Ways to Secure Amazon Connect

Amresh Balaji, Sandeza
Aug 13, 2020

To secure the sensitive information we collect from users, i.e. card details and other personal information, we at Sandeza follow a set of steps so that the data is not compromised. Below are 3 useful ways to protect sensitive data:

1) Encrypting sensitive data using public-key cryptography:

Amazon Connect uses the AWS Encryption Software Development Kit (SDK) to encrypt and decrypt customer-provided data. It relies on public-key cryptography: the public key uploaded to Amazon Connect encrypts the input in the contact flow, and the matching private key, which only your Lambda function holds, decrypts it.

The steps below are based on the AWS blog post Creating a secure IVR solution with Amazon Connect.

The main steps involved in this are:

Step 1: Creating the encryption and decryption keys:

You can either generate the keys with OpenSSL or use keys from a third party.

The easiest way to generate your keys is OpenSSL. A macOS computer comes with OpenSSL preinstalled; on Windows you need to install it first.

Run the following command:

openssl req -x509 -sha256 -nodes -newkey rsa:4096 -keyout blog.connect.private.key -days 730 -out blog.connect.certificate.pem

OpenSSL prompts you for the certificate subject details before it generates the keys.

The 2 generated files are:

  • A private key file: blog.connect.private.key
  • A certificate file: blog.connect.certificate.pem (valid for 2 years, i.e. 730 days)

To generate the public key, run the following command:

openssl x509 -pubkey -noout -in blog.connect.certificate.pem > blog.connect.public.key

This writes the public key to a file named blog.connect.public.key.

Note: You can also use third-party encryption and decryption keys, but Amazon Connect only supports X.509 certificates.

Step 2: Storing the private key in AWS Systems Manager Parameter Store:

There are two ways to store it:

a) Uploading the key directly to Parameter Store using the AWS CLI:

If your AWS CLI is configured and your IAM identity has permission to write to AWS Systems Manager Parameter Store, run the following command:

aws ssm put-parameter --type SecureString --name CONNECT_INPUT_DECRYPTION_KEY --description "Private key for decryption of Amazon Connect collected data" --value "$(<blog.connect.private.key)"

This uploads your key to Parameter Store as a SecureString parameter named CONNECT_INPUT_DECRYPTION_KEY.

b) Manually saving the key in Parameter Store:

In the AWS Console, open Systems Manager and click Parameter Store under Application Management. Click Create parameter.

Name the parameter CONNECT_INPUT_DECRYPTION_KEY and select the Standard tier.

Choose SecureString as the type, select the KMS key source you want, and paste the contents of the private key (blog.connect.private.key) into Value to create the parameter.

Step 3: Creating the Lambda function to decrypt the values:

You can create the Lambda function either by launching a CloudFormation stack directly or by configuring it manually.

The CloudFormation stack creates a Node.js Lambda function.

To create the Lambda function manually, use the code below:

a) For Node.js

b) For Python

Note: The AWS Encryption SDK only supports Python 2.7.

The Lambda function takes about 18 seconds to decrypt an input (decryption is processing-intensive), so change the Timeout to 10 min and the Memory to 2048 MB so that the values are decrypted faster.

Add the Lambda function to your Connect instance under the Contact Flows tab.

Step 4: Uploading our public key to Amazon Connect:

  1. Open your Amazon Connect Console and select Contact Flows.
  2. Choose Add Key, and paste the content of your public key file blog.connect.public.key. You can use any text editor to open the file and copy its content.
  3. Choose Add to save the public key, as shown in the following example. A Key ID is now generated for your public key. The Key ID will be used in the next step.

Note: You can only store up to 2 keys at a time, and you can switch between them in the contact flows.

Step 5: Creating a contact flow to encrypt the input:

  1. Log in to your Connect instance as an administrator.
  2. Select Contact Flows under Routing.
  3. Choose the Sample secure input with no agent contact flow.

In the contact flow, open the Store customer input block.

Select Encrypt entry, paste the Key ID generated in Step 4 under Key ID, and paste the contents of the certificate (blog.connect.certificate.pem) that you generated in Step 1. Save and publish the contact flow.

Note: You can also choose “Use attribute” to switch dynamically between the different keys.

Step 6: Checking the contact flow:

Assign the contact flow to any phone number you have claimed and test the flow.

Verify in the logs that the input is stored encrypted.

Note: It is safe to pass the sensitive information along still encrypted while the Lambda function makes API calls, and to decrypt it only at the backend.

2) Passing sensitive information through the contact flow:

The Lambda function returns sensitive values to the contact flow for use later in the flow; storing them with a Set contact attributes block is dangerous.

Values held in contact attributes are easily accessible through Contact Search and are also visible in the CloudWatch logs.

Contact Search
Attributes being logged in the Contact Trace Records(CTR)

To avoid this, never put sensitive information in contact attributes; keep it in External attributes instead.

An external attribute, in Amazon Connect terms, is a value returned by a Lambda function.

External attributes in Amazon Connect are neither logged to CloudWatch nor shown in Contact Search.

To achieve this, follow these steps:

a) Returning the values that the flow will use from the Lambda function:

The values should be returned by the Lambda function rather than stored as contact attributes.

Values being returned from a Lambda function.

To return multiple values for later use in a flow, we use a single variable and store all the values in it.

Values being stored in a single variable and returned.

These variables can be unpacked in the flow whenever their values are needed.

Unpacking and using the values

b) Using the values in the flow:

If those values are needed later in the flow, they can be accessed as follows:

For a Lambda function:

  • Go to the Invoke AWS Lambda function block
  • In Function input parameters, click Add a parameter
  • Select Use attribute and set the type to External
  • Enter the corresponding Destination key and Attribute
Sending parameters to Lambda function

For playing prompts:

  • Open the Play prompt block
  • Select Text-to-speech or chat text

The variable is accessed by prefixing its name with $.External., e.g. $.External.Company to access the variable Company.

Adding a prompt
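As an added example (not Sandeza's code, and not the Lambda function from the AWS blog post), the two Python handlers below show the pattern from (a) and (b) end to end: the first looks the caller up and returns the result as External attributes, packed into one variable; the second receives that variable back from the flow as a Lambda parameter and unpacks it so the flow can read fields such as $.External.Company. JSON as the packing format, the parameter names CardNumber, Cvv and AccountPin, the destination key Customer, the FAKE_CRM table and the sample event are all constructed for this example; the event shape (Details.ContactData / Details.Parameters) is the one Amazon Connect sends to a Lambda function.

```python
"""Amazon Connect Lambda handlers that keep sensitive values out of contact attributes and logs."""
import copy
import json
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Parameter names whose values must never reach CloudWatch (constructed list;
# use the names your own contact flow passes to the function).
SENSITIVE_PARAMETERS = {"CardNumber", "Cvv", "AccountPin"}

# Constructed stand-in for a CRM lookup; a real handler would query a backend.
FAKE_CRM = {
    "+15555550100": {"Company": "Example Corp", "Tier": "gold", "AccountId": "A-1001"},
}


def redact(event):
    """Return a copy of the Connect event with sensitive parameter values masked, safe to log."""
    masked = copy.deepcopy(event)
    params = masked.get("Details", {}).get("Parameters", {})
    for name in params:
        if name in SENSITIVE_PARAMETERS:
            params[name] = "***"
    return masked


def pack(values):
    """Pack several values into one string so the flow carries them in a single External attribute."""
    return json.dumps(values, separators=(",", ":"), sort_keys=True)


def unpack(packed):
    """Inverse of pack(); used by a later Lambda that receives $.External.<name> as a parameter."""
    return json.loads(packed)


def flat_response(values):
    """Connect accepts only a flat map of string values from a Lambda; refuse nested objects."""
    response = {}
    for key, value in values.items():
        if isinstance(value, (dict, list)):
            raise ValueError("nested value for %r: pack it with pack() first" % key)
        response[key] = str(value)
    return response


def lookup_handler(event, context):
    """First Invoke block in the flow: look the caller up and return External attributes.

    Nothing returned here lands in contact attributes or the contact trace record;
    it is available to the flow as $.External.Found and $.External.Customer.
    """
    logger.info("event: %s", json.dumps(redact(event)))  # never log the raw event
    caller = event["Details"]["ContactData"]["CustomerEndpoint"]["Address"]
    record = FAKE_CRM.get(caller)
    if record is None:
        return flat_response({"Found": "false"})
    return flat_response({"Found": "true", "Customer": pack(record)})


def use_handler(event, context):
    """Later Invoke block: the flow passes $.External.Customer back as parameter 'Customer'."""
    logger.info("event: %s", json.dumps(redact(event)))
    customer = unpack(event["Details"]["Parameters"]["Customer"])
    # Return the fields individually so a Play prompt block can read $.External.Company.
    return flat_response(customer)


# Constructed sample event in the shape Amazon Connect sends to a Lambda function.
SAMPLE_LOOKUP_EVENT = {
    "Name": "ContactFlowEvent",
    "Details": {
        "ContactData": {
            "Attributes": {},
            "CustomerEndpoint": {"Address": "+15555550100", "Type": "TELEPHONE_NUMBER"},
        },
        "Parameters": {"CardNumber": "4111111111111111"},
    },
}

if __name__ == "__main__":
    first = lookup_handler(SAMPLE_LOOKUP_EVENT, None)
    second_event = {
        "Name": "ContactFlowEvent",
        "Details": {
            "ContactData": SAMPLE_LOOKUP_EVENT["Details"]["ContactData"],
            "Parameters": {"Customer": first["Customer"]},
        },
    }
    print(use_handler(second_event, None))
```

External attributes are replaced each time the flow invokes another Lambda function, so the packed variable has to be forwarded as a parameter (destination key Customer here) before a later Invoke block overwrites it. The redact() step matters even with flow logging disabled, since anything the handler itself logs goes to the function's CloudWatch log group.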

3) Disabling and enabling logging while collecting sensitive information:

Enabling logging in contact flows helps with troubleshooting, since the logs can be inspected in CloudWatch, but it is dangerous because Amazon Connect logs everything, including the sensitive data the user enters.

So, to keep sensitive data out of the logs, simply disable logging just before collecting the input and enable it again afterwards.

Simple contact flow with disabling and enabling logging

These are the best ways we know of to keep data in Amazon Connect from being compromised. We at Sandeza have implemented a highly secure IVR system for one of our customers and have summarised all the practices we followed.

Sandeza, an AWS Consulting Partner, specializes in provisioning Analytics/ML/AI solutions, with a particular focus on modern contact center deployment. Our ‘Arta’ platform helps manage multiple Connect deployments/accounts and integrations with leading third-party CRM platforms. Please reach us at connect@sandeza-inc.com.
