# Required permissions for using custom IAM policies to manage access to the Connect Customer console If you're using custom [IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) policies to manage access to the Connect Customer console, your users need some or all of the permissions listed in this article, depending on the tasks they need to do. **Note** Using `connect:*` in a custom IAM policy grants your users all of the Connect Customer permissions listed in this article. **Note** Certain pages on the Connect Customer console, such as [Tasks](#tasks-page) and [Customer Profiles](#customer-profiles-page), require that you add permissions to your inline policies. **Topics** + [AmazonConnect\_FullAccess policy](#amazonconnectfullaccesspolicy) + [AmazonConnectReadOnlyAccess policy](#amazonconnectreadonlyaccesspolicy) + [Home page](#console-home-page-permissions) + [Detail pages](#detail-pages) + [Overview page](#overview-page) + [Telephony page](#telephony-page) + [Data storage page](#data-storage-page) + [Data streaming page](#data-streaming-page) + [Flows page](#contact-flows-page) + [Contact Lens connectors page](#contactlensconnectors-page) + [Voice transfer integrations page](#voice-transfer-integrations-page) + [Application integration page](#application-integration-page) + [Customer Profiles page](#customer-profiles-page) + [Tasks page](#tasks-page) + [Email page](#email-page) + [Cases page](#cases-page) + [Customer authentication page](#customer-authentication-page) + [Outbound campaigns page](#outbound-campaigns-page) + [Connect AI agents page](#wisdom-page) + [Voice ID page](#voiceid-page) + [Forecasting, capacity planning, and scheduling page](#forecasting-page) + [Federations](#federations) ## AWS managed policy: AmazonConnect\_FullAccess policy To allow full read/write access to Connect Customer, you must attach two policies to your users, groups, or roles. Attach the `AmazonConnect_FullAccess` policy and a custom policy with the following contents: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AttachAnyPolicyToAmazonConnectRole", "Effect": "Allow", "Action": "iam:PutRolePolicy", "Resource": "arn:aws:iam::*:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect*" } ] } ``` ------ To allow a user to create an instance, ensure that they have the permissions granted by the `AmazonConnect_FullAccess` policy. When you use `AmazonConnect_FullAccess` policy, note the following: + Additional privileges are required to create an Amazon S3 bucket with a name of your choosing, or to use an existing bucket while creating or updating an instance from the Connect Customer admin website. If you choose default storage locations for your call recordings, chat transcripts, email messages, attachments, call transcripts, and other data, the system prepends `"amazon-connect-"` to those objects. + The `aws/connect` KMS key is available to use as a default encryption option. To use a custom encryption key, assign users additional KMS privileges. + Assign users additional privileges to attach other AWS resources like Amazon Polly, Live Media Streaming, Data Streaming, and Lex bots to their Connect Customer instances. ## AWS managed policy: AmazonConnectReadOnlyAccess policy To allow read-only access, you need to attach only the `AmazonConnectReadOnlyAccess` policy. ## Connect Customer console home page The following image shows a sample Connect Customer console home page, with an arrow pointing to the instance alias. Choose the instance alias to navigate to the detailed instance pages. ![The Connect Customer virtual contact center instances page, the instance alias.](http://docs.aws.amazon.com/connect/latest/adminguide/images/instance.png) Use the permissions listed in the following table to manage access to this page. | Action/Use case | Permissions needed | | --- | --- | | List instance | `connect:ListInstances`
`ds:DescribeDirectories` | | Describe instance: View the details of the instance/ current settings | `connect:DescribeInstance`
`connect:ListLambdaFunctions`
`connect:ListLexBots`
`connect:ListInstanceStorageConfigs`
`connect:ListApprovedOrigins`
`connect:ListSecurityKeys`
`connect:DescribeInstanceAttributes`
`connect:DescribeInstanceStorageConfig`
`ds:DescribeDirectories` | | Create instance | `connect:AssociateCustomerProfilesDomain`
`connect:CreateInstance`
`connect:DescribeInstance`
`connect:ListInstances`
`connect:AssociateInstanceStorageConfig`
`connect:UpdateInstanceAttribute`
`ds:CheckAlias`
`ds:CreateAlias`
`ds:AuthorizeApplication`
`ds:UnauthorizeApplication`
`ds:CreateIdentityPoolDirectory`
`ds:DescribeDirectories`
`iam:CreateServiceLinkedRole`
`iam:PutRolePolicy`
`kms:CreateGrant`
`kms:DescribeKey`
`kms:ListAliases`
`kms:RetireGrant`
`logs:CreateLogGroup`
`s3:CreateBucket`
`s3:GetBucketLocation`
`s3:ListAllMyBuckets`
`servicequotas:GetServiceQuota`
`profile:CreateDomain`
`profile:GetDomain`
`profile:GetProfileObjectType`
`profile:ListAccountIntegrations`
`profile:ListDomains`
`profile:ListProfileObjectTypeTemplates`
`profile:PutIntegration` | | Delete instance | `connect:DescribeInstance`
`connect:DeleteInstance`
`connect:ListInstances`
`ds:DescribeDirectories`
`ds:DeleteDirectory`
`ds:UnauthorizeApplication` | ## Detailed instance pages The following image shows the navigation menu you use to access each of the detailed instance pages. ![The navigation menu on the Connect Customer instances page.](http://docs.aws.amazon.com/connect/latest/adminguide/images/iam-custom-permissions-admin-console-telephony-page.png) To access the detailed instance pages, you need permissions to the Connect Customer console home page (describe/list). Or, use the `AmazonConnectReadOnlyAccess` policy. The following tables list the granular permissions for each detailed instance page. **Note** To perform `Edit` actions, users also need `List` and `Describe` permissions. ## Overview page | Action/Use case | Permissions needed | | --- | --- | | Create service-linked role | `connect:DescribeInstance`
`connect:ListInstances`
`connect:DescribeInstanceAttribute`
`connect:UpdateInstanceAttribute`
`connect:ListIntegrationAssociations`
`profile:ListAccountIntegrations`
`ds:DescribeDirectories`
`iam:CreateServiceLinkedRole`
`iam:PutRolePolicy` | ## Telephony page | Action/Use case | Permissions needed | | --- | --- | | View telephony options | `connect:DescribeInstance` | | Enable/Disable telephony options | `connect:UpdateInstanceAttribute` | | View outbound campaigns | `connect-campaigns:GetConnectInstanceConfig`
`connect-campaigns:GetInstanceOnboardingJobStatus`
`connect:DescribeInstance`
`connect:DescribeInstanceAttribute`
`kms:DescribeKey` | | Enable/disable outbound campaigns | `connect-campaigns:GetConnectInstanceConfig`
`connect-campaigns:GetInstanceOnboardingJobStatus`
`connect-campaigns:StartInstanceOnboardingJob`
`connect-campaigns:DeleteInstanceOnboardingJob`
`connect-campaigns:DeleteConnectInstanceConfig`
`connect:DescribeInstance`
`connect:DescribeInstanceAttribute`
`connect:UpdateInstanceAttribute`
`iam:CreateServiceLinkedRole`
`iam:DeleteServiceLinkedRole`
`iam:AttachRolePolicy`
`iam:PutRolePolicy`
`iam:DeleteRolePolicy`
`events:PutRule`
`events:PutTargets`
`events:DeleteRule`
`events:RemoveTargets`
`events:DescribeRule`
`events:ListTargetsByRule`
`ds:DescribeDirectories`
`kms:DescribeKey`
`kms:ListKeys`
`kms:CreateGrant`
`kms:RetireGrant` | ## Data storage page ### Call recording section | Action/Use case | Permissions needed | | --- | --- | | View call recording | `connect:DescribeInstance`
`connect:ListInstanceStorageConfigs`
`connect:DescribeInstanceStorageConfig` | | Edit call recording | `connect:AssociateInstanceStorageConfig`
`connect:UpdateInstanceStorageConfig`
`connect:DisassociateInstanceStorageConfig`
`s3:ListAllMyBuckets`
`s3:GetBucketLocation`
`s3:GetBucketAcl`
`s3:CreateBucket`
`kms:CreateGrant`
`kms:DescribeKey`
`kms:ListAliases`
`kms:RetireGrant`
`iam:PutRolePolicy` | ### Screen recording section | Action/Use case | Permissions needed | | --- | --- | | View screen recording | `connect:DescribeInstance`
`connect:ListInstanceStorageConfigs`
`connect:DescribeInstanceStorageConfig` | | Edit screen recording | `connect:AssociateInstanceStorageConfig`
`connect:UpdateInstanceStorageConfig`
`connect:DisassociateInstanceStorageConfig`
`s3:ListAllMyBuckets`
`s3:GetBucketLocation`
`s3:GetBucketAcl`
`s3:CreateBucket`
`iam:PutRolePolicy`
`kms:CreateGrant`
`kms:DescribeKey`
`kms:ListAliases`
`kms:RetireGrant` | ### Chat transcripts section | Action/Use case | Permissions needed | | --- | --- | | View chat transcripts | `connect:DescribeInstance`
`connect:DescribeInstanceStorageConfig`
`connect:ListInstanceStorageConfigs` | | Edit chat transcripts | `connect:AssociateInstanceStorageConfig`
`connect:UpdateInstanceStorageConfig`
`connect:DisassociateInstanceStorageConfig`
`s3:ListAllMyBuckets`
`s3:GetBucketLocation`
`s3:GetBucketAcl`
`s3:CreateBucket`
`kms:CreateGrant`
`kms:DescribeKey`
`kms:ListAliases`
`kms:RetireGrant`
`iam:PutRolePolicy` | ### Attachments section | Action/Use case | Permissions needed | | --- | --- | | View attachments | `connect:DescribeInstance`
`connect:DescribeInstanceStorageConfig`
`connect:ListInstanceStorageConfigs` | | Edit attachments | `connect:AssociateInstanceStorageConfig`
`connect:UpdateInstanceStorageConfig`
`connect:DisassociateInstanceStorageConfig`
`s3:ListAllMyBuckets`
`s3:GetBucketLocation`
`s3:CreateBucket`
`s3:GetBucketAcl`
`kms:CreateGrant`
`kms:DescribeKey`
`kms:ListAliases`
`kms:RetireGrant`
`iam:PutRolePolicy` | ### Live media streaming section | Action/Use case | Permissions needed | | --- | --- | | View live media streaming | `connect:DescribeInstance`
`connect:ListInstanceStorageConfigs`
`connect:DescribeInstanceStorageConfig` | | Edit live media streaming | `connect:AssociateInstanceStorageConfig`
`connect:UpdateInstanceStorageConfig`
`connect:DisassociateInstanceStorageConfig`
`kms:CreateGrant`
`kms:DescribeKey`
`kms:RetireGrant`
`iam:PutRolePolicy` | ### Exported reports section | Action/Use case | Permissions needed | | --- | --- | | View exported reports | `connect:DescribeInstance`
`connect:ListInstanceStorageConfigs`
`connect:DescribeInstanceStorageConfig` | | Edit exported reports | `connect:AssociateInstanceStorageConfig`
`connect:UpdateInstanceStorageConfig`
`connect: DisassociateInstanceStorageConfig`
`s3:ListAllMyBuckets`
`s3:GetBucketLocation`
`s3:CreateBucket`
`kms:DescribeKey`
`kms:ListAliases`
`kms:RetireGrant`
`kms:CreateGrant`
`iam:PutRolePolicy` | ## Data streaming page ### Contact records section | Action/Use case | Permissions needed | | --- | --- | | View data streaming - Contact records | `connect:DescribeInstance`
`connect:ListInstanceStorageConfigs`
`connect:DescribeInstanceStorageConfig` | | Edit contact record | `connect:AssociateInstanceStorageConfig`
`connect:UpdateInstanceStorageConfig`
`connect:DisassociateInstanceStorageConfig`
`firehose:ListDeliveryStreams`
`firehose:DescribeDeliveryStream`
`kinesis:ListStreams`
`kinesis:DescribeStream`
`iam:PutRolePolicy` | ### Agent events section | Action/Use case | Permissions needed | | --- | --- | | View data streaming - Agent events | `connect:DescribeInstance`
`connect:ListInstanceStorageConfigs`
`connect:DescribeInstanceStorageConfig` | | Edit agent events | `connect:AssociateInstanceStorageConfig`
`connect:UpdateInstanceStorageConfig`
`connect:DisassociateInstanceStorageConfig`
`kinesis:ListStreams`
`kinesis: DescribeStream`
`iam:PutRolePolicy` | ## Flows page ### Flows security keys section | Action/Use case | Permissions needed | | --- | --- | | View flow security keys | `connect:DescribeInstance`
`connect:ListSecurityKeys` | | Add/remove flow security keys | `connect:AssociateSecurityKey`
`connect:DisassociateSecurityKey` | ### Lex bots section | Action/Use case | Permissions needed | | --- | --- | | View Lex bots | `connect:ListLexBots`
`connect:ListBots` | | Add/remove Lex bots | `lex:GetBots`
`lex:GetBot`
`lex:CreateResourcePolicy`
`lex:DeleteResourcePolicy`
`lex:UpdateResourcePolicy`
`lex:DescribeBotAlias`
`lex:ListBotAliases`
`lex:ListBots`
`connect:AssociateBot`
`connect:DisassociateBot`
`connect:ListBots`
`connect:AssociateLexBot`
`connect:DisassociateLexBot`
`connect:ListLexBots`
`iam:PutRolePolicy` | ### Lambda functions section | Action/Use case | Permissions needed | | --- | --- | | View Lambda functions | `connect:ListLambdaFunctions` | | Add/remove Lambda functions | `connect:ListLambdaFunctions`
`connect:AssociateLambdaFunction`
`connect:DisassociateLambdaFunction`
`iam:PutRolePolicy`
`lambda:ListFunctions`
`lambda:AddPermission`
`lambda:RemovePermission` | ### Flow logs section | Action/Use case | Permissions needed | | --- | --- | | View flow log config | `connect:DescribeInstance`
`connect:DescribeInstanceAttribute` | | Enable/disable flow log | `logs:CreateLogGroup` | ### Amazon Polly section | Action/Use case | Permissions needed | | --- | --- | | View Amazon Polly option | `connect:DescribeInstance`
`connect:DescribeInstanceAttribute` | | Update Amazon Polly option | `connect:UpdateInstanceAttribute` | ## Contact Lens connectors page | Action/Use case | Permissions needed | | --- | --- | | View Contact Lens connectors | `connect:ListIntegrationAssociations`
`chime:GetVoiceConnector`
`chime:GetVoiceConnectorLoggingConfiguration`
`chime:GetVoiceConnectorTermination`
`chime:GetVoiceConnectorTerminationHealth`
`chime:ListVoiceConnectors`
`chime:ListVoiceConnectorTerminationCredentials`
`chime:GetVoiceConnectorExternalSystemsConfiguration` | | Add/Update/Remove Contact Lens connectors | `chime:CreateVoiceConnector`
`chime:DeleteVoiceConnector`
`chime:DeleteVoiceConnectorTermination`
`chime:DeleteVoiceConnectorTerminationCredentials`
`chime:GetVoiceConnector`
`chime:GetVoiceConnectorLoggingConfiguration`
`chime:GetVoiceConnectorTermination`
`chime:GetVoiceConnectorTerminationHealth`
`chime:ListVoiceConnectors`
`chime:ListVoiceConnectorTerminationCredentials`
`chime:PutVoiceConnectorLoggingConfiguration`
`chime:PutVoiceConnectorTermination`
`chime:PutVoiceConnectorTerminationCredentials`
`chime:UpdateVoiceConnector`
`chime:CreateConnectAnalyticsConnector`
`chime:PutVoiceConnectorExternalSystemsConfiguration`
`chime:GetVoiceConnectorExternalSystemsConfiguration`
`chime:DeleteVoiceConnectorExternalSystemsConfiguration`
`chime:AssociateVoiceConnectorConnect`
`chime:DisassociateVoiceConnectorConnect`
`chime:TagResources`
`chime:UntagResources`
`chime:ListTagsForResource` | ## Voice transfer integrations page | Action/Use case | Permissions needed | | --- | --- | | View external voice transfer connectors | `connect:ListIntegrationAssociations`
`chime:GetVoiceConnector`
`chime:GetVoiceConnectorLoggingConfiguration`
`chime:GetVoiceConnectorTermination`
`chime:GetVoiceConnectorTerminationHealth`
`chime:ListVoiceConnectors`
`chime:ListVoiceConnectorTerminationCredentials`
`chime:GetVoiceConnectorExternalSystemsConfiguration`
`servicequotas:GetServiceQuota` | | Add/Update/Remove external voice transfer connectors | `connect:CreateIntegrationAssociation`
`connect:DeleteIntegrationAssociation`
`connect:ListIntegrationAssociations`
`chime:CreateConnectCallTransferConnector`
`chime:CreateVoiceConnector`
`chime:DeleteVoiceConnector`
`chime:DeleteVoiceConnectorTermination`
`chime:DeleteVoiceConnectorTerminationCredentials`
`chime:GetVoiceConnector`
`chime:GetVoiceConnectorLoggingConfiguration`
`chime:GetVoiceConnectorOrigination`
`chime:GetVoiceConnectorTermination`
`chime:GetVoiceConnectorTerminationHealth`
`chime:ListVoiceConnectors`
`chime:ListVoiceConnectorTerminationCredentials`
`chime:PutVoiceConnectorLoggingConfiguration`
`chime:PutVoiceConnectorOrigination`
`chime:PutVoiceConnectorTermination`
`chime:PutVoiceConnectorTerminationCredentials`
`chime:UpdateVoiceConnector`
`chime:CreateConnectAnalyticsConnector`
`chime:PutVoiceConnectorExternalSystemsConfiguration`
`chime:GetVoiceConnectorExternalSystemsConfiguration`
`chime:DeleteVoiceConnectorExternalSystemsConfiguration`
`chime:AssociateVoiceConnectorConnect`
`chime:DisassociateVoiceConnectorConnect`
`chime:TagResources`
`chime:UntagResources`
`chime:ListTagsForResource`
`servicequotas:GetServiceQuota` | ## Application integration page | Action/Use case | Permissions needed | | --- | --- | | View approved origins | `connect:DescribeInstance`
`connect:ListApprovedOrigins` | | Edit approved origins | `connect: AssociateApprovedOrigin`
`connect:ListApprovedOrigins`
`connect:DisassociateApprovedOrigin` | ## Customer Profiles page | Action/Use case | Permissions needed | | --- | --- | | View customer profiles | `app-integrations:ListEventIntegrations`
`appflow:DescribeConnectorEntity`
`appflow:DescribeConnectorProfiles`
`appflow:DescribeFlow`
`appflow:ListFlows`
`appflow:ListConnectorEntities`
`appflow:ListConnectorProfiles`
`cloudwatch:GetMetricData`
`connect:DescribeInstance`
`connect:ListInstances`
`ds:DescribeDirectories`
`iam:ListRoles`
`kinesis:DescribeStreamSummary`
`kms:Decrypt`
`kms:DescribeKey`
`kms:GenerateDataKey`
`kms:ListKeys`
`profile:GetCalculatedAttributeDefinition`
`profile:GetDomain`
`profile:GetEventStream`
`profile:GetIdentityResolutionJob`
`profile:GetIntegration`
`profile:GetProfileObjectType`
`profile:GetProfileObjectTypeTemplate`
`profile:GetWorkflow`
`profile:ListAccountIntegrations`
`profile:ListCalculatedAttributeDefinitions`
`profile:ListDomains`
`profile:ListDomainLayouts`
`profile:ListEventStreams`
`profile:ListIdentityResolutionJobs`
`profile:ListIntegrations`
`profile:ListProfileObjectTypes`
`profile:ListProfileObjectTypeTemplates`
`profile:ListRecommenders`
`profile:ListSegmentDefinitions`
`sqs:ListQueues` | | Edit customer profiles | `app-integrations:CreateEventIntegration`
`app-integrations:ListEventIntegrations`
`appflow:CreateFlow`
`appflow:CreateConnectorProfile`
`appflow:DescribeFlow`
`appflow:DeleteFlow`
`appflow:DescribeConnectorEntity`
`appflow:DescribeConnectorProfiles`
`appflow:ListFlows`
`appflow:ListConnectorEntities`
`appflow:ListConnectorProfiles`
`appflow:StartFlow`
`cloudwatch:GetMetricData`
`connect:DescribeInstance`
`connect:ListInstances`
`ds:DescribeDirectories`
`events:CreateEventBus`
`events:DescribeEventBus`
`events:DescribeEventSource`
`events:ListEventSources`
`iam:CreateRole`
`iam:CreatePolicy`
`iam:AttachRolePolicy`
`iam:ListRoles`
`iam:PutRolePolicy`
`kinesis:DescribeStreamSummary`
`kinesis:ListStreams`
`kms:CreateGrant`
`kms:Decrypt`
`kms:DescribeKey`
`kms:GenerateDataKey`
`kms:ListAliases`
`kms:ListKeys`
`kms:ListGrants`
`profile:CreateCalculatedAttributeDefinition`
`profile:CreateDomain`
`profile:CreateDomainLayout`
`profile:CreateEventStream`
`profile:CreateIntegrationWorkflow`
`profile:CreateSegmentDefinition`
`profile:DeleteEventStream`
`profile:DeleteIntegration`
`profile:DeleteDomain`
`profile:DeleteProfileObjectType`
`profile:DetectProfileObjectType`
`profile:GetCalculatedAttributeDefinition`
`profile:GetDomain`
`profile:GetEventStream`
`profile:GetIdentityResolutionJob`
`profile:GetIntegration`
`profile:GetProfileObjectType`
`profile:GetProfileObjectTypeTemplate`
`profile:GetWorkflow`
`profile:ListAccountIntegrations`
`profile:ListCalculatedAttributeDefinitions`
`profile:ListDomains`
`profile:ListDomainLayouts`
`profile:ListEventStreams`
`profile:ListIdentityResolutionJobs`
`profile:ListIntegrations`
`profile:ListProfileObjectTypes`
`profile:ListProfileObjectTypeTemplates`
`profile:ListSegmentDefinitions`
`profile:PutIntegration`
`profile:PutProfileObjectType`
`profile:TagResource`
`profile:UntagResource`
`profile:UpdateDomain`
`s3:GetBucketLocation`
`s3:GetBucketPolicy`
`s3:GetObject`
`s3:HeadBucket`
`s3:ListAllMyBuckets`
`s3:ListBucket`
`s3:ListObjectsV2`
`s3:PutBucketPolicy`
`s3:SelectObjectContent`
`sqs:ListQueues` | ## Tasks page | Action/Use case | Permissions needed | | --- | --- | | View Tasks integrations | `app-integrations:GetEventIntegration`
`connect:ListIntegrationAssociations` | | Edit Tasks integrations | `app-integrations:CreateEventIntegration`
`app-integrations:GetEventIntegration`
`app-integrations:ListEventIntegrations`
`app-integrations:DeleteEventIntegrationAssociation`
`app-integrations:CreateEventIntegrationAssociation`
`appflow:CreateFlow`
`appflow:CreateConnectorProfile`
`appflow:DescribeFlow`
`appflow:DeleteFlow`
`appflow:DeleteConnectorProfile`
`appflow:DescribeConnectorEntity`
`appflow:ListFlows`
`appflow:ListConnectorEntities`
`appflow:StartFlow`
`connect:ListIntegrationAssociations`
`connect:DeleteIntegrationAssociation`
`connect:ListUseCases`
`connect:DeleteUseCase`
`events:ActivateEventSource`
`events:CreateEventBus`
`events:DescribeEventBus`
`events:DescribeEventSource`
`events:ListEventSources`
`events:ListTargetsByRule`
`events:PutRule`
`events:PutTargets`
`events:DeleteRule`
`events:RemoveTargets`
`kms:CreateGrant`
`kms:DescribeKey`
`kms:ListAliases`
`kms:ListKeys`
`kms:ListGrants` | ## Email page | Action/Use case | Permissions needed | | --- | --- | | View email domains and addresses | `ses:GetIdentityVerificationAttributes`
`ses:DescribeReceiptRule`
`ses:DescribeActiveReceiptRuleSet`
`ses:GetEmailIdentity`
`ses:DescribeReceiptRuleSet`
`ses:GetConfigurationSetEventDestinations`
`ses:GetConfigurationSet` | | Edit email domains and addresses | `ses:CreateReceiptRule`
`ses:UpdateReceiptRule`
`ses:SetActiveReceiptRuleSet`
`ses:CreateReceiptRuleSet`
`ses:CreateEmailIdentity`
`ses:TagResource`
`ses:UntagResource`
`ses:DeleteReceiptRule`
`ses:DeleteReceiptRuleSet`
`ses:CloneReceiptRuleSet`
`ses:CreateConfigurationSet`
`ses:CreateConfigurationSetEventDestination`
`ses:PutEmailIdentityConfigurationSetAttributes`
`ses:CreateEmailIdentityPolicy`
`ses:UpdateEmailIdentityPolicy`
`ses:DeleteEmailIdentityPolicy`
`iam:CreateServiceLinkedRole`
`iam:PassRole`
`iam:CreateRole`
`iam:CreatePolicy` | ## Cases page | Action/Use case | Permissions needed | | --- | --- | | View Cases domain details | `connect:ListInstances`
`ds:DescribeDirectories`
`connect:ListIntegrationAssociations`
`cases:GetDomain` | | Onboard to Cases | `connect:ListInstances`
`connect:ListIntegrationAssociations`
`cases:GetDomain`
`cases:CreateDomain`
`connect:CreateIntegrationAssociation`
`connect:DescribeInstance`
`iam:PutRolePolicy` | ## Customer authentication page | Action/Use case | Permissions needed | | --- | --- | | View customer authentication | `connect:ListIntegrationAssociations`
`cognito-idp:ListUserPools`
`cognito-idp:DescribeUserPool` | | Onboard to customer authentication | `connect:CreateIntegrationAssociation`
`connect:DeleteIntegrationAssociation`
`connect:ListIntegrationAssociations`
`cognito-idp:ListUserPools`
`cognito-idp:DescribeUserPool`
`cognito-idp:ListUserPoolClients`
`cognito-idp:TagResource`
`cognito-idp:CreateUserPool` | ## Outbound campaigns page | Action / Use case | Permissions needed | | --- | --- | | View outbound campaigns | `connect:ListIntegrationAssociations`
`connect:ListPhoneNumbersV2`
`connect:SearchEmailAddresses`
`connect:DescribeInstance`
`connect:DescribeInstanceAttribute`
`kms:DescribeKey`
`kms:ListKeys`
`profile:ListAccountIntegrations`
`profile:ListIntegrations`
`profile:ListDomains`
`profile:GetDomain`
`wisdom:ListKnowledgeBases`
`wisdom:GetKnowledgeBase`
`connect-campaigns:GetInstanceOnboardingJobStatus`
`connect-campaigns:GetConnectInstanceConfig`
`connect-campaigns:ListConnectInstanceIntegrations` | | Create outbound campaigns | `connect-campaigns:StartInstanceOnboardingJob`
`connect-campaigns:DeleteInstanceOnboardingJob`
`connect-campaigns:GetConnectInstanceConfig`
`connect-campaigns:GetInstanceOnboardingJobStatus`
`connect-campaigns:DeleteConnectInstanceConfig`
`connect:DescribeInstance`
`connect:DescribeInstanceAttribute`
`connect:UpdateInstanceAttribute`
`iam:CreateServiceLinkedRole`
`iam:DeleteServiceLinkedRole`
`iam:AttachRolePolicy`
`iam:PutRolePolicy`
`iam:DeleteRolePolicy`
`events:PutRule`
`events:PutTargets`
`events:DeleteRule`
`events:RemoveTargets`
`events:DescribeRule`
`events:ListTargetsByRule`
`ds:DescribeDirectories`
`kms:DescribeKey`
`kms:ListKeys`
`kms:CreateGrant`
`kms:RetireGrant`
`profile:CreateDomain`
`profile:ListAccountIntegrations`
`profile:ListIntegrations`
`profile:PutIntegration`
`profile:PutProfileObjectType`
`connect:CreateIntegrationAssociation`
`connect:ListIntegrationAssociations`
`connect:UpdateInstanceAttribute`
`connect:AssociateCustomerProfilesDomain`
`connect-campaigns:ListConnectInstanceIntegrations`
`connect-campaigns:PutConnectInstanceIntegration`
`wisdom:CreateKnowledgeBase`
`wisdom:ListKnowledgeBases` | ## Connect AI agents page | Action/Use case | Permissions needed | | --- | --- | | View domains and integrations | `wisdom:ListAssistantAssociations`
`appflow:DescribeConnectorProfiles`
`app-integrations:GetDataIntegration`
`connect:DescribeInstance`
`connect:DescribeInstanceAttribute`
`connect:ListIntegrationAssociations`
`kms:DescribeKey`
`kms:ListGrants`
`wisdom:GetAssistant`
`wisdom:GetKnowledgeBase`
`wisdom:ListAssistantAssociations` | | Add or remove domains | `connect:CreateIntegrationAssociation`
`connect:DeleteIntegrationAssociation`
`connect:ListIntegrationAssociations`
`iam:DeleteRolePolicy`
`iam:PutRolePolicy`
`kms:CreateGrant`
`kms:DescribeKey`
`kms:ListAliases`
`wisdom:CreateAssistant`
`wisdom:DeleteAssistant`
`wisdom:GetAssistant`
`wisdom:ListAssistantAssociations`
`wisdom:ListAssistants`
`wisdom:TagResource` | | Add or remove integrations | `wisdom:ListAssistantAssociations`
`app-integrations:CreateDataIntegration`
`app-integrations:CreateDataIntegrationAssociation`
`app-integrations:DeleteDataIntegrationAssociation`
`app-integrations:GetDataIntegration`
`app-integrations:ListDataIntegrations`
`appflow:CreateConnectorProfile`
`appflow:CreateFlow`
`appflow:DeleteFlow`
`appflow:DescribeConnector`
`appflow:DescribeConnectorEntity`
`appflow:DescribeConnectorProfiles`
`appflow:DescribeConnectors`
`appflow:DescribeFlow`
`appflow:ListConnectorEntities`
`appflow:StartFlow`
`appflow:StopFlow`
`appflow:TagResource`
`appflow:UseConnectorProfile`
`connect:CreateIntegrationAssociation`
`connect:DeleteIntegrationAssociation`
`connect:ListIntegrationAssociations`
`iam:DeleteRolePolicy`
`iam:PutRolePolicy`
`kms:CreateGrant`
`kms:Decrypt`
`kms:DescribeKey`
`kms:GenerateDataKey`
`kms:ListAliases`
`kms:ListGrants`
`secretsmanager:CreateSecret`
`secretsmanager:PutResourcePolicy`
`wisdom:CreateAssistantAssociation`
`wisdom:CreateKnowledgeBase`
`wisdom:DeleteAssistantAssociation`
`wisdom:DeleteKnowledgeBase`
`wisdom:GetAssistant`
`wisdom:GetKnowledgeBase`
`wisdom:ListAssistantAssociations`
`wisdom:ListKnowledgeBases`
`wisdom:TagResource` | ## Voice ID page | Action/Use case | Permissions needed | | --- | --- | | View Voice ID integrations | `voiceid:DescribeDomain`
`voiceid:ListDomains`
`voiceid:RegisterComplianceConsent`
`voiceid:DescribeComplianceConsent`
`connect:ListIntegrationAssociations` | | Edit Voice ID integrations | `voiceid:DescribeDomain`
`voiceid:ListDomains`
`voiceid:RegisterComplianceConsent`
`voiceid:DescribeComplianceConsent`
`voiceid:UpdateDomain`
`voiceid:CreateDomain`
`connect:ListIntegrationAssociations`
`connect:CreateIntegrationAssociation`
`connect:DeleteIntegrationAssociation`
`events:PutRule`
`events:DeleteRule`
`events:PutTargets`
`events:RemoveTargets`
`iam:PutRolePolicy` | ## Forecasting, capacity planning, and scheduling page | Action/Use case | Permissions needed | | --- | --- | | View forecasting, capacity planning, and scheduling | `connect:DescribeForecastingPlanningSchedulingIntegration` | | Enable forecasting, capacity planning, and scheduling | `connect:UpdateInstanceAttribute`
`connect:StartForecastingPlanningSchedulingIntegration` | | Disable forecasting, capacity planning, and scheduling | `connect:UpdateInstanceAttribute`
`connect:StopForecastingPlanningSchedulingIntegration` | ## Federations ### SAML federation | Action/Use case | Permissions needed | | --- | --- | | SAML federation | `connect:GetFederationToken` | ### Admin/Emergency federation | Action/Use case | Permissions needed | | --- | --- | | Admin/Emergency federation | `connect:AdminGetEmergencyAccessToken` |