Actions, resources, and condition keys for Amazon Connect

Amazon Connect (service prefix: connect) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by Amazon Connect
Resource types defined by Amazon Connect
Condition keys for Amazon Connect

Actions defined by Amazon Connect

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
AssociateApprovedOrigin	Grants permissions to associate approved origin for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*
AssociateApprovedOrigin		Write		connect:InstanceId
AssociateBot	Grants permissions to associate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy lex:CreateResourcePolicy lex:DescribeBotAlias lex:GetBot lex:UpdateResourcePolicy
AssociateBot		Write		connect:InstanceId
AssociateCustomerProfilesDomain	Grants permissions to associate a Customer Profiles domain for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy profile:GetDomain
AssociateInstanceStorageConfig	Grants permissions to associate instance storage for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		ds:DescribeDirectories firehose:DescribeDeliveryStream iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy kinesis:DescribeStream kms:CreateGrant kms:DescribeKey s3:GetBucketAcl s3:GetBucketLocation
AssociateInstanceStorageConfig		Write		connect:StorageResourceType connect:InstanceId
AssociateLambdaFunction	Grants permissions to associate a Lambda function for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		lambda:AddPermission
AssociateLambdaFunction		Write		connect:InstanceId
AssociateLexBot	Grants permissions to associate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy lex:GetBot
AssociateLexBot		Write		connect:InstanceId
AssociateQueueQuickConnects	Grants permissions to associate quick connects with a queue in an Amazon Connect instance	Write	queue*
			quick-connect*
				aws:ResourceTag/${TagKey} connect:InstanceId
AssociateRoutingProfileQueues	Grants permissions to associate queues with a routing profile in an Amazon Connect instance	Write	queue*
			routing-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
AssociateSecurityKey	Grants permissions to associate a security key for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*
AssociateSecurityKey		Write		connect:InstanceId
CreateAgentStatus	Grants permission to create agent status in an Amazon Connect instance	Write	agent-status*
CreateAgentStatus		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateContactFlow	Grants permissions to create a contact flow in an Amazon Connect instance	Write	contact-flow*
CreateContactFlow		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateHoursOfOperation	Grants permission to create hours of operation in an Amazon Connect instance	Write	hours-of-operation*
CreateHoursOfOperation		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateInstance	Grants permissions to create a new Amazon Connect instance. The associated required actions grant permissions to configure instance settings.	Write			ds:AuthorizeApplication ds:CheckAlias ds:CreateAlias ds:CreateDirectory ds:CreateIdentityPoolDirectory ds:DeleteDirectory ds:DescribeDirectories ds:UnauthorizeApplication iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy
CreateIntegrationAssociation	Grants permissions to create an AppIntegration association with an Amazon Connect instance	Write	instance*		app-integrations:CreateEventIntegrationAssociation connect:DescribeInstance ds:DescribeDirectories events:PutRule events:PutTargets
			integration-association*
				connect:InstanceId aws:RequestTag/${TagKey} aws:TagKeys
CreateQueue	Grants permissions to create a queue in an Amazon Connect instance	Write	hours-of-operation*
			queue*
			contact-flow
			phone-number
			quick-connect
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateQuickConnect	Grants permission to create a quick connect in an Amazon Connect instance	Write	quick-connect*
			contact-flow
			queue
			user
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateRoutingProfile	Grants permission to create a routing profile in an Amazon Connect instance	Write	queue*
			routing-profile*
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateUseCase	Grants permissions to create a use case for an AppIntegration association	Write	instance*		connect:DescribeInstance ds:DescribeDirectories
			integration-association*
			use-case*
				connect:InstanceId aws:RequestTag/${TagKey} aws:TagKeys
CreateUser	Grants permission to create a user for the specified Amazon Connect instance	Write	routing-profile*
			security-profile*
			user*
			hierarchy-group
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateUserHierarchyGroup	Grants permissions to create a user hierarchy group in an Amazon Connect instance	Write	hierarchy-group
CreateUserHierarchyGroup		Write		connect:InstanceId
DeleteHoursOfOperation	Grants permission to delete hours of operation in an Amazon Connect instance	Write	hours-of-operation*
DeleteHoursOfOperation		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteInstance	Grants permissions to delete an Amazon Connect instance. When you remove an instance, the link to an existing AWS directory is also removed.	Write	instance*		ds:DeleteDirectory ds:DescribeDirectories ds:UnauthorizeApplication
DeleteInstance		Write		connect:InstanceId
DeleteIntegrationAssociation	Grants permissions to delete an AppIntegration association from an Amazon Connect instance. The association must not have any use cases associated with it.	Write	instance*		app-integrations:DeleteEventIntegrationAssociation connect:DescribeInstance ds:DescribeDirectories events:DeleteRule events:ListTargetsByRule events:RemoveTargets
			integration-association*
				connect:InstanceId
DeleteQuickConnect	Grants permissions to delete a quick connect in an Amazon Connect instance	Write	quick-connect*
DeleteQuickConnect		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteUseCase	Grants permissions to delete a use case from an AppIntegration association	Write	instance*		connect:DescribeInstance ds:DescribeDirectories
			use-case*
				connect:InstanceId
DeleteUser	Grants permissions to delete a user in an Amazon Connect instance	Write	user*
DeleteUser		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteUserHierarchyGroup	Grants permissions to delete a user hierarchy group in an Amazon Connect instance	Write	hierarchy-group*
DeleteUserHierarchyGroup		Write		connect:InstanceId
DescribeAgentStatus	Grants permission to describe agent status in an Amazon Connect instance	Read	agent-status*
DescribeAgentStatus		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeContactFlow	Grants permissions to describe a contact flow in an Amazon Connect instance	Read	contact-flow*
DescribeContactFlow		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeHoursOfOperation	Grants permissions to describe hours of operation in an Amazon Connect instance	Read	hours-of-operation*
DescribeHoursOfOperation		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeInstance	Grants permissions to view details of an Amazon Connect instance. This is required to create an instance.	Read	instance*		ds:DescribeDirectories
DescribeInstance		Read		connect:InstanceId
DescribeInstanceAttribute	Grants permissions to view the attribute details of an existing Amazon Connect instance	Read	instance*
DescribeInstanceAttribute		Read		connect:AttributeType connect:InstanceId
DescribeInstanceStorageConfig	Grants permissions to view the instance storage configuration for an existing Amazon Connect instance	Read	instance*
DescribeInstanceStorageConfig		Read		connect:StorageResourceType connect:InstanceId
DescribeQueue	Grants permissions to describe a queue in an Amazon Connect instance	Read	queue*
DescribeQueue		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeQuickConnect	Grants permissions to describe a quick connect in an Amazon Connect instance	Read	quick-connect*
DescribeQuickConnect		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeRoutingProfile	Grants permissions to describe a routing profile in an Amazon Connect instance	Read	routing-profile*
DescribeRoutingProfile		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeUser	Grants permissions to describe a user in an Amazon Connect instance	Read	user*
DescribeUser		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeUserHierarchyGroup	Grants permissions to describe a hierarchy group for an Amazon Connect instance	Read	hierarchy-group*
DescribeUserHierarchyGroup		Read		connect:InstanceId
DescribeUserHierarchyStructure	Grants permissions to describe the hierarchy structure for an Amazon Connect instance	Read	instance*
DescribeUserHierarchyStructure		Read		connect:InstanceId
DisassociateApprovedOrigin	Grants permissions to disassociate approved origin for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*
DisassociateApprovedOrigin		Write		connect:InstanceId
DisassociateBot	Grants permissions to disassociate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy lex:DeleteResourcePolicy lex:UpdateResourcePolicy
DisassociateBot		Write		connect:InstanceId
DisassociateCustomerProfilesDomain	Grants permissions to disassociate a Customer Profiles domain for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		iam:AttachRolePolicy iam:DeleteRolePolicy iam:DetachRolePolicy iam:GetPolicy iam:GetPolicyVersion iam:GetRolePolicy
DisassociateInstanceStorageConfig	Grants permissions to disassociate instance storage for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*
DisassociateInstanceStorageConfig		Write		connect:StorageResourceType connect:InstanceId
DisassociateLambdaFunction	Grants permissions to disassociate a Lambda function for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		lambda:RemovePermission
DisassociateLambdaFunction		Write		connect:InstanceId
DisassociateLexBot	Grants permissions to disassociate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy
DisassociateLexBot		Write		connect:InstanceId
DisassociateQueueQuickConnects	Grants permissions to disassociate quick connects from a queue in an Amazon Connect instance	Write	queue*
			quick-connect*
				aws:ResourceTag/${TagKey} connect:InstanceId
DisassociateRoutingProfileQueues	Grants permissions to disassociate queues from a routing profile in an Amazon Connect instance	Write	routing-profile*
DisassociateRoutingProfileQueues		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DisassociateSecurityKey	Grants permissions to disassociate the security key for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*
DisassociateSecurityKey		Write		connect:InstanceId
GetContactAttributes	Grants permissions to retrieve the contact attributes for the specified contact	Read	contact*
GetContactAttributes		Read		connect:InstanceId
GetCurrentMetricData	Grants permissions to retrieve current metric data for the queues in an Amazon Connect instance	Read	queue*
GetCurrentMetricData		Read		connect:InstanceId
GetFederationToken	Grants permissions to federate into an Amazon Connect instance when using SAML-based authentication for identity management	Read	instance*
GetFederationToken		Read		connect:InstanceId
GetFederationTokens	Grants permissions to federate into an Amazon Connect instance (Log in for emergency access functionality in the Amazon Connect console)	Write	instance*		connect:DescribeInstance connect:ListInstances ds:DescribeDirectories
GetMetricData	Grants permissions to retrieve historical metric data for queues in an Amazon Connect instance	Read	queue*
GetMetricData		Read		connect:InstanceId
ListAgentStatuses	Grants permission to list agent statuses in an Amazon Connect instance	List	instance*
ListApprovedOrigins	Grants permissions to view approved origins of an existing Amazon Connect instance	List	instance*
ListApprovedOrigins		List		connect:InstanceId
ListBots	Grants permissions to view the Lex bots of an existing Amazon Connect instance	List	instance*
ListBots		List		connect:InstanceId
ListContactFlows	Grants permissions to list contact flow resources in an Amazon Connect instance	List	instance*
ListHoursOfOperations	Grants permissions to list hours of operation resources in an Amazon Connect instance	List	instance*
ListHoursOfOperations		List		connect:InstanceId
ListInstanceAttributes	Grants permissions to view the attributes of an existing Amazon Connect instance	List	instance*
ListInstanceAttributes		List		connect:InstanceId
ListInstanceStorageConfigs	Grants permissions to view storage configurations of an existing Amazon Connect instance	List	instance*
ListInstanceStorageConfigs		List		connect:InstanceId
ListInstances	Grants permissions to view the Amazon Connect instances associated with an AWS account	List			ds:DescribeDirectories
ListIntegrationAssociations	Grants permissions to list summary information about the AppIntegration associations for the specified Amazon Connect instance	List	instance*		connect:DescribeInstance ds:DescribeDirectories
ListIntegrationAssociations		List		connect:InstanceId
ListLambdaFunctions	Grants permissions to view the Lambda functions of an existing Amazon Connect instance	List	instance*
ListLambdaFunctions		List		connect:InstanceId
ListLexBots	Grants permissions to view the Lex bots of an existing Amazon Connect instance	List	instance*
ListLexBots		List		connect:InstanceId
ListPhoneNumbers	Grants permissions to list phone number resources in an Amazon Connect instance	List	instance*
ListPrompts	Grants permissions to list prompt resources in an Amazon Connect instance	List	instance*
ListPrompts		List		connect:InstanceId
ListQueueQuickConnects	Grants permissions to list quick connect resources in a queue in an Amazon Connect instance	List	queue*
ListQueueQuickConnects		List		aws:ResourceTag/${TagKey} connect:InstanceId
ListQueues	Grants permissions to list queue resources in an Amazon Connect instance	List	instance*
ListQuickConnects	Grants permissions to list quick connect resources in an Amazon Connect instance	List	instance*
ListRealtimeContactAnalysisSegments	Grants permission to list the analysis segments for a real-time analysis session	Read	contact*
ListRoutingProfileQueues	Grants permissions to list queue resources in a routing profile in an Amazon Connect instance	List	routing-profile*
ListRoutingProfileQueues		List		aws:ResourceTag/${TagKey} connect:InstanceId
ListRoutingProfiles	Grants permissions to list routing profile resources in an Amazon Connect instance	List	instance*
ListRoutingProfiles		List		connect:InstanceId
ListSecurityKeys	Grants permissions to view the security keys of an existing Amazon Connect instance	List	instance*
ListSecurityKeys		List		connect:InstanceId
ListSecurityProfiles	Grants permissions to list security profile resources in an Amazon Connect instance	List	instance*
ListSecurityProfiles		List		connect:InstanceId
ListTagsForResource	Grants permissions to list tags for an Amazon Connect resource	Read	contact-flow
			integration-association
			queue
			quick-connect
			routing-profile
			use-case
			user
				aws:ResourceTag/${TagKey}
ListUseCases	Grants permissions to list the use cases of an AppIntegration association	List	instance*		connect:DescribeInstance ds:DescribeDirectories
ListUseCases		List		connect:InstanceId
ListUserHierarchyGroups	Grants permissions to list the hierarchy group resources in an Amazon Connect instance	List	instance*
ListUserHierarchyGroups		List		connect:InstanceId
ListUsers	Grants permissions to list user resources in an Amazon Connect instance	List	instance*
ListUsers		List		connect:InstanceId
ResumeContactRecording	Grants permissions to resume recording for the specified contact	Write	contact*
StartChatContact	Grants permissions to initiate a chat using the Amazon Connect API	Write	contact-flow*
StartContactRecording	Grants permissions to start recording for the specified contact	Write	contact*
StartOutboundVoiceContact	Grants permissions to initiate outbound calls using the Amazon Connect API	Write	contact*
StartTaskContact	Grants permissions to initiate a task using the Amazon Connect API	Write	contact-flow*
StartTaskContact		Write		connect:InstanceId
StopContact	Grants permissions to stop contacts that were initiated using the Amazon Connect API. If you use this operation on an active contact the contact ends, even if the agent is active on a call with a customer.	Write	contact*
StopContact		Write		connect:InstanceId
StopContactRecording	Grants permissions to stop recording for the specified contact	Write	contact*
SuspendContactRecording	Grants permissions to suspend recording for the specified contact	Write	contact*
TagResource	Grants permissions to tag an Amazon Connect resource	Tagging	contact-flow
			integration-association
			queue
			quick-connect
			routing-profile
			use-case
			user
				aws:TagKeys aws:RequestTag/${TagKey} aws:ResourceTag/${TagKey}
UntagResource	Grants permissions to untag an Amazon Connect resource	Tagging	contact-flow
			integration-association
			queue
			quick-connect
			routing-profile
			use-case
			user
				aws:TagKeys aws:ResourceTag/${TagKey}
UpdateAgentStatus	Grants permission to update agent status in an Amazon Connect instance	Write	agent-status*
UpdateAgentStatus		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateContactAttributes	Grants permissions to create or update the contact attributes associated with the specified contact	Write	contact*
UpdateContactAttributes		Write		connect:InstanceId
UpdateContactFlowContent	Grants permissions to update contact flow content in an Amazon Connect instance	Write	contact-flow*
UpdateContactFlowContent		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateContactFlowName	Grants permissions to update the name and description of a contact flow in an Amazon Connect instance	Write	contact-flow*
UpdateContactFlowName		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateHoursOfOperation	Grants permission to update hours of operation in an Amazon Connect instance	Write	hours-of-operation*
UpdateHoursOfOperation		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateInstanceAttribute	Grants permissions to update the attribute for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		ds:DescribeDirectories iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy logs:CreateLogGroup
UpdateInstanceAttribute		Write		connect:AttributeType connect:InstanceId
UpdateInstanceStorageConfig	Grants permissions to update the storage configuration for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.	Write	instance*		ds:DescribeDirectories firehose:DescribeDeliveryStream iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy kinesis:DescribeStream kms:CreateGrant kms:DescribeKey s3:GetBucketAcl s3:GetBucketLocation
UpdateInstanceStorageConfig		Write		connect:StorageResourceType connect:InstanceId
UpdateQueueHoursOfOperation	Grants permissions to update queue hours of operation in an Amazon Connect instance	Write	hours-of-operation*
			queue*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueMaxContacts	Grants permissions to update queue capacity in an Amazon Connect instance	Write	queue*
UpdateQueueMaxContacts		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueName	Grants permissions to update a queue name and description in an Amazon Connect instance	Write	queue*
UpdateQueueName		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueOutboundCallerConfig	Grants permissions to update queue outbound caller config in an Amazon Connect instance	Write	queue*
			contact-flow
			phone-number
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueStatus	Grants permissions to update queue status in an Amazon Connect instance	Write	queue*
UpdateQueueStatus		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQuickConnectConfig	Grants permissions to update the configuration of a quick connect in an Amazon Connect instance	Write	quick-connect*
			contact-flow
			queue
			user
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQuickConnectName	Grants permissions to update a quick connect name and description in an Amazon Connect instance	Write	quick-connect*
UpdateQuickConnectName		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRoutingProfileConcurrency	Grants permissions to update the concurrency in a routing profile in an Amazon Connect instance	Write	routing-profile*
UpdateRoutingProfileConcurrency		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRoutingProfileDefaultOutboundQueue	Grants permissions to update the outbound queue in a routing profile in an Amazon Connect instance	Write	queue*
			routing-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRoutingProfileName	Grants permissions to update a routing profile name and description in an Amazon Connect instance	Write	routing-profile*
UpdateRoutingProfileName		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRoutingProfileQueues	Grants permissions to update the queues in routing profile in an Amazon Connect instance	Write	routing-profile*
UpdateRoutingProfileQueues		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserHierarchy	Grants permissions to update a hierarchy group for a user in an Amazon Connect instance	Write	user*
			hierarchy-group
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserHierarchyGroupName	Grants permissions to update a user hierarchy group name in an Amazon Connect instance	Write	hierarchy-group*
UpdateUserHierarchyGroupName		Write		connect:InstanceId
UpdateUserHierarchyStructure	Grants permissions to update user hierarchy structure in an Amazon Connect instance	Write	instance*
UpdateUserHierarchyStructure		Write		connect:InstanceId
UpdateUserIdentityInfo	Grants permissions to update identity information for a user in an Amazon Connect instance	Write	user*
UpdateUserIdentityInfo		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserPhoneConfig	Grants permissions to update phone configuration settings for a user in an Amazon Connect instance	Write	user*
UpdateUserPhoneConfig		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserRoutingProfile	Grants permissions to update a routing profile for a user in an Amazon Connect instance	Write	routing-profile*
			user*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserSecurityProfiles	Grants permissions to update security profiles for a user in an Amazon Connect instance	Write	security-profile*
			user*
				aws:ResourceTag/${TagKey} connect:InstanceId

Resource types defined by Amazon Connect

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

Resource types	ARN	Condition keys
instance	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}`
contact	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact/${ContactId}`
user	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent/${UserId}`	aws:ResourceTag/${TagKey}
routing-profile	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/routing-profile/${RoutingProfileId}`	aws:ResourceTag/${TagKey}
security-profile	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/security-profile/${SecurityProfileId}`
hierarchy-group	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-group/${HierarchyGroupId}`
queue	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/${QueueId}`	aws:ResourceTag/${TagKey}
quick-connect	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/${QuickConnectId}`	aws:ResourceTag/${TagKey}
contact-flow	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/${ContactFlowId}`	aws:ResourceTag/${TagKey}
hours-of-operation	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/operating-hours/${HoursOfOperationId}`	aws:ResourceTag/${TagKey}
agent-status	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-status/${AgentStatusId}`	aws:ResourceTag/${TagKey}
phone-number	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-numbers/${PhoneNumberId}`
integration-association	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/integration-association/${IntegrationAssociationId}`	aws:ResourceTag/${TagKey}
use-case	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/use-case/${UseCaseId}`	aws:ResourceTag/${TagKey}

Condition keys for Amazon Connect

Amazon Connect defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters actions based on the presence of tag key-value pairs in the request	String
aws:ResourceTag/${TagKey}	Filters actions based on tag key-value pairs attached to the resource	String
aws:TagKeys	Filters actions based on the presence of tag keys in the request	String
connect:AttributeType	Filters access by the attribute type of the Amazon Connect instance	String
connect:InstanceId	Filters access by restricting federation into specified Amazon Connect instances	String
connect:StorageResourceType	Filters access by restricting the storage resource type of the Amazon Connect instance storage configuration	String

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS Config

Amazon Connect Customer Profiles