Actions, resources, and condition keys for Amazon Connect

Amazon Connect (service prefix: connect) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

• Learn how to configure this service.

• View a list of the API operations available for this service.

• Learn how to secure this service and its resources by using IAM permission policies.

Actions defined by Amazon Connect

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys	Dependent actions
AssociateApprovedOrigin	Grants permission to associate approved origin for an existing Amazon Connect instance	Write	instance*
				connect:InstanceId
AssociateBot	Grants permission to associate a Lex bot for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy lex:CreateResourcePolicy lex:DescribeBotAlias lex:GetBot lex:UpdateResourcePolicy
				connect:InstanceId
AssociateCustomerProfilesDomain	Grants permission to associate a Customer Profiles domain for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy profile:GetDomain
AssociateDefaultVocabulary	Grants permission to default vocabulary for an existing Amazon Connect instance	Write	instance*
				connect:InstanceId
AssociateInstanceStorageConfig	Grants permission to associate instance storage for an existing Amazon Connect instance	Write	instance*		ds:DescribeDirectories firehose:DescribeDeliveryStream iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy kinesis:DescribeStream kms:CreateGrant kms:DescribeKey s3:GetBucketAcl s3:GetBucketLocation
				connect:StorageResourceType connect:InstanceId
AssociateLambdaFunction	Grants permission to associate a Lambda function for an existing Amazon Connect instance	Write	instance*		lambda:AddPermission
				connect:InstanceId
AssociateLexBot	Grants permission to associate a Lex bot for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy lex:GetBot
				connect:InstanceId
AssociatePhoneNumberContactFlow	Grants permission to associate contact flow resources to phone number resources in an Amazon Connect instance	Write	contact-flow*
			phone-number*
				aws:ResourceTag/${TagKey} connect:InstanceId
AssociateQueueQuickConnects	Grants permission to associate quick connects with a queue in an Amazon Connect instance	Write	queue*
			quick-connect*
				aws:ResourceTag/${TagKey} connect:InstanceId
AssociateRoutingProfileQueues	Grants permission to associate queues with a routing profile in an Amazon Connect instance	Write	queue*
			routing-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
AssociateSecurityKey	Grants permission to associate a security key for an existing Amazon Connect instance	Write	instance*
				connect:InstanceId
BatchAssociateAnalyticsDataSet [permission only]	Grants permission to grant access and to associate the datasets with the specified AWS account	Write	instance*
				connect:InstanceId
BatchDisassociateAnalyticsDataSet [permission only]	Grants permission to revoke access and to disassociate the datasets with the specified AWS account	Write	instance*
				connect:InstanceId
ClaimPhoneNumber	Grants permission to claim phone number resources in an Amazon Connect instance	Write	instance*
			wildcard-phone-number*
				aws:RequestTag/${TagKey} aws:TagKeys
CreateAgentStatus	Grants permission to create agent status in an Amazon Connect instance	Write	agent-status*
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateContactFlow	Grants permission to create a contact flow in an Amazon Connect instance	Write	contact-flow*
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateContactFlowModule	Grants permission to create a contact flow module in an Amazon Connect instance	Write	contact-flow-module*
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateHoursOfOperation	Grants permission to create hours of operation in an Amazon Connect instance	Write	hours-of-operation*
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateInstance	Grants permission to create a new Amazon Connect instance	Write		aws:RequestTag/${TagKey} aws:TagKeys	ds:AuthorizeApplication ds:CheckAlias ds:CreateAlias ds:CreateDirectory ds:CreateIdentityPoolDirectory ds:DeleteDirectory ds:DescribeDirectories ds:UnauthorizeApplication iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy
CreateIntegrationAssociation	Grants permission to create an integration association with an Amazon Connect instance	Write	instance*		app-integrations:CreateEventIntegrationAssociation connect:DescribeInstance ds:DescribeDirectories events:PutRule events:PutTargets mobiletargeting:GetApp voiceid:DescribeDomain wisdom:GetAssistant wisdom:GetKnowledgeBase
			integration-association*
				connect:InstanceId aws:RequestTag/${TagKey} aws:TagKeys
CreateQueue	Grants permission to create a queue in an Amazon Connect instance	Write	hours-of-operation*
			queue*
			contact-flow
			phone-number
			quick-connect
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateQuickConnect	Grants permission to create a quick connect in an Amazon Connect instance	Write	quick-connect*
			contact-flow
			queue
			user
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateRoutingProfile	Grants permission to create a routing profile in an Amazon Connect instance	Write	queue*
			routing-profile*
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateSecurityProfile	Grants permission to create a security profile for the specified Amazon Connect instance	Write	security-profile*
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateTaskTemplate	Grants permission to create a task template in an Amazon Connect instance	Write	task-template*
CreateUseCase	Grants permission to create a use case for an integration association	Write	instance*		connect:DescribeInstance ds:DescribeDirectories
			integration-association*
			use-case*
				connect:InstanceId aws:RequestTag/${TagKey} aws:TagKeys
CreateUser	Grants permission to create a user for the specified Amazon Connect instance	Write	routing-profile*
			security-profile*
			user*
			hierarchy-group
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateUserHierarchyGroup	Grants permission to create a user hierarchy group in an Amazon Connect instance	Write	hierarchy-group
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
CreateVocabulary	Grants permission to create a vocabulary in an Amazon Connect instance	Write	vocabulary*
				aws:RequestTag/${TagKey} aws:TagKeys connect:InstanceId
DeleteContactFlow	Grants permission to delete a contact flow in an Amazon Connect instance	Write	contact-flow*
				aws:ResourceTag/${TagKey} connect:InstanceId
DeleteContactFlowModule	Grants permission to delete a contact flow module in an Amazon Connect instance	Write	contact-flow-module*
				aws:ResourceTag/${TagKey} connect:InstanceId
DeleteHoursOfOperation	Grants permission to delete hours of operation in an Amazon Connect instance	Write	hours-of-operation*
				aws:ResourceTag/${TagKey} connect:InstanceId
DeleteInstance	Grants permission to delete an Amazon Connect instance. When you remove an instance, the link to an existing AWS directory is also removed	Write	instance*		ds:DeleteDirectory ds:DescribeDirectories ds:UnauthorizeApplication
				connect:InstanceId aws:ResourceTag/${TagKey}
DeleteIntegrationAssociation	Grants permission to delete an integration association from an Amazon Connect instance. The association must not have any use cases associated with it	Write	instance*		app-integrations:DeleteEventIntegrationAssociation connect:DescribeInstance ds:DescribeDirectories events:DeleteRule events:ListTargetsByRule events:RemoveTargets
			integration-association*
				connect:InstanceId
DeleteQuickConnect	Grants permission to delete a quick connect in an Amazon Connect instance	Write	quick-connect*
				aws:ResourceTag/${TagKey} connect:InstanceId
DeleteSecurityProfile	Grants permission to delete a security profile in an Amazon Connect instance	Write	security-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
DeleteTaskTemplate	Grants permission to delete a task template in an Amazon Connect instance	Write	task-template*
				aws:ResourceTag/${TagKey} connect:InstanceId
DeleteUseCase	Grants permission to delete a use case from an integration association	Write	instance*		connect:DescribeInstance ds:DescribeDirectories
			use-case*
				connect:InstanceId
DeleteUser	Grants permission to delete a user in an Amazon Connect instance	Write	user*
				aws:ResourceTag/${TagKey} connect:InstanceId
DeleteUserHierarchyGroup	Grants permission to delete a user hierarchy group in an Amazon Connect instance	Write	hierarchy-group*
				connect:InstanceId
DeleteVocabulary	Grants permission to delete a vocabulary in an Amazon Connect instance	Write	vocabulary*
				aws:ResourceTag/${TagKey} connect:InstanceId
DescribeAgentStatus	Grants permission to describe agent status in an Amazon Connect instance	Read	agent-status*
				aws:ResourceTag/${TagKey} connect:InstanceId
DescribeContact	Grants permission to describe a contact in an Amazon Connect instance	Read	contact*
				connect:InstanceId
DescribeContactFlow	Grants permission to describe a contact flow in an Amazon Connect instance	Read	contact-flow*
				aws:ResourceTag/${TagKey} connect:InstanceId
DescribeContactFlowModule	Grants permission to describe a contact flow module in an Amazon Connect instance	Read	contact-flow-module*
				aws:ResourceTag/${TagKey} connect:InstanceId
DescribeHoursOfOperation	Grants permission to describe hours of operation in an Amazon Connect instance	Read	hours-of-operation*
				aws:ResourceTag/${TagKey} connect:InstanceId
DescribeInstance	Grants permission to view details of an Amazon Connect instance and is also required to create an instance	Read	instance*		ds:DescribeDirectories
				connect:InstanceId aws:ResourceTag/${TagKey}
DescribeInstanceAttribute	Grants permission to view the attribute details of an existing Amazon Connect instance	Read	instance*
				connect:AttributeType connect:InstanceId
DescribeInstanceStorageConfig	Grants permission to view the instance storage configuration for an existing Amazon Connect instance	Read	instance*
				connect:StorageResourceType connect:InstanceId
DescribePhoneNumber	Grants permission to describe phone number resources in an Amazon Connect instance	List	phone-number*
				aws:ResourceTag/${TagKey}
DescribeQueue	Grants permission to describe a queue in an Amazon Connect instance	Read	queue*
				aws:ResourceTag/${TagKey} connect:InstanceId
DescribeQuickConnect	Grants permission to describe a quick connect in an Amazon Connect instance	Read	quick-connect*
				aws:ResourceTag/${TagKey} connect:InstanceId
DescribeRoutingProfile	Grants permission to describe a routing profile in an Amazon Connect instance	Read	routing-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
DescribeSecurityProfile	Grants permission to describe a security profile in an Amazon Connect instance	Read	security-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
DescribeUser	Grants permission to describe a user in an Amazon Connect instance	Read	user*
				aws:ResourceTag/${TagKey} connect:InstanceId
DescribeUserHierarchyGroup	Grants permission to describe a hierarchy group for an Amazon Connect instance	Read	hierarchy-group*
				connect:InstanceId
DescribeUserHierarchyStructure	Grants permission to describe the hierarchy structure for an Amazon Connect instance	Read	instance*
				connect:InstanceId
DescribeVocabulary	Grants permission to describe a vocabulary in an Amazon Connect instance	Read	vocabulary*
				aws:ResourceTag/${TagKey} connect:InstanceId
DisassociateApprovedOrigin	Grants permission to disassociate approved origin for an existing Amazon Connect instance	Write	instance*
				connect:InstanceId
DisassociateBot	Grants permission to disassociate a Lex bot for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy lex:DeleteResourcePolicy lex:UpdateResourcePolicy
				connect:InstanceId
DisassociateCustomerProfilesDomain	Grants permission to disassociate a Customer Profiles domain for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:DeleteRolePolicy iam:DetachRolePolicy iam:GetPolicy iam:GetPolicyVersion iam:GetRolePolicy
DisassociateInstanceStorageConfig	Grants permission to disassociate instance storage for an existing Amazon Connect instance	Write	instance*
				connect:StorageResourceType connect:InstanceId
DisassociateLambdaFunction	Grants permission to disassociate a Lambda function for an existing Amazon Connect instance	Write	instance*		lambda:RemovePermission
				connect:InstanceId
DisassociateLexBot	Grants permission to disassociate a Lex bot for an existing Amazon Connect instance	Write	instance*		iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy
				connect:InstanceId
DisassociatePhoneNumberContactFlow	Grants permission to disassociate contact flow resources from phone number resources in an Amazon Connect instance	Write	phone-number*
				aws:ResourceTag/${TagKey} connect:InstanceId
DisassociateQueueQuickConnects	Grants permission to disassociate quick connects from a queue in an Amazon Connect instance	Write	queue*
			quick-connect*
				aws:ResourceTag/${TagKey} connect:InstanceId
DisassociateRoutingProfileQueues	Grants permission to disassociate queues from a routing profile in an Amazon Connect instance	Write	routing-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
DisassociateSecurityKey	Grants permission to disassociate the security key for an existing Amazon Connect instance	Write	instance*
				connect:InstanceId
GetContactAttributes	Grants permission to retrieve the contact attributes for the specified contact	Read	contact*
				connect:InstanceId
GetCurrentMetricData	Grants permission to retrieve current metric data for the queues in an Amazon Connect instance	Read	queue*
				connect:InstanceId
GetCurrentUserData	Grants permission to retrieve current user data in an Amazon Connect instance	Read	queue*
				connect:InstanceId
GetFederationToken	Grants permission to federate into an Amazon Connect instance when using SAML-based authentication for identity management	Read	instance*
				connect:InstanceId
GetFederationTokens	Grants permission to federate into an Amazon Connect instance (Log in for emergency access functionality in the Amazon Connect console)	Write	instance*		connect:DescribeInstance connect:ListInstances ds:DescribeDirectories
GetMetricData	Grants permission to retrieve historical metric data for queues in an Amazon Connect instance	Read	queue*
				connect:InstanceId
GetTaskTemplate	Grants permission to get details about specified task template in an Amazon Connect instance	Read	task-template*
				aws:ResourceTag/${TagKey} connect:InstanceId
ListAgentStatuses	Grants permission to list agent statuses in an Amazon Connect instance	List	wildcard-agent-status*
ListApprovedOrigins	Grants permission to view approved origins of an existing Amazon Connect instance	List	instance*
				connect:InstanceId
ListBots	Grants permission to view the Lex bots of an existing Amazon Connect instance	List	instance*
				connect:InstanceId
ListContactFlowModules	Grants permission to list contact flow module resources in an Amazon Connect instance	List	instance*
ListContactFlows	Grants permission to list contact flow resources in an Amazon Connect instance	List	wildcard-contact-flow*
ListContactReferences	Grants permission to list references associated with a contact in an Amazon Connect instance	List	contact*
				connect:InstanceId
ListDefaultVocabularies	Grants permission to list default vocabularies associated with a Amazon Connect instance	List	instance*
				connect:InstanceId
ListHoursOfOperations	Grants permission to list hours of operation resources in an Amazon Connect instance	List	instance*
				connect:InstanceId
ListInstanceAttributes	Grants permission to view the attributes of an existing Amazon Connect instance	List	instance*
				connect:InstanceId
ListInstanceStorageConfigs	Grants permission to view storage configurations of an existing Amazon Connect instance	List	instance*
				connect:InstanceId
ListInstances	Grants permission to view the Amazon Connect instances associated with an AWS account	List			ds:DescribeDirectories
ListIntegrationAssociations	Grants permission to list summary information about the integration associations for the specified Amazon Connect instance	List	instance*		connect:DescribeInstance ds:DescribeDirectories
				connect:InstanceId
ListLambdaFunctions	Grants permission to view the Lambda functions of an existing Amazon Connect instance	List	instance*
				connect:InstanceId
ListLexBots	Grants permission to view the Lex bots of an existing Amazon Connect instance	List	instance*
				connect:InstanceId
ListPhoneNumbers	Grants permission to list phone number resources in an Amazon Connect instance	List	wildcard-legacy-phone-number*
ListPhoneNumbersV2	Grants permission to list phone number resources in an Amazon Connect instance	List	wildcard-phone-number*
ListPrompts	Grants permission to list prompt resources in an Amazon Connect instance	List	instance*
				connect:InstanceId
ListQueueQuickConnects	Grants permission to list quick connect resources in a queue in an Amazon Connect instance	List	queue*
				aws:ResourceTag/${TagKey} connect:InstanceId
ListQueues	Grants permission to list queue resources in an Amazon Connect instance	List	wildcard-queue*
ListQuickConnects	Grants permission to list quick connect resources in an Amazon Connect instance	List	wildcard-quick-connect*
ListRealtimeContactAnalysisSegments	Grants permission to list the analysis segments for a real-time analysis session	Read	contact*
ListRoutingProfileQueues	Grants permission to list queue resources in a routing profile in an Amazon Connect instance	List	routing-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
ListRoutingProfiles	Grants permission to list routing profile resources in an Amazon Connect instance	List	instance*
				connect:InstanceId
ListSecurityKeys	Grants permission to view the security keys of an existing Amazon Connect instance	List	instance*
				connect:InstanceId
ListSecurityProfilePermissions	Grants permission to list permissions associated with security profile in an Amazon Connect instance	List	security-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
ListSecurityProfiles	Grants permission to list security profile resources in an Amazon Connect instance	List	instance*
				connect:InstanceId
ListTagsForResource	Grants permission to list tags for an Amazon Connect resource	Read	agent-status
			contact-flow
			contact-flow-module
			hierarchy-group
			hours-of-operation
			integration-association
			phone-number
			queue
			quick-connect
			routing-profile
			security-profile
			use-case
			user
			wildcard-phone-number
				aws:ResourceTag/${TagKey}
ListTaskTemplates	Grants permission to list task template resources in an Amazon Connect instance	List	instance*
ListUseCases	Grants permission to list the use cases of an integration association	List	instance*		connect:DescribeInstance ds:DescribeDirectories
				connect:InstanceId
ListUserHierarchyGroups	Grants permission to list the hierarchy group resources in an Amazon Connect instance	List	instance*
				connect:InstanceId
ListUsers	Grants permission to list user resources in an Amazon Connect instance	List	instance*
				connect:InstanceId
PutUserStatus	Grants permission to switch User Status in an Amazon Connect instance	Write	agent-status*
			instance*
			user*
				aws:ResourceTag/${TagKey} connect:InstanceId
ReleasePhoneNumber	Grants permission to release phone number resources in an Amazon Connect instance	Write	phone-number*
				aws:ResourceTag/${TagKey}
ResumeContactRecording	Grants permission to resume recording for the specified contact	Write	contact*
SearchAvailablePhoneNumbers	Grants permission to search phone number resources in an Amazon Connect instance	List	wildcard-phone-number*
SearchUsers	Grants permission to search user resources in an Amazon Connect instance	Read	instance*		connect:DescribeUser
				connect:InstanceId connect:SearchTag/${TagKey}
SearchVocabularies	Grants permission to search vocabularies in a Amazon Connect instance	List	vocabulary*
				connect:InstanceId
StartChatContact	Grants permission to initiate a chat using the Amazon Connect API	Write	contact-flow*
StartContactRecording	Grants permission to start recording for the specified contact	Write	contact*
StartContactStreaming	Grants permission to start chat streaming using the Amazon Connect API	Write	instance*
StartOutboundVoiceContact	Grants permission to initiate outbound calls using the Amazon Connect API	Write	contact*
StartTaskContact	Grants permission to initiate a task using the Amazon Connect API	Write	contact-flow*
				connect:InstanceId
StopContact	Grants permission to stop contacts that were initiated using the Amazon Connect API. If you use this operation on an active contact the contact ends, even if the agent is active on a call with a customer	Write	contact*
				connect:InstanceId
StopContactRecording	Grants permission to stop recording for the specified contact	Write	contact*
StopContactStreaming	Grants permission to stop chat streaming using the Amazon Connect API	Write	instance*
SuspendContactRecording	Grants permission to suspend recording for the specified contact	Write	contact*
TagResource	Grants permission to tag an Amazon Connect resource	Tagging	agent-status
			contact-flow
			contact-flow-module
			hierarchy-group
			hours-of-operation
			integration-association
			phone-number
			queue
			quick-connect
			routing-profile
			security-profile
			use-case
			user
			wildcard-phone-number
				aws:TagKeys aws:RequestTag/${TagKey}
TransferContact	Grants permission to transfer the contact to another queue or agent	Write	contact*
			contact-flow*
			instance*
				connect:InstanceId
UntagResource	Grants permission to untag an Amazon Connect resource	Tagging	agent-status
			contact-flow
			contact-flow-module
			hierarchy-group
			hours-of-operation
			integration-association
			phone-number
			queue
			quick-connect
			routing-profile
			security-profile
			use-case
			user
			wildcard-phone-number
				aws:TagKeys aws:RequestTag/${TagKey}
UpdateAgentStatus	Grants permission to update agent status in an Amazon Connect instance	Write	agent-status*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateContact	Grants permission to update a contact in an Amazon Connect instance	Write	contact*
				connect:InstanceId
UpdateContactAttributes	Grants permission to create or update the contact attributes associated with the specified contact	Write	contact*
				connect:InstanceId
UpdateContactFlowContent	Grants permission to update contact flow content in an Amazon Connect instance	Write	contact-flow*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateContactFlowMetadata	Grants permission to update the metadata of a contact flow in an Amazon Connect instance	Write	contact-flow*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateContactFlowModuleContent	Grants permission to update contact flow module content in an Amazon Connect instance	Write	contact-flow-module*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateContactFlowModuleMetadata	Grants permission to update the metadata of a contact flow module in an Amazon Connect instance	Write	contact-flow-module*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateContactFlowName	Grants permission to update the name and description of a contact flow in an Amazon Connect instance	Write	contact-flow*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateContactSchedule	Grants permission to update the schedule of a contact that is already scheduled in an Amazon Connect instance	Write	contact*
				connect:InstanceId
UpdateHoursOfOperation	Grants permission to update hours of operation in an Amazon Connect instance	Write	hours-of-operation*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateInstanceAttribute	Grants permission to update the attribute for an existing Amazon Connect instance	Write	instance*		ds:DescribeDirectories iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy logs:CreateLogGroup
				connect:AttributeType connect:InstanceId
UpdateInstanceStorageConfig	Grants permission to update the storage configuration for an existing Amazon Connect instance	Write	instance*		ds:DescribeDirectories firehose:DescribeDeliveryStream iam:AttachRolePolicy iam:CreateServiceLinkedRole iam:PutRolePolicy kinesis:DescribeStream kms:CreateGrant kms:DescribeKey s3:GetBucketAcl s3:GetBucketLocation
				connect:StorageResourceType connect:InstanceId
UpdatePhoneNumber	Grants permission to update phone number resources in an Amazon Connect instance	Write	instance*
			phone-number*
				aws:ResourceTag/${TagKey}
UpdateQueueHoursOfOperation	Grants permission to update queue hours of operation in an Amazon Connect instance	Write	hours-of-operation*
			queue*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueMaxContacts	Grants permission to update queue capacity in an Amazon Connect instance	Write	queue*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueName	Grants permission to update a queue name and description in an Amazon Connect instance	Write	queue*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueOutboundCallerConfig	Grants permission to update queue outbound caller config in an Amazon Connect instance	Write	queue*
			contact-flow
			phone-number
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQueueStatus	Grants permission to update queue status in an Amazon Connect instance	Write	queue*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQuickConnectConfig	Grants permission to update the configuration of a quick connect in an Amazon Connect instance	Write	quick-connect*
			contact-flow
			queue
			user
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateQuickConnectName	Grants permission to update a quick connect name and description in an Amazon Connect instance	Write	quick-connect*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRoutingProfileConcurrency	Grants permission to update the concurrency in a routing profile in an Amazon Connect instance	Write	routing-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRoutingProfileDefaultOutboundQueue	Grants permission to update the outbound queue in a routing profile in an Amazon Connect instance	Write	queue*
			routing-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRoutingProfileName	Grants permission to update a routing profile name and description in an Amazon Connect instance	Write	routing-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateRoutingProfileQueues	Grants permission to update the queues in routing profile in an Amazon Connect instance	Write	routing-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateSecurityProfile	Grants permission to update a security profile group for a user in an Amazon Connect instance	Write	security-profile*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateTaskTemplate	Grants permission to update task template belonging to a Amazon Connect instance	Write	task-template*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserHierarchy	Grants permission to update a hierarchy group for a user in an Amazon Connect instance	Write	user*
			hierarchy-group
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserHierarchyGroupName	Grants permission to update a user hierarchy group name in an Amazon Connect instance	Write	hierarchy-group*
				connect:InstanceId
UpdateUserHierarchyStructure	Grants permission to update user hierarchy structure in an Amazon Connect instance	Write	instance*
				connect:InstanceId
UpdateUserIdentityInfo	Grants permission to update identity information for a user in an Amazon Connect instance	Write	user*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserPhoneConfig	Grants permission to update phone configuration settings for a user in an Amazon Connect instance	Write	user*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserRoutingProfile	Grants permission to update a routing profile for a user in an Amazon Connect instance	Write	routing-profile*
			user*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdateUserSecurityProfiles	Grants permission to update security profiles for a user in an Amazon Connect instance	Write	security-profile*
			user*
				aws:ResourceTag/${TagKey} connect:InstanceId
UpdatedescribeContent	Grants permission to update contact flow module content in an Amazon Connect instance	Write	contact-flow-module*
				aws:ResourceTag/${TagKey} connect:InstanceId

Resource types defined by Amazon Connect

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
instance	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}	aws:ResourceTag/${TagKey}
contact	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact/${ContactId}
user	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent/${UserId}	aws:ResourceTag/${TagKey}
routing-profile	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/routing-profile/${RoutingProfileId}	aws:ResourceTag/${TagKey}
security-profile	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/security-profile/${SecurityProfileId}	aws:ResourceTag/${TagKey}
hierarchy-group	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-group/${HierarchyGroupId}	aws:ResourceTag/${TagKey}
queue	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/${QueueId}	aws:ResourceTag/${TagKey}
wildcard-queue	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/*
quick-connect	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/${QuickConnectId}	aws:ResourceTag/${TagKey}
wildcard-quick-connect	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/*
contact-flow	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/${ContactFlowId}	aws:ResourceTag/${TagKey}
task-template	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/task-template/${TaskTemplateId}	aws:ResourceTag/${TagKey}
contact-flow-module	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/flow-module/${ContactFlowModuleId}	aws:ResourceTag/${TagKey}
wildcard-contact-flow	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/*
hours-of-operation	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/operating-hours/${HoursOfOperationId}	aws:ResourceTag/${TagKey}
agent-status	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-state/${AgentStatusId}	aws:ResourceTag/${TagKey}
wildcard-agent-status	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-state/*
legacy-phone-number	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-number/${PhoneNumberId}
wildcard-legacy-phone-number	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-number/*
phone-number	arn:${Partition}:connect:${Region}:${Account}:phone-number/${PhoneNumberId}	aws:ResourceTag/${TagKey}
wildcard-phone-number	arn:${Partition}:connect:${Region}:${Account}:phone-number/*	aws:ResourceTag/${TagKey}
integration-association	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/integration-association/${IntegrationAssociationId}	aws:ResourceTag/${TagKey}
use-case	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/use-case/${UseCaseId}	aws:ResourceTag/${TagKey}
vocabulary	arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/vocabulary/${VocabularyId}	aws:ResourceTag/${TagKey}

Condition keys for Amazon Connect

Amazon Connect defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access by using tag key-value pairs in the request	String
aws:ResourceTag/${TagKey}	Filters access by using tag key-value pairs attached to the resource	String
aws:TagKeys	Filters access by using tag keys in the request	ArrayOfString
connect:AttributeType	Filters access by the attribute type of the Amazon Connect instance	String
connect:InstanceId	Filters access by restricting federation into specified Amazon Connect instances	String
connect:SearchTag/${TagKey}	Filters access by TagFilter condition passed in the search request	String
connect:StorageResourceType	Filters access by restricting the storage resource type of the Amazon Connect instance storage configuration	String