
Salesforce Voice: Amazon Connect Role and Provisioning Policies

Publish Date: Apr 9, 2026
Description

Amazon Connect IAM Roles and Provisioning Policies for Salesforce Voice

To natively integrate with Amazon Connect, Salesforce Voice (formerly Service Cloud) comes with Amazon Connect artifacts, including IAM roles and provisioning policies. To understand these artifacts, review this content.

 

Applicable telephony models:

  • Salesforce Voice with Amazon Connect 

  • Salesforce Voice with Partner Telephony from Amazon Connect 

 

See also:

Salesforce Voice with Partner Telephony from Amazon Connect

Before analyzing the SCV IAM Roles and Policies matrix, review the prerequisite steps for Salesforce Voice with Partner Telephony from Amazon Connect and review the resource details. 

 

You can find the latest SCVProvisioningPolicy.json here:

https://github.com/service-cloud-voice/examples-from-doc/blob/main/iam_policies/SCVProvisioningPolicy.json 

 

AWS IAM Role

To enable a trusted relationship with the Salesforce Management AWS account, create an Identity and Access Management (IAM) role during setup. Using this role, Salesforce configures the artifacts in your Amazon Connect instance that Salesforce Voice requires. The permissions involved are nondestructive IAM permissions, such as resetPassword and deleting and deactivating roles. To define access, add policies to the IAM role.

 

The requirements for this role are based on these principles.

  • Following the Principle of Least Privilege, we granted this role the minimum level of permissions needed to perform its job.

  • We built enough flexibility into this role to add new features and enhancements in the future.

  • To reduce the footprint, all permissions and restrictions are included in one IAM role policy: SCVProvisioningPolicy.json.

  • This role includes only the permissions for the services that Salesforce Voice requires. 

  • To mitigate security risk associated with Salesforce Voice Provisioning Service, add an IAM permissions boundary.


Wildcard Access

The WildcardAccess section lists all resources that have wildcard service actions and wildcard resource access. The ds (Directory Service) and logs (CloudWatch Logs) policies require wildcard access for provisioning and run-time actions.


The Lambda service also has wildcard actions.


Event Access

The EventAccess section defines who has access to the events. Only the Lambda functions in the Resource section have access to events.


LambdaEventSourceAccess

The LambdaEventSourceAccess section lists which Lambda functions can act on an event triggered by AWS resources. You can map only the specified Lambda functions to event sources. For example, you can map the CTRStream event source to CTRDataSyncFunction and the S3 event source to VoiceMailAudioProcessingFunction.


LambdaAccess

The LambdaAccess section imposes resource-based restrictions on Lambda access. To prevent unwanted access to user-defined Lambda functions, Salesforce provisions and works only with the specified Lambda functions. 


S3Write

The S3Write section defines the policy for S3-related actions. Salesforce Voice Provisioning Service creates two S3 buckets for your Salesforce org. One bucket stores the conversation audio recording files. The second stores all AWS activity captured by the CloudTrail service. The IAM Policies and Roles Matrix references the S3 buckets that are required to download Lambda function code and layer code. 

ResourceBasedAccess

The ResourceBasedAccess section grants wildcard access to different services’ actions. This section lists the resource regular expressions (regexes) that are required only for the Salesforce Voice Provisioning Service. These resources are in your AWS account with ID AWS_ACCOUNT_ID. 

IAMAccess

Salesforce Voice Provisioning Service creates Lambda functions. Some functions are application specific, such as pausing and resuming call recordings and generating presigned S3 credentials for playing back audio recordings. All of these functions use the IAM role and are designed based on Salesforce infrastructure security. Salesforce Voice adds the required actions on IAM roles. The IAM role that you create grants access only to the IAM role resources that Salesforce Voice requires. They're nondestructive IAM permissions, such as resetPassword and deleting and deactivating roles.

CloudformationAccess

The CloudformationAccess section lists all AWS Cloudformation actions that Salesforce Voice requires. Salesforce Voice provisions two Cloudformation stacks. One stack is in the us-east-1 region and sets up AWS account-level infrastructure, such as IAM Roles, Identity Provider, and CloudTrail. The other stack is in the contact center region of your choice. This Cloudformation access is constrained by the resource-level restrictions.

ConnectAccess

The ConnectAccess section grants the fine-grained Amazon Connect permissions that are required to operate the contact center.

IAM Policies and Roles Matrix

During provisioning, these IAM policies and roles are automatically created in your AWS account.

SCV-Managed Policies

SCVSSMAccessPolicy
  Action:
    ssm:*
  Resource:
    arn:aws:ssm:*:${AWS::AccountId}:parameter/*-salesforce-*
    arn:aws:ssm:*:${AWS::AccountId}:parameter/*-scrt-jwt-auth-private-key
  Description: This policy controls access to SSM keys created by Salesforce Voice.

SCVLambdaAccessPolicy
  Action:
    lambda:InvokeFunction
    lambda:InvokeAsync
    lambda:ListFunctions
    lambda:AddPermission
    lambda:RemovePermission
  Resource:
    VoiceMailTranscribeFunction
    ContactLensProcessorFunction
    kvsTranscriber
    kvsConsumerTrigger
    InvokeTelephonyIntegrationApiFunction
    ContactLensConsumerFunction
    CTRDataSyncFunction
    InvokeSalesforceRestApiFunction
    AuthKeysSSMUtilFunction
    HandleContactEventsFunction
    CustomSSMFunction
    RealtimeAlert
    ConnectConfigurationFunction
    S3BucketPolicyConfigurationFunction
    S3BucketEventBridgeConfigurationFunction
    TDGConfigurationFunction
    VoiceMailAudioProcessingFunction
    VoiceMailPackagingFunction
  Description: This policy controls access to the Lambda functions created by Salesforce Voice.

SCVKMSAccessPolicy
  Action:
    kms:CreateGrant
    kms:DescribeKey
    kms:ListAliases
    kms:RetireGrant
    kms:Decrypt
  Resource:
    alias/aws/kinesisvideo
    alias/aws/lambda
    alias/aws/ssm
  Action:
    kms:CreateGrant
    kms:DescribeKey
    kms:ListAliases
    kms:RetireGrant
    kms:Decrypt
  Resource:
    KMS keys tagged with resourceOwner:scv
  Description: This policy controls access to KMS keys created by Salesforce Voice.

SCVKinesisDataStreamAccessPolicy
  Action:
    kinesis:DescribeStream
    kinesis:DescribeStreamSummary
    kinesis:GetRecords
    kinesis:GetShardIterator
    kinesis:ListShards
    kinesis:ListStreams
    kinesis:SubscribeToShard
  Resource:
    CTRStream
    ContactLensStream
  Description: This policy controls access to the CTR and Contact Lens streams created by Salesforce Voice. If you used an Amazon Connect instance integrated by Salesforce when you set up Salesforce Voice, Salesforce also controls access to the customer-configured CTR stream.

SCVAmazonConnectAccessPolicy
  Action:
    connect:Get*
    connect:List*
    connect:Search*
    connect:Describe*
    connect:AssociateApprovedOrigin
    connect:AssociateInstanceStorageConfig
    connect:AssociateLambdaFunction
    connect:AssociatePhoneNumberContactFlow
    connect:AssociateQueueQuickConnects
    connect:AssociateRoutingProfileQueues
    connect:AssociateTrafficDistributionGroupUser
    connect:CreateContactFlow
    connect:CreateInstance
    connect:CreateHoursOfOperation
    connect:CreateContactFlowModule
    connect:CreateQueue
    connect:CreateQuickConnect
    connect:CreateRoutingProfile
    connect:CreateTrafficDistributionGroup
    connect:CreateUser
    connect:ReplicateInstance
    connect:StartOutboundVoiceContact
    connect:TagResource
    connect:UpdateTrafficDistribution
    connect:UpdateQuickConnectName
    connect:UpdateInstanceAttribute
    connect:UpdateHoursOfOperation
    connect:UpdateQueueName
    connect:DeleteQueue
    connect:DeleteUser
    connect:DisassociateLambdaFunction
    connect:DisassociateApprovedOrigin
    connect:DisassociateQueueQuickConnects
    connect:DisassociateTrafficDistributionGroupUser
  Description: This policy controls access to your Amazon Connect instances.

Roles

SCVCTRDataSyncFunctionRole
  The CTRDataSyncFunction Lambda function uses this role to update a voice call with the Telephony Integration API. See Update a Voice Call Record.

SCVPostCallAnalysisTriggerFunctionRoleResource
  The PostCallAnalysisTriggerFunction Lambda function uses this role to send analytics events after the voice call ends and to persist Contact-Lens-generated intelligence signals.

SCVInvokeTelephonyIntegrationApiFunctionRole
  The InvokeTelephonyIntegrationApiFunction Lambda function uses this role to create Salesforce Voice calls and invoke the createVoiceCall method. See Create a Voice Call Record.

SCVInvokeSalesforceRestApiFunctionRole
  The InvokeSalesforceRestApiFunction Lambda function uses this role to perform Salesforce REST API operations.

SCVSSMLambdaExecutionRole
  Salesforce Voice Provisioning Service uses this role to create Systems Manager Parameter Store parameters of the SecureString type.

SCVS3Role
  A Service user uses this role to access the call recording files, which enables the call recording media player for Salesforce contact center agents and supervisors.

SCVKvsTranscriberRoleResource
  The kvsTranscriber Lambda function uses this role and the Telephony Integration API to send transcription data based on the Amazon Connect video stream. See Create a Transcript.

SCVKvsConsumerTriggerRole
  The kvsConsumerTrigger Lambda function uses this role to trigger the KVSTranscriber Lambda function, which invokes and processes the Kinesis video stream.

SCVContactLensConsumerFunctionRole
  The ContactLensConsumerFunction Lambda function uses this role to enable real-time transcription from Contact Lens.

SCVProvisioningRole
  A Service user uses this role to perform provisioning functions, such as creating and updating the contact center via Salesforce Voice Provisioning Service.

SCVIDPLambdaRole
  The ProviderCreator Lambda function uses this role to create the IAM Identity Provider, where Salesforce serves as the identity provider. Salesforce Voice Provisioning Service creates this Lambda function.

SCVAmazonConnectManagementRole
  Salesforce Voice Provisioning Service uses this role to perform Amazon Connect configuration tasks, such as creating and removing users, routing profiles, queues, and quick connects.

SCVConnectConfiguratorLambdaRole
  The ConnectConfigurationFunction Lambda function uses this role to execute API calls on the Amazon Connect instance, performing Amazon Connect management and configuring the instance. Salesforce Voice Provisioning Service creates this Lambda function.

SCVTrailLogGroupRole
  The scvCloudTrail AWS service uses this role to produce all event record data and write it to the S3 bucket created for CloudTrail. For Salesforce Voice, the bucket name is scv-${AWS::AccountId}-cloudtrail. For Salesforce Voice with Partner Telephony from Amazon Connect, the bucket name is scv-${AWS::AccountId}-byoa-cloudtrail.

SCVVoiceMailAudioProcessingRole
  The VoiceMailAudioProcessing Lambda function uses this role to process the CTR Kinesis Data Stream and capture the voicemail recording files.

SCVVoiceMailPackagingRole
  The VoiceMailPackagingFunction Lambda function uses this role to call CTR and execute the OmniFlow API to enable voicemail functionality.

SCVVoiceMailTranscribeRole
  The VoiceMailTranscribeFunction Lambda function uses this role to process the voicemail recording files and transcribe voicemails.

SCVRealtimeAlertRole
  The RealtimeAlert Lambda function uses this role and the REST API to create Salesforce Voice real-time alerts. The API publishes RealtimeAlertEvent events. See RealtimeAlertEvent.

SCVHandleContactEventsFunct
  The HandleContactEventsFunction Lambda function uses this role to clear Pending Service Routing requests when Amazon Connect publishes customer disconnect events.

[ContactCenter]-SAMLRole
  Amazon Connect uses this role after the user is authenticated into AWS using the SAML protocol for agent and supervisor single sign-on. After the user is authenticated, Amazon Connect establishes a session based on the user's security profile.

[ContactCenter]-ConnectCallRole
  The Service user uses this role to stop and resume call recordings.

SCVRetentionPeriodFunctionRole
  The RetentionPeriodFunction Lambda function uses this role to clean up CloudWatch logs that are older than 120 days.

 

IAM Roles with Policies Created by Salesforce Voice Provisioning Service

With the exception of a few IAM roles, Salesforce Voice Provisioning Service creates the IAM roles at runtime. The exceptions are the SCVIDPLambdaRole, SCVAmazonConnectManagementRole, and SCVConnectConfiguratorLambdaRole roles, which the Provisioning Service creates during setup. 

SCVCTRDataSyncFunctionRole
  Policies:
    AWSLambdaBasicExecutionRole
    AWSLambdaKinesisExecutionRole
    SCVKMSAccessPolicy
    SCVKinesisDataStreamAccessPolicy
  Description: The CTRDataSyncFunction Lambda function uses this role to invoke the Update Voice Call API. See Update a Voice Call Record.

SCVPostCallAnalysisTriggerFunctionRoleResource
  Policies:
    AWSLambdaBasicExecutionRole
    SCVSSMAccessPolicy
    SCVKMSAccessPolicy
    SCVLambdaAccessPolicy
    SCVAmazonConnectAccessPolicy
  Actions:
    s3:GetObject
    s3:GetBucketNotification
  Description: The PostCallAnalysisTriggerFunction Lambda function uses this role to send analytics events after the voice call ends and to persist Contact-Lens-generated intelligence signals.

SCVInvokeTelephonyIntegrationApiFunctionRole
  Policies:
    AWSLambdaBasicExecutionRole
    SCVSSMAccessPolicy
  Description: The InvokeTelephonyIntegrationApiFunction Lambda function uses this role and the CreateVoiceCall API to create Salesforce Voice calls. See Create a Voice Call Record.

SCVInvokeSalesforceRestApiFunctionRole
  Policies:
    AWSLambdaBasicExecutionRole
    SCVSSMAccessPolicy
  Description: The InvokeSalesforceRestApiFunction Lambda function uses this role to perform REST API operations.

SCVSSMLambdaExecutionRole
  Policies:
    AWSLambdaBasicExecutionRole
    SCVSSMAccessPolicy
  Description: Salesforce Voice Provisioning Service uses this role to create Systems Manager Parameter Store parameters of the SecureString type.

SCVS3Role
  Actions:
    s3:GetObject
    kms:Decrypt
    s3:ListBucket
  Description: After voice call recordings are stored in the AWS S3 bucket, an agent can play them in Salesforce. Salesforce uses this role to gain access to the AWS S3 bucket and play voice call recordings.

SCVKvsTranscriberRole
  Policies:
    AWSLambdaBasicExecutionRole
    SCVKMSAccessPolicy
    SCVSSMAccessPolicy
  Actions:
    transcribe:DeleteTranscriptionJob
    transcribe:DeleteMedicalTranscriptionJob
    transcribe:GetTranscriptionJob
    transcribe:GetMedicalTranscriptionJob
    transcribe:GetVocabulary
    transcribe:GetMedicalVocabulary
    transcribe:GetVocabularyFilter
    transcribe:ListTranscriptionJobs
    transcribe:ListMedicalTranscriptionJobs
    transcribe:ListVocabularies
    transcribe:ListMedicalVocabularies
    transcribe:ListVocabularyFilters
    transcribe:StartStreamTranscription
    transcribe:StartMedicalStreamTranscription
    transcribe:StartTranscriptionJob
    transcribe:StartMedicalTranscriptionJob
    kinesisvideo:Describe*
    kinesisvideo:Get*
    kinesisvideo:List*
    connect:UpdateContactAttributes
  Description: The kvsTranscriber Lambda function uses this role and the Telephony Integration API to send transcription data based on the Amazon Connect video stream. See Create a Transcript.

SCVKvsConsumerTriggerRole
  Policies:
    AWSLambdaBasicExecutionRole
    SCVLambdaAccessPolicy
  Description: The kvsConsumerTrigger Lambda function uses this role to trigger the KVSTranscriber Lambda function, which invokes and processes the Kinesis video stream.

SCVContactLensConsumerFunctionRole
  Policies:
    AWSLambdaBasicExecutionRole
    AWSLambdaKinesisExecutionRole
    SCVKMSAccessPolicy
    SCVKinesisDataStreamAccessPolicy
    SCVLambdaAccessPolicy
    SCVSSMAccessPolicy
  Description: The ContactLensConsumerFunction Lambda function uses this role to enable real-time transcription from Contact Lens.

SCVIDPLambdaRole
  Policies:
    AWSLambdaBasicExecutionRole
  Actions:
    iam:*SamlProvider
  Description: The ProviderCreator Lambda function uses this role to create the IAM Identity Provider, where Salesforce serves as the identity provider. Salesforce Voice Provisioning Service creates this Lambda resource.

SCVAmazonConnectManagementRole
  Policies:
    AWSLambdaBasicExecutionRole
    SCVKinesisDataStreamAccessPolicy
    SCVKMSAccessPolicy
    SCVAmazonConnectAccessPolicy
  Description: Salesforce Voice Provisioning Service uses this role to perform Amazon Connect configuration tasks, such as creating and removing users, routing profiles, queues, and quick connects.

SCVConnectConfiguratorLambdaRole
  Policies:
    AWSLambdaBasicExecutionRole
    SCVAmazonConnectAccessPolicy
    SCVKMSAccessPolicy
    SCVKinesisDataStreamAccessPolicy
    SCVLambdaAccessPolicy
  Actions:
    s3:ListAllMyBuckets
    s3:GetBucketLocation
    s3:GetBucketAcl
    s3:CreateBucket
    iam:PutRolePolicy
    ds:DescribeDirectories
  Description: The ConnectConfigurationFunction Lambda function uses this role to execute API calls on the Amazon Connect instance, performing Amazon Connect management and configuring the instance. Salesforce Voice Provisioning Service creates this Lambda function.

SCVTrailLogGroupRole
  Actions:
    logs:CreateLogStream
    logs:PutLogEvents
  Description: The scvCloudTrail service uses this role to produce all event record data and write it to the S3 bucket for CloudTrail.
    • For Salesforce Voice with Partner Telephony from Amazon Connect, the bucket name is scv-${AWS::AccountId}-byoa-cloudtrail.
    • For Salesforce Voice, the bucket name is scv-${AWS::AccountId}-cloudtrail.

SCVVoiceMailAudioProcessingRole
  Policies:
    AWSLambdaBasicExecutionRole
    AmazonKinesisVideoStreamsReadOnlyAccess
    SCVKinesisDataStreamAccessPolicy
    SCVLambdaAccessPolicy
  Actions:
    s3:GetObject
    s3:PutObject
    s3:PutObjectTagging
  Description: The VoiceMailAudioProcessing Lambda function uses this role to process the CTR Kinesis Data Stream and capture voicemail recording files.

SCVVoiceMailPackagingRole
  Policies:
    AWSLambdaBasicExecutionRole
    SCVLambdaAccessPolicy
    SCVSSMAccessPolicy
  Actions:
    connect:UpdateContactAttributes
    s3:GetObject
    s3:PutObject
    s3:GetObjectTagging
    s3:PutObjectTagging
    transcribe:DeleteTranscriptionJob
    transcribe:GetTranscriptionJob
    transcribe:ListTranscriptionJobs
  Description: The VoiceMailPackagingFunction Lambda function uses this role to call CTR and execute the OmniFlow API to enable voicemail functionality.

SCVVoiceMailTranscribeRole
  Policies:
    AWSLambdaBasicExecutionRole
    SCVSSMAccessPolicy
  Actions:
    transcribe:DeleteTranscriptionJob
    transcribe:DeleteMedicalTranscriptionJob
    transcribe:GetTranscriptionJob
    transcribe:GetMedicalTranscriptionJob
    transcribe:GetVocabulary
    transcribe:GetMedicalVocabulary
    transcribe:GetVocabularyFilter
    transcribe:ListTranscriptionJobs
    transcribe:ListMedicalTranscriptionJobs
    transcribe:ListVocabularies
    transcribe:ListMedicalVocabularies
    transcribe:ListVocabularyFilters
    transcribe:StartStreamTranscription
    transcribe:StartMedicalStreamTranscription
    transcribe:StartTranscriptionJob
    transcribe:StartMedicalTranscriptionJob
    connect:UpdateContactAttributes
    s3:GetObject
    s3:PutObject
    s3:GetObjectTagging
    s3:PutObjectTagging
  Description: The VoiceMailTranscribeFunction Lambda function uses this role to process voicemail recording files and transcribe voicemails.

SCVRealtimeAlertRole
  Policies:
    AWSLambdaBasicExecutionRole
    SCVSSMAccessPolicy
    SCVLambdaAccessPolicy
  Actions:
    connect:Get*
    connect:Describe*
    connect:List*
  Description: The RealtimeAlert Lambda function uses this role and the REST API to create Salesforce Voice real-time alerts. The REST API publishes RealtimeAlertEvent events. See RealtimeAlertEvent.

SCVHandleContactEventsRole
  Policies:
    AWSLambdaBasicExecutionRole
    LambdaManagedPolicyResource
  Description: The HandleContactEventsFunction Lambda function uses this role to clear Pending Service Routing requests when Amazon Connect publishes customer disconnect events.

[ContactCenter]-SAMLRole
  Policy (inline statement):
    {
      "Action": "connect:GetFederationToken",
      "Resource": [
        "arn:aws:connect:*:403503132786:instance/83ccfc13-d248-4768-af7c-9970643cb520/user/${aws:userid}"
      ],
      "Effect": "Allow",
      "Sid": "ConnectSSOPolicySid"
    }
  Description: Amazon Connect uses this role after a user is authenticated into AWS using the SAML protocol for agent and supervisor single sign-on. After the user is authenticated, Amazon Connect establishes a session based on the user's security profile.

[ContactCenter]-ConnectCallRole
  Policy (inline statement):
    {
      "Action": [
        "connect:SuspendContactRecording",
        "connect:ResumeContactRecording"
      ],
      "Resource": "arn:aws:connect:*:AWS ACCOUNT NUMBER:instance/AMAZON CONNECT INSTANCE ID/contact/*",
      "Effect": "Allow",
      "Sid": "ConnectCallRoleSid"
    }
  Description: A Service user uses this role to stop and resume call recordings.

SCVRetentionPeriodFunctionRole
  Policies:
    AWSLambdaExecute
    AWSLambdaBasicExecutionRole
  Actions:
    logs:CreateLogStream
    logs:PutRetentionPolicy
    logs:CreateLogGroup
    logs:PutLogEvents
    logs:DescribeLogGroups
  Description: The RetentionPeriodFunction Lambda function uses this role to clean up CloudWatch logs that are older than 120 days.

Permission Boundary

Some statements grant wildcard service actions and wildcard resource access. To tighten that access, create permissions boundaries.
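To check the properties this article describes for the provisioning role, here is an added Python example (not code from the article, from Salesforce, or from the SCVProvisioningPolicy.json repository). It audits a constructed policy modeled on the WildcardAccess, LambdaAccess, and KMS sections for Allow statements whose action and resource are both wildcards, and derives a permissions boundary that caps the role at the services the policy actually names. The account id, function ARNs, Sids, and the aws:ResourceTag condition are assumptions, not values from the page.

```python
"""Least-privilege audit of an SCV-style provisioning policy (added example,
not code from the Salesforce article or the SCVProvisioningPolicy.json repo).
SAMPLE_POLICY is constructed to mirror the article's section names; the real
file differs. The account id and function ARNs are placeholders."""
import json

SAMPLE_POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "WildcardAccess", "Effect": "Allow",
     "Action": ["ds:*", "logs:*"], "Resource": "*"},
    {"Sid": "LambdaAccess", "Effect": "Allow", "Action": ["lambda:*"],
     "Resource": ["arn:aws:lambda:*:111111111111:function:CTRDataSyncFunction",
                  "arn:aws:lambda:*:111111111111:function:VoiceMailAudioProcessingFunction"]},
    {"Sid": "KMSTaggedKeys", "Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:CreateGrant"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/resourceOwner": "scv"}}},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

def _as_list(value):
    # IAM accepts a string or a list for Action and Resource; normalise.
    return value if isinstance(value, list) else [value]

def find_unbounded(policy):
    """Sids of Allow statements whose Action and Resource are both wildcards
    with no Condition narrowing them: the grants wildcard access leaves open
    and that a permissions boundary should fence in."""
    hits = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = "*" in _as_list(st.get("Resource", []))
        if wild_action and wild_resource and not st.get("Condition"):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

def services_used(policy):
    """Service prefixes (ds, logs, lambda, ...) named by non-global actions."""
    services = set()
    for st in policy["Statement"]:
        for action in _as_list(st.get("Action", [])):
            if action != "*":
                services.add(action.split(":", 1)[0])
    return services

def build_permissions_boundary(policy):
    """Boundary that caps the role at the services the policy itself names.
    Effective permissions are the intersection of role policy and boundary,
    so an Action "*" statement cannot reach a service SCV does not use."""
    allowed = sorted(f"{svc}:*" for svc in services_used(policy))
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "SCVServiceBoundary", "Effect": "Allow",
                           "Action": allowed, "Resource": "*"}]}

if __name__ == "__main__":
    print("unbounded:", find_unbounded(SAMPLE_POLICY))  # ['WildcardAccess', 'TooBroad']
    print(json.dumps(build_permissions_boundary(SAMPLE_POLICY), indent=2))
```

The boundary is still attached to the role with the usual IAM tooling; it does not grant anything on its own, it only limits what the role policy can grant.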

 


Knowledge Article Number

000981150

 
Salesforce Help | Article