Call Ingestion (0)

The LCA solution uses Amazon Chime Voice Connector to ingest phone call audio from your on-premises Private Branch Exchanges (PBXs) and Session Border Controllers (SBCs) using the SIPREC protocol.

Amazon Chime Voice Connector is a regional managed service (currently in the us-east-1 and us-west-2 regions). When you deploy it in your AWS account, it creates an endpoint with a unique hostname that is accessible over the public Internet. Your SBC or telephony systems are configured to establish a SIPREC trunk that sends a copy of your contact center calls to this endpoint.

Configuration Options:

The Amazon Chime Voice Connector endpoint supports TLS to encrypt the SIPREC signaling and SRTP to encrypt media streams. It is strongly recommended to use encryption with your Chime Voice Connector endpoint. When you configure it to use TLS and SRTP encryption, the endpoint rejects unencrypted connections. You can configure an allow-list to only permit connections from your IP addresses. The destination IP address ranges and ports are documented in the Amazon Chime Voice Connector Network configuration page.

User Interface and API (16)

Agents and supervisors from your contact center can connect to a web application to view details of calls completed or in-progress. The web application is downloaded from an Amazon CloudFront distribution created in your account. The web application uses a GraphQL API provided by the AWS AppSync service. The web application provides links to audio recordings from an Amazon S3 bucket in your account.

The hostnames of the CloudFront distribution, AppSync API and the recording S3 bucket are unique to your AWS account. You can enable access to those specific hostnames from the agent’s/supervisor’s machines.

Configuration Options:

Amazon CloudFront can restrict access to specific geographical regions. Additionally, for the Amazon CloudFront web distribution and/or AWS AppSync API, you can use AWS WAF to protect against attacks and restrict access by IP addresses. Access to the S3 recording bucket can be restricted to your IP addresses using a bucket policy. See:

Use CloudFront geo restriction to restrict access from geographic regions and Limit Amazon S3 bucket access to certain IPs or VPCs

You can also use custom hostnames for the web app URL distributed via Amazon CloudFront and the Amazon API if you prefer using your own DNS domains. See: Using custom URLs by adding alternate domain names and Configuring custom domain names.

Inter-network traffic

privacy

The LCA solution use integrations between AWS Services.

AWS services operate in secure segregated networks accessed only via defined service endpoints over HTTPS/port 443, and enforce encryption, authentication, and authorization policies.

For information on IP ranges by service, see: aws ip ranges.

For information on security and compliance of AWS infrastructure, see:

- AWS Infrastructure Security

- Security documentation by service – eg: DynamboDB

Inter-service communications used by the LCA solution are indicated and numbered on the LCA architecture diagram above. In each case, connections between services, including connections to data storage services - Amazon DynamoDB (6,14), Amazon S3 (8,15), Amazon Kinesis (1,2,9,10) - are routed within the Amazon managed network infrastructure to the associated service endpoint which allows access to the target service only if the requests are encrypted using TLS with ephemeral keys associated with valid IAM roles and policies (See Identity and Access Management below).

Data transmitted over networks is encrypted to help secure your data from eavesdropping and man-in-the-middle attacks. This includes the following components and services:

- The Amazon Chime Voice Connector endpoint supports TLS to encrypt the SIPREC signaling and SRTP to encrypt media streams

- The LCA web application enforces the use of TLS including: CloudFront distribution automatically redirects unencrypted connections to HTTPS. The AppSync API only supports TLS endpoints. The S3 buckets have a bucket policy to enforce access only via TLS

- AWS API calls made from Lambda functions to other services (e.g. Amazon Kinesis Video Streams, Amazon S3, AWS AppSync, Amazon Transcribe, Amazon Comprehend, Amazon DynamoDB) are encrypted using TLS

Data at rest is encrypted to help secure your data from unauthorized access to the underlying storage. This includes the following components and services:

- Amazon S3 buckets provisioned by the LCA solution are configured to use server-side AES-256 encryption. Amazon S3 encrypts your data at the object level as it writes it to disks and decrypts it for you when you access it. See: Protecting data using server-side encryption

- Amazon DynamoDB tables provisioned by the LCA solution are configured to use server-side AES-256 encryption with DynamoDB owned keys. See: DynamoDB Encryption at Rest

- Amazon CloudWatch log groups use server-side encryption for the log data at rest using Amazon CloudWatch managed keys. See: Encrypt log data in CloudWatch Logs

- Ephemeral storage associated to AWS Lambda compute environments are encrypted using service managed keys

- Integration services used by the LCA solution such as Amazon Amazon Kinesis Video Streams, Amazon Kinesis Data Streams are configured to use encryption at rest with AWS KMS keys managed by AWS. Other integration services such as Amazon EventBridge also use encryption at rest by default

The AWS services used by the LCA solution use AWS Identity & Access Management (IAM) to manage authentication and authorization.

The LCA solution implements IAM roles with least privilege policies to provide the minimally required permissions between components. AWS API requests between components are authenticated using temporary credentials and using the AWS Signature Version 4 signing process.

The S3 buckets provisioned by the solution are configured with public access blocked to prevent accidental unauthenticated data exposure.

Access to the web application and the AppSync API is secured using an Amazon Cognito user pool. This user pool allows you to create users that are allowed to sign in to the application. After successfully authenticating a user, Amazon Cognito issues JSON web tokens (JWT) that is used to secure and authorize access to the AppSync APIs, or exchange for temporary AWS credentials

Configuration Options:

You can use AWS IAM to manage administrative access to AWS resources services from the AWS Console or via API requests. See: Security best practices in IAM.

You can enable multi factor authentication (MFA) in the Amazon Cognito user pool. See: Adding MFA to a user pool.

You can use Amazon Cognito to federate with your existing identity providers to provide single sign on (SSO). This includes federation via SAML identity providers. See: Adding user pool sign-in through a third party.

Administrative API calls of AWS services used by the LCA solution are logged via AWS CloudTrail. AWS CloudTrail logs management events across AWS services by default and is available for free.

The LCA AppSync API uses Amazon CloudWatch to record GraphQL API requests which can be used to audit and monitor application level user interactions.

Configuration Options:

You can log API data events to Amazon S3 and Amazon DynamoDB (at an additional charge). See: Logging data events for AWS CloudTrail trails.

You can also enable access logs for S3 buckets and CloudFront distributions. See: Enabling Amazon S3 server access logging and Configuring and using Amazon CloudFront logs

Configuration Options:

You can configure data lifecycle rules to expire data including:

- Amazon S3 buckets. See: Managing your Amazon S3 storage lifecycle

- Amazon DynamoDB. See: Amazon DynamoDB Time to Live (TTL)

 - The LCA solution automates DynamoDB data retention. (a) Event cache records created by the CallTranscriber are automatically deleted after 1 day. (b) Call metadata, transcriptions, and analytic records created by AppSync are retained for the number of days specified by the RetentionDays parameter of the LCA CloudFormation template when the LCA solution is deployed or updated (default 90 days).

- Amazon CloudWatch Logs. See: Amazon CloudWatch Logs data retention

For a list of AWS services in scope of specific compliance programs, see AWS Services in Scope by Compliance Program. For general information, see AWS Compliance Programs.

You can download third-party audit reports using AWS Artifact. For more information, see Downloading Reports in AWS Artifact.

Update/Patch/

hardening

The LCA solution is based on fully managed and serverless AWS services that do not require customers to configure or maintain a physical or virtual machine. Patches and feature updates are managed by the services and transparent to users. (Exception is an EC2 instance only deployed in demo mode that is used host an Asterisk telephony server).

Software dependencies are monitored using an automated process that identifies known vulnerable dependencies and are updated periodically based on the associated risk.

The LCA solution development process includes application security reviews, threat modeling and static code analysis. The solution is scanned for common security issues (e.g. OWASP Top 10) covering the CloudFormation templates, Lambda functions and the web user interface.

The code of the solution is fully open source which allows you to directly review its security posture.

Push access to the GitHub code repository is strictly limited to a small number of AWS employees authorized to release updates to the code.