AWS connect documentation change
Summary
Renamed 'Amazon Connect' to 'Connect Customer' throughout the document, including section titles, content, and links. Updated references to administrators, agents, and service contacts accordingly.
Security assessment
The changes are purely branding/naming updates with no modifications to security practices, vulnerabilities, or features. No evidence of security vulnerability fixes or new security documentation was introduced.
Diff
diff --git a/connect/latest/adminguide/security-bp.md b/connect/latest/adminguide/security-bp.md index ae8e50f5a..a7263cd1b 100644 --- a//connect/latest/adminguide/security-bp.md +++ b//connect/latest/adminguide/security-bp.md @@ -7 +7 @@ -Amazon Connect Security JourneyData Security in Amazon ConnectIdentity and Access ManagementDetective controlsInfrastructure protectionData protectionAmazon Connect security vectorsResources +Connect Customer Security JourneyData Security in Connect CustomerIdentity and Access ManagementDetective controlsInfrastructure protectionData protectionConnect Customer security vectorsResources @@ -9 +9 @@ Amazon Connect Security JourneyData Security in Amazon ConnectIdentity and Acces -# Design principles for developing a secure contact center in Amazon Connect +# Design principles for developing a secure contact center in Connect Customer @@ -11 +11 @@ Amazon Connect Security JourneyData Security in Amazon ConnectIdentity and Acces -Security includes the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies. This section provides an overview of design principles, best practices, and questions surrounding security for Amazon Connect workloads. +Security includes the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies. This section provides an overview of design principles, best practices, and questions surrounding security for Connect Customer workloads. @@ -13 +13 @@ Security includes the ability to protect information, systems, and assets while -## Amazon Connect Security Journey +## Connect Customer Security Journey @@ -15 +15 @@ Security includes the ability to protect information, systems, and assets while -After you’ve made the decision to move your workload to Amazon Connect, in addition to reviewing [Security in Amazon Connect](./security.html) and [Security Best Practices for Amazon Connect](./security-best-practices.html), follow these guidelines and steps to understand and implement your security requirements relative to the following core security areas: +After you’ve made the decision to move your workload to Connect Customer, in addition to reviewing [Security in Connect Customer](./security.html) and [Security Best Practices for Connect Customer](./security-best-practices.html), follow these guidelines and steps to understand and implement your security requirements relative to the following core security areas: @@ -17 +17 @@ After you’ve made the decision to move your workload to Amazon Connect, in add - + @@ -25 +25 @@ When you move computer systems and data to the cloud, security responsibilities -Which AWS services you use will determine how much configuration work you have to perform as part of your security responsibilities. When you use Amazon Connect, the shared model reflects AWS and customer responsibilities at a high-level, as shown in the following diagram. +Which AWS services you use will determine how much configuration work you have to perform as part of your security responsibilities. When you use Connect Customer, the shared model reflects AWS and customer responsibilities at a high-level, as shown in the following diagram. @@ -27 +27 @@ Which AWS services you use will determine how much configuration work you have t - + @@ -31 +31 @@ Which AWS services you use will determine how much configuration work you have t -Third-party auditors assess the security and compliance of Amazon Connect as part of multiple AWS compliance programs. These include [SOC](https://aws.amazon.com/compliance/soc-faqs/), [PCI](https://aws.amazon.com/compliance/pci-dss-level-1-faqs/), [HIPAA](https://aws.amazon.com/compliance/hipaa-compliance/), [C5 (Frankfurt)](https://aws.amazon.com/compliance/bsi-c5/), and [HITRUST CSF](https://aws.amazon.com/compliance/hitrust/). +Third-party auditors assess the security and compliance of Connect Customer as part of multiple AWS compliance programs. These include [SOC](https://aws.amazon.com/compliance/soc-faqs/), [PCI](https://aws.amazon.com/compliance/pci-dss-level-1-faqs/), [HIPAA](https://aws.amazon.com/compliance/hipaa-compliance/), [C5 (Frankfurt)](https://aws.amazon.com/compliance/bsi-c5/), and [HITRUST CSF](https://aws.amazon.com/compliance/hitrust/). @@ -37 +37 @@ For a list of AWS services in scope of specific compliance programs, see [AWS Se -Region selection to host the Amazon Connect instance depends on data sovereignty restrictions and where the contacts and agents are based. After that decision is made, review network requirements for Amazon Connect and ports and protocols that you need to allow. Additionally, to reduce the blast radius use the domain allow list or allowed IP address ranges for your Amazon Connect instance. +Region selection to host the Connect Customer instance depends on data sovereignty restrictions and where the contacts and agents are based. After that decision is made, review network requirements for Connect Customer and ports and protocols that you need to allow. Additionally, to reduce the blast radius use the domain allow list or allowed IP address ranges for your Connect Customer instance. @@ -39 +39 @@ Region selection to host the Amazon Connect instance depends on data sovereignty -For more information, see [Set up your network to use the Amazon Connect Contact Control Panel (CCP)](./ccp-networking.html). +For more information, see [Set up your network to use the Connect Customer Contact Control Panel (CCP)](./ccp-networking.html). @@ -54 +54 @@ We recommend reviewing each AWS service in your solution against the security re -## Data Security in Amazon Connect +## Data Security in Connect Customer @@ -56 +56 @@ We recommend reviewing each AWS service in your solution against the security re -During your security journey, your security teams may require a deeper understanding of how data is handled in Amazon Connect. See the following resources: +During your security journey, your security teams may require a deeper understanding of how data is handled in Connect Customer. See the following resources: @@ -58 +58 @@ During your security journey, your security teams may require a deeper understan - * [Detailed network paths for Amazon Connect](./detailed-network-paths.html) + * [Detailed network paths for Connect Customer](./detailed-network-paths.html) @@ -60 +60 @@ During your security journey, your security teams may require a deeper understan - * [Infrastructure security in Amazon Connect](./infrastructure-security.html) + * [Infrastructure security in Connect Customer](./infrastructure-security.html) @@ -62 +62 @@ During your security journey, your security teams may require a deeper understan - * [Compliance validation in Amazon Connect](./compliance-validation.html) + * [Compliance validation in Connect Customer](./compliance-validation.html) @@ -73 +73 @@ Review your workload diagram and architect an optimum solution on AWS. This incl -### Types of Amazon Connect Personas +### Types of Connect Customer Personas @@ -75 +75 @@ Review your workload diagram and architect an optimum solution on AWS. This incl -There are four types of Amazon Connect personas, based on the activities being performed. +There are four types of Connect Customer personas, based on the activities being performed. @@ -77 +77 @@ There are four types of Amazon Connect personas, based on the activities being p - + @@ -79 +79 @@ There are four types of Amazon Connect personas, based on the activities being p - 1. AWS administrator – AWS administrators create or modify Amazon Connect resources and may also delegate administrative access to other principals by using the AWS Identity and Access Management (IAM) service. The scope of this persona is focused on creating and administering your Amazon Connect instance. + 1. AWS administrator – AWS administrators create or modify Connect Customer resources and may also delegate administrative access to other principals by using the AWS Identity and Access Management (IAM) service. The scope of this persona is focused on creating and administering your Connect Customer instance. @@ -81 +81 @@ There are four types of Amazon Connect personas, based on the activities being p - 2. Amazon Connect administrator – Service administrators determine which Amazon Connect features and resources employees should access within the Amazon Connect admin website. The service administrator assigns security profiles to determine who can access the Amazon Connect admin website and what tasks they can perform. The scope of this persona is focused on creating and administering your Amazon Connect contact center. + 2. Connect Customer administrator – Service administrators determine which Connect Customer features and resources employees should access within the Connect Customer admin website. The service administrator assigns security profiles to determine who can access the Connect Customer admin website and what tasks they can perform. The scope of this persona is focused on creating and administering your Connect Customer contact center. @@ -83 +83 @@ There are four types of Amazon Connect personas, based on the activities being p - 3. Amazon Connect agent – Agents interact with Amazon Connect to perform their job duties. Service users may be contact center agents or supervisors. + 3. Connect Customer agent – Agents interact with Connect Customer to perform their job duties. Service users may be contact center agents or supervisors. @@ -85 +85 @@ There are four types of Amazon Connect personas, based on the activities being p - 4. Amazon Connect Service contact – The customer who interacts with your Amazon Connect contact center. + 4. Connect Customer Service contact – The customer who interacts with your Connect Customer contact center. @@ -92 +92 @@ There are four types of Amazon Connect personas, based on the activities being p -IAM Administrative access should be limited to approved personnel within your organization. IAM administrators should also understand what IAM features are available to use with Amazon Connect. For IAM best practices, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the _IAM User Guide_. Also see [Amazon Connect identity-based policy examples](./security_iam_id-based-policy-examples.html). +IAM Administrative access should be limited to approved personnel within your organization. IAM administrators should also understand what IAM features are available to use with Connect Customer. For IAM best practices, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the _IAM User Guide_. Also see [Connect Customer identity-based policy examples](./security_iam_id-based-policy-examples.html). @@ -94 +94 @@ IAM Administrative access should be limited to approved personnel within your or -### Amazon Connect Service Administrator Best Practices +### Connect Customer Service Administrator Best Practices @@ -96 +96 @@ IAM Administrative access should be limited to approved personnel within your or -Service administrators are responsible for managing Amazon Connect users, including adding users to Amazon Connect give them their credentials, and assign the appropriate permissions so they can access the features needed to do their job. Administrators should start with a minimum set of permissions and grant additional permissions as necessary. +Service administrators are responsible for managing Connect Customer users, including adding users to Connect Customer give them their credentials, and assign the appropriate permissions so they can access the features needed to do their job. Administrators should start with a minimum set of permissions and grant additional permissions as necessary. @@ -98 +98 @@ Service administrators are responsible for managing Amazon Connect users, includ -[Security profiles for Amazon Connect and Contact Control Panel (CCP) access](./connect-security-profiles.html) help you manage who can access the Amazon Connect dashboard and Contact Control Panel, and who can perform specific tasks. Review the granular permissions granted within the default security profiles available natively. Custom security profiles can be set up to meet specific requirements. For example, a power agent who can take calls but also has access to reports. After this is finalized, users should be assigned to the correct security profiles. +[Security profiles for Connect Customer and Contact Control Panel (CCP) access](./connect-security-profiles.html) help you manage who can access the Connect Customer dashboard and Contact Control Panel, and who can perform specific tasks. Review the granular permissions granted within the default security profiles available natively. Custom security profiles can be set up to meet specific requirements. For example, a power agent who can take calls but also has access to reports. After this is finalized, users should be assigned to the correct security profiles. @@ -102 +102 @@ Service administrators are responsible for managing Amazon Connect users, includ -For extra security, we recommend that you require multi-factor authentication (MFA) for all IAM users in your account. MFA can be [set up through AWS IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) or your SAML 2.0 identity provider, or Radius server, if that's more applicable for your use case. After MFA is set up, a third text box becomes visible on the Amazon Connect login page to provide the second factor. +For extra security, we recommend that you require multi-factor authentication (MFA) for all IAM users in your account. MFA can be [set up through AWS IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) or your SAML 2.0 identity provider, or Radius server, if that's more applicable for your use case. After MFA is set up, a third text box becomes visible on the Connect Customer login page to provide the second factor. @@ -106 +106 @@ For extra security, we recommend that you require multi-factor authentication (M -In addition to storing users in Amazon Connect, you can [enable single sign-on (SSO) to Amazon Connect](./configure-saml.html) by using identity federation. Federation is a recommended practice to allow for employee lifecycle events to be reflected in Amazon Connect when they are made in the source identity provider. +In addition to storing users in Connect Customer, you can [enable single sign-on (SSO) to Connect Customer](./configure-saml.html) by using identity federation. Federation is a recommended practice to allow for employee lifecycle events to be reflected in Connect Customer when they are made in the source identity provider. @@ -116 +116 @@ Credentials such as API keys should be stored outside of your flow application c -Logging and monitoring are important for the availability, reliability and, performance of contact center. You should log relevant information from Amazon Connect Flows to Amazon CloudWatch and build alerts and notifications based on the same. +Logging and monitoring are important for the availability, reliability and, performance of contact center. You should log relevant information from Connect Customer Flows to Amazon CloudWatch and build alerts and notifications based on the same. @@ -118 +118 @@ Logging and monitoring are important for the availability, reliability and, perf -You should define log retention requirements and lifecycle policies early on, and plan to move log files to cost-efficient storage locations as soon as practical. Amazon Connect public APIs log to AWS CloudTrail. You should review and automate actions set up based on CloudTrail logs. +You should define log retention requirements and lifecycle policies early on, and plan to move log files to cost-efficient storage locations as soon as practical. Connect Customer public APIs log to AWS CloudTrail. You should review and automate actions set up based on CloudTrail logs. @@ -124 +124 @@ The AWS cloud provides flexible infrastructure and tools to support both sophist -Fraud detection and prevention for incoming contacts can be implemented by customizing Amazon Connect Flows per the customer requirements. As an example, customers can check incoming contacts against previous contact activity in DynamoDB, and then take action, such as disconnecting a contact because they are a blocked contact. +Fraud detection and prevention for incoming contacts can be implemented by customizing Connect Customer Flows per the customer requirements. As an example, customers can check incoming contacts against previous contact activity in DynamoDB, and then take action, such as disconnecting a contact because they are a blocked contact. @@ -128 +128 @@ Fraud detection and prevention for incoming contacts can be implemented by custo -Although there is no infrastructure to manage in Amazon Connect, there could be scenarios where your Amazon Connect instance needs to interact with other components or applications deployed in infrastructure residing on-premises. Consequently, it is important to ensure that networking boundaries are considered under this assumption. Review and implement specific Amazon Connect infrastructure security considerations. Also, review contact center agent and supervisor desktops or VDI solutions for security considerations. +Although there is no infrastructure to manage in Connect Customer, there could be scenarios where your Connect Customer instance needs to interact with other components or applications deployed in infrastructure residing on-premises. Consequently, it is important to ensure that networking boundaries are considered under this assumption. Review and implement specific Connect Customer infrastructure security considerations. Also, review contact center agent and supervisor desktops or VDI solutions for security considerations. @@ -130 +130 @@ Although there is no infrastructure to manage in Amazon Connect, there could be -You can configure a Lambda function to connect to private subnets in a virtual private cloud (VPC) in your account. Use Amazon Virtual Private Cloud to create a private network for resources such as databases, cache instances, or internal services. Amazon Connect your function to the VPC to access private resources during execution. +You can configure a Lambda function to connect to private subnets in a virtual private cloud (VPC) in your account. Use Amazon Virtual Private Cloud to create a private network for resources such as databases, cache instances, or internal services. Connect Customer your function to the VPC to access private resources during execution. @@ -138 +138 @@ Customers should analyze the data traversing through and interacting with the co - * On-premises data in hybrid Amazon Connect architectures + * On-premises data in hybrid Connect Customer architectures @@ -143 +143 @@ Customers should analyze the data traversing through and interacting with the co -After analyzing the scope of the data, data classifications should be performed paying attention to identifying sensitive data. Amazon Connect conforms to the AWS shared responsibility model. [Data protection in Amazon Connect](./data-protection.html) includes best practices like using MFA and TLS and the use of other AWS services, including Amazon Macie. +After analyzing the scope of the data, data classifications should be performed paying attention to identifying sensitive data. Connect Customer conforms to the AWS shared responsibility model. [Data protection in Connect Customer](./data-protection.html) includes best practices like using MFA and TLS and the use of other AWS services, including Amazon Macie. @@ -145 +145 @@ After analyzing the scope of the data, data classifications should be performed -Amazon Connect [handles variety of data related to contact centers](./data-handled-by-connect.html). This includes phone call media, call recordings, chat transcripts, contact metadata as well as flows, routing profiles and queues. Amazon Connect handles data at rest by segregating data by account ID and instance ID. All data exchanged with Amazon Connect is protected in transit between the user's web browser and Amazon Connect using open standard TLS encryption. +Connect Customer [handles variety of data related to contact centers](./data-handled-by-connect.html). This includes phone call media, call recordings, chat transcripts, contact metadata as well as flows, routing profiles and queues. Connect Customer handles data at rest by segregating data by account ID and instance ID. All data exchanged with Connect Customer is protected in transit between the user's web browser and Connect Customer using open standard TLS encryption. @@ -157 +157 @@ Perform input validation to ensure that only properly formed data is entering th -## Amazon Connect security vectors +## Connect Customer security vectors @@ -159 +159 @@ Perform input validation to ensure that only properly formed data is entering th -Amazon Connect security can be divided into three logical layers as illustrated in the following diagram: +Connect Customer security can be divided into three logical layers as illustrated in the following diagram: @@ -161 +161 @@ Amazon Connect security can be divided into three logical layers as illustrated - + @@ -163 +163 @@ Amazon Connect security can be divided into three logical layers as illustrated - 1. **Agent workstation**. The agent workstation layer is not managed by AWS and consists of any physical equipment and third-party technologies, services, and endpoints that facilitate your agent’s voice, data, and access the Amazon Connect interface layer. + 1. **Agent workstation**. The agent workstation layer is not managed by AWS and consists of any physical equipment and third-party technologies, services, and endpoints that facilitate your agent’s voice, data, and access the Connect Customer interface layer. @@ -167 +167 @@ Follow your security best practices for this layer with special attention to the - * Plan identity management keeping in mind best practices noted in [Security Best Practices for Amazon Connect](./security-best-practices.html). + * Plan identity management keeping in mind best practices noted in [Security Best Practices for Connect Customer](./security-best-practices.html). @@ -169 +169 @@ Follow your security best practices for this layer with special attention to the - * Mitigate insider threat and compliance risk associated with workloads that handle sensitive information, by creating a secure IVR solution that enables you to bypass agent access to sensitive information. By encrypting contact input in your flows, you’re able to capture information securely without exposing it to your agents, their workstations, or their operating environments. For more information, see [Encrypt sensitive customer input in Amazon Connect](./encrypt-data.html). + * Mitigate insider threat and compliance risk associated with workloads that handle sensitive information, by creating a secure IVR solution that enables you to bypass agent access to sensitive information. By encrypting contact input in your flows, you’re able to capture information securely without exposing it to your agents, their workstations, or their operating environments. For more information, see [Encrypt sensitive customer input in Connect Customer](./encrypt-data.html). @@ -171 +171 @@ Follow your security best practices for this layer with special attention to the - * You are responsible for maintaining the allowlist of AWS IP addresses, ports, and protocols needed to use Amazon Connect. + * You are responsible for maintaining the allowlist of AWS IP addresses, ports, and protocols needed to use Connect Customer. @@ -173 +173 @@ Follow your security best practices for this layer with special attention to the - 2. **AWS** : The AWS layer includes Amazon Connect and AWS integrations including AWS Lambda, Amazon DynamoDB, Amazon API Gateway, Amazon S3, and other services. Follow the security pillar guidelines for AWS services, with special attention to the following: + 2. **AWS** : The AWS layer includes Connect Customer and AWS integrations including AWS Lambda, Amazon DynamoDB, Amazon API Gateway, Amazon S3, and other services. Follow the security pillar guidelines for AWS services, with special attention to the following: @@ -175 +175 @@ Follow your security best practices for this layer with special attention to the - * Plan identity management, keeping in mind best practices noted in [Security Best Practices for Amazon Connect](./security-best-practices.html). + * Plan identity management, keeping in mind best practices noted in [Security Best Practices for Connect Customer](./security-best-practices.html). @@ -179 +179 @@ Follow your security best practices for this layer with special attention to the - * Amazon Connect can integrate with AWS Lambda functions that run inside of a customer VPC through the [VPC endpoints for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html). + * Connect Customer can integrate with AWS Lambda functions that run inside of a customer VPC through the [VPC endpoints for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html). @@ -187 +187 @@ This layer also covers integrations customers may have with other third-party so - * ANI Fraud detection solutions using [Amazon Connect telephony metadata](./connect-attrib-list.html#telephony-call-metadata-attributes) and [partner solutions](https://aws.amazon.com/connect/partners/) can be used to protect against caller ID spoofing. + * ANI Fraud detection solutions using [Connect Customer telephony metadata](./connect-attrib-list.html#telephony-call-metadata-attributes) and [partner solutions](https://aws.amazon.com/connect/partners/) can be used to protect against caller ID spoofing. @@ -189 +189 @@ This layer also covers integrations customers may have with other third-party so - * [Amazon Connect Voice ID](./voice-id.html) and other voice biometric partner solutions can be used to enhance and streamline the authentication process. Active voice biometric authentication allows contacts the option to speak specific phrases and use those for voice signature authentication. Passive voice biometrics allow contacts to register their unique voiceprint and use their voiceprint to authenticate with any voice input that meets sufficient length requirements for authentication. + * [Connect Customer Voice ID](./voice-id.html) and other voice biometric partner solutions can be used to enhance and streamline the authentication process. Active voice biometric authentication allows contacts the option to speak specific phrases and use those for voice signature authentication. Passive voice biometrics allow contacts to register their unique voiceprint and use their voiceprint to authenticate with any voice input that meets sufficient length requirements for authentication. @@ -191 +191 @@ This layer also covers integrations customers may have with other third-party so - * Maintain the [application integration](./app-integration.html) section in the Amazon Connect console for adding any third-party application or integration points to your allowlist, and remove unused endpoints. + * Maintain the [application integration](./app-integration.html) section in the Connect Customer console for adding any third-party application or integration points to your allowlist, and remove unused endpoints. @@ -195 +195 @@ This layer also covers integrations customers may have with other third-party so -For an integration that enables Amazon Connect to communicate with Amazon Kinesis and Amazon Redshift to enable the streaming of contact records, see [Amazon Connect integration: Data streaming](https://aws.amazon.com/quickstart/connect/data-streaming/). +For an integration that enables Connect Customer to communicate with Amazon Kinesis and Amazon Redshift to enable the streaming of contact records, see [Connect Customer integration: Data streaming](https://aws.amazon.com/quickstart/connect/data-streaming/). @@ -206 +206 @@ For an integration that enables Amazon Connect to communicate with Amazon Kinesi - * [Security in Amazon Connect](./security.html) + * [Security in Connect Customer](./security.html)