
Appendix D: Minimum IAM Permissions for SCCAC Runtime Operations

Overview

This appendix lists the minimum IAM permissions required for SCCAC runtime operations. These permissions are exercised through the Connect API Named Credential, which is created during initial setup with the IAM user from the AWS Account prerequisites.

If you want to run with a dedicated IAM user that holds only these runtime permissions and then disable your setup user, this appendix gives the individual permission policies, keyed to the features you have enabled. Attach only the policies for features you actually use; a permission for a feature you have not enabled is unneeded privilege.

Each policy scopes its action to every Amazon Connect instance in the account (Resource arn:aws:connect:*:<AWS_ACCOUNT_ID>:instance/*). If the runtime user serves a single instance, you can tighten that by replacing the Region and instance wildcards with the instance's own ARN, listing both arn:aws:connect:<REGION>:<AWS_ACCOUNT_ID>:instance/<INSTANCE_ID> and arn:aws:connect:<REGION>:<AWS_ACCOUNT_ID>:instance/<INSTANCE_ID>/* so that the contact-level resources under that instance are still covered.

IAM Permissions

1. Stop Contact Operations (Required)

Why it's needed: Terminates active Amazon Connect contacts when errors occur during contact processing, ensuring contacts don't remain in an active state after failures in the Salesforce integration.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConnectStopContact",
      "Effect": "Allow",
      "Action": [
        "connect:StopContact"
      ],
      "Resource": [
        "arn:aws:connect:*:<AWS_ACCOUNT_ID>:instance/*"
      ]
    }
  ]
}

2. Unified Routing (Required if enabled)

Why it's needed: If you have enabled Unified Routing, this permission creates task-based contacts in Amazon Connect from Salesforce Cases, enabling external routing from Salesforce to Amazon Connect queues.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConnectStartTaskContact",
      "Effect": "Allow",
      "Action": [
        "connect:StartTaskContact"
      ],
      "Resource": [
        "arn:aws:connect:*:<AWS_ACCOUNT_ID>:instance/*"
      ]
    }
  ]
}

3. Post-Contact Summarization (Required if enabled)

Why it's needed: If you have enabled Post-Contact Summarization, this permission retrieves AI-generated contact summaries and analysis after contacts end.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConnectListRealtimeContactAnalysisSegments",
      "Effect": "Allow",
      "Action": [
        "connect:ListRealtimeContactAnalysisSegmentsV2"
      ],
      "Resource": [
        "arn:aws:connect:*:<AWS_ACCOUNT_ID>:instance/*"
      ]
    }
  ]
}

Creating a Dedicated Runtime IAM User

If you want to separate runtime permissions from setup permissions, you can create a dedicated IAM user:

  1. To create an IAM User:

    1. Sign in to your AWS account, go to the IAM Console, Users, and then choose Create user.
    2. For User name, enter SCCAC-Runtime-User or similar and then choose Next.
    3. Choose Attach policies directly, then Create policy. In the Policy editor, select JSON and paste the policy for each feature you have enabled from the section above. If you need more than one, merge them into a single document by placing all of their Statement objects in one Statement array (a policy document has exactly one top-level JSON object, so pasting two complete documents will not validate). Replace every <AWS_ACCOUNT_ID> with your AWS account ID.
    4. For Policy name enter SCCAC-Runtime-Policy and choose Create Policy.
    5. Refresh Permissions policies in the User creation window, select SCCAC-Runtime-Policy and choose Next, and then Create user.
  2. Create an access key for the user and store it:

    1. Choose SCCAC-Runtime-User, go to the Security credentials tab, Create Access Key, select Other, choose Next, and then Create Access Key.
    2. Store both the access key ID and the secret access key securely (for example, in a secrets manager). The secret access key is shown only once at creation, and you will need both values in the next step.
  3. Update Salesforce Named Credential:

    1. Log in to Salesforce as a System Administrator.
    2. In Salesforce Setup, go to Security > Named Credentials > External Credentials.
    3. Find and select the External Credential SCC_CONTACT_CENTER_CONNECT_API_EC_{ContactCenterID}.
    4. Under Principals, find the IAM Credential principal.
    5. Choose Edit from the dropdown menu under Actions.
    6. Enter the new Access Key and Secret Access Key from step 2.
    7. Choose Save.
    8. Once the integration works with the new key, deactivate the setup user's access key in IAM and delete it after a grace period; an active key on a user nobody uses is a standing credential.
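
The following script is an added example and is not part of the SCCAC documentation or the product's own tooling. It composes the runtime policy from the three policies above according to which features are enabled, scopes it to a single Connect instance instead of the account-wide wildcard, rejects an ARN in which <AWS_ACCOUNT_ID> was never replaced, and, only when SCCAC_APPLY=1 is set, performs the console steps above with the AWS CLI (validate-policy, create-user, create-policy, attach-user-policy, create-access-key). The instance ARN in the comments is a constructed sample; the user and policy names are the ones used in the procedure above.

```shell
#!/bin/sh
# Added example: build the least-privilege SCCAC runtime policy and
# optionally create the runtime IAM user with the AWS CLI.
set -u

# Reject anything that is not a single Connect instance ARN, including an ARN
# in which the <AWS_ACCOUNT_ID> placeholder was left in place.
# $1 = arn:aws:connect:<region>:<account>:instance/<instance-id>
validate_instance_arn() {
  case "$1" in
    arn:aws:connect:*:*:instance/*) ;;
    *) return 1 ;;
  esac
  account=$(printf '%s' "$1" | cut -d: -f5)
  [ "${#account}" -eq 12 ] || return 1          # account IDs are 12 digits
  case "$account" in *[!0-9]*) return 1 ;; esac
  case "$1" in *'*'*) return 1 ;; esac          # no wildcards: one instance only
  return 0
}

# One Allow statement. Both the instance ARN and instance/<id>/* are listed so
# contact-level resources under that instance stay covered.
# $1 = Sid, $2 = action, $3 = instance ARN
statement() {
  printf '    {\n      "Sid": "%s",\n      "Effect": "Allow",\n      "Action": ["%s"],\n      "Resource": ["%s", "%s/*"]\n    }' "$1" "$2" "$3" "$3"
}

# build_policy <instance_arn> <unified_routing 0|1> <post_contact_summarization 0|1>
# StopContact is always included; the other two only for enabled features.
build_policy() {
  arn=$1
  validate_instance_arn "$arn" || { echo "bad instance ARN: $arn" >&2; return 1; }
  stmts=$(statement ConnectStopContact connect:StopContact "$arn")
  if [ "${2:-0}" = 1 ]; then
    stmts="$stmts,
$(statement ConnectStartTaskContact connect:StartTaskContact "$arn")"
  fi
  if [ "${3:-0}" = 1 ]; then
    stmts="$stmts,
$(statement ConnectListRealtimeContactAnalysisSegments connect:ListRealtimeContactAnalysisSegmentsV2 "$arn")"
  fi
  printf '{\n  "Version": "2012-10-17",\n  "Statement": [\n%s\n  ]\n}\n' "$stmts"
}

# Real AWS CLI calls; requires IAM administrative credentials.
# $1 = user name, $2 = policy name, $3 = policy JSON document
create_runtime_user() {
  user=$1
  policy_name=$2
  doc=$3
  # IAM Access Analyzer reports syntax errors and over-broad grants up front.
  aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY \
    --policy-document "$doc" --query 'findings[].findingDetails' --output text
  aws iam create-user --user-name "$user" >/dev/null
  policy_arn=$(aws iam create-policy --policy-name "$policy_name" \
    --policy-document "$doc" --query Policy.Arn --output text)
  aws iam attach-user-policy --user-name "$user" --policy-arn "$policy_arn"
  # Prints the access key ID and secret once; store them in a secrets manager,
  # then enter them in the SCC_CONTACT_CENTER_CONNECT_API_EC_* principal.
  aws iam create-access-key --user-name "$user" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Usage (sample ARN is constructed):
#   SCCAC_INSTANCE_ARN=arn:aws:connect:us-east-1:123456789012:instance/11111111-2222-3333-4444-555555555555 \
#   SCCAC_UNIFIED_ROUTING=1 SCCAC_SUMMARIZATION=0 sh sccac-runtime-user.sh
# Add SCCAC_APPLY=1 to create the user instead of only printing the policy.
if [ -n "${SCCAC_INSTANCE_ARN:-}" ]; then
  policy=$(build_policy "$SCCAC_INSTANCE_ARN" "${SCCAC_UNIFIED_ROUTING:-0}" "${SCCAC_SUMMARIZATION:-0}") || exit 1
  printf '%s\n' "$policy"
  if [ "${SCCAC_APPLY:-0}" = 1 ]; then
    create_runtime_user SCCAC-Runtime-User SCCAC-Runtime-Policy "$policy"
  fi
fi
```

Without SCCAC_APPLY=1 the script only prints the policy, so you can review it (or feed it to the console's JSON editor) before anything is created. The validate-policy call is the step the console does implicitly; running it from the CLI gives you the findings as text you can keep with the change record.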

Credential Rotation: Follow the procedures in Appendix A to rotate IAM credentials every 90 days.