Actions, resources, and condition keys for Amazon Connect

Amazon Connect (service prefix: connect) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Actions defined by Amazon Connect

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Access level column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see Access levels in policy summaries.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
ActivateEvaluationForm	Grants permission to activate an evaluation form in the specified Amazon Connect instance. After the evaluation form is activated, it is available to start new evaluations based on the form	Write	evaluation-form*
ActivateEvaluationForm		Write		connect:InstanceId
AdminGetEmergencyAccessToken	Grants permission to federate into an Amazon Connect instance (Log in for emergency access functionality in the Amazon Connect console)	Write	instance*		connect:DescribeInstance connect:ListInstances ds:DescribeDirectories
AssociateAnalyticsDataSet	Grants permission to grant access and to associate a dataset with the specified AWS account	Write	instance*
AssociateAnalyticsDataSet		Write		connect:InstanceId
AssociateApprovedOrigin	Grants permission to associate approved origin for an existing Amazon Connect instance	Write	instance*
AssociateApprovedOrigin		Write		connect:InstanceId
AssociateBot	Grants permission to associate a Lex bot for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy lex:CreateResourcePolicy lex:DescribeBotAlias lex:GetBot lex:UpdateResourcePolicy
AssociateBot		Write		connect:InstanceId
AssociateCustomerProfilesDomain [permission only]	Grants permission to associate a Customer Profiles domain for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy profile:GetDomain
AssociateDefaultVocabulary	Grants permission to default vocabulary for an existing Amazon Connect instance	Write	instance*
AssociateDefaultVocabulary		Write		connect:InstanceId
AssociateFlow	Grants permission to associate a resource with a flow in an Amazon Connect instance	Write	contact-flow*
			wildcard-phone-number*
				aws:ResourceTag/${TagKey} connect:InstanceId
AssociateInstanceStorageConfig	Grants permission to associate instance storage for an existing Amazon Connect instance	Write	instance*		ds:DescribeDirectories firehose:DescribeDeliveryStream iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy kinesis:DescribeStream kms:CreateGrant kms:DescribeKey s3:GetBucketAcl s3:GetBucketLocation
AssociateInstanceStorageConfig		Write		connect:StorageResourceType connect:InstanceId
AssociateLambdaFunction	Grants permission to associate a Lambda function for an existing Amazon Connect instance	Write	instance*		lambda:AddPermission
AssociateLambdaFunction		Write		connect:InstanceId
AssociateLexBot	Grants permission to associate a Lex bot for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy lex:GetBot
AssociateLexBot		Write		connect:InstanceId
AssociatePhoneNumberContactFlow	Grants permission to associate contact flow resources to phone number resources in an Amazon Connect instance	Write	contact-flow*
			phone-number*
				aws:ResourceTag/${TagKey} connect:InstanceId
AssociateQueueQuickConnects	Grants permission to associate quick connects with a queue in an Amazon Connect instance	Write	queue*
			quick-connect*
				aws:ResourceTag/${TagKey} connect:InstanceId
AssociateRoutingProfileQueues	Grants permission to associate queues with a routing profile in an Amazon Connect instance	Write	queue*
			routing-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
AssociateSecurityKey	Grants permission to associate a security key for an existing Amazon Connect instance	Write	instance*
AssociateSecurityKey		Write		connect:InstanceId
AssociateTrafficDistributionGroupUser	Grants permission to associate a user to a traffic distribution group in the specified Amazon Connect instance	Write	instance*		connect:DescribeUser connect:SearchUsers
			traffic-distribution-group*
			user*
				connect:InstanceId aws:ResourceTag/${TagKey} connect:SearchTag/${TagKey}
AssociateUserProficiencies	Grants permission to associate user proficiencies to a user in an Amazon Connect instance	Write	instance*
			user*
				connect:InstanceId
BatchAssociateAnalyticsDataSet	Grants permission to grant access and to associate the datasets with the specified AWS account	Write	instance*
BatchAssociateAnalyticsDataSet		Write		connect:InstanceId
BatchDisassociateAnalyticsDataSet	Grants permission to revoke access and to disassociate the datasets with the specified AWS account	Write	instance*
BatchDisassociateAnalyticsDataSet		Write		connect:InstanceId
BatchGetAttachedFileMetadata	Grants permission to get metadata for multiple attached files from an Amazon Connect instance	Read	attached-file*
BatchGetAttachedFileMetadata		Read		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
BatchGetFlowAssociation	Grants permission to get summary information about the flow associations for the specified Amazon Connect instance	List	wildcard-phone-number*
BatchGetFlowAssociation		List		aws:ResourceTag/${TagKey} connect:InstanceId
BatchPutContact	Grants permission to put contacts in an Amazon Connect instance	Write	instance*
			queue
				connect:InstanceId
ClaimPhoneNumber	Grants permission to claim phone number resources in an Amazon Connect instance or traffic distribution group	Write	instance*
			traffic-distribution-group*
			wildcard-phone-number*
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CompleteAttachedFileUpload	Grants permission to complete an attached file upload in an Amazon Connect instance	Write	attached-file*
CompleteAttachedFileUpload		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateAgentStatus	Grants permission to create agent status in an Amazon Connect instance	Write	agent-status*
CreateAgentStatus		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateAuthenticationProfile	Grants permission to create authentication profile resources in an Amazon Connect instance	Write	authentication-profile*
CreateAuthenticationProfile		Write		connect:InstanceId
CreateContact	Grants permission to create a new contact using the Amazon Connect API	Write	instance*
			contact
			user
				aws:ResourceTag/${TagKey} connect:InstanceId connect:ContactInitiationMethod
CreateContactFlow	Grants permission to create a contact flow in an Amazon Connect instance	Write	contact-flow*
CreateContactFlow		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId connect:FlowType
CreateContactFlowModule	Grants permission to create a contact flow module in an Amazon Connect instance	Write	contact-flow-module*
CreateContactFlowModule		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateContactFlowVersion	Grants permission to create a version a flow in an Amazon Connect instance	Write	contact-flow*
CreateContactFlowVersion		Write		aws:ResourceTag/${TagKey} connect:InstanceId connect:FlowType
CreateEmailAddress	Grants permission to create an email address resource in an Amazon Connect instance	Write	instance*
CreateEmailAddress		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateEvaluationForm	Grants permission to create an evaluation form in the specified Amazon Connect instance. The form can be used to define questions related to agent performance, and create sections to organize such questions. Question and section identifiers cannot be duplicated within the same evaluation form	Write	evaluation-form*
CreateEvaluationForm		Write		connect:InstanceId
CreateHoursOfOperation	Grants permission to create hours of operation in an Amazon Connect instance	Write	hours-of-operation*
CreateHoursOfOperation		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateHoursOfOperationOverride	Grants permission to create an hours of operation override in an Amazon Connect instance	Write	hours-of-operation*
			instance*
				connect:InstanceId
CreateInstance	Grants permission to create a new Amazon Connect instance	Write		aws:RequestTag/${TagKey} aws:TagKeys	ds:AuthorizeApplication ds:CheckAlias ds:CreateAlias ds:CreateDirectory ds:CreateIdentityPoolDirectory ds:DeleteDirectory ds:DescribeDirectories ds:UnauthorizeApplication iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy
CreateIntegrationAssociation	Grants permission to create an integration association with an Amazon Connect instance	Write	instance*		app-integrations:CreateApplicationAssociation app-integrations:CreateEventIntegrationAssociation app-integrations:GetApplication app-integrations:GetDataIntegration app-integrations:ListDataIntegrationAssociations app-integrations:TagResource cases:GetDomain chime:AssociateVoiceConnectorConnect chime:DisassociateVoiceConnectorConnect chime:TagResource chime:UntagResource connect:DescribeInstance ds:DescribeDirectories events:PutRule events:PutTargets iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy mobiletargeting:GetApp voiceid:DescribeDomain wisdom:GetAssistant wisdom:GetKnowledgeBase wisdom:TagResource
			integration-association*
				connect:InstanceId aws:RequestTag/${TagKey} aws:TagKeys
CreateParticipant	Grants permission to add a participant to an ongoing contact	Write	contact*
			instance*
				connect:InstanceId
CreatePersistentContactAssociation	Grants permission to create persistent contact associations for a contact	Write	contact*
			instance*
				connect:InstanceId
CreatePredefinedAttribute	Grants permission to create a predefined attribute in an Amazon Connect instance	Write	instance*
CreatePredefinedAttribute		Write		connect:InstanceId
CreatePrompt	Grants permission to create a prompt in an Amazon Connect instance	Write	prompt*		kms:Decrypt s3:GetObject s3:GetObjectAcl
CreatePrompt		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreatePushNotificationRegistration	Grants permission to create a push notification registration for an Amazon Connect instance	Write	instance*
CreatePushNotificationRegistration		Write		connect:InstanceId
CreateQueue	Grants permission to create a queue in an Amazon Connect instance	Write	hours-of-operation*
			queue*
			contact-flow
			phone-number
			quick-connect
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateQuickConnect	Grants permission to create a quick connect in an Amazon Connect instance	Write	quick-connect*
			contact-flow
			queue
			user
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateRoutingProfile	Grants permission to create a routing profile in an Amazon Connect instance	Write	queue*
			routing-profile*
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateRule	Grants permission to create a rule in an Amazon Connect instance	Write	rule*
CreateRule		Write		connect:InstanceId
CreateSecurityProfile	Grants permission to create a security profile for the specified Amazon Connect instance	Write	security-profile*
CreateSecurityProfile		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateTaskTemplate	Grants permission to create a task template in an Amazon Connect instance	Write	task-template*
CreateTrafficDistributionGroup	Grants permission to create a traffic distribution group	Write	instance*
			traffic-distribution-group*
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateUseCase	Grants permission to create a use case for an integration association	Write	instance*		connect:DescribeInstance ds:DescribeDirectories
			integration-association*
			use-case*
				connect:InstanceId aws:RequestTag/${TagKey} aws:TagKeys
CreateUser	Grants permission to create a user for the specified Amazon Connect instance	Write	routing-profile*
			security-profile*
			user*
			hierarchy-group
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateUserHierarchyGroup	Grants permission to create a user hierarchy group in an Amazon Connect instance	Write	hierarchy-group
CreateUserHierarchyGroup		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateView	Grants permission to create a view in an Amazon Connect instance	Write	customer-managed-view*
CreateView		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateViewVersion	Grants permission to create a view version in an Amazon Connect instance	Write	customer-managed-view*
CreateViewVersion		Write		aws:ResourceTag/${TagKey} connect:InstanceId
CreateVocabulary	Grants permission to create a vocabulary in an Amazon Connect instance	Write	vocabulary*
CreateVocabulary		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
DeactivateEvaluationForm	Grants permission to deactivate an evaluation form in the specified Amazon Connect instance. After a form is deactivated, it is no longer available for users to start new evaluations based on the form	Write	evaluation-form*
DeactivateEvaluationForm		Write		connect:InstanceId
DeleteAttachedFile	Grants permission to delete an attached file from an Amazon Connect instance	Write	attached-file*		cases:DeleteRelatedItem
DeleteAttachedFile		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
DeleteContactEvaluation	Grants permission to delete a contact evaluation in the specified Amazon Connect instance	Write	contact-evaluation*
DeleteContactEvaluation		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteContactFlow	Grants permission to delete a contact flow in an Amazon Connect instance	Write	contact-flow*
DeleteContactFlow		Write		aws:ResourceTag/${TagKey} connect:InstanceId connect:FlowType
DeleteContactFlowModule	Grants permission to delete a contact flow module in an Amazon Connect instance	Write	contact-flow-module*
DeleteContactFlowModule		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteContactFlowVersion	Grants permission to delete a version of a flow in an Amazon Connect instance	Write	contact-flow*
DeleteContactFlowVersion		Write		aws:ResourceTag/${TagKey} connect:InstanceId connect:FlowType
DeleteEmailAddress	Grants permission to delete an email address resource in an Amazon Connect instance	Write	email-address*
DeleteEmailAddress		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteEvaluationForm	Grants permission to delete an evaluation form in the specified Amazon Connect instance. If the version property is provided, only the specified version of the evaluation form is deleted	Write	evaluation-form*
DeleteEvaluationForm		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteHoursOfOperation	Grants permission to delete hours of operation in an Amazon Connect instance	Write	hours-of-operation*
DeleteHoursOfOperation		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteHoursOfOperationOverride	Grants permission to delete an hours of operation override in an Amazon Connect instance	Write	hours-of-operation*
			instance*
				connect:InstanceId
DeleteInstance	Grants permission to delete an Amazon Connect instance. When you remove an instance, the link to an existing AWS directory is also removed	Write	instance*		ds:DeleteDirectory ds:DescribeDirectories ds:UnauthorizeApplication
DeleteInstance		Write		connect:InstanceId aws:ResourceTag/${TagKey}
DeleteIntegrationAssociation	Grants permission to delete an integration association from an Amazon Connect instance. The association must not have any use cases associated with it	Write	instance*		app-integrations:DeleteApplicationAssociation app-integrations:DeleteEventIntegrationAssociation app-integrations:UntagResource connect:DescribeInstance ds:DescribeDirectories events:DeleteRule events:ListTargetsByRule events:RemoveTargets
			integration-association*
				connect:InstanceId
DeletePredefinedAttribute	Grants permission to delete a predefined attribute in an Amazon Connect instance	Write	instance*
DeletePredefinedAttribute		Write		connect:InstanceId
DeletePrompt	Grants permission to delete a prompt in an Amazon Connect instance	Write	prompt*
DeletePrompt		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeletePushNotificationRegistration	Grants permission to delete a push notification registration for an Amazon Connect instance	Write	instance*
DeletePushNotificationRegistration		Write		connect:InstanceId
DeleteQueue	Grants permission to delete a queue in an Amazon Connect instance	Write	queue*
DeleteQueue		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteQuickConnect	Grants permission to delete a quick connect in an Amazon Connect instance	Write	quick-connect*
DeleteQuickConnect		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteRoutingProfile	Grants permission to delete routing profiles in an Amazon Connect instance	Write	routing-profile*
DeleteRoutingProfile		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteRule	Grants permission to delete a rule in an Amazon Connect instance	Write	rule*
DeleteRule		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteSecurityProfile	Grants permission to delete a security profile in an Amazon Connect instance	Write	security-profile*
DeleteSecurityProfile		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteTaskTemplate	Grants permission to delete a task template in an Amazon Connect instance	Write	task-template*
DeleteTaskTemplate		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteTrafficDistributionGroup	Grants permission to delete a traffic distribution group	Write	traffic-distribution-group*
DeleteTrafficDistributionGroup	Grants permission to delete a traffic distribution group	Write		aws:ResourceTag/${TagKey}
DeleteUseCase	Grants permission to delete a use case from an integration association	Write	instance*		connect:DescribeInstance ds:DescribeDirectories
			use-case*
				connect:InstanceId
DeleteUser	Grants permission to delete a user in an Amazon Connect instance	Write	user*
DeleteUser		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteUserHierarchyGroup	Grants permission to delete a user hierarchy group in an Amazon Connect instance	Write	hierarchy-group*
DeleteUserHierarchyGroup		Write		connect:InstanceId
DeleteView	Grants permission to delete a view in an Amazon Connect instance	Write	customer-managed-view*
DeleteView		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteViewVersion	Grants permission to delete a view version in an Amazon Connect instance	Write	customer-managed-view-version*
DeleteViewVersion		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteVocabulary	Grants permission to delete a vocabulary in an Amazon Connect instance	Write	vocabulary*
DeleteVocabulary		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeAgentStatus	Grants permission to describe agent status in an Amazon Connect instance	Read	agent-status*
DescribeAgentStatus		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeAuthenticationProfile	Grants permission to describe authentication profile resources in an Amazon Connect instance	Read	authentication-profile*
DescribeAuthenticationProfile		Read		connect:InstanceId
DescribeContact	Grants permission to describe a contact in an Amazon Connect instance	Read	contact*
DescribeContact		Read		connect:InstanceId connect:ContactAssociationId connect:Channel connect:UserArn
DescribeContactEvaluation	Grants permission to describe a contact evaluation in the specified Amazon Connect instance	Read	contact-evaluation*
DescribeContactEvaluation		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeContactFlow	Grants permission to describe a contact flow in an Amazon Connect instance	Read	contact-flow*
DescribeContactFlow		Read		aws:ResourceTag/${TagKey} connect:InstanceId connect:FlowType
DescribeContactFlowModule	Grants permission to describe a contact flow module in an Amazon Connect instance	Read	contact-flow-module*
DescribeContactFlowModule		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeEmailAddress	Grants permission to describe an email address resource in an Amazon Connect instance	Read	email-address*
DescribeEmailAddress		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeEvaluationForm	Grants permission to describe an evaluation form in the specified Amazon Connect instance. If the version property is not provided, the latest version of the evaluation form is described	Read	evaluation-form*
DescribeEvaluationForm		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeForecastingPlanningSchedulingIntegration [permission only]	Grants permission to describe the status of forecasting, planning, and scheduling integration on an Amazon Connect instance	Read	instance*
		Read		connect:InstanceId
DescribeHoursOfOperation	Grants permission to describe hours of operation in an Amazon Connect instance	Read	hours-of-operation*
DescribeHoursOfOperation		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeHoursOfOperationOverride	Grants permission to describe an hours of operation override in an Amazon Connect instance	Read	hours-of-operation*
			instance*
				connect:InstanceId
DescribeInstance	Grants permission to view details of an Amazon Connect instance and is also required to create an instance	Read	instance*		ds:DescribeDirectories
DescribeInstance		Read		connect:InstanceId aws:ResourceTag/${TagKey}
DescribeInstanceAttribute	Grants permission to view the attribute details of an existing Amazon Connect instance	Read	instance*
DescribeInstanceAttribute		Read		connect:AttributeType connect:InstanceId
DescribeInstanceStorageConfig	Grants permission to view the instance storage configuration for an existing Amazon Connect instance	Read	instance*
DescribeInstanceStorageConfig		Read		connect:StorageResourceType connect:InstanceId
DescribePhoneNumber	Grants permission to describe phone number resources in an Amazon Connect instance or traffic distribution group	Read	phone-number*
DescribePhoneNumber		Read		aws:ResourceTag/${TagKey}
DescribePredefinedAttribute	Grants permission to describe a predefined attribute in an Amazon Connect instance	Read	instance*
DescribePredefinedAttribute		Read		connect:InstanceId
DescribePrompt	Grants permission to describe a prompt in an Amazon Connect instance	Read	prompt*
DescribePrompt		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeQueue	Grants permission to describe a queue in an Amazon Connect instance	Read	queue*
DescribeQueue		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeQuickConnect	Grants permission to describe a quick connect in an Amazon Connect instance	Read	quick-connect*
DescribeQuickConnect		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeRoutingProfile	Grants permission to describe a routing profile in an Amazon Connect instance	Read	routing-profile*
DescribeRoutingProfile		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeRule	Grants permission to describe a rule in an Amazon Connect instance	Read	rule*
DescribeRule		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeSecurityProfile	Grants permission to describe a security profile in an Amazon Connect instance	Read	security-profile*
DescribeSecurityProfile		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeTrafficDistributionGroup	Grants permission to describe a traffic distribution group	Read	traffic-distribution-group*
DescribeTrafficDistributionGroup	Grants permission to describe a traffic distribution group	Read		aws:ResourceTag/${TagKey}
DescribeUser	Grants permission to describe a user in an Amazon Connect instance	Read	user*
DescribeUser		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeUserHierarchyGroup	Grants permission to describe a hierarchy group for an Amazon Connect instance	Read	hierarchy-group*
DescribeUserHierarchyGroup		Read		connect:InstanceId
DescribeUserHierarchyStructure	Grants permission to describe the hierarchy structure for an Amazon Connect instance	Read	instance*
DescribeUserHierarchyStructure		Read		connect:InstanceId
DescribeView	Grants permission to describe a view in an Amazon Connect instance	Read	aws-managed-view*
			customer-managed-view*
			qualified-aws-managed-view*
			qualified-customer-managed-view*
				aws:ResourceTag/${TagKey} connect:InstanceId
DescribeVocabulary	Grants permission to describe a vocabulary in an Amazon Connect instance	Read	vocabulary*
DescribeVocabulary		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DisassociateAnalyticsDataSet	Grants permission to revoke access and to disassociate a dataset with the specified AWS account	Write	instance*
DisassociateAnalyticsDataSet		Write		connect:InstanceId
DisassociateApprovedOrigin	Grants permission to disassociate approved origin for an existing Amazon Connect instance	Write	instance*
DisassociateApprovedOrigin		Write		connect:InstanceId
DisassociateBot	Grants permission to disassociate a Lex bot for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy lex:DeleteResourcePolicy lex:UpdateResourcePolicy
DisassociateBot		Write		connect:InstanceId
DisassociateCustomerProfilesDomain [permission only]	Grants permission to disassociate a Customer Profiles domain for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:DeleteRolePolicy iam:DetachRolePolicy iam:GetPolicy iam:GetPolicyVersion iam:GetRolePolicy
DisassociateFlow	Grants permission to disassociate a resource from a flow in an Amazon Connect instance	Write	wildcard-phone-number*
DisassociateFlow		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DisassociateInstanceStorageConfig	Grants permission to disassociate instance storage for an existing Amazon Connect instance	Write	instance*
DisassociateInstanceStorageConfig		Write		connect:StorageResourceType connect:InstanceId
DisassociateLambdaFunction	Grants permission to disassociate a Lambda function for an existing Amazon Connect instance	Write	instance*		lambda:RemovePermission
DisassociateLambdaFunction		Write		connect:InstanceId
DisassociateLexBot	Grants permission to disassociate a Lex bot for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy
DisassociateLexBot		Write		connect:InstanceId
DisassociatePhoneNumberContactFlow	Grants permission to disassociate contact flow resources from phone number resources in an Amazon Connect instance	Write	phone-number*
DisassociatePhoneNumberContactFlow		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DisassociateQueueQuickConnects	Grants permission to disassociate quick connects from a queue in an Amazon Connect instance	Write	queue*
			quick-connect*
				aws:ResourceTag/${TagKey} connect:InstanceId
DisassociateRoutingProfileQueues	Grants permission to disassociate queues from a routing profile in an Amazon Connect instance	Write	routing-profile*
DisassociateRoutingProfileQueues		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DisassociateSecurityKey	Grants permission to disassociate the security key for an existing Amazon Connect instance	Write	instance*
DisassociateSecurityKey		Write		connect:InstanceId
DisassociateTrafficDistributionGroupUser	Grants permission to disassociate a user from a traffic distribution group in the specified Amazon Connect instance	Write	instance*
			traffic-distribution-group*
			user*
				connect:InstanceId aws:ResourceTag/${TagKey}
DisassociateUserProficiencies	Grants permission to disassociate user proficiencies from a user in an Amazon Connect instance	Write	instance*
			user*
				connect:InstanceId
DismissUserContact	Grants permission to dismiss terminated Contact from Agent CCP	Write	user*
DismissUserContact		Write		aws:ResourceTag/${TagKey} connect:InstanceId
GetAttachedFile	Grants permission to get an attached file from an Amazon Connect instance	Read	attached-file*
GetAttachedFile		Read		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
GetContactAttributes	Grants permission to retrieve the contact attributes for the specified contact	Read	contact*
GetContactAttributes		Read		connect:InstanceId connect:ContactAssociationId connect:Channel connect:UserArn
GetCurrentMetricData	Grants permission to retrieve current metric data for queues and routing profiles in an Amazon Connect instance	Read	queue*
			routing-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
GetCurrentUserData	Grants permission to retrieve current user data in an Amazon Connect instance	Read	hierarchy-group*
			queue*
			routing-profile*
			user*
				aws:ResourceTag/${TagKey} connect:InstanceId
GetEffectiveHoursOfOperations	Grants permission to get effective hours of operation resources in an Amazon Connect instance	Read	hours-of-operation*
			instance*
				connect:InstanceId
GetFederationToken	Grants permission to federate into an Amazon Connect instance when using SAML-based authentication for identity management	Read	instance*
GetFederationToken		Read		connect:InstanceId
GetFlowAssociation	Grants permission to get information about the flow associations for the specified Amazon Connect instance	Read	wildcard-phone-number*
GetFlowAssociation		Read		aws:ResourceTag/${TagKey} connect:InstanceId
GetMetricData	Grants permission to retrieve historical metric data for queues in an Amazon Connect instance	Read	queue*
GetMetricData		Read		aws:ResourceTag/${TagKey} connect:InstanceId
GetMetricDataV2	Grants permission to retrieve metric data in an Amazon Connect instance	Read	hierarchy-group*
			queue*
			routing-profile*
			user*
				aws:ResourceTag/${TagKey} connect:InstanceId
GetPromptFile	Grants permission to get details about a prompt's presigned Amazon S3 URL in an Amazon Connect instance	Read	prompt*
GetPromptFile		Read		aws:ResourceTag/${TagKey} connect:InstanceId
GetTaskTemplate	Grants permission to get details about specified task template in an Amazon Connect instance	Read	task-template*
GetTaskTemplate		Read		aws:ResourceTag/${TagKey} connect:InstanceId
GetTrafficDistribution	Grants permission to read traffic distribution for a traffic distribution group	List	traffic-distribution-group*
GetTrafficDistribution		List		aws:ResourceTag/${TagKey}
ImportPhoneNumber	Grants permission to import phone number resources to an Amazon Connect instance	Write	instance*		sms-voice:DescribePhoneNumbers social-messaging:GetLinkedWhatsAppBusinessAccountPhoneNumber social-messaging:TagResource
			wildcard-phone-number*
				aws:RequestTag/${TagKey} aws:TagKeys
ListAgentStatuses	Grants permission to list agent statuses in an Amazon Connect instance	List	wildcard-agent-status*
ListAnalyticsDataAssociations	Grants permission to list the association status of a dataset for a given Amazon Connect instance	List	instance*
ListAnalyticsDataAssociations		List		connect:InstanceId
ListAnalyticsDataLakeDataSets	Grants permission to list data lake datasets available to associate with for a given Amazon Connect instance	List	instance*
ListAnalyticsDataLakeDataSets		List		connect:InstanceId
ListApprovedOrigins	Grants permission to view approved origins of an existing Amazon Connect instance	List	instance*
ListApprovedOrigins		List		connect:InstanceId
ListAssociatedContacts	Grants permission to list the contacts associated with an email address in an Amazon Connect instance	List	contact*
ListAssociatedContacts		List		connect:InstanceId
ListAuthenticationProfiles	Grants permission to list authentication profile resources in an Amazon Connect instance	List	instance*
ListAuthenticationProfiles		List		connect:InstanceId
ListBots	Grants permission to view the Lex bots of an existing Amazon Connect instance	List	instance*
ListBots		List		connect:InstanceId
ListContactEvaluations	Grants permission to list contact evaluations in the specified Amazon Connect instance	List	instance*
ListContactEvaluations		List		connect:InstanceId
ListContactFlowModules	Grants permission to list contact flow module resources in an Amazon Connect instance	List	instance*
ListContactFlowVersions	Grants permission to list all the versions a flow in an Amazon Connect instance	List	contact-flow*
ListContactFlowVersions		List		aws:ResourceTag/${TagKey} connect:InstanceId connect:FlowType
ListContactFlows	Grants permission to list contact flow resources in an Amazon Connect instance	List	wildcard-contact-flow*
ListContactFlows		List		connect:InstanceId
ListContactReferences	Grants permission to list references associated with a contact in an Amazon Connect instance	List	contact*
ListContactReferences		List		connect:InstanceId connect:ContactAssociationId connect:Channel connect:UserArn
ListDefaultVocabularies	Grants permission to list default vocabularies associated with a Amazon Connect instance	List	instance*
ListDefaultVocabularies		List		connect:InstanceId
ListEvaluationFormVersions	Grants permission to list versions of an evaluation form in the specified Amazon Connect instance	List	evaluation-form*
ListEvaluationFormVersions		List		connect:InstanceId
ListEvaluationForms	Grants permission to list evaluation forms in the specified Amazon Connect instance	List	instance*
ListEvaluationForms		List		connect:InstanceId
ListFlowAssociations	Grants permission to list summary information about the flow associations for the specified Amazon Connect instance	List	instance*
ListFlowAssociations		List		connect:InstanceId
ListHoursOfOperationOverrides	Grants permission to list hours of operation override resources in an Amazon Connect instance	List	hours-of-operation*
			instance*
				connect:InstanceId
ListHoursOfOperations	Grants permission to list hours of operation resources in an Amazon Connect instance	List	instance*
ListHoursOfOperations		List		connect:InstanceId
ListInstanceAttributes	Grants permission to view the attributes of an existing Amazon Connect instance	List	instance*
ListInstanceAttributes		List		connect:InstanceId
ListInstanceStorageConfigs	Grants permission to view storage configurations of an existing Amazon Connect instance	List	instance*
ListInstanceStorageConfigs		List		connect:InstanceId
ListInstances	Grants permission to view the Amazon Connect instances associated with an AWS account	List			ds:DescribeDirectories
ListIntegrationAssociations	Grants permission to list summary information about the integration associations for the specified Amazon Connect instance	List	instance*		connect:DescribeInstance ds:DescribeDirectories
ListIntegrationAssociations		List		connect:InstanceId
ListLambdaFunctions	Grants permission to view the Lambda functions of an existing Amazon Connect instance	List	instance*
ListLambdaFunctions		List		connect:InstanceId
ListLexBots	Grants permission to view the Lex bots of an existing Amazon Connect instance	List	instance*
ListLexBots		List		connect:InstanceId
ListPhoneNumbers	Grants permission to list phone number resources in an Amazon Connect instance	List	wildcard-legacy-phone-number*
ListPhoneNumbersV2	Grants permission to list phone number resources in an Amazon Connect instance	List	wildcard-phone-number*
ListPredefinedAttributes	Grants permission to list predefined attributes in an Amazon Connect instance	List	instance*
ListPredefinedAttributes		List		connect:InstanceId
ListPrompts	Grants permission to list prompt resources in an Amazon Connect instance	List	instance*
ListPrompts		List		connect:InstanceId
ListQueueQuickConnects	Grants permission to list quick connect resources in a queue in an Amazon Connect instance	List	queue*
ListQueueQuickConnects		List		aws:ResourceTag/${TagKey} connect:InstanceId
ListQueues	Grants permission to list queue resources in an Amazon Connect instance	List	wildcard-queue*
ListQuickConnects	Grants permission to list quick connect resources in an Amazon Connect instance	List	wildcard-quick-connect*
ListRealtimeContactAnalysisSegments	Grants permission to list the analysis segments for a real-time analysis session	Read	contact*
ListRealtimeContactAnalysisSegmentsV2	Grants permission to list the analysis segments for a real-time chat analytics session	List	contact*
ListRealtimeContactAnalysisSegmentsV2		List		connect:ListRealtimeContactAnalysisSegmentsByOutputType connect:ListRealtimeContactAnalysisSegmentsBySegmentType
ListRoutingProfileQueues	Grants permission to list queue resources in a routing profile in an Amazon Connect instance	List	routing-profile*
ListRoutingProfileQueues		List		aws:ResourceTag/${TagKey} connect:InstanceId
ListRoutingProfiles	Grants permission to list routing profile resources in an Amazon Connect instance	List	instance*
ListRoutingProfiles		List		connect:InstanceId
ListRules	Grants permission to list rules associated with a Amazon Connect instance	List	instance*
ListRules		List		connect:InstanceId
ListSecurityKeys	Grants permission to view the security keys of an existing Amazon Connect instance	List	instance*
ListSecurityKeys		List		connect:InstanceId
ListSecurityProfileApplications	Grants permission to list applications associated with a specific security profile in an Amazon Connect instance	List	security-profile*
ListSecurityProfileApplications		List		aws:ResourceTag/${TagKey} connect:InstanceId
ListSecurityProfilePermissions	Grants permission to list permissions associated with security profile in an Amazon Connect instance	List	security-profile*
ListSecurityProfilePermissions		List		aws:ResourceTag/${TagKey} connect:InstanceId
ListSecurityProfiles	Grants permission to list security profile resources in an Amazon Connect instance	List	instance*
ListSecurityProfiles		List		connect:InstanceId
ListTagsForResource	Grants permission to list tags for an Amazon Connect resource	Read	agent-status
			contact-evaluation
			contact-flow
			contact-flow-module
			evaluation-form
			hierarchy-group
			hours-of-operation
			integration-association
			phone-number
			prompt
			queue
			quick-connect
			routing-profile
			rule
			security-profile
			traffic-distribution-group
			use-case
			user
			wildcard-phone-number
				aws:ResourceTag/${TagKey}
ListTaskTemplates	Grants permission to list task template resources in an Amazon Connect instance	List	instance*
ListTrafficDistributionGroupUsers	Grants permission to list the active user associations for a traffic distribution group	List	traffic-distribution-group*
ListTrafficDistributionGroupUsers		List		aws:ResourceTag/${TagKey}
ListTrafficDistributionGroups	Grants permission to list traffic distribution groups	List	traffic-distribution-group*
ListUseCases	Grants permission to list the use cases of an integration association	List	instance*		connect:DescribeInstance ds:DescribeDirectories
ListUseCases		List		connect:InstanceId
ListUserHierarchyGroups	Grants permission to list the hierarchy group resources in an Amazon Connect instance	List	instance*
ListUserHierarchyGroups		List		connect:InstanceId
ListUserProficiencies	Grants permission to list user proficiencies from a user in an Amazon Connect instance	List	instance*
			user*
				connect:InstanceId
ListUsers	Grants permission to list user resources in an Amazon Connect instance	List	instance*
ListUsers		List		connect:InstanceId
ListViewVersions	Grants permission to list the view versions in an Amazon Connect instance	List	aws-managed-view*
			customer-managed-view*
				aws:ResourceTag/${TagKey} connect:InstanceId
ListViews	Grants permission to list the views in an Amazon Connect instance	List	instance*
ListViews		List		connect:InstanceId
MonitorContact	Grants permission to monitor an ongoing contact	Write	contact*
			instance*
			user*
				connect:MonitorCapabilities aws:ResourceTag/${TagKey} connect:InstanceId
PauseContact	Grants permission to pause an ongoing contact	Write	contact*
			instance*
			contact-flow
				aws:ResourceTag/${TagKey} connect:InstanceId
PutUserStatus	Grants permission to switch User Status in an Amazon Connect instance	Write	agent-status*
			instance*
			user*
				aws:ResourceTag/${TagKey} connect:InstanceId
ReleasePhoneNumber	Grants permission to release phone number resources in an Amazon Connect instance	Write	phone-number*
ReleasePhoneNumber		Write		aws:ResourceTag/${TagKey}
ReplicateInstance	Grants permission to create a replica of an Amazon Connect instance	Write	instance*		ds:AuthorizeApplication ds:CheckAlias ds:CreateAlias ds:CreateDirectory ds:CreateIdentityPoolDirectory ds:DeleteDirectory ds:DescribeDirectories ds:UnauthorizeApplication iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy
ReplicateInstance		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
ResumeContact	Grants permission to resume a paused contact	Write	contact*
			instance*
			contact-flow
				aws:ResourceTag/${TagKey} connect:InstanceId
ResumeContactRecording	Grants permission to resume recording for the specified contact	Write	contact*
ResumeContactRecording		Write		connect:ContactAssociationId connect:Channel connect:UserArn
SearchAgentStatuses	Grants permission to search agent status resources in an Amazon Connect instance	Read	instance*		connect:DescribeAgentStatus
SearchAgentStatuses		Read		connect:InstanceId connect:SearchTag/${TagKey}
SearchAvailablePhoneNumbers	Grants permission to search phone number resources in an Amazon Connect instance or traffic distribution group	List	wildcard-phone-number*
SearchContactFlowModules	Grants permission to search contact flow module resources in an Amazon Connect instance	Read	instance*		connect:DescribeContactFlowModule
SearchContactFlowModules		Read		connect:InstanceId connect:SearchTag/${TagKey}
SearchContactFlows	Grants permission to search contact flow resources in an Amazon Connect instance	Read	instance*		connect:DescribeContactFlow
SearchContactFlows		Read		connect:InstanceId connect:SearchTag/${TagKey} connect:FlowType
SearchContacts	Grants permission to search contacts in an Amazon Connect instance	Read	instance*		connect:DescribeContact
SearchContacts		Read		connect:InstanceId connect:SearchContactsByContactAnalysis
SearchEmailAddresses	Grants permission to search email address resources in an Amazon Connect instance	Read	instance*		connect:DescribeEmailAddress
SearchEmailAddresses		Read		connect:InstanceId connect:SearchTag/${TagKey}
SearchHoursOfOperationOverrides	Grants permission to search hours of operation override resources in an Amazon Connect instance	Read	hours-of-operation*		connect:DescribeHoursOfOperation connect:ListHoursOfOperationOverrides
			instance*
				connect:InstanceId connect:SearchTag/${TagKey}
SearchHoursOfOperations	Grants permission to search hours of operation resources in an Amazon Connect instance	Read	instance*		connect:DescribeHoursOfOperation
SearchHoursOfOperations		Read		connect:InstanceId connect:SearchTag/${TagKey}
SearchPredefinedAttributes	Grants permission to search predefined attributes in an Amazon Connect instance	Read	instance*		connect:DescribePredefinedAttribute
SearchPredefinedAttributes		Read		connect:InstanceId
SearchPrompts	Grants permission to search prompt resources in an Amazon Connect instance	Read	instance*		connect:DescribePrompt
SearchPrompts		Read		connect:InstanceId connect:SearchTag/${TagKey}
SearchQueues	Grants permission to search queue resources in an Amazon Connect instance	Read	instance*		connect:DescribeQueue
SearchQueues		Read		connect:InstanceId connect:SearchTag/${TagKey}
SearchQuickConnects	Grants permission to search quick connect resources in an Amazon Connect instance	Read	instance*		connect:DescribeQuickConnect
SearchQuickConnects		Read		connect:InstanceId connect:SearchTag/${TagKey}
SearchResourceTags	Grants permission to search tags that are used in an Amazon Connect instance	List	instance*
SearchResourceTags		List		connect:InstanceId aws:ResourceTag/${TagKey}
SearchRoutingProfiles	Grants permission to search routing profile resources in an Amazon Connect instance	Read	instance*		connect:DescribeRoutingProfile
SearchRoutingProfiles		Read		connect:InstanceId connect:SearchTag/${TagKey}
SearchSecurityProfiles	Grants permission to search security profile resources in an Amazon Connect instance	Read	instance*		connect:DescribeSecurityProfile
SearchSecurityProfiles		Read		connect:InstanceId connect:SearchTag/${TagKey}
SearchUserHierarchyGroups	Grants permission to search user hierarchy group resources in an Amazon Connect instance	Read	instance*		connect:DescribeUserHierarchyGroup
SearchUserHierarchyGroups		Read		connect:InstanceId connect:SearchTag/${TagKey}
SearchUsers	Grants permission to search user resources in an Amazon Connect instance	Read	instance*		connect:DescribeUser connect:ListUserProficiencies
SearchUsers		Read		connect:InstanceId connect:SearchTag/${TagKey}
SearchVocabularies	Grants permission to search vocabularies in a Amazon Connect instance	List	vocabulary*
SearchVocabularies		List		connect:InstanceId
SendChatIntegrationEvent	Grants permission to send chat integration events using the Amazon Connect API	Write
SendIntegrationEvent [permission only]	Grants permission to send integration events using the Amazon Connect API	Write
SendOutboundEmail	Grants permission to send outbound email using the Amazon Connect API	Write	instance*
SendOutboundEmail		Write		connect:InstanceId
StartAttachedFileUpload	Grants permission to start an attached file upload in an Amazon Connect instance	Write	attached-file*		cases:CreateRelatedItem
StartAttachedFileUpload		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId connect:UserArn
StartChatContact	Grants permission to initiate a chat using the Amazon Connect API	Write	contact-flow*
			contact
				connect:InstanceId
StartContactEvaluation	Grants permission to start an empty evaluation in the specified Amazon Connect instance, using the given evaluation form for the particular contact. The evaluation form version used for the contact evaluation corresponds to the currently activated version. If no version is activated for the evaluation form, the contact evaluation cannot be started	Write	contact*
			contact-evaluation*
			evaluation-form*
				connect:InstanceId
StartContactRecording	Grants permission to start recording for the specified contact	Write	contact*
StartContactRecording		Write		connect:ContactAssociationId connect:Channel connect:UserArn
StartContactStreaming	Grants permission to start chat streaming using the Amazon Connect API	Write	instance*
StartEmailContact	Grants permission to initiate an inbound email using the Amazon Connect API	Write	instance*
			contact-flow
				aws:ResourceTag/${TagKey} connect:InstanceId
StartForecastingPlanningSchedulingIntegration [permission only]	Grants permission to enable forecasting, planning, and scheduling integration on an Amazon Connect instance	Write	instance*
		Write		connect:InstanceId
StartOutboundChatContact	Grants permission to initiate an outbound chat using the Amazon Connect API	Write	contact-flow*
			instance*
			contact
			phone-number
				connect:InstanceId connect:Subtype
StartOutboundEmailContact	Grants permission to initiate an outbound email using the Amazon Connect API	Write	instance*
			contact-flow
				aws:ResourceTag/${TagKey} connect:InstanceId
StartOutboundVoiceContact	Grants permission to initiate outbound calls using the Amazon Connect API	Write	contact*
StartScreenSharing	Grants permission to start screen sharing for contact	Write	contact*
			instance*
				connect:InstanceId connect:ContactAssociationId connect:Channel connect:UserArn
StartTaskContact	Grants permission to initiate a task using the Amazon Connect API	Write	contact-flow*
			contact
			quick-connect
			task-template
				aws:ResourceTag/${TagKey} connect:InstanceId connect:AssignmentType
StartWebRTCContact	Grants permission to initiate a WebRTC contact using the Amazon Connect API	Write	contact-flow*
StartWebRTCContact		Write		connect:InstanceId
StopContact	Grants permission to stop contacts that were initiated using the Amazon Connect API. If you use this operation on an active contact the contact ends, even if the agent is active on a call with a customer	Write	contact*
StopContact		Write		connect:InstanceId connect:ContactAssociationId connect:Channel connect:UserArn
StopContactRecording	Grants permission to stop recording for the specified contact	Write	contact*
StopContactRecording		Write		connect:ContactAssociationId connect:Channel connect:UserArn
StopContactStreaming	Grants permission to stop chat streaming using the Amazon Connect API	Write	instance*
StopForecastingPlanningSchedulingIntegration [permission only]	Grants permission to disable forecasting, planning, and scheduling integration on an Amazon Connect instance	Write	instance*
		Write		connect:InstanceId
SubmitContactEvaluation	Grants permission to submit a contact evaluation in the specified Amazon Connect instance. Answers included in the request are merged with existing answers for the given evaluation. If no answers or notes are passed, the evaluation is submitted with the existing answers and notes. You can delete an answer or note by passing an empty object ({}) to the question identifier	Write	contact-evaluation*
SubmitContactEvaluation		Write		connect:InstanceId
SuspendContactRecording	Grants permission to suspend recording for the specified contact	Write	contact*
SuspendContactRecording		Write		connect:ContactAssociationId connect:Channel connect:UserArn
TagContact	Grants permission to tag a contact in an Amazon Connect instance	Write	contact*
TagContact		Write		connect:InstanceId connect:ContactAssociationId connect:Channel connect:UserArn
TagResource	Grants permission to tag an Amazon Connect resource	Tagging	agent-status
			contact-evaluation
			contact-flow
			contact-flow-module
			customer-managed-view
			evaluation-form
			hierarchy-group
			hours-of-operation
			instance
			integration-association
			phone-number
			prompt
			queue
			quick-connect
			routing-profile
			rule
			security-profile
			task-template
			traffic-distribution-group
			use-case
			user
			vocabulary
			wildcard-phone-number
				aws:TagKeys aws:RequestTag/${TagKey}
TransferContact	Grants permission to transfer the contact to another queue or agent	Write	contact*
			contact-flow*
			instance*
				connect:InstanceId connect:ContactAssociationId connect:Channel connect:UserArn
UntagContact	Grants permission to untag a contact in an Amazon Connect instance	Write	contact*
UntagContact		Write		connect:InstanceId connect:ContactAssociationId connect:Channel connect:UserArn
UntagResource	Grants permission to untag an Amazon Connect resource	Tagging	agent-status
			contact-evaluation
			contact-flow
			contact-flow-module
			customer-managed-view
			evaluation-form
			hierarchy-group
			hours-of-operation
			instance
			integration-association
			phone-number
			prompt
			queue
			quick-connect
			routing-profile
			rule
			security-profile
			task-template
			traffic-distribution-group
			use-case
			user
			vocabulary
			wildcard-phone-number
				aws:TagKeys
UpdateAgentStatus	Grants permission to update agent status in an Amazon Connect instance	Write	agent-status*
UpdateAgentStatus		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateAuthenticationProfile	Grants permission to update authentication profile resources in an Amazon Connect instance	Write	authentication-profile*
UpdateAuthenticationProfile		Write		connect:InstanceId
UpdateContact	Grants permission to update a contact in an Amazon Connect instance	Write	contact*
UpdateContact		Write		connect:InstanceId connect:ContactAssociationId connect:Channel connect:UserArn
UpdateContactAttributes	Grants permission to create or update the contact attributes associated with the specified contact	Write	contact*
UpdateContactAttributes		Write		connect:InstanceId connect:ContactAssociationId connect:Channel connect:UserArn
UpdateContactEvaluation	Grants permission to update details about a contact evaluation in the specified Amazon Connect instance. A contact evaluation must be in the draft state. Answers included in the request are merged with existing answers for the given evaluation. An answer or note can be deleted by passing an empty object ({}) to the question identifier	Write	contact-evaluation*
UpdateContactEvaluation		Write		connect:InstanceId
UpdateContactFlowContent	Grants permission to update contact flow content in an Amazon Connect instance	Write	contact-flow*
UpdateContactFlowContent		Write		aws:ResourceTag/${TagKey} connect:InstanceId connect:FlowType
UpdateContactFlowMetadata	Grants permission to update the metadata of a contact flow in an Amazon Connect instance	Write	contact-flow*
UpdateContactFlowMetadata		Write		aws:ResourceTag/${TagKey} connect:InstanceId connect:FlowType
UpdateContactFlowModuleContent	Grants permission to update contact flow module content in an Amazon Connect instance	Write	contact-flow-module*
UpdateContactFlowModuleContent		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateContactFlowModuleMetadata	Grants permission to update the metadata of a contact flow module in an Amazon Connect instance	Write	contact-flow-module*
UpdateContactFlowModuleMetadata		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateContactFlowName	Grants permission to update the name and description of a contact flow in an Amazon Connect instance	Write	contact-flow*
UpdateContactFlowName		Write		aws:ResourceTag/${TagKey} connect:InstanceId connect:FlowType
UpdateContactRoutingData	Grants permission to update routing properties on a contact in an Amazon Connect instance	Write	contact*
UpdateContactRoutingData		Write		connect:InstanceId connect:ContactAssociationId connect:Channel connect:UserArn
UpdateContactSchedule	Grants permission to update the schedule of a contact that is already scheduled in an Amazon Connect instance	Write	contact*
UpdateContactSchedule		Write		connect:InstanceId connect:ContactAssociationId connect:Channel connect:UserArn
UpdateEmailAddressMetadata	Grants permission to update the metadata of an email address resource in an Amazon Connect instance	Write	email-address*
UpdateEmailAddressMetadata		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateEvaluationForm	Grants permission to update details about a specific evaluation form version in the specified Amazon Connect instance. Question and section identifiers cannot be duplicated within the same evaluation form	Write	evaluation-form*
UpdateEvaluationForm		Write		connect:InstanceId
UpdateHoursOfOperation	Grants permission to update hours of operation in an Amazon Connect instance	Write	hours-of-operation*
UpdateHoursOfOperation		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateHoursOfOperationOverride	Grants permission to update an hours of operation override in an Amazon Connect instance	Write	hours-of-operation*
			instance*
				connect:InstanceId
UpdateInstanceAttribute	Grants permission to update the attribute for an existing Amazon Connect instance	Write	instance*		ds:DescribeDirectories iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy logs:CreateLogGroup
UpdateInstanceAttribute		Write		connect:AttributeType connect:InstanceId
UpdateInstanceStorageConfig	Grants permission to update the storage configuration for an existing Amazon Connect instance	Write	instance*		ds:DescribeDirectories firehose:DescribeDeliveryStream iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy kinesis:DescribeStream kms:CreateGrant kms:DescribeKey s3:GetBucketAcl s3:GetBucketLocation
UpdateInstanceStorageConfig		Write		connect:StorageResourceType connect:InstanceId
UpdateParticipantAuthentication	Grants permission to update and continue authentication for a specific contact	Write	instance*
UpdateParticipantAuthentication		Write		connect:InstanceId
UpdateParticipantRoleConfig	Grants permission to update participant role configurations associated with a contact	Write	contact*
			instance*
				connect:InstanceId
UpdatePhoneNumber	Grants permission to update phone number resources in an Amazon Connect instance or traffic distribution group	Write	instance*
			phone-number*
			traffic-distribution-group*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdatePhoneNumberMetadata	Grants permission to update the metadata of a phone number resource in an Amazon Connect instance or traffic distribution group	Write	phone-number*
UpdatePhoneNumberMetadata		Write		aws:ResourceTag/${TagKey}
UpdatePredefinedAttribute	Grants permission to update a predefined attribute in an Amazon Connect instance	Write	instance*
UpdatePredefinedAttribute		Write		connect:InstanceId
UpdatePrompt	Grants permission to update a prompt's name, description, and Amazon S3 URI in an Amazon Connect instance	Write	prompt*		kms:Decrypt s3:GetObject s3:GetObjectAcl
UpdatePrompt		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueHoursOfOperation	Grants permission to update queue hours of operation in an Amazon Connect instance	Write	hours-of-operation*
			queue*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueMaxContacts	Grants permission to update queue capacity in an Amazon Connect instance	Write	queue*
UpdateQueueMaxContacts		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueName	Grants permission to update a queue name and description in an Amazon Connect instance	Write	queue*
UpdateQueueName		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueOutboundCallerConfig	Grants permission to update queue outbound caller config in an Amazon Connect instance	Write	queue*
			contact-flow
			phone-number
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueOutboundEmailConfig	Grants permission to update the outbound email configuration for a queue in an Amazon Connect instance	Write	queue*
UpdateQueueOutboundEmailConfig		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueStatus	Grants permission to update queue status in an Amazon Connect instance	Write	queue*
UpdateQueueStatus		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQuickConnectConfig	Grants permission to update the configuration of a quick connect in an Amazon Connect instance	Write	quick-connect*
			contact-flow
			queue
			user
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQuickConnectName	Grants permission to update a quick connect name and description in an Amazon Connect instance	Write	quick-connect*
UpdateQuickConnectName		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRoutingProfileAgentAvailabilityTimer	Grants permission to update a routing profile agent availability timer in an Amazon Connect instance	Write	routing-profile*
UpdateRoutingProfileAgentAvailabilityTimer		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRoutingProfileConcurrency	Grants permission to update the concurrency in a routing profile in an Amazon Connect instance	Write	routing-profile*
UpdateRoutingProfileConcurrency		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRoutingProfileDefaultOutboundQueue	Grants permission to update the outbound queue in a routing profile in an Amazon Connect instance	Write	queue*
			routing-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRoutingProfileName	Grants permission to update a routing profile name and description in an Amazon Connect instance	Write	routing-profile*
UpdateRoutingProfileName		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRoutingProfileQueues	Grants permission to update the queues in routing profile in an Amazon Connect instance	Write	routing-profile*
UpdateRoutingProfileQueues		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRule	Grants permission to update a rule for an existing Amazon Connect instance	Write	rule*
UpdateRule		Write		connect:InstanceId
UpdateSecurityProfile	Grants permission to update a security profile group for a user in an Amazon Connect instance	Write	security-profile*
UpdateSecurityProfile		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateTaskTemplate	Grants permission to update task template belonging to a Amazon Connect instance	Write	task-template*
UpdateTaskTemplate		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateTrafficDistribution	Grants permission to update traffic distribution for a traffic distribution group	Write	traffic-distribution-group*
UpdateTrafficDistribution		Write		aws:ResourceTag/${TagKey}
UpdateUserHierarchy	Grants permission to update a hierarchy group for a user in an Amazon Connect instance	Write	user*
			hierarchy-group
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserHierarchyGroupName	Grants permission to update a user hierarchy group name in an Amazon Connect instance	Write	hierarchy-group*
UpdateUserHierarchyGroupName		Write		connect:InstanceId
UpdateUserHierarchyStructure	Grants permission to update user hierarchy structure in an Amazon Connect instance	Write	instance*
UpdateUserHierarchyStructure		Write		connect:InstanceId
UpdateUserIdentityInfo	Grants permission to update identity information for a user in an Amazon Connect instance	Write	user*
UpdateUserIdentityInfo		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserPhoneConfig	Grants permission to update phone configuration settings for a user in an Amazon Connect instance	Write	user*
UpdateUserPhoneConfig		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserProficiencies	Grants permission to update user proficiencies from a user in an Amazon Connect instance	Write	instance*
			user*
				connect:InstanceId
UpdateUserRoutingProfile	Grants permission to update a routing profile for a user in an Amazon Connect instance	Write	routing-profile*
			user*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserSecurityProfiles	Grants permission to update security profiles for a user in an Amazon Connect instance	Write	security-profile*
			user*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateViewContent	Grants permission to update a view's content in an Amazon Connect instance	Write	customer-managed-view*
UpdateViewContent		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateViewMetadata	Grants permission to update a view's metadata in an Amazon Connect instance	Write	customer-managed-view*
UpdateViewMetadata		Write		aws:ResourceTag/${TagKey} connect:InstanceId

Resource types defined by Amazon Connect

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
instance	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}`	aws:ResourceTag/${TagKey}
contact	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact/${ContactId}`
user	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent/${UserId}`	aws:ResourceTag/${TagKey}
routing-profile	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/routing-profile/${RoutingProfileId}`	aws:ResourceTag/${TagKey}
security-profile	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/security-profile/${SecurityProfileId}`	aws:ResourceTag/${TagKey}
authentication-profile	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/authentication-profile/${AuthenticationProfileId}`
hierarchy-group	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-group/${HierarchyGroupId}`	aws:ResourceTag/${TagKey}
queue	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/${QueueId}`	aws:ResourceTag/${TagKey}
wildcard-queue	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/*`
quick-connect	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/${QuickConnectId}`	aws:ResourceTag/${TagKey}
wildcard-quick-connect	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/*`
contact-flow	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/${ContactFlowId}`	aws:ResourceTag/${TagKey}
task-template	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/task-template/${TaskTemplateId}`	aws:ResourceTag/${TagKey}
contact-flow-module	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/flow-module/${ContactFlowModuleId}`	aws:ResourceTag/${TagKey}
wildcard-contact-flow	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/*`
hours-of-operation	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/operating-hours/${HoursOfOperationId}`	aws:ResourceTag/${TagKey}
agent-status	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-state/${AgentStatusId}`	aws:ResourceTag/${TagKey}
wildcard-agent-status	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-state/*`
legacy-phone-number	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-number/${PhoneNumberId}`
wildcard-legacy-phone-number	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-number/*`
phone-number	`arn:${Partition}:connect:${Region}:${Account}:phone-number/${PhoneNumberId}`	aws:ResourceTag/${TagKey}
wildcard-phone-number	`arn:${Partition}:connect:${Region}:${Account}:phone-number/*`	aws:ResourceTag/${TagKey}
integration-association	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/integration-association/${IntegrationAssociationId}`	aws:ResourceTag/${TagKey}
use-case	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/use-case/${UseCaseId}`	aws:ResourceTag/${TagKey}
vocabulary	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/vocabulary/${VocabularyId}`	aws:ResourceTag/${TagKey}
traffic-distribution-group	`arn:${Partition}:connect:${Region}:${Account}:traffic-distribution-group/${TrafficDistributionGroupId}`	aws:ResourceTag/${TagKey}
rule	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/rule/${RuleId}`	aws:ResourceTag/${TagKey}
evaluation-form	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/evaluation-form/${FormId}`	aws:ResourceTag/${TagKey}
contact-evaluation	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-evaluation/${EvaluationId}`	aws:ResourceTag/${TagKey}
prompt	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/prompt/${PromptId}`	aws:ResourceTag/${TagKey}
customer-managed-view	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/view/${ViewId}`	aws:ResourceTag/${TagKey}
aws-managed-view	`arn:${Partition}:connect:${Region}:aws:view/${ViewId}`
qualified-customer-managed-view	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/view/${ViewId}:${ViewQualifier}`	aws:ResourceTag/${TagKey}
qualified-aws-managed-view	`arn:${Partition}:connect:${Region}:aws:view/${ViewId}:${ViewQualifier}`
customer-managed-view-version	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/view/${ViewId}:${ViewVersion}`	aws:ResourceTag/${TagKey}
attached-file	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/file/${FileId}`	aws:ResourceTag/${TagKey}
email-address	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/email-address/${EmailAddressId}`	aws:ResourceTag/${TagKey}

Condition keys for Amazon Connect

Amazon Connect defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see AWS global condition context keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access by using tag key-value pairs in the request	String
aws:ResourceTag/${TagKey}	Filters access by using tag key-value pairs attached to the resource	String
aws:TagKeys	Filters access by using tag keys in the request	ArrayOfString
connect:AssignmentType	Filters access by restricting access to create contacts based on Assignment Type	String
connect:AttributeType	Filters access by the attribute type of the Amazon Connect instance	String
connect:Channel	Filters access by Channel	String
connect:ContactAssociationId	Filters access by ContactAssociationId	String
connect:ContactInitiationMethod	Filters access by restricting access to create contacts based on the initiation method of the contact	String
connect:FlowType	Filters access by Flow type	ArrayOfString
connect:InstanceId	Filters access by restricting federation into specified Amazon Connect instances	String
connect:ListRealtimeContactAnalysisSegmentsByOutputType	Filters access by restricting the listed segments using the output type of the Amazon Connect Contact Lens real-time segment	String
connect:ListRealtimeContactAnalysisSegmentsBySegmentType	Filters access by restricting the listed segments using the segment types of the Amazon Connect Contact Lens real-time segment	ArrayOfString
connect:MonitorCapabilities	Filters access by restricting the monitor capabilities of the user in the request	ArrayOfString
connect:SearchContactsByContactAnalysis	Filters access by restricting searches using analysis outputs from Amazon Connect Contact Lens	ArrayOfString
connect:SearchTag/${TagKey}	Filters access by TagFilter condition passed in the search request	String
connect:StorageResourceType	Filters access by restricting the storage resource type of the Amazon Connect instance storage configuration	String
connect:Subtype	Filters access by restricting creation of a contact for specific subtypes	String
connect:UserArn	Filters access by UserArn	ARN

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions