Actions, resources, and condition keys for Amazon Connect

Amazon Connect (service prefix: connect) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by Amazon Connect
Resource types defined by Amazon Connect
Condition keys for Amazon Connect

Actions defined by Amazon Connect

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
AssociateApprovedOrigin	Grants permission to associate approved origin for an existing Amazon Connect instance	Write	instance*
AssociateApprovedOrigin		Write		connect:InstanceId
AssociateBot	Grants permission to associate a Lex bot for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy lex:CreateResourcePolicy lex:DescribeBotAlias lex:GetBot lex:UpdateResourcePolicy
AssociateBot		Write		connect:InstanceId
AssociateCustomerProfilesDomain [permission only]	Grants permission to associate a Customer Profiles domain for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy profile:GetDomain
AssociateDefaultVocabulary	Grants permission to default vocabulary for an existing Amazon Connect instance	Write	instance*
AssociateDefaultVocabulary		Write		connect:InstanceId
AssociateInstanceStorageConfig	Grants permission to associate instance storage for an existing Amazon Connect instance	Write	instance*		ds:DescribeDirectories firehose:DescribeDeliveryStream iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy kinesis:DescribeStream kms:CreateGrant kms:DescribeKey s3:GetBucketAcl s3:GetBucketLocation
AssociateInstanceStorageConfig		Write		connect:StorageResourceType connect:InstanceId
AssociateLambdaFunction	Grants permission to associate a Lambda function for an existing Amazon Connect instance	Write	instance*		lambda:AddPermission
AssociateLambdaFunction		Write		connect:InstanceId
AssociateLexBot	Grants permission to associate a Lex bot for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy lex:GetBot
AssociateLexBot		Write		connect:InstanceId
AssociatePhoneNumberContactFlow	Grants permission to associate contact flow resources to phone number resources in an Amazon Connect instance	Write	contact-flow*
			phone-number*
				aws:ResourceTag/${TagKey} connect:InstanceId
AssociateQueueQuickConnects	Grants permission to associate quick connects with a queue in an Amazon Connect instance	Write	queue*
			quick-connect*
				aws:ResourceTag/${TagKey} connect:InstanceId
AssociateRoutingProfileQueues	Grants permission to associate queues with a routing profile in an Amazon Connect instance	Write	queue*
			routing-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
AssociateSecurityKey	Grants permission to associate a security key for an existing Amazon Connect instance	Write	instance*
AssociateSecurityKey		Write		connect:InstanceId
BatchAssociateAnalyticsDataSet [permission only]	Grants permission to grant access and to associate the datasets with the specified AWS account	Write	instance*
BatchAssociateAnalyticsDataSet [permission only]		Write		connect:InstanceId
BatchDisassociateAnalyticsDataSet [permission only]	Grants permission to revoke access and to disassociate the datasets with the specified AWS account	Write	instance*
BatchDisassociateAnalyticsDataSet [permission only]		Write		connect:InstanceId
ClaimPhoneNumber	Grants permission to claim phone number resources in an Amazon Connect instance or traffic distribution group	Write	instance*
			traffic-distribution-group*
			wildcard-phone-number*
				aws:RequestTag/${TagKey} aws:TagKeys
CreateAgentStatus	Grants permission to create agent status in an Amazon Connect instance	Write	agent-status*
CreateAgentStatus		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateContactFlow	Grants permission to create a contact flow in an Amazon Connect instance	Write	contact-flow*
CreateContactFlow		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateContactFlowModule	Grants permission to create a contact flow module in an Amazon Connect instance	Write	contact-flow-module*
CreateContactFlowModule		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateHoursOfOperation	Grants permission to create hours of operation in an Amazon Connect instance	Write	hours-of-operation*
CreateHoursOfOperation		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateInstance	Grants permission to create a new Amazon Connect instance	Write		aws:RequestTag/${TagKey} aws:TagKeys	ds:AuthorizeApplication ds:CheckAlias ds:CreateAlias ds:CreateDirectory ds:CreateIdentityPoolDirectory ds:DeleteDirectory ds:DescribeDirectories ds:UnauthorizeApplication iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy
CreateIntegrationAssociation	Grants permission to create an integration association with an Amazon Connect instance	Write	instance*		app-integrations:CreateEventIntegrationAssociation cases:GetDomain connect:DescribeInstance ds:DescribeDirectories events:PutRule events:PutTargets iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy mobiletargeting:GetApp voiceid:DescribeDomain wisdom:GetAssistant wisdom:GetKnowledgeBase
			integration-association*
				connect:InstanceId aws:RequestTag/${TagKey} aws:TagKeys
CreateQueue	Grants permission to create a queue in an Amazon Connect instance	Write	hours-of-operation*
			queue*
			contact-flow
			phone-number
			quick-connect
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateQuickConnect	Grants permission to create a quick connect in an Amazon Connect instance	Write	quick-connect*
			contact-flow
			queue
			user
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateRoutingProfile	Grants permission to create a routing profile in an Amazon Connect instance	Write	queue*
			routing-profile*
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateRule	Grants permission to create a rule in an Amazon Connect instance	Write	rule*
CreateRule		Write		connect:InstanceId
CreateSecurityProfile	Grants permission to create a security profile for the specified Amazon Connect instance	Write	security-profile*
CreateSecurityProfile		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateTaskTemplate	Grants permission to create a task template in an Amazon Connect instance	Write	task-template*
CreateTrafficDistributionGroup	Grants permission to create a traffic distribution group	Write	instance*
			traffic-distribution-group*
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateUseCase	Grants permission to create a use case for an integration association	Write	instance*		connect:DescribeInstance ds:DescribeDirectories
			integration-association*
			use-case*
				connect:InstanceId aws:RequestTag/${TagKey} aws:TagKeys
CreateUser	Grants permission to create a user for the specified Amazon Connect instance	Write	routing-profile*
			security-profile*
			user*
			hierarchy-group
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateUserHierarchyGroup	Grants permission to create a user hierarchy group in an Amazon Connect instance	Write	hierarchy-group
CreateUserHierarchyGroup		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateVocabulary	Grants permission to create a vocabulary in an Amazon Connect instance	Write	vocabulary*
CreateVocabulary		Write		aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
DeleteContactFlow	Grants permission to delete a contact flow in an Amazon Connect instance	Write	contact-flow*
DeleteContactFlow		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteContactFlowModule	Grants permission to delete a contact flow module in an Amazon Connect instance	Write	contact-flow-module*
DeleteContactFlowModule		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteHoursOfOperation	Grants permission to delete hours of operation in an Amazon Connect instance	Write	hours-of-operation*
DeleteHoursOfOperation		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteInstance	Grants permission to delete an Amazon Connect instance. When you remove an instance, the link to an existing AWS directory is also removed	Write	instance*		ds:DeleteDirectory ds:DescribeDirectories ds:UnauthorizeApplication
DeleteInstance		Write		connect:InstanceId aws:ResourceTag/${TagKey}
DeleteIntegrationAssociation	Grants permission to delete an integration association from an Amazon Connect instance. The association must not have any use cases associated with it	Write	instance*		app-integrations:DeleteEventIntegrationAssociation connect:DescribeInstance ds:DescribeDirectories events:DeleteRule events:ListTargetsByRule events:RemoveTargets
			integration-association*
				connect:InstanceId
DeleteQuickConnect	Grants permission to delete a quick connect in an Amazon Connect instance	Write	quick-connect*
DeleteQuickConnect		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteRule	Grants permission to delete a rule in an Amazon Connect instance	Write	rule*
DeleteRule		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteSecurityProfile	Grants permission to delete a security profile in an Amazon Connect instance	Write	security-profile*
DeleteSecurityProfile		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteTaskTemplate	Grants permission to delete a task template in an Amazon Connect instance	Write	task-template*
DeleteTaskTemplate		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteTrafficDistributionGroup	Grants permission to delete a traffic distribution group	Write	traffic-distribution-group*
DeleteTrafficDistributionGroup	Grants permission to delete a traffic distribution group	Write		aws:ResourceTag/${TagKey}
DeleteUseCase	Grants permission to delete a use case from an integration association	Write	instance*		connect:DescribeInstance ds:DescribeDirectories
			use-case*
				connect:InstanceId
DeleteUser	Grants permission to delete a user in an Amazon Connect instance	Write	user*
DeleteUser		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DeleteUserHierarchyGroup	Grants permission to delete a user hierarchy group in an Amazon Connect instance	Write	hierarchy-group*
DeleteUserHierarchyGroup		Write		connect:InstanceId
DeleteVocabulary	Grants permission to delete a vocabulary in an Amazon Connect instance	Write	vocabulary*
DeleteVocabulary		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeAgentStatus	Grants permission to describe agent status in an Amazon Connect instance	Read	agent-status*
DescribeAgentStatus		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeContact	Grants permission to describe a contact in an Amazon Connect instance	Read	contact*
DescribeContact		Read		connect:InstanceId
DescribeContactFlow	Grants permission to describe a contact flow in an Amazon Connect instance	Read	contact-flow*
DescribeContactFlow		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeContactFlowModule	Grants permission to describe a contact flow module in an Amazon Connect instance	Read	contact-flow-module*
DescribeContactFlowModule		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeForecastingPlanningSchedulingIntegration [permission only]	Grants permission to describe the status of forecasting, planning, and scheduling integration on an Amazon Connect instance	Read	instance*
		Read		connect:InstanceId
DescribeHoursOfOperation	Grants permission to describe hours of operation in an Amazon Connect instance	Read	hours-of-operation*
DescribeHoursOfOperation		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeInstance	Grants permission to view details of an Amazon Connect instance and is also required to create an instance	Read	instance*		ds:DescribeDirectories
DescribeInstance		Read		connect:InstanceId aws:ResourceTag/${TagKey}
DescribeInstanceAttribute	Grants permission to view the attribute details of an existing Amazon Connect instance	Read	instance*
DescribeInstanceAttribute		Read		connect:AttributeType connect:InstanceId
DescribeInstanceStorageConfig	Grants permission to view the instance storage configuration for an existing Amazon Connect instance	Read	instance*
DescribeInstanceStorageConfig		Read		connect:StorageResourceType connect:InstanceId
DescribePhoneNumber	Grants permission to describe phone number resources in an Amazon Connect instance or traffic distribution group	Read	phone-number*
DescribePhoneNumber		Read		aws:ResourceTag/${TagKey}
DescribeQueue	Grants permission to describe a queue in an Amazon Connect instance	Read	queue*
DescribeQueue		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeQuickConnect	Grants permission to describe a quick connect in an Amazon Connect instance	Read	quick-connect*
DescribeQuickConnect		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeRoutingProfile	Grants permission to describe a routing profile in an Amazon Connect instance	Read	routing-profile*
DescribeRoutingProfile		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeRule	Grants permission to describe a rule in an Amazon Connect instance	Read	rule*
DescribeRule		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeSecurityProfile	Grants permission to describe a security profile in an Amazon Connect instance	Read	security-profile*
DescribeSecurityProfile		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeTrafficDistributionGroup	Grants permission to describe a traffic distribution group	Read	traffic-distribution-group*
DescribeTrafficDistributionGroup	Grants permission to describe a traffic distribution group	Read		aws:ResourceTag/${TagKey}
DescribeUser	Grants permission to describe a user in an Amazon Connect instance	Read	user*
DescribeUser		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DescribeUserHierarchyGroup	Grants permission to describe a hierarchy group for an Amazon Connect instance	Read	hierarchy-group*
DescribeUserHierarchyGroup		Read		connect:InstanceId
DescribeUserHierarchyStructure	Grants permission to describe the hierarchy structure for an Amazon Connect instance	Read	instance*
DescribeUserHierarchyStructure		Read		connect:InstanceId
DescribeVocabulary	Grants permission to describe a vocabulary in an Amazon Connect instance	Read	vocabulary*
DescribeVocabulary		Read		aws:ResourceTag/${TagKey} connect:InstanceId
DisassociateApprovedOrigin	Grants permission to disassociate approved origin for an existing Amazon Connect instance	Write	instance*
DisassociateApprovedOrigin		Write		connect:InstanceId
DisassociateBot	Grants permission to disassociate a Lex bot for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy lex:DeleteResourcePolicy lex:UpdateResourcePolicy
DisassociateBot		Write		connect:InstanceId
DisassociateCustomerProfilesDomain [permission only]	Grants permission to disassociate a Customer Profiles domain for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:DeleteRolePolicy iam:DetachRolePolicy iam:GetPolicy iam:GetPolicyVersion iam:GetRolePolicy
DisassociateInstanceStorageConfig	Grants permission to disassociate instance storage for an existing Amazon Connect instance	Write	instance*
DisassociateInstanceStorageConfig		Write		connect:StorageResourceType connect:InstanceId
DisassociateLambdaFunction	Grants permission to disassociate a Lambda function for an existing Amazon Connect instance	Write	instance*		lambda:RemovePermission
DisassociateLambdaFunction		Write		connect:InstanceId
DisassociateLexBot	Grants permission to disassociate a Lex bot for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy
DisassociateLexBot		Write		connect:InstanceId
DisassociatePhoneNumberContactFlow	Grants permission to disassociate contact flow resources from phone number resources in an Amazon Connect instance	Write	phone-number*
DisassociatePhoneNumberContactFlow		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DisassociateQueueQuickConnects	Grants permission to disassociate quick connects from a queue in an Amazon Connect instance	Write	queue*
			quick-connect*
				aws:ResourceTag/${TagKey} connect:InstanceId
DisassociateRoutingProfileQueues	Grants permission to disassociate queues from a routing profile in an Amazon Connect instance	Write	routing-profile*
DisassociateRoutingProfileQueues		Write		aws:ResourceTag/${TagKey} connect:InstanceId
DisassociateSecurityKey	Grants permission to disassociate the security key for an existing Amazon Connect instance	Write	instance*
DisassociateSecurityKey		Write		connect:InstanceId
DismissUserContact	Grants permission to dismiss terminated Contact from Agent CCP	Write	user*
DismissUserContact		Write		aws:ResourceTag/${TagKey} connect:InstanceId
GetContactAttributes	Grants permission to retrieve the contact attributes for the specified contact	Read	contact*
GetContactAttributes		Read		connect:InstanceId
GetCurrentMetricData	Grants permission to retrieve current metric data for queues and routing profiles in an Amazon Connect instance	Read	queue*
			routing-profile*
				connect:InstanceId
GetCurrentUserData	Grants permission to retrieve current user data in an Amazon Connect instance	Read	hierarchy-group*
			queue*
			routing-profile*
			user*
				connect:InstanceId
GetFederationToken	Grants permission to federate into an Amazon Connect instance when using SAML-based authentication for identity management	Read	instance*
GetFederationToken		Read		connect:InstanceId
GetFederationTokens	Grants permission to federate into an Amazon Connect instance (Log in for emergency access functionality in the Amazon Connect console)	Write	instance*		connect:DescribeInstance connect:ListInstances ds:DescribeDirectories
GetMetricData	Grants permission to retrieve historical metric data for queues in an Amazon Connect instance	Read	queue*
GetMetricData		Read		connect:InstanceId
GetMetricDataV2	Grants permission to retrieve metric data in an Amazon Connect instance	Read	hierarchy-group*
			queue*
			routing-profile*
			user*
GetTaskTemplate	Grants permission to get details about specified task template in an Amazon Connect instance	Read	task-template*
GetTaskTemplate		Read		aws:ResourceTag/${TagKey} connect:InstanceId
GetTrafficDistribution	Grants permission to read traffic distribution for a traffic distribution group	List	traffic-distribution-group*
GetTrafficDistribution		List		aws:ResourceTag/${TagKey}
ListAgentStatuses	Grants permission to list agent statuses in an Amazon Connect instance	List	wildcard-agent-status*
ListApprovedOrigins	Grants permission to view approved origins of an existing Amazon Connect instance	List	instance*
ListApprovedOrigins		List		connect:InstanceId
ListBots	Grants permission to view the Lex bots of an existing Amazon Connect instance	List	instance*
ListBots		List		connect:InstanceId
ListContactFlowModules	Grants permission to list contact flow module resources in an Amazon Connect instance	List	instance*
ListContactFlows	Grants permission to list contact flow resources in an Amazon Connect instance	List	wildcard-contact-flow*
ListContactReferences	Grants permission to list references associated with a contact in an Amazon Connect instance	List	contact*
ListContactReferences		List		connect:InstanceId
ListDefaultVocabularies	Grants permission to list default vocabularies associated with a Amazon Connect instance	List	instance*
ListDefaultVocabularies		List		connect:InstanceId
ListHoursOfOperations	Grants permission to list hours of operation resources in an Amazon Connect instance	List	instance*
ListHoursOfOperations		List		connect:InstanceId
ListInstanceAttributes	Grants permission to view the attributes of an existing Amazon Connect instance	List	instance*
ListInstanceAttributes		List		connect:InstanceId
ListInstanceStorageConfigs	Grants permission to view storage configurations of an existing Amazon Connect instance	List	instance*
ListInstanceStorageConfigs		List		connect:InstanceId
ListInstances	Grants permission to view the Amazon Connect instances associated with an AWS account	List			ds:DescribeDirectories
ListIntegrationAssociations	Grants permission to list summary information about the integration associations for the specified Amazon Connect instance	List	instance*		connect:DescribeInstance ds:DescribeDirectories
ListIntegrationAssociations		List		connect:InstanceId
ListLambdaFunctions	Grants permission to view the Lambda functions of an existing Amazon Connect instance	List	instance*
ListLambdaFunctions		List		connect:InstanceId
ListLexBots	Grants permission to view the Lex bots of an existing Amazon Connect instance	List	instance*
ListLexBots		List		connect:InstanceId
ListPhoneNumbers	Grants permission to list phone number resources in an Amazon Connect instance	List	wildcard-legacy-phone-number*
ListPhoneNumbersV2	Grants permission to list phone number resources in an Amazon Connect instance	List	wildcard-phone-number*
ListPrompts	Grants permission to list prompt resources in an Amazon Connect instance	List	instance*
ListPrompts		List		connect:InstanceId
ListQueueQuickConnects	Grants permission to list quick connect resources in a queue in an Amazon Connect instance	List	queue*
ListQueueQuickConnects		List		aws:ResourceTag/${TagKey} connect:InstanceId
ListQueues	Grants permission to list queue resources in an Amazon Connect instance	List	wildcard-queue*
ListQuickConnects	Grants permission to list quick connect resources in an Amazon Connect instance	List	wildcard-quick-connect*
ListRealtimeContactAnalysisSegments	Grants permission to list the analysis segments for a real-time analysis session	Read	contact*
ListRoutingProfileQueues	Grants permission to list queue resources in a routing profile in an Amazon Connect instance	List	routing-profile*
ListRoutingProfileQueues		List		aws:ResourceTag/${TagKey} connect:InstanceId
ListRoutingProfiles	Grants permission to list routing profile resources in an Amazon Connect instance	List	instance*
ListRoutingProfiles		List		connect:InstanceId
ListRules	Grants permission to list rules associated with a Amazon Connect instance	List	instance*
ListRules		List		connect:InstanceId
ListSecurityKeys	Grants permission to view the security keys of an existing Amazon Connect instance	List	instance*
ListSecurityKeys		List		connect:InstanceId
ListSecurityProfilePermissions	Grants permission to list permissions associated with security profile in an Amazon Connect instance	List	security-profile*
ListSecurityProfilePermissions		List		aws:ResourceTag/${TagKey} connect:InstanceId
ListSecurityProfiles	Grants permission to list security profile resources in an Amazon Connect instance	List	instance*
ListSecurityProfiles		List		connect:InstanceId
ListTagsForResource	Grants permission to list tags for an Amazon Connect resource	Read	agent-status
			contact-flow
			contact-flow-module
			hierarchy-group
			hours-of-operation
			integration-association
			phone-number
			queue
			quick-connect
			routing-profile
			rule
			security-profile
			traffic-distribution-group
			use-case
			user
			wildcard-phone-number
				aws:ResourceTag/${TagKey}
ListTaskTemplates	Grants permission to list task template resources in an Amazon Connect instance	List	instance*
ListTrafficDistributionGroups	Grants permission to list traffic distribution groups	List	traffic-distribution-group*
ListUseCases	Grants permission to list the use cases of an integration association	List	instance*		connect:DescribeInstance ds:DescribeDirectories
ListUseCases		List		connect:InstanceId
ListUserHierarchyGroups	Grants permission to list the hierarchy group resources in an Amazon Connect instance	List	instance*
ListUserHierarchyGroups		List		connect:InstanceId
ListUsers	Grants permission to list user resources in an Amazon Connect instance	List	instance*
ListUsers		List		connect:InstanceId
MonitorContact	Grants permission to monitor an ongoing contact	Write	contact*
			instance*
			user*
				connect:MonitorCapabilities aws:ResourceTag/${TagKey} connect:InstanceId
PutUserStatus	Grants permission to switch User Status in an Amazon Connect instance	Write	agent-status*
			instance*
			user*
				aws:ResourceTag/${TagKey} connect:InstanceId
ReleasePhoneNumber	Grants permission to release phone number resources in an Amazon Connect instance	Write	phone-number*
ReleasePhoneNumber		Write		aws:ResourceTag/${TagKey}
ReplicateInstance	Grants permission to create a replica of an Amazon Connect instance	Write		aws:RequestTag/${TagKey} aws:TagKeys	ds:AuthorizeApplication ds:CheckAlias ds:CreateAlias ds:CreateDirectory ds:CreateIdentityPoolDirectory ds:DeleteDirectory ds:DescribeDirectories ds:UnauthorizeApplication iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy
ResumeContactRecording	Grants permission to resume recording for the specified contact	Write	contact*
SearchAvailablePhoneNumbers	Grants permission to search phone number resources in an Amazon Connect instance or traffic distribution group	List	wildcard-phone-number*
SearchQueues	Grants permission to search queue resources in an Amazon Connect instance	Read	instance*		connect:DescribeQueue
SearchQueues		Read		connect:InstanceId connect:SearchTag/${TagKey}
SearchRoutingProfiles	Grants permission to search routing profile resources in an Amazon Connect instance	Read	instance*		connect:DescribeRoutingProfile
SearchRoutingProfiles		Read		connect:InstanceId connect:SearchTag/${TagKey}
SearchSecurityProfiles	Grants permission to search security profile resources in an Amazon Connect instance	Read	instance*		connect:DescribeSecurityProfile
SearchSecurityProfiles		Read		connect:InstanceId connect:SearchTag/${TagKey}
SearchUsers	Grants permission to search user resources in an Amazon Connect instance	Read	instance*		connect:DescribeUser
SearchUsers		Read		connect:InstanceId connect:SearchTag/${TagKey}
SearchVocabularies	Grants permission to search vocabularies in a Amazon Connect instance	List	vocabulary*
SearchVocabularies		List		connect:InstanceId
StartChatContact	Grants permission to initiate a chat using the Amazon Connect API	Write	contact-flow*
			contact
				connect:InstanceId
StartContactRecording	Grants permission to start recording for the specified contact	Write	contact*
StartContactStreaming	Grants permission to start chat streaming using the Amazon Connect API	Write	instance*
StartForecastingPlanningSchedulingIntegration [permission only]	Grants permission to enable forecasting, planning, and scheduling integration on an Amazon Connect instance	Write	instance*
		Write		connect:InstanceId
StartOutboundVoiceContact	Grants permission to initiate outbound calls using the Amazon Connect API	Write	contact*
StartTaskContact	Grants permission to initiate a task using the Amazon Connect API	Write	contact-flow*
			contact
			quick-connect
			task-template
				aws:ResourceTag/${TagKey} connect:InstanceId
StopContact	Grants permission to stop contacts that were initiated using the Amazon Connect API. If you use this operation on an active contact the contact ends, even if the agent is active on a call with a customer	Write	contact*
StopContact		Write		connect:InstanceId
StopContactRecording	Grants permission to stop recording for the specified contact	Write	contact*
StopContactStreaming	Grants permission to stop chat streaming using the Amazon Connect API	Write	instance*
StopForecastingPlanningSchedulingIntegration [permission only]	Grants permission to disable forecasting, planning, and scheduling integration on an Amazon Connect instance	Write	instance*
		Write		connect:InstanceId
SuspendContactRecording	Grants permission to suspend recording for the specified contact	Write	contact*
TagResource	Grants permission to tag an Amazon Connect resource	Tagging	agent-status
			contact-flow
			contact-flow-module
			hierarchy-group
			hours-of-operation
			instance
			integration-association
			phone-number
			queue
			quick-connect
			routing-profile
			rule
			security-profile
			task-template
			traffic-distribution-group
			use-case
			user
			vocabulary
			wildcard-phone-number
				aws:TagKeys aws:RequestTag/${TagKey}
TransferContact	Grants permission to transfer the contact to another queue or agent	Write	contact*
			contact-flow*
			instance*
				connect:InstanceId
UntagResource	Grants permission to untag an Amazon Connect resource	Tagging	agent-status
			contact-flow
			contact-flow-module
			hierarchy-group
			hours-of-operation
			instance
			integration-association
			phone-number
			queue
			quick-connect
			routing-profile
			rule
			security-profile
			task-template
			traffic-distribution-group
			use-case
			user
			vocabulary
			wildcard-phone-number
				aws:TagKeys
UpdateAgentStatus	Grants permission to update agent status in an Amazon Connect instance	Write	agent-status*
UpdateAgentStatus		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateContact	Grants permission to update a contact in an Amazon Connect instance	Write	contact*
UpdateContact		Write		connect:InstanceId
UpdateContactAttributes	Grants permission to create or update the contact attributes associated with the specified contact	Write	contact*
UpdateContactAttributes		Write		connect:InstanceId
UpdateContactFlowContent	Grants permission to update contact flow content in an Amazon Connect instance	Write	contact-flow*
UpdateContactFlowContent		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateContactFlowMetadata	Grants permission to update the metadata of a contact flow in an Amazon Connect instance	Write	contact-flow*
UpdateContactFlowMetadata		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateContactFlowModuleContent	Grants permission to update contact flow module content in an Amazon Connect instance	Write	contact-flow-module*
UpdateContactFlowModuleContent		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateContactFlowModuleMetadata	Grants permission to update the metadata of a contact flow module in an Amazon Connect instance	Write	contact-flow-module*
UpdateContactFlowModuleMetadata		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateContactFlowName	Grants permission to update the name and description of a contact flow in an Amazon Connect instance	Write	contact-flow*
UpdateContactFlowName		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateContactSchedule	Grants permission to update the schedule of a contact that is already scheduled in an Amazon Connect instance	Write	contact*
UpdateContactSchedule		Write		connect:InstanceId
UpdateHoursOfOperation	Grants permission to update hours of operation in an Amazon Connect instance	Write	hours-of-operation*
UpdateHoursOfOperation		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateInstanceAttribute	Grants permission to update the attribute for an existing Amazon Connect instance	Write	instance*		ds:DescribeDirectories iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy logs:CreateLogGroup
UpdateInstanceAttribute		Write		connect:AttributeType connect:InstanceId
UpdateInstanceStorageConfig	Grants permission to update the storage configuration for an existing Amazon Connect instance	Write	instance*		ds:DescribeDirectories firehose:DescribeDeliveryStream iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy kinesis:DescribeStream kms:CreateGrant kms:DescribeKey s3:GetBucketAcl s3:GetBucketLocation
UpdateInstanceStorageConfig		Write		connect:StorageResourceType connect:InstanceId
UpdateParticipantRoleConfig	Grants permission to update participant role configurations associated with a contact	Write	contact*
			instance*
				connect:InstanceId
UpdatePhoneNumber	Grants permission to update phone number resources in an Amazon Connect instance or traffic distribution group	Write	instance*
			phone-number*
			traffic-distribution-group*
				aws:ResourceTag/${TagKey}
UpdateQueueHoursOfOperation	Grants permission to update queue hours of operation in an Amazon Connect instance	Write	hours-of-operation*
			queue*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueMaxContacts	Grants permission to update queue capacity in an Amazon Connect instance	Write	queue*
UpdateQueueMaxContacts		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueName	Grants permission to update a queue name and description in an Amazon Connect instance	Write	queue*
UpdateQueueName		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueOutboundCallerConfig	Grants permission to update queue outbound caller config in an Amazon Connect instance	Write	queue*
			contact-flow
			phone-number
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueStatus	Grants permission to update queue status in an Amazon Connect instance	Write	queue*
UpdateQueueStatus		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQuickConnectConfig	Grants permission to update the configuration of a quick connect in an Amazon Connect instance	Write	quick-connect*
			contact-flow
			queue
			user
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQuickConnectName	Grants permission to update a quick connect name and description in an Amazon Connect instance	Write	quick-connect*
UpdateQuickConnectName		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRoutingProfileConcurrency	Grants permission to update the concurrency in a routing profile in an Amazon Connect instance	Write	routing-profile*
UpdateRoutingProfileConcurrency		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRoutingProfileDefaultOutboundQueue	Grants permission to update the outbound queue in a routing profile in an Amazon Connect instance	Write	queue*
			routing-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRoutingProfileName	Grants permission to update a routing profile name and description in an Amazon Connect instance	Write	routing-profile*
UpdateRoutingProfileName		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRoutingProfileQueues	Grants permission to update the queues in routing profile in an Amazon Connect instance	Write	routing-profile*
UpdateRoutingProfileQueues		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRule	Grants permission to update a rule for an existing Amazon Connect instance	Write	instance*
UpdateRule		Write		connect:InstanceId
UpdateSecurityProfile	Grants permission to update a security profile group for a user in an Amazon Connect instance	Write	security-profile*
UpdateSecurityProfile		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateTaskTemplate	Grants permission to update task template belonging to a Amazon Connect instance	Write	task-template*
UpdateTaskTemplate		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateTrafficDistribution	Grants permission to update traffic distribution for a traffic distribution group	Write	traffic-distribution-group*
UpdateTrafficDistribution		Write		aws:ResourceTag/${TagKey}
UpdateUserHierarchy	Grants permission to update a hierarchy group for a user in an Amazon Connect instance	Write	user*
			hierarchy-group
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserHierarchyGroupName	Grants permission to update a user hierarchy group name in an Amazon Connect instance	Write	hierarchy-group*
UpdateUserHierarchyGroupName		Write		connect:InstanceId
UpdateUserHierarchyStructure	Grants permission to update user hierarchy structure in an Amazon Connect instance	Write	instance*
UpdateUserHierarchyStructure		Write		connect:InstanceId
UpdateUserIdentityInfo	Grants permission to update identity information for a user in an Amazon Connect instance	Write	user*
UpdateUserIdentityInfo		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserPhoneConfig	Grants permission to update phone configuration settings for a user in an Amazon Connect instance	Write	user*
UpdateUserPhoneConfig		Write		aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserRoutingProfile	Grants permission to update a routing profile for a user in an Amazon Connect instance	Write	routing-profile*
			user*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserSecurityProfiles	Grants permission to update security profiles for a user in an Amazon Connect instance	Write	security-profile*
			user*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdatedescribeContent	Grants permission to update contact flow module content in an Amazon Connect instance	Write	contact-flow-module*
UpdatedescribeContent		Write		aws:ResourceTag/${TagKey} connect:InstanceId

Resource types defined by Amazon Connect

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
instance	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}`	aws:ResourceTag/${TagKey}
contact	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact/${ContactId}`
user	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent/${UserId}`	aws:ResourceTag/${TagKey}
routing-profile	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/routing-profile/${RoutingProfileId}`	aws:ResourceTag/${TagKey}
security-profile	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/security-profile/${SecurityProfileId}`	aws:ResourceTag/${TagKey}
hierarchy-group	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-group/${HierarchyGroupId}`	aws:ResourceTag/${TagKey}
queue	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/${QueueId}`	aws:ResourceTag/${TagKey}
wildcard-queue	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/*`
quick-connect	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/${QuickConnectId}`	aws:ResourceTag/${TagKey}
wildcard-quick-connect	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/*`
contact-flow	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/${ContactFlowId}`	aws:ResourceTag/${TagKey}
task-template	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/task-template/${TaskTemplateId}`	aws:ResourceTag/${TagKey}
contact-flow-module	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/flow-module/${ContactFlowModuleId}`	aws:ResourceTag/${TagKey}
wildcard-contact-flow	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/*`
hours-of-operation	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/operating-hours/${HoursOfOperationId}`	aws:ResourceTag/${TagKey}
agent-status	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-state/${AgentStatusId}`	aws:ResourceTag/${TagKey}
wildcard-agent-status	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-state/*`
legacy-phone-number	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-number/${PhoneNumberId}`
wildcard-legacy-phone-number	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-number/*`
phone-number	`arn:${Partition}:connect:${Region}:${Account}:phone-number/${PhoneNumberId}`	aws:ResourceTag/${TagKey}
wildcard-phone-number	`arn:${Partition}:connect:${Region}:${Account}:phone-number/*`	aws:ResourceTag/${TagKey}
integration-association	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/integration-association/${IntegrationAssociationId}`	aws:ResourceTag/${TagKey}
use-case	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/use-case/${UseCaseId}`	aws:ResourceTag/${TagKey}
vocabulary	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/vocabulary/${VocabularyId}`	aws:ResourceTag/${TagKey}
traffic-distribution-group	`arn:${Partition}:connect:${Region}:${Account}:traffic-distribution-group/${TrafficDistributionGroupId}`	aws:ResourceTag/${TagKey}
rule	`arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/rule/${RuleId}`	aws:ResourceTag/${TagKey}

Condition keys for Amazon Connect

Amazon Connect defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access by using tag key-value pairs in the request	String
aws:ResourceTag/${TagKey}	Filters access by using tag key-value pairs attached to the resource	String
aws:TagKeys	Filters access by using tag keys in the request	ArrayOfString
connect:AttributeType	Filters access by the attribute type of the Amazon Connect instance	String
connect:InstanceId	Filters access by restricting federation into specified Amazon Connect instances	String
connect:MonitorCapabilities	Filters access by restricting the monitor capabilities of the user in the request	ArrayOfString
connect:SearchTag/${TagKey}	Filters access by TagFilter condition passed in the search request	String
connect:StorageResourceType	Filters access by restricting the storage resource type of the Amazon Connect instance storage configuration	String

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS Config

Amazon Connect Cases