AWS Contact Center
Configure granular access controls using resource tags in Amazon Connect
Introduction
Organizations today are challenged by an evolving privacy and regulatory landscape, which can vary by geography, industry, or business need. To comply with these privacy regulations, contact center administrators are often required to enforce least-access privileges to sensitive resources used within their contact centers.
With the tag-based access controls in Amazon Connect, you can now enable granular access controls for Amazon Connect resources within the Amazon Connect administration console. Tags are Key:Value pairs which enable you to manage, search for, filter, and control access to Amazon Connect resources by role, team, line of business or other criteria. For example, tag-based access controls can give one administrator access to fully manage all agents, while we can create another administrator role that limits the admin to only viewing and managing agents within the business unit that they work for.
In this post, we first discuss the additional Amazon Connect resources that now support resource tagging through the Amazon Connect administration console. Then, we will show how administrators of a fictitious company, Octank, can configure tags for specific Amazon Connect resources, and then define least-privileged access to these resources using tag-based access controls.
The benefits of this solution apply to contact center administrators, managers, compliance stakeholders, and third parties like business process outsourcers (BPOs) alike:
- Enables customers to sort and filter resource by logical groupings, based on business need
- Protects customers from sharing sensitive information (i.e. PII) with unintended stakeholders
Solution Overview
To deploy this solution, you will complete the following steps:
- Configure access control and resource tags to specific resources.
- Configure resource tags and access control tags programmatically.
Before configuring resource tagging and tag-based access controls, Octank has the following internal data governance and business requirements:
- Create three contact center admin roles that limit access to users, routing profiles, and queues.
- Limit the first contact center role to just those resources tagged with
Country:Argentina - Limit the second contact center role to just those resources tagged
BPO:Octank - Limit the third contact center role to resources tagged with both
Country:ArgentinaBPO:Octank
- Limit the first contact center role to just those resources tagged with
Prerequisites
For this walkthrough, it is assumed that you understand and have access to the following resources:
- An AWS account with administrator access for Amazon Connect
- Amazon Connect instance that has been deployed.
- Amazon Connect user with Admin security profile privileges
- Basic familiarity with Tagging AWS Resources
Amazon Connect resources that support resource tagging
In addition to the existing capabilities for tagging resources in Amazon Connect you can now tag configurable resources within the Amazon Connect administration console. The following table shows resources that now support tags within the administration console as well as which resources support tags at the API/CLI level.
| Amazon Connect Resource | Support tagging in the Amazon Connect administration console | Support tagging at API and CLI level |
| User Management | Yes | Yes |
| Security Profiles | Yes | Yes |
| Routing Profiles | Yes | Yes |
| Queues | Yes | Yes |
| Flows | No | Yes |
| Hierarchy Groups | No | Yes |
| Hours of Operation | No | Yes |
| Quick Connects | No | Yes |
| Prompts | No | Yes |
| Instances | No | Yes |
| Task Templates | No | Yes |
| Phone Numbers | No | Yes |
| Traffic Distribution Groups | No | Yes |
| Agent Status | No | Yes |
Walkthrough of configuring access control tags and resource tags
The first section provides instructions on how to configure resource tags within the Amazon Connect administration console by first configuring security profiles with access control tags and resource tags. The subsequent sections contain instructions for configuring resource tags for users, queues and routing profiles. The final section contains instructions for modifying and testing different access-controlled security profiles using a sample user to verify granular access.
Set up Security Profiles with Access control tags
This section explains how to configure both access control and resource tags for security profiles within the Amazon Connect administration console by creating three security profiles with granular access controls.
- Sign in to the Amazon Connect administration console with a user assigned a security profile containing admin privileges.
- Select Users, Security Profiles.
- Choose Add new security profiles.
- Choose Add a new security profile.
- Enter Name and Description for the security profile. You can name the Security profile with the name “tagsecurityprofile1”
- Select the Security profile permissions. Grant “All” access to Routing profiles, Queues, Security profiles, and Users.
- Expand Show advanced settings
- Under Access control, select Users, Queues, and Routing Profiles as Resources and for access control Tags add the Key:Value
Country:Argentina - For the resource Tags, add your preferred resource tags (for example: Createdby:ABC)
- Choose Save. If the Save button isn’t active, it means you’re logged in with an Amazon Connect account that doesn’t have the required security profile permissions.
- Repeat this process for creating the security profiles tagsecurityprofile2, and tagsecurityprofile3 by configuring security profile name, permissions, access controlled resources, access control tags and the resource tags as mentioned below:
| Security Profile Name | Permissions | Access control | Access control Tags | Resource Tags |
| tagsecurityprofile1 | Routing Profiles, Queues, Users – All | Routing Profiles, Queues, Users | Country:Argentina | Createdby: ABC |
| tagsecurityprofile2 | Routing Profiles, Queues, Users – All | Routing Profiles, Queues, Users | BPO:Octank | Createdby: ABC |
| tagsecurityprofile3 | Routing Profiles, Queues, Users – All | Routing Profiles, Queues, Users | Country:Argentina, BPO:Octank | Createdby: ABC |
Once completed, you will have the following 3 security profiles with the following access control tags:
- tagsecurityprofile1 with the access control tag as
Country:Argentina, - tagsecurityprofile2 with the access control tag
BPO:Octankand - tagsecurityprofile3 with access control tags
Country:ArgentinaandBPO:Octank.
You can use these security profiles to apply data governance and business requirements that Octank has and we cover that after setting up the resource tags for Users, Queues and Routing profiles.
Set up Users with Resource Tags
This section explains how to configure users and apply resource tags within the Amazon Connect administration console.
Now, you will create one user with sub-administrator privileges and granular access controls applied, and three agents to view/manage. You will name the logins as tagadmin, taguser1, taguser2 and taguser3. Lastly, configure the routing profiles, security profiles and resource tags as mentioned below:
| Login | First Name | Last Name | Routing profile | Security Profile | Resource Tag1 | Resource Tag2 |
| tagadmin | Admin | Tag | Basic Routing Profile | tagsecurityprofile1 | ||
| taguser1 | Test1 | Tag | Basic Routing Profile | Agent | Country:Argentina | |
| taguser2 | Test2 | Tag | Basic Routing Profile | Agent | BPO:Octank | |
| taguser3 | Test3 | Tag | Basic Routing Profile | Agent | Country:Argentina | BPO:Octank |
- Log in to the Amazon Connect administration console with a user assigned a security profile containing admin privileges.
- Select Users, User management.
- Choose Add new users.
- Choose Add a user manually.
- Enter First Name, Last Name, Login, security profile and routing profile using the samples given in the table above for each user. You need to provide an email address and password while creating the user.
- You may skip this step for sub-administrator and follow this step only for creating agents. Expand Show advanced settings and add Key:Value using the resource tags samples given in the table above:
- Choose Save. If the Save button isn’t active, it means you’re logged in with an Amazon Connect account that doesn’t have the required security profile permissions.
- Repeat this process for creating the sub-administrator (tagadmin) and 3 agents (taguser1,taguser2 and taguser3)
Once completed, you will have one sub-administrator named tagadmin, and three agents with the following resource tags:
- taguser1 with the resource tag as
Country:Argentina. - taguser2 with the resource tag
BPO:Octank. - taguser3 with two resource tags
Country:ArgentinaandBPO:Octank.
Set up Queues with Resource Tags
This section explains how to configure resource tags for queues within the Amazon Connect administration console.
Next, create three queues tagqueue1, tagqueue2 and tagqueue3 with the hours of operation and resource tags as mentioned below:
| Queue Name | Hours of operation | Resource Tag1 | Resource Tag2 |
| tagqueue1 | Basic Hours | Country:Argentina | |
| tagqueue2 | Basic Hours | BPO:Octank | |
| tagqueue3 | Basic Hours | Country:Argentina | BPO:Octank |
- Log in to the Amazon Connect administration console, with a user assigned a security profile containing admin privileges.
- Select Routing, Queues.
- Choose Add queue.
- Enter Queue Name (eg: tagqueue1) and Description. For Hours of operation, you can select Basic Hours.
- Under Settings, go to the Tags section and add Key:Value for your preferred resource tags as shown below
- Choose Save. If the Save button isn’t active, it means you’re logged in with an Amazon Connect account that doesn’t have the required security profile permissions.
- Repeat this process for creating the remaining queues: tagqueue2 and tagqueue3
Once completed, you will have three queues, with the following resource tags:
- tagqueue1 with the resource tag as
Country:Argentina. - tagqueue2 with the resource tag
BPO:Octank. - tagqueue3 with two resource tags
Country:ArgentinaandBPO:Octank.
Set up Routing Profiles with Resource Tags
This section explains how to configure resource tags for routing profiles within the Amazon Connect administration console.
Next, create three routing profiles with the following names tagroutingprofile1, tagroutingprofile2, and tagroutingprofile3, with the voice channel, default outbound queue, and resource tags as mentioned below:
| Routing Profile Name | Select a Channel | Default outbound queue | Resource Tag1 | Resource Tag2 |
| tagroutingprofile1 | Voice | BasicQueue | Country:Argentina | |
| tagroutingprofile2 | Voice | BasicQueue | BPO:Octank | |
| tagroutingprofile3 | Voice | BasicQueue | Country:Argentina | BPO:Octank |
- Log in to the Amazon Connect administration console, with a user assigned a security profile containing admin privileges.
- Select Users, Routing profiles.
- Choose Add routing profile.
- Enter Routing profile Name (eg: tagroutingprofile1) and Description.
- Under Settings, Set Channel and concurrency, select Voice as the channel, leave Queues as is, and for Default outbound queue select BasicQueue.
- For Tags, add Key:Value for your preferred resource tags as shown below
- Choose Save. If the save button isn’t active, it means you’re logged in with an Amazon Connect account that doesn’t have the required security profile permissions.
- Repeat this process for creating the routing profiles tagroutingprofile2 and tagroutingprofile3
Once completed, you will have three routing profiles with the following resource tags:
- tagroutingprofile1 with the resource tag as
Country:Argentina. - tagroutingprofile2 with the resource tag
BPO:Octank. - tagroutingprofile3 with two resource tags
Country:ArgentinaandBPO:Octank.
Now that you have configured resource tags for users, queues and routing profiles, and have configured security profiles with access control and resource tags, you can validate the granular access that the sub-administrator tagadmin has.
Verify Access Controls
To verify granular access controls,
- Login to Amazon Connect administration console in an incognito window using the sub-administrator user named tagadmin.
- Select Users, User management. You will see users with at-least one resource tag key as “Country” and value as “Argentina”. In this case, its taguser1 and taguser3
- Choose Routing, Queues. You will see Queues with at-least one resource tag key as “Country” and value as “Argentina”. In our case, it’s tagqueue1 and tagqueue3
- Choose Users, Routing profiles. You will see Routing profiles with at-least one resource tag key as “Country” and value as “Argentina”. In our case, it’s tagroutingprofile1 and tagroutingprofile3
Note:
- If you create a security profile or change an existing security profile by adding access control tags, it will become more restrictive.
- No access control tags will apply to a user until the security profile is assigned.
Update Access control and Verify
Now, let’s change the Security Profile for the sub-administrator user (tagadmin) and verify the access granted. To do this,
- Log in to the Amazon Connect administration console
- Select Users, User management.
- Select the user tagadmin and click on Edit
- Change the security profile for the user tagadmin from tagsecurityprofile1 to tagsecurityprofile2. Note the different access control tags within the dropdown.
- Choose Save.
- Refresh the incognito window where you have logged in as the sub-administrator (user named tagadmin). Only the users, queues and routing profiles containing the tag
BPO:Octankshould be accessible. The user tagadmin will be able to be see taguser2 & taguser3 users, tagqueue2 & tagqueue3 queues and tagroutingprofile2 & tagroutingprofile3 profiles. - Finally, change the security profile for the user tagadmin from tagsecurityprofile2 to tagsecurityprofile3 and verify the access. Only the users, queues and routing profiles with the tags
Country:ArgentinaandBPO:Octankshould be accessible. The user tagadmin will be able to be see user taguser3 , tagqueue3 queue and tagroutingprofile3 profile.
Programmatically Configure Granular Access Controls Using the Amazon Connect APIs and SDK
You can programmatically configure Granular Access Controls on Amazon Connect resources using the Amazon Connect APIs.
- For creating security profiles with resource tags and access control tags, you can use the Create Security profile API
- For creating User with tags, you can use Create User API
- For creating Routing profile with tags, you can use Create Routing Profile API
- For creating Queues with tags, you can use Create Queues API
Clean up
- Once you logged in to your Amazon Connect administration console, delete users that you created as part of this blog.
- If you have set up an Amazon Connect instance as part of this, you can go to Amazon Connect AWS console and delete your connect instance.
Conclusion
In this blog, we explained how you can use Amazon Connect resource tags and access control tags to enable granular access to Amazon Connect resources. You can now explore this concept to create multiple groups by team, role, or other criteria and express more complex access control conditions for various Amazon Connect resources when the requirements change during the life of your Amazon Connect instance.
Join us for AWS Contact Center Day, a free virtual event where you’ll learn about the future of customer service, how machine learning can optimize customer and agent experiences—and more. Register now »
About the Authors
Dilin Joy
Dilin Joy is a Partner Solutions Architect at Amazon Web Services. He works with a leading Global System Integrator (GSI) to provide architectural guidance and support them in building strategic industry solutions on AWS.
Behrang KHAKISEDDIGH
Behrang KHAKISEDDIGH is a Senior Partner Solutions Architect at Amazon Web Services. He works with a leading Global System Integrator (GSI) to provide architectural guidance and support them in building strategic industry solutions on AWS.
Mike Cairns
Mike Cairns is a Partner Solutions Architect at Amazon Web Services. He works with a leading Global System Integrator (GSI) to provide architectural guidance and support them in building strategic industry solutions on AWS.
Tommy Graham
Tommy Graham is a Senior Product Manager, Technical at Amazon Web Services. He enjoys working with customers to identify solutions to their challenges, and using data-driven decision making to drive his work.
Additional Resources
Release notes for Amazon Connect