Required permissions for using custom IAM policies to manage access to the Amazon Connect console
If you're using custom IAM policies to manage access to the Amazon Connect console, your users need some or all of the permissions listed in this article, depending on the tasks they need to do.
Note
Using connect:* in a custom IAM policy grants your users all of the Amazon Connect permissions listed in this article.
Note
Certain pages on the Amazon Connect console, such as Tasks and Customer Profiles, require that you add permissions to your inline policies.
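An added example, not part of the AWS documentation: a small Python check that applies the first note above to a custom policy document, reporting every Allow statement whose Action pattern covers the whole connect namespace (connect:*, *, or an equivalent wildcard). The sample policy, its statement IDs and the function names are constructed for illustration, and the check looks only at Action in Allow statements, not NotAction.

```python
import fnmatch
import json

# Constructed sample policy for illustration; not taken from the AWS page.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOnlyHome", "Effect": "Allow",
     "Action": ["connect:ListInstances", "connect:DescribeInstance"],
     "Resource": "*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "Connect:*", "Resource": "*"},
    {"Sid": "DenyAll", "Effect": "Deny", "Action": "connect:*", "Resource": "*"}
  ]
}
""")

# Probe names that no real action uses: a pattern that matches both must match
# every action in the connect namespace, whatever its name or length.
_PROBES = ("connect:\x00", "connect:\x00\x00\x00")


def _as_list(value):
    """IAM allows Statement and Action to be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_all_connect(pattern):
    """True if an Action pattern matches every connect action."""
    # IAM action matching is case-insensitive; * and ? are its wildcards.
    lowered = pattern.lower()
    return all(fnmatch.fnmatchcase(probe, lowered) for probe in _PROBES)


def find_broad_statements(policy):
    """Return (index, sid, pattern) for each Allow statement granting all of connect."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant access
        for pattern in _as_list(stmt.get("Action")):
            if grants_all_connect(pattern):
                findings.append((i, stmt.get("Sid", ""), pattern))
    return findings


if __name__ == "__main__":
    for idx, sid, pattern in find_broad_statements(SAMPLE_POLICY):
        print(f"Statement[{idx}] {sid!r}: Action {pattern!r} grants every connect permission")
```

Run it against each custom policy before attaching it; an empty result means no single Allow statement hands out the full set of Amazon Connect permissions.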
AWS managed policy: AmazonConnect_FullAccess policy
To allow full read/write access to Amazon Connect, you must attach two policies to your users, groups, or roles. Attach the AmazonConnect_FullAccess policy and a custom policy with the following contents:
To allow a user to create an instance, ensure that they have the permissions granted by the AmazonConnect_FullAccess policy.
When you use the AmazonConnect_FullAccess policy, note the following:
- Additional privileges are required to create an Amazon S3 bucket with a name of your choosing, or to use an existing bucket while creating or updating an instance from the Amazon Connect admin website. If you choose default storage locations for your call recordings, chat transcripts, email messages, attachments, call transcripts, and other data, the system prepends "amazon-connect-" to those objects.
- The aws/connect KMS key is available to use as a default encryption option. To use a custom encryption key, assign users additional KMS privileges.
- Assign users additional privileges to attach other AWS resources like Amazon Polly, Live Media Streaming, Data Streaming, and Lex bots to their Amazon Connect instances.
AWS managed policy: AmazonConnectReadOnlyAccess policy
To allow read-only access, you need to attach only the AmazonConnectReadOnlyAccess policy.
Amazon Connect console home page
The following image shows a sample Amazon Connect console home page, with an arrow pointing to the instance alias. Choose the instance alias to navigate to the detailed instance pages.

Use the permissions listed in the following table to manage access to this page.
Action/Use case | Permissions needed |
---|---|
List instance |
|
Describe instance: View the details of the instance/current settings |
|
Create instance |
|
Delete instance |
|
Detailed instance pages
The following image shows the navigation menu you use to access each of the detailed instance pages.

To access the detailed instance pages, you need permissions to the Amazon Connect console home page (describe/list). Or, use the AmazonConnectReadOnlyAccess policy.
The following tables list the granular permissions for each detailed instance page.
Note
To perform Edit actions, users also need List and Describe permissions.
Overview page
Action/Use case | Permissions needed |
---|---|
Create service-linked role |
|
Telephony page
Action/Use case | Permissions needed |
---|---|
View telephony options |
|
Enable/Disable telephony options |
|
View outbound campaigns |
|
Enable/disable outbound campaigns |
|
Data storage page
Call recording section
Action/Use case | Permissions needed |
---|---|
View call recording |
|
Edit call recording |
|
Screen recording section
Action/Use case | Permissions needed |
---|---|
View screen recording |
|
Edit screen recording |
|
Chat transcripts section
Action/Use case | Permissions needed |
---|---|
View chat transcripts |
|
Edit chat transcripts |
|
Attachments section
Action/Use case | Permissions needed |
---|---|
View attachments |
|
Edit attachments |
|
Live media streaming section
Action/Use case | Permissions needed |
---|---|
View live media streaming |
|
Edit live media streaming |
|
Exported reports section
Action/Use case | Permissions needed |
---|---|
View exported reports |
|
Edit exported reports |
|
Data streaming page
Contact records section
Action/Use case | Permissions needed |
---|---|
View data streaming - Contact records |
|
Edit contact record |
|
Agent events section
Action/Use case | Permissions needed |
---|---|
View data streaming - Agent events |
|
Edit agent events |
|
Flows page
Flows security keys section
Action/Use case | Permissions needed |
---|---|
View flow security keys |
|
Add/remove flow security keys |
|
Lex bots section
Action/Use case | Permissions needed |
---|---|
View Lex bots |
|
Add/remove Lex bots |
|
Lambda functions section
Action/Use case | Permissions needed |
---|---|
View Lambda functions |
|
Add/remove Lambda functions |
|
Flow logs section
Action/Use case | Permissions needed |
---|---|
View flow log config |
|
Enable/disable flow log |
|
Amazon Polly section
Action/Use case | Permissions needed |
---|---|
View Amazon Polly option |
|
Update Amazon Polly option |
|
Contact Lens connectors page
Action/Use case | Permissions needed |
---|---|
View Contact Lens connectors |
|
Add/Update/Remove Contact Lens connectors |
|
Voice transfer integrations
Action/Use case | Permissions needed |
---|---|
View external voice transfer connectors |
|
Add/Update/Remove external voice transfer connectors |
|
Application integration page
Action/Use case | Permissions needed |
---|---|
View approved origins |
|
Edit approved origins |
|
Customer Profiles page
Action/Use case | Permissions needed |
---|---|
View customer profiles |
|
Edit customer profiles |
|
Tasks page
Action/Use case | Permissions needed |
---|---|
View Tasks integrations |
|
Edit Tasks integrations |
|
Email page
Action/Use case | Permissions needed |
---|---|
View email domains and addresses |
|
Edit email domains and addresses |
|
Cases page
Action/Use case | Permissions needed |
---|---|
View Cases domain details |
|
Onboard to Cases |
|
Customer authentication page
Action/Use case | Permissions needed |
---|---|
View customer authentication |
|
Onboard to customer authentication |
|
Outbound campaigns page
Action/Use case | Permissions needed |
---|---|
View outbound campaigns |
|
Create outbound campaigns |
|
Amazon Q in Connect page
Action/Use case | Permissions needed |
---|---|
View domains and integrations |
|
Add or remove domains |
|
Add or remove integrations |
|
Voice ID page
Action/Use case | Permissions needed |
---|---|
View Voice ID integrations |
|
Edit Voice ID integrations |
|
Forecasting, capacity planning, and scheduling page
Action/Use case | Permissions needed |
---|---|
View forecasting, capacity planning, and scheduling |
|
Enable forecasting, capacity planning, and scheduling |
|
Disable forecasting, capacity planning, and scheduling |
|
Federations
SAML federation
Action/Use case | Permissions needed |
---|---|
SAML federation |
|
Admin/Emergency federation
Action/Use case | Permissions needed |
---|---|
Admin/Emergency federation |
|