Secure and distribute Alexa skills with Alexa for Business
I am from the Solutions Prototyping team. I build prototypes using AWS services for global customers who use Alexa for Business along with many other AWS services within their organizations. Many of these customers build voice-enabled solutions, and this voice-first design strategy makes securing Alexa skills a top priority. This blog post describes how to create, secure, and distribute private Alexa skills using Alexa for Business. For more information about private Alexa skills, see Private Skills.
This scenario assumes that a company needs an Alexa skill that provides key performance insights into the company financials. Such skills are typically used by leaders in different business units to get an overview of such areas as business trends, financial performance, and potential risks. Building an Alexa skill that deals with such sensitive data requires many considerations, including the following:
- The Alexa skill Lambda function must be deployed within an Amazon VPC. This provides access to API operations or data stores running within the VPC and on-premises private networks.
- The Alexa skill should support authentication mechanisms to ensure that only authorized users within the company can use the skill.
- The Alexa skill must not be discoverable in the public Alexa store. Its availability must be only to a selected user base within the company.
Each of these requirements is discussed in the following sections.
Deploy AWS Lambda within a VPC
The most efficient way to build the cloud-based service for a custom Alexa private skill is by using AWS Lambda. For most private Alexa skills, these Lambda functions must communicate with API operations or data stores hosted within a virtual private cloud (VPC) or within on-premises networks connected to Amazon VPC through a VPN or AWS Direct Connect. This requires that the Lambda function be deployed into a VPC. For more information about configuring Lambda within a VPC and Lambda’s scaling behavior within a VPC, see Configuring a Lambda Function to Access Resources in an Amazon VPC.
The following diagram shows the network architecture with a Lambda function configured within a VPC. It also shows how an Alexa skill communicates with such VPC deployed Lambda functions.
This Lambda function can communicate with API operations and data stores deployed within the VPC; for example, Amazon RDS and Amazon Redshift. It also communicates with those deployed in on-premises networks over AWS Direct Connect. For more information about the prescriptive architectural guidance on VPCs, see AWS Answers. For more information about AWS Security best practices, see this whitepaper.
Implementing authentication for an Alexa skill
For the purposes of this post, we use an Alexa skill called “Business Insights.” This skill provides users with a flash briefing about key performance indicators (KPIs) of a company’s financials. You can download the source code for this skill from this GitHub repository.
The information provided by this skill isn’t relevant to the public. Therefore, it is deployed as a private skill using Alexa for Business so that it is available only to business leaders and employees in the company.
To deploy this private skill into your Amazon Developer Account and distribute it to Alexa for Business, follow the instructions documented in the Readme file of the GitHub repo.
To secure the skill:
- The skill sends a 4-digit time-based security PIN by SMS to the user’s registered device to authenticate user utterances.
- The skill prompts the user for this PIN when an intent is invoked and the user hasn’t already been authenticated in the session. For more information about intents, see Create Intents, Utterances, and Slots.
- When the user-uttered PIN is valid, the intent responds with the KPI information. To deliver the SMS notification, the skill maintains a mapping of the DeviceID to the user’s phone number in a DynamoDB table.
For more information about setting up the required mapping, see the “Testing the Skill” section of the GitHub repository.
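As an added illustration of this PIN flow (example code written for this post, not the Business Insights skill's own source from the GitHub repository), the following Python derives a time-windowed 4-digit PIN with HMAC, sends it to the phone number mapped to the DeviceID, and gates an intent on a correct PIN with a per-session attempt limit. The secret, the 5-minute window, the 3-attempt limit, and the in-memory DeviceID-to-phone table standing in for DynamoDB are all assumptions.

```python
import hashlib
import hmac

PIN_DIGITS = 4
PIN_WINDOW_SECONDS = 300  # assumption: a PIN stays valid for one 5-minute window
MAX_ATTEMPTS = 3          # assumption: lock the session after three wrong PINs

# Constructed stand-in for the DynamoDB table that maps DeviceID -> phone number.
DEVICE_PHONE_TABLE = {"amzn1.ask.device.EXAMPLE": "+15555550123"}

def time_pin(secret: bytes, device_id: str, now: float, offset: int = 0) -> str:
    """PIN for the time window containing `now` (shifted by `offset` windows).

    HMAC-SHA256 over device ID and window counter, truncated to PIN_DIGITS, so the
    same derivation runs when sending and when verifying and nothing is stored.
    """
    window = int(now // PIN_WINDOW_SECONDS) + offset
    digest = hmac.new(secret, f"{device_id}:{window}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10**PIN_DIGITS).zfill(PIN_DIGITS)

def send_pin(secret: bytes, device_id: str, now: float, send_sms) -> bool:
    """SMS the current PIN to the phone mapped to this device; False if unmapped."""
    phone = DEVICE_PHONE_TABLE.get(device_id)
    if phone is None:
        return False  # device has no mapping: it can never be authenticated
    send_sms(phone, f"Your Business Insights PIN is {time_pin(secret, device_id, now)}")
    return True

def verify_pin(secret: bytes, device_id: str, spoken_pin: str, now: float) -> bool:
    """Constant-time check against the current and previous window (SMS delivery lag)."""
    return any(hmac.compare_digest(time_pin(secret, device_id, now, off).encode(),
                                   spoken_pin.encode()) for off in (0, -1))

def handle_intent(session: dict, secret: bytes, device_id: str,
                  spoken_pin, now: float, send_sms) -> str:
    """Gate a KPI intent behind the PIN. `session` is the Alexa session attributes dict."""
    if session.get("authenticated"):
        return "kpi_response"
    if session.get("attempts", 0) >= MAX_ATTEMPTS:
        return "locked"  # 4 digits is little entropy, so bound guesses per session
    if spoken_pin is None:  # first request in the session: send the PIN and ask for it
        return "prompt_for_pin" if send_pin(secret, device_id, now, send_sms) else "unknown_device"
    if verify_pin(secret, device_id, spoken_pin, now):
        session["authenticated"] = True
        return "kpi_response"
    session["attempts"] = session.get("attempts", 0) + 1
    return "prompt_for_pin" if session["attempts"] < MAX_ATTEMPTS else "locked"
```

In a real skill the `send_sms` callable would wrap the SMS provider and `session` would be the request's session attributes, so the authenticated flag and attempt counter live no longer than the Alexa session itself.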
Distributing private Alexa skills to enrolled users using Alexa for Business
If you followed the instructions in the GitHub repo for deploying and distributing the Alexa skill as a private skill, the skill is listed under Private skills in the Alexa for Business service within your AWS account, as shown in the following example:
The next step is to distribute this private skill to enrolled users. To do so:
1. Open the Alexa for Business console.
2. Choose Skills, Private skills.
3. In the list, select the skill published to your account, then choose Review.
4. To enable the skill for your Alexa for Business organization, choose Enable.
5. To make the skill available for enrolled users to discover and enable, choose Private skills, then select the Available to users check box.
6. Set up user enrollment. For information about how to set up and manage enrolled users, see Set up Enrollment.
7. Invite users. For information about inviting users, see Inviting Users.
8. Invited users are sent an email that lets them link the AWS account used to manage Alexa devices with their corporate email ID. When users choose to do so, an option to join Alexa for Business is provided as shown in the following example:
9. Choosing Join Now allows users to join and use Alexa for Business. When they do, they have access to the private skills enabled for use by the Alexa for Business IT administrator.
This blog post showed that deploying a skill’s Lambda function within a VPC provides a mechanism to access data within VPCs or on-premises private networks. It also showed how skills can be enabled to enforce authentication mechanisms using a security code sent through SMS. The skill was then distributed as a private skill to be available within an organization using Alexa for Business.