AWS connect high security documentation change
Summary
Added section 'Amazon Connect WebRTC security best practices' with guidance on protecting Participant Tokens
Security assessment
The change introduces security documentation about protecting bearer tokens (Participant Tokens) that could lead to impersonation attacks if mishandled. It provides concrete security controls like authentication requirements, secure transport, and token lifecycle management.
Diff
diff --git a/connect/latest/adminguide/security-best-practices.md b/connect/latest/adminguide/security-best-practices.md index 4404353fa..2682c21f2 100644 --- a//connect/latest/adminguide/security-best-practices.md +++ b//connect/latest/adminguide/security-best-practices.md @@ -5 +5 @@ -Amazon Connect preventative security best practicesAmazon Connect detective security best practicesAmazon Connect Chat security best practices +Amazon Connect preventative security best practicesAmazon Connect detective security best practicesAmazon Connect Chat security best practicesAmazon Connect WebRTC security best practices @@ -18,0 +19,2 @@ Amazon Connect provides a number of security features to consider as you develop + * Amazon Connect WebRTC security best practices + @@ -107,0 +110,19 @@ The following security recommendations can help safeguard against XSS attacks: +## Amazon Connect WebRTC security best practices + +For both WebRTC and chat contacts, participants are issued a Participant Token, which is a bearer token that uniquely identifies them within a contact session. Because possession of this token grants access, its exposure can lead to impersonation attacks. Therefore, protecting this token is critical. + +The following security recommendations can help safeguard against impersonation attacks: + + * **Authenticate users before token issuance**. Ensure that robust authentication and authorization checks are performed before vending a participant token to any client or external service. + + * **Minimize token exposure**. Do not log participant tokens or embed them in URLs. Use secure transport (HTTPS/TLS) for all token exchanges.. + + * **Respond to token leaks quickly**. If a token leak is detected, immediately terminate or stop the associated contact to prevent unauthorized access. + + * **Use least privilege principles**. Limit token lifespan wherever possible, ensuring tokens are valid only for the duration necessary. + + * **Monitor and audit**. Track token usage and access patterns to detect anomalies or potential abuse. + + + +