Actions, resources, and condition keys for Amazon Connect - Service Authorization Reference

Amazon Connect (service prefix: connect) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon Connect

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If a resource type is optional (not indicated as required), then you can choose to use one of the listed resource types but not the other.

For details about the columns in the following table, see The actions table.

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AssociateApprovedOrigin | Grants permissions to associate approved origin for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | |
AssociateInstanceStorageConfig | Grants permissions to associate instance storage for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | connect:StorageResourceType | ds:DescribeDirectories, firehose:DescribeDeliveryStream, iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, kinesis:DescribeStream, kms:CreateGrant, kms:DescribeKey, s3:GetBucketAcl, s3:GetBucketLocation
AssociateLambdaFunction | Grants permissions to associate a Lambda function for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | | lambda:AddPermission
AssociateLexBot | Grants permissions to associate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | | iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, lex:GetBot
AssociateRoutingProfileQueues | Grants permissions to associate queues with a routing profile in an Amazon Connect instance. | Write | queue*, routing-profile* | aws:ResourceTag/${TagKey} |
AssociateSecurityKey | Grants permissions to associate a security key for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | |
CreateContactFlow | Grants permissions to create a contact flow in an Amazon Connect instance. | Write | contact-flow* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateInstance | Grants permissions to create a new Amazon Connect instance. The associated required actions grant permissions to configure instance settings. | Write | | | ds:AuthorizeApplication, ds:CheckAlias, ds:CreateAlias, ds:CreateDirectory, ds:CreateIdentityPoolDirectory, ds:DeleteDirectory, ds:DescribeDirectories, ds:UnauthorizeApplication, iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy
CreateQuickConnect | Grants permission to create a quick connect in an Amazon Connect instance. | Write | quick-connect*, contact-flow, queue, user | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateRoutingProfile | Grants permission to create a routing profile in an Amazon Connect instance. | Write | queue*, routing-profile* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateUser | Grants permission to create a user for the specified Amazon Connect instance. | Write | routing-profile*, security-profile*, user*, hierarchy-group | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateUserHierarchyGroup | Grants permissions to create a user hierarchy group in an Amazon Connect instance. | Write | hierarchy-group | |
DeleteInstance | Grants permissions to delete an Amazon Connect instance. When you remove an instance, the link to an existing AWS directory is also removed. | Write | instance* | | ds:DeleteDirectory, ds:DescribeDirectories, ds:UnauthorizeApplication
DeleteQuickConnect | Grants permissions to delete a quick connect in an Amazon Connect instance. | Write | quick-connect* | aws:ResourceTag/${TagKey} |
DeleteUser | Grants permissions to delete a user in an Amazon Connect instance. | Write | user* | aws:ResourceTag/${TagKey} |
DeleteUserHierarchyGroup | Grants permissions to delete a user hierarchy group in an Amazon Connect instance. | Write | hierarchy-group* | |
DescribeContactFlow | Grants permissions to describe a contact flow in an Amazon Connect instance. | Read | contact-flow* | aws:ResourceTag/${TagKey} |
DescribeInstance | Grants permissions to view details of an Amazon Connect instance. This is required to create an instance. | Read | instance* | | ds:DescribeDirectories
DescribeInstanceAttribute | Grants permissions to view the attribute details of an existing Amazon Connect instance. | Read | instance* | connect:AttributeType |
DescribeInstanceStorageConfig | Grants permissions to view the instance storage configuration for an existing Amazon Connect instance. | Read | instance* | connect:StorageResourceType |
DescribeQuickConnect | Grants permissions to describe a quick connect in an Amazon Connect instance. | Read | quick-connect* | aws:ResourceTag/${TagKey} |
DescribeRoutingProfile | Grants permissions to describe a routing profile in an Amazon Connect instance. | Read | routing-profile* | aws:ResourceTag/${TagKey} |
DescribeUser | Grants permissions to describe a user in an Amazon Connect instance. | Read | user* | aws:ResourceTag/${TagKey} |
DescribeUserHierarchyGroup | Grants permissions to describe a hierarchy group for an Amazon Connect instance. | Read | hierarchy-group* | |
DescribeUserHierarchyStructure | Grants permissions to describe the hierarchy structure for an Amazon Connect instance. | Read | instance* | |
DisassociateApprovedOrigin | Grants permissions to disassociate approved origin for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | |
DisassociateInstanceStorageConfig | Grants permissions to disassociate instance storage for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | connect:StorageResourceType |
DisassociateLambdaFunction | Grants permissions to disassociate a Lambda function for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | | lambda:RemovePermission
DisassociateLexBot | Grants permissions to disassociate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | | iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy
DisassociateRoutingProfileQueues | Grants permissions to disassociate queues from a routing profile in an Amazon Connect instance. | Write | routing-profile* | aws:ResourceTag/${TagKey} |
DisassociateSecurityKey | Grants permissions to disassociate the security key for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | |
GetContactAttributes | Grants permissions to retrieve the contact attributes for the specified contact. | Read | contact* | |
GetCurrentMetricData | Grants permissions to retrieve current metric data for the queues in an Amazon Connect instance. | Read | queue* | |
GetFederationToken | Allows federation into an instance when using SAML-based authentication for identity management. | Read | instance* | connect:InstanceId |
GetFederationTokens | Grants permissions to federate into an Amazon Connect instance (Log in as administrator functionality in the AWS console). | Write | instance* | | connect:DescribeInstance, connect:ListInstances, ds:DescribeDirectories
GetMetricData | Grants permissions to retrieve historical metric data for queues in an Amazon Connect instance. | Read | queue* | |
ListApprovedOrigins | Grants permissions to view approved origins of an existing Amazon Connect instance. | List | instance* | |
ListContactFlows | Grants permissions to list contact flow resources in an Amazon Connect instance. | List | instance* | |
ListHoursOfOperations | Grants permissions to list hours of operation resources in an Amazon Connect instance. | List | instance* | |
ListInstanceAttributes | Grants permissions to view the attributes of an existing Amazon Connect instance. | List | instance* | |
ListInstanceStorageConfigs | Grants permissions to view storage configurations of an existing Amazon Connect instance. | List | instance* | |
ListInstances | Grants permissions to view the Amazon Connect instances associated with an AWS account. | List | | | ds:DescribeDirectories
ListLambdaFunctions | Grants permissions to view the Lambda functions of an existing Amazon Connect instance. | List | instance* | |
ListLexBots | Grants permissions to view the Lex bots of an existing Amazon Connect instance. | List | instance* | |
ListPhoneNumbers | Grants permissions to list phone number resources in an Amazon Connect instance. | List | instance* | |
ListPrompts | Grants permissions to list prompt resources in an Amazon Connect instance. | List | instance* | |
ListQueues | Grants permissions to list queue resources in an Amazon Connect instance. | List | instance* | |
ListQuickConnects | Grants permissions to list quick connect resources in an Amazon Connect instance. | List | instance* | |
ListRoutingProfileQueues | Grants permissions to list queue resources in a routing profile in an Amazon Connect instance. | Read | routing-profile* | aws:ResourceTag/${TagKey} |
ListRoutingProfiles | Grants permissions to list routing profile resources in an Amazon Connect instance. | List | instance* | |
ListSecurityKeys | Grants permissions to view the security keys of an existing Amazon Connect instance. | List | instance* | |
ListSecurityProfiles | Grants permissions to list security profile resources in an Amazon Connect instance. | List | instance* | |
ListTagsForResource | Grants permissions to list tags for an Amazon Connect resource. | Read | contact-flow, quick-connect, routing-profile, user | aws:ResourceTag/${TagKey} |
ListUserHierarchyGroups | Grants permissions to list the hierarchy group resources in an Amazon Connect instance. | List | instance* | |
ListUsers | Grants permissions to list user resources in an Amazon Connect instance. | List | instance* | |
ResumeContactRecording | Grants permissions to resume recording for the specified contact. | Write | contact* | |
StartChatContact | Grants permissions to initiate a chat using the Amazon Connect API. | Write | contact-flow* | |
StartContactRecording | Grants permissions to start recording for the specified contact. | Write | contact* | |
StartOutboundVoiceContact | Grants permissions to initiate outbound calls using the Amazon Connect API. | Write | contact* | |
StartTaskContact | Grants permissions to initiate a task using the Amazon Connect API. | Write | contact-flow* | |
StopContact | Grants permissions to stop contacts that were initiated using the Amazon Connect API. If you use this operation on an active contact, the contact ends, even if the agent is active on a call with a customer. | Write | contact* | |
StopContactRecording | Grants permissions to stop recording for the specified contact. | Write | contact* | |
SuspendContactRecording | Grants permissions to suspend recording for the specified contact. | Write | contact* | |
TagResource | Grants permissions to tag an Amazon Connect resource. | Tagging | contact-flow, quick-connect, routing-profile, user | aws:TagKeys, aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey} |
UntagResource | Grants permissions to untag an Amazon Connect resource. | Tagging | contact-flow, quick-connect, routing-profile, user | aws:TagKeys, aws:ResourceTag/${TagKey} |
UpdateContactAttributes | Grants permissions to create or update the contact attributes associated with the specified contact. | Write | contact* | |
UpdateContactFlowContent | Grants permissions to update contact flow content in an Amazon Connect instance. | Write | contact-flow* | aws:ResourceTag/${TagKey} |
UpdateContactFlowName | Grants permissions to update the name and description of a contact flow in an Amazon Connect instance. | Write | contact-flow* | aws:ResourceTag/${TagKey} |
UpdateInstanceAttribute | Grants permissions to update the attribute for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | connect:AttributeType | ds:DescribeDirectories, iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, logs:CreateLogGroup
UpdateInstanceStorageConfig | Grants permissions to update the storage configuration for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | instance* | connect:StorageResourceType | ds:DescribeDirectories, firehose:DescribeDeliveryStream, iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, kinesis:DescribeStream, kms:CreateGrant, kms:DescribeKey, s3:GetBucketAcl, s3:GetBucketLocation
UpdateQuickConnectConfig | Grants permissions to update the configuration of a quick connect in an Amazon Connect instance. | Write | quick-connect*, contact-flow, queue, user | aws:ResourceTag/${TagKey} |
UpdateQuickConnectName | Grants permissions to update a quick connect name and description in an Amazon Connect instance. | Write | quick-connect* | aws:ResourceTag/${TagKey} |
UpdateRoutingProfileConcurrency | Grants permissions to update the concurrency in a routing profile in an Amazon Connect instance. | Write | routing-profile* | aws:ResourceTag/${TagKey} |
UpdateRoutingProfileDefaultOutboundQueue | Grants permissions to update the outbound queue in a routing profile in an Amazon Connect instance. | Write | queue*, routing-profile* | aws:ResourceTag/${TagKey} |
UpdateRoutingProfileName | Grants permissions to update a routing profile name and description in an Amazon Connect instance. | Write | routing-profile* | aws:ResourceTag/${TagKey} |
UpdateRoutingProfileQueues | Grants permissions to update the queues in a routing profile in an Amazon Connect instance. | Write | routing-profile* | aws:ResourceTag/${TagKey} |
UpdateUserHierarchy | Grants permissions to update a hierarchy group for a user in an Amazon Connect instance. | Write | user*, hierarchy-group | aws:ResourceTag/${TagKey} |
UpdateUserHierarchyGroupName | Grants permissions to update a user hierarchy group name in an Amazon Connect instance. | Write | hierarchy-group* | |
UpdateUserHierarchyStructure | Grants permissions to update the user hierarchy structure in an Amazon Connect instance. | Write | instance* | |
UpdateUserIdentityInfo | Grants permissions to update identity information for a user in an Amazon Connect instance. | Write | user* | aws:ResourceTag/${TagKey} |
UpdateUserPhoneConfig | Grants permissions to update phone configuration settings for a user in an Amazon Connect instance. | Write | user* | aws:ResourceTag/${TagKey} |
UpdateUserRoutingProfile | Grants permissions to update a routing profile for a user in an Amazon Connect instance. | Write | routing-profile*, user* | aws:ResourceTag/${TagKey} |
UpdateUserSecurityProfiles | Grants permissions to update security profiles for a user in an Amazon Connect instance. | Write | security-profile*, user* | aws:ResourceTag/${TagKey} |

Resource types defined by Amazon Connect

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

Resource type | ARN | Condition keys
instance | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId} |
contact | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact/${ContactId} |
user | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent/${UserId} | aws:ResourceTag/${TagKey}
routing-profile | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/routing-profile/${RoutingProfileId} | aws:ResourceTag/${TagKey}
security-profile | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/security-profile/${SecurityProfileId} |
hierarchy-group | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-group/${HierarchyGroupId} |
queue | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/${QueueId} |
quick-connect | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/${QuickConnectId} | aws:ResourceTag/${TagKey}
contact-flow | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/${ContactFlowId} | aws:ResourceTag/${TagKey}
hours-of-operation | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/operating-hours/${HoursOfOperationId} |
phone-number | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-numbers/${PhoneNumberId} |
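The actions table and the resource types table together determine whether a policy statement does what its author intended. As an added example (not part of this reference and not AWS code), the following Python script applies those rules to a policy document: it renders ARNs from the templates in the resource types table, recognises which resource type an ARN names from its path segment (agent, transfer-destination, agent-group and so on), and flags three mistakes a reviewer looks for. An action that supports resource-level permissions but is granted on "*" is broader than necessary and bypasses the tag-based condition keys listed for it; an action with no resource type (such as CreateInstance or ListInstances) that is scoped to an ARN never matches, so the statement silently grants nothing; and an action paired with an ARN of a type it does not accept likewise never matches. The action subset, the account id, the instance id and the sample policy are constructed for this example.

```python
"""Lint an IAM policy against the Amazon Connect action/resource tables above.

Added example (not from the page or from AWS). Finding codes:
  over-broad     action supports a resource type but is granted on "*"
  ineffective    action has no resource type, so an ARN-scoped statement never matches
  type-mismatch  the ARN names a resource type the action does not accept
  bad-arn        not one of the Connect ARN formats in the resource types table
  unknown-action action (or wildcard) outside the subset transcribed below
"""
import re

# Subset of the actions table, transcribed from the page: action -> resource
# types it supports (an empty set means the action needs Resource "*").
ACTION_RESOURCE_TYPES = {
    "connect:CreateInstance": set(),
    "connect:ListInstances": set(),
    "connect:DescribeInstance": {"instance"},
    "connect:ListUsers": {"instance"},
    "connect:DescribeUser": {"user"},
    "connect:UpdateUserSecurityProfiles": {"security-profile", "user"},
    "connect:GetFederationToken": {"instance"},
    "connect:GetContactAttributes": {"contact"},
    "connect:DescribeQuickConnect": {"quick-connect"},
    "connect:ListTagsForResource": {"contact-flow", "quick-connect", "routing-profile", "user"},
}

# ARN path segment -> resource type, from the resource types table.
SEGMENT_TO_TYPE = {
    "contact": "contact", "agent": "user", "routing-profile": "routing-profile",
    "security-profile": "security-profile", "agent-group": "hierarchy-group",
    "queue": "queue", "transfer-destination": "quick-connect",
    "contact-flow": "contact-flow", "operating-hours": "hours-of-operation",
    "phone-numbers": "phone-number",
}
TYPE_TO_SEGMENT = {v: k for k, v in SEGMENT_TO_TYPE.items()}

# instance/<id> optionally followed by exactly one <segment>/<id> pair.
_ARN_RE = re.compile(
    r"^arn:[^:]+:connect:[^:]*:[^:]*:instance/(?P<instance>[^/]+)"
    r"(?:/(?P<seg>[^/]+)/(?P<id>[^/]+))?$"
)


def connect_arn(region, account, instance_id, rtype="instance", rid="*", partition="aws"):
    """Render an ARN from the templates in the resource types table."""
    base = f"arn:{partition}:connect:{region}:{account}:instance/{instance_id}"
    return base if rtype == "instance" else f"{base}/{TYPE_TO_SEGMENT[rtype]}/{rid}"


def arn_resource_type(resource):
    """Resource type named by an ARN, "*" for the bare wildcard, None if unrecognised."""
    if resource == "*":
        return "*"
    m = _ARN_RE.match(resource)
    if not m:
        return None
    return "instance" if m.group("seg") is None else SEGMENT_TO_TYPE.get(m.group("seg"))


def lint_policy(policy):
    """Return (statement index, action, resource, code) for every problem found."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant something worth scoping
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            supported = ACTION_RESOURCE_TYPES.get(action)
            if supported is None:
                findings.append((i, action, None, "unknown-action"))
                continue
            for res in resources:
                rtype = arn_resource_type(res)
                if rtype == "*":
                    if supported:
                        findings.append((i, action, res, "over-broad"))
                elif rtype is None:
                    findings.append((i, action, res, "bad-arn"))
                elif not supported:
                    findings.append((i, action, res, "ineffective"))
                elif rtype not in supported:
                    findings.append((i, action, res, "type-mismatch"))
    return findings


ACCOUNT = "123456789012"                             # placeholder account id (constructed)
INSTANCE = "00000000-0000-0000-0000-000000000000"    # placeholder instance id (constructed)
SAMPLE_POLICY = {                                    # constructed policy, not from the page
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "connect:ListInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": ["connect:DescribeUser", "connect:ListUsers"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["connect:DescribeInstance", "connect:CreateInstance"],
         "Resource": connect_arn("us-east-1", ACCOUNT, INSTANCE)},
        {"Effect": "Allow", "Action": "connect:GetContactAttributes",
         "Resource": connect_arn("us-east-1", ACCOUNT, INSTANCE, "user", "*")},
    ],
}

if __name__ == "__main__":
    for idx, action, res, code in lint_policy(SAMPLE_POLICY):
        print(f"statement {idx}: {action} on {res}: {code}")
```

Statement 0 is correct as written because ListInstances has no resource type. The linter reports the DescribeUser and ListUsers grant on "*" as over-broad, the ARN-scoped CreateInstance as ineffective, and GetContactAttributes paired with a user ARN as a type mismatch. Extend ACTION_RESOURCE_TYPES from the full table above to lint real policies.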

Condition keys for Amazon Connect

Amazon Connect defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request. | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource. | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request. | String
connect:AttributeType | Filters access by the attribute type of the Amazon Connect instance. | String
connect:InstanceId | Filters access by restricting federation into the specified Amazon Connect instances. | String
connect:StorageResourceType | Filters access by restricting the storage resource type of the Amazon Connect instance storage configuration. | String