How do I set up a deny list in my Amazon Connect contact center that allows agents to flag numbers in real time?

15 minute read
0

I want to allow agents in my Amazon Connect contact center to add numbers to a deny list in real time. I also want to allow agents to add numbers to the list manually.

Short description

To allow agents in your Amazon Connect contact center to add numbers to a deny list in real time, complete the following steps:

  • Create an Amazon DynamoDB table that holds denied numbers.
  • Create an AWS Identity and Access Management (IAM) role. Then, an AWS Lambda function can assume the role to either look up or add denied numbers in DynamoDB.
  • Create a Lambda function (function A) that stores the denied numbers in the DynamoDB table.
  • Create a second Lambda function (function B) that queries the DynamoDB table for calls from a number on the deny list.
  • Add the Lambda functions to your Amazon Connect instance.
  • Create an inbound contact flow that's associated with a claimed number. The contact flow must invoke function B to check an incoming call against the deny list in DynamoDB.
    If the number isn't on the deny list, then the function transfers the call to your regular customer queue flow.
    -or-
    If the number is on the deny list, then the function plays an audio prompt and disconnects the call.
  • Create a transfer to queue flow that invokes function A when an agent adds a number to the deny list.
  • Create a quick connect that allows agents to use the Contact Control Panel (CCP) to add numbers to the deny list.

Note: You can also edit the DynamoDB table directly to manually add numbers to the deny list.

Resolution

To set up a deny list in an Amazon Connect contact center, the agent uses a function (function A). The agent uses function A to add the flagged numbers, and function B to query the flagged list.

Important: Complete these steps in the same AWS Region that your Amazon Connect instance is in.

Create a DynamoDB table that holds denied numbers

  1. Open the DynamoDB console.
  2. Choose Create DynamoDB table.
  3. On the Create DynamoDB table page, enter the following information:
    For Table name, enter DenylistingTable.
    In the Partition key panel, for Primary key, enter ContactNumber.
    For Data type, choose String.
  4. Choose Create.
    Note: For more information, see Write data to a table using the console or AWS Command Line Interface (AWS CLI).

Create an IAM role that a Lambda function can assume to either look up or add denied numbers in DynamoDB

1.    Create an IAM role that uses the following JSON policy:
Important: Make sure that the AWSLambdaBasicExecutionRole is included in the policy along with the DynamoDB permissions. If the AWSLambdaBasicExecutionRole isn't included in the policy, then the function won't invoke.

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify,
merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "cloudwatch:GetInsightRuleReport",
      "Resource": "arn:aws:cloudwatch:*:*:insight-rule/DynamoDBContributorInsights*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": [
            "application-autoscaling.amazonaws.com",
            "application-autoscaling.amazonaws.com.cn",
            "dax.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "replication.dynamodb.amazonaws.com",
            "dax.amazonaws.com",
            "dynamodb.application-autoscaling.amazonaws.com",
            "contributorinsights.dynamodb.amazonaws.com",
            "kinesisreplication.dynamodb.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "cloudwatch:DeleteAlarms",
        "sns:Unsubscribe",
        "dynamodb:*",
        "lambda:GetFunctionConfiguration",
        "datapipeline:CreatePipeline",
        "kinesis:ListStreams",
        "logs:CreateLogStream",
        "kinesis:DescribeStreamSummary",
        "resource-groups:GetGroup",
        "cloudwatch:DescribeAlarmsForMetric",
        "lambda:DeleteFunction",
        "sns:Subscribe",
        "iam:GetRole",
        "application-autoscaling:RegisterScalableTarget",
        "sns:ListSubscriptionsByTopic",
        "datapipeline:ListPipelines",
        "dax:*",
        "lambda:ListFunctions",
        "sns:CreateTopic",
        "application-autoscaling:DeleteScalingPolicy",
        "cloudwatch:GetMetricStatistics",
        "logs:CreateLogGroup",
        "resource-groups:CreateGroup",
        "application-autoscaling:DescribeScalingPolicies",
        "lambda:ListEventSourceMappings",
        "application-autoscaling:PutScalingPolicy",
        "cloudwatch:DescribeAlarms",
        "resource-groups:ListGroupResources",
        "ec2:DescribeSubnets",
        "lambda:DeleteEventSourceMapping",
        "datapipeline:ActivatePipeline",
        "resource-groups:GetGroupQuery",
        "tag:GetResources",
        "sns:DeleteTopic",
        "cloudwatch:GetMetricData",
        "sns:ListTopics",
        "sns:SetTopicAttributes",
        "lambda:CreateEventSourceMapping",
        "datapipeline:DescribePipelines",
        "cloudwatch:ListMetrics",
        "cloudwatch:DescribeAlarmHistory",
        "application-autoscaling:DescribeScalingActivities",
        "kms:DescribeKey",
        "datapipeline:PutPipelineDefinition",
        "application-autoscaling:DescribeScalableTargets",
        "datapipeline:QueryObjects",
        "iam:ListRoles",
        "datapipeline:DescribeObjects",
        "kinesis:DescribeStream",
        "sns:ListSubscriptions",
        "resource-groups:ListGroups",
        "datapipeline:GetPipelineDefinition",
        "logs:PutLogEvents",
        "ec2:DescribeSecurityGroups",
        "resource-groups:DeleteGroup",
        "cloudwatch:PutMetricAlarm",
        "ec2:DescribeVpcs",
        "kms:ListAliases",
        "datapipeline:DeletePipeline",
        "application-autoscaling:DeregisterScalableTarget"
      ],
      "Resource": "*"
    }
  ]
}

2.    Attach the following second JSON policy to the IAM role:

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify,
merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:*",
        "dynamodb:*"
      ],
      "Resource": "*"
    }
  ]
}

Create a Lambda function (function A) that stores denied numbers in the DynamoDB table

Use the following Python code to create a Lambda function. Attach the following permissions to the role associated with the Lambda function:

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify,
merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

import json
import boto3 

client = boto3.client('dynamodb')

def lambda_handler(event, context):
    response = client.put_item(
    TableName='DenylistingTable',
    Item={
        'ContactNumber':{
            'S':event['Details']['ContactData']['CustomerEndpoint']['Address']
        }
    }
    )
    
    return{'Success':True}

  {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "dynamodb:PutItem",
            "Resource": "arn:aws:dynamodb:<region>:<account-number>:table/DenylistingTable"
      }
    ]
  }

Create a second Lambda function (function B) that queries the DynamoDB table to check if an incoming call is from a number on the deny list

Create a second Lambda function with the following permissions:

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify,
merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

import json
import boto3 

client = boto3.client('dynamodb')

def lambda_handler(event, context):
    
    response = client.query(
        TableName="DenylistingTable",
        Select= 'ALL_ATTRIBUTES',
        KeyConditionExpression='ContactNumber = :ConNum',
        ExpressionAttributeValues={":ConNum":{
            "S": event['Details']['ContactData']['CustomerEndpoint']['Address']
        }
      }
    )
    if (len(response['Items']) == 0):
        return {'Success':'false'}
    else:
        return {'Success':'true'}

    {
     "Version": "2012-10-17",
     "Statement": [{
         "Sid": "VisualEditor0",
         "Effect": "Allow",
         "Action": "dynamodb:Query",
         "Resource": "arn:aws:dynamodb:<region>:<account-number>:table/DenylistingTable"
      }
    ]
  }

Add the Lambda functions (function A and function B) to your Amazon Connect instance

  1. Open the Amazon Connect console.
  2. In the Instance Alias column, choose the name of your Amazon Connect instance.
  3. In the left navigation pane, choose Contact flows.
  4. In the AWS Lambda section, choose the Function dropdown list. Then, choose the name of function A.
    Note: The Function dropdown list names only the functions that are in the same AWS Region as your Amazon Connect instance. If no functions are listed, then choose Create a new Lambda function to create a new function in the correct Region.
  5. Choose Add Lambda Function. Then, confirm that the Amazon Resource Name (ARN) of the function is added under Lambda Functions.
  6. Repeat steps 1-5 to add function B to your Amazon Connect instance. For step 4, make sure that you choose the name of function B.

For more information, see Invoke AWS Lambda functions.

Create an inbound contact flow

Create a new inbound contact flow that's associated with a claimed number. After you choose Create contact flow, the contact flow designer opens.

In the contact flow designer, complete the following steps:

Note: The following is an example of a basic inbound contact flow. Add or edit blocks for your use case.

Add a Set logging behavior block

Important: If you haven't done so, then turn on contact flow logging for your instance.

To turn on contact flow logs in your Amazon Connect CloudWatch Logs, use a Set logging behavior block.

  1. Choose Set.
  2. Drag and drop a Set logging behavior block onto the canvas to the right of the Entry point block.
  3. Choose the block title (Set logging behavior). The block's settings menu opens.
  4. Choose Enable.

Add an Invoke AWS Lambda function block

To invoke function B and check if an incoming call is from a number on the deny list, use an Invoke AWS Lambda function block.

  1. Choose Integrate.
  2. Drag and drop an Invoke AWS Lambda function block onto the canvas to the right of the Set logging behavior block.
  3. Choose the block title (Invoke AWS Lambda function). The block's settings menu opens.
  4. Choose the name of function B.
  5. Choose Save.

Add a Check contact attributes block

To confirm that the number is on the deny list, use a Check contact attributes block.

  1. Choose Branch.
  2. Drag and drop a Check contact attributes block onto the canvas to the right of the Invoke AWS Lambda function block.
  3. Choose the block title (Check contact attributes). The block's settings menu opens.
  4. For Type, choose External.
  5. For Attribute, choose Success.
  6. Choose Add another Parameter twice to create two parameters.
  7. Under Conditions to check, choose Equals for both parameters. Then, for the value of the first parameter, enter true. For the value of the second parameter, enter false.
  8. Choose Save.

Add a Play prompt block

To play a prompt that informs agents when a deny list request error occurs, use a Play prompt block.

  1. Choose Interact.
  2. Drag and drop a Play prompt block onto the canvas to the right of the Invoke AWS Lambda function block. Then, connect the Play prompt block to the Error output of the Invoke AWS Lambda function block.
  3. Choose the block title (Play prompt). The block's settings menu opens.
  4. For Prompts, choose Text-to-speech. Then, choose one of the following:
    Enter text allows you to play text as a lifelike audio message.
    -or-
    Enter dynamically allows you to upload .wav files to play a recorded audio message.
  5. Choose Save.

Add a Transfer to queue block

To end the contact flow and transfer the call to your regular customer queue flow, use a Transfer to queue block.

  1. Choose Terminate/Transfer.
  2. Drag and drop a Transfer to queue block onto the canvas to the right of the Play prompt block.
    Note: You don't need to configure any settings for the Transfer to queue block for this use case.

Add a Disconnect block

To disconnect a caller from the contact flow if the incoming call is from a number that's on the deny list, add a Disconnect block.

  1. Choose Terminate/Transfer.
  2. Drag and drop a Disconnect block onto the canvas to the right of the Transfer to queue block.
    Note: You don't need to configure any settings for the Disconnect block for this use case.

Activate the contact flow

  1. To save a draft of the flow, Choose Save.
  2. To activate the flow, Choose Publish.

Create a Transfer to queue flow that allows agents to add numbers to the deny list in real time

Create a new Transfer to queue flow. After you choose Create contact flow, the contact flow designer opens.

In the contact flow designer, complete the following steps:

Add a Play prompt block

To let agents know that a number is in the process of being added to the deny list, use a Play prompt block.

  1. Choose Interact.
  2. Drag and drop a Play prompt block onto the canvas to the right of the Entry point block.
  3. Choose the block title (Play prompt). The block's settings menu opens.
  4. For Prompts, choose Text-to-speech. Then, choose either Enter text or Enter dynamically to create an audio message.
  5. Choose Save.

Add an Invoke AWS Lambda function block

To use the CCP to invoke function A when an agent adds a number to the deny list, use an Invoke AWS Lambda function block.

  1. Choose Integrate.
  2. Drag and drop an Invoke AWS Lambda function block onto the canvas to the right of the Play prompt block.
  3. Choose the block title (Invoke AWS Lambda function). The block's settings menu opens.
  4. Choose the name of function A.
  5. In the Function input parameters section, choose Add a parameter, and then choose Use attribute. Then, complete the following steps:
    For Destination key, enter CustomerNumber.
    For Type, choose System.
    For Attribute, choose Customer Number.
  6. Choose Save.

Add a second Play prompt block

To let agents know that a number is on the deny list, use a second Play prompt block.

  1. Choose Interact.
  2. Drag and drop a Play prompt block onto the canvas to the right of the Invoke AWS Lambda function block. Then, connect the Play prompt block to the Success output of the Invoke AWS Lambda function block.
  3. Choose the block title (Play prompt). The block's settings menu opens.
  4. For Prompts, choose Text-to-speech. Then, choose either Enter text or Enter dynamically to create an audio message.
  5. Choose Save.

Add a third Play prompt block

To let agents know that a number isn't on the deny list because of an error, use a third Play prompt block.

  1. Choose Interact.
  2. Drag and drop a Play prompt block onto the canvas to the right of the Invoke AWS Lambda function block. Then, connect the Play prompt block to the Error output of the Invoke AWS Lambda function block.
  3. Choose the block title (Play prompt). The block's settings menu opens.
  4. For Prompts, choose Text-to-speech. Then, choose either Enter text or Enter dynamically to create an audio message.
  5. Choose Save.

Add a Disconnect block

To disconnect agents from the contact flow, add a Disconnect block.

  1. Choose Terminate/Transfer.
  2. Drag and drop a Disconnect block onto the canvas to the right of the three Play prompt blocks.
  3. Connect all the flow's branches to the Disconnect block.
    Note: You don't need to configure any settings for the Disconnect block for this use case.

Activate the Transfer to queue flow

  1. To save a draft of the flow, choose Save.
  2. To activate the flow, choose Publish.

Create a quick connect that allows agents to use the CCP to add numbers to the deny list

Use the Amazon Connect console to create a quick connect that has the following settings:

  1. For Name, enter a name for the quick connect. For example: Deny list.
    For Type, choose Queue.
    For Destination, enter the name of the queue that you want to have the deny list functionality.
  2. Add the quick connect to the queues assigned to the agents that you want to have access to the deny list feature.
  3. Add the quick connect to the queues assigned to the agents that you want to have access to the deny list feature.

After you complete the steps, an agent can use the deny list quick connect in the CCP to add numbers to the deny list. When a call comes in to your Amazon Connect contact center from that number, the call is automatically disconnected. The call is not placed in a queue.

Note: If a customer hangs up during this process, then the call is disconnected. Quick connects can't be used to add the numbers to the deny list by the agent if disconnected. You must add the number manually.

AWS OFFICIAL
AWS OFFICIALUpdated 9 months ago
5 Comments

It looks like this article is missing the python code. Can this be added?

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied a year ago

Is there any update on this? That missing python code appears to be the last piece needed for this to work

replied 10 months ago

Any update on fixing the python code ? Querying the dynamo table keeps failing.

ShawnS
replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 9 months ago