AWS Contact Center

Unlock organization-wide auditing ability for Amazon Connect flow changes

Maintaining a comprehensive audit trail and centralized visibility into contact center operations is crucial for security, compliance, and operational best practices. In our previous blog post, “Investigate Amazon Connect API activity across your organization using AWS CloudTrail and Amazon Athena”, we explored how customers can leverage AWS CloudTrail and Amazon Athena to gain visibility and auditability into the various API calls being made within their Amazon Connect contact center environments. This was an important first step in empowering organizations to monitor and investigate their contact center operations.

Now, Amazon Connect has taken this a step further by providing AWS CloudTrail support for flow management activities in the Amazon Connect console. This means that any time a user adds, updates, or deletes a contact flow, a record of that activity is captured in the CloudTrail logs. This new feature offers even greater visibility, reporting, and compliance benefits for contact center teams.

In this follow-up blog post, we will dive deeper into how customers can centrally analyze and audit these Amazon Connect flow management activities across their entire AWS environment. By combining the power of AWS CloudTrail and Amazon Athena, organizations can answer crucial questions such as:

  • Who last updated this critical contact flow?
  • When was this flow last saved or deleted?
  • What flow management activities are happening across our various AWS accounts and regions?

Overview of the solution

With the new CloudTrail support for Amazon Connect flow management, organizations can centrally audit activities across accounts and regions. By capturing detailed records, customers can track who made changes to contact flows, when, and from where. Enabling CloudTrail logging is a good first step, but it’s insufficient when managing environments across multiple AWS accounts and regions. Customers can query CloudTrail logs using Amazon Athena to analyze flow management activities across their entire AWS Organization.

Prerequisites

  1. Basic understanding of Amazon Connect public APIs
  2. Ability to create an organizational trail in AWS CloudTrail

Use cases

1. Auditing contact flow lifecycle management

Scenario: The contact center operations team wants to track the creation, modification, and deletion of flows over time.
Solution: CloudTrail logs track and record contact flow lifecycle events such as CreateContactFlow and DeleteContactFlow.
You can query CloudTrail logs stored in Amazon S3 using Athena to get a comprehensive view of the flow lifecycle events. To do so:

  1. Navigate to the Athena console and choose Explore the query editor. In the right-hand pane, use the Query editor to enter and run queries.
  2. To list all contact flows created after a particular time, and who created them, run the following query in the Query editor:
SELECT json_extract_scalar(responseelements, '$.ContactFlowId') as ContactFlowId, json_extract_scalar(requestparameters, '$.InstanceId') as InstanceId, userIdentity.arn, eventTime
FROM "default"."cloudtrail_logs"
WHERE userIdentity.arn IS NOT NULL AND eventName='CreateContactFlow' AND eventTime > '2024-06-26 00:00:00'
  3. The query result provides the Amazon Resource Names (ARNs) of the users who created the corresponding contact flows, along with the event time.
Figure 1: Query results for auditing contact flow lifecycle management
  4. You can now get the Amazon Connect unique user IDs (UUIDs) from the ARN field in the results. The UUID is the last segment of the ARN, as highlighted in the image above. With these user IDs, you can get information about the users by calling the DescribeUser API.
  5. To do so, launch AWS CloudShell: in the AWS Management Console search box, type CloudShell, and then choose CloudShell:
Figure 2: CloudShell service access
  6. You can now describe Amazon Connect user details by calling the DescribeUser API from the CloudShell terminal, passing the user UUID from the ARN and the InstanceId returned by the query:
aws connect describe-user --user-id <enter your user id here> --instance-id <enter your instance id here>
Figure 3: describe-user API query results

2. Detecting unauthorized changes to a critical contact flow

Scenario: The contact center manager wants to find out which user updated a particular contact flow.
Solution: Demonstrate how to use the solution to identify the user, time, and details of the unauthorized update.

  1. Navigate to the Athena console and choose Explore the query editor. In the right-hand pane, use the Query editor to enter and run queries.
  2. To find out which user updated a particular contact flow, run the following query in the Query editor:
SELECT json_extract_scalar(requestparameters, '$.InstanceId') as InstanceId, json_extract_scalar(requestparameters, '$.ContactFlowId') as ContactFlowId, userIdentity.arn, eventTime
FROM "default"."cloudtrail_logs"
WHERE userIdentity.arn IS NOT NULL AND eventName='UpdateContactFlowContent' AND eventTime > '2024-06-26 00:00:00'
  3. The query result provides the Amazon Resource Names (ARNs) of the users who updated the corresponding contact flows, along with the instance IDs:
Figure 4: Detecting unauthorized changes to a critical contact flow, query results
  4. The ARN column represents the user identifier as a long string. You can now get the Amazon Connect unique user IDs (UUIDs) from the ARN field as shown in the above results. The UUID is the last segment of the ARN.
  5. With these user IDs, you can now get information about the users by calling the DescribeUser API.
  6. To describe Amazon Connect user details, navigate to the CloudShell terminal and run the following command:
aws connect describe-user --user-id <enter your user id here> --instance-id <enter your instance id here>
Figure 5: describe-user API results
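The ARN-to-UUID step in use cases 1 and 2 above, and the two queries that feed it, can be reproduced offline against raw CloudTrail records. The following Python script is an added example, not code from the post or from AWS: it replays constructed CloudTrail records in the JSON shape that the Athena queries read (eventName, eventTime, userIdentity.arn, requestParameters, responseElements), builds a per-flow lifecycle timeline, answers "who last changed this flow, and when", and flags changes to a named flow by users outside an allow-list. The instance ID, user UUIDs, flow IDs and the Connect user ARN layout are constructed for the example.

```python
"""Replay Amazon Connect flow lifecycle events from CloudTrail records.

Hypothetical example (not from the post or AWS). The records below are
constructed to follow the CloudTrail JSON shape that the Athena queries
in the post read; they are not real log data.
"""

# Constructed identifiers: one Connect instance and three Connect user UUIDs.
INSTANCE_ID = "11111111-2222-3333-4444-555555555555"
ALICE = "aaaaaaaa-0000-0000-0000-000000000001"
BOB = "bbbbbbbb-0000-0000-0000-000000000002"
CAROL = "cccccccc-0000-0000-0000-000000000003"


def user_arn(user_id):
    # Assumed Connect user ARN layout: the user UUID is the last '/' segment.
    return f"arn:aws:connect:us-east-1:123456789012:instance/{INSTANCE_ID}/user/{user_id}"


def record(event, when, user_id, request, response=None):
    """Build one constructed CloudTrail record; user_id=None leaves the ARN out."""
    return {"eventName": event, "eventTime": when,
            "userIdentity": {"arn": user_arn(user_id)} if user_id else {},
            "requestParameters": request, "responseElements": response or {}}


# Deliberately out of time order so that the sort in flow_timeline matters.
SAMPLE_RECORDS = [
    record("UpdateContactFlowContent", "2024-06-26T11:15:00Z", CAROL,
           {"InstanceId": INSTANCE_ID, "ContactFlowId": "flow-A"}),
    record("CreateContactFlow", "2024-06-26T09:00:00Z", ALICE,
           {"InstanceId": INSTANCE_ID, "Name": "MainInbound"},
           {"ContactFlowId": "flow-A"}),  # Create returns the id in responseElements
    record("UpdateContactFlowContent", "2024-06-26T10:30:00Z", BOB,
           {"InstanceId": INSTANCE_ID, "ContactFlowId": "flow-A"}),
    record("CreateContactFlow", "2024-06-26T12:00:00Z", ALICE,
           {"InstanceId": INSTANCE_ID, "Name": "Temp"}, {"ContactFlowId": "flow-B"}),
    record("DeleteContactFlow", "2024-06-26T13:00:00Z", ALICE,
           {"InstanceId": INSTANCE_ID, "ContactFlowId": "flow-B"}),
    record("DescribeUser", "2024-06-26T13:05:00Z", ALICE,
           {"InstanceId": INSTANCE_ID, "UserId": BOB}),            # not a flow event
    record("UpdateContactFlowContent", "2024-06-26T08:00:00Z", None,
           {"InstanceId": INSTANCE_ID, "ContactFlowId": "flow-A"}),  # no ARN: dropped
]

FLOW_EVENTS = {"CreateContactFlow", "UpdateContactFlowContent", "DeleteContactFlow"}


def connect_user_id(arn):
    """The Connect user UUID is the last '/'-separated segment of the ARN."""
    return arn.rsplit("/", 1)[-1]


def contact_flow_id(rec):
    """CreateContactFlow reports the new id in responseElements; updates and
    deletes name it in requestParameters, as the post's two queries show."""
    source = rec["responseElements"] if rec["eventName"] == "CreateContactFlow" else rec["requestParameters"]
    return source.get("ContactFlowId")


def flow_timeline(records, since=""):
    """{flow_id: [(eventTime, eventName, user_uuid), ...]}, oldest first.
    Keeps only lifecycle events that carry a caller ARN and are later than
    `since` (ISO 8601 UTC), mirroring the WHERE clause of the Athena queries."""
    timeline = {}
    for rec in records:
        arn = rec.get("userIdentity", {}).get("arn")
        flow_id = contact_flow_id(rec) if rec["eventName"] in FLOW_EVENTS else None
        if not arn or not flow_id or rec["eventTime"] <= since:
            continue
        timeline.setdefault(flow_id, []).append(
            (rec["eventTime"], rec["eventName"], connect_user_id(arn)))
    for events in timeline.values():
        events.sort()
    return timeline


def last_change(records, flow_id):
    """Answer 'who last changed this flow, and when?'; None if never seen."""
    events = flow_timeline(records).get(flow_id)
    return events[-1] if events else None


def unauthorized_updates(records, flow_id, allowed_user_ids):
    """Lifecycle events on flow_id made by users outside the allow-list (use case 2)."""
    return [e for e in flow_timeline(records).get(flow_id, []) if e[2] not in allowed_user_ids]


if __name__ == "__main__":
    for flow, events in sorted(flow_timeline(SAMPLE_RECORDS).items()):
        print(flow)
        for when, event, who in events:
            print(f"  {when}  {event:<26} user {who}")
    print("last change to flow-A:", last_change(SAMPLE_RECORDS, "flow-A"))
    print("unexpected editors of flow-A:", unauthorized_updates(SAMPLE_RECORDS, "flow-A", {ALICE, BOB}))
```

The raw CloudTrail JSON keeps the camelCase keys used here, while Athena column names are case-insensitive, which is why the post's queries can mix the two spellings. The UUID returned by `connect_user_id` is what goes into `--user-id` in the describe-user command above.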

3. Investigating contact flow-to-phone number associations

Scenario: The contact center manager wants to understand which phone numbers are associated with which contact flows, and track any changes to these associations.
Solution: Demonstrate how to use the AssociatePhoneNumberContactFlow API call in CloudTrail logs to monitor and audit these flow-to-phone number mappings. To do so:

  1. Navigate to the Athena console and choose Explore the query editor. In the right-hand pane, use the Query editor to enter and run queries.
  2. To check which phone numbers are associated with which contact flows, run the following query in the Query editor:
SELECT json_extract_scalar(requestparameters, '$.InstanceId') as InstanceId, json_extract_scalar(requestparameters, '$.PhoneNumberId') as PhoneNumberId, json_extract_scalar(requestparameters, '$.ContactFlowId') as ContactFlowId, userIdentity.arn, eventTime
FROM "default"."cloudtrail_logs"
WHERE userIdentity.arn IS NOT NULL AND eventName='AssociatePhoneNumberContactFlow' AND eventTime > '2024-06-26 00:00:00'
  3. The result of the above query provides the phone number ID associated within the instance ID, and the ARN of the user who made the change to the flow (as explained in the previous section).
Figure 6: Query results for investigating contact flow-to-phone number associations
  4. To check which phone number the PhoneNumberId maps to, navigate to the CloudShell terminal and run the following command:
aws connect describe-phone-number --phone-number-id <enter the phone number id here>
Figure 7: describe-phone-number query results
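To track changes to these associations over time rather than only list them, the Associate and Disassociate events can be replayed in order. The following Python script is an added example, not from the post or from AWS: from constructed CloudTrail records it reconstructs the current phone-number-to-flow mapping, the full history per phone number, and every event that pointed a number at a different flow than before, which is the change an auditor would want to see first. The phone number IDs, flow IDs, user UUIDs, instance ID and ARN layout are constructed, and the DisassociatePhoneNumberContactFlow event is assumed to carry PhoneNumberId in requestParameters as the Associate call does; resolving a PhoneNumberId to the dialable number is left to describe-phone-number as shown above.

```python
"""Reconstruct phone-number-to-flow associations from CloudTrail records.

Hypothetical example (not from the post or AWS); the records are constructed
in the CloudTrail JSON shape and are not real log data.
"""

INSTANCE_ID = "11111111-2222-3333-4444-555555555555"   # constructed
OPS_USER = "aaaaaaaa-0000-0000-0000-000000000001"      # constructed
OTHER_USER = "dddddddd-0000-0000-0000-000000000004"    # constructed

ASSOC = "AssociatePhoneNumberContactFlow"
DISASSOC = "DisassociatePhoneNumberContactFlow"


def user_arn(user_id):
    # Assumed Connect user ARN layout: the user UUID is the last '/' segment.
    return f"arn:aws:connect:us-east-1:123456789012:instance/{INSTANCE_ID}/user/{user_id}"


def record(event, when, user_id, **params):
    """One constructed CloudTrail record with the request parameters given."""
    return {"eventName": event, "eventTime": when,
            "userIdentity": {"arn": user_arn(user_id)},
            "requestParameters": {"InstanceId": INSTANCE_ID, **params}}


SAMPLE_RECORDS = [
    record(ASSOC, "2024-06-26T09:00:00Z", OPS_USER, PhoneNumberId="pn-1", ContactFlowId="flow-A"),
    record(ASSOC, "2024-06-26T09:05:00Z", OPS_USER, PhoneNumberId="pn-2", ContactFlowId="flow-A"),
    # pn-2 is later detached and re-pointed at a different flow by another user.
    record(ASSOC, "2024-06-26T14:01:00Z", OTHER_USER, PhoneNumberId="pn-2", ContactFlowId="flow-Z"),
    record(DISASSOC, "2024-06-26T14:00:00Z", OTHER_USER, PhoneNumberId="pn-2"),
    # pn-1 ends the day with no flow attached at all.
    record(DISASSOC, "2024-06-26T16:00:00Z", OPS_USER, PhoneNumberId="pn-1"),
    # Unrelated flow event: ignored by the association functions.
    record("UpdateContactFlowContent", "2024-06-26T15:00:00Z", OPS_USER, ContactFlowId="flow-A"),
]


def connect_user_id(arn):
    """The Connect user UUID is the last '/'-separated segment of the ARN."""
    return arn.rsplit("/", 1)[-1]


def association_history(records):
    """{PhoneNumberId: [(eventTime, eventName, ContactFlowId or None, user_uuid)]},
    oldest first. Disassociate events carry no ContactFlowId, hence None."""
    history = {}
    for rec in records:
        if rec["eventName"] not in (ASSOC, DISASSOC):
            continue
        params = rec["requestParameters"]
        history.setdefault(params["PhoneNumberId"], []).append(
            (rec["eventTime"], rec["eventName"], params.get("ContactFlowId"),
             connect_user_id(rec["userIdentity"]["arn"])))
    for events in history.values():
        events.sort()
    return history


def current_associations(records):
    """Replay the history: the last Associate wins; a trailing Disassociate
    means the number currently has no flow. Value: (flow_id, user_uuid, when)."""
    current = {}
    for phone_id, events in association_history(records).items():
        when, event, flow_id, who = events[-1]
        current[phone_id] = (flow_id, who, when) if event == ASSOC else None
    return current


def reassignments(records):
    """Every Associate that pointed a number at a different flow than it was
    last attached to: (PhoneNumberId, previous_flow, new_flow, user_uuid, when)."""
    found = []
    for phone_id, events in association_history(records).items():
        last_flow = None
        for when, event, flow_id, who in events:
            if event != ASSOC:
                continue          # a Disassociate does not change "last attached flow"
            if last_flow is not None and flow_id != last_flow:
                found.append((phone_id, last_flow, flow_id, who, when))
            last_flow = flow_id
    return found


if __name__ == "__main__":
    for phone_id, mapping in current_associations(SAMPLE_RECORDS).items():
        print(phone_id, "->", mapping if mapping else "no flow attached")
    for phone_id, old, new, who, when in reassignments(SAMPLE_RECORDS):
        print(f"{when}: {phone_id} moved from {old} to {new} by user {who}")
```

The `reassignments` output is the list worth reviewing first when a number starts routing to an unexpected flow; `current_associations` gives the state to compare against the intended configuration.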

Conclusion

In this blog post, we explored how the new AWS CloudTrail support for Amazon Connect flow management pages can help organizations centrally analyze and audit their contact center operations. By leveraging the powerful combination of CloudTrail and Amazon Athena, customers can gain unprecedented visibility and auditability into who is making changes to their critical contact flows, when those changes were made, and from which AWS accounts or regions.

Throughout this post, we’ve covered several important use cases that demonstrate the value of this centralized auditing solution:

  1. Auditing Contact Flow Lifecycle Management: By querying the CloudTrail logs, organizations can track the full lifecycle of their contact flows, including when they were created, modified, and deleted. This provides valuable insights for the contact center operations team.
  2. Detecting Unauthorized Changes to a Critical Contact Flow: We showed how customers can use CloudTrail and Athena to investigate who made unauthorized updates to a flow handling sensitive customer data, helping to ensure the security and compliance of their contact center.
  3. Investigating Contact Flow-to-Phone Number Associations: Customers can also leverage additional API calls captured in CloudTrail to monitor and audit critical mappings, such as the mapping between their contact flows and phone numbers, ensuring these associations are properly managed.

With the ability to centrally analyze Amazon Connect flow management activities across their entire AWS environment, organizations can significantly improve the visibility, security, and compliance of their contact center operations. By following the guidance outlined in this blog post, customers can quickly implement this powerful auditing solution and start gaining the insights they need to make more informed decisions and better serve their customers.


About the authors

Guy Bachar

Guy Bachar is a Senior Solutions Architect at AWS based in New York. He specializes in assisting Capital Markets customers with their cloud transformation journeys. His expertise encompasses identity management, security, and unified communication.

Noam Ouaknine

Pranjal Gururani

Pranjal Gururani is a Senior Solutions Architect at AWS based out of Seattle. Pranjal works with various customers to architect cloud solutions that address their business challenges. He enjoys hiking, kayaking, skydiving, and spending time with his family during spare time.

Akshat Srivastava

Agasthi Kothurkar

Agasthi Kothurkar is a Principal Solutions Architect with AWS based out of Boston. Agasthi works with enterprise customers as they transform their business by adopting the Cloud. His areas of focus are Cloud Native Application Architecture, Cloud Migrations, IT Strategy, and Transformation. He is passionate about applying Cloud technologies to resolve complex real world business problems.