AWS connect documentation change
Summary
Updated service-linked role permissions for outbound campaigns: added permissions for new channels (web notifications, chat messages, WhatsApp, SMS), removed legacy actions, and tightened resource scoping with account-based conditions.
Security assessment
The changes enhance security documentation by explicitly listing required permissions for new communication channels and adding resource constraints (e.g., same AWS account requirements). This implements least-privilege access but doesn't address a specific vulnerability.
Diff
diff --git a/connect/latest/adminguide/connect-slr-outbound.md b/connect/latest/adminguide/connect-slr-outbound.md index f38ed335a..89c1e8910 100644 --- a//connect/latest/adminguide/connect-slr-outbound.md +++ b//connect/latest/adminguide/connect-slr-outbound.md @@ -19 +19 @@ For information about other services that support service-linked roles, see [AWS -Outbound campaigns uses the service-linked role prefixed `AWSServiceRoleForConnectCampaigns`—Grants outbound campaigns permission to access AWS resources on your behalf. +Outbound campaigns uses the service-linked role prefixed `AWSServiceRoleForConnectCampaigns`. This role grants outbound campaigns permission to access AWS resources on your behalf. @@ -38,11 +38 @@ The [AmazonConnectCampaignsServiceLinkedRolePolicy](./security_iam_awsmanpol.htm -for all Connect Customer instances. - - * Action: Connect Customer - - * `connect:StartOutboundVoiceContact` - - * `connect:GetMetricData` - - * `connect:GetCurrentMetricData` - - * `connect:BatchPutContact` + * `connect:DescribeContactFlow` @@ -50 +40 @@ for all Connect Customer instances. - * `connect:StopContact` + * `connect:SendOutboundEmail` @@ -52 +42 @@ for all Connect Customer instances. - * `connect:GetMetricDataV2` + * `connect:SendOutboundWebNotification` @@ -54 +44 @@ for all Connect Customer instances. - * `connect:DescribeContactFlow` +on `arn:aws:connect:*:*:instance/*` resources. @@ -56 +46 @@ for all Connect Customer instances. - * `connect:SendOutboundEmail` + * Action: Connect Customer `connect:SendOutboundChatMessage` on `arn:aws:connect:*:*:instance/*` and `arn:aws:connect:*:*:phone-number/*` resources in the same AWS account as the calling principal. @@ -58 +48 @@ for all Connect Customer instances. -For the Connect Customer instance specified. + * Action: AWS End User Messaging Social `social-messaging:SendWhatsAppMessage` on `arn:aws:social-messaging:*:*:phone-number-id/*` resources that are tagged with `AmazonConnectEnabled: True` and in the same AWS account as the calling principal. @@ -60 +50 @@ For the Connect Customer instance specified. - * Action: EventBridge: + * Action: AWS End User Messaging Social `social-messaging:GetWhatsAppMessageTemplate` on `arn:aws:social-messaging:*:*:waba/*` resources in the same AWS account as the calling principal. @@ -62 +52 @@ For the Connect Customer instance specified. - * `events:ListRules` + * Action: Amazon Pinpoint SMS and Voice `sms-voice:SendTextMessage` on `arn:aws:sms-voice:*:*:phone-number/*` resources in the same AWS account as the calling principal. @@ -64 +54 @@ For the Connect Customer instance specified. -For all events. + * Action: EventBridge `events:ListRules` on `arn:aws:events:*:*:rule/*` resources in the same AWS account as the calling principal. @@ -76,3 +66 @@ For all events. - * `events:ListTargetsByRule` - -for rules named `ConnectCampaignsRule*` managed by `connect-campaigns.amazonaws.com`. +for rules named `ConnectCampaignsRule*` managed by `connect-campaigns.amazonaws.com`, in the same AWS account as the calling principal. The `events:ListTargetsByRule` action is also permitted on `ConnectCampaignsRule*` resources in the same account. @@ -91 +79 @@ on all resources tagged with `aws:ResourceTag/AmazonConnectCampaignsEnabled`. -Permissions for Connect Customer Customer Profiles will be added to ezCRC template: `ConnectCampaignsCustomerProfilesIntegrationAccess`. +Permissions for Connect Customer Customer Profiles are provided through the `ConnectCampaignsCustomerProfilesIntegrationAccess` managed policy.