AWS Security ChangesHomeSearch

AWS connect documentation change

Service: connect · 2026-07-01 · Documentation low

File: connect/latest/adminguide/sr-system-req.md

Summary

Reorganized network requirements section and added detailed documentation for rule-based redaction including browser requirements, client app versions, extension deployment, and Chrome 147 policy configuration.

Security assessment

The changes document security-related features (rule-based redaction and extension management) but show no evidence of addressing an existing vulnerability. The additions focus on configuration requirements for data redaction capabilities and secure extension updates, which are preventive security measures rather than vulnerability fixes.

Diff

diff --git a/connect/latest/adminguide/sr-system-req.md b/connect/latest/adminguide/sr-system-req.md
index 631d7244a..8d7866445 100644
--- a//connect/latest/adminguide/sr-system-req.md
+++ b//connect/latest/adminguide/sr-system-req.md
@@ -7 +7 @@
-System requirementsNetwork requirementsBrowser enterprise policy for local network access
+System requirementsNetwork requirementsBrowser enterprise policy for local network accessRequirements for rule-based redaction
@@ -41 +41 @@ When Windows multi-session configuration is enabled allowing multiple agents to
-  * **Port used for screen recording** : The Connect Customer Client Application communicates with the CCP through a local websocket on port 5431 (on Windows) and 25431 (on Chrome OS).
+### URLs to add to your firewall allow list
@@ -43 +43 @@ When Windows multi-session configuration is enabled allowing multiple agents to
-  * **URLs to add to your firewall allowlist** : To ensure smooth screen recording functionality, add the following URL patterns to your allowlist:
+To ensure smooth screen recording functionality, add the following URL patterns to your allow list.
@@ -45 +45 @@ When Windows multi-session configuration is enabled allowing multiple agents to
-    * From CCP: `connect-recording-staging-*.s3.dualstack.your-region-name.amazonaws.com`. If you prefer to not use wild cards, the list of endpoints is available at https://screenrecording.connect.aws/config/connect-recording-endpoint-allowlist.json. This list may be updated in the future. Refer to the `createDate` at the top of the file to check for updates.
+#### Client App authentication
@@ -47 +47 @@ When Windows multi-session configuration is enabled allowing multiple agents to
-    * From screen recording client application: `https://your-connect-instance-alias.my.connect.aws/taps/client/auth`
+`https://your-connect-instance-alias.my.connect.aws/taps/client/auth`
@@ -49 +49,32 @@ When Windows multi-session configuration is enabled allowing multiple agents to
-  * **Sequence diagram** : The following sequence diagram shows the network calls between different components involved in screen recording.
+#### Screen recording upload (from CCP)
+
+We recommend the wildcard `connect-recording-staging-*.s3.dualstack.your-region-name.amazonaws.com`
+
+If you prefer not to use wildcards, the full list of endpoints is available at [https://screenrecording.connect.aws/config/connect-recording-endpoint-allowlist.json](https://screenrecording.connect.aws/config/connect-recording-endpoint-allowlist.json)
+
+This list may be updated in the future. Refer to the `createDate` field at the top of the file to check for updates.
+
+#### Browser extension updates (required for rule-based redaction)
+
+If you use [rule-based redaction](./rule-based-redaction-screen-recording.html), the agent's browser must be able to download and update the Connect Customer browser extension. Allow outbound HTTPS to the following.
+
+We recommend the wildcard `https://screenrecording.connect.aws/*`, which covers all current and future extension paths for both browsers.
+
+If you prefer not to use wildcards, allow these specific URLs:
+
+Browser | URL  
+---|---  
+Google Chrome and Microsoft Edge | `https://screenrecording.connect.aws/chromeos/amazon-connect-extension/releases/updates.xml`  
+Google Chrome and Microsoft Edge | `https://screenrecording.connect.aws/chromeos/amazon-connect-extension/releases/amazon-connect-extension.crx`  
+Mozilla Firefox | `https://screenrecording.connect.aws/firefox/amazon-connect-extension/releases/updates.json`  
+Mozilla Firefox | `https://screenrecording.connect.aws/firefox/amazon-connect-extension/releases/amazon-connect-extension.xpi`  
+  
+For extension identifiers and deployment instructions, see [Deploy the browser extension](./deploy-browser-extension.html).
+
+### Port used for screen recording
+
+The Connect Customer Client Application communicates with the CCP through a local websocket on port 5431 (on Windows) and 25431 (on Chrome OS).
+
+### Sequence diagram
+
+The following sequence diagram shows the network calls between different components involved in screen recording.
@@ -80,0 +112,25 @@ For more details on this browser change, see [New permission prompt for Local Ne
+## Requirements for rule-based redaction
+
+If you use [Rule-based redaction for screen recordings](./rule-based-redaction-screen-recording.html), agent workstations must meet the following additional requirements.
+
+  * **Browser** – One of the following:
+
+    * Google Chrome 120 or later
+
+    * Microsoft Edge 120 or later
+
+    * Mozilla Firefox 120 or later
+
+Browsers other than Chrome, Edge, and Firefox do not report URLs to the Connect Customer Client Application, so URL rules cannot match pages in those browsers. You can still match windows in those browsers by using window title rules based on the browser's window title.
+
+  * **Connect Customer Client Application** – Version 3.0.2 or later. See [Connect Customer Client Application](./amazon-connect-client-app.html).
+
+  * **Connect Customer browser extension** – Version 2.1.0 or later. The extension must be installed and enabled on every browser that agents use during recorded contacts. See [Deploy the browser extension](./deploy-browser-extension.html).
+
+  * **Chrome 147 local network access policy** – If agents use Chrome version 147 or later, configure the **LocalNetworkAccessAllowedForUrls** enterprise policy to allow local network access from the Connect Customer CCP origin to 127.0.0.1:5431. For details, see Browser enterprise policy for local network access.
+
+
+
+
+Display scaling from 100% through 200% is supported on single-monitor and multi-monitor workstations.
+