Actions, resources, and condition keys for Amazon Connect
Amazon Connect (service prefix: connect) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon Connect
You can specify the following actions in the Action
element of an IAM policy statement. Use policies to grant permissions to perform
an operation in AWS. When you use an action in a policy, you usually allow or
deny access to the API operation or CLI command with the same name. However,
in some cases, a single action controls access to more than one operation. Alternatively,
some operations require several different actions.
The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the
Resource
element of your policy statement. If the column includes a resource type, then
you can specify an ARN of that type in a statement with that action. Required
resources are indicated in the table with an asterisk (*). If you specify a resource-level
permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not
indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see The actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AssociateApprovedOrigin | Grants permissions to associate approved origin for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | |||
AssociateInstanceStorageConfig | Grants permissions to associate instance storage for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | | | ds:DescribeDirectories, firehose:DescribeDeliveryStream, iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, kinesis:DescribeStream, kms:CreateGrant, kms:DescribeKey, s3:GetBucketAcl, s3:GetBucketLocation |
AssociateLambdaFunction | Grants permissions to associate a Lambda function for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | | | lambda:AddPermission |
AssociateLexBot | Grants permissions to associate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | | | iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, lex:GetBot |
AssociateRoutingProfileQueues | Grants permissions to associate queues with a routing profile in an Amazon Connect instance. | Write | |||
AssociateSecurityKey | Grants permissions to associate a security key for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | |||
CreateContactFlow | Grants permissions to create a contact flow in an Amazon Connect instance. | Write | |||
CreateInstance | Grants permissions to create a new Amazon Connect instance. The associated required actions grant permissions to configure instance settings. | Write | | | ds:AuthorizeApplication, ds:CheckAlias, ds:CreateAlias, ds:CreateDirectory, ds:CreateIdentityPoolDirectory, ds:DeleteDirectory, ds:DescribeDirectories, ds:UnauthorizeApplication, iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy |
CreateQuickConnect | Grants permission to create a quick connect in an Amazon Connect instance. | Write | |||
CreateRoutingProfile | Grants permission to create a routing profile in an Amazon Connect instance. | Write | |||
CreateUser | Grants permission to create a user for the specified Amazon Connect instance. | Write | |||
CreateUserHierarchyGroup | Grants permissions to create a user hierarchy group in an Amazon Connect instance. | Write | |||
DeleteInstance | Grants permissions to delete an Amazon Connect instance. When you remove an instance, the link to an existing AWS directory is also removed. | Write | | | ds:DeleteDirectory, ds:DescribeDirectories, ds:UnauthorizeApplication |
DeleteQuickConnect | Grants permissions to delete a quick connect in an Amazon Connect instance. | Write | |||
DeleteUser | Grants permissions to delete a user in an Amazon Connect instance. | Write | |||
DeleteUserHierarchyGroup | Grants permissions to delete a user hierarchy group in an Amazon Connect instance. | Write | |||
DescribeContactFlow | Grants permissions to describe a contact flow in an Amazon Connect instance. | Read | |||
DescribeInstance | Grants permissions to view details of an Amazon Connect instance. This is required to create an instance. | Read | | | ds:DescribeDirectories |
DescribeInstanceAttribute | Grants permissions to view the attribute details of an existing Amazon Connect instance. | Read | |||
DescribeInstanceStorageConfig | Grants permissions to view the instance storage configuration for an existing Amazon Connect instance. | Read | |||
DescribeQuickConnect | Grants permissions to describe a quick connect in an Amazon Connect instance. | Read | |||
DescribeRoutingProfile | Grants permissions to describe a routing profile in an Amazon Connect instance. | Read | |||
DescribeUser | Grants permissions to describe a user in an Amazon Connect instance. | Read | |||
DescribeUserHierarchyGroup | Grants permissions to describe a hierarchy group for an Amazon Connect instance. | Read | |||
DescribeUserHierarchyStructure | Grants permissions to describe the hierarchy structure for an Amazon Connect instance. | Read | |||
DisassociateApprovedOrigin | Grants permissions to disassociate approved origin for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | |||
DisassociateInstanceStorageConfig | Grants permissions to disassociate instance storage for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | |||
DisassociateLambdaFunction | Grants permissions to disassociate a Lambda function for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | | | lambda:RemovePermission |
DisassociateLexBot | Grants permissions to disassociate a Lex bot for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | | | iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy |
DisassociateRoutingProfileQueues | Grants permissions to disassociate queues from a routing profile in an Amazon Connect instance. | Write | |||
DisassociateSecurityKey | Grants permissions to disassociate the security key for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | |||
GetContactAttributes | Grants permissions to retrieve the contact attributes for the specified contact. | Read | |||
GetCurrentMetricData | Grants permissions to retrieve current metric data for the queues in an Amazon Connect instance. | Read | |||
GetFederationToken | Allows federation into an instance when using SAML-based authentication for identity management. | Read | |||
GetFederationTokens | Grants permissions to federate in to an Amazon Connect instance (Log in as administrator functionality in the AWS console). | Write | | | connect:DescribeInstance, connect:ListInstances, ds:DescribeDirectories |
GetMetricData | Grants permissions to retrieve historical metric data for queues in an Amazon Connect instance. | Read | |||
ListApprovedOrigins | Grants permissions to view approved origins of an existing Amazon Connect instance. | List | |||
ListContactFlows | Grants permissions to list contact flow resources in an Amazon Connect instance. | List | |||
ListHoursOfOperations | Grants permissions to list hours of operation resources in an Amazon Connect instance. | List | |||
ListInstanceAttributes | Grants permissions to view the attributes of an existing Amazon Connect instance. | List | |||
ListInstanceStorageConfigs | Grants permissions to view storage configurations of an existing Amazon Connect instance. | List | |||
ListInstances | Grants permissions to view the Amazon Connect instances associated with an AWS account. | List | | | ds:DescribeDirectories |
ListLambdaFunctions | Grants permissions to view the Lambda functions of an existing Amazon Connect instance. | List | |||
ListLexBots | Grants permissions to view the Lex bots of an existing Amazon Connect instance. | List | |||
ListPhoneNumbers | Grants permissions to list phone number resources in an Amazon Connect instance. | List | |||
ListPrompts | Grants permissions to list prompt resources in an Amazon Connect instance. | List | |||
ListQueues | Grants permissions to list queue resources in an Amazon Connect instance. | List | |||
ListQuickConnects | Grants permissions to list quick connect resources in an Amazon Connect instance. | List | |||
ListRoutingProfileQueues | Grants permissions to list queue resources in a routing profile in an Amazon Connect instance. | Read | |||
ListRoutingProfiles | Grants permissions to list routing profile resources in an Amazon Connect instance. | List | |||
ListSecurityKeys | Grants permissions to view the security keys of an existing Amazon Connect instance. | List | |||
ListSecurityProfiles | Grants permissions to list security profile resources in an Amazon Connect instance. | List | |||
ListTagsForResource | Grants permissions to list tags for an Amazon Connect resource. | Read | |||
ListUserHierarchyGroups | Grants permissions to list the hierarchy group resources in an Amazon Connect instance. | List | |||
ListUsers | Grants permissions to list user resources in an Amazon Connect instance. | List | |||
ResumeContactRecording | Grants permissions to resume recording for the specified contact. | Write | |||
StartChatContact | Grants permissions to initiate a chat using the Amazon Connect API. | Write | |||
StartContactRecording | Grants permissions to start recording for the specified contact. | Write | |||
StartOutboundVoiceContact | Grants permissions to initiate outbound calls using the Amazon Connect API. | Write | |||
StartTaskContact | Grants permissions to initiate a task using the Amazon Connect API. | Write | |||
StopContact | Grants permissions to stop contacts that were initiated using the Amazon Connect API. If you use this operation on an active contact the contact ends, even if the agent is active on a call with a customer. | Write | |||
StopContactRecording | Grants permissions to stop recording for the specified contact. | Write | |||
SuspendContactRecording | Grants permissions to suspend recording for the specified contact. | Write | |||
TagResource | Grants permissions to tag an Amazon Connect resource. | Tagging | |||
UntagResource | Grants permissions to untag an Amazon Connect resource. | Tagging | |||
UpdateContactAttributes | Grants permissions to create or update the contact attributes associated with the specified contact. | Write | |||
UpdateContactFlowContent | Grants permissions to update contact flow content in an Amazon Connect instance. | Write | |||
UpdateContactFlowName | Grants permissions to update the name and description of a contact flow in an Amazon Connect instance. | Write | |||
UpdateInstanceAttribute | Grants permissions to update the attribute for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | | | ds:DescribeDirectories, iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, logs:CreateLogGroup |
UpdateInstanceStorageConfig | Grants permissions to update the storage configuration for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance. | Write | | | ds:DescribeDirectories, firehose:DescribeDeliveryStream, iam:AttachRolePolicy, iam:CreateServiceLinkedRole, iam:PutRolePolicy, kinesis:DescribeStream, kms:CreateGrant, kms:DescribeKey, s3:GetBucketAcl, s3:GetBucketLocation |
UpdateQuickConnectConfig | Grants permissions to update the configuration of a quick connect in an Amazon Connect instance. | Write | |||
UpdateQuickConnectName | Grants permissions to update a quick connect name and description in an Amazon Connect instance. | Write | |||
UpdateRoutingProfileConcurrency | Grants permissions to update the concurrency in a routing profile in an Amazon Connect instance. | Write | |||
UpdateRoutingProfileDefaultOutboundQueue | Grants permissions to update the outbound queue in a routing profile in an Amazon Connect instance. | Write | |||
UpdateRoutingProfileName | Grants permissions to update a routing profile name and description in an Amazon Connect instance. | Write | |||
UpdateRoutingProfileQueues | Grants permissions to update the queues in routing profile in an Amazon Connect instance. | Write | |||
UpdateUserHierarchy | Grants permissions to update a hierarchy group for a user in an Amazon Connect instance. | Write | |||
UpdateUserHierarchyGroupName | Grants permissions to update a user hierarchy group name in an Amazon Connect instance. | Write | |||
UpdateUserHierarchyStructure | Grants permissions to update user hierarchy structure in an Amazon Connect instance. | Write | |||
UpdateUserIdentityInfo | Grants permissions to update identity information for a user in an Amazon Connect instance. | Write | |||
UpdateUserPhoneConfig | Grants permissions to update phone configuration settings for a user in an Amazon Connect instance. | Write | |||
UpdateUserRoutingProfile | Grants permissions to update a routing profile for a user in an Amazon Connect instance. | Write | |||
UpdateUserSecurityProfiles | Grants permissions to update security profiles for a user in an Amazon Connect instance. | Write | |||
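The "Dependent actions" column is the part of this table that most often bites in practice: a policy that allows only `connect:AssociateLexBot` fails at run time because the IAM and Lex actions listed beside it were never granted. The following is an added example (not AWS code) that lints a policy document against a dependency map transcribed from the table above; the map covers a handful of representative actions, not the whole table, and the sample policies are constructed. Matching follows the documented rules for Action strings (case-insensitive, `*` and `?` wildcards); Deny statements, NotAction, conditions and resource scoping are deliberately not modelled, so "no missing dependencies" means only that each required action name is matched by some Allow statement.

```python
"""Find dependent actions from the Connect actions table that a policy does not grant."""
from fnmatch import fnmatchcase

# Transcribed from the "Dependent actions" column above (subset of the table).
DEPENDENT_ACTIONS = {
    "connect:AssociateLambdaFunction": ["lambda:AddPermission"],
    "connect:AssociateLexBot": [
        "iam:AttachRolePolicy", "iam:CreateServiceLinkedRole",
        "iam:PutRolePolicy", "lex:GetBot",
    ],
    "connect:DisassociateLambdaFunction": ["lambda:RemovePermission"],
    "connect:DeleteInstance": [
        "ds:DeleteDirectory", "ds:DescribeDirectories", "ds:UnauthorizeApplication",
    ],
    "connect:GetFederationTokens": [
        "connect:DescribeInstance", "connect:ListInstances", "ds:DescribeDirectories",
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list in Statement and Action fields."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def allowed_action_patterns(policy):
    """Collect every Action pattern that appears in an Allow statement."""
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            patterns.extend(_as_list(stmt.get("Action")))
    return patterns


def action_is_allowed(action, patterns):
    """Case-insensitive glob match, as IAM performs for Action strings."""
    action = action.lower()
    return any(fnmatchcase(action, pattern.lower()) for pattern in patterns)


def missing_dependencies(policy, action):
    """Dependent actions of `action` that no Allow statement in `policy` covers."""
    patterns = allowed_action_patterns(policy)
    if not action_is_allowed(action, patterns):
        raise ValueError(f"{action} itself is not allowed by this policy")
    return [dep for dep in DEPENDENT_ACTIONS.get(action, [])
            if not action_is_allowed(dep, patterns)]


def lint_policy(policy):
    """Map each allowed Connect action with known dependencies to the ones still missing."""
    patterns = allowed_action_patterns(policy)
    report = {}
    for action, deps in DEPENDENT_ACTIONS.items():
        if action_is_allowed(action, patterns):
            missing = [dep for dep in deps if not action_is_allowed(dep, patterns)]
            if missing:
                report[action] = missing
    return report


# Constructed sample: grants the Connect action but none of its dependencies.
TOO_NARROW = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "connect:AssociateLexBot", "Resource": "*"},
    ],
}

# Constructed sample: the same action plus the dependencies the table lists for it.
COMPLETE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["connect:AssociateLexBot", "lex:GetBot"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateServiceLinkedRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(lint_policy(TOO_NARROW))
    print(lint_policy(COMPLETE))
```

Because `connect:*`-style wildcards are expanded by the same matcher, the lint also shows that a broad `connect:*` grant still leaves `ds:DescribeDirectories` uncovered for `GetFederationTokens` and `DeleteInstance`: the dependencies live in other services, and a wildcard on the Connect prefix does not reach them.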
Resource types defined by Amazon Connect
The following resource types are defined by this service and can be used in the
Resource
element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource
type can also define which condition keys you can include in a policy. These
keys are displayed in the last column of the table. For details about the columns
in the following table, see The resource types table.
Resource types | ARN | Condition keys |
---|---|---|
instance | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId} | |
contact | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact/${ContactId} | |
user | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent/${UserId} | |
routing-profile | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/routing-profile/${RoutingProfileId} | |
security-profile | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/security-profile/${SecurityProfileId} | |
hierarchy-group | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/agent-group/${HierarchyGroupId} | |
queue | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/queue/${QueueId} | |
quick-connect | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/${QuickConnectId} | |
contact-flow | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/${ContactFlowId} | |
hours-of-operation | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/operating-hours/${HoursOfOperationId} | |
phone-number | arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/phone-numbers/${PhoneNumberId} | |
Condition keys for Amazon Connect
Amazon Connect defines the following condition keys that can be used in the
Condition
element of an IAM policy. You can use these keys to further refine the conditions
under which the policy statement applies. For details about the columns in the
following table, see The condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request. | String |
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource. | String |
aws:TagKeys | Filters actions based on the presence of tag keys in the request. | String |
connect:AttributeType | Filters access by the attribute type of the Amazon Connect instance. | String |
connect:InstanceId | Filters access by restricting federation into the specified Amazon Connect instances. | String |
connect:StorageResourceType | Filters access by restricting the storage resource type of the Amazon Connect instance storage configuration. | String |
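Two details on this page are easy to get wrong when writing or auditing policies: the ARN path segment in the resource types table does not always match the resource type name (`user` is `agent/`, `hierarchy-group` is `agent-group/`, `quick-connect` is `transfer-destination/`), and `GetFederationToken` has no resource type in the actions table, so it must be scoped with the `connect:InstanceId` condition key rather than with a resource ARN. The following is an added example (not AWS code) serving both the resource types table and the condition keys table: it builds and parses Connect ARNs from the templates above, then derives a federation statement whose condition lists only the instance IDs taken from instance ARNs. The account, region and IDs are constructed; the statement's `Action` uses `connect:GetFederationToken` as described in the condition key row.

```python
"""Build/parse Amazon Connect ARNs and scope GetFederationToken with connect:InstanceId."""
import re

# Resource type -> path appended after "instance/{InstanceId}", from the resource types table.
RESOURCE_PATHS = {
    "instance": "",
    "contact": "/contact/{id}",
    "user": "/agent/{id}",
    "routing-profile": "/routing-profile/{id}",
    "security-profile": "/security-profile/{id}",
    "hierarchy-group": "/agent-group/{id}",
    "queue": "/queue/{id}",
    "quick-connect": "/transfer-destination/{id}",
    "contact-flow": "/contact-flow/{id}",
    "hours-of-operation": "/operating-hours/{id}",
    "phone-number": "/phone-numbers/{id}",
}
# Reverse map: ARN path segment ("agent", "agent-group", ...) -> resource type name.
_SEGMENT_TO_TYPE = {path.split("/")[1]: rtype for rtype, path in RESOURCE_PATHS.items() if path}

_ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):connect:(?P<region>[^:]+):(?P<account>\d{12}):"
    r"instance/(?P<instance_id>[^/]+)(?:/(?P<segment>[^/]+)/(?P<resource_id>[^/]+))?$"
)


def build_arn(resource_type, instance_id, resource_id=None, *, account, region, partition="aws"):
    """Render the ARN template for `resource_type`; the instance itself takes no resource_id."""
    path = RESOURCE_PATHS[resource_type]
    if bool(path) != (resource_id is not None):
        raise ValueError(f"resource_id {'required' if path else 'not allowed'} for {resource_type}")
    return f"arn:{partition}:connect:{region}:{account}:instance/{instance_id}" + path.format(id=resource_id)


def parse_arn(arn):
    """Split a Connect ARN into its parts and recover the resource type from the path segment."""
    match = _ARN_RE.match(arn)
    if not match:
        raise ValueError(f"not an Amazon Connect ARN: {arn}")
    parts = match.groupdict()
    segment = parts.pop("segment")
    if segment is None:
        parts["resource_type"] = "instance"
    elif segment in _SEGMENT_TO_TYPE:
        parts["resource_type"] = _SEGMENT_TO_TYPE[segment]
    else:
        raise ValueError(f"unknown Amazon Connect resource path segment: {segment}")
    return parts


def federation_statement(instance_arns):
    """Allow GetFederationToken only into the given instances via connect:InstanceId.

    Resource must be "*" because the actions table lists no resource type for this action;
    the condition key, not the ARN, is what narrows the grant. Non-instance ARNs are rejected
    so that a user or queue ARN cannot silently widen the condition to its parent instance.
    """
    instance_ids = set()
    for arn in instance_arns:
        parts = parse_arn(arn)
        if parts["resource_type"] != "instance":
            raise ValueError(f"expected an instance ARN, got {parts['resource_type']}: {arn}")
        instance_ids.add(parts["instance_id"])
    return {
        "Effect": "Allow",
        "Action": "connect:GetFederationToken",
        "Resource": "*",
        "Condition": {"StringEquals": {"connect:InstanceId": sorted(instance_ids)}},
    }


# Constructed sample values (not real account, region or instance identifiers).
ACCOUNT = "123456789012"
REGION = "us-east-1"
INSTANCE_ID = "11111111-2222-3333-4444-555555555555"

if __name__ == "__main__":
    instance_arn = build_arn("instance", INSTANCE_ID, account=ACCOUNT, region=REGION)
    print(parse_arn(build_arn("hierarchy-group", INSTANCE_ID, "hg-1", account=ACCOUNT, region=REGION)))
    print(federation_statement([instance_arn]))
```

The parser is also useful on the detection side: CloudTrail records for Connect carry these ARNs, and mapping `agent-group/` back to `hierarchy-group` (or `transfer-destination/` back to `quick-connect`) before matching a rule avoids false negatives caused by the naming mismatch.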