Security - AI Powered Speech Analytics for Amazon Connect

Security

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model can reduce your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. For more information about AWS security, visit AWS Cloud Security.

User Authentication

The AI Powered Speech Analytics for Amazon Connect solution uses a combination of Amazon Connect and AWS Security Token Service (AWS STS) to authenticate users. Agents log into a web UI using Amazon Connect user credentials to set their availability and answer calls. AWS STS provides temporary credentials for agents to access Amazon API Gateway, Amazon Comprehend, Amazon Translate, and to store the complete customer transcription history.


        User authentication diagram

Figure 2: User authentication diagram

  1. Agents log into the web client using their Amazon Connect credentials and set their availability to answer calls.

  2. When an end user calls into the call center, Amazon Connect invokes an AWS Lambda function to create an AWS STS token, and stores the token in the call attributes.

  3. The agent uses the web client to accept a call. After accepting a call, the web client uses the Amazon Connect SDK to retrieve the AWS STS token from the call attributes and updates the AWS SDK configuration to use the AWS STS token for authenticating AWS API calls.

  4. The web client uses the AWS STS token to create an authenticated web socket connection to Amazon API Gateway, provides their 16-character connection ID and 32-character contact ID, and receives real-time transcriptions as they are stored in Amazon DynamoDB.

  5. The web client uses the AWS STS token to send the transcriptions to Amazon Comprehend and Amazon Translate for sentiment analysis and translation throughout the call.

  6. Once the call is completed, the web client uses the AWS STS temporary credentials to store the transcription in the customer-defined Amazon Simple Storage Service (Amazon S3) bucket, and the AWS STS credentials are removed from the call attributes.

IAM roles

AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution creates IAM roles that grant the solution’s AWS Lambda functions access to create Regional resources.

Amazon CloudFront

This solution deploys a web console hosted in an Amazon Simple Storage Service (Amazon S3) bucket. To help reduce latency and improve security, this solution includes an Amazon CloudFront distribution with an origin access identity, which is a CloudFront user that provides public access to the solution’s website bucket contents. For more information, refer to Restricting Access to Amazon S3 Content by Using an Origin Access Identity in the Amazon CloudFront Developer Guide.