Amazon Connect IAM Roles and Provisioning Policies for Service Cloud Voice
To integrate natively with Amazon Connect, Service Cloud Voice comes with Amazon Connect artifacts, including IAM roles and provisioning policies.
Required Editions
This article applies to:
- Service Cloud Voice with Partner Telephony from Amazon Connect
Before analyzing the SCV IAM Roles and Policies matrix, review the prerequisite steps for Service Cloud Voice with Partner Telephony from Amazon Connect and review the resource details. You can find the latest SCVProvisioningPolicy.json at https://github.com/service-cloud-voice/examples-from-doc/blob/main/iam_policies/SCVProvisioningPolicy.json. The matrix in this document describes the IAM policies and roles. If you operate in the public sector domain in the US but use a commercial AWS account, you can use the same SCVProvisioningPolicy.json file. If you operate in the public sector domain in the US and use the AWS GovCloud region, use the SCVGovProvisioningPolicy.json file available on GitHub instead.
AWS IAM Role
To enable a trusted relationship with the Salesforce Management AWS account, create an Identity and Access Management (IAM) role during setup. Using this role, Salesforce configures artifacts in your Amazon Connect instance that are required for Service Cloud Voice. These resources are nondestructive IAM permissions, such as resetPassword and delete and deactivate roles.
To define access, add policies to the IAM role. The requirements for this role are based on these principles.
- Following the principle of least privilege, we granted this role the minimum level of permissions needed to perform its job.
- We built enough flexibility into this role to add new features and enhancements in the future.
- To reduce the footprint, all permissions and restrictions are included in one IAM role policy: SCVProvisioningPolicy.json.
- This role includes only the permission to the services required by Service Cloud Voice.
- To mitigate security risk associated with Service Cloud Voice Provisioning Service, add an IAM permissions boundary.
See Configure AWS Identity and Access Management (IAM) Role for Voice.
AWS IAM Role for GovCloud
If you operate in the public sector domain in the US and use the AWS GovCloud region, use the SCVGovProvisioningPolicy.json file available on GitHub. The value of the GOV prod MPA account ID must be 383319876315.
If you operate in the public sector domain in the US but use a commercial AWS account, you can use the general SCVProvisioningPolicy.json file.
Wildcard Access
The WildcardAccess section lists all resources that have wildcard-service actions and wildcard-resource access. The ds (Directory Service) and logs (CloudWatch Logs) policies require wildcard access for provisioning and run-time actions. The Lambda service also has wildcard actions.
Event Access
The EventAccess section defines who has access to the events. Only the Lambda functions in the Resource section have access to events.
LambdaEventSourceAccess
The LambdaEventSourceAccess section lists which Lambda functions can act on an event triggered by AWS resources. You can map only the specified Lambda functions to event sources. For example, you can map the CTRStream event source to CTRDataSyncFunction and the S3 event source to VoiceMailAudioProcessingFunction.
LambdaAccess
The LambdaAccess section imposes resource-based restrictions on Lambda access. To prevent unwanted access to user-defined Lambda functions, Salesforce provisions and works only with the specified Lambda functions.
S3Write
The S3Write section defines the policy for the S3-related actions. Service Cloud Voice Provisioning Service creates two S3 buckets for your Salesforce org. One bucket stores the conversation audio recording files. The second stores all AWS activity captured by the CloudTrail service. The IAM Policies and Roles Matrix on this page references S3 buckets that are required to download Lambda function code and layer code.
ResourceBasedAccess
The ResourceBasedAccess section grants wildcard access to the actions of different services. This section lists the resource regular expressions (regexes) that are required only for the Service Cloud Voice Provisioning Service. These resources are in your AWS account with ID AWS_ACCOUNT_ID.
IAMAccess
Service Cloud Voice Provisioning Service creates Lambda functions. Some functions are application-specific, such as pausing and resuming call recordings, and generating presigned S3 credentials for playing back audio recordings. All these functions use the IAM role and are based on Salesforce infrastructure security. Service Cloud Voice adds required actions on IAM roles. The IAM role that you create grants access only to those IAM role resources that Service Cloud Voice requires. They’re nondestructive IAM permissions, such as resetPassword and delete and deactivate roles.
CloudformationAccess
The CloudformationAccess section lists all AWS CloudFormation actions that Service Cloud Voice requires. Service Cloud Voice provisions two CloudFormation stacks. One stack is in the us-east-1 region and sets up AWS account-level infrastructure, such as IAM roles, the identity provider, and CloudTrail. The other stack is in the contact center region of your choice. This CloudFormation access is constrained by the resource-level restrictions.
ConnectAccess
The ConnectAccess section grants fine-grained Amazon Connect permissions that are required to operate the contact center.
IAM Policies and Roles Matrix
During provisioning, these IAM policies and roles are created automatically in your AWS account.
| Policy | Permission | Description |
|---|---|---|
| SCVSSMAccessPolicy | Action: Resource: | This policy controls access to SSM keys created by Service Cloud Voice. |
| SCVLambdaAccessPolicy | Action: Resource: | This policy controls access to the Lambda functions created by Service Cloud Voice. |
| SCVKMSAccessPolicy | Action: Resource: | This policy controls access to KMS keys created by Service Cloud Voice. |
| SCVAmazonConnectAccessPolicy | Action: | This policy controls access to your Amazon Connect instances. |
| InvokeSalesforceRestApiFunctionRolePolicy | Action: | This policy controls access to the Salesforce REST API. |
| CTRDataSyncFunctionRolePolicy | Action: Resource: | This policy controls access to the contact record and Contact Lens streams created by Service Cloud Voice. If you use an Amazon Connect instance integrated by Salesforce when you set up Service Cloud Voice, Salesforce also controls access to the customer-configured contact record stream. |
| SCVSecretsManagerAccessPolicy | Action: Resource: | This policy controls access to Salesforce org and cert details in AWS Secrets Manager. |
| Role Name | Role Description |
|---|---|
| SCVKvsTranscriberRoleResource | The kvsTranscriber Lambda function uses this role and the Telephony Integration API to send transcription data based on the Amazon Connect video stream. See Create a Transcript. |
| SCVProvisioningRole | A Service Cloud user uses this role to perform provisioning functions, such as creating and updating the contact center via Service Cloud Voice Provisioning Service. |
| SCVHandleContactEventsFunct | The HandleContactEventsFunction Lambda function uses this role to clear Pending Service Routing requests when Amazon Connect publishes customer disconnect events. |
| SCVContactDataSyncFunctionRole | The Contact Data Sync Lambda function uses this role to invoke backfill transcripts from Contact Lens. |
IAM Roles with Policies Created by Service Cloud Voice Provisioning Service
With the exception of a few IAM roles, Service Cloud Voice Provisioning Service creates the IAM roles at runtime. The Provisioning Service creates the SCVIDPLambdaRole, SCVAmazonConnectManagementRole, and SCVConnectConfiguratorLambdaRole roles during setup.
| Role Name | Policy | Description |
|---|---|---|
| SCVCTRDataSyncFunctionRole | | The CTRDataSyncFunction Lambda function uses this role to invoke the Update Voice Call API. See Update a Voice Call Record. |
| SCVPostCallAnalysisTriggerFunctionRoleResource | | The PostCallAnalysisTriggerFunction Lambda function uses this role to send analytics events after the voice call ends to persist Contact-Lens-generated intelligence signals. |
| SCVInvokeTelephonyIntegrationApiFunctionRole | | The InvokeTelephonyIntegrationApiFunction Lambda function uses this role and the CreateVoiceCall API to create Service Cloud Voice calls. See Create a Voice Call Record. |
| SCVInvokeSalesforceRestApiFunctionRole | | The InvokeSalesforceRestApiFunction Lambda function uses this role to perform REST API operations. |
| SCVSSMLambdaExecutionRole | | Service Cloud Voice Provisioning Service uses this role to create Systems Manager Parameter Store parameters of type "Secure String". |
| SCVS3Role | | After voice calls are stored in the AWS S3 bucket, a rep can play the recorded voice calls in Salesforce. Salesforce uses this role to gain access to the AWS S3 bucket and play voice call recordings. |
| SCVKvsTranscriberRole | | The kvsTranscriber Lambda function uses this role and the Telephony Integration API to send transcription data based on the Amazon Connect video stream. See Create a Transcript. |
| SCVKvsConsumerTriggerRole | | The kvsConsumerTrigger Lambda function uses this role to trigger the KVSTranscriber Lambda function to invoke and process the Kinesis video stream. |
| SCVContactLensConsumerFunctionRole | | The ContactLensConsumerFunction Lambda function uses this role to enable real-time transcription from Contact Lens. |
| SCVIDPLambdaRole | | The ProviderCreator Lambda function uses this role to create an IAM Identity Provider, where Salesforce serves as the identity provider. Service Cloud Voice Provisioning Service creates this Lambda resource. |
| SCVAmazonConnectManagementRole | | Service Cloud Voice Provisioning Service uses this role to perform Amazon Connect configuration tasks, such as creating and removing users, routing profiles, queues, and quick connects. |
| SCVConnectConfiguratorLambdaRole | | The ConnectConfigurationFunction Lambda function uses this role to execute the API call on the Amazon Connect instance. This role is used to perform Amazon Connect management and configure the Amazon Connect instance. Service Cloud Voice Provisioning Service creates this Lambda function. |
| SCVTrailLogGroupRole | | The scvCloudTrail service uses this role to produce all event record data and write it to the S3 bucket for CloudTrail. |
| SCVVoiceMailAudioProcessingRole | | The VoiceMailAudioProcessing Lambda function uses this role to process the contact record Kinesis Data Stream and capture voicemail recording files. |
| SCVVoiceMailPackagingRole | | The VoiceMailPackagingFunction Lambda function uses this role to call the contact record and execute the OmniFlow API to enable voicemail functionality. |
| SCVVoiceMailTranscribeRole | | The VoiceMailTranscribeFunction Lambda function uses this role to process voicemail recording files and transcribe voicemails. |
| SCVRealtimeAlertRole | | The RealtimeAlert Lambda function uses this role and the REST API to create Service Cloud Voice real-time alerts. The REST API publishes RealtimeAlertEvent events. See RealtimeAlertEvent. |
| SCVHandleContactEventsRole | | The HandleContactEventsFunction Lambda function uses this role to clear Pending Service Routing requests when Amazon Connect publishes customer disconnect events. |
| [ContactCenter]-SAMLRole | | Amazon Connect uses this role after a user is authenticated into AWS using the SAML protocol for rep and supervisor single sign-on. After the user is authenticated, Amazon Connect establishes a session based on the user's security profile. |
| [ContactCenter]-ConnectCallRole | | A Service Cloud user uses this role to stop and resume call recordings. |
| SCVRetentionPeriodFunctionRole | | The RetentionPeriodFunction Lambda function uses this role to clean up CloudWatch logs that are older than 120 days. |
| SCVTenantBucketWriteAccessRole | | This role allows Salesforce to store and access objects in the voicemailmessages bucket of the S3BucketForTenantResources. |
| SCVSecretConfiguratorLambdaRole | | The SecretConfiguratorFunction Lambda function uses this role to create and update secrets in AWS Secrets Manager. |
Permission Boundary
Some resources have wildcard access and service actions. To set up tighter access, create permission boundaries.
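As an added example (not part of this article or the Salesforce GitHub repository), the following Python audit fills in the AWS_ACCOUNT_ID placeholder and lists the statements whose actions or resources still carry wildcards, which are the statements a permissions boundary should constrain. The sample policy is constructed here and only borrows the section names this article describes; the actual SCVProvisioningPolicy.json must be fetched from GitHub.

```python
import json
import re

# Constructed sample modelled on the statement Sids this article describes
# (WildcardAccess, LambdaAccess, S3Write). Not the real SCVProvisioningPolicy.json.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WildcardAccess", "Effect": "Allow",
         "Action": ["ds:*", "logs:*", "lambda:ListFunctions"], "Resource": "*"},
        {"Sid": "LambdaAccess", "Effect": "Allow",
         "Action": ["lambda:GetFunction", "lambda:UpdateFunctionCode"],
         "Resource": "arn:aws:lambda:us-east-1:AWS_ACCOUNT_ID:function:CTRDataSyncFunction"},
        {"Sid": "S3Write", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::scv-recordings-example/*"]},
    ],
})


def load_policy(text, account_id):
    """Parse a policy document and replace the AWS_ACCOUNT_ID placeholder."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return json.loads(text.replace("AWS_ACCOUNT_ID", account_id))


def _as_list(value):
    # IAM allows Action/Resource to be a string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def find_wildcards(policy):
    """Map each Allow statement's Sid to the wildcard actions/resources it grants."""
    findings = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _as_list(stmt.get("Action", [])) if "*" in a]
        resources = [r for r in _as_list(stmt.get("Resource", [])) if "*" in r]
        if actions or resources:
            findings[stmt.get("Sid", "<no Sid>")] = {"actions": actions, "resources": resources}
    return findings


def wildcard_services(policy):
    """Service prefixes granted a full 'service:*' action anywhere in the policy."""
    return {a.split(":")[0] for f in find_wildcards(policy).values()
            for a in f["actions"] if a.endswith(":*")}
```

Running this over the downloaded policy shows which Sids (in the sample, WildcardAccess and S3Write) a boundary policy must scope down, and which are already resource-constrained.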
- Contact Center Health Check Stack
The health check stack creates specific Identity and Access Management (IAM) roles and policies for the contact center in your AWS account. These resources provide the necessary permissions for the health check Lambda function to analyze your contact center configuration and generate a diagnostic report.

