AWS managed policies for Amazon Connect - Amazon Connect


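AWS managed policies for Amazon Connect

To add permissions to users, groups, and roles, using AWS managed policies is more effective than writing policies yourself. It takes time and expertise to create IAM customer managed policies that give your team only the permissions they need. To get started quickly, you can use AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You cannot change the permissions in AWS managed policies. Services occasionally add permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates do not break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.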

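AWS managed policy: AmazonConnect_FullAccess

To allow full read/write access to Amazon Connect, you must attach two policies to your IAM users, groups, or roles. Attach the AmazonConnect_FullAccess policy and a custom policy with the following contents:

Custom policy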

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AttachAnyPolicyToAmazonConnectRole",
            "Effect": "Allow",
            "Action": "iam:PutRolePolicy",
            "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*"
        }
    ]
}

AmazonConnect_FullAccess policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "connect:*",
                "ds:CreateAlias",
                "ds:AuthorizeApplication",
                "ds:CreateIdentityPoolDirectory",
                "ds:DeleteDirectory",
                "ds:DescribeDirectories",
                "ds:UnauthorizeApplication",
                "firehose:DescribeDeliveryStream",
                "firehose:ListDeliveryStreams",
                "kinesis:DescribeStream",
                "kinesis:ListStreams",
                "kms:DescribeKey",
                "kms:ListAliases",
                "lex:GetBots",
                "lex:ListBots",
                "lex:ListBotAliases",
                "logs:CreateLogGroup",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets",
                "lambda:ListFunctions",
                "ds:CheckAlias",
                "profile:ListAccountIntegrations",
                "profile:GetDomain",
                "profile:ListDomains",
                "profile:GetProfileObjectType",
                "profile:ListProfileObjectTypeTemplates"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "profile:AddProfileKey",
                "profile:CreateDomain",
                "profile:CreateProfile",
                "profile:DeleteDomain",
                "profile:DeleteIntegration",
                "profile:DeleteProfile",
                "profile:DeleteProfileKey",
                "profile:DeleteProfileObject",
                "profile:DeleteProfileObjectType",
                "profile:GetIntegration",
                "profile:GetMatches",
                "profile:GetProfileObjectType",
                "profile:ListIntegrations",
                "profile:ListProfileObjects",
                "profile:ListProfileObjectTypes",
                "profile:ListTagsForResource",
                "profile:MergeProfiles",
                "profile:PutIntegration",
                "profile:PutProfileObject",
                "profile:PutProfileObjectType",
                "profile:SearchProfiles",
                "profile:TagResource",
                "profile:UntagResource",
                "profile:UpdateDomain",
                "profile:UpdateProfile"
            ],
            "Resource": "arn:aws:profile:*:*:domains/amazon-connect-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:GetBucketAcl"
            ],
            "Resource": "arn:aws:s3:::amazon-connect-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "servicequotas:GetServiceQuota"
            ],
            "Resource": "arn:aws:servicequotas:*:*:connect/*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "connect.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:DeleteServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/profile.amazonaws.com/*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "profile.amazonaws.com"
                }
            }
        }
    ]
}

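To allow a user to create an instance, make sure that they have the permissions granted by the AmazonConnect_FullAccess policy.

When you use the AmazonConnect_FullAccess policy, note the following:

  • iam:PutRolePolicy allows the user who gets that policy to configure any resource in the account to work with an Amazon Connect instance. Because it grants such broad permissions, assign it only when necessary. Instead, create the service-linked role with access to the necessary resources, and let the user pass the service-linked role to Amazon Connect (which is granted by the AmazonConnect_FullAccess policy).

  • Additional privileges are required to create an Amazon S3 bucket with a name of your choosing, or to use an existing bucket while creating or updating an instance from the Amazon Connect admin website. If you choose default storage locations for your call recordings, chat transcripts, call transcripts, and other data, the system prepends "amazon-connect-" to the names of those objects.

  • The aws/connect KMS key is available as a default encryption option. To use a custom encryption key, assign users additional KMS privileges.

  • Assign users additional privileges to attach other AWS resources such as Amazon Polly, Live Media Streaming, Data Streaming, and Lex bots to their Amazon Connect instances.

For more information and detailed permissions, see Required permissions for using custom IAM policies to manage access to the Amazon Connect admin website.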
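Because iam:PutRolePolicy on the Connect service-linked role is the broad grant called out above, it is worth finding which identity policies in an account carry it. The following is an added example, not AWS code: it evaluates a single policy document offline, and the function names, the sample role ARN, and the BROAD and GUARDED policies are constructed for illustration.

```python
import fnmatch

RISKY_ACTION = "iam:PutRolePolicy"
# Constructed ARN standing in for a real Connect service-linked role.
SAMPLE_SLR_ARN = ("arn:aws:iam::111122223333:role/aws-service-role/"
                  "connect.amazonaws.com/AWSServiceRoleForAmazonConnect_EXAMPLE")


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)


def _glob(pattern, target, ignore_case):
    # IAM wildcards are * and ?; action names compare case-insensitively.
    if ignore_case:
        pattern, target = pattern.lower(), target.lower()
    return fnmatch.fnmatchcase(target, pattern)


def _covers(stmt, key, target, ignore_case):
    """True if the statement's Action/Resource (or Not* form) applies to target."""
    if key in stmt:
        return any(_glob(p, target, ignore_case) for p in _as_list(stmt[key]))
    if "Not" + key in stmt:
        return not any(_glob(p, target, ignore_case)
                       for p in _as_list(stmt["Not" + key]))
    return False


def find_slr_policy_writers(policy, slr_arn=SAMPLE_SLR_ARN):
    """Return [(statement label, has_condition)] for Allow statements that let
    the holder call iam:PutRolePolicy on the Connect service-linked role."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    allows = []
    for i, stmt in enumerate(stmts):
        if not (_covers(stmt, "Action", RISKY_ACTION, True)
                and _covers(stmt, "Resource", slr_arn, False)):
            continue
        if stmt.get("Effect") == "Deny" and "Condition" not in stmt:
            return []  # an unconditional explicit Deny overrides every Allow
        if stmt.get("Effect") == "Allow":
            allows.append((stmt.get("Sid", f"statement[{i}]"), "Condition" in stmt))
    return allows


# The custom policy shown on this page, then two constructed variants.
PAGE_CUSTOM = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AttachAnyPolicyToAmazonConnectRole", "Effect": "Allow",
    "Action": "iam:PutRolePolicy",
    "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/"
                "AWSServiceRoleForAmazonConnect*"}]}
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:Put*", "s3:ListAllMyBuckets"], "Resource": "*"}]}
GUARDED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "IamAdmin", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Sid": "ProtectServiceRoles", "Effect": "Deny", "Action": "iam:PutRolePolicy",
     "Resource": "arn:aws:iam::*:role/aws-service-role/*"}]}

if __name__ == "__main__":
    for name, doc in [("page custom", PAGE_CUSTOM), ("broad", BROAD), ("guarded", GUARDED)]:
        print(name, find_slr_policy_writers(doc))
```

The check covers one policy document at a time; permissions boundaries, service control policies, and Deny statements that carry conditions are outside what it evaluates.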

AWS managed policy: AmazonConnectReadOnlyAccess

To allow read-only access, you only need to attach the AmazonConnectReadOnlyAccess policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowConnectReadOnly",
            "Effect": "Allow",
            "Action": [
                "connect:Get*",
                "connect:Describe*",
                "connect:List*",
                "ds:DescribeDirectories"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DenyConnectEmergencyAccess",
            "Effect": "Deny",
            "Action": "connect:AdminGetEmergencyAccessToken",
            "Resource": "*"
        }
    ]
}

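AWS managed policy: AmazonConnectServiceLinkedRolePolicy

The AmazonConnectServiceLinkedRolePolicy role permissions policy allows Amazon Connect to complete the following actions on the specified resources. As you enable additional features in Amazon Connect, additional permissions are added for the AWSServiceRoleForAmazonConnect service-linked role to access the resources associated with those features: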

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowConnectActions",
            "Effect": "Allow",
            "Action": [
                "connect:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AllowDeleteSLR",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteRole"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect_*"
        },
        {
            "Sid": "AllowS3ObjectForConnectBucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::amazon-connect-*/*"
            ]
        },
        {
            "Sid": "AllowGetBucketMetadataForConnectBucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetBucketAcl"
            ],
            "Resource": [
                "arn:aws:s3:::amazon-connect-*"
            ]
        },
        {
            "Sid": "AllowConnectLogGroupAccess",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/connect/*:*"
            ]
        },
        {
            "Sid": "AllowListLexBotAccess",
            "Effect": "Allow",
            "Action": [
                "lex:ListBots",
                "lex:ListBotAliases"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowCustomerProfilesForConnectDomain",
            "Effect": "Allow",
            "Action": [
                "profile:SearchProfiles",
                "profile:CreateProfile",
                "profile:UpdateProfile",
                "profile:AddProfileKey",
                "profile:ListProfileObjectTypes",
                "profile:ListCalculatedAttributeDefinitions",
                "profile:ListCalculatedAttributesForProfile",
                "profile:GetDomain",
                "profile:ListIntegrations"
            ],
            "Resource": "arn:aws:profile:*:*:domains/amazon-connect-*"
        },
        {
            "Sid": "AllowReadPermissionForCustomerProfileObjects",
            "Effect": "Allow",
            "Action": [
                "profile:ListProfileObjects",
                "profile:GetProfileObjectType"
            ],
            "Resource": [
                "arn:aws:profile:*:*:domains/amazon-connect-*/object-types/*"
            ]
        },
        {
            "Sid": "AllowListIntegrationForCustomerProfile",
            "Effect": "Allow",
            "Action": [
                "profile:ListAccountIntegrations"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowReadForCustomerProfileObjectTemplates",
            "Effect": "Allow",
            "Action": [
                "profile:ListProfileObjectTypeTemplates",
                "profile:GetProfileObjectTypeTemplate"
            ],
            "Resource": "arn:aws:profile:*:*:/templates*"
        },
        {
            "Sid": "AllowWisdomForConnectEnabledTaggedResources",
            "Effect": "Allow",
            "Action": [
                "wisdom:CreateContent",
                "wisdom:DeleteContent",
                "wisdom:CreateKnowledgeBase",
                "wisdom:GetAssistant",
                "wisdom:GetKnowledgeBase",
                "wisdom:GetContent",
                "wisdom:GetRecommendations",
                "wisdom:GetSession",
                "wisdom:NotifyRecommendationsReceived",
                "wisdom:QueryAssistant",
                "wisdom:StartContentUpload",
                "wisdom:UpdateContent",
                "wisdom:UntagResource",
                "wisdom:TagResource",
                "wisdom:CreateSession",
                "wisdom:CreateQuickResponse",
                "wisdom:GetQuickResponse",
                "wisdom:SearchQuickResponses",
                "wisdom:StartImportJob",
                "wisdom:GetImportJob",
                "wisdom:ListImportJobs",
                "wisdom:ListQuickResponses",
                "wisdom:UpdateQuickResponse",
                "wisdom:DeleteQuickResponse",
                "wisdom:PutFeedback",
                "wisdom:ListContentAssociations"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/AmazonConnectEnabled": "True"
                }
            }
        },
        {
            "Sid": "AllowListOperationForWisdom",
            "Effect": "Allow",
            "Action": [
                "wisdom:ListAssistants",
                "wisdom:ListKnowledgeBases"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowCustomerProfilesCalculatedAttributesForConnectDomain",
            "Effect": "Allow",
            "Action": [
                "profile:GetCalculatedAttributeForProfile",
                "profile:CreateCalculatedAttributeDefinition",
                "profile:DeleteCalculatedAttributeDefinition",
                "profile:GetCalculatedAttributeDefinition",
                "profile:UpdateCalculatedAttributeDefinition"
            ],
            "Resource": [
                "arn:aws:profile:*:*:domains/amazon-connect-*/calculated-attributes/*"
            ]
        },
        {
            "Sid": "AllowPutMetricsForConnectNamespace",
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricData",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": "AWS/Connect"
                }
            }
        },
        {
            "Sid": "AllowSMSVoiceOperationsForConnect",
            "Effect": "Allow",
            "Action": [
                "sms-voice:SendTextMessage",
                "sms-voice:DescribePhoneNumbers"
            ],
            "Resource": "arn:aws:sms-voice:*:*:phone-number/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },
        {
            "Sid": "AllowCognitoForConnectEnabledTaggedResources",
            "Effect": "Allow",
            "Action": [
                "cognito-idp:DescribeUserPool",
                "cognito-idp:ListUserPoolClients"
            ],
            "Resource": "arn:aws:cognito-idp:*:*:userpool/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/AmazonConnectEnabled": "True"
                }
            }
        },
        {
            "Sid": "AllowWritePermissionForCustomerProfileObjects",
            "Effect": "Allow",
            "Action": [
                "profile:PutProfileObject"
            ],
            "Resource": [
                "arn:aws:profile:*:*:domains/amazon-connect-*/object-types/*"
            ]
        }
    ]
}

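AWS managed policy: AmazonConnectCampaignsServiceLinkedRolePolicy

The AmazonConnectCampaignsServiceLinkedRolePolicy role permissions policy allows Amazon Connect outbound campaigns to complete the following actions on the specified resources.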

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "connect-campaigns:ListCampaigns"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "connect:BatchPutContact",
                "connect:StopContact"
            ],
            "Resource": "arn:aws:connect:*:*:instance/*"
        }
    ]
}

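AWS managed policy: AmazonConnectVoiceIDFullAccess

To allow full access to Amazon Connect Voice ID, you must attach two policies to your users, groups, or roles. Attach the AmazonConnectVoiceIDFullAccess policy and the following custom policy contents to access Voice ID through the Amazon Connect admin website: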

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AttachAnyPolicyToAmazonConnectRole",
            "Effect": "Allow",
            "Action": "iam:PutRolePolicy",
            "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "connect:CreateIntegrationAssociation",
                "connect:DeleteIntegrationAssociation",
                "connect:ListIntegrationAssociations"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:DeleteRule",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "events:ManagedBy": "connect.amazonaws.com"
                }
            }
        }
    ]
}

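The manual policy configures the following:

  • iam:PutRolePolicy allows the user who gets that policy to configure any resource in the account to work with an Amazon Connect instance. Because it grants such broad permissions, assign it only when necessary.

  • To associate a Voice ID domain with an Amazon Connect instance, you need additional Amazon Connect and Amazon EventBridge privileges. You need privileges to call the Amazon Connect APIs that create, delete, and list integration associations. You need EventBridge permissions to create and delete the EventBridge rules that are used to provide contact records related to Voice ID.

Because there is no default encryption option, to use your customer managed key with Amazon Connect Voice ID, the following API operations must be allowed in the key policy. In addition, you must add these permissions on the relevant key. They are not included in the managed policy.

  • kms:Decrypt – Used to access or store encrypted data.

  • kms:CreateGrant – When creating or updating a domain, used to create a grant to the customer managed key for the Voice ID domain. The grant controls access to the specified KMS key, which allows access to the grant operations that Amazon Connect Voice ID requires. For more information about using grants, see Using grants in the AWS Key Management Service Developer Guide.

  • kms:DescribeKey – When creating or updating a domain, allows determining the ARN for the KMS key that you provided.

For more information about creating domains and KMS keys, see Enable Voice ID and Encryption at rest.

AWS managed policy: CustomerProfilesServiceLinkedRolePolicy

To allow Amazon Connect Customer Profiles to publish CloudWatch metrics to your AWS account, you must attach the CustomerProfilesServiceLinkedRolePolicy managed policy: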

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": "AWS/CustomerProfiles"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:DeleteRole"
            ],
            "Resource": "arn:aws:iam:::role/aws-service-role/profile.amazonaws.com/AWSServiceRoleForProfile_*"
        }
    ]
}

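AWS managed policy: AmazonConnectSynchronizationServiceRolePolicy

The AmazonConnectSynchronizationServiceRolePolicy permissions policy allows Amazon Connect Managed Synchronization to complete the following read, write, update, and delete actions on the specified resources. As resource synchronization is enabled for more resources, additional permissions are added to the AWSServiceRoleForAmazonConnectSynchronization service-linked role to access those resources.

The AmazonConnectSynchronizationServiceRolePolicy permissions policy is grouped into the following sets of permissions.

  • connect – Connect permissions for synchronizing Connect configurations and resources.

  • cloudwatch – CloudWatch permissions to publish Amazon Connect usage metrics for an instance in your account.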

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowConnectActions",
            "Effect": "Allow",
            "Action": [
                "connect:CreateUser*",
                "connect:UpdateUser*",
                "connect:DeleteUser*",
                "connect:DescribeUser*",
                "connect:ListUser*",
                "connect:CreateRoutingProfile",
                "connect:UpdateRoutingProfile*",
                "connect:DeleteRoutingProfile",
                "connect:DescribeRoutingProfile",
                "connect:ListRoutingProfile*",
                "connect:CreateAgentStatus",
                "connect:UpdateAgentStatus",
                "connect:DescribeAgentStatus",
                "connect:ListAgentStatuses",
                "connect:CreateQuickConnect",
                "connect:UpdateQuickConnect*",
                "connect:DeleteQuickConnect",
                "connect:DescribeQuickConnect",
                "connect:ListQuickConnects",
                "connect:CreateHoursOfOperation",
                "connect:UpdateHoursOfOperation",
                "connect:DeleteHoursOfOperation",
                "connect:DescribeHoursOfOperation",
                "connect:ListHoursOfOperations",
                "connect:CreateQueue",
                "connect:UpdateQueue*",
                "connect:DeleteQueue",
                "connect:DescribeQueue",
                "connect:ListQueue*",
                "connect:CreatePrompt",
                "connect:UpdatePrompt",
                "connect:DeletePrompt",
                "connect:DescribePrompt",
                "connect:ListPrompts",
                "connect:GetPromptFile",
                "connect:CreateSecurityProfile",
                "connect:UpdateSecurityProfile",
                "connect:DeleteSecurityProfile",
                "connect:DescribeSecurityProfile",
                "connect:ListSecurityProfile*",
                "connect:CreateContactFlow*",
                "connect:UpdateContactFlow*",
                "connect:DeleteContactFlow*",
                "connect:DescribeContactFlow*",
                "connect:ListContactFlow*",
                "connect:BatchGetFlowAssociation",
                "connect:CreatePredefinedAttribute",
                "connect:UpdatePredefinedAttribute",
                "connect:DeletePredefinedAttribute",
                "connect:DescribePredefinedAttribute",
                "connect:ListPredefinedAttributes",
                "connect:ListTagsForResource",
                "connect:TagResource",
                "connect:UntagResource",
                "connect:ListTrafficDistributionGroups",
                "connect:ListPhoneNumbersV2",
                "connect:UpdatePhoneNumber",
                "connect:DescribePhoneNumber",
                "connect:AssociatePhoneNumberContactFlow",
                "connect:DisassociatePhoneNumberContactFlow",
                "connect:AssociateRoutingProfileQueues",
                "connect:DisassociateQueueQuickConnects",
                "connect:AssociateQueueQuickConnects",
                "connect:DisassociateUserProficiencies",
                "connect:AssociateUserProficiencies",
                "connect:DisassociateRoutingProfileQueues",
                "connect:CreateAuthenticationProfile",
                "connect:UpdateAuthenticationProfile",
                "connect:DescribeAuthenticationProfile",
                "connect:ListAuthenticationProfiles"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowPutMetricsForConnectNamespace",
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricData",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": "AWS/Connect"
                }
            }
        }
    ]
}

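Amazon Connect updates to AWS managed policies

View details about updates to AWS managed policies for Amazon Connect since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Connect Document history page.

Change    Description    Date

AmazonConnectSynchronizationServiceRolePolicy – Added for Managed Synchronization

Added the following actions to the service-linked role managed policy for Managed Synchronization: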

  • connect:AssociatePhoneNumberContactFlow

  • connect:DisassociatePhoneNumberContactFlow

  • connect:AssociateRoutingProfileQueues

  • connect:DisassociateQueueQuickConnects

  • connect:AssociateQueueQuickConnects

  • connect:DisassociateUserProficiencies

  • connect:AssociateUserProficiencies

  • connect:DisassociateRoutingProfileQueues

  • connect:CreateAuthenticationProfile

  • connect:UpdateAuthenticationProfile

  • connect:DescribeAuthenticationProfile

  • connect:ListAuthenticationProfiles

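July 5, 2024

AmazonConnectReadOnlyAccess – Renamed the action connect:GetFederationTokens to connect:AdminGetEmergencyAccessToken

The AmazonConnectReadOnlyAccess managed policy has been updated because the Amazon Connect action connect:GetFederationTokens was renamed to connect:AdminGetEmergencyAccessToken. This change is backward compatible, and the connect:AdminGetEmergencyAccessToken action functions the same way as the connect:GetFederationTokens action. If you keep the previously named connect:GetFederationTokens action in your policies, they will continue to work as expected.

June 15, 2024

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Cognito user pools and Amazon Connect Customer Profiles

Added the following Amazon Cognito user pools actions to the service-linked role policy to allow select read operations on Cognito user pool resources that have the AmazonConnectEnabled resource tag. This tag is placed on the resource when the CreateIntegrationAssociations API is called: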

  • cognito-idp:DescribeUserPool

  • cognito-idp:ListUserPoolClients

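Added the following Amazon Connect Customer Profiles action to the service-linked role policy to allow putting data into the Connect-adjacent service, Customer Profiles:

  • profile:PutProfileObject

May 23, 2024

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Q in Connect

Allows the following action to be performed on Amazon Q in Connect resources that have the resource tag 'AmazonConnectEnabled':'True' on Amazon Q in Connect knowledge bases: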

  • wisdom:ListContentAssociations

May 20, 2024

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Pinpoint

Added the following actions to the service-linked role policy to allow Amazon Connect to send SMS by using Amazon Pinpoint phone numbers:

  • sms:DescribePhoneNumbers

  • sms:SendTextMessage

November 17, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Q in Connect

Allows the following action to be performed on Amazon Q in Connect resources that have the resource tag 'AmazonConnectEnabled':'True' on Amazon Q in Connect knowledge bases:

  • wisdom:PutFeedback

November 15, 2023

AmazonConnectCampaignsServiceLinkedRolePolicy – Added actions for Amazon Connect

Amazon Connect added new actions for retrieving outbound campaigns:

  • connect:BatchPutContact

  • connect:StopContact

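November 8, 2023

AmazonConnectSynchronizationServiceRolePolicy – Added new AWS managed policy

Added a new service-linked role managed policy for Managed Synchronization.

The policy provides access to read, create, update, and delete Amazon Connect resources, and is used to automatically synchronize AWS resources across AWS Regions.

November 3, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Customer Profiles

Added the following actions to manage the Amazon Connect Customer Profiles service-linked role: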

  • profile:ListCalculatedAttributesForProfile

  • profile:GetDomain

  • profile:ListIntegrations

  • profile:CreateCalculatedAttributeDefinition

  • profile:DeleteCalculatedAttributeDefinition

  • profile:GetCalculatedAttributeDefinition

  • profile:UpdateCalculatedAttributeDefinition

October 30, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Q in Connect

Allows the following actions to be performed on Amazon Q in Connect resources that have the resource tag 'AmazonConnectEnabled':'True' on Amazon Q in Connect knowledge bases:

  • wisdom:CreateQuickResponse

  • wisdom:GetQuickResponse

  • wisdom:SearchQuickResponses

  • wisdom:StartImportJob

  • wisdom:GetImportJob

  • wisdom:ListImportJobs

  • wisdom:ListQuickResponses

  • wisdom:UpdateQuickResponse

  • wisdom:DeleteQuickResponse

October 25, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Customer Profiles

Added the following actions to manage the Amazon Connect Customer Profiles service-linked role:

  • profile:ListCalculatedAttributeDefinitions

  • profile:GetCalculatedAttributeForProfile

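October 6, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Q in Connect

Allows the following actions to be performed on Amazon Q in Connect resources that have the resource tag 'AmazonConnectEnabled':'True' on Amazon Q in Connect knowledge bases and assistants: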

  • wisdom:CreateContent

  • wisdom:DeleteContent

  • wisdom:CreateKnowledgeBase

  • wisdom:GetAssistant

  • wisdom:GetKnowledgeBase

  • wisdom:GetContent

  • wisdom:GetRecommendations

  • wisdom:GetSession

  • wisdom:NotifyRecommendationsReceived

  • wisdom:QueryAssistant

  • wisdom:StartContentUpload

  • wisdom:UntagResource

  • wisdom:TagResource

  • wisdom:CreateSession

Allows the following List actions to be performed on all Amazon Q in Connect resources:

  • wisdom:ListAssistants

  • wisdom:KnowledgeBases

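September 29, 2023

CustomerProfilesServiceLinkedRolePolicy – Added CustomerProfilesServiceLinkedRolePolicy

New managed policy.

March 7, 2023

AmazonConnect_FullAccess – Added permission for managing the Amazon Connect Customer Profiles service-linked role

Added the following action to manage the Amazon Connect Customer Profiles service-linked role.

  • iam:CreateServiceLinkedRole – Allows you to create the service-linked role for Customer Profiles.

January 26, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon CloudWatch

Added the following action to publish Amazon Connect usage metrics for an instance to your account.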

  • cloudwatch:PutMetricData

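February 22, 2022

AmazonConnect_FullAccess – Added permissions for managing Amazon Connect Customer Profiles domains

Added all permissions for managing the Amazon Connect Customer Profiles domains that are created for new Amazon Connect instances.

  • profile:ListAccountIntegrations – Lists all of the integrations associated with a specific URI in the AWS account.

  • profile:ListDomains – Returns a list of all the domains that have been created for the AWS account.

  • profile:GetDomain – Returns information about a specific domain.

  • profile:ListProfileObjectTypeTemplates – Allows the Amazon Connect admin website to display the list of templates that are available for creating data mappings.

  • profile:GetObjectTypes – Allows you to view all of the current object types (data mappings) that have been created.

The following permissions are allowed on domains with a name that is prefixed with amazon-connect-:

  • profile:AddProfileKey – Allows you to associate a new key value with a specific profile

  • profile:CreateDomain – Allows you to create a new domain

  • profile:CreateProfile – Allows you to create a new profile

  • profile:DeleteDomain – Allows you to delete a domain

  • profile:DeleteIntegration – Allows you to delete an integration with a domain

  • profile:DeleteProfile – Allows you to delete a profile

  • profile:DeleteProfileKey – Allows you to delete a profile key

  • profile:DeleteProfileObject – Allows you to delete a profile object

  • profile:DeleteProfileObjectType – Allows you to delete a profile object type

  • profile:GetIntegration – Allows you to retrieve information about an integration

  • profile:GetMatches – Allows you to retrieve possible profile matches

  • profile:GetProfileObjectType – Allows you to retrieve a profile object type

  • profile:ListIntegrations – Allows you to list integrations

  • profile:ListProfileObjects – Allows you to list profile objects

  • profile:ListProfileObjectTypes – Allows you to list profile object types

  • profile:ListTagsForResource – Allows you to list the tags for a resource

  • profile:MergeProfiles – Allows you to merge profile matches

  • profile:PutIntegration – Allows you to add an integration between the service and third-party services, including Amazon AppFlow and Amazon Connect

  • profile:PutProfileObject – Allows you to create and update objects

  • profile:PutProfileObjectType – Allows you to create and update object types

  • profile:SearchProfiles – Allows you to search profiles

  • profile:TagResource – Allows you to tag a resource

  • profile:UntagResource – Allows you to untag a resource

  • profile:UpdateDomain – Allows you to update a domain

  • profile:UpdateProfile – Allows you to update a profile

November 12, 2021

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Connect Customer Profiles

Added the following actions so that Amazon Connect flows and the agent experience can interact with the profiles in your default Customer Profiles domain: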

  • profile:SearchProfiles

  • profile:CreateProfile

  • profile:UpdateProfile

  • profile:AddProfileKey

Added the following action so that Amazon Connect flows and the agent experience can interact with the profile objects in your default Customer Profiles domain:

  • profile:ListProfileObjects

Added the following action so that Amazon Connect flows and the agent experience can determine whether Customer Profiles is enabled for your Amazon Connect instance:

  • profile:ListAccountIntegrations

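November 12, 2021

AmazonConnectVoiceIDFullAccess – Added new AWS managed policy

Added a new AWS managed policy so that you can set up your users to use Amazon Connect Voice ID.

This policy provides full access to Amazon Connect Voice ID through the AWS console, SDK, or other means.

September 27, 2021

AmazonConnectCampaignsServiceLinkedRolePolicy – Added new service-linked role policy

Added a new service-linked role policy for outbound campaigns.

The policy provides access to retrieve all the outbound campaigns.

September 27, 2021

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Lex

Added the following actions for all bots created in the account across all Regions. These actions were added to support integration with Amazon Lex.

  • lex:ListBots – Lists all the bots available in a given Region for your account.

  • lex:ListBotAliases – Lists all the aliases for a given bot.

June 15, 2021

AmazonConnect_FullAccess – Added actions for Amazon Lex

Added the following actions for all bots created in the account across all Regions. These actions were added to support integration with Amazon Lex.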

  • lex:ListBots

  • lex:ListBotAliases

June 15, 2021

Amazon Connect started tracking changes

Amazon Connect started tracking changes for its AWS managed policies.

June 15, 2021
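Because an update to a managed policy takes effect for every identity the policy is attached to, the entries above can be verified by diffing two saved versions of a policy document. The following is an added example, not AWS code: the function names and the read-only prefix heuristic are assumptions, and the "before" document is constructed from the November 8, 2023 entry by leaving out the two actions it lists.

```python
import json


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def flatten(policy):
    """Expand a policy into a set of (effect, action, resource, condition) grants.
    Statements that use NotAction or NotResource are not expanded here."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    grants = set()
    for stmt in stmts:
        # Sorted-key JSON makes equal Condition blocks compare equal.
        cond = json.dumps(stmt.get("Condition", {}), sort_keys=True)
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                grants.add((stmt["Effect"], action, resource, cond))
    return grants


def diff_versions(old, new):
    """Grants added and removed between two versions of the same policy."""
    before, after = flatten(old), flatten(new)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


READ_PREFIXES = ("get", "list", "describe")  # heuristic, not an AWS definition


def mutating_additions(diff):
    """Added Allow grants whose action name does not start with a read-only prefix."""
    out = []
    for effect, action, resource, _cond in diff["added"]:
        name = action.split(":", 1)[-1].lower()
        if effect == "Allow" and not name.startswith(READ_PREFIXES):
            out.append((action, resource))
    return out


# Current AmazonConnectCampaignsServiceLinkedRolePolicy as shown on this page.
CAMPAIGNS_NEW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["connect-campaigns:ListCampaigns"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["connect:BatchPutContact", "connect:StopContact"],
     "Resource": "arn:aws:connect:*:*:instance/*"}]}
# Constructed "before" version: the same document without the two actions that
# the November 8, 2023 entry lists as added.
CAMPAIGNS_OLD = {"Version": "2012-10-17", "Statement": [CAMPAIGNS_NEW["Statement"][0]]}

if __name__ == "__main__":
    result = diff_versions(CAMPAIGNS_OLD, CAMPAIGNS_NEW)
    print("added:", result["added"])
    print("removed:", result["removed"])
    print("review:", mutating_additions(result))
```

An empty "removed" list is consistent with the statement on this page that services do not remove permissions from a managed policy.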