AWS managed policies for Amazon Connect

To add permissions to users, groups, and roles, it is more efficient to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions that they need. To get started quickly, you can use AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWS managed policy: AmazonConnect_FullAccess

To allow full read/write access to Amazon Connect, you must attach two policies to your IAM users, groups, or roles. Attach the AmazonConnect_FullAccess policy and a custom policy with the following contents:

Custom Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AttachAnyPolicyToAmazonConnectRole",
      "Effect": "Allow",
      "Action": "iam:PutRolePolicy",
      "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*"
    }
  ]
}

AmazonConnect_FullAccess Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "connect:*",
        "ds:CreateAlias", "ds:AuthorizeApplication", "ds:CreateIdentityPoolDirectory",
        "ds:DeleteDirectory", "ds:DescribeDirectories", "ds:UnauthorizeApplication",
        "firehose:DescribeDeliveryStream", "firehose:ListDeliveryStreams",
        "kinesis:DescribeStream", "kinesis:ListStreams",
        "kms:DescribeKey", "kms:ListAliases",
        "lex:GetBots", "lex:ListBots", "lex:ListBotAliases",
        "logs:CreateLogGroup",
        "s3:GetBucketLocation", "s3:ListAllMyBuckets",
        "lambda:ListFunctions",
        "ds:CheckAlias",
        "profile:ListAccountIntegrations", "profile:GetDomain", "profile:ListDomains",
        "profile:GetProfileObjectType", "profile:ListProfileObjectTypeTemplates"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "profile:AddProfileKey", "profile:CreateDomain", "profile:CreateProfile",
        "profile:DeleteDomain", "profile:DeleteIntegration", "profile:DeleteProfile",
        "profile:DeleteProfileKey", "profile:DeleteProfileObject", "profile:DeleteProfileObjectType",
        "profile:GetIntegration", "profile:GetMatches", "profile:GetProfileObjectType",
        "profile:ListIntegrations", "profile:ListProfileObjects", "profile:ListProfileObjectTypes",
        "profile:ListTagsForResource", "profile:MergeProfiles", "profile:PutIntegration",
        "profile:PutProfileObject", "profile:PutProfileObjectType", "profile:SearchProfiles",
        "profile:TagResource", "profile:UntagResource", "profile:UpdateDomain",
        "profile:UpdateProfile"
      ],
      "Resource": "arn:aws:profile:*:*:domains/amazon-connect-*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:CreateBucket", "s3:GetBucketAcl" ],
      "Resource": "arn:aws:s3:::amazon-connect-*"
    },
    {
      "Effect": "Allow",
      "Action": [ "servicequotas:GetServiceQuota" ],
      "Resource": "arn:aws:servicequotas:*:*:connect/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "iam:AWSServiceName": "connect.amazonaws.com" }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:DeleteServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/profile.amazonaws.com/*",
      "Condition": {
        "StringEquals": { "iam:AWSServiceName": "profile.amazonaws.com" }
      }
    }
  ]
}

To allow a user to create an instance, ensure that they have the permissions granted by the AmazonConnect_FullAccess policy.

When you use AmazonConnect_FullAccess policy, note the following:

  • The iam:PutRolePolicy permission allows the user who receives that policy to configure any resource in the account to work with the Amazon Connect instance. Because it grants such broad permissions, assign it only when necessary. Instead, create the service-linked role with access to the necessary resources and grant the user permission to pass the service-linked role to Amazon Connect (that permission is already granted by the AmazonConnect_FullAccess policy).

  • Additional privileges are required to create an Amazon S3 bucket with a name of your choosing, or to use an existing bucket, while creating or updating an instance from the Amazon Connect admin website. If you choose the default storage locations for your call recordings, chat transcripts, call transcripts, and other data, the system prepends "amazon-connect-" to the names of those objects.

  • The aws/connect KMS key is available to use as a default encryption option. To use a custom encryption key, assign users additional KMS privileges.

  • Assign users additional privileges to attach other AWS resources like Amazon Polly, Live Media Streaming, Data Streaming, and Lex bots to their Amazon Connect instances.

For more information and detailed permissions, see Required permissions for using custom IAM policies to manage access to the Amazon Connect console.

AWS managed policy: AmazonConnectReadOnlyAccess

To allow read-only access, you need to attach only the AmazonConnectReadOnlyAccess policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowConnectReadOnly",
      "Effect": "Allow",
      "Action": [
        "connect:Get*", "connect:Describe*", "connect:List*",
        "ds:DescribeDirectories"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyConnectEmergencyAccess",
      "Effect": "Deny",
      "Action": "connect:AdminGetEmergencyAccessToken",
      "Resource": "*"
    }
  ]
}

AWS managed policy: AmazonConnectServiceLinkedRolePolicy

The AmazonConnectServiceLinkedRolePolicy role permissions policy allows Amazon Connect to complete the following actions on the specified resources. As you enable additional features in Amazon Connect, additional permissions are added for the AWSServiceRoleForAmazonConnect service-linked role to access the resources associated with those features:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowConnectActions",
      "Effect": "Allow",
      "Action": [ "connect:*" ],
      "Resource": [ "*" ]
    },
    {
      "Sid": "AllowDeleteSLR",
      "Effect": "Allow",
      "Action": [ "iam:DeleteRole" ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect_*"
    },
    {
      "Sid": "AllowS3ObjectForConnectBucket",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject", "s3:GetObjectAcl", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"
      ],
      "Resource": [ "arn:aws:s3:::amazon-connect-*/*" ]
    },
    {
      "Sid": "AllowGetBucketMetadataForConnectBucket",
      "Effect": "Allow",
      "Action": [ "s3:GetBucketLocation", "s3:GetBucketAcl" ],
      "Resource": [ "arn:aws:s3:::amazon-connect-*" ]
    },
    {
      "Sid": "AllowConnectLogGroupAccess",
      "Effect": "Allow",
      "Action": [ "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents" ],
      "Resource": [ "arn:aws:logs:*:*:log-group:/aws/connect/*:*" ]
    },
    {
      "Sid": "AllowListLexBotAccess",
      "Effect": "Allow",
      "Action": [ "lex:ListBots", "lex:ListBotAliases" ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCustomerProfilesForConnectDomain",
      "Effect": "Allow",
      "Action": [
        "profile:SearchProfiles", "profile:CreateProfile", "profile:UpdateProfile",
        "profile:AddProfileKey", "profile:ListProfileObjectTypes",
        "profile:ListCalculatedAttributeDefinitions", "profile:ListCalculatedAttributesForProfile",
        "profile:GetDomain", "profile:ListIntegrations", "profile:GetIntegration",
        "profile:PutIntegration", "profile:DeleteIntegration",
        "profile:CreateEventTrigger", "profile:GetEventTrigger", "profile:ListEventTriggers",
        "profile:UpdateEventTrigger", "profile:DeleteEventTrigger",
        "profile:ListSegmentDefinitions", "profile:ListProfileAttributeValues",
        "profile:CreateSegmentEstimate", "profile:GetSegmentEstimate",
        "profile:BatchGetProfile", "profile:BatchGetCalculatedAttributeForProfile",
        "profile:GetSegmentMembership"
      ],
      "Resource": "arn:aws:profile:*:*:domains/amazon-connect-*"
    },
    {
      "Sid": "AllowReadPermissionForCustomerProfileObjects",
      "Effect": "Allow",
      "Action": [
        "profile:ListProfileObjects", "profile:GetProfileObjectType", "profile:ListObjectTypeAttributes"
      ],
      "Resource": [ "arn:aws:profile:*:*:domains/amazon-connect-*/object-types/*" ]
    },
    {
      "Sid": "AllowListIntegrationForCustomerProfile",
      "Effect": "Allow",
      "Action": [ "profile:ListAccountIntegrations" ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadForCustomerProfileObjectTemplates",
      "Effect": "Allow",
      "Action": [ "profile:ListProfileObjectTypeTemplates", "profile:GetProfileObjectTypeTemplate" ],
      "Resource": "arn:aws:profile:*:*:/templates*"
    },
    {
      "Sid": "AllowWisdomForConnectEnabledTaggedResources",
      "Effect": "Allow",
      "Action": [
        "wisdom:CreateContent", "wisdom:DeleteContent", "wisdom:CreateKnowledgeBase",
        "wisdom:GetAssistant", "wisdom:GetKnowledgeBase", "wisdom:GetContent",
        "wisdom:GetRecommendations", "wisdom:GetSession", "wisdom:NotifyRecommendationsReceived",
        "wisdom:QueryAssistant", "wisdom:StartContentUpload", "wisdom:UpdateContent",
        "wisdom:UntagResource", "wisdom:TagResource", "wisdom:CreateSession",
        "wisdom:CreateQuickResponse", "wisdom:GetQuickResponse", "wisdom:SearchQuickResponses",
        "wisdom:StartImportJob", "wisdom:GetImportJob", "wisdom:ListImportJobs",
        "wisdom:ListQuickResponses", "wisdom:UpdateQuickResponse", "wisdom:DeleteQuickResponse",
        "wisdom:PutFeedback", "wisdom:ListContentAssociations",
        "wisdom:CreateMessageTemplate", "wisdom:UpdateMessageTemplate",
        "wisdom:UpdateMessageTemplateMetadata", "wisdom:GetMessageTemplate",
        "wisdom:DeleteMessageTemplate", "wisdom:ListMessageTemplates",
        "wisdom:SearchMessageTemplates", "wisdom:ActivateMessageTemplate",
        "wisdom:DeactivateMessageTemplate", "wisdom:CreateMessageTemplateVersion",
        "wisdom:ListMessageTemplateVersions", "wisdom:CreateMessageTemplateAttachment",
        "wisdom:DeleteMessageTemplateAttachment", "wisdom:RenderMessageTemplate",
        "wisdom:CreateAIAgent", "wisdom:CreateAIAgentVersion", "wisdom:DeleteAIAgent",
        "wisdom:DeleteAIAgentVersion", "wisdom:UpdateAIAgent", "wisdom:UpdateAssistantAIAgent",
        "wisdom:RemoveAssistantAIAgent", "wisdom:GetAIAgent", "wisdom:ListAIAgents",
        "wisdom:ListAIAgentVersions",
        "wisdom:CreateAIPrompt", "wisdom:CreateAIPromptVersion", "wisdom:DeleteAIPrompt",
        "wisdom:DeleteAIPromptVersion", "wisdom:UpdateAIPrompt", "wisdom:GetAIPrompt",
        "wisdom:ListAIPrompts", "wisdom:ListAIPromptVersions",
        "wisdom:CreateAIGuardrail", "wisdom:CreateAIGuardrailVersion", "wisdom:DeleteAIGuardrail",
        "wisdom:DeleteAIGuardrailVersion", "wisdom:UpdateAIGuardrail", "wisdom:GetAIGuardrail",
        "wisdom:ListAIGuardrails", "wisdom:ListAIGuardrailVersions",
        "wisdom:CreateAssistant", "wisdom:ListTagsForResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/AmazonConnectEnabled": "True" }
      }
    },
    {
      "Sid": "AllowListOperationForWisdom",
      "Effect": "Allow",
      "Action": [ "wisdom:ListAssistants", "wisdom:ListKnowledgeBases" ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCustomerProfilesCalculatedAttributesForConnectDomain",
      "Effect": "Allow",
      "Action": [
        "profile:GetCalculatedAttributeForProfile", "profile:CreateCalculatedAttributeDefinition",
        "profile:DeleteCalculatedAttributeDefinition", "profile:GetCalculatedAttributeDefinition",
        "profile:UpdateCalculatedAttributeDefinition"
      ],
      "Resource": [ "arn:aws:profile:*:*:domains/amazon-connect-*/calculated-attributes/*" ]
    },
    {
      "Sid": "AllowCustomerProfilesSegmentationForConnectDomain",
      "Effect": "Allow",
      "Action": [
        "profile:CreateSegmentDefinition", "profile:GetSegmentDefinition",
        "profile:DeleteSegmentDefinition", "profile:CreateSegmentSnapshot",
        "profile:GetSegmentSnapshot"
      ],
      "Resource": [ "arn:aws:profile:*:*:domains/amazon-connect-*/segment-definitions/*" ]
    },
    {
      "Sid": "AllowPutMetricsForConnectNamespace",
      "Effect": "Allow",
      "Action": "cloudwatch:PutMetricData",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "cloudwatch:namespace": "AWS/Connect" }
      }
    },
    {
      "Sid": "AllowSMSVoiceOperationsForConnect",
      "Effect": "Allow",
      "Action": [ "sms-voice:SendTextMessage", "sms-voice:DescribePhoneNumbers" ],
      "Resource": "arn:aws:sms-voice:*:*:phone-number/*",
      "Condition": {
        "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" }
      }
    },
    {
      "Sid": "AllowCognitoForConnectEnabledTaggedResources",
      "Effect": "Allow",
      "Action": [ "cognito-idp:DescribeUserPool", "cognito-idp:ListUserPoolClients" ],
      "Resource": "arn:aws:cognito-idp:*:*:userpool/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/AmazonConnectEnabled": "True" }
      }
    },
    {
      "Sid": "AllowWritePermissionForCustomerProfileObjects",
      "Effect": "Allow",
      "Action": [ "profile:PutProfileObject" ],
      "Resource": [ "arn:aws:profile:*:*:domains/amazon-connect-*/object-types/*" ]
    },
    {
      "Sid": "AllowChimeSDKVoiceConnectorGetOperationForConnect",
      "Effect": "Allow",
      "Action": [ "chime:GetVoiceConnector" ],
      "Resource": "arn:aws:chime:*:*:vc/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/AmazonConnectEnabled": "True",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowChimeSDKVoiceConnectorListOperationForConnect",
      "Effect": "Allow",
      "Action": [ "chime:ListVoiceConnectors" ],
      "Resource": "arn:aws:chime:*:*:vc/*",
      "Condition": {
        "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" }
      }
    },
    {
      "Sid": "SESPermissionsForManagingReceiptRules",
      "Effect": "Allow",
      "Action": [ "ses:DescribeReceiptRule", "ses:UpdateReceiptRule" ],
      "Resource": "*"
    },
    {
      "Sid": "SESPermissionForManagingConnectProvidedSESIdentity",
      "Effect": "Allow",
      "Action": [ "ses:DeleteEmailIdentity" ],
      "Resource": "arn:aws:ses:*:*:identity/*.email.connect.aws*"
    },
    {
      "Sid": "SESConfigurationSetPermissionsForSendingEmail",
      "Effect": "Allow",
      "Action": [ "ses:SendRawEmail" ],
      "Resource": "arn:aws:ses:*:*:configuration-set/configuration-set-for-connect-DO-NOT-DELETE"
    },
    {
      "Sid": "PassRoleToSESForReceiptRuleManagement",
      "Effect": "Allow",
      "Action": [ "iam:PassRole" ],
      "Resource": [ "arn:aws:iam::*:role/service-role/AmazonConnectEmailSESAccessRole" ],
      "Condition": {
        "StringLike": { "iam:PassedToService": "ses.amazonaws.com" }
      }
    },
    {
      "Sid": "AllowSocialMessagingOperations",
      "Effect": "Allow",
      "Action": [
        "social-messaging:SendWhatsAppMessage", "social-messaging:PostWhatsAppMessageMedia",
        "social-messaging:GetWhatsAppMessageMedia",
        "social-messaging:GetLinkedWhatsAppBusinessAccountPhoneNumber"
      ],
      "Resource": "arn:aws:social-messaging:*:*:phone-number-id/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/AmazonConnectEnabled": "True",
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "AllowMobileTargetingOperationsForConnect",
      "Effect": "Allow",
      "Action": "mobiletargeting:SendMessages",
      "Resource": "arn:aws:mobiletargeting:*:*:apps/*",
      "Condition": {
        "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" }
      }
    }
  ]
}

AWS managed policy: AmazonConnectCampaignsServiceLinkedRolePolicy

The AmazonConnectCampaignsServiceLinkedRolePolicy role permissions policy allows Amazon Connect outbound campaigns to complete the following actions on the specified resources. As you enable additional features in Amazon Connect, additional permissions are added for the AWSServiceRoleForConnectCampaigns service-linked role to access the resources associated with those features:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConnectCampaignAccess",
      "Effect": "Allow",
      "Action": [ "connect-campaigns:ListCampaigns" ],
      "Resource": "*"
    },
    {
      "Sid": "ConnectAccess",
      "Effect": "Allow",
      "Action": [
        "connect:BatchPutContact", "connect:StopContact",
        "connect:DescribeContactFlow", "connect:SendOutboundEmail"
      ],
      "Resource": "arn:aws:connect:*:*:instance/*"
    },
    {
      "Sid": "EventBridgeListRuleAccess",
      "Effect": "Allow",
      "Action": [ "events:ListRules" ],
      "Resource": "arn:aws:events:*:*:rule/*",
      "Condition": {
        "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" }
      }
    },
    {
      "Sid": "EventBridgeManagedResourceAccess",
      "Effect": "Allow",
      "Action": [ "events:DeleteRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets" ],
      "Resource": "arn:aws:events:*:*:rule/ConnectCampaignsRule*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}",
          "events:ManagedBy": "connect-campaigns.amazonaws.com"
        }
      }
    },
    {
      "Sid": "EventBridgeListTargetsByRuleAccess",
      "Effect": "Allow",
      "Action": [ "events:ListTargetsByRule" ],
      "Resource": "arn:aws:events:*:*:rule/ConnectCampaignsRule*",
      "Condition": {
        "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" }
      }
    },
    {
      "Sid": "AllowWisdomForConnectCampaignsEnabledTaggedResources",
      "Effect": "Allow",
      "Action": [ "wisdom:GetMessageTemplate", "wisdom:RenderMessageTemplate" ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/AmazonConnectCampaignsEnabled": "True" }
      }
    }
  ]
}

AWS managed policy: AmazonConnectVoiceIDFullAccess

To allow full access to Amazon Connect Voice ID, you must attach two policies to your users, groups, or roles. Attach the AmazonConnectVoiceIDFullAccess policy and the following custom policy contents to access Voice ID through the Amazon Connect admin website:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AttachAnyPolicyToAmazonConnectRole",
      "Effect": "Allow",
      "Action": "iam:PutRolePolicy",
      "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "connect:CreateIntegrationAssociation",
        "connect:DeleteIntegrationAssociation",
        "connect:ListIntegrationAssociations"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "events:DeleteRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets" ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "events:ManagedBy": "connect.amazonaws.com" }
      }
    }
  ]
}

The custom policy grants the following:

  • The iam:PutRolePolicy permission allows the user who receives that policy to configure any resource in the account to work with the Amazon Connect instance. Because it grants such broad permissions, assign it only when necessary.

  • To attach a Voice ID domain to an Amazon Connect instance, you need additional Amazon Connect and Amazon EventBridge privileges. You need privileges to call the Amazon Connect APIs that create, delete, and list integration associations. You need EventBridge permissions to create and delete the EventBridge rules that are used to provide contact records related to Voice ID.

Because there is no default encryption option, to use your customer managed key with Amazon Connect Voice ID the following API operations must be permitted in the key policy of the relevant key. They are not included in the managed policy, so you must add these permissions yourself.

  • kms:Decrypt – to access or store encrypted data.

  • kms:CreateGrant – when creating or updating a domain, used to create a grant to the customer managed key for the Voice ID domain. The grant controls access to the specified KMS key, which allows access to the grant operations that Amazon Connect Voice ID requires. For more information about using grants, see Using grants in the AWS Key Management Service Developer Guide.

  • kms:DescribeKey – when creating or updating a domain, allows determining the ARN of the KMS key you provided.

For more about creating domains and KMS keys, see Get started enabling Voice ID in Amazon Connect and Encryption at rest in Amazon Connect.

AWS managed policy: CustomerProfilesServiceLinkedRolePolicy

The CustomerProfilesServiceLinkedRolePolicy role permissions policy allows Amazon Connect to complete the following actions on the specified resources. As you enable additional features in Amazon Connect, additional permissions are added for the AWSServiceRoleForProfile service-linked role to access the resources associated with those features:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "cloudwatch:PutMetricData" ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "cloudwatch:namespace": "AWS/CustomerProfiles" }
      }
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:DeleteRole" ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/profile.amazonaws.com/AWSServiceRoleForProfile_*"
    },
    {
      "Effect": "Allow",
      "Action": [ "connect-campaigns:PutProfileOutboundRequestBatch" ],
      "Resource": [ "arn:aws:connect-campaigns:*:*:campaign/*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "profile:BatchGetProfile" ],
      "Resource": "*"
    }
  ]
}

AWS managed policy: AmazonConnectSynchronizationServiceRolePolicy

The AmazonConnectSynchronizationServiceRolePolicy permissions policy allows Amazon Connect Managed Synchronization to complete the following read, write, update, and delete actions on the specified resources. As resource synchronization is enabled for more resources, additional permissions are added to the AWSServiceRoleForAmazonConnectSynchronization service-linked role to access these resources.

The AmazonConnectSynchronizationServiceRolePolicy permissions policy is grouped into the following sets of permissions.

  • connect – Connect permissions for the synchronization of Connect configurations and resources.

  • cloudwatch – CloudWatch permissions to publish Amazon Connect usage metrics for an instance in your account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowConnectActions",
      "Effect": "Allow",
      "Action": [
        "connect:Create*", "connect:Update*", "connect:Delete*",
        "connect:Describe*", "connect:List*", "connect:Search*",
        "connect:Associate*", "connect:Disassociate*",
        "connect:Get*", "connect:BatchGet*",
        "connect:TagResource", "connect:UntagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DisallowedConnectActions",
      "Effect": "Deny",
      "Action": [
        "connect:Start*", "connect:Stop*", "connect:Resume*", "connect:Suspend*",
        "connect:*Contact", "connect:SearchContacts",
        "connect:*ContactAttributes*", "connect:*RealtimeContact*",
        "connect:*AnalyticsData*", "connect:*MetricData*", "connect:*UserData*",
        "connect:*ContactEvaluation", "connect:*AttachedFile*",
        "connect:UpdateContactSchedule", "connect:UpdateContactRoutingData",
        "connect:ListContactReferences", "connect:CreateParticipant",
        "connect:CreatePersistentContactAssociation",
        "connect:CreateInstance", "connect:DeleteInstance", "connect:ListInstances",
        "connect:ReplicateInstance", "connect:GetFederationToken",
        "connect:ClaimPhoneNumber", "connect:ImportPhoneNumber",
        "connect:ReleasePhoneNumber", "connect:SearchAvailablePhoneNumbers",
        "connect:CreateTrafficDistributionGroup", "connect:DeleteTrafficDistributionGroup",
        "connect:GetTrafficDistribution", "connect:UpdateTrafficDistribution"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowPutMetricsForConnectNamespace",
      "Effect": "Allow",
      "Action": "cloudwatch:PutMetricData",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "cloudwatch:namespace": "AWS/Connect" }
      }
    }
  ]
}
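As an added example (not AWS code and not part of this documentation), the following Python evaluator applies the action-matching rules that the AmazonConnectReadOnlyAccess policy and the AmazonConnectSynchronizationServiceRolePolicy above depend on: IAM wildcards in Action strings, case-insensitive matching, and an explicit Deny overriding every Allow. It embeds the read-only policy in full and an excerpt of the synchronization policy, and assumes Resource and Condition match, which holds for the embedded statements because they all use "Resource": "*" with no Condition.

```python
"""Offline check of which actions an IAM identity policy's Action patterns permit.

Added example, not AWS code. It models only what the policies on this page rely
on: "*" and "?" wildcards in Action strings, case-insensitive action matching,
and the rule that an explicit Deny overrides any Allow. Resource ARNs and
Condition blocks are treated as matching, which is exact for the embedded
statements (all "Resource": "*", no Condition). NotAction is not modelled.
"""
import re

# AmazonConnectReadOnlyAccess, copied from the page (complete).
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowConnectReadOnly", "Effect": "Allow",
         "Action": ["connect:Get*", "connect:Describe*", "connect:List*",
                    "ds:DescribeDirectories"],
         "Resource": "*"},
        {"Sid": "DenyConnectEmergencyAccess", "Effect": "Deny",
         "Action": "connect:AdminGetEmergencyAccessToken", "Resource": "*"},
    ],
}

# AmazonConnectSynchronizationServiceRolePolicy: the full Allow list and an
# excerpt of the Deny list (the page lists more deny patterns; the CloudWatch
# statement is omitted because it carries a Condition).
SYNC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowConnectActions", "Effect": "Allow",
         "Action": ["connect:Create*", "connect:Update*", "connect:Delete*",
                    "connect:Describe*", "connect:List*", "connect:Search*",
                    "connect:Associate*", "connect:Disassociate*", "connect:Get*",
                    "connect:BatchGet*", "connect:TagResource", "connect:UntagResource"],
         "Resource": "*"},
        {"Sid": "DisallowedConnectActions", "Effect": "Deny",
         "Action": ["connect:Start*", "connect:Stop*", "connect:*Contact",
                    "connect:SearchContacts", "connect:*ContactAttributes*",
                    "connect:*RealtimeContact*", "connect:CreateInstance",
                    "connect:DeleteInstance", "connect:ListInstances",
                    "connect:GetFederationToken", "connect:SearchAvailablePhoneNumbers"],
         "Resource": "*"},
    ],
}


def _pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM action pattern such as "connect:*ContactAttributes*" to a regex.

    IAM treats "*" as any run of characters and "?" as exactly one character,
    and compares the action name case-insensitively."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(rf"^{escaped}$", re.IGNORECASE)


def action_matches(pattern: str, action: str) -> bool:
    return _pattern_to_regex(pattern).match(action) is not None


def _as_list(value):
    # IAM accepts either a single string or a list for "Action".
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str) -> tuple:
    """Decide one action: ("Deny", sid), ("Allow", sid) or ("ImplicitDeny", None).

    Statement order is irrelevant: any matching Deny wins outright, and an
    Allow only stands when no Deny anywhere in the policy matches."""
    allow_sid = None
    for stmt in policy["Statement"]:
        if not any(action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if stmt["Effect"] == "Deny":
            return ("Deny", stmt.get("Sid"))
        if allow_sid is None:
            allow_sid = stmt.get("Sid", "<no Sid>")
    return ("Allow", allow_sid) if allow_sid else ("ImplicitDeny", None)


def report(policy: dict, actions) -> dict:
    """Map each candidate action to its decision, for a quick least-privilege review."""
    return {a: evaluate(policy, a)[0] for a in actions}


if __name__ == "__main__":
    for action in ["connect:DescribeInstance", "connect:AdminGetEmergencyAccessToken",
                   "connect:UpdateUserIdentityInfo"]:
        print("ReadOnly", action, evaluate(READ_ONLY_POLICY, action))
    for action in ["connect:CreateUser", "connect:CreateInstance", "connect:UpdateContactAttributes",
                   "connect:GetFederationToken", "connect:SearchUsers"]:
        print("Sync    ", action, evaluate(SYNC_POLICY, action))
```

The synchronization run shows why the deny-list matters: connect:Update* would otherwise cover connect:UpdateContactAttributes, and connect:Get* would cover connect:GetFederationToken, but both are stopped by explicit Deny patterns.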

Amazon Connect updates to AWS managed policies

View details about updates to AWS managed policies for Amazon Connect since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Connect Document history page.

Change Description Date

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Q in Connect

Added the following Amazon Q in Connect actions to the service-linked role policy:

  • wisdom:CreateAIAgent

  • wisdom:CreateAIAgentVersion

  • wisdom:DeleteAIAgent

  • wisdom:DeleteAIAgentVersion

  • wisdom:UpdateAIAgent

  • wisdom:UpdateAssistantAIAgent

  • wisdom:RemoveAssistantAIAgent

  • wisdom:GetAIAgent

  • wisdom:ListAIAgents

  • wisdom:ListAIAgentVersions

  • wisdom:CreateAIPrompt

  • wisdom:CreateAIPromptVersion

  • wisdom:DeleteAIPrompt

  • wisdom:DeleteAIPromptVersion

  • wisdom:UpdateAIPrompt

  • wisdom:GetAIPrompt

  • wisdom:ListAIPrompts

  • wisdom:ListAIPromptVersions

  • wisdom:CreateAIGuardrail

  • wisdom:CreateAIGuardrailVersion

  • wisdom:DeleteAIGuardrail

  • wisdom:DeleteAIGuardrailVersion

  • wisdom:UpdateAIGuardrail

  • wisdom:GetAIGuardrail

  • wisdom:ListAIGuardrails

  • wisdom:ListAIGuardrailVersions

  • wisdom:CreateAssistant

  • wisdom:ListTagsForResource

December 31, 2024

AmazonConnectServiceLinkedRolePolicy – Added action for Amazon Pinpoint, to support push notifications

Added the following Amazon Pinpoint action to the service-linked role policy to support push notifications. This action allows Amazon Connect to send push notifications by using the Amazon Pinpoint API:

  • mobiletargeting:SendMessages

December 10, 2024

AmazonConnectServiceLinkedRolePolicy – Added actions for integration with AWS End User Messaging Social

Added the following AWS End User Messaging Social actions to the service-linked role policy. The actions allow Amazon Connect to invoke these APIs on End User Messaging Social phone numbers that have the 'AmazonConnectEnabled':'True' resource tag.

  • social-messaging:SendWhatsAppMessage

  • social-messaging:PostWhatsAppMessageMedia

  • social-messaging:GetWhatsAppMessageMedia

  • social-messaging:GetLinkedWhatsAppBusinessAccountPhoneNumber

December 2, 2024

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon SES, to support the email channel

Added the following Amazon SES actions to the service-linked role policy to support the email channel. These actions allow Amazon Connect to send, receive, and manage emails by using the Amazon SES APIs:

  • ses:DescribeReceiptRule

  • ses:UpdateReceiptRule

  • ses:DeleteEmailIdentity

  • ses:SendRawEmail

  • iam:PassRole

November 22, 2024

AmazonConnectServiceLinkedRolePolicy – Added Actions for Amazon Connect Customer Profiles

Added the following actions to manage Amazon Connect Customer Profiles resources:

  • profile:GetIntegration

  • profile:PutIntegration

  • profile:DeleteIntegration

  • profile:CreateEventTrigger

  • profile:GetEventTrigger

  • profile:ListEventTriggers

  • profile:UpdateEventTrigger

  • profile:DeleteEventTrigger

November 18, 2024

CustomerProfilesServiceLinkedRolePolicy – Added permissions for managing outbound campaigns

Added the following actions for retrieving profile information and triggering a campaign:

  • connect-campaigns:PutProfileOutboundRequestBatch - allows you to trigger a campaign based on your Customer Profiles Event Trigger Definition.

  • profile:BatchGetProfile - allows you to retrieve profile information necessary for triggering an event.

December 1, 2024

AmazonConnectServiceLinkedRolePolicy – Added Actions for Amazon Connect Customer Profiles and Amazon Q in Connect

Added the following actions to manage Amazon Connect Customer Profiles resources:

  • profile:ListObjectTypeAttributes

  • profile:ListProfileAttributeValues

  • profile:BatchGetProfile

  • profile:BatchGetCalculatedAttributeForProfile

  • profile:ListSegmentDefinitions

  • profile:CreateSegmentDefinition

  • profile:GetSegmentDefinition

  • profile:DeleteSegmentDefinition

  • profile:CreateSegmentEstimate

  • profile:GetSegmentEstimate

  • profile:CreateSegmentSnapshot

  • profile:GetSegmentSnapshot

  • profile:GetSegmentMembership

Added the following actions to manage Amazon Q in Connect resources:

  • wisdom:CreateMessageTemplate

  • wisdom:UpdateMessageTemplate

  • wisdom:UpdateMessageTemplateMetadata

  • wisdom:GetMessageTemplate

  • wisdom:DeleteMessageTemplate

  • wisdom:ListMessageTemplates

  • wisdom:SearchMessageTemplates

  • wisdom:ActivateMessageTemplate

  • wisdom:DeactivateMessageTemplate

  • wisdom:CreateMessageTemplateVersion

  • wisdom:ListMessageTemplateVersions

  • wisdom:CreateMessageTemplateAttachment

  • wisdom:DeleteMessageTemplateAttachment

  • wisdom:RenderMessageTemplate

November 18, 2024

AmazonConnectCampaignsServiceLinkedRolePolicy – Added Actions for Amazon Connect Customer Profiles and Amazon Q in Connect

Added the following actions to manage Amazon Connect resources:

  • connect:StartOutboundVoiceContact

  • connect:GetMetricData

  • connect:GetCurrentMetricData

  • connect:BatchPutContact

  • connect:StopContact

  • connect:GetMetricDataV2

  • connect:DescribeContactFlow

  • connect:SendOutboundEmail

Added the following actions to manage EventBridge resources:

  • events:DeleteRule

  • events:PutRule

  • events:PutTargets

  • events:RemoveTargets

  • events:ListRules

  • events:ListTargetsByRule

Added the following actions to manage Amazon Q in Connect resources:

  • wisdom:GetMessageTemplate

  • wisdom:RenderMessageTemplate

November 18, 2024

AmazonConnectSynchronizationServiceRolePolicy – Consolidated allowed actions and added a deny-list of actions for Managed Synchronization

Modified the allowed actions by using wildcards and added an explicit deny-list of actions.

November 12, 2024

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Chime SDK Voice Connector

Added the following Amazon Chime SDK Voice Connector actions to the service-linked role policy. These actions allow Amazon Connect to obtain Amazon Chime Voice Connector information by using get and list Amazon Chime SDK Voice Connector APIs:

  • chime:GetVoiceConnector: Allows Amazon Connect to invoke the GetVoiceConnector API on any Amazon Chime SDK Voice Connectors that have an 'AmazonConnectEnabled':'True' resource tag.

  • chime:ListVoiceConnectors: Allows Amazon Connect to list all Amazon Chime SDK Voice Connectors created in the account across all Regions.

October 25, 2024

AmazonConnectSynchronizationServiceRolePolicy – Added for Managed Synchronization

Added the following actions to the service-linked role managed policy to support the launch of the HoursOfOperationOverride attribute.

  • connect:CreateHoursOfOperationOverride

  • connect:UpdateHoursOfOperationOverride

  • connect:DeleteHoursOfOperationOverride

  • connect:DescribeHoursOfOperationOverride

  • connect:ListHoursOfOperationOverrides

September 25, 2024

AmazonConnectSynchronizationServiceRolePolicy – Added for Managed Synchronization

Added the following actions to the service-linked role managed policy for managed synchronization:

  • connect:AssociatePhoneNumberContactFlow

  • connect:DisassociatePhoneNumberContactFlow

  • connect:AssociateRoutingProfileQueues

  • connect:DisassociateQueueQuickConnects

  • connect:AssociateQueueQuickConnects

  • connect:DisassociateUserProficiencies

  • connect:AssociateUserProficiencies

  • connect:DisassociateRoutingProfileQueues

  • connect:CreateAuthenticationProfile

  • connect:UpdateAuthenticationProfile

  • connect:DescribeAuthenticationProfile

  • connect:ListAuthenticationProfiles

July 5, 2024

AmazonConnectReadOnlyAccess – Renamed action connect:GetFederationTokens and changed to connect:AdminGetEmergencyAccessToken

The AmazonConnectReadOnlyAccess managed policy has been updated due to the renaming of the Amazon Connect action connect:GetFederationTokens to connect:AdminGetEmergencyAccessToken. This change is backwards compatible and the connect:AdminGetEmergencyAccessToken action will function in the same way as the connect:GetFederationTokens action. If you leave the previously named connect:GetFederationTokens action in your policies, they will continue to function as expected.

June 15, 2024

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Cognito user pools and Amazon Connect Customer Profiles

Added the following Amazon Cognito user pools actions to the service-linked role policy to allow select read operations on Amazon Cognito user pool resources that have an AmazonConnectEnabled resource tag. This tag is put on the resource when the CreateIntegrationAssociations API is called:

  • cognito-idp:DescribeUserPool

  • cognito-idp:ListUserPoolClients

Added the following Amazon Connect Customer Profiles action to the service-linked role policy so that Amazon Connect can write data into the Connect-adjacent Customer Profiles service:

  • profile:PutProfileObject

May 23, 2024

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Q in Connect

The following action is allowed on Amazon Q in Connect knowledge bases that carry the resource tag 'AmazonConnectEnabled':'True':

  • wisdom:ListContentAssociations

May 20, 2024

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Pinpoint

Added the following actions to the service-linked role policy so that Amazon Connect can send SMS using Amazon Pinpoint phone numbers:

  • sms:DescribePhoneNumbers

  • sms:SendTextMessage

November 17, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Q in Connect

The following action is allowed on Amazon Q in Connect knowledge bases that carry the resource tag 'AmazonConnectEnabled':'True':

  • wisdom:PutFeedback

November 15, 2023

AmazonConnectCampaignsServiceLinkedRolePolicy – Added actions for Amazon Connect

Added the following Amazon Connect actions, which outbound campaigns use to create and stop contacts:

  • connect:BatchPutContact

  • connect:StopContact

November 8, 2023

AmazonConnectSynchronizationServiceRolePolicy – Added new AWS managed policy

Added a new service-linked role managed policy for managed synchronization.

The policy provides access to read, create, update, and delete Amazon Connect resources and is used to automatically synchronize AWS resources across AWS regions.

November 3, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Customer Profiles

Added the following Amazon Connect Customer Profiles calculated-attribute actions to the service-linked role policy:

  • profile:ListCalculatedAttributesForProfile

  • profile:GetDomain

  • profile:ListIntegrations

  • profile:CreateCalculatedAttributeDefinition

  • profile:DeleteCalculatedAttributeDefinition

  • profile:GetCalculatedAttributeDefinition

  • profile:UpdateCalculatedAttributeDefinition

October 30, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Q in Connect

The following actions are allowed on Amazon Q in Connect knowledge bases that carry the resource tag 'AmazonConnectEnabled':'True':

  • wisdom:CreateQuickResponse

  • wisdom:GetQuickResponse

  • wisdom:SearchQuickResponses

  • wisdom:StartImportJob

  • wisdom:GetImportJob

  • wisdom:ListImportJobs

  • wisdom:ListQuickResponses

  • wisdom:UpdateQuickResponse

  • wisdom:DeleteQuickResponse

October 25, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Customer Profiles

Added the following Amazon Connect Customer Profiles calculated-attribute actions to the service-linked role policy:

  • profile:ListCalculatedAttributeDefinitions

  • profile:GetCalculatedAttributeForProfile

October 6, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Q in Connect

The following actions are allowed on Amazon Q in Connect knowledge bases and assistants that carry the resource tag 'AmazonConnectEnabled':'True':

  • wisdom:CreateContent

  • wisdom:DeleteContent

  • wisdom:CreateKnowledgeBase

  • wisdom:GetAssistant

  • wisdom:GetKnowledgeBase

  • wisdom:GetContent

  • wisdom:GetRecommendations

  • wisdom:GetSession

  • wisdom:NotifyRecommendationsReceived

  • wisdom:QueryAssistant

  • wisdom:StartContentUpload

  • wisdom:UntagResource

  • wisdom:TagResource

  • wisdom:CreateSession

The following List actions are allowed on all Amazon Q in Connect resources, regardless of tags:

  • wisdom:ListAssistants

  • wisdom:ListKnowledgeBases

September 29, 2023

CustomerProfilesServiceLinkedRolePolicy – Added new AWS managed policy

Added a new service-linked role managed policy for Amazon Connect Customer Profiles.

March 7, 2023

AmazonConnect_FullAccess – Added permission for managing Amazon Connect Customer Profiles Service Linked Roles

Added the following action so that you can create the service-linked role for Amazon Connect Customer Profiles:

  • iam:CreateServiceLinkedRole - allows you to create a service-linked role for Customer Profiles.

January 26, 2023

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon CloudWatch

Added the following action to publish Amazon Connect usage metrics for an instance to your account:

  • cloudwatch:PutMetricData

February 22, 2022

AmazonConnect_FullAccess – Added permissions for managing Amazon Connect Customer Profiles domains

Added all permissions for managing Amazon Connect Customer Profiles domains that are created for new Amazon Connect instances.

  • profile:ListAccountIntegrations - Lists all the integrations associated with a specific URI in the AWS account.

  • profile:ListDomains - Returns a list of all the domains for an AWS account that have been created.

  • profile:GetDomain - Returns information about a specific domain.

  • profile:ListProfileObjectTypeTemplates - Allow the Amazon Connect console to display a list of templates that you can use to create your data mappings.

  • profile:GetObjectTypes - Allow you to view all the current Object Types (data mappings) that you've created.

The following permissions are allowed only on domains whose name is prefixed with amazon-connect-:

  • profile:AddProfileKey - Allows you to associate a new key value with a specific profile

  • profile:CreateDomain - Allows you to create new domains

  • profile:CreateProfile - Allows you to create new profiles

  • profile:DeleteDomain - Allows you to delete domains

  • profile:DeleteIntegration - Allows you to delete integrations with a domain

  • profile:DeleteProfile - Allows you to delete a profile

  • profile:DeleteProfileKey - Allows you to delete a profile key

  • profile:DeleteProfileObject - Allows you to delete a profile object

  • profile:DeleteProfileObjectType - Allows you to delete a profile object type

  • profile:GetIntegration - Allows you to retrieve information about an integration

  • profile:GetMatches - Allows you to retrieve possible profile matches

  • profile:GetProfileObjectType - Allows you to retrieve profile object types

  • profile:ListIntegrations - Allows you to list integrations

  • profile:ListProfileObjects - Allows you to list profile objects

  • profile:ListProfileObjectTypes - Allows you to list profile object types

  • profile:ListTagsForResource - Allows you to list tags for a resource

  • profile:MergeProfiles - Allows you to merge profile matches

  • profile:PutIntegration - Allows you to add an integration between Customer Profiles and another service, including Amazon AppFlow and Amazon Connect

  • profile:PutProfileObject - Allows you to create and update objects

  • profile:PutProfileObjectType - Allows you to create and update object types

  • profile:SearchProfiles - Allows you to search profiles

  • profile:TagResource - Allows you to tag resources

  • profile:UntagResource - Allows you to untag resources

  • profile:UpdateDomain - Allows you to update domains

  • profile:UpdateProfile - Allows you to update profiles
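The Amazon Q in Connect grants above are scoped by a resource tag (AmazonConnectEnabled=True), while the Customer Profiles domain grants just listed are scoped by a resource name prefix (amazon-connect-). These are two different trust boundaries: with tag gating, whoever can tag a knowledge base or assistant brings it within reach of the role, so wisdom:TagResource is part of the boundary; with prefix gating, whoever can create a domain named amazon-connect-* does. The following script is an added example for this page, not the text of AmazonConnectServiceLinkedRolePolicy or AmazonConnect_FullAccess: it models how IAM evaluates both patterns against a constructed policy. The account ID 123456789012, the knowledge-base ID and the domain names are hypothetical, the Customer Profiles domain ARN form arn:aws:profile:region:account:domains/name is assumed, and only Allow statements with an optional StringEquals condition on aws:ResourceTag/Key are modelled (no explicit Deny, no other condition operators).

```python
"""Model IAM evaluation of tag-gated and name-prefix-gated Allow statements.

Added example for this page, not the text of any AWS managed policy. The
policy below is constructed to show the shape of the two scoping patterns;
account 123456789012, the knowledge-base ID and the domain names are
hypothetical, and the Customer Profiles domain ARN form
arn:aws:profile:<region>:<account>:domains/<name> is assumed. Only Allow
statements with an optional StringEquals condition on aws:ResourceTag/<Key>
are modelled: no explicit Deny and no other condition operators.
"""
import fnmatch

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Tag-gated: any Amazon Q in Connect resource, but only if tagged.
            "Sid": "TagGatedWisdom",
            "Effect": "Allow",
            "Action": ["wisdom:GetContent", "wisdom:CreateContent", "wisdom:QueryAssistant"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceTag/AmazonConnectEnabled": "True"}},
        },
        {   # Name-gated: only Customer Profiles domains named amazon-connect-*.
            "Sid": "PrefixGatedProfilesDomains",
            "Effect": "Allow",
            "Action": ["profile:CreateDomain", "profile:DeleteDomain", "profile:UpdateDomain"],
            "Resource": "arn:aws:profile:*:*:domains/amazon-connect-*",
        },
        {   # Unscoped List actions, as the page describes for wisdom:List*.
            "Sid": "UnscopedList",
            "Effect": "Allow",
            "Action": ["wisdom:ListAssistants", "wisdom:ListKnowledgeBases"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """Statement, Action, Resource and condition values may be one item or a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' a single character."""
    return fnmatch.fnmatchcase(value, pattern)


def _action_matches(patterns, action):
    # Action names are case-insensitive in IAM.
    return any(_matches(p.lower(), action.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, arn):
    return any(_matches(p, arn) for p in _as_list(patterns))


def _condition_matches(condition, tags):
    """StringEquals on aws:ResourceTag/<Key>: the key is compared
    case-insensitively, the value case-sensitively ('true' != 'True')."""
    tags_ci = {k.lower(): v for k, v in tags.items()}
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.lower().startswith("aws:resourcetag/"):
            return False  # condition key not modelled: treat as unsatisfied
        tag_key = key[len("aws:ResourceTag/"):].lower()
        if tags_ci.get(tag_key) not in _as_list(expected):
            return False
    return True


def is_allowed(policy, action, resource_arn, resource_tags=None):
    """True if some Allow statement matches action, resource and condition;
    otherwise the request is implicitly denied."""
    tags = resource_tags or {}
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not _action_matches(stmt["Action"], action):
            continue
        if not _resource_matches(stmt["Resource"], resource_arn):
            continue
        if not _condition_matches(stmt.get("Condition", {}), tags):
            continue
        return True
    return False


# Hypothetical resources for the demonstration.
KB_ARN = "arn:aws:wisdom:us-east-1:123456789012:knowledge-base/0123abcd-0000-4000-8000-000000000000"
CONNECT_DOMAIN = "arn:aws:profile:us-east-1:123456789012:domains/amazon-connect-prod"
OTHER_DOMAIN = "arn:aws:profile:us-east-1:123456789012:domains/crm-prod"


def scope_report(policy=POLICY):
    """Evaluate the cases that show where each scoping pattern draws its boundary."""
    return {
        "tagged kb, GetContent": is_allowed(policy, "wisdom:GetContent", KB_ARN, {"AmazonConnectEnabled": "True"}),
        "untagged kb, GetContent": is_allowed(policy, "wisdom:GetContent", KB_ARN),
        "kb tagged 'true', GetContent": is_allowed(policy, "wisdom:GetContent", KB_ARN, {"AmazonConnectEnabled": "true"}),
        "untagged kb, ListKnowledgeBases": is_allowed(policy, "wisdom:ListKnowledgeBases", KB_ARN),
        "amazon-connect- domain, DeleteDomain": is_allowed(policy, "profile:DeleteDomain", CONNECT_DOMAIN),
        "other domain, DeleteDomain": is_allowed(policy, "profile:DeleteDomain", OTHER_DOMAIN),
    }


if __name__ == "__main__":
    for case, allowed in scope_report().items():
        print(f"{'ALLOW' if allowed else 'DENY ':6} {case}")
```

The report shows the practical consequences: an untagged knowledge base is out of reach even though the statement's Resource is "*", a tag value of 'true' does not satisfy a StringEquals check for 'True', the List actions work on untagged resources, and a domain named crm-prod is untouched by the prefix-scoped grant while amazon-connect-prod is fully manageable. When reviewing who can effectively exercise these managed policies, include the principals that can write the AmazonConnectEnabled tag or create amazon-connect-* domains.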

November 12, 2021

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Connect Customer Profiles

Added the following actions so Amazon Connect flows and the agent experience can interact with the profiles in your default Customer Profiles domain:

  • profile:SearchProfiles

  • profile:CreateProfile

  • profile:UpdateProfile

  • profile:AddProfileKey

Added the following action so Amazon Connect flows and the agent experience can interact with the profile objects in your default Customer Profiles domain:

  • profile:ListProfileObjects

Added the following action so Amazon Connect flows and the agent experience can determine whether Customer Profiles is enabled for your Amazon Connect instance:

  • profile:ListAccountIntegrations

November 12, 2021

AmazonConnectVoiceIDFullAccess – Added new AWS managed policy

Added a new AWS managed policy so you can set up your users to use Amazon Connect Voice ID.

This policy provides full access to Amazon Connect Voice ID through the AWS console, SDK, or other means.

September 27, 2021

AmazonConnectCampaignsServiceLinkedRolePolicy – Added new service-linked role policy

Added a new service-linked role policy for outbound campaigns.

The policy provides access to retrieve all the outbound campaigns.

September 27, 2021

AmazonConnectServiceLinkedRolePolicy – Added actions for Amazon Lex

Added the following actions for all bots created in the account across all Regions, to support integration with Amazon Lex.

  • lex:ListBots - Lists all the bots available in a given Region for your account.

  • lex:ListBotAliases - Lists all the aliases for a given bot.

June 15, 2021

AmazonConnect_FullAccess – Added actions for Amazon Lex

Added the following actions for all bots created in the account across all Regions, to support integration with Amazon Lex.

  • lex:ListBots

  • lex:ListBotAliases

June 15, 2021

Amazon Connect started tracking changes

Amazon Connect started tracking changes for its AWS managed policies.

June 15, 2021