@shinsaka
Last active June 16, 2022 09:44
AWS IAM Policy template for Amazon Connect Admin.

about

This gist works out an IAM policy for an Amazon Connect administrator who logs in to the AWS console.

Goals

  • Can log in to the AWS console
  • Cannot operate any Connect instance other than the target instance
  • Can operate only the target Connect instance
  • Can view call recordings, chat transcripts, and exported reports (S3)
  • Can change the data streaming settings
  • Can configure the Amazon Lex bots used in contact flows
  • Can configure the AWS Lambda functions used in contact flows
  • Can view contact flow logs (CloudWatch Logs)

Placeholders to rewrite

  • region
    • Your Connect instance region
    • e.g. us-east-1
  • aws account id
    • Your AWS account ID
    • e.g. 123456789012
  • connect instance id
    • Your Connect instance ID
    • e.g. aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
  • instance alias
    • Your Connect instance alias
  • bucket name
    • Your Connect instance S3 bucket name
  • service linked role name
    • The name of the Amazon Connect service-linked role for the instance (referenced by the Iam statement as <service_link_role_name>)

Command templates for policy manipulation with the AWS CLI

list

aws iam list-policies

create

aws iam create-policy \
--policy-name MyConnectAdminPolicy \
--policy-document file://connect-admin-policy.json

create new version

aws iam create-policy-version \
--policy-arn arn:aws:iam::123456789012:policy/MyConnectAdminPolicy \
--policy-document file://connect-admin-policy.json \
--set-as-default

list versions

aws iam list-policy-versions \
--policy-arn arn:aws:iam::123456789012:policy/MyConnectAdminPolicy

delete

A managed policy can have up to 5 versions. Once that limit is reached, you must delete an existing version before you can create a new one.

aws iam delete-policy-version \
--policy-arn arn:aws:iam::123456789012:policy/MyConnectAdminPolicy \
--version-id v1
connect-admin-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Connect",
      "Effect": "Allow",
      "Action": [
        "connect:*"
      ],
      "Resource": [
        "arn:aws:connect:<region>:<aws_account_id>:instance/<connect_instance_id>",
        "arn:aws:connect:<region>:<aws_account_id>:instance/<connect_instance_id>/*"
      ]
    },
    {
      "Sid": "CloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:Describe*",
        "logs:Get*",
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/connect/<instance_alias>:*"
      ]
    },
    {
      "Sid": "S3",
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket_name>",
        "arn:aws:s3:::<bucket_name>/*"
      ]
    },
    {
      "Sid": "Iam",
      "Effect": "Allow",
      "Action": "iam:PutRolePolicy",
      "Resource": "arn:aws:iam::<aws_account_id>:role/aws-service-role/connect.amazonaws.com/<service_link_role_name>"
    },
    {
      "Sid": "LambdaAssociate",
      "Effect": "Allow",
      "Action": "lambda:AddPermission",
      "Resource": "arn:aws:lambda:<region>:<aws_account_id>:function:*"
    },
    {
      "Sid": "LexBotAssociate",
      "Effect": "Allow",
      "Action": [
        "lex:DescribeBotAlias",
        "lex:CreateResourcePolicy",
        "lex:UpdateResourcePolicy"
      ],
      "Resource": "arn:aws:lex:<region>:<aws_account_id>:bot-alias/*/*"
    },
    {
      "Sid": "Profile",
      "Effect": "Allow",
      "Action": [
        "profile:AddProfileKey",
        "profile:CreateDomain",
        "profile:CreateProfile",
        "profile:DeleteDomain",
        "profile:DeleteIntegration",
        "profile:DeleteProfile",
        "profile:DeleteProfileKey",
        "profile:DeleteProfileObject",
        "profile:DeleteProfileObjectType",
        "profile:GetIntegration",
        "profile:GetMatches",
        "profile:GetProfileObjectType",
        "profile:ListIntegrations",
        "profile:ListProfileObjects",
        "profile:ListProfileObjectTypes",
        "profile:ListTagsForResource",
        "profile:MergeProfiles",
        "profile:PutIntegration",
        "profile:PutProfileObject",
        "profile:PutProfileObjectType",
        "profile:SearchProfiles",
        "profile:TagResource",
        "profile:UntagResource",
        "profile:UpdateDomain",
        "profile:UpdateProfile"
      ],
      "Resource": "arn:aws:profile:*:*:domains/amazon-connect-*"
    },
    {
      "Sid": "AllowAnyResource",
      "Effect": "Allow",
      "Action": [
        "connect:ListInstances",
        "profile:ListAccountIntegrations",
        "profile:GetDomain",
        "profile:ListDomains",
        "profile:GetProfileObjectType",
        "profile:ListProfileObjectTypeTemplates",
        "ds:CreateAlias",
        "ds:AuthorizeApplication",
        "ds:CreateIdentityPoolDirectory",
        "ds:DeleteDirectory",
        "ds:DescribeDirectories",
        "ds:UnauthorizeApplication",
        "ds:CheckAlias",
        "firehose:DescribeDeliveryStream",
        "firehose:ListDeliveryStreams",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kms:Describe*",
        "kms:List*",
        "kms:Get*",
        "kms:Decrypt",
        "lex:GetBots",
        "lex:ListBots",
        "lex:ListBotAliases",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "lambda:ListFunctions",
        "voiceid:Describe*",
        "voiceid:List*",
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ReadServiceQuotas",
      "Effect": "Allow",
      "Action": [
        "servicequotas:List*",
        "servicequotas:Get*",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ServiceQuotas",
      "Effect": "Allow",
      "Action": [
        "servicequotas:RequestServiceQuotaIncrease"
      ],
      "Resource": "arn:aws:servicequotas:*:*:connect/*"
    }
  ]
}
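The template only meets its "only the target Connect instance" goal if every placeholder is filled and no statement grants a Connect wildcard on Resource "*". The following script, an added example that is not part of the gist, renders the placeholders and checks that scoping before the document is handed to create-policy-version; the TEMPLATE excerpt and the VALUES are constructed for the example.

```python
# Added example (not part of the gist): fill the <placeholders> in the policy
# template and check that Connect access stays scoped to the target instance.
import json
import re

PLACEHOLDER = re.compile(r"<([a-z_]+)>")

# Constructed excerpt of the template: its Connect and AllowAnyResource statements.
TEMPLATE = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "Connect", "Effect": "Allow", "Action": ["connect:*"], "Resource": [
    "arn:aws:connect:<region>:<aws_account_id>:instance/<connect_instance_id>",
    "arn:aws:connect:<region>:<aws_account_id>:instance/<connect_instance_id>/*"]},
  {"Sid": "AllowAnyResource", "Effect": "Allow", "Resource": "*",
   "Action": ["connect:ListInstances", "s3:ListAllMyBuckets"]}]}"""

# Sample values, constructed for this example; use your own account's values.
VALUES = {"region": "us-east-1", "aws_account_id": "123456789012",
          "connect_instance_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}

def render(template, values):
    """Substitute every <placeholder>; refuse to emit a policy with one unfilled."""
    def sub(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"no value for placeholder <{key}>")
        return values[key]
    return json.loads(PLACEHOLDER.sub(sub, template))

def scoping_findings(policy, instance_id):
    """Flag Allow statements that could reach other Connect instances: a wildcard
    connect action on Resource "*", or a connect ARN that is not the target."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(a in ("*", "connect:*") for a in actions) and "*" in resources:
            findings.append(f"{st.get('Sid')}: wildcard connect action on Resource *")
        for arn in resources:
            if arn.startswith("arn:aws:connect:") and instance_id not in arn:
                findings.append(f"{st.get('Sid')}: Connect ARN outside target instance: {arn}")
    return findings

if __name__ == "__main__":
    rendered = render(TEMPLATE, VALUES)
    print(json.dumps(rendered, indent=2))
    print(scoping_findings(rendered, VALUES["connect_instance_id"]) or "scoping OK")
```

To use it on the full template, read connect-admin-policy.json into TEMPLATE and fill VALUES with all six placeholders; a KeyError means a placeholder was left unfilled.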