AWS for Industries
FSI Services Spotlight: Feature Amazon Connect
This edition of the Financial Services Industry (FSI) Services Spotlight monthly blog series highlights five key considerations for customers running workloads on Amazon Connect: achieving compliance, data protection, compute environment isolation, audits with APIs, and access control/security. Across each area, we will examine specific guidance, suggested reference architectures, and technical code to help streamline Amazon Connect service approval.
Amazon Connect is an omnichannel cloud contact center. You can create a contact center in a few steps, add agents anywhere, and start engaging with your customers. It supports personalized customer experiences through dynamic chat and voice communications. Meanwhile, agents can conveniently handle all customers from a single interface. Furthermore, Amazon Connect scales up or down to meet demand, with the flexibility to onboard tens of thousands of agents working from anywhere. This flexibility can save up to 80% compared to traditional contact center solutions, along with minimum fees, long-term commitments, or upfront licensing charges.
Customers such as Intuit use Amazon Connect to process over 16.5 million calls annually. Their director of contact center engineering even said, “It took two weeks to deploy their integrated contact center using Amazon Connect, from installation to getting agents up-and-running on the solution.” DLT Rhode Island uses Amazon Connect to power chatbots that keep community members informed in response to COVID-19 and other policy matters.
Achieving compliance with Amazon Connect
Security and compliance are a shared responsibility between AWS and the customer. AWS operates, manages, and protects the infrastructure that runs the AWS services. The customer's share of the responsibility depends on the services selected: the more managed the service, the less configuration the customer must secure. Because Amazon Connect is a managed service, customers are responsible for fewer controls to secure their call center. On the customer side of the shared responsibility model, customers should first determine their requirements for network connectivity, encryption, and access to other AWS resources. The following sections dive deeper into those topics.
Amazon Connect falls under the scope of the following compliance programs regarding AWS’s side of the shared responsibility model. The compliance programs covered by Amazon Connect include:
- SOC 1, 2, 3
- PCI
- IRAP Protected
- ISO/IEC 27001:2013, 27017:2015, 27018:2019, and ISO/IEC 9001:2015
- OSPAR
- C5
- MTCS
In the following sections, we’ll cover topics on the customer side of the shared responsibility model.
Data protection with Amazon Connect
Compliance regulations, such as PCI DSS, require encrypting data at rest throughout the data lifecycle. Two aspects of Amazon Connect require data encryption: data at rest and data in transit. At rest, application data, external data integrations, Amazon Connect Wisdom, Amazon Connect Voice ID, and Amazon Connect Customer Profiles must all be encrypted.
Amazon Connect makes this both easy and secure with data encryption keys that are unique to each customer account. Use an AWS-managed KMS key or create a customer-managed KMS key. To manage the KMS keys used for encrypting and decrypting your Amazon Connect resources, use the AWS Key Management Service (AWS KMS). After your data is encrypted, Amazon Connect handles the authentication of accessing and decrypting your data transparently. You can select ‘Enable encryption’ in the console, in the AWS Command Line Interface (AWS CLI), or via the API. For more information, see Encryption at rest for Amazon Connect.
All of the data exchanged with Amazon Connect is protected in transit between the user’s web browser and Amazon Connect using industry-standard TLS encryption. When Amazon Connect integrates with AWS services, such as AWS Lambda, Amazon Kinesis, or Amazon Polly, that data is always encrypted using TLS.
Isolation of computing environments with Amazon Connect
Each Amazon Connect call-center server has a VM-enforced isolation boundary, and it doesn’t share the underlying kernel, CPU resources, memory resources, or elastic network interface with another instance.
Customers can apply network-level controls to their contact center and agent workloads, such as security groups and network ACLs. Amazon Connect creates an elastic network interface (ENI) in the customer's specified VPC and then attaches it to the managed instance. This gives customers control over network-level access to the services within Amazon Connect, and it simplifies rule management and the firewalling of call center agent access. For more information, see Security Groups for your VPC and Network ACLs.
AWS PrivateLink lets you privately access Amazon Connect Voice ID API operations without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don’t require public IP addresses to communicate with Amazon Connect Voice ID for querying conversation participants and modifying call domains. Moreover, traffic between your VPC and Amazon Connect doesn’t leave the Amazon network.
Additionally, customers can improve their security posture by attaching a least-privilege endpoint policy to the VPC endpoint that controls Amazon Connect access. These features let customers restrict API calls to Amazon Connect to specific caller contexts (e.g., IP-range filtering). See the complete list of details and considerations when using VPC Endpoints with Amazon Connect for more information. The following endpoint policy denies one specific AWS account (123456789012 in the example) every Amazon Connect action through the endpoint; note that the action prefix for Amazon Connect is connect, and statement identifiers use the Sid field:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySpecificAccount",
      "Action": "connect:*",
      "Effect": "Deny",
      "Resource": "*",
      "Principal": {
        "AWS": [
          "123456789012"
        ]
      }
    }
  ]
}
Automating audits with APIs with Amazon Connect
Customers can use AWS CloudTrail to record the API calls made to Amazon Connect and build custom AWS Config rules on top of those calls. CloudTrail is an AWS service that helps customers enable governance, compliance, and operational and risk auditing of their AWS account. CloudTrail provides an aggregated repository of AWS API calls and changes to resources for over 180 AWS services, a number that continues growing. CloudTrail records API calls made to the Amazon Connect service. The following are some essential APIs to monitor to make sure that only approved changes occur.
- The DeleteUser and UpdateUser* API calls control the ability to delete a user within an Amazon Connect instance or update a user’s hierarchy, identity information, phone configuration, routing configuration, and security profile. These APIs should only be called by Amazon Connect administrators, and they should be monitored using CloudTrail and Config.
- The CreateUser and CreateInstance API calls control the ability to create a user or an Amazon Connect instance. These should also be monitored in CloudTrail to make sure that new instances or users are only created by authorized IAM roles.
- The CreateIntegrationAssociation and DeleteIntegrationAssociation API calls control the ability to create or delete AWS resource associations with an Amazon Connect instance.
Monitoring these APIs in CloudTrail helps ensure that only appropriate actions are taken against your Amazon Connect resources. For a complete list of Amazon Connect APIs, review the Amazon Connect API References.
The following is an example of what a CloudTrail log record looks like for the Amazon Connect Voice ID CreateDomain API (note the eventSource of voiceid.amazonaws.com; calls to the core service are recorded under connect.amazonaws.com):
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROA5STZEFPSWCM4YHJB2:SampleUser",
    "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/SampleUser",
    "accountId": "111122223333",
    "accessKeyId": "AAAAAAA1111111EXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "EXAMPLEZEFPSWCM4YHJB2",
        "arn": "arn:aws:iam::111122223333:role/SampleRole",
        "accountId": "111122223333",
        "userName": "SampleRole"
      },
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-17T01:55:39Z"
      }
    }
  },
  "eventTime": "2021-08-17T01:55:41Z",
  "eventSource": "voiceid.amazonaws.com",
  "eventName": "CreateDomain",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "205.251.233.179",
  "userAgent": "aws-sdk-java/1.11.590 Mac_OS_X/10.14.6 Java_HotSpot(TM)_64-Bit_Server_VM/25.202-b08 java/1.8.0_202 vendor/Oracle_Corporation",
  "requestParameters": {
    "description": "HIDDEN_DUE_TO_SECURITY_REASONS",
    "name": "HIDDEN_DUE_TO_SECURITY_REASONS",
    "serverSideEncryptionConfiguration": {
      "kmsKeyId": "alias/sample-customer-managed-key"
    }
  },
  "responseElements": {
    "domain": {
      "arn": "arn:aws:voiceid:us-west-2:111122223333:domain/ExampleOsAjzg9xoByUatN",
      "createdAt": "Aug 17, 2021, 1:55:40 AM",
      "description": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "domainId": "UcUuCPFOsAjzg9xoByUatN",
      "domainStatus": "ACTIVE",
      "name": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "serverSideEncryptionConfiguration": {
        "kmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/1111111-7741-44b1-a5fe-7c6208589bf3"
      },
      "updatedAt": "Aug 17, 2021, 1:55:40 AM"
    }
  },
  "requestID": "11111111-b358-4637-906e-67437274fe4e",
  "eventID": "1111111-a4d1-445e-ab62-8626af3c458d",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "eventCategory": "Management",
  "recipientAccountId": "111122223333"
}
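As an added example that is not part of the original post, the following Python walks CloudTrail records shaped like the event above and flags the change-control-sensitive Amazon Connect calls listed earlier when they come from a role outside an approved set or from a session without MFA. The approved role name (ConnectAdminRole), the DeveloperRole name, and the sample records are all constructed for this illustration.

```python
from fnmatch import fnmatchcase

# Amazon Connect management calls the post singles out for change control.
SENSITIVE_EVENTS = ("DeleteUser", "UpdateUser*", "CreateUser", "CreateInstance",
                    "CreateIntegrationAssociation", "DeleteIntegrationAssociation")
# Assumption for this example: only this (hypothetical) role may make those calls.
APPROVED_ROLE_ARNS = {"arn:aws:iam::111122223333:role/ConnectAdminRole"}

def is_sensitive(record):
    """True for a write call to the Amazon Connect service that matches the list above."""
    return (record.get("eventSource") == "connect.amazonaws.com"
            and not record.get("readOnly", False)
            and any(fnmatchcase(record.get("eventName", ""), p) for p in SENSITIVE_EVENTS))

def issuer_arn(record):
    """Role ARN behind an assumed-role session (falls back to the identity ARN)."""
    ident = record.get("userIdentity", {})
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", ident.get("arn"))

def mfa_used(record):
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"  # CloudTrail stores this flag as a string

def find_findings(records):
    """Return (eventName, issuer ARN, reason) for each sensitive call that breaks policy."""
    findings = []
    for rec in filter(is_sensitive, records):
        issuer = issuer_arn(rec)
        if issuer not in APPROVED_ROLE_ARNS:
            findings.append((rec["eventName"], issuer, "unapproved-principal"))
        elif not mfa_used(rec):
            findings.append((rec["eventName"], issuer, "no-mfa"))
    return findings

def _rec(name, role, mfa, source="connect.amazonaws.com"):
    # Constructed sample record shaped like the event above; not real log data.
    return {"eventSource": source, "eventName": name, "readOnly": False,
            "userIdentity": {"type": "AssumedRole", "sessionContext": {
                "sessionIssuer": {"arn": f"arn:aws:iam::111122223333:role/{role}"},
                "attributes": {"mfaAuthenticated": mfa}}}}

SAMPLE_RECORDS = [
    _rec("DeleteUser", "ConnectAdminRole", "true"),               # approved role with MFA: clean
    _rec("UpdateUserSecurityProfiles", "DeveloperRole", "true"),  # role outside the approved set
    _rec("CreateInstance", "ConnectAdminRole", "false"),          # approved role, but no MFA
    _rec("DescribeUser", "DeveloperRole", "false"),               # read-type call, not in the list
    _rec("CreateDomain", "ConnectAdminRole", "false", source="voiceid.amazonaws.com"),  # Voice ID
]
```

A CloudTrail log file wraps its events in a top-level Records array, so pass json.load(f)["Records"] to find_findings to run the same check over a delivered log.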
FSI customers can use AWS Audit Manager to continuously audit their AWS usage and simplify risk and compliance assessments against regulations and industry standards. Audit Manager also automates evidence collection and organizes the evidence as defined by the control set in the selected framework, such as PCI DSS, SOC 2, and GDPR. Furthermore, Audit Manager collects data from sources such as CloudTrail to compare the environment’s configuration against the compliance controls. Because all Amazon Connect operations are logged in CloudTrail, Audit Manager’s integration with CloudTrail helps confirm that the appropriate security controls exist. For example, consider the encryption requirement in SOC 2. Rather than querying across all of the CloudTrail logs to confirm that the Amazon Simple Storage Service (Amazon S3) bucket for Amazon Connect’s output is encrypted, customers can centrally see whether the requirement is being met in Audit Manager. Audit Manager saves time with automated evidence collection and provides audit-ready reports for customer review. The Audit Manager assessment report uses cryptographic verification to help you confirm the integrity of the assessment report. The following screenshot illustrates the configuration of a custom control for a data source for the Amazon Connect action of interest.
Operational access and security with Amazon Connect
In the previous section, we discussed detection methods. Detection alone is not enough, however: you also need preventive controls so that unauthorized API calls fail rather than merely being logged. When securing your Amazon Connect resources, consider three areas when creating least-privilege AWS Identity and Access Management (IAM) roles:
- Development users – These are the developers who use Amazon Connect on a day-to-day basis to build their applications.
- Service administrators – This is typically a team or individual within an organization who is in charge of Amazon Connect resources and determines the developers’ permissions for Amazon Connect.
- Application resources – These are the application resources that read from and write to Amazon Connect resources within an AWS environment. Typical examples are Amazon Elastic Compute Cloud (Amazon EC2) instances, Lambda Functions, Amazon S3, and Amazon EventBridge.
Service administrators are the individuals or teams responsible for securing and creating Amazon Connect instances within AWS environments. They will typically create the IAM permissions for service users to make sure that the downstream users follow the least privilege principle. Furthermore, these individuals will use service-linked roles to provide predefined permissions for Amazon Connect to operate. Service administrators should also consider utilizing tag-based access controls and Amazon Connect resource tags. This enables the service administrator to provision access-based control tags within Amazon Connect that limit a user’s access to resources containing matching tags. For example, users tagged with a ‘Role:Developer’ access control tag can only utilize certain Amazon Connect resources that are also tagged with ‘Role:Developer’.
Service users are the individuals (developers, call center administrators, etc.) who access and modify the Amazon Connect implementation on a day-to-day basis to build their applications. The service administrator creates and scopes their IAM policies depending on their job role and access needs. Some examples of these policies are read-only console access, the creation of Amazon Connect instances within a specific AWS account, the prevention of deleting an Amazon Connect instance, and many more. Moreover, there are managed policies that customers can use if they have a basic separation of duties. However, we recommend using the managed policy as a baseline and modifying it to create custom policies based on your business needs.
The following AWS managed policies, which you can attach to users in your account, are specific to Amazon Connect:
- AmazonConnect_FullAccess – Allows full read/write access to Amazon Connect
- AmazonConnectReadOnlyAccess – Allows read-only access to Amazon Connect
- AmazonConnectVoiceIDFullAccess – Allows full access to Amazon Connect Voice ID
For a deeper dive into IAM for Amazon Connect, read through the examples in our documentation.
However, access control for Amazon Connect resources doesn’t stop with the creation of restrictive IAM policies. Customers should make sure that multi-factor authentication (MFA) is set up through their SAML 2.0 identity provider. Once MFA is set up, Amazon Connect prompts the user with a third text box at login so that they can enter their MFA code. Additionally, if customers must use the Log in for emergency access URL, this should only be done in emergency situations and not for daily use.
Furthermore, customers should consider utilizing service control policies (SCPs) within AWS Organizations. SCPs offer central control over the maximum available permissions for all of the accounts in the customer’s organization. Unlike IAM policies, SCPs are guardrails that let customers set the maximum privilege within an account or set of accounts regardless of the IAM roles created within them. An example might be restricting the ability to delete an Amazon Connect IAM role or instance. Both examples are shown in the following SCP (replace the role name and instance ARN placeholders with your own values):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonConnectRoleDenyDeletion",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/Amazon Connect user role"
      ]
    },
    {
      "Sid": "AmazonConnectInstanceDenyDeletion",
      "Effect": "Deny",
      "Action": [
        "connect:DeleteInstance",
        "connect:DestroyInstance"
      ],
      "Resource": [
        "Amazon Connect instance ARN"
      ]
    }
  ]
}
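To check what the VPC endpoint policy from the isolation section and the SCP above actually block before deploying them, here is an added example (not from the original post) of a small explicit-deny matcher run over both policies. It is a simplified evaluator (wildcards only, no Condition, NotAction or NotResource), and the role name AmazonConnectUserRole, the instance ARN, and the account IDs are constructed stand-ins for the page's placeholders.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(statement, account_id):
    """Endpoint policies name principals; SCPs have none, so a missing Principal matches all."""
    principal = statement.get("Principal")
    if principal is None or principal == "*":
        return True
    ids = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
    return any(p == "*" or p == account_id or p.endswith(f"::{account_id}:root") for p in ids)

def explicit_deny(policy, action, resource, account_id=None):
    """Sid of the first Deny statement that matches the request, or None.
    Simplified matcher: case-sensitive wildcards only, no Condition/NotAction/NotResource."""
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") == "Deny"
                and any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
                and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
                and _principal_matches(stmt, account_id)):
            return stmt.get("Sid")
    return None

# The post's endpoint policy and SCP; constructed ARNs stand in for the page's placeholders.
ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenySpecificAccount", "Effect": "Deny", "Action": "connect:*",
    "Resource": "*", "Principal": {"AWS": ["123456789012"]}}]}

SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AmazonConnectRoleDenyDeletion", "Effect": "Deny", "Action": ["iam:DeleteRole"],
     "Resource": ["arn:aws:iam::*:role/AmazonConnectUserRole"]},
    {"Sid": "AmazonConnectInstanceDenyDeletion", "Effect": "Deny",
     "Action": ["connect:DeleteInstance", "connect:DestroyInstance"],
     "Resource": ["arn:aws:connect:us-west-2:111122223333:instance/*"]}]}

# Constructed request targets used to exercise the two policies.
INSTANCE = "arn:aws:connect:us-west-2:111122223333:instance/11111111-2222-3333-4444-555555555555"
ROLE = "arn:aws:iam::111122223333:role/AmazonConnectUserRole"
```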
Conclusion
In this post, we reviewed Amazon Connect, highlighting essential information that can help FSI customers accelerate the service’s approval within these five categories: achieving compliance, data protection, computing environment isolation, automating audits with APIs, and operational access and security. Although this isn’t a one-size-fits-all approach, the guidance can be adapted to meet the organization’s security and compliance requirements. We also provided a consolidated list of crucial areas for Amazon Connect call centers.
Make sure that you visit our AWS Industries blog channel, and stay tuned for more FSI news and best practices.