Actions, resources, and condition keys for Amazon Connect

Amazon Connect (service prefix: connect) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by Amazon Connect
Resource types defined by Amazon Connect
Condition keys for Amazon Connect

Actions defined by Amazon Connect

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
AssociateApprovedOrigin	Grants permissions to associate approved origin for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*
AssociateInstanceStorageConfig	Grants permissions to associate instance storage for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		ds:DescribeDirectories firehose:DescribeDeliveryStream iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy kinesis:DescribeStream kms:CreateGrant kms:DescribeKey s3:GetBucketAcl s3:GetBucketLocation
AssociateInstanceStorageConfig		Write		connect:StorageResourceType
AssociateLambdaFunction	Grants permissions to associate a Lambda function for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		lambda:AddPermission
AssociateLexBot	Grants permissions to associate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy lex:GetBot
AssociateRoutingProfileQueues	Grants permissions to associate queues with a routing profile in an Amazon Connect instance.	Write	queue*
			routing-profile*
				aws:ResourceTag/${TagKey}
AssociateSecurityKey	Grants permissions to associate a security key for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*
CreateContactFlow	Grants permissions to create a contact flow in an Amazon Connect instance.	Write	contact-flow*
CreateContactFlow		Write		aws:RequestTag/${TagKey} aws:TagKeys
CreateInstance	Grants permissions to create a new Amazon Connect instance. The associated required actions grant permissions to configure instance settings.	Write			ds:AuthorizeApplication ds:CheckAlias ds:CreateAlias ds:CreateDirectory ds:CreateIdentityPoolDirectory ds:DeleteDirectory ds:DescribeDirectories ds:UnauthorizeApplication iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy
CreateQuickConnect	Grants permission to create a quick connect in an Amazon Connect instance.	Write	quick-connect*
			contact-flow
			queue
			user
				aws:RequestTag/${TagKey} aws:TagKeys
CreateRoutingProfile	Grants permission to create a routing profile in an Amazon Connect instance.	Write	queue*
			routing-profile*
				aws:RequestTag/${TagKey} aws:TagKeys
CreateUser	Grants permission to create a user for the specified Amazon Connect instance.	Write	routing-profile*
			security-profile*
			user*
			hierarchy-group
				aws:RequestTag/${TagKey} aws:TagKeys
CreateUserHierarchyGroup	Grants permissions to create a user hierarchy group in an Amazon Connect instance.	Write	hierarchy-group
DeleteInstance	Grants permissions to delete an Amazon Connect instance. When you remove an instance, the link to an existing AWS directory is also removed.	Write	instance*		ds:DeleteDirectory ds:DescribeDirectories ds:UnauthorizeApplication
DeleteQuickConnect	Grants permissions to delete a quick connect in an Amazon Connect instance.	Write	quick-connect*
DeleteQuickConnect		Write		aws:ResourceTag/${TagKey}
DeleteUser	Grants permissions to delete a user in an Amazon Connect instance.	Write	user*
DeleteUser		Write		aws:ResourceTag/${TagKey}
DeleteUserHierarchyGroup	Grants permissions to delete a user hierarchy group in an Amazon Connect instance.	Write	hierarchy-group*
DescribeContactFlow	Grants permissions to describe a contact flow in an Amazon Connect instance.	Read	contact-flow*
DescribeContactFlow		Read		aws:ResourceTag/${TagKey}
DescribeInstance	Grants permissions to view details of an Amazon Connect instance. This is required to create an instance.	Read	instance*		ds:DescribeDirectories
DescribeInstanceAttribute	Grants permissions to view the attribute details of an existing Amazon Connect instance.	Read	instance*
DescribeInstanceAttribute		Read		connect:AttributeType
DescribeInstanceStorageConfig	Grants permissions to view the instance storage configuration for an existing Amazon Connect instance.	Read	instance*
DescribeInstanceStorageConfig		Read		connect:StorageResourceType
DescribeQuickConnect	Grants permissions to describe a quick connect in an Amazon Connect instance.	Read	quick-connect*
DescribeQuickConnect		Read		aws:ResourceTag/${TagKey}
DescribeRoutingProfile	Grants permissions to describe a routing profile in an Amazon Connect instance.	Read	routing-profile*
DescribeRoutingProfile		Read		aws:ResourceTag/${TagKey}
DescribeUser	Grants permissions to describe a user in an Amazon Connect instance.	Read	user*
DescribeUser		Read		aws:ResourceTag/${TagKey}
DescribeUserHierarchyGroup	Grants permissions to describe a hierarchy group for an Amazon Connect instance.	Read	hierarchy-group*
DescribeUserHierarchyStructure	Grants permissions to describe the hierarchy structure for an Amazon Connect instance.	Read	instance*
DisassociateApprovedOrigin	Grants permissions to disassociate approved origin for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*
DisassociateInstanceStorageConfig	Grants permissions to disassociate instance storage for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*
DisassociateInstanceStorageConfig		Write		connect:StorageResourceType
DisassociateLambdaFunction	Grants permissions to disassociate a Lambda function for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		lambda:RemovePermission
DisassociateLexBot	Grants permissions to disassociate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy
DisassociateRoutingProfileQueues	Grants permissions to disassociate queues from a routing profile in an Amazon Connect instance.	Write	routing-profile*
DisassociateRoutingProfileQueues		Write		aws:ResourceTag/${TagKey}
DisassociateSecurityKey	Grants permissions to disassociate the security key for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*
GetContactAttributes	Grants permissions to retrieve the contact attributes for the specified contact.	Read	contact*
GetCurrentMetricData	Grants permissions to retrieve current metric data for the queues in an Amazon Connect instance.	Read	queue*
GetFederationToken	Allows federation into an instance when using SAML-based authentication for identity management.	Read	instance*
GetFederationToken		Read		connect:InstanceId
GetFederationTokens	Grants permissions to federate in to an Amazon Connect instance (Log in as administrator functionality in the AWS console).	Write	instance*		connect:DescribeInstance connect:ListInstances ds:DescribeDirectories
GetMetricData	Grants permissions to retrieve historical metric data for queues in an Amazon Connect instance.	Read	queue*
ListApprovedOrigins	Grants permissions to view approved origins of an existing Amazon Connect instance.	List	instance*
ListContactFlows	Grants permissions to list contact flow resources in an Amazon Connect instance.	List	instance*
ListHoursOfOperations	Grants permissions to list hours of operation resources in an Amazon Connect instance.	List	instance*
ListInstanceAttributes	Grants permissions to view the attributes of an existing Amazon Connect instance.	List	instance*
ListInstanceStorageConfigs	Grants permissions to view storage configurations of an existing Amazon Connect instance.	List	instance*
ListInstances	Grants permissions to view the Amazon Connect instances associated with an AWS account.	List			ds:DescribeDirectories
ListLambdaFunctions	Grants permissions to view the Lambda functions of an existing Amazon Connect instance.	List	instance*
ListLexBots	Grants permissions to view the Lex bots of an existing Amazon Connect instance.	List	instance*
ListPhoneNumbers	Grants permissions to list phone number resources in an Amazon Connect instance.	List	instance*
ListPrompts	Grants permissions to list prompt resources in an Amazon Connect instance.	List	instance*
ListQueues	Grants permissions to list queue resources in an Amazon Connect instance.	List	instance*
ListQuickConnects	Grants permissions to list quick connect resources in an Amazon Connect instance.	List	instance*
ListRoutingProfileQueues	Grants permissions to list queue resources in a routing profile in an Amazon Connect instance.	Read	routing-profile*
ListRoutingProfileQueues		Read		aws:ResourceTag/${TagKey}
ListRoutingProfiles	Grants permissions to list routing profile resources in an Amazon Connect instance.	List	instance*
ListSecurityKeys	Grants permissions to view the security keys of an existing Amazon Connect instance.	List	instance*
ListSecurityProfiles	Grants permissions to list security profile resources in an Amazon Connect instance.	List	instance*
ListTagsForResource	Grants permissions to list tags for an Amazon Connect resource.	Read	contact-flow
			quick-connect
			routing-profile
			user
				aws:ResourceTag/${TagKey}
ListUserHierarchyGroups	Grants permissions to list the hierarchy group resources in an Amazon Connect instance.	List	instance*
ListUsers	Grants permissions to list user resources in an Amazon Connect instance.	List	instance*
ResumeContactRecording	Grants permissions to resume recording for the specified contact.	Write	contact*
StartChatContact	Grants permissions to initiate a chat using the Amazon Connect API.	Write	contact-flow*
StartContactRecording	Grants permissions to start recording for the specified contact.	Write	contact*
StartOutboundVoiceContact	Grants permissions to initiate outbound calls using the Amazon Connect API.	Write	contact*
StartTaskContact	Grants permissions to initiate a task using the Amazon Connect API.	Write	contact-flow*
StopContact	Grants permissions to stop contacts that were initiated using the Amazon Connect API. If you use this operation on an active contact the contact ends, even if the agent is active on a call with a customer.	Write	contact*
StopContactRecording	Grants permissions to stop recording for the specified contact.	Write	contact*
SuspendContactRecording	Grants permissions to suspend recording for the specified contact.	Write	contact*
TagResource	Grants permissions to tag an Amazon Connect resource.	Tagging	contact-flow
			quick-connect
			routing-profile
			user
				aws:TagKeys aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey}
UntagResource	Grants permissions to untag an Amazon Connect resource.	Tagging	contact-flow
			quick-connect
			routing-profile
			user
				aws:TagKeys aws:ResourceTag/${TagKey}
UpdateContactAttributes	Grants permissions to create or update the contact attributes associated with the specified contact.	Write	contact*
UpdateContactFlowContent	Grants permissions to update contact flow content in an Amazon Connect instance.	Write	contact-flow*
UpdateContactFlowContent		Write		aws:ResourceTag/${TagKey}
UpdateContactFlowName	Grants permissions to update the name and description of a contact flow in an Amazon Connect instance.	Write	contact-flow*
UpdateContactFlowName		Write		aws:ResourceTag/${TagKey}
UpdateInstanceAttribute	Grants permissions to update the attribute for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		ds:DescribeDirectories iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy logs:CreateLogGroup
UpdateInstanceAttribute		Write		connect:AttributeType
UpdateInstanceStorageConfig	Grants permissions to update the storage configuration for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		ds:DescribeDirectories firehose:DescribeDeliveryStream iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy kinesis:DescribeStream kms:CreateGrant kms:DescribeKey s3:GetBucketAcl s3:GetBucketLocation
UpdateInstanceStorageConfig		Write		connect:StorageResourceType
UpdateQuickConnectConfig	Grants permissions to update the configuration of a quick connect in an Amazon Connect instance.	Write	quick-connect*
			contact-flow
			queue
			user
				aws:ResourceTag/${TagKey}
UpdateQuickConnectName	Grants permissions to update a quick connect name and description in an Amazon Connect instance.	Write	quick-connect*
UpdateQuickConnectName		Write		aws:ResourceTag/${TagKey}
UpdateRoutingProfileConcurrency	Grants permissions to update the concurrency in a routing profile in an Amazon Connect instance.	Write	routing-profile*
UpdateRoutingProfileConcurrency		Write		aws:ResourceTag/${TagKey}
UpdateRoutingProfileDefaultOutboundQueue	Grants permissions to update the outbound queue in a routing profile in an Amazon Connect instance.	Write	queue*
			routing-profile*
				aws:ResourceTag/${TagKey}
UpdateRoutingProfileName	Grants permissions to update a routing profile name and description in an Amazon Connect instance.	Write	routing-profile*
UpdateRoutingProfileName		Write		aws:ResourceTag/${TagKey}
UpdateRoutingProfileQueues	Grants permissions to update the queues in routing profile in an Amazon Connect instance.	Write	routing-profile*
UpdateRoutingProfileQueues		Write		aws:ResourceTag/${TagKey}
UpdateUserHierarchy	Grants permissions to update a hierarchy group for a user in an Amazon Connect instance.	Write	user*
			hierarchy-group
				aws:ResourceTag/${TagKey}
UpdateUserHierarchyGroupName	Grants permissions to update a user hierarchy group name in an Amazon Connect instance.	Write	hierarchy-group*
UpdateUserHierarchyStructure	Grants permissions to update user hierarchy structure in an Amazon Connect instance.	Write	instance*
UpdateUserIdentityInfo	Grants permissions to update identity information for a user in an Amazon Connect instance.	Write	user*
UpdateUserIdentityInfo		Write		aws:ResourceTag/${TagKey}
UpdateUserPhoneConfig	Grants permissions to update phone configuration settings for a user in an Amazon Connect instance.	Write	user*
UpdateUserPhoneConfig		Write		aws:ResourceTag/${TagKey}
UpdateUserRoutingProfile	Grants permissions to update a routing profile for a user in an Amazon Connect instance.	Write	routing-profile*
			user*
				aws:ResourceTag/${TagKey}
UpdateUserSecurityProfiles	Grants permissions to update security profiles for a user in an Amazon Connect instance.	Write	security-profile*
			user*
				aws:ResourceTag/${TagKey}

Resource types defined by Amazon Connect

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

Resource types	ARN	Condition keys
instance	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}`
contact	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact/${ContactId}`
user	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent/${UserId}`	aws:ResourceTag/${TagKey}
routing-profile	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/routing-profile/${RoutingProfileId}`	aws:ResourceTag/${TagKey}
security-profile	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/security-profile/${SecurityProfileId}`
hierarchy-group	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-group/${HierarchyGroupId}`
queue	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/${QueueId}`
quick-connect	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/${QuickConnectId}`	aws:ResourceTag/${TagKey}
contact-flow	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/${ContactFlowId}`	aws:ResourceTag/${TagKey}
hours-of-operation	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/operating-hours/${HoursOfOperationId}`
phone-number	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-numbers/${PhoneNumberId}`

Condition keys for Amazon Connect

Amazon Connect defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters actions based on the presence of tag key-value pairs in the request.	String
aws:ResourceTag/${TagKey}	Filters actions based on tag key-value pairs attached to the resource.	String
aws:TagKeys	Filters actions based on the presence of tag keys in the request.	String
connect:AttributeType	Filters access by the attribute type of the Amazon Connect instance.	String
connect:InstanceId	Filters access by restricting federation into specified connect instances .	String
connect:StorageResourceType	Filters access by restricting the storage resource type of the Amazon Connect instance storage configuration.	String

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS Config

Amazon Connect Customer Profiles