Security Best Practices for Amazon Connect - Amazon Connect
Amazon Connect preventative security best practicesAmazon Connect detective security best practicesAmazon Connect Chat security best practices

Security Best Practices for Amazon Connect

Amazon Connect provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don't represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.

Amazon Connect preventative security best practices

  • Ensure that all profile permissions are as restrictive as possible. Allow access to only those resources absolutely required for the user's role. For example, don't give agents permissions to create, read, or update users in Amazon Connect.

  • Ensure that multi-factor authentication (MFA) is set up through your SAML 2.0 identity provider, or Radius server, if that's more applicable for your use case. After MFA is set up, a third text box becomes visible on the Amazon Connect login page to provide the second factor.

  • If you use an existing directory through AWS Directory Service or SAML-based authentication for identity management, ensure that you follow all security requirements appropriate for your use case.

  • Use the Log in for emergency access URL on the instance page of the AWS console only in emergency situations, not for daily use. For more information, see Emergency admin login.

Use service control policies (SCPs)

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. An SCP defines a guardrail, or sets limits, on the actions that the account's administrator can delegate to users and roles in the affected accounts. You can use SCPs to protect critical resources associated with your Amazon Connect workload.

Set a Service Control Policy to prevent the deletion critical resources

If you’re using SAML 2.0-based authentication and delete the AWS IAM Role that is used for authenticating Amazon Connect users, users won't be able to login to the Amazon Connect instance. You will need to delete and recreate users to be associated with a new Role. This results in the deletion of all data associated with those users.

To prevent the accidental deletion of critical resources and to protect the availability of your Amazon Connect instance, you can set a Service Control Policy (SCP) as an additional control.

Following is an example SCP that can be applied at the AWS Account, Organizational Unit, or Organizational Root to prevent the deletion of the Amazon Connect instance and associated Role:

{    
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonConnectRoleDenyDeletion",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/Amazon Connect user role"
      ]
    },
    {
      "Sid": "AmazonConnectInstanceDenyDeletion",
      "Effect": "Deny",
      "Action": [
        "connect:DeleteInstance"         
      ],
      "Resource": [
        "Amazon Connect instance ARN"
      ]
    }
  ]
}

Amazon Connect detective security best practices

Logging and monitoring are important for the availability, reliability and, performance of contact center. You should log relevant information from Amazon Connect flows to CloudWatch and build alerts and notifications based on the same.

Define log retention requirements and lifecycle policies early on, and plan to move log files to cost-efficient storage locations as soon as practical. Amazon Connect public APIs log to CloudTrail. Review and automate actions based on CloudTrail logs.

We recommend Amazon S3 for long-term retention and archiving of log data, especially for organizations with compliance programs that require log data to be auditable in its native format. After log data is in an Amazon S3 bucket, define lifecycle rules to automatically enforce retention policies and move these objects to other, cost-effective storage classes, such as Amazon S3 Standard - Infrequent Access (Standard - IA) or Amazon S3 Glacier.

The AWS Cloud provides flexible infrastructure and tools to support both sophisticated partner offerings and self-managed centralized-logging solutions. This includes solutions such as Amazon OpenSearch Service and Amazon CloudWatch Logs.

You can implement fraud detection and prevention for incoming contacts by customizing Amazon Connect flows per your requirements. For example, you can check incoming contacts against previous contact activity in Dynamo DB and then take actions such as disconnecting a contact who is on a deny list.

Amazon Connect Chat security best practices

When you integrate with the Amazon Connect Participant Service directly (or use the Amazon Connect Chat Java Script library) and use WebSocket or streaming endpoints to receive messages for your frontend applications or websites, you must protect your application from DOM-based XSS (cross-site scripting) attacks.

The following security recommendations can help safeguard against XSS attacks:

  • Implement proper output encoding to help prevent malicious scripts from executing.

  • Do not mutate DOM directly. For example, don't use innerHTML to render chat response contents. It might contain malicious Javascript code that can lead to an XSS attack. Use frontend libraries like React to escape and sanitize any executable code included in the chat response.

  • Implement a Content Security Policy (CSP) to restrict the sources from which your application can load scripts, styles, and other resources. This adds an extra layer of protection.