Safeguard your environment and reduce reputational risk using Amazon Connect attachment scanning

The ability to share attachments between customers and agents during a chat interaction offers significant benefits to enhance the overall customer experience. By allowing customers to share files such as documents, images, or screenshots during a chat session, it facilitates clearer communication and provides a more comprehensive understanding of the customer’s issue. This can lead to faster problem resolution and a more personalized interaction. Agents can use attachments to share product guides, troubleshooting steps, or any necessary information, enriching the support provided. Additionally, the ability to send relevant visuals can aid in explaining complex concepts, reducing misunderstandings, and improving customer satisfaction. For example, an agent can send a copy of a recent hotel invoice or a customer can share a photo of a damaged product.

While enabling the capabilities to send and receive attachments is critical to enhance conversations, it opens the door to potentially malicious files that may be infected with malware, viruses, ransomware, Trojan horses, inappropriate pictures, and more. Malicious files can pose a significant threat that could lead to compromising both customer and agent data. This not only impacts the recipient’s system but can also introduce reputational risk and cause organizations to lose customers and revenue.

Amazon Connect allows customers and agents to share files using chat and enable agents to upload files to cases using Amazon Connect Cases. In a chat scenario, attachments are included in the chat transcript, to help ensure the full context from the conversation is available if a contact is transferred to another agent. The files are also stored in Amazon Simple Storage Service (S3) bucket to allow access from other systems such as customer relationship management (CRM) or case management systems.

In this blog, I will demonstrate how organizations can integrate a third-party or homegrown attachment scanner and use it to approve or reject attachments in Amazon Connect. By implementing this strategy, businesses can enhance cyber resilience, mitigate risk posed by malicious activities, with security and compliance requirements top of mind.

Solution Overview

This solution uses Amazon Rekognition Content Moderation to identify inappropriate, unwanted, or offensive content in images based on general or business-specific standards and practices. For example, an Amazon Rekognition based scanner uses machine learning to detect explicit content. This helps create a safe user experience, provide brand safety assurances to customers and comply with local and global regulations.

You will create an AWS Lambda function “ConnectAttachmentScanner” to invoke Amazon Rekognition DetectModerationLabels API to detect explicit content in a specified JPEG or PNG format image. This Lambda function will be responsible for passing information about the location of the image that needs to be scanned. The response returned by the Lambda function will contain the approval status of the image scanning process. In this example, an image is only rejected if one or more label categories exist in the Lambda function response.

To setup the attachment scanner integration with Amazon Connect, you will use CreateIntegrationAssociation API to specify the Amazon Resource Name (ARN) of the AWS Lambda and set the integration type parameter to “FILE_SCANNER”.

Architecture

1. Customer initiates a chat from your website using the communications widget hosted by Amazon Connect or mobile application using the Amazon Connect Chat SDK
2. The chat is routed to an available agent based on your Amazon Connect Flow configuration.
3. The customer or agent sends a chat attachment and the file is uploaded to Amazon S3 bucket
4. Amazon Connect instance invokes the attachment scanner AWS Lambda function that handles scanning files
5. Scanner Lambda function retrieves the file from S3 bucket
6. Scanner Lambda function calls Amazon Rekognition DetectModetationLabel API
7. Amazon Connect marks the attachment APPROVED or REJECTED based on the Lambda status response. If the result is REJECTED, the attachment files in S3 are automatically deleted from both staging and final locations

Walkthrough

This walkthrough will show you how to create an image-based scanner using AWS Serverless Application Model (SAM). You will deploy the SAM application, which builds the required infrastructure to implement the scanner. Then, you will integrate the deployed image scanner with your Amazon Connect instance, test the solution using the test chat utility available within the Amazon Connect console and finally, clean up the deployment.

Prerequisites

For this walkthrough, you should have the following prerequisites:

• An AWS account
• An IAM User with programmatic access
• An existing Amazon Connect instance with attachments enabled
• AWS IAM with access to create users, policies and roles
• Local installation of AWS SAM CLI and experience using the AWS CLI
• Amazon S3 bucket name where chat attachments are stored. For more information, see Update data storage in the Amazon Connect Administrator Guide

Step 1: Assign permissions to your IAM user account

You can use the AWS Management Console to add permissions to an identity (user, user group, or role). To do this, attach managed policies that control permissions, or specify a policy that serves as a permissions boundary. You can also embed an inline policy.

To embed an inline policy for a user or role (console)

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
2. In the navigation pane, choose Users
3. In the list, choose the name of the user to embed a policy in
4. Choose the Permissions tab
5. Select Add permissions dropdown and then choose Create inline policy
6. In the Policy editor section, choose the JSON option

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "0",
               "Effect": "Allow",
               "Action": [
                   "iam:GetRole",
                   "iam:PassRole",
                   "iam:DetachRolePolicy",
                   "iam:CreateRole",
                   "iam:DeleteRole",
                   "iam:AttachRolePolicy",
                   "iam:PutRolePolicy",
                   "iam:DeleteRolePolicy",
               ],
               "Resource": "arn:aws:iam::111122223333:role/sam-app-LambdaRole-*"
           },
           {
               "Sid": "1",
               "Effect": "Allow",
               "Action": [
                   "connect:CreateIntegrationAssociation"
               ],
               "Resource": "arn:aws:connect:aa-example-1:111122223333:instance/a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa/integration-association/*"
               
           },
           {
               "Sid": "2",
               "Effect": "Allow",
               "Action": [
                   "lambda:AddPermission",
                   "lambda:RemovePermission",
                   "lambda:CreateFunction",
                   "lambda:TagResource",
                   "lambda:GetFunction",
                   "lambda:DeleteFunction",
                   "lambda:PutFunctionConcurrency"
               ],
               "Resource": "arn:aws:lambda:aa-example-1:111122223333:function:sam-app-ConnectAttachmentScanner-*"
               
           }
       ]
   }

7. In the preceding command, do the following:
   • Replaceaa-example-1 with AWS Region
   • Replace111122223333 with AWS Account ID
   • Replacea1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa with Amazon Connect instance ID
     For instructions on how to Find your Amazon Connect instance ID/ARN, navigate the Amazon Connect Administrator Guide.
8. Provide a policy name and click Create policy

Step 2: Build and deploy your SAM application

In this step, you will deploy a SAM application which creates our Amazon Rekognition image-based scanner serverless application. If you are unfamiliar with using the AWS SAM CLI, learn how to install and setup AWS SAM CLI by navigating to How to use AWS SAM in the AWS Serverless Application Model Developer Guide.

1. Using Git, clone the repository from GitHub

   git clone https://github.com/aws-samples/safeguard-your-environment-and-reduce-reputational-risk-using-amazon-connect-attachment-scanning

2. Browse to the directory where the repository is downloaded

   cd safeguard-your-environment-and-reduce-reputational-risk-using-amazon-connect-attachment-scanning

3. Build the solution with SAM

   sam build

4. Deploy the solution. During the interactive flow, the AWS SAM CLI prompts you with options to configure your application’s deployment settings. Replace S3BucketName with your Amazon Connect chat attachment S3 bucket

   sam deploy –-guided
   
   
   Configuring SAM deploy
   ======================
   
           Looking for config file [samconfig.toml] :  Found
           Reading default arguments  :  Success
   
           Setting default arguments for 'sam deploy'
           =========================================
           Stack Name [sam-app]: ENTER
           AWS Region [eu-west-2]: ENTER or provide the desired region
   	Parameter ConnectBucketName []: S3BucketName
           #Shows you resources changes to be deployed and require a 'Y' to initiate deploy
           Confirm changes before deploy [Y/n]: ENTER
           #SAM needs permission to be able to create roles to connect to the resources in your template
           Allow SAM CLI IAM role creation [Y/n]: ENTER
           #Preserves the state of previously provisioned resources when an operation fails
           Disable rollback [y/N]: ENTER
           Save arguments to configuration file [Y/n]: ENTER
           SAM configuration file [samconfig.toml]: ENTER
           SAM configuration environment [default]: ENTER
   
   Previewing CloudFormation changeset before deployment
   ======================================================
   Deploy this changeset? [y/N]: y   
   
   Successfully created/updated stack - sam-app in aa-example-1

Step 3: View and verify your deployed application

To view your deployed application, do the following:

1. Open the AWS CloudFormation console directly with the URL https://console.aws.amazon.com/cloudformation
2. Select Stacks
3. Identify your stack by application name and select it to view your resources
4. Navigate to your AWS Lambda function sam-app-ConnectAttatchmentScanner-021345abcdef6789
   
5. Copy your Lambda function ARN as this information is needed in the next step

Step 3: Integrate your Amazon Connect instance with the attachment scanner

Using the AWS CLI, run the following command:

aws connect create-integration-association \
--instance-id a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa \
--integration-type FILE_SCANNER \
--integration-arn arn:aws:lambda:aa-example-1:111122223333:function:sam-app-ConnectAttachmentScanner-021345abcdef6789

Successful response:
{
"IntegrationAssociationId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"IntegrationAssociationArn": "arn:aws:connect:aa-example-1:111122223333:instance/a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa/integration-association/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}

In the preceding command, do the following:

• Replacea1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa with Amazon Connect instance Id
• Replacearn:aws:lambda:aa-example-1:111122223333:function:sam-app-ConnectAttachmentScanner-021345abcdef6789 with Attachment scanner AWS Lambda function ARN

Test the solution

In this section, we will test the attachment scanner solution using an Amazon Connect hosted communication chat widget. You can also use the Test chat utility available within the Amazon Connect admin website to verify the attachment scanner functionality.

Scenario

Maria Garcia, a customer of AnyCompany Retail. Two days ago, she received a new smart watch to track her fitness goals. After unboxing the watch, Maria realized it is missing features such measuring blood oxygen levels. She logins into her AnyCompany account to request a refund and starts a chat conversation via the web application.

John Stiles, an experienced agent at AnyCompany accepts the chat contact. He starts by greeting Maria and offers to assist with her refund request. John requests Maria to upload the proof of purchase of the smart watch she wants to return. Maria selects the pin icon to attach the required document and inadvertently uploads a photo of her prescription medicine that was also saved in her pictures folder. The prescription medicine image is rejected by the scanner that is configured to block drug related content.

Customer Experience

Maria uploads the proof of purchase for her new smart watch. The attachment scanner accepts the file and displays it to John.

Agent Experience

John follows the guidelines for refund requests and shares AnyCompany Retail return policy with Maria. In this document, Maria can read useful information such as the expected processing time for her request. She also finds the shipping label which she can print and attach it to her parcel.

Agent Experience

Customer Experience

Cleaning up

To avoid incurring future charges, navigate to the root of your project and execute the following command:

sam delete 
Are you sure you want to delete the stack sam-app in the region aa-example-1  ? [y/N]: y 
Are you sure you want to delete the folder sam-app in S3 which contains the artifacts? [y/N]: y

This deletes the AWS SAM application by deleting the AWS CloudFormation stack including the artifacts that were packaged and deployed to Amazon S3.

To delete the attachment scanner association from your Amazon Connect instance, run the following command:

aws connect delete-integration-association \ 
--instance-id a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa\ 
--integration-association-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111

In the preceding command, do the following using values obtained from Step 3:

• Replacea1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa with Amazon Connect instance Id
• Replacea1b2c3d4-5678-90ab-cdef-EXAMPLE11111 with Attachment scanner integration association Id

Conclusion

This blog post provided a walk-through on how to integrate Amazon Connect with an attachment scanner solution to approve or reject attachments. Using this feature, you can:

• Plugin your existing threat scanning solution to Amazon Connect
• Ensure you operate a safe environment which protects your customers against malicious activities
• Reduce reputational risk and improve customer experience

Please visit the Amazon Connect Administrator Guide to learn more Amazon Connect and setting up attachment scanning.

Ready to transform your customer service experience with Amazon Connect? Contact us

Marwan Bassyouni is a Customer Experience Specialist Solutions Architect at Amazon Web Services for AWS WWSO Applications. He specializes in Amazon Connect and empowers organizations across various industries to achieve business goals through through Customer Experience solutions (CX) and digital transformation. In his free time, Marwan can be found enjoying quality time with his family on beach trips, and pushing his limits in the gym. As a passionate Manchester United supporter, he’s always ready to discuss the latest match or transfer news.