AWS Contact Center
Implementation of DevSecOps Ecosystem for Amazon Connect at NatWest
Introduction
As organizations across industries seek to elevate their customer service capabilities, the adoption of cloud-based contact centre solutions like Amazon Connect has emerged as a strategic priority. For NatWest Group, a leading banking and financial services group in the United Kingdom, the opportunity to enhance customer experiences through an Amazon Connect-powered contact centre was a critical initiative that would drive long-term loyalty and competitive advantage.
However, implementing and managing a comprehensive DevSecOps ecosystem for such a large-scale deployment can present its own set of challenges. Recognizing this, NatWest embarked on a strategic journey to not only deploy Amazon Connect but also to build a robust DevSecOps ecosystem that would ensure the long-term success and resilience of their contact centre transformation.
Drawing upon the organization’s extensive experience and lessons learned, this guide provides valuable insights and best practices from NatWest’s journey. By embracing a DevSecOps approach, the organization has been able to deliver efficient, secure, and scalable customer experiences, setting a benchmark in the industry.
Challenges Faced by NatWest
- Managing a shared, enterprise-wide Amazon Connect instance: NatWest chose to deploy a single, shared Amazon Connect instance across multiple business units and teams. While this approach offered benefits in terms of resource optimization and consistency, it also introduced complex challenges in areas such as resource segregation, release management, and cross-team collaboration.
- Ensuring robust security and compliance: As a banking and financial services group, NatWest was acutely aware of the need to maintain the highest standards of security and compliance for their contact centre operations. Protecting sensitive customer data and adhering to industry regulations were paramount concerns that required a comprehensive security strategy.
- Accelerating the pace of innovation: In an increasingly competitive and fast-paced market, NatWest recognized the need to rapidly develop and deploy new features and capabilities for their Amazon Connect-powered contact centre. The organization sought to optimize their deployment processes to keep pace with evolving customer demands.
- Driving operational efficiency and consistency: With multiple teams and business units leveraging the shared Amazon Connect instance, NatWest aimed to maintain consistency across their contact centre environment. The organization sought to address duplicate efforts, siloed workflows, and a lack of standardization to improve operational efficiency and agility.
NatWest’s Approach
Recognizing these challenges, NatWest embarked on a strategic initiative to implement a comprehensive DevSecOps ecosystem for their Amazon Connect platform. This approach was designed to improve customer experiences, drive operational efficiencies, and fortify the organization’s security posture.
Working closely with the AWS Professional Services team, NatWest implemented a multi-faceted approach that addressed their key challenges:
Environment Strategy
At the core of NatWest’s DevSecOps approach was the implementation of a well-defined environment strategy for their Amazon Connect instance. Instead of a siloed, multi-instance setup, the organization chose to have a single Amazon Connect instance shared across all business units. This approach ensured consistency in management, streamlined resource utilization, and enabled efficient collaboration between teams.
To support their development, testing, and production needs, NatWest implemented the following environment structure:
- Sandbox environment: A dedicated playground for developers to experiment, explore, and familiarize themselves with Amazon Connect features without impacting other environments.
- Development environment: A separate AWS account used for active development and initial testing of new features or configurations.
- Testing environment: A dedicated AWS account for comprehensive system integration testing, including functional testing, before promoting changes to higher environments.
- Pre-production environment: A final validation step before deploying to production, hosted in a separate AWS account and closely mirroring the production setup.
- Pre-production disaster recovery environment: A disaster recovery environment for the pre-production setup, deployed in a different AWS region to ensure business continuity.
- Production environment: The live customer-facing environment, hosted in a dedicated AWS account with strict security measures.
- Production disaster recovery environment: A failover environment in a different AWS region, acting as a backup in case of a regional outage.
By segregating their environments across separate AWS accounts and regions, NatWest maintained a clear separation of concerns, enhanced security, and enabled efficient testing and disaster recovery strategies. This setup allowed the organization to manage their Amazon Connect instance effectively, ensuring a smooth development lifecycle, robust testing, and high availability for their contact centre operations.
Infrastructure as Code (IaC) Strategy
NatWest has a shared Amazon Connect environment utilized by various business units. To manage this infrastructure, the organization employs Terraform as their IaC tool. Rather than a one-size-fits-all approach, NatWest has adopted a modular strategy, defining infrastructure in smaller, more manageable units.
Decentralized approach for independent management
This modular approach allows different teams to independently manage and release their respective infrastructure components using dedicated Terraform code repositories. By embracing this decentralized structure, NatWest has been able to mitigate the risk of widespread issues caused by changes in a monolithic repository. Moreover, this strategy accelerates the release process and reduces the potential impact radius of any problems introduced in the infrastructure.
Opinionated resource naming and tagging
To prevent resource conflicts and ensure consistency across teams, NatWest has implemented an opinionated resource naming and tagging strategy. Recognizing the importance of providing flexibility while adhering to organizational policies and standards, the team has created custom Terraform modules for common resource types in the Amazon Connect platform.
These opinionated modules enforce consistent naming conventions, tagging standards, and adherence to predefined policies (security, compliance, etc.). By leveraging these modules, NatWest ensures that resources created by different teams follow a consistent approach across the entire Amazon Connect platform. Below is the list of Terraform modules defined for Amazon Connect:
- Amazon Connect
- AWS Lambda
- Amazon Lex
- Amazon DynamoDB
- Other Common Resources: Amazon Simple Storage Service (S3), AWS Identity and Access Management (IAM), AWS Key Management Service (AWS KMS), Amazon Kinesis
This modular, opinionated approach not only enables independent infrastructure management by teams but also promotes consistency, adherence to best practices, and alignment with organizational policies.
Deployment Strategies
In addition to their robust Infrastructure as Code (IaC) approach, NatWest has also optimized the deployment processes for critical components within their Amazon Connect platform. By streamlining the deployment strategies for key resources like Amazon Lex bots and Amazon QuickSight assets, the organization has been able to accelerate the development and delivery of new features and capabilities, ensuring seamless and consistent experiences for their customers.
Amazon Lex deployment strategy
A crucial part of NatWest’s customer self-service journeys for their Amazon Connect contact centre is the utilization of multiple Amazon Lex bots, specifically focusing on Amazon Lex V2. To enable their teams to quickly develop and deploy these Lex bots, NatWest has implemented an automated deployment strategy using export and import CI/CD pipelines.
Managing the deployment of complex Amazon Lex bot schemas can be challenging, especially when using traditional Infrastructure as Code (IaC) tools like AWS CloudFormation. The YAML or JSON definitions required for these tools can quickly become unwieldy and difficult to maintain. To address this, NatWest has adopted a more streamlined approach:
- Developers create and build Amazon Lex bots using the user-friendly Lex console.
- Once a bot has been thoroughly tested, developers leverage an export pipeline to capture the bot’s schema as code and store it in a Git repository.
- For deployment to higher environments (e.g., development, testing, production), NatWest uses an import CI/CD pipeline. This pipeline retrieves the bot schema from the Git repository and deploys the bot to the target environment.
By eliminating the need for manual IaC code writing, this export-and-import approach has helped NatWest streamline their Lex bot deployment process and accelerate the overall development and delivery cycle.
Amazon QuickSight deployment strategy
Alongside their contact centre operations, NatWest also utilizes Amazon QuickSight for creating dashboards and reports to support data-driven decision-making. As the demand for these assets grew across multiple environments, the organization found that manually deploying and managing QuickSight resources was a time-consuming and error-prone process.
To address this challenge, NatWest defined a strategy that allows their developers to quickly build and customize QuickSight dashboards, analyses, datasets, and data sources using the QuickSight console. The organization then leverages export and import pipelines to accelerate the deployment of these assets across different environments.
The QuickSight asset deployment process at NatWest is as follows:
- Users create and customize the desired QuickSight assets (dashboards, analyses, data sets, data sources) using the QuickSight console.
- Once the assets are ready, the developers export them as a JSON bundle using the QuickSight export API, which is integrated into NatWest’s QuickSight export pipeline.
- The exported JSON bundle is stored in the version control system (Git), treating it as source code.
- During deployments to different environments (e.g., development, testing, production), NatWest’s QuickSight import pipeline leverages the QuickSight import API to deploy the JSON bundle into the target QuickSight account.
This approach avoids the need to define complex Infrastructure as Code (IaC) resources in tools like AWS CloudFormation or Terraform, which can be unwieldy when dealing with large or intricate QuickSight configurations. Instead, the export and import pipelines enable NatWest to treat QuickSight assets as code, store them in version control, and deploy them consistently across environments.
By combining the ease of use of the QuickSight console with the automated export and import pipelines, NatWest has been able to foster developer agility while ensuring consistent and reliable deployments of their data visualization and analytics assets across the organization.
Security Controls
Security was a paramount concern for NatWest, given the sensitive nature of their contact centre operations and the need to protect customer data. To address this, the organization implemented a comprehensive DevSecOps security strategy, focusing on both preventive and detective controls to safeguard their Amazon Connect platform.
Preventive controls
NatWest took a proactive approach to implementing preventive security controls across their DevSecOps
- Resource naming and tagging policies: The organization enforced consistent and meaningful resource naming conventions and tagging standards to ensure better visibility and control over the infrastructure.
- Secure configurations: NatWest leveraged their opinionated Terraform modules to carefully configure Amazon Connect, AWS Lambda, Amazon Lex, and other supporting services. These modules incorporated security best practices and organizational policies, ensuring the infrastructure was deployed in a secure and compliant manner.
- Static Code Scanning: As part of the CI/CD pipelines, NatWest implemented security scanning tools like Checkov for Terraform code and Bandit for Python code to continuously scan for vulnerabilities and misconfigurations.
- AWS Service Control Policies (SCPs): The organization leveraged AWS SCPs to enforce strict guardrails and restrict certain actions, such as denying the deletion of the Amazon Connect instance and of sensitive data like Amazon Connect contact records, call recordings, etc.
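An added example, not NatWest's policy or code: a constructed SCP for the guardrail described in the last item, with a pipeline check that fails if a required Deny is removed or made conditional. The bucket name, account ID, instance ID and the simplified matcher are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed SCP. EXAMPLE-connect-recordings is a placeholder bucket name.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyConnectInstanceDeletion", "Effect": "Deny",
         "Action": ["connect:DeleteInstance"], "Resource": "*"},
        {"Sid": "DenyRecordingDeletion", "Effect": "Deny",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
         "Resource": ["arn:aws:s3:::EXAMPLE-connect-recordings",
                      "arn:aws:s3:::EXAMPLE-connect-recordings/*"]},
    ],
}

# Requests that must always be denied (constructed account and instance IDs).
REQUIRED_DENIES = [
    ("connect:DeleteInstance",
     "arn:aws:connect:eu-west-2:111122223333:instance/EXAMPLE-INSTANCE-ID"),
    ("s3:DeleteObject", "arn:aws:s3:::EXAMPLE-connect-recordings/2024/01/call.wav"),
    ("s3:DeleteObjectVersion", "arn:aws:s3:::EXAMPLE-connect-recordings/2024/01/call.wav"),
    ("s3:DeleteBucket", "arn:aws:s3:::EXAMPLE-connect-recordings"),
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_denied(policy, action, resource):
    """True only if an unconditional Deny statement matches the request.

    Simplified matcher (assumption): '*' and '?' wildcards only. Statements
    with Condition, NotAction or NotResource are skipped, because they do
    not guarantee a deny for every principal and request.
    """
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if any(key in stmt for key in ("Condition", "NotAction", "NotResource")):
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # IAM action names are case-insensitive; resource ARNs are not.
        if (any(fnmatchcase(action.lower(), a.lower()) for a in actions)
                and any(fnmatchcase(resource, r) for r in resources)):
            return True
    return False


def guardrail_gaps(policy):
    """Return the required (action, resource) pairs the policy fails to deny."""
    return [(a, r) for a, r in REQUIRED_DENIES if not is_denied(policy, a, r)]


if __name__ == "__main__":
    gaps = guardrail_gaps(GUARDRAIL_SCP)
    print("guardrail intact" if not gaps else f"guardrail gaps: {gaps}")
```

Run as a CI step on the SCP's source file, a non-empty result from `guardrail_gaps` blocks a change that would quietly weaken the guardrail.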
Detective controls
To complement the preventive measures, NatWest also implemented a robust set of detective controls, including:
- AWS Config: NatWest leveraged AWS Config, both with out-of-the-box and custom configuration rules, to continuously monitor the configuration of resources and detect any drifts or changes.
- AWS Inspector: The organization enabled AWS Inspector to periodically scan AWS Lambda functions for vulnerabilities and misconfigurations, providing valuable insights to address potential security issues.
- Security monitoring and alerting: NatWest established a comprehensive security monitoring and alerting framework by integrating services like Amazon CloudWatch and AWS Security Hub, enabling quick identification and response to security incidents.
This multilayered DevSecOps approach, combining preventive and detective controls, ensured a strong security posture for NatWest’s contact centre operations. The organization was able to proactively mitigate risks, detect and address security incidents in a timely manner, and maintain the highest levels of data protection for their customers.
Utilities for Accelerating Development and Deployment
To further streamline the development and deployment of their Amazon Connect platform, NatWest created a suite of custom-built utilities and accelerators. These included:
Export contact flow as Terraform template utility
One of the key utilities developed by NatWest was a contact flow export tool. This allowed the organization to export contact flows developed using the Amazon Connect console as Terraform templates, replacing hardcoded ARNs with Terraform variables. By leveraging this utility, NatWest was able to:
- Treat contact flows as Infrastructure as Code, enabling version control and consistent deployments across environments.
- Avoid manual configurations when deploying contact flows to target environments, as the Terraform templates could be applied directly.
- Ensure consistency and reusability of common contact flow components, such as shared AWS Lambda functions and Lex bots, by referencing them through Terraform variables.
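An added sketch of the ARN-parameterization step such a utility performs; it is not NatWest's tool. The sample flow, the variable naming scheme and the `${...}` placeholder style (as consumed by Terraform's `templatefile()`) are assumptions.

```python
import json
import re

# Broad ARN matcher: partition, service, region, account ID, resource.
ARN_RE = re.compile(r"arn:aws[\w-]*:[\w-]+:[\w-]*:\d*:[\w\-/:.]+")

# Constructed sample in Amazon Connect flow language; all IDs are placeholders.
SAMPLE_FLOW = {
    "Version": "2019-10-30",
    "StartAction": "a1",
    "Actions": [
        {"Identifier": "a1", "Type": "InvokeLambdaFunction",
         "Parameters": {"LambdaFunctionARN":
                        "arn:aws:lambda:eu-west-2:111122223333:function:balance-lookup"},
         "Transitions": {"NextAction": "a2"}},
        {"Identifier": "a2", "Type": "ConnectParticipantWithLexBot",
         "Parameters": {"Text": "Your balance is ${amount}",
                        "LexV2Bot": {"AliasArn":
                                     "arn:aws:lex:eu-west-2:111122223333:bot-alias/ABCDEFGHIJ/TSTALIASID"}},
         "Transitions": {"NextAction": "a3"}},
        {"Identifier": "a3", "Type": "DisconnectParticipant",
         "Parameters": {}, "Transitions": {}},
    ],
}


def variable_name(arn):
    """Build a template variable name from the ARN's service and resource."""
    _, _, service, _, _, resource = arn.split(":", 5)
    slug = re.sub(r"[^a-z0-9]+", "_", resource.lower()).strip("_")
    return f"{service}_{slug}_arn"


def parameterize(flow):
    """Return (template_text, {variable: original_arn}) for a contact flow dict."""
    variables = {}

    def replace_arn(match):
        arn = match.group(0)
        name = variable_name(arn)
        if variables.setdefault(name, arn) != arn:
            raise ValueError(f"two different ARNs map to variable {name}")
        return "${" + name + "}"

    def walk(node):
        if isinstance(node, dict):
            return {key: walk(value) for key, value in node.items()}
        if isinstance(node, list):
            return [walk(item) for item in node]
        if isinstance(node, str):
            # Escape sequences templatefile() would otherwise interpolate.
            escaped = node.replace("${", "$${").replace("%{", "%%{")
            return ARN_RE.sub(replace_arn, escaped)
        return node

    return json.dumps(walk(flow), indent=2), variables


def leaked_account_ids(template):
    """Return any 12-digit account IDs still hardcoded in the template."""
    return sorted(set(re.findall(r"\b\d{12}\b", template)))
```

Asserting that `leaked_account_ids` returns an empty list before the template is committed keeps environment-specific account IDs out of the Git repository.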
Contact Lens rules export and import pipelines
In addition to the contact flow management utility, NatWest also created export and import pipelines for their Amazon Connect Contact Lens rules. This allowed the organization to version control the Contact Lens rules configurations and deploy them consistently across environments, ensuring a standardized approach to conversational analytics.
Performance metrics reporting
To provide visibility into the overall performance of their Amazon Connect contact centre, NatWest developed custom reporting utilities. These tools gathered and analysed logs and metrics from various sources, such as Amazon Connect, Amazon Lex, DynamoDB, AWS Lambda, etc. to generate comprehensive performance reports. This enabled the organization to make data-driven decisions and continuously optimize the efficiency and reliability of their contact centre operations.
By leveraging this suite of custom-built utilities, NatWest was able to significantly reduce the time and effort required to build, test, and deploy their Amazon Connect-based contact centre services, ultimately driving greater efficiency and agility across the organization.
Benefits Realized
By implementing a comprehensive DevSecOps ecosystem for their Amazon Connect platform, NatWest has achieved several key benefits:
- Standardized and consistent approach: The organization has established a standardized and consistent approach to managing Amazon Connect resources across multiple environments and business units, reducing complexity and ensuring alignment with organizational policies.
- Improved security posture: The implementation of preventive and detective security controls has fortified the overall security of NatWest’s contact centre environment and protected sensitive customer data.
- Increased efficiency and reliability: The adoption of automated deployments and Infrastructure as Code has increased the efficiency and reliability of NatWest’s contact centre operations, enabling the organization to respond quickly to evolving customer needs.
- Streamlined release processes: NatWest has implemented robust testing, validation, and rollback mechanisms, ensuring the smooth and reliable delivery of new features and capabilities to their contact centre.
- Accelerated development and deployment: The various deployment strategies, utilities, and accelerators developed by NatWest have significantly reduced the time and effort required to build, test, and deploy components for their Amazon Connect platform.
Conclusion
By implementing a comprehensive DevSecOps ecosystem for their Amazon Connect contact centre, NatWest has demonstrated its commitment to delivering efficient, secure, and scalable customer experiences.
The holistic DevSecOps framework adopted by NatWest has enabled the organization to address the complex challenges inherent in modernizing a contact centre operation. By establishing a standardized and consistent approach to managing their Amazon Connect resources, NatWest has reduced complexity, improved security, and increased the efficiency and reliability of their contact centre operations.
Furthermore, the organization’s innovative deployment strategies, including the utilization of export-and-import pipelines for Lex bots and QuickSight assets, have accelerated the development and delivery of new capabilities. Coupled with the custom-built utilities and accelerators, this has empowered NatWest’s teams to be more agile in responding to evolving customer needs.
The strategies and best practices outlined in this comprehensive guide can serve as a valuable reference for organizations looking to modernize their own contact centre operations and unlock the full potential of Amazon Connect. By embracing a DevSecOps mindset and leveraging the breadth of capabilities within AWS, businesses can enhance customer satisfaction, improve operational efficiency, and maintain a robust security posture.
As the financial services industry continues to evolve, NatWest’s DevSecOps journey with Amazon Connect stands as a testament to the transformative power of a holistic, customer-centric approach to technology modernization. This guide provides a roadmap for other organizations aspiring to achieve similar levels of success in their contact centre transformations.
About the Authors
Abhay Kumar is a Director of Engineering at NatWest. He is responsible for Architecture, Development, Maintenance, Quality and Security of the Contact Centre Platform.
Prateek Guleria is a DevOps Lead at NatWest. He is entrusted with performing automations, overseeing the development and implementation of CI/CD, and maintaining cloud infrastructure on the AWS platform.
Krishanu Bhar is a Senior Solutions Architect at NatWest, where he focuses on designing secure, scalable, and compliant cloud solutions tailored to the financial industry’s unique needs. He is passionate about leveraging AWS technologies to drive digital transformation and optimize banking operations.
Anand Jumnani is a DevOps Consultant at Amazon Web Services based in the United Kingdom.
Alex Buckhurst is a Senior Amazon Connect consultant at Amazon Web Services with a focus on innovation and building customer-centric designs. In his downtime, Alex enjoys playing squash, perfecting his BBQ skills, and cherishing moments with his family.
Wajahat Khan is a Senior Connect Consultant at Amazon Web Services in the United Kingdom.