| CreateContactFlow | Grants permission to create a contact flow in an Amazon Connect instance | Write | contact-flow* | aws:RequestTag/${TagKey}, aws:TagKeys, connect:InstanceId | |
| CreateContactFlowModule | Grants permission to create a contact flow module in an Amazon Connect instance | Write | contact-flow-module* | aws:RequestTag/${TagKey}, aws:TagKeys, connect:InstanceId | |
| CreateHoursOfOperation | Grants permission to create hours of operation in an Amazon Connect instance | Write | hours-of-operation* | aws:RequestTag/${TagKey}, aws:TagKeys, connect:InstanceId | |
| CreateInstance | Grants permission to create a new Amazon Connect instance | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | ds:AuthorizeApplication, ds:CheckAlias, ds:CreateAlias, ds:CreateDirectory, ds:CreateIdentityPoolDirectory, ds:DeleteDirectory, ds:DescribeDirectories, ds:UnauthorizeApplication, iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy |
| CreateIntegrationAssociation | Grants permission to create an integration association with an Amazon Connect instance | Write | instance*, integration-association* | connect:InstanceId, aws:RequestTag/${TagKey}, aws:TagKeys | app-integrations:CreateEventIntegrationAssociation, connect:DescribeInstance, ds:DescribeDirectories, events:PutRule, events:PutTargets, mobiletargeting:GetApp, voiceid:DescribeDomain, wisdom:GetAssistant, wisdom:GetKnowledgeBase |
| CreateQueue | Grants permission to create a queue in an Amazon Connect instance | Write | hours-of-operation*, queue*, contact-flow, phone-number, quick-connect | aws:RequestTag/${TagKey}, aws:TagKeys, connect:InstanceId | |
| CreateQuickConnect | Grants permission to create a quick connect in an Amazon Connect instance | Write | quick-connect*, contact-flow, queue, user | aws:RequestTag/${TagKey}, aws:TagKeys, connect:InstanceId | |
| CreateRoutingProfile | Grants permission to create a routing profile in an Amazon Connect instance | Write | queue*, routing-profile* | aws:RequestTag/${TagKey}, aws:TagKeys, connect:InstanceId | |
| CreateSecurityProfile | Grants permission to create a security profile for the specified Amazon Connect instance | Write | security-profile* | aws:RequestTag/${TagKey}, aws:TagKeys, connect:InstanceId | |
| CreateTaskTemplate | Grants permission to create a task template in an Amazon Connect instance | Write | task-template* | | |
| CreateUseCase | Grants permission to create a use case for an integration association | Write | instance*, integration-association*, use-case* | connect:InstanceId, aws:RequestTag/${TagKey}, aws:TagKeys | connect:DescribeInstance, ds:DescribeDirectories |
| CreateUser | Grants permission to create a user for the specified Amazon Connect instance | Write | routing-profile*, security-profile*, user*, hierarchy-group | aws:RequestTag/${TagKey}, aws:TagKeys, connect:InstanceId | |
| CreateUserHierarchyGroup | Grants permission to create a user hierarchy group in an Amazon Connect instance | Write | hierarchy-group | aws:RequestTag/${TagKey}, aws:TagKeys, connect:InstanceId | |
| CreateVocabulary | Grants permission to create a vocabulary in an Amazon Connect instance | Write | vocabulary* | aws:RequestTag/${TagKey}, aws:TagKeys, connect:InstanceId | |
| DeleteContactFlow | Grants permission to delete a contact flow in an Amazon Connect instance | Write | contact-flow* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DeleteContactFlowModule | Grants permission to delete a contact flow module in an Amazon Connect instance | Write | contact-flow-module* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DeleteHoursOfOperation | Grants permission to delete hours of operation in an Amazon Connect instance | Write | hours-of-operation* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DeleteInstance | Grants permission to delete an Amazon Connect instance. When you remove an instance, the link to an existing AWS directory is also removed | Write | instance* | connect:InstanceId, aws:ResourceTag/${TagKey} | ds:DeleteDirectory, ds:DescribeDirectories, ds:UnauthorizeApplication |
| DeleteIntegrationAssociation | Grants permission to delete an integration association from an Amazon Connect instance. The association must not have any use cases associated with it | Write | instance*, integration-association* | connect:InstanceId | app-integrations:DeleteEventIntegrationAssociation, connect:DescribeInstance, ds:DescribeDirectories, events:DeleteRule, events:ListTargetsByRule, events:RemoveTargets |
| DeleteQuickConnect | Grants permission to delete a quick connect in an Amazon Connect instance | Write | quick-connect* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DeleteSecurityProfile | Grants permission to delete a security profile in an Amazon Connect instance | Write | security-profile* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DeleteTaskTemplate | Grants permission to delete a task template in an Amazon Connect instance | Write | task-template* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DeleteUseCase | Grants permission to delete a use case from an integration association | Write | instance*, use-case* | connect:InstanceId | connect:DescribeInstance, ds:DescribeDirectories |
| DeleteUser | Grants permission to delete a user in an Amazon Connect instance | Write | user* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DeleteUserHierarchyGroup | Grants permission to delete a user hierarchy group in an Amazon Connect instance | Write | hierarchy-group* | connect:InstanceId | |
| DeleteVocabulary | Grants permission to delete a vocabulary in an Amazon Connect instance | Write | vocabulary* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DescribeAgentStatus | Grants permission to describe agent status in an Amazon Connect instance | Read | agent-status* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DescribeContact | Grants permission to describe a contact in an Amazon Connect instance | Read | contact* | connect:InstanceId | |
| DescribeContactFlow | Grants permission to describe a contact flow in an Amazon Connect instance | Read | contact-flow* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DescribeContactFlowModule | Grants permission to describe a contact flow module in an Amazon Connect instance | Read | contact-flow-module* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DescribeHoursOfOperation | Grants permission to describe hours of operation in an Amazon Connect instance | Read | hours-of-operation* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DescribeInstance | Grants permission to view details of an Amazon Connect instance and is also required to create an instance | Read | instance* | connect:InstanceId, aws:ResourceTag/${TagKey} | ds:DescribeDirectories |
| DescribeInstanceAttribute | Grants permission to view the attribute details of an existing Amazon Connect instance | Read | instance* | connect:AttributeType, connect:InstanceId | |
| DescribeInstanceStorageConfig | Grants permission to view the instance storage configuration for an existing Amazon Connect instance | Read | instance* | connect:StorageResourceType, connect:InstanceId | |
| DescribePhoneNumber | Grants permission to describe phone number resources in an Amazon Connect instance | List | phone-number* | aws:ResourceTag/${TagKey} | |
| DescribeQueue | Grants permission to describe a queue in an Amazon Connect instance | Read | queue* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DescribeQuickConnect | Grants permission to describe a quick connect in an Amazon Connect instance | Read | quick-connect* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DescribeRoutingProfile | Grants permission to describe a routing profile in an Amazon Connect instance | Read | routing-profile* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DescribeSecurityProfile | Grants permission to describe a security profile in an Amazon Connect instance | Read | security-profile* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DescribeUser | Grants permission to describe a user in an Amazon Connect instance | Read | user* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DescribeUserHierarchyGroup | Grants permission to describe a hierarchy group for an Amazon Connect instance | Read | hierarchy-group* | connect:InstanceId | |
| DescribeUserHierarchyStructure | Grants permission to describe the hierarchy structure for an Amazon Connect instance | Read | instance* | connect:InstanceId | |
| DescribeVocabulary | Grants permission to describe a vocabulary in an Amazon Connect instance | Read | vocabulary* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DisassociateApprovedOrigin | Grants permission to disassociate approved origin for an existing Amazon Connect instance | Write | instance* | connect:InstanceId | |
| DisassociateBot | Grants permission to disassociate a Lex bot for an existing Amazon Connect instance | Write | instance* | connect:InstanceId | iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, lex:DeleteResourcePolicy, lex:UpdateResourcePolicy |
| DisassociateCustomerProfilesDomain | Grants permission to disassociate a Customer Profiles domain for an existing Amazon Connect instance | Write | instance* | | iam:AttachRolePolicy, iam:DeleteRolePolicy, iam:DetachRolePolicy, iam:GetPolicy, iam:GetPolicyVersion, iam:GetRolePolicy |
| DisassociateInstanceStorageConfig | Grants permission to disassociate instance storage for an existing Amazon Connect instance | Write | instance* | connect:StorageResourceType, connect:InstanceId | |
| DisassociateLambdaFunction | Grants permission to disassociate a Lambda function for an existing Amazon Connect instance | Write | instance* | connect:InstanceId | lambda:RemovePermission |
| DisassociateLexBot | Grants permission to disassociate a Lex bot for an existing Amazon Connect instance | Write | instance* | connect:InstanceId | iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy |
| DisassociatePhoneNumberContactFlow | Grants permission to disassociate contact flow resources from phone number resources in an Amazon Connect instance | Write | phone-number* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DisassociateQueueQuickConnects | Grants permission to disassociate quick connects from a queue in an Amazon Connect instance | Write | queue*, quick-connect* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DisassociateRoutingProfileQueues | Grants permission to disassociate queues from a routing profile in an Amazon Connect instance | Write | routing-profile* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| DisassociateSecurityKey | Grants permission to disassociate the security key for an existing Amazon Connect instance | Write | instance* | connect:InstanceId | |
| GetContactAttributes | Grants permission to retrieve the contact attributes for the specified contact | Read | contact* | connect:InstanceId | |
| GetCurrentMetricData | Grants permission to retrieve current metric data for the queues in an Amazon Connect instance | Read | queue* | connect:InstanceId | |
| GetCurrentUserData | Grants permission to retrieve current user data in an Amazon Connect instance | Read | queue* | connect:InstanceId | |
| GetFederationToken | Grants permission to federate into an Amazon Connect instance when using SAML-based authentication for identity management | Read | instance* | connect:InstanceId | |
| GetFederationTokens | Grants permission to federate into an Amazon Connect instance (Log in for emergency access functionality in the Amazon Connect console) | Write | instance* | | connect:DescribeInstance, connect:ListInstances, ds:DescribeDirectories |
| GetMetricData | Grants permission to retrieve historical metric data for queues in an Amazon Connect instance | Read | queue* | connect:InstanceId | |
| GetTaskTemplate | Grants permission to get details about specified task template in an Amazon Connect instance | Read | task-template* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| ListAgentStatuses | Grants permission to list agent statuses in an Amazon Connect instance | List | wildcard-agent-status* | | |
| ListApprovedOrigins | Grants permission to view approved origins of an existing Amazon Connect instance | List | instance* | connect:InstanceId | |
| ListBots | Grants permission to view the Lex bots of an existing Amazon Connect instance | List | instance* | connect:InstanceId | |
| ListContactFlowModules | Grants permission to list contact flow module resources in an Amazon Connect instance | List | instance* | | |
| ListContactFlows | Grants permission to list contact flow resources in an Amazon Connect instance | List | wildcard-contact-flow* | | |
| ListContactReferences | Grants permission to list references associated with a contact in an Amazon Connect instance | List | contact* | connect:InstanceId | |
| ListDefaultVocabularies | Grants permission to list default vocabularies associated with an Amazon Connect instance | List | instance* | connect:InstanceId | |
| ListHoursOfOperations | Grants permission to list hours of operation resources in an Amazon Connect instance | List | instance* | connect:InstanceId | |
| ListInstanceAttributes | Grants permission to view the attributes of an existing Amazon Connect instance | List | instance* | connect:InstanceId | |
| ListInstanceStorageConfigs | Grants permission to view storage configurations of an existing Amazon Connect instance | List | instance* | connect:InstanceId | |
| ListInstances | Grants permission to view the Amazon Connect instances associated with an AWS account | List | | | ds:DescribeDirectories |
| ListIntegrationAssociations | Grants permission to list summary information about the integration associations for the specified Amazon Connect instance | List | instance* | connect:InstanceId | connect:DescribeInstance, ds:DescribeDirectories |
| ListLambdaFunctions | Grants permission to view the Lambda functions of an existing Amazon Connect instance | List | instance* | connect:InstanceId | |
| ListLexBots | Grants permission to view the Lex bots of an existing Amazon Connect instance | List | instance* | connect:InstanceId | |
| ListPhoneNumbers | Grants permission to list phone number resources in an Amazon Connect instance | List | wildcard-legacy-phone-number* | | |
| ListPhoneNumbersV2 | Grants permission to list phone number resources in an Amazon Connect instance | List | wildcard-phone-number* | | |
| ListPrompts | Grants permission to list prompt resources in an Amazon Connect instance | List | instance* | connect:InstanceId | |
| ListQueueQuickConnects | Grants permission to list quick connect resources in a queue in an Amazon Connect instance | List | queue* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| ListQueues | Grants permission to list queue resources in an Amazon Connect instance | List | wildcard-queue* | | |
| ListQuickConnects | Grants permission to list quick connect resources in an Amazon Connect instance | List | wildcard-quick-connect* | | |
| ListRealtimeContactAnalysisSegments | Grants permission to list the analysis segments for a real-time analysis session | Read | contact* | | |
| ListRoutingProfileQueues | Grants permission to list queue resources in a routing profile in an Amazon Connect instance | List | routing-profile* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| ListRoutingProfiles | Grants permission to list routing profile resources in an Amazon Connect instance | List | instance* | connect:InstanceId | |
| ListSecurityKeys | Grants permission to view the security keys of an existing Amazon Connect instance | List | instance* | connect:InstanceId | |
| ListSecurityProfilePermissions | Grants permission to list permissions associated with security profile in an Amazon Connect instance | List | security-profile* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| ListSecurityProfiles | Grants permission to list security profile resources in an Amazon Connect instance | List | instance* | connect:InstanceId | |
| ListTagsForResource | Grants permission to list tags for an Amazon Connect resource | Read | agent-status, contact-flow, contact-flow-module, hierarchy-group, hours-of-operation, integration-association, phone-number, queue, quick-connect, routing-profile, security-profile, use-case, user, wildcard-phone-number | aws:ResourceTag/${TagKey} | |
| ListTaskTemplates | Grants permission to list task template resources in an Amazon Connect instance | List | instance* | | |
| ListUseCases | Grants permission to list the use cases of an integration association | List | instance* | connect:InstanceId | connect:DescribeInstance, ds:DescribeDirectories |
| ListUserHierarchyGroups | Grants permission to list the hierarchy group resources in an Amazon Connect instance | List | instance* | connect:InstanceId | |
| ListUsers | Grants permission to list user resources in an Amazon Connect instance | List | instance* | connect:InstanceId | |
| PutUserStatus | Grants permission to switch User Status in an Amazon Connect instance | Write | agent-status*, instance*, user* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| ReleasePhoneNumber | Grants permission to release phone number resources in an Amazon Connect instance | Write | phone-number* | aws:ResourceTag/${TagKey} | |
| ResumeContactRecording | Grants permission to resume recording for the specified contact | Write | contact* | | |
| SearchAvailablePhoneNumbers | Grants permission to search phone number resources in an Amazon Connect instance | List | wildcard-phone-number* | | |
| SearchUsers | Grants permission to search user resources in an Amazon Connect instance | Read | instance* | connect:InstanceId, connect:SearchTag/${TagKey} | connect:DescribeUser |
| SearchVocabularies | Grants permission to search vocabularies in an Amazon Connect instance | List | vocabulary* | connect:InstanceId | |
| StartChatContact | Grants permission to initiate a chat using the Amazon Connect API | Write | contact-flow* | | |
| StartContactRecording | Grants permission to start recording for the specified contact | Write | contact* | | |
| StartContactStreaming | Grants permission to start chat streaming using the Amazon Connect API | Write | instance* | | |
| StartOutboundVoiceContact | Grants permission to initiate outbound calls using the Amazon Connect API | Write | contact* | | |
| StartTaskContact | Grants permission to initiate a task using the Amazon Connect API | Write | contact-flow* | connect:InstanceId | |
| StopContact | Grants permission to stop contacts that were initiated using the Amazon Connect API. If you use this operation on an active contact the contact ends, even if the agent is active on a call with a customer | Write | contact* | connect:InstanceId | |
| StopContactRecording | Grants permission to stop recording for the specified contact | Write | contact* | | |
| StopContactStreaming | Grants permission to stop chat streaming using the Amazon Connect API | Write | instance* | | |
| SuspendContactRecording | Grants permission to suspend recording for the specified contact | Write | contact* | | |
| TagResource | Grants permission to tag an Amazon Connect resource | Tagging | agent-status, contact-flow, contact-flow-module, hierarchy-group, hours-of-operation, integration-association, phone-number, queue, quick-connect, routing-profile, security-profile, use-case, user, wildcard-phone-number | aws:TagKeys, aws:RequestTag/${TagKey} | |
| TransferContact | Grants permission to transfer the contact to another queue or agent | Write | contact*, contact-flow*, instance* | connect:InstanceId | |
| UntagResource | Grants permission to untag an Amazon Connect resource | Tagging | agent-status, contact-flow, contact-flow-module, hierarchy-group, hours-of-operation, integration-association, phone-number, queue, quick-connect, routing-profile, security-profile, use-case, user, wildcard-phone-number | aws:TagKeys, aws:RequestTag/${TagKey} | |
| UpdateAgentStatus | Grants permission to update agent status in an Amazon Connect instance | Write | agent-status* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateContact | Grants permission to update a contact in an Amazon Connect instance | Write | contact* | connect:InstanceId | |
| UpdateContactAttributes | Grants permission to create or update the contact attributes associated with the specified contact | Write | contact* | connect:InstanceId | |
| UpdateContactFlowContent | Grants permission to update contact flow content in an Amazon Connect instance | Write | contact-flow* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateContactFlowMetadata | Grants permission to update the metadata of a contact flow in an Amazon Connect instance | Write | contact-flow* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateContactFlowModuleContent | Grants permission to update contact flow module content in an Amazon Connect instance | Write | contact-flow-module* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateContactFlowModuleMetadata | Grants permission to update the metadata of a contact flow module in an Amazon Connect instance | Write | contact-flow-module* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateContactFlowName | Grants permission to update the name and description of a contact flow in an Amazon Connect instance | Write | contact-flow* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateContactSchedule | Grants permission to update the schedule of a contact that is already scheduled in an Amazon Connect instance | Write | contact* | connect:InstanceId | |
| UpdateHoursOfOperation | Grants permission to update hours of operation in an Amazon Connect instance | Write | hours-of-operation* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateInstanceAttribute | Grants permission to update the attribute for an existing Amazon Connect instance | Write | instance* | connect:AttributeType, connect:InstanceId | ds:DescribeDirectories, iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, logs:CreateLogGroup |
| UpdateInstanceStorageConfig | Grants permission to update the storage configuration for an existing Amazon Connect instance | Write | instance* | connect:StorageResourceType, connect:InstanceId | ds:DescribeDirectories, firehose:DescribeDeliveryStream, iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, kinesis:DescribeStream, kms:CreateGrant, kms:DescribeKey, s3:GetBucketAcl, s3:GetBucketLocation |
| UpdatePhoneNumber | Grants permission to update phone number resources in an Amazon Connect instance | Write | instance*, phone-number* | aws:ResourceTag/${TagKey} | |
| UpdateQueueHoursOfOperation | Grants permission to update queue hours of operation in an Amazon Connect instance | Write | hours-of-operation*, queue* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateQueueMaxContacts | Grants permission to update queue capacity in an Amazon Connect instance | Write | queue* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateQueueName | Grants permission to update a queue name and description in an Amazon Connect instance | Write | queue* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateQueueOutboundCallerConfig | Grants permission to update queue outbound caller config in an Amazon Connect instance | Write | queue*, contact-flow, phone-number | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateQueueStatus | Grants permission to update queue status in an Amazon Connect instance | Write | queue* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateQuickConnectConfig | Grants permission to update the configuration of a quick connect in an Amazon Connect instance | Write | quick-connect*, contact-flow, queue, user | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateQuickConnectName | Grants permission to update a quick connect name and description in an Amazon Connect instance | Write | quick-connect* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateRoutingProfileConcurrency | Grants permission to update the concurrency in a routing profile in an Amazon Connect instance | Write | routing-profile* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateRoutingProfileDefaultOutboundQueue | Grants permission to update the outbound queue in a routing profile in an Amazon Connect instance | Write | queue*, routing-profile* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateRoutingProfileName | Grants permission to update a routing profile name and description in an Amazon Connect instance | Write | routing-profile* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateRoutingProfileQueues | Grants permission to update the queues in routing profile in an Amazon Connect instance | Write | routing-profile* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateSecurityProfile | Grants permission to update a security profile group for a user in an Amazon Connect instance | Write | security-profile* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateTaskTemplate | Grants permission to update task template belonging to an Amazon Connect instance | Write | task-template* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateUserHierarchy | Grants permission to update a hierarchy group for a user in an Amazon Connect instance | Write | user*, hierarchy-group | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateUserHierarchyGroupName | Grants permission to update a user hierarchy group name in an Amazon Connect instance | Write | hierarchy-group* | connect:InstanceId | |
| UpdateUserHierarchyStructure | Grants permission to update user hierarchy structure in an Amazon Connect instance | Write | instance* | connect:InstanceId | |
| UpdateUserIdentityInfo | Grants permission to update identity information for a user in an Amazon Connect instance | Write | user* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateUserPhoneConfig | Grants permission to update phone configuration settings for a user in an Amazon Connect instance | Write | user* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateUserRoutingProfile | Grants permission to update a routing profile for a user in an Amazon Connect instance | Write | routing-profile*, user* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdateUserSecurityProfiles | Grants permission to update security profiles for a user in an Amazon Connect instance | Write | security-profile*, user* | aws:ResourceTag/${TagKey}, connect:InstanceId | |
| UpdatedescribeContent | Grants permission to update contact flow module content in an Amazon Connect instance | Write | contact-flow-module* | aws:ResourceTag/${TagKey}, connect:InstanceId | |

Resource types defined by Amazon Connect

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

| Resource types | ARN | Condition keys |
| --- | --- | --- |
| instance | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId} | aws:ResourceTag/${TagKey} |
| contact | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact/${ContactId} | |
| user | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent/${UserId} | aws:ResourceTag/${TagKey} |
| routing-profile | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/routing-profile/${RoutingProfileId} | aws:ResourceTag/${TagKey} |
| security-profile | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/security-profile/${SecurityProfileId} | aws:ResourceTag/${TagKey} |
| hierarchy-group | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-group/${HierarchyGroupId} | aws:ResourceTag/${TagKey} |
| queue | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/${QueueId} | aws:ResourceTag/${TagKey} |
| wildcard-queue | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/* | |
| quick-connect | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/${QuickConnectId} | aws:ResourceTag/${TagKey} |
| wildcard-quick-connect | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/* | |
| contact-flow | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/${ContactFlowId} | aws:ResourceTag/${TagKey} |
| task-template | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/task-template/${TaskTemplateId} | aws:ResourceTag/${TagKey} |
| contact-flow-module | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/flow-module/${ContactFlowModuleId} | aws:ResourceTag/${TagKey} |
| wildcard-contact-flow | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/* | |
| hours-of-operation | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/operating-hours/${HoursOfOperationId} | aws:ResourceTag/${TagKey} |
| agent-status | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-state/${AgentStatusId} | aws:ResourceTag/${TagKey} |
| wildcard-agent-status | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-state/* | |
| legacy-phone-number | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-number/${PhoneNumberId} | |
| wildcard-legacy-phone-number | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-number/* | |
| phone-number | arn:${Partition}:connect:${Region}:${Account}:phone-number/${PhoneNumberId} | aws:ResourceTag/${TagKey} |
| wildcard-phone-number | arn:${Partition}:connect:${Region}:${Account}:phone-number/* | aws:ResourceTag/${TagKey} |
| integration-association | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/integration-association/${IntegrationAssociationId} | aws:ResourceTag/${TagKey} |
| use-case | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/use-case/${UseCaseId} | aws:ResourceTag/${TagKey} |
| vocabulary | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/vocabulary/${VocabularyId} | aws:ResourceTag/${TagKey} |

Condition keys for Amazon Connect

Amazon Connect defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
| --- | --- | --- |
| aws:RequestTag/${TagKey} | Filters access by using tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by using tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access by using tag keys in the request | ArrayOfString |
| connect:AttributeType | Filters access by the attribute type of the Amazon Connect instance | String |
| connect:InstanceId | Filters access by restricting federation into specified Amazon Connect instances | String |
| connect:SearchTag/${TagKey} | Filters access by TagFilter condition passed in the search request | String |
| connect:StorageResourceType | Filters access by restricting the storage resource type of the Amazon Connect instance storage configuration | String |
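
The rule stated for the Resource types column (an action with no resource type needs "*" in Resource, and an ARN used with an action must be of that action's resource type) can be checked mechanically before a policy is deployed. The following is an added example, not part of the AWS reference: `could_match`, `lint_policy` and the finding labels are hypothetical names, the two lookup tables are a small subset copied from the tables on this page, and the account ID and instance ID in the sample policy are constructed. It treats every starred type as one that some Resource entry must be able to match, and it ignores NotAction, NotResource and Condition.

```python
import fnmatch
import re
from functools import lru_cache

# ARN formats copied from the page's "Resource types" table (subset).
_P = "arn:${Partition}:connect:${Region}:${Account}:"
ARN_FORMATS = {
    "instance": _P + "instance/${InstanceId}",
    "contact": _P + "instance/${InstanceId}/contact/${ContactId}",
    "user": _P + "instance/${InstanceId}/agent/${UserId}",
    "contact-flow": _P + "instance/${InstanceId}/contact-flow/${ContactFlowId}",
    "phone-number": _P + "phone-number/${PhoneNumberId}",
}

# Required (starred) resource types copied from the page's "Actions" table (subset).
# An empty list means the table shows no resource type, so Resource must be "*".
REQUIRED_TYPES = {
    "CreateInstance": [], "ListInstances": [],
    "DescribeInstance": ["instance"], "GetFederationToken": ["instance"],
    "DescribeUser": ["user"], "StopContact": ["contact"],
    "StartChatContact": ["contact-flow"],
    "UpdatePhoneNumber": ["instance", "phone-number"],
}
DELIMS = "/:"

def _tokens(text, is_format):
    """Tokenise a policy ARN (wildcards * and ?) or a table ARN format (${Var})."""
    out = []
    for part in (re.split(r"(\$\{\w+\})", text) if is_format else [text]):
        if is_format and part.startswith("${"):
            out += [("seg1", None), ("seg*", None)]  # one or more non-delimiter chars
            continue
        for ch in part:
            if not is_format and ch == "*":
                out.append(("any*", None))           # IAM '*' also spans '/' and ':'
            elif not is_format and ch == "?":
                out.append(("any1", None))
            else:
                out.append(("lit", ch))
    return tuple(out)

def _single_ok(a, b):
    """Can two single-character tokens stand for the same character?"""
    for x, y in ((a, b), (b, a)):
        if x[0] == "lit":
            if y[0] == "lit":
                return x[1] == y[1]
            return y[0] == "any1" or x[1] not in DELIMS
    return True

def could_match(policy_arn, arn_format):
    """True if some concrete ARN fits both the policy pattern and the table format."""
    p, t = _tokens(policy_arn, False), _tokens(arn_format, True)

    @lru_cache(maxsize=None)
    def go(i, j):
        if i == len(p) and j == len(t):
            return True
        pi = p[i] if i < len(p) else None
        tj = t[j] if j < len(t) else None
        if pi and pi[0] == "any*":   # star is empty, or absorbs the format's next token
            return go(i + 1, j) or (tj is not None and go(i, j + 1))
        if tj and tj[0] == "seg*":   # variable ends, or takes one more non-delimiter char
            return go(i, j + 1) or (
                pi is not None and _single_ok(pi, ("seg1", None)) and go(i + 1, j))
        if pi is None or tj is None:
            return False
        return _single_ok(pi, tj) and go(i + 1, j + 1)

    return go(0, 0)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement index, action, finding) for Action/Resource mismatches."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            service, _, name = pattern.lower().partition(":")
            if service != "connect":
                continue
            for action, required in REQUIRED_TYPES.items():
                if not fnmatch.fnmatchcase(action.lower(), name):
                    continue
                if not required:
                    findings.append((index, action, "no-resource-level-support"))
                for rtype in required:
                    if not any(could_match(r, ARN_FORMATS[rtype]) for r in resources):
                        findings.append((index, action, "missing-" + rtype))
    return findings

# Constructed sample policy; account ID and instance ID are placeholders.
_INSTANCE = "arn:aws:connect:us-east-1:111122223333:instance/EXAMPLE-INSTANCE-ID"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "connect:GetFederationToken", "Resource": _INSTANCE},
    {"Effect": "Allow", "Action": ["connect:CreateInstance", "connect:DescribeUser"],
     "Resource": _INSTANCE},
    {"Effect": "Allow", "Action": "connect:UpdatePhoneNumber",
     "Resource": "arn:aws:connect:us-east-1:111122223333:phone-number/*"},
]}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

A finding means the statement as written cannot apply to that action, which is the usual cause of an unexpected access-denied result after tightening Resource from "*" to a specific ARN.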