# Get started with Amazon Connect
<a name="amazon-connect-get-started"></a>

**Tip**  
For an online workshop that leverages a case study and includes hands-on labs, see [Introduction to Amazon Connect](https://catalog.workshops.aws/amazon-connect-introduction/en-US/introduction) by AWS Workshop Studio.

Use these steps to set up your contact center. 

1. [Create an Amazon Connect instance](amazon-connect-instances.md). Use an instance to contain all the resources and settings related to your contact center. You specify how you plan to manage user accounts, whether your contact center will accept incoming calls and make outbound calls, and review the location where data will be stored in your Amazon S3 bucket. 

1. [Set up contact center phone numbers for your Amazon Connect instance](ag-overview-numbers.md). If you're using voice, either claim a phone number that AWS provides, or port your current phone number to Amazon Connect. If you choose to port your numbers, we suggest claiming a number so you can test Amazon Connect and build your contact center while waiting for your numbers to be ported over. 

1. [Set up routing in Amazon Connect](connect-queues.md). Create your queues and routing profiles, and set your hours of operation. In your routing profiles, specify the channels that agents should use: voice, chat, tasks, or all three. You also specify how many chats and tasks an agent can manage at the same time.

1. [Flows in Amazon Connect](connect-contact-flows.md). Establish a flow to define the customer experience with your contact center from start to finish. A single flow works for voice, chat, and tasks, which makes your design more efficient. When you build flows and configure the blocks, indicate how the flow should work for voice, chat, and tasks. 

1. Add users, which are your managers and agents, and configure their settings. Assign a routing profile to each agent, specify whether they are using a softphone or desk phone, and set how long they have for **After contact work**. For instructions, see [Add users to Amazon Connect](user-management.md) and [Set up your contact center agents in Amazon Connect](connect-agents.md). 

1. If you're using chat, we provide several tools to help you enable your customer-facing app to engage with Amazon Connect chat. For more information, see [Set up your customer's chat experience in Amazon Connect](enable-chat-in-app.md). 

## Next steps
<a name="gs-options"></a>

There's a lot you can do to optimize your contact center. Here are a couple of additional steps that you may find useful: 

1. [Monitor live & recorded conversations](monitoring-amazon-connect.md). Monitor live conversations and review past conversations. This is a way that managers can coach agents and help them improve. For voice conversations, set up recording in your flows. For chat conversations, set up recording at the instance level. 

   To learn how to monitor conversations, see [Enable enhanced multi-party contact monitoring in Amazon Connect](monitor-conversations.md).

1. [Create conversational AI bots in Amazon Connect](connect-conversational-ai-bots.md). Use Amazon Lex in your contact center to reduce the load on your agents. For example, a bot can handle the initial interaction before the chat is routed to an agent, and also answer common questions for the customer. 

## Take a free online class
<a name="gs-class"></a>

Check out the following free online classes:
+  [Introduction to Amazon Connect and the Contact Control Panel (CCP)](https://explore.skillbuilder.aws/learn/course/external/view/elearning/12303/introduction-to-amazon-connect-and-the-connect-control-panel-ccp) 
+  [Amazon Connect: Introduction to the Administrative Interface](https://explore.skillbuilder.aws/learn/course/external/view/elearning/12328/amazon-connect-introduction-to-the-administrative-interface) 
+  [Amazon Connect: Creating and Managing Amazon Connect Instances](https://explore.skillbuilder.aws/learn/course/external/view/elearning/12304/amazon-connect-creating-and-managing-amazon-connect-instances) 
+  [Amazon Connect: Implementing Chat in Amazon Connect](https://explore.skillbuilder.aws/learn/course/external/view/elearning/14504/amazon-connect-implementing-chat-in-connect) 
+  [Amazon Connect: Implementing Tasks in Amazon Connect](https://explore.skillbuilder.aws/learn/course/external/view/elearning/14209/amazon-connect-implementing-task-on-connect) 

# Tutorials: An introduction to Amazon Connect
<a name="tutorials"></a>

The tutorials in this section are provided to help you start using Amazon Connect. They show you how to set up your first instance, and test a sample voice and chat experience. Next, they show you how to set up an IT Help Desk contact center that uses the features in Amazon Lex. 

These tutorials are suitable for both knowledge workers and developers.

**Prerequisite**
+ An AWS account. If you don't already have one, create an account at: [aws.amazon.com](https://aws.amazon.com/).

**Print the tutorials**

If you want to print the tutorials, choose the PDF icon at the top of any page, as shown in the following image. 

![\[A page in the Amazon Connect documentation, the PDF link under the title of the page.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-print.png)


A PDF version of the documentation opens. Press **Ctrl+Home** to return to the beginning of the PDF, then scroll down to the table of contents. Choose which pages to print. 

**Topics**
+ [Set up your Amazon Connect instance](tutorial1-set-up-your-instance.md)
+ [Test the sample voice and chat experience in Amazon Connect](tutorial1-explore-voice-and-chat.md)
+ [Create an IT help desk in Amazon Connect](tutorial1-create-helpdesk.md)

# Set up your Amazon Connect instance
<a name="tutorial1-set-up-your-instance"></a>

You can have multiple instances of Amazon Connect. Each instance contains all the resources related to your contact center, such as phone numbers, agent accounts, and queues.

In this tutorial, you open Amazon Connect, create an instance of Amazon Connect, and claim a phone number that you can use for testing.

**Topics**
+ [Step 1: Launch Amazon Connect](#tutorial1-login-aws)
+ [Step 2: Create an instance](#tutorial1-create-instance)
+ [Step 3: Claim a phone number for your instance](#tutorial1-claim-phone-number)

## Step 1: Launch Amazon Connect
<a name="tutorial1-login-aws"></a>

This step walks you through finding Amazon Connect in the AWS console, and opening the Amazon Connect console. 

1. Log in to the [AWS Management Console](https://console.aws.amazon.com/console) (https://console.aws.amazon.com/console) using your AWS account. 

1. In the AWS Management Console, at the top of the page, choose the **Services** drop-down menu.  
![\[The AWS Management console, the services dropdown menu.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-access-services.png)

1. In the search box, type **Amazon Connect**.  
![\[The search box, Amazon Connect in the dropdown list of results.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-access-services2.png)

1. Choose **Amazon Connect**. 

   If this is the first time you've been to the Amazon Connect console, you'll see the following Welcome page.   
![\[The Amazon Connect welcome page, the get started button.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-amazon-connect-getting-started.png)

1. Choose **Get started**. 

**Congratulations!** You found and accessed Amazon Connect. You can use these same steps to search for and launch any AWS service.

Go to [Step 2: Create an instance](#tutorial1-create-instance).

## Step 2: Create an instance
<a name="tutorial1-create-instance"></a>

1. On the **Amazon Connect virtual contact center instances** page, choose **Add an instance**.

1. On the **Set identity** page, in the **Access URL** box, type a unique name for your instance. For example, the following image shows **mytest10089** as a name. Choose a different name for your instance. Then choose **Next**.  
![\[The set identity page, the Access URL box.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-name-instance.png)

1. On the **Add administrator** page, add a new administrator account for Amazon Connect. Use this account to log in to your instance later using the unique access URL. Choose **Next**.  
![\[The add administrator page, the username and password boxes.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-create-admin.png)

   1. The user name will be your Amazon Connect login. It's case sensitive.

   1. The password must be between 8 and 64 characters long, and must contain at least one uppercase letter, one lowercase letter, and one number.

1. On the **Set telephony** page, accept the default settings to allow incoming and outgoing calls. Choose **Next**.   
![\[The set telephony page, telephony options section.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-telephony-defaults.png)

1. On the **Data storage** page, accept the default settings and choose **Next**.   
![\[The default settings for storing data and flow logs, enable customer profiles option.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-data-storage.png)

1. On the **Review and create** page, choose **Create instance**.  
![\[The review and create page, the create instance button.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-review-create-instance.png)

1. After the instance is created, choose **Get started**.  
![\[The Amazon Connect instances page, the Getting started button in the top right corner.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-done-created-instance.png)

1. On the **Welcome to Amazon Connect** page, choose **Skip for now**.  
![\[The Welcome to Amazon Connect page, the Skip for now link.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-skip-for-now.png)

1. You're now on the Amazon Connect dashboard. Your instance name (also called an **alias**) displays in the URL. On the left is the navigation menu.  
![\[The Amazon Connect dashboard page.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-dashboard.png)

   1. Your instance alias is located in the first part of the URL.

   1. The navigation menu.

Congratulations! You set up your instance and now you're on the Amazon Connect dashboard. Go to [Step 3: Claim a phone number for your instance](#tutorial1-claim-phone-number).

## Step 3: Claim a phone number for your instance
<a name="tutorial1-claim-phone-number"></a>

In this step, you set up a phone number so that you can experiment with Amazon Connect.

1. On the Amazon Connect navigation menu, choose **Channels**, **Phone numbers**.   
![\[The Amazon Connect navigation menu, channels icon, phone numbers option.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-routing-phone-numbers.png)

1. On the right side of the **Manage Phone numbers** page, choose **Claim a number**.  
![\[The Manage phone numbers page, the Claim a number button.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-claim-a-number-button.png)

1. Select the **DID (Direct Inward Dialing)** tab. Use the drop-down arrow to choose your country/region. If you're in the US, you can specify the area code you want for your number, and only available numbers with that area code will be displayed. When numbers are returned, choose one.   
![\[The Claim phone number page, DID (Direct Inward Dialing) tab.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-claim-number.png)

1. Write down the phone number. You call it later in this tutorial.

1. In the **Description** box, type this note: **this number is for testing**.  
![\[The Description box, the flow IVR dropdown menu.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-claim-number2.png)

1. In the **Flow / IVR** box, choose the drop-down arrow, and then choose **Sample inbound flow (first contact experience)**.

1. Choose **Save**.

**Congratulations!** You set up your instance and claimed a phone number. Now you're ready to experience how chat and voice work in Amazon Connect. Go to [Test the sample voice and chat experience in Amazon Connect](tutorial1-explore-voice-and-chat.md).

# Test the sample voice and chat experience in Amazon Connect
<a name="tutorial1-explore-voice-and-chat"></a>

To better understand what the voice and chat experiences are like for your agents and customers, you can test them without doing any development. 

This tutorial shows you how to access and use the [Contact Control Panel (CCP)](agent-user-guide.md). The CCP is a web page that agents use to accept and manage voice and chat contacts.

**Prerequisites**

This tutorial is part of a series. If you performed Tutorial 1, you're ready to go. If not, here's what you need:
+ An AWS account
+ A configured Amazon Connect instance
+ An Amazon Connect administrative account
+ A claimed phone number

**Topics**
+ [Step 1: Handle a voice contact](#tutorial1-explore-voice)
+ [Step 2: Use the CCP to handle a chat contact](#tutorial1-test-2)

## Step 1: Handle a voice contact
<a name="tutorial1-explore-voice"></a>

1. On the Amazon Connect navigation menu, choose **Dashboard**.   
![\[The dashboard icon on the navigation menu.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-dashboard-menu.png)

1. On the **Dashboard** page, choose **Test chat**.   
![\[The dashboard page, the text chat link.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-test-chat.png)

1. On the **Test Chat** page, choose **Activate Contact Control Panel**.  
![\[The test chat page, the Activate Contact Control Panel link.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-activate-ccp.png)

1. If your browser prompts you to grant microphone access, choose **Allow**.  
![\[The browser prompts to allow your instance to access your microphone.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-allow-microphone.png)

1. If your browser prompts you to allow notifications, choose **Allow**.  
![\[The browser prompts to allow notifications.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-allow-notifications.png)

1. In the test CCP, set your status to **Available**.  
![\[The CCP, the Available status setting.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-testccp-available.png)

1. Use your mobile phone to call the phone number that you claimed earlier. If you didn't write down the number, you can find it by going to **Channels**, **Phone numbers**.

1. When your call is joined to Amazon Connect you'll hear "Press 1 to be put in queue for an agent, 2 to ..." This is the [Sample inbound flow](sample-inbound-flow.md) that Amazon Connect runs by default. You're going to change this later in the tutorial.

1. You can play around with the different options in the Sample inbound flow. To connect to an agent, press **1**, **1**, **1**.

1. In the CCP, choose **Accept call**.   
![\[The CCP, an incoming call.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-accept-call.png)

1. You'll see what the CCP looks like when an agent is connected to a customer.   
![\[The CCP, a connected call.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-first-call.png)

1. Choose **End call**. 

   Now the contact is in the After Contact Work (ACW) state. This is when the agent might enter some notes about the contact.  
![\[The CCP, after call work, the close contact button.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-acw.png)

1. Choose **Close contact**. This frees the agent to take another incoming contact. 

Well done! You've handled your first voice contact! 

**Tip**  
As an administrator, you can launch the CCP from anywhere on the Amazon Connect console by choosing the phone icon on the top of the page.  

![\[The phone icon at the top of the Amazon Connect console that launches the CCP.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-phone-icon.png)


### Next step
<a name="tutorial1-test-voice-next-step"></a>

Go to [Step 2: Use the CCP to handle a chat contact](#tutorial1-test-2) to experience how to handle a chat contact.

## Step 2: Use the CCP to handle a chat contact
<a name="tutorial1-test-2"></a>

In Step 1, you used the Contact Control Panel (CCP) to manage a voice contact. In this step, you experience how to use the CCP to manage a chat contact. 

1. This procedure assumes you've completed [Step 1: Handle a voice contact](#tutorial1-explore-voice). If you haven't, please do so now.

1. On the **Test chat** page, choose the chat bubble to start a chat.  
![\[The test chat page, the chat bubble.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-chat-bubble.png)

1. The Sample inbound flow automatically transfers you to a queue. You can still type a message as the customer, and the agent receives it. For example, *I need help resetting my password*.  
![\[A chat conversation in the CCP, showing messages from the flow, and customer.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-start-chat.png)

1. In the CCP, accept the incoming chat.   
![\[The CCP, an incoming chat, the button to accept the chat.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-accept-chat.png)

1. Use the CCP to send chat messages to the customer. 

1. When you're done chatting, choose **End chat**. Then in the CCP, choose **Close contact**.

Congratulations! You've experienced what it's like to chat using Amazon Connect. 

Next, try Tutorial 3 to set up an IT Help Desk. It shows you how to set up routing, create a flow, and then test the custom voice and chat experience. Go to [Create an IT help desk in Amazon Connect](tutorial1-create-helpdesk.md).

# Create an IT help desk in Amazon Connect
<a name="tutorial1-create-helpdesk"></a>

This tutorial shows you how to create an IT Help Desk. It shows how to create an Amazon Lex bot that finds out why the customer is calling. You next create a flow to use the customer's input to route them to the right queue.

**Prerequisite**

This tutorial is part of a series. If you performed Tutorial 1, you're ready to go. If not, here's what you need:
+ An AWS account
+ A configured Amazon Connect instance
+ An Amazon Connect administrative account
+ A claimed phone number

**Topics**
+ [Step 1: Create an Amazon Lex bot](#tutorial1-create-amazon-lex-bot)
+ [Step 2: Add permissions to Amazon Lex bot](#tutorial1-add-permissions-for-bot)
+ [Step 3: Set up routing](#tutorial1-set-up-routing)
+ [Step 4: Create a contact flow](#tutorial1-create-contact-flow)
+ [Step 5: Assign the contact flow to the phone number](#tutorial1-assign-contact-flow-to-number)
+ [Step 6: Test a custom voice and chat experience](#tutorial1-try-it)

## Step 1: Create an Amazon Lex bot
<a name="tutorial1-create-amazon-lex-bot"></a>

Bots provide an efficient way to offload repetitive tasks from your agents. This tutorial shows how to use the bot to find out why customers are calling the IT Help Desk. Later, we use the customer's response to route them to the right queue.

In previous tutorials, you used the Amazon Connect console. In this tutorial to set up a bot, you use the Amazon Lex console.

This step has three parts to it.

**Topics**
+ [Part 1: Create an Amazon Lex bot](#tutorial1-create-amazon-lex-bot-step1)
+ [Part 2: Add intents](#tutorial-lex-bot-intents)
+ [Part 3: Build and test](#tutorial-lex-bot-build)

### Part 1: Create an Amazon Lex bot
<a name="tutorial1-create-amazon-lex-bot-step1"></a>

This step assumes it's the first time you've opened the Amazon Lex console. If you've created an Amazon Lex bot before, your steps differ slightly from the ones in this section.

1. Choose the following link to open the Amazon Lex console, or enter the URL in your web browser: **[https://console.aws.amazon.com/lex/](https://console.aws.amazon.com/lex/)**.

1. If this is the first time you've created an Amazon Lex bot, choose **Get Started**. Otherwise, you're already in the Amazon Lex dashboard.  
![\[The Amazon Lex console, the bots page, the create bot button.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-lex-console1.png)

1. Choose **Create a blank bot**.  
![\[The configure bot settings page, the create a blank bot option.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-lex-custom-bot.png)

1. Enter the following information:
   + **Bot name** — For this tutorial, name the bot **HelpDesk**.  
![\[The bot configuration section, the bot name box, the description box.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-bot-config1.png)
   + **IAM permissions** — Choose **Create a role with basic Amazon Lex permissions**.  
![\[The IAM permissions section, the option to Create a role with basic Amazon Lex permissions.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-iam-permissions.png)
   + **COPPA** — Choose whether the bot is subject to the [Children's Online Privacy Protection Act](https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule).
   + **Idle session timeout** — Choose how long the bot should wait to get input from a caller before ending the session.

1. Choose **Next**.

1. On the **Add language to bot** page, choose the language and voice for your bot to use when speaking to callers. The default voice for Amazon Connect is Joanna.  
![\[The Add language to bot page, the select language dropdown menu set to English.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-bot-config2.png)

1. Choose **Done**.

Go to [Part 2: Add intents to your Amazon Lex bot](#tutorial-lex-bot-intents).

### Part 2: Add intents to your Amazon Lex bot
<a name="tutorial-lex-bot-intents"></a>

An intent is the action the user wants to perform. In this part, add two intents to the bot. Each intent represents a reason that users call the Help Desk: password reset and network issues.

1. In the Amazon Lex console, in the **Intent details** section, enter **PasswordReset** as the name of your intent.  
![\[The Amazon Lex console, the Intent page, the Intent details section, the intent name.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-lex-custom-bot4.png)

1. Scroll to the **Sample utterances** section.  
![\[The sample utterances section, the box to add utterances, the add utterance button.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-utterances.png)

1. Type **I forgot my password**, and then choose **Add utterance**. Then add **reset my password** and choose **Add utterance** again.

1. Choose **Save intent**.

1. On the left navigation menu, choose **All intents list**.

1. On the left navigation menu, choose **Back to intents list**.  
![\[The Amazon Lex navigation menu, the back to intents list link.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-bot-config3.png)

1. Choose **Add intent**, **Add empty intent**, and assign the name **NetworkIssue**. Scroll down the page and add the following sample utterances:
   + **I can't access the internet**
   + **my email is down**

When you're done, go to [Part 3: Build and test the Amazon Lex bot](#tutorial-lex-bot-build).

### Part 3: Build and test the Amazon Lex bot
<a name="tutorial-lex-bot-build"></a>

Build and test your bot to make sure that it works as intended before you publish it.

1. In the Amazon Lex console, choose **Build**. The build may take a minute or two.  
![\[The Amazon Lex console, the Build button.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-lex-custom-bot11.png)

1. When it's finished building, choose **Test**.

1. Test the **PasswordReset** intent. In the **Test Draft version** pane, type **I forgot my password**, and press **Enter**.   
![\[The test draft version page, the box to enter an intent such as I forgot my password.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-lex-custom-bot12.png)

1. The verification looks like what's shown in the following image.   
![\[The verification message from Amazon Lex, Intent PasswordReset is fulfilled.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-lex-custom-bot13.png)

1. To confirm that the **NetworkIssue** intent is working, type **my email is down**. The verification looks like what's shown in the following image.   
![\[The verification message from Amazon Lex, Intent NetworkIssue is fulfilled.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-lex-custom-bot14.png)

Go to [Step 2: Add permissions to Amazon Lex bot](#tutorial1-add-permissions-for-bot).

## Step 2: Add permissions to Amazon Lex bot
<a name="tutorial1-add-permissions-for-bot"></a>

To use a bot in your flow, add it to your Amazon Connect instance. 

1. Open the [Amazon Connect console](https://console.aws.amazon.com/connect/) (https://console.aws.amazon.com/connect/).

1. Choose the name of the instance that you created.  
![\[The Amazon Connect virtual contact center instances page, the instance alias.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-lex-custom-bot18.png)

1. Do not log in from this page; this login path is for emergency access only and bypasses the identity management you configured for the instance. Instead, choose **Flows**.  
![\[The Amazon Connect left-side navigation pane, the flows option.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-lex-custom-bot19.png)

1. Under **Amazon Lex**, use the drop-down arrow to choose **HelpDesk**. Under **Alias**, choose **TestBotAlias**, and then choose **+ Add Lex Bot**, and then choose **Add Amazon Lex Bot**.  
![\[The flows page, the Amazon Lex section.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-lex-custom-bot20.png)

1. When you're done, choose **Amazon Connect** in the breadcrumb to navigate back to the instances page.  
![\[The instance name in a breadcrumb at the top of the Contact flows page.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial-connect-instances2.png)

1. Choose the access URL of your instance.  
![\[The Amazon Connect console, the Account overview page, the Access information section, the Access URL.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-instance-url.png)

   The **Access URL** takes you back to the Amazon Connect dashboard.

## Step 3: Set up routing
<a name="tutorial1-set-up-routing"></a>

In this step, you start at the Amazon Connect console for your instance. This step shows how to set up your queues, create a routing profile, and then assign your user account to the profile. 

1. On the navigation menu, go to **Routing**, **Queues**.   
![\[The Amazon Connect navigation menu, the Routing icon, the Queues option.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-routing-queues.png)

1. Choose **Add queue**.  
![\[The Queues page, the Add queue button.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-add-new-queue-button.png)

1. Complete the **Add queue** page, as shown in the following image, to add a queue named **PasswordReset**. When done, choose **Save**.  
![\[The Add queue page, Queue details section and Hours of operation section.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-create-queue.png)

   The following image shows the **Settings** section of the **Add queue** page. Add your default caller ID name and outbound caller ID number.  
![\[The Add queue page, settings section.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-create-queue1.png)

   For the purposes of this tutorial, leave the following empty: Outbound whisper flow, Quick connect, and Maximum contact in queue. 

1. Add a queue named **NetworkIssue**. Complete the **Add queue** page like you did for the **PasswordReset** queue.

   When done, you'll have three queues.  
![\[The Queues page, the Basic queue, the Network Issue queue, and the Password Reset queue.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-queues.png)

1. On the navigation menu, go to **Users**, **Routing Profiles**.   
![\[The Amazon Connect navigation menu, the Users icon, the Routing profiles option.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-routing-profiles.png)

1. Choose **Add routing profile**.   
![\[The Routing profiles page, the Add routing profile button.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-add-new-profile.png)

1. Assign a name to the new profile (for example, **Test routing profile**). Enter a description, select **Voice** and **Chat**, and set **Maximum chats** to **1**.  
![\[The Routing profile details section, and settings section.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-add-profiles1.png)

1. In the **Queues** section, use the drop-down arrow to search for the queues you just created. Choose **NetworkIssue**, then select **Voice** and **Chat**, and choose **Add Queue**.  
![\[The Queues section, the Add queue button.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-add-queue-button.png)

1. Add the **PasswordReset** queue. Select **Voice** and **Chat**, and then choose **Save**.

1. Under **Default outbound queue**, use the drop-down arrow to choose **BasicQueue**.  
![\[The Default outbound queue section.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-outbound-queue.png)

1. When done, scroll to the top of the page, and choose **Save** to save the profile.

1. On the navigation menu, go to **Users**, **User management**.   
![\[The Amazon Connect navigation menu, Users icon, User management option.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-user-management.png)

1. On the **User management** page, select your login name.

1. On the **Edit** page, in the **Settings** section, in the **Routing profile** dropdown menu, choose the routing profile you created, for example, **Test routing profile**. Choose **Save**.  
![\[The settings section, routing profile dropdown menu.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-edit-user2.png)

Routing is all set up and ready to go. 

## Step 4: Create a contact flow
<a name="tutorial1-create-contact-flow"></a>

Although Amazon Connect comes with a set of [built-in flows](contact-flow-default.md), you can create your own flows to determine how a customer experiences your contact center. The flows contain the prompts that customers hear or see, and they transfer them to the right queue or agent, among other things.

In this step, create a flow that's specific to the IT Help Desk experience that you're creating.

1. On the Amazon Connect navigation menu, go to **Routing**, **Flows**.  
![\[The navigation menu, Routing icon, flows option.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-routing-contact-flows.png)

1. Choose **Create flow**.  
![\[On flows and flow modules page the create flow button.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-create-contact-flow.png)

1. The flow designer opens. Enter a name for the flow, such as **Test flow**.  
![\[The flow designer, the option to edit the name of the flow.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-name-contact-flow.png)

1. Use the search box to search for the following blocks, and drag them onto the grid: [Set logging behavior](set-logging-behavior.md), [Set voice](set-voice.md), and [Play prompt](play.md).   
![\[The flow designer, set logging behavior block, set voice block, play prompt block.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-add-blocks1.png)

1. Use your mouse to drag an arrow from the **Entry** block to the **Set logging behavior** block.   
![\[The flow designer, set logging behavior block.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-connect-blocks1.png)

1. Connect the remaining blocks, as shown in the following image.   
![\[The flow designer, set logging behavior block, set voice block, play prompt block all connected.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-connect-blocks2.png)

1. Choose the **Play prompt** title to open its properties page.   
![\[The flow designer, play prompt block.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-play-prompt-title.png)

1. Configure the **Play prompt** block, as shown in the following image, and then choose **Save**. Choose **Text-to-speech or chat text**, choose **Set manually**, enter *Welcome to the IT Help desk*.   
![\[The play prompt block, properties page, text-to-speech or chat text, set manually, Welcome to the IT help desk.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-play-prompt1.png)

1. Add a [Get customer input](get-customer-input.md) block and connect it to the **Play prompt** block.  
![\[The play prompt success branch connected to the Get customer input block.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-add-get-customer-input3.png)

1. Choose the title of the [Get customer input](get-customer-input.md) block to open the properties page.  
![\[The Get customer input block.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-add-get-customer-input.png)

1.  Configure the **Get customer input** block, as shown in the following images. Choose **Text-to-speech or chat text**, **Set manually**, and enter *How can I help* in the text box. Set the **Interpret as** dropdown box to **Text**.  
![\[The Properties page of the Get customer input block.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-configure-get-customer-input1.png)

   The following image shows the Amazon Lex tab. Choose the name of your Amazon Lex bot from the dropdown list. For **Alias** enter **$LATEST**.  
![\[The Amazon Lex tab, the name and alias of the bot.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-configure-get-customer-input2.png)

1. While still in the **Get customer input** block, choose **Add an intent**.  
![\[The Intents section, the Add an intent option.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-configure-get-customer-input4.png)

1. Enter the names of the intents that you created in the Amazon Lex bot, such as PasswordReset and NetworkIssue. They are case sensitive!  
![\[The Intents section, the PasswordReset intent and NetworkIssue intent.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-configure-get-customer-input3.png)

1. Choose **Save**.

1. Add a **Play prompt** block and connect it to the **PasswordReset** branch. 

1. Choose the **Play prompt** title to open its properties page. Configure the **Play prompt** block with the message *We're putting you in a queue to help you with password reset.* Choose **Save**.

1. Add a second **Play prompt** block and connect it to the **NetworkIssue** branch.

1. Choose the **Play prompt** title to open its properties page. Configure the **Play prompt** block with the message *We're putting you in a queue to help you with your network issues.* Choose **Save**.

1. Add a [Disconnect / hang up](disconnect-hang-up.md) block to the grid. Connect the **Default** and **Error** branches to it.

1. Add a [Set working queue](set-working-queue.md) block to the grid. Connect the **Play prompt** block for PasswordReset to it.  
![\[Flow designer with Play prompt connected to PasswordReset queue.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-set-working-queue1b.png)

1. Choose the **Set working queue** title to open its properties page. Configure the **Set working queue** block by using the drop-down arrow to choose the **PasswordReset** queue. Choose **Save**.  
![\[Set working queue properties with PasswordReset queue selected.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-set-working-queue2.png)

1. Add a **Set working queue** block for NetworkIssue, and configure it with the NetworkIssue queue.  
![\[Flow designer with Play prompt connected to NetworkIssue queue.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-set-working-queue3.png)

1. Drag two **Transfer to queue** blocks (from the **Terminate/Transfer** group) onto the grid.

1. Connect each of the **Set working queue** blocks to a **Transfer to queue** block.

1. Drag another **Disconnect/hang up** block onto the grid. Connect all of the remaining **Error** and **At capacity** branches to it.

1. The completed flow looks similar to the following image.  
![\[Complete flow with Entry point, prompts, customer input branches, and queue transfers.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-contact-flow-finisheda.png)

1. Choose **Save**, and then choose **Publish**.  
![\[The Publish and Save buttons on the flow designer.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-save-publish.png)
**Tip**  
Any blocks that aren't connected or configured correctly generate an error. If this happens, double-check that all branches are connected.

1. When the flow publishes, it displays the message that it saved successfully.  
![\[The message Flow saved successfully.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-contact-flow-published.png)

   If the flow doesn't save, double-check that all the branches are connected to blocks. That's the most common reason flows don't publish. 

## Step 5: Assign the contact flow to the phone number
<a name="tutorial1-assign-contact-flow-to-number"></a>

1. On the navigation menu, go to **Channels**, **Phone Numbers**.

1. On the **Manage Phone numbers** page, choose your phone number.  
![\[The manage phone numbers page, your phone number.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-click-on-phone-number.png)

1. Use the drop-down box to choose the flow you just created, and then choose **Save**.  
![\[The edit phone numbers page, the flow dropdown box, the flow you created.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-assign-contact-flow-to-phone-number.png)

Everything is all set up! Now you're ready to test your IT Help Desk. Continue on to [Step 6: Test a custom voice and chat experience](#tutorial1-try-it).

## Step 6: Test a custom voice and chat experience
<a name="tutorial1-try-it"></a>

You're ready to try out the Amazon Lex bot, routing, and flow. The first step is to tell Amazon Connect which flow you want to test.

1. On the navigation menu, go to the **Dashboard** and choose **Test chat**.

1. Choose **Test Settings**.  
![\[The test chat page, test settings option.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-test-settings1.png)

1. Use the drop-down box to choose the flow you created, for example, **Test flow**. Choose **Apply**.  
![\[The system settings section, the flow dropdown menu, your flow.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-test-settings2.png)

### Test a custom chat experience
<a name="tutorial1-try-it-chat"></a>

1. If needed, choose the chat bubble to start a chat.  
![\[The test chat page, the chat bubble.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-chat-bubble.png)

1. Amazon Connect automatically detects a contact and runs the flow that you created. It displays messages from the flow.  
![\[Chat widget showing automated messages from the bot.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-test-chat2.png)

1. Enter that you need help resetting a password. Then accept the incoming chat. The following image shows you what the chat and agent interfaces look like when you're trying them.  
![\[Chat widget with password reset request and agent CCP view.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tutorial1-test-chat3.png)

1. In the customer pane on the right, choose **End chat** to close the chat window.

1. In the test CCP, choose **Close contact** to end the After Contact Work (ACW).

### Test a custom voice experience
<a name="tutorial1-try-it-voice"></a>



1. If the test chat window is still open, choose **End chat** to close it. Then you can try the voice experience.

1. Call your phone number.

1. When prompted, say *I'm having trouble accessing the internet*. You should hear the message that you're being transferred to the NetworkIssue queue.
**Tip**  
After you're transferred, you'll hear this message:   
*Thank you for calling. Your call is very important to us and will be answered in the order it was received.*  
This message is generated by a [default flow](contact-flow-default.md) named [Default customer queue](default-customer-queue.md).

1. Switch to the test CCP and accept the incoming call.

1. After you accept the call, but before you're connected to the customer, you'll hear an inbound whisper stating what queue the contact is in, for example, NetworkIssue. This helps you know what the customer is calling about.

   The inbound whisper is generated by a [default flow](contact-flow-default.md) named [Default agent whisper](default-agent-whisper.md).

1. When done, end the call.

1. In the CCP, choose **Clear contact** to end After Contact Work (ACW).

**Congratulations!** You built and tested an omnichannel IT Help Desk that leverages Amazon Lex and offers customers both chat and voice. 

**Tip**  
If you don't want to keep the phone number that you claimed for testing, you can release it back to inventory. For instructions, see [Release a phone number from Amazon Connect back to inventory](release-phone-number.md).

# Architectural guidance for Amazon Connect
<a name="architecture-guidance"></a>

This topic provides guidance and best practices for designing and building reliable, secure, efficient, and cost-effective systems for your Amazon Connect contact center workloads. Using this guidance can help you build stable and efficient workloads, allowing you to focus on innovation, reduce costs, and improve your customer's experience.

This content is intended for chief technology officers (CTOs), architects, developers, and operations team members.

**Topics**
+ [Services to use with Amazon Connect](related-services-amazon-connect.md)
+ [Amazon Connect workload layers](workload-layers.md)
+ [Scenario and deployment approaches](scenario-deployment-approaches.md)
+ [Single Instance or Multiple Instances?](single-instance-multiple-instances.md)
+ [Operational Excellence](operational-excellence.md)
+ [Security for contact centers](security-bp.md)
+ [Load and penetration / security testing](load-and-penetration-testing.md)
+ [Reliability in Amazon Connect](reliability-bp.md)
+ [Performance efficiency for Amazon Connect workloads](performance-efficiency-bp.md)
+ [Cost optimization for Amazon Connect workloads](cost-optimization-bp.md)

# The power of AWS with Amazon Connect
<a name="related-services-amazon-connect"></a>

**This topic is for developers and administrators who are interested in an overview of which other AWS services you can integrate with Amazon Connect.**

The following diagram shows some of the other AWS services you can use with Amazon Connect.

![\[Icons for all the services you can use with Amazon Connect.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/connect-overview2.png)


## Development
<a name="development-services"></a>

You can use AWS Lambda functions to either look up or post data to sources outside of Amazon Connect. For example, you can look up an inbound caller on Salesforce based on the customer’s phone number. The function may return such results as the customer name, membership level (for example, frequent flyer), last order, and order status. Then based on that information, the call can be routed to an Amazon Lex bot or an agent. 

You can also use Lambda with AWS databases like DynamoDB to create dynamic routing abilities. For example, you can retrieve a prompt in a specific language, based on input from the customer.

API Gateway and Step Functions further enhance the abilities of Lambda. 

For more information, see:
+ [Grant Amazon Connect access to your AWS Lambda functions](connect-lambda-functions.md)

## Storage
<a name="storage-services"></a>

Amazon Connect uses Amazon Simple Storage Service (Amazon S3) to store recorded conversations and exported reports. When you set up Amazon Connect, it creates default buckets for these requirements, or you can point it to existing Amazon S3 infrastructure. For more information, see [Step 4: Data storage](amazon-connect-instances.md#get-started-data-storage) in [Create an Amazon Connect instance](amazon-connect-instances.md).

VPC endpoints are not supported. 

You can also manage the Amazon S3 policies to move data to Amazon Glacier for less expensive long-term storage. However, it breaks the link in the contact record in Amazon Connect. To fix this, use a Lambda function to rename the Amazon Glacier object to match the data in the contact record. 

## Database
<a name="database-services"></a>

You can use AWS databases with Amazon Connect for a variety of reasons. For example, with DynamoDB, you can create quick tables of data. 

You can also create tables of dynamic information for call routing. For example, a Lambda function can write inbound calls to a DynamoDB table, then query the table to see if there are other matches for the phone number. If so, a decision can be made to send the caller to the same queue as before, or to flag them as a repeat caller. 

For more information, see:
+ Blog post: [Creating dynamic, personalized experiences in Amazon Connect](https://aws.amazon.com/blogs/contact-center/creating-dynamic-personalized-experiences-in-amazon-connect/)
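The Lambda data dip described under Development (look up the caller, return a few attributes, route on them) and the repeat-caller table described here, worked through as one added example; this is not AWS's or the Amazon Connect project's own code. It assumes the event shape Amazon Connect sends to an invoked function (`Details.ContactData.CustomerEndpoint.Address` for the caller number and `Details.Parameters` for block parameters), replaces the CRM lookup and the DynamoDB table with constructed in-memory dictionaries so it runs offline, and assumes the flow passes the intended queue as a block parameter named `Queue`; `data_dip` and the sample values are hypothetical.

```python
"""Amazon Connect Lambda data dip with repeat-caller detection (added example)."""
import re
import time
from typing import Any, Dict, List, Tuple

# Caller numbers arrive in E.164 form in Details.ContactData.CustomerEndpoint.Address.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")

# Constructed stand-in for a CRM lookup keyed by phone number (not real data).
CRM: Dict[str, Dict[str, str]] = {
    "+15555550100": {
        "CustomerName": "Jane Doe",
        "MembershipLevel": "frequent flyer",
        "LastOrder": "A-1001",
        "OrderStatus": "shipped",
    },
}

# Constructed stand-in for a DynamoDB table of recent inbound calls:
# number -> list of (epoch_seconds, queue_name). A real function would use a
# boto3 Table query/put_item pair here.
RECENT_CALLS: Dict[str, List[Tuple[int, str]]] = {}
REPEAT_WINDOW_SECONDS = 24 * 60 * 60


def caller_number(event: Dict[str, Any]) -> str:
    """Extract the customer endpoint address from the Connect invocation event."""
    contact = event.get("Details", {}).get("ContactData", {})
    endpoint = contact.get("CustomerEndpoint") or {}
    return str(endpoint.get("Address", ""))


def data_dip(number: str, queue: str, now: int) -> Dict[str, str]:
    """Look up the caller, flag repeats within the window, and record this call.

    Returns a flat map of string values: Amazon Connect does not accept nested
    objects in a Lambda response, and flat strings map directly to contact attributes.
    """
    if not E164.match(number):
        # Fail closed: never use an unvalidated value as a table key or attribute.
        return {"LookupStatus": "InvalidNumber"}

    attrs: Dict[str, str] = {"LookupStatus": "NotFound"}
    record = CRM.get(number)
    if record:
        attrs.update(record)
        attrs["LookupStatus"] = "Found"

    # Only calls inside the window count as a repeat; the most recent one wins.
    earlier = [(ts, q) for ts, q in RECENT_CALLS.get(number, [])
               if now - ts <= REPEAT_WINDOW_SECONDS]
    if earlier:
        _, last_queue = max(earlier)
        attrs["RepeatCaller"] = "true"
        attrs["PreviousQueue"] = last_queue
    else:
        attrs["RepeatCaller"] = "false"

    RECENT_CALLS.setdefault(number, []).append((now, queue))
    return attrs


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, str]:
    """Entry point wired to the flow's Invoke AWS Lambda function block."""
    # "Queue" is a block parameter set in the flow (assumption for this example).
    queue = str(event.get("Details", {}).get("Parameters", {}).get("Queue", "General"))
    return data_dip(caller_number(event), queue, int(time.time()))


# Constructed sample event in the shape Amazon Connect sends to Lambda.
SAMPLE_EVENT: Dict[str, Any] = {
    "Name": "ContactFlowEvent",
    "Details": {
        "ContactData": {
            "Channel": "VOICE",
            "ContactId": "00000000-0000-0000-0000-000000000000",
            "CustomerEndpoint": {"Address": "+15555550100", "Type": "TELEPHONE_NUMBER"},
        },
        "Parameters": {"Queue": "PasswordReset"},
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

Two details carry the security weight: the caller number is validated as E.164 before it is used as a table key or copied into contact attributes, and lookup failures are reported in a `LookupStatus` attribute so the flow can branch on it explicitly rather than depending on the block's Error branch alone. The function also never logs the full event, which contains the caller's number and any attributes the flow has already stored.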

## Analytics
<a name="analytics-services"></a>

Amazon Connect tracks all interactions using [contact records](about-contact-states.md#ctr-events). Contact records are used for real-time and historical metrics reports. You can also use Amazon Kinesis to stream them to an AWS database like Amazon Redshift or Amazon Athena for BI analysis (Quick, or a third party such as Tableau). There are AWS CloudFormation templates available to set up this functionality for Amazon Redshift and Athena. 

To perform analysis on your flow logs, you can set up an Amazon Kinesis stream to stream your flow log data from CloudWatch to a data warehouse service, such as Amazon Redshift. You can combine the flow log data with other Amazon Connect data in your warehouse, or run queries to identify trends or common issues with a flow.

For more information, see:
+ [Develop live media streaming in Amazon Connect](access-media-stream-data.md)
+ Blog post: [Recovering abandoned calls with Amazon Connect](https://aws.amazon.com/blogs/contact-center/recovering-abandoned-calls-with-amazon-connect/)
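The flow log analysis described above (stream the log to a warehouse, then query it for trends or common issues), worked through as an added example over a handful of constructed log lines instead of a Redshift query; this is not AWS's or the Amazon Connect project's own code. The field names it reads (`ContactId`, `ContactFlowName`, `ContactFlowModuleType`, `Timestamp`, `Parameters`, `Results`) and the sample entries are assumptions about the CloudWatch flow log shape, and the function names are hypothetical.

```python
"""Aggregate Amazon Connect flow log lines by block type and result (added example)."""
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed flow log lines; the field names are an assumed approximation of
# what Amazon Connect writes to CloudWatch. One deliberately malformed line is included.
SAMPLE_FLOW_LOG = """\
{"ContactId":"c-1","ContactFlowName":"Test flow","ContactFlowModuleType":"PlayPrompt","Timestamp":"2024-01-01T10:00:00.000Z","Parameters":{"Text":"Welcome to the IT Help desk"}}
{"ContactId":"c-1","ContactFlowName":"Test flow","ContactFlowModuleType":"GetUserInput","Timestamp":"2024-01-01T10:00:02.000Z","Parameters":{"Text":"How can I help"},"Results":"PasswordReset"}
{"ContactId":"c-1","ContactFlowName":"Test flow","ContactFlowModuleType":"SetQueue","Timestamp":"2024-01-01T10:00:05.000Z","Parameters":{"QueueName":"PasswordReset"},"Results":"Success"}
{"ContactId":"c-1","ContactFlowName":"Test flow","ContactFlowModuleType":"TransferToQueue","Timestamp":"2024-01-01T10:00:06.000Z","Parameters":{}}
{"ContactId":"c-2","ContactFlowName":"Test flow","ContactFlowModuleType":"PlayPrompt","Timestamp":"2024-01-01T10:01:00.000Z","Parameters":{"Text":"Welcome to the IT Help desk"}}
{"ContactId":"c-2","ContactFlowName":"Test flow","ContactFlowModuleType":"GetUserInput","Timestamp":"2024-01-01T10:01:03.000Z","Parameters":{"Text":"How can I help"},"Results":"Error"}
{"ContactId":"c-2","ContactFlowName":"Test flow","ContactFlowModuleType":"Disconnect","Timestamp":"2024-01-01T10:01:04.000Z","Parameters":{}}
this line is not json and is skipped by the parser
{"ContactId":"c-3","ContactFlowName":"Test flow","ContactFlowModuleType":"GetUserInput","Timestamp":"2024-01-01T10:02:03.000Z","Parameters":{"Text":"How can I help"},"Results":"Error"}
{"ContactId":"c-3","ContactFlowName":"Test flow","ContactFlowModuleType":"Disconnect","Timestamp":"2024-01-01T10:02:04.000Z","Parameters":{}}
"""


def parse_flow_log(lines: Iterable[str]) -> Iterator[Dict]:
    """Yield one dict per well-formed entry; malformed lines are skipped, not fatal."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and "ContactId" in entry and "ContactFlowModuleType" in entry:
            yield entry


def block_result_counts(entries: Iterable[Dict]) -> Counter:
    """Count (flow name, block type, result) triples.

    Parameters are deliberately not retained: they can carry what a customer typed
    or said, so the aggregate keeps only block type and outcome.
    """
    counts: Counter = Counter()
    for e in entries:
        key: Tuple[str, str, str] = (
            str(e.get("ContactFlowName", "")),
            str(e["ContactFlowModuleType"]),
            str(e.get("Results", "")),
        )
        counts[key] += 1
    return counts


def error_rate_by_block(entries: Iterable[Dict]) -> Dict[str, float]:
    """Fraction of executions of each block type whose Results was Error."""
    total: Counter = Counter()
    errors: Counter = Counter()
    for e in entries:
        block = str(e["ContactFlowModuleType"])
        total[block] += 1
        if e.get("Results") == "Error":
            errors[block] += 1
    return {block: errors[block] / total[block] for block in total}


def contacts_dropped_after_error(entries: Iterable[Dict]) -> List[str]:
    """ContactIds whose last logged block is Disconnect directly after an Error result."""
    by_contact: Dict[str, List[Dict]] = defaultdict(list)
    for e in entries:
        by_contact[str(e["ContactId"])].append(e)
    dropped = []
    for contact_id, events in by_contact.items():
        events.sort(key=lambda ev: str(ev.get("Timestamp", "")))
        if (len(events) >= 2
                and events[-1]["ContactFlowModuleType"] == "Disconnect"
                and events[-2].get("Results") == "Error"):
            dropped.append(contact_id)
    return sorted(dropped)


if __name__ == "__main__":
    log = list(parse_flow_log(SAMPLE_FLOW_LOG.splitlines()))
    print(error_rate_by_block(log))
    print(contacts_dropped_after_error(log))
```

The same three aggregations are what you would express as SQL once the data is in the warehouse; running them over raw lines first is a cheap way to confirm the log shape before building the pipeline, and the malformed-line handling matters because a single bad record should not stop a batch.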

## Machine Learning (ML) and Artificial Intelligence (AI)
<a name="ai-services"></a>

Amazon Connect uses the following services for ML/AI: 
+ Amazon Lex—Lets you create a chatbot to use as Interactive Voice Response (IVR). For more information, see [Add an Amazon Lex bot to Amazon Connect](amazon-lex.md). 
+ Amazon Polly—Provides text-to-speech in all flows. For more information, see [Add text-to-speech to prompts in flow blocks in Amazon Polly](text-to-speech.md) and [SSML tags supported by Amazon Connect](supported-ssml-tags.md).
+ Amazon Transcribe—Grabs conversation recordings from Amazon S3, and transcribes them to text so you can review them.
+ Amazon Comprehend—Takes the transcription of recordings, and applies speech analytics machine learning to the call to identify sentiment, keywords, adherence to company policies, and more.

## Messaging services
<a name="messaging-services"></a>

Amazon Connect uses the following services for messaging: 
+ Amazon Pinpoint—Use as an outbound messaging trigger for events; for example, bulk messaging (such as outbound marketing campaigns). For more information, see this blog post: [Using Amazon Pinpoint to send text messages in Amazon Connect](https://aws.amazon.com/blogs/contact-center/using-amazon-pinpoint-to-send-text-messages-in-amazon-connect/).
+ Amazon Simple Notification Service (Amazon SNS)—Use to send and receive SMS and other channel notifications. Amazon SNS is particularly useful for sending alerts and validations. 
+ Amazon Simple Email Service (Amazon SES)—Use to send validation e-mails, such as a password reset bot sending a confirmation of the transaction. 

## Security
<a name="security-services"></a>

Amazon Connect uses the following services for added security: 
+ AWS Identity and Access Management (IAM)—Use to manage permissions for users. Amazon Connect users require permission for services. For more information, see [Identity and access management for Amazon Connect](security-iam.md).
+ Directory Service—Amazon Connect supports user federation through the internal directory (created in the Amazon Connect instance), using Active Directory integration (MAD, ADFS) or SAML 2.0. 

  For more information, see:
  +  [Plan your identity management in Amazon Connect](connect-identity-management.md)
  + Blog post: [Enabling federation with AWS Single Sign-On and Amazon Connect](https://aws.amazon.com/blogs/contact-center/enabling-federation-with-aws-single-sign-on-and-amazon-connect/)

## Management
<a name="management-services"></a>

Amazon Connect uses the following services for monitoring usage: 
+ Amazon CloudWatch—Collects logs, service metrics, and performance metrics for Amazon Connect. For more information, see [Monitoring your Amazon Connect instance using CloudWatch](monitoring-cloudwatch.md). 
+ AWS CloudTrail—Provides a record of Amazon Connect API calls. 

  For more information about Amazon Connect and AWS CloudTrail, see [Log Amazon Connect API calls with AWS CloudTrail](logging-using-cloudtrail.md).
+ CloudFormation—Amazon Connect supports using CloudFormation for initiating an instance with all the supported channels enabled. For more information, see [AWS::Connect::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-connect-instance.html). 

# Amazon Connect workload layers
<a name="workload-layers"></a>

You can separate Amazon Connect workloads into the following layers: telephony, Amazon Connect interface/API, flows/IVR, agent workstation, and metric and reporting. 

## Telephony
<a name="workload-layers-telephony"></a>

![\[A graphic showing how telephony works for Amazon Connect.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/telephony.png)


**Important**  
TFN connecting to multiple carriers is only available in the US.

Amazon Connect is integrated with multiple telephony providers with redundant dedicated network paths to three or more Availability Zones in every Region where the service is offered today. Capacity, platform resiliency, and scaling are handled as part of the managed service, allowing you to efficiently ramp from 10 to 10,000+ agents without worrying about the management or configuration of underlying platform and telephony infrastructure. Workloads are load balanced across a fleet of telephony media servers, allowing new updates and features to be delivered to you with no downtime required for maintenance or upgrades. If a particular component, data center, or an entire Availability Zone experiences failure, the affected endpoint is taken out of rotation, allowing you to continue to provide a consistent quality experience for your customers.

![\[A graphic showing how telephony works for Amazon Connect.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/telephony2.png)


When a voice call is placed to an Amazon Connect instance, the telephony layer is responsible for controlling the endpoint that your customer calls into through their carrier, across the PSTN and into Amazon Connect. This layer represents the audio path established between Amazon Connect and the customer. Through the Amazon Connect interface layer, you can configure things like outbound caller ID, assign flow/IVRs to phone numbers, enable live media streaming, enable call recording, and the ability to claim phone numbers without any prior traditional telephony knowledge or experience. Additionally, when migrating workloads to Amazon Connect, you have the option to port your existing phone numbers by opening a support case in your AWS Management Console. You can also forward your existing phone numbers to numbers that you’ve claimed in your Amazon Connect instance until you are fully migrated.

## Amazon Connect Interface/API
<a name="connectinterface-api"></a>

The Amazon Connect interface layer is the access point that your agents and contact center supervisors and administrators will use to access Amazon Connect components like reporting and metrics, user configuration, call recordings, and the Contact Control Panel (CCP). This is also the layer responsible for:
+ Single Sign-On (SSO) integration user authentication
+ Custom desktop applications created using the [Amazon Connect Streams](https://github.com/aws/amazon-connect-streams) API that may provide additional functionality and/or integrate with existing Customer Relationship Management (CRM) systems including the [Amazon Connect Salesforce CTI Adapter](salesforce-integration.md). 
+ Amazon Connect contact-facing chat interface
+ Chat web server hosting the Amazon Connect Chat API
+ Any Amazon API Gateway endpoints and corresponding AWS Lambda functions necessary to route chat contacts to Amazon Connect. 

Anything your agents, managers, supervisors, or contacts use to access, configure, or manage Amazon Connect components from a web browser or API is considered the Amazon Connect interface layer.

![\[A graphic showing Amazon Connect interface and API.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/connectinterface.png)


### Flow / IVR
<a name="contactflowivr"></a>

The Flow/IVR layer is the primary architectural vehicle for Amazon Connect and serves as the point of entry and first line of communication with customers reaching out to your contact center. After a customer contacts your Amazon Connect instance, a flow controls the interaction between Amazon Connect, the contact, and the agent, allowing you to:
+ Dynamically invoke AWS Lambda functions to make API calls.
+ Send real-time IVR and voice data to third-party endpoints through Amazon Kinesis.
+ Access resources inside your VPC and behind your VPN.
+ Call other AWS services like Amazon Pinpoint to send SMS messages from the IVR.
+ Perform data dips to databases like Amazon DynamoDB to service your contacts.
+ Call Amazon Lex directly from the flow to invoke a Lex bot for Natural Language Understanding (NLU) and Automatic Speech Recognition (ASR).
+ Play dynamic and natural Text-to-Speech through Amazon Polly, and use SSML and Neural Text-to-Speech (NTTS) to achieve the most natural and human-like text-to-speech voices possible.

Flows enable you to dynamically prompt contacts, collect and store contact attributes, and route appropriately. You can assign a flow to multiple phone numbers, and manage and configure it through Amazon Connect.

![\[A graphic showing flows and IVR.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/contactflowivr.png)


## Agent workstation
<a name="workload-layers-agent-workstation"></a>

The agent workstation layer is not managed by AWS. It consists of any physical equipment and third-party technologies, services, and endpoints that carry your agent’s voice and data and provide access to the Amazon Connect interface layer. Components in the agent workstation layer include:
+ The Contact Control Panel (CCP) agent hardware
+ Network path
+ Agent headset or handset
+ VDI environment
+ Operating system and web browser
+ Endpoint security
+ All networking components and infrastructure
+ Internet Service Provider (ISP) or Direct Connect dedicated network path to AWS. 
+ All other aspects of your agent’s operating environment including power, facilities, security, and ambient noise. 

![\[A graphic agent workstation.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/agentworkstation.png)


## Metric and reporting
<a name="workload-layers-metric-reporting"></a>

The metric and reporting layer includes the components responsible for delivering, consuming, monitoring, alerting, or processing real-time and historical metrics for your agents, contacts, and contact center. This includes all native and third-party components responsible for facilitating the processing, transmission, storage, retrieval, and visualization of real-time or historical contact center metrics, activity audit, and monitoring data. For example:
+ Call recordings and scheduled reports stored in Amazon Simple Storage Service (Amazon S3).
+ Contact records that you can export to AWS database services like Amazon Redshift or your own on-premises data warehouse with Amazon Kinesis. 
+ Real-time dashboards you create with Amazon OpenSearch Service and Kibana.
+ Amazon CloudWatch metrics generated that you can use to set alarms based on static thresholds, set up Amazon SNS notifications to alert to your administrators and supervisors, or launch AWS Lambda functions in response to the event. 

![\[A graphic metrics and reporting.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/metricandreporting.png)


# Scenario and deployment approaches in Amazon Connect
<a name="scenario-deployment-approaches"></a>

Amazon Connect offers self-service configuration and enables dynamic, personal, and natural customer engagement at any scale with a variety of migration and integration options. In this section, we explain the following scenarios and deployment approaches to consider when designing a workload for Amazon Connect:
+ Traditional contact center
+ Inbound
+ Outbound
+ Hybrid contact center
+ Legacy contact center migration
+ Virtual desktop infrastructure (VDI)

## Traditional contact center
<a name="traditional-contact-center"></a>

The traditional contact center requires a significant telephony, media, networking, database, and compute infrastructure footprint that can span multiple vendors and data center locations to service contacts. Each individual solution and vendor has unique hardware, software, networking, and architectural requirements that have to be met while resolving versioning, compatibility, and licensing conflicts. 

It is common to have separate vendors and infrastructure requirements for local and remote agent hardware and VPN connectivity, Text-To-Speech (TTS), Automatic Call Distribution (ACD), Interactive Voice Response (IVR), voice audio and data, physical desk phones, voice recording, voice transcriptions, chat, reporting, database, Computer Telephony Integration (CTI), Automatic Speech Recognition (ASR), and Natural Language Understanding (NLU). Your contact center architecture and infrastructure become more complicated when you consider multi-stage development, quality assurance, and test environments. 

![\[Traditional contact center.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/traditionalcontactcenter.png)


A typical Amazon Connect deployment solves or reduces many of the challenges associated with versioning, compatibility, licensing, contact center telephony infrastructure, and maintenance. It gives you the flexibility to create instances in new locations in minutes and migrate components individually, or in parallel, to best meet your individual business objectives. You can use flows for your IVR/ACD, have voice and data delivered through a supported web browser to your agent’s softphone, port your existing phone numbers, redirect softphone audio to an existing desk phone, invoke an Amazon Lex bot natively within your flow for ASR and NLP, and use the same flow for chat and voice. You can use Amazon Connect Contact Lens to automatically generate voice transcriptions, perform key word identification and sentiment analysis, and categorize contacts. For agent CTI data and real-time voice streaming, you can use Amazon Connect Agent Event Streams and Kinesis Video Streams. You can also create multi-stage development, quality assurance, and test environments at no additional cost and only pay for what you use.

## Inbound
<a name="inbound"></a>

Inbound is a contact center term used to describe a communication request initiated by a contact to the center. Contacts can reach your Amazon Connect instance for inbound self-service or to speak with a live agent in a variety of ways, including voice and chat. Voice contacts go through the PSTN and are routed to the Amazon Connect Instance telephony entry point through the phone number claimed in your instance. You can reserve a phone number with Amazon Connect directly, port your existing phone number, or forward voice contacts to Amazon Connect. Amazon Connect can provide local and toll-free numbers in all Regions where the service is supported.

![\[A diagram showing an inbound request initiated by a contact to the center.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/inbound.png)


When a phone call is placed to a number claimed in or ported to your Amazon Connect instance, the flow associated with the called number will be invoked. You can define the flow using flow blocks that can be configured with no coding knowledge required. The flow determines how the contact should be processed and routed, optionally prompting the contact for additional information to assist in routing decisions, storing those attributes to the contact details, and, if necessary, routing that contact to an agent with all of the call details and transcripts gathered along the way. Through the flow, you can invoke AWS Lambda functions to query customer information, call other AWS services like Amazon Pinpoint to send SMS text messages, and use native AWS service integrations including Amazon Lex for NLU/NLP and Kinesis Video Streams for real-time streaming of voice calls. 

If an inbound contact needs to reach an agent, the contact is put into a queue and routed to an agent when they change their status to Available, according to your routing configuration. When the available agent’s contact is accepted manually or through auto-accept configuration, Amazon Connect connects the contact with the agent. 

![\[A diagram showing an inbound contact in a queue.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/inbound2.png)


 When an inbound contact comes from a browser or mobile app request for a chat session, the request is routed to a web service or Amazon API Gateway endpoint that calls the Amazon Connect chat API to invoke the flow configured in your request. You can use the same flows for chat and voice, where the experience is managed and routed dynamically, based on the logic defined in the flow.

## Outbound
<a name="outbound"></a>

Amazon Connect allows you to programmatically make outbound contact attempts to local and international endpoints, reduce agent set-up time between contacts, and improve agent productivity. By using the [Amazon Connect Streams](https://github.com/aws/amazon-connect-streams) API and [StartOutboundVoiceContact](https://docs.aws.amazon.com/connect/latest/APIReference/API_StartOutboundVoiceContact.html), you can develop your own outbound solution or take advantage of existing partner integrations that work with your CRM data to create dynamic, personalized experiences for your contacts and empower your agents with the tools and resources they need to service those contacts. 

Outbound campaigns are typically driven by contact data exported from CRMs and separated into contact lists. Those contacts are prioritized and either delivered to the agents to initiate after a period of preview or programmatically contacted using the Amazon Connect Outbound API, driven by your flow logic, and connecting to agents as needed. Typical outbound contact center use cases include fraud and service alerts, collections, and appointment confirmations.

## Hybrid
<a name="hybrid"></a>

If you have requirements to transfer contacts between Amazon Connect and legacy contact center technologies, you can use a Hybrid model architecture to pass contact data with the transfer. For example, a sales business unit on a legacy contact center platform may need to transfer a call to the service business unit that’s been migrated to Amazon Connect. Without a Hybrid architecture, call details will be lost and the contact may have to repeat information. This could increase handle times and may result in the contact calling again for the same purpose. 

Hybrid architectures require you to claim as many phone numbers as your expected maximum concurrent contacts and an intermediary state database accessible by both Amazon Connect and your legacy contact center platform. When a transfer is required to the other platform, you will use one of these phone numbers as a unique identifier, flag it as in-use in your intermediary database, insert your contact details, and use that number as your ANI or DNIS when you transfer the contact. When the contact is received by the other contact center platform, you will query the intermediary database for the contact details based on the unique ANI or DNIS you used. Hybrid architectures are typically used as an interim migration step because of the additional cost and complexity associated.

### IVR-only
<a name="ivr-only"></a>

You may choose to use Amazon Connect to drive the contact’s IVR experience while your agent population remains on your legacy contact center platform. With this approach, you can use Amazon Connect flows to drive self-service and routing logic, and, if necessary, transfer the contact to the target agent or agent queue on your legacy contact center platform. 

![\[A diagram showing a customer Interactive Voice Response experience.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/hybridivr.png)


In this diagram, the contact dials a phone number claimed in your Amazon Connect instance for service. If they need to be transferred to an agent on your legacy contact center platform, an AWS Lambda function is invoked to query an available unique phone number, flag it as in-use, and write relevant contact details to an intermediary database. The contact is then transferred to the legacy contact center platform with the phone number returned from the Lambda function. The legacy contact center will then perform a query on the intermediary database for the contact details, route accordingly, and reset the contact data in the intermediary database, allowing the phone number to be used again.
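The claim, flag, look up and reset cycle that the two preceding sections describe, as an added example that is not AWS or Amazon Connect code. An in-memory dict stands in for the shared intermediary database, and the lease TTL, the reclaim-on-expiry behaviour and all field names are this example's own assumptions.

```python
"""Shared transfer-number pool for a hybrid architecture (added example).

Models the intermediary state database that both Amazon Connect and the
legacy platform read and write: each claimed phone number is either free
or leased to one in-flight transfer together with the contact details
that must survive the hop. Storage, lease TTL and field names are this
example's own assumptions, not an Amazon Connect API."""
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class PoolExhausted(Exception):
    """Every number is in use: concurrent transfers exceed the pool size."""


@dataclass
class Lease:
    number: str
    contact: dict
    leased_at: float


class TransferNumberPool:
    def __init__(self, numbers, lease_ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        # A lease older than lease_ttl is treated as leaked (the receiving
        # platform never reset it) and may be handed out again; otherwise a
        # single failed transfer would shrink the pool permanently.
        self._ttl = lease_ttl
        self._clock = clock
        self._rows: Dict[str, Optional[Lease]] = {n: None for n in numbers}
        # Claim-and-flag must be atomic or two transfers share one ANI/DNIS;
        # a real shared database would use a conditional write for this.
        self._lock = threading.Lock()

    def _expired(self, lease: Optional[Lease], now: float) -> bool:
        return lease is not None and now - lease.leased_at > self._ttl

    def claim(self, contact: dict) -> str:
        """Sending side: flag a free number in-use, attach the contact
        details and return the number to use as ANI or DNIS."""
        with self._lock:
            now = self._clock()
            for number, lease in self._rows.items():
                if lease is None or self._expired(lease, now):
                    self._rows[number] = Lease(number, dict(contact), now)
                    return number
        raise PoolExhausted(f"all {len(self._rows)} transfer numbers are in use")

    def lookup(self, number: str) -> Optional[dict]:
        """Receiving side: fetch contact details by the ANI/DNIS the call
        arrived on. None means no live lease: treat it as a cold transfer."""
        with self._lock:
            lease = self._rows.get(number)
            if lease is None or self._expired(lease, self._clock()):
                return None
            return dict(lease.contact)

    def release(self, number: str) -> bool:
        """Receiving side, after routing: reset the row so the number can
        be reused. Returns False if the number is not part of the pool."""
        with self._lock:
            if number not in self._rows:
                return False
            self._rows[number] = None
            return True

    def free_count(self) -> int:
        now = self._clock()
        with self._lock:
            return sum(1 for lease in self._rows.values()
                       if lease is None or self._expired(lease, now))


def transfer_and_receive(pool: TransferNumberPool, contact: dict) -> Optional[dict]:
    """One transfer end to end: the sending side claims a number and stores
    the details, the receiving side queries by that number, then resets it."""
    number = pool.claim(contact)
    details = pool.lookup(number)
    pool.release(number)
    return details
```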

### Agent-only
<a name="agent-only"></a>

With this approach, your legacy contact center IVR drives the contact’s IVR self-serve and routing logic, and, if necessary, transfers the contact to Amazon Connect to route to your agent population.

![\[A diagram showing an Agent only experience.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/hybridagentonly.png)


In this diagram, the contact dials a phone number claimed with your legacy contact center platform. If they need to be transferred to an agent on Amazon Connect, the legacy contact center platform will query an available unique phone number, flag it as in-use, and write relevant contact details to an intermediary database. The contact will then be transferred to Amazon Connect with the phone number returned by the legacy contact center’s query. Amazon Connect will then query the contact details from the intermediary database using AWS Lambda, route accordingly, and reset the contact data in the intermediary database, allowing the phone number to be used again.

### Mixed
<a name="mixed"></a>

In this scenario, you may have your IVR and agents operating in parallel on Amazon Connect and your legacy contact center platform to allow for site, agent group, or line-of-business migrations.

![\[A diagram showing a hybrid Agent only and Interactive Voice Response experience.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/hybridmixed.png)


## Legacy contact center migration
<a name="legacy-contact-center-migration"></a>

When you are evaluating Amazon Connect for new or existing workloads, there are several strategies you can consider. For situations that require contact details to be included when contacts are transferred between Amazon Connect and your legacy contact center solution, a Hybrid model architecture will be required until the migration is complete. The approaches described in this section allow you to move specific lines of business in phases, manage training and support, and mitigate risks associated with change.

### New workload
<a name="new-workload"></a>

You may decrease risk associated with changes to existing business units and increase flexibility and digital innovation potential by adopting a net new workload on Amazon Connect. Net new workloads that do not require the Hybrid model architecture are less complex, are not affected by change in business process or agent routine, and have a faster time to market. Adopting a net new workload allows you to take advantage of usage-based, pay-as-you-go pricing. Your contact center resources are available to create a new experience for their end users, test and implement it to evaluate the platform, gain confidence, and build the skills and operational mechanisms to prepare for larger migration across existing workloads.

### IVR First
<a name="ivr-first"></a>

You may choose to use Amazon Connect to drive the contact’s IVR experience while your agent population remains on your legacy contact center platform. With this approach, you can use Amazon Connect Flows to drive self-service and routing logic, and, if necessary, transfer the contact to the target agent or agent queue on your legacy contact center platform. 

### IVR Last
<a name="ivr-last"></a>

With this approach, your legacy contact center IVR drives the contact’s IVR self-serve and routing logic, and, if necessary, transfers the contact to Amazon Connect to route to your agent population.

### Line of business segmentation
<a name="lob-segmentation"></a>

If your lines of business have separate IVRs or don’t require contact transfers to legacy contact center platforms, you may want to consider a line of business migration approach. For example, selecting your service desk for internal support as your first line of business to migrate. After migrating your service desk IVR and agent population to Amazon Connect, you may choose to forward your existing contact to Amazon Connect, porting the endpoint after testing and business validation is completed. 

### Site or agent group segmentation
<a name="agent-segmentation"></a>

If your contact center has a global footprint, services contacts from multiple countries, or is managed independently by a respective geography or location, you may want to consider a migration approach based on a physical site or geography of agents. Each agent population and/or geography can have its own unique requirements and considerations that may not apply globally. Approaching your migration this way will allow each site or agent group to gain the skills they need to continue to operate independently before moving onto the next.

## Virtual desktop infrastructure (VDI)
<a name="vdi"></a>

While you can use the Amazon Connect Contact Control Panel (CCP) within Virtual Desktop Infrastructure (VDI) environments, it will add another layer of complexity to your solution that warrants separate POC efforts and performance testing to optimize. The configuration/support/optimization is best handled by your VDI support team and the following deployment models are the most commonly implemented.

### VDI client with local browser access
<a name="vdi-with-browser"></a>

You can build a custom CCP with the [Amazon Connect Streams](https://github.com/aws/amazon-connect-streams) API by creating a CCP with no media for call signaling. This way, the media is handled on the local desktop using standard CCP, and the signaling and call controls are handled on the remote connection with the CCP with no media. The following diagram describes this approach.

![\[VDI client with local browser access.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/vdi.png)


### Citrix VDI with Amazon Connect audio optimization
<a name="vdi-citrix"></a>

If you use a Citrix Virtual Desktop Infrastructure (VDI) environment, you can build a custom CCP with the Amazon Connect RTC JavaScript library, which integrates with the Citrix Unified Communications SDK (UCSDK) and automatically redirects the media from your local desktop to Amazon Connect. This enables your agents to use Citrix VDI client applications, such as Citrix Workspace, to connect to their custom agent applications or custom CCPs. This removes the need to develop and manage a separate agent application, like dual CCPs, for audio media redirection in your Citrix environments. The following diagram describes that approach:

![\[Amazon Connect media workflow for Citrix VDI environments.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/vdi-citrix.png)


**Note**  
This solution requires you to allow WebRTC signaling traffic between your VDI server and Amazon Connect, and the media connection between the agent’s desktop and Amazon Connect. For more information, see the [Set up your network to use the Amazon Connect Contact Control Panel (CCP)](ccp-networking.md) documentation.

### Amazon WorkSpaces VDI with Amazon Connect audio optimization
<a name="vdi-amazon-workspaces"></a>

By using Amazon WorkSpaces, a Virtual Desktop Infrastructure (VDI) environment, you have the capability to create a customized Contact Control Panel (CCP) by leveraging the Amazon Connect Real-Time Communications (RTC) JavaScript library. This library seamlessly integrates with the Amazon WorkSpaces SDK, enabling automatic media redirection from your local desktop to Amazon Connect. This eliminates the need to develop and manage a separate agent application, such as dual-CCPs, specifically for audio media redirection within their WorkSpaces environments. The following diagram illustrates this approach.

![\[Amazon Connect and Workspaces environment.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/vdi-connect.png)


### Omnissa VDI with Amazon Connect audio optimization
<a name="vdi-omnissa"></a>

The Omnissa Virtual Desktop Infrastructure (VDI) solution enables a streamlined integration with Amazon Connect through the implementation of a custom Contact Control Panel (CCP). 

By leveraging the Amazon Connect RTC JavaScript library in conjunction with Omnissa's Horizon WebRTC SDK, audio processing is optimized by redirecting media streams directly from the agent's local endpoint to Amazon Connect. This architecture eliminates the traditional challenges of audio routing through virtual desktops, providing agents with a superior voice experience while using their Omnissa VDI environment. The solution removes the complexity of managing separate audio redirection applications, offering a single, unified interface for agent interactions. The following diagram illustrates this architectural approach.

![\[Amazon Connect and Omnissa environment.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/omnissa-6.png)


### VDI client without local browser access
<a name="vdi-without-browser"></a>

Sometimes the VDI client does not have access to a local browser. In this scenario, you can create a single CCP instance with media run from the VDI server allowing access to enterprise resources. For this deployment model UDP audio is usually enabled on the VDI OS. This deployment model requires extensive testing to calibrate the different VDI server parameters to optimize quality of experience:

![\[VDI client without local browser access.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/vdinobrowser.png)


# Amazon Connect: Single Instance or Multiple Instances?
<a name="single-instance-multiple-instances"></a>

## Single instance of Amazon Connect (including single ACGR pair)
<a name="single-instance-connect"></a>

### Best For
<a name="single-instance-best-for"></a>

A centralized contact center operation with shared infrastructure and unified customer experience.

### Pros
<a name="single-instance-pros"></a>
+ **Lower operational overhead** – Manage/maintain single system, less duplication of setup/config.
+ **Centralized management** – Unified metrics, reporting, queues, routing profiles, users, etc.
+ **Consistent customer experience** – Common IVR, flows, and settings across teams.

### Cons
<a name="single-instance-cons"></a>
+ **Data/tenant isolation design** – Data isolation across business units, brands, or regions must be designed.
+ **Single Geographic Location** – Latency can be high in regions far away from the instance.
+ **Service Quota Management** – Service quota management can be more challenging due to difficulty in anticipating usage and growth across multiple business units.

## Multiple instances of Amazon Connect
<a name="multiple-instances-connect"></a>

### Best For
<a name="multiple-instances-best-for"></a>

Enterprises with geographic, regulatory, or security requirements infeasible to implement in single-region (telephony, data segregation, latency due to physical distance, etc.).

### Pros
<a name="multiple-instances-pros"></a>
+ **Strong isolation** – Each BU or region can have its own agents, routing, reporting. Isolation is required for agents in India, South Korea, and South Africa.
+ **Tailored configurations** – Flows, prompts, integrations can be customized per instance.
+ **Simpler data residency** – Can be useful for compliance in multinational organizations.
+ **Reduced blast radius** – An issue in one instance doesn't affect others.
+ **Geographic proximity** – Regions can be chosen to keep local telephony traffic local.

### Cons
<a name="multiple-instances-cons"></a>
+ **Higher management overhead** – Need to maintain and update multiple environments.
+ **Fragmented reporting** – Multi-region reporting currently needs to be built.
+ **Increased costs** – Each instance may require duplicate resources (Lambda, Amazon Lex, API).
+ **Inconsistent user experience** – Unless strictly governed, each instance may drift in flow design, customer experience, customer security models, etc.

## Summary
<a name="single-multiple-instances-summary"></a>

The decision of single- vs. multiple-instance architecture is nuanced, and highly dependent on the nature of the customer's requirements. Considering the scalability, customizability, programmability, and security of Amazon Connect, we generally recommend single-instance Amazon Connect architectures (including a single Amazon Connect Global Resiliency pair) in the absence of compelling requirements requiring multiple regions.

# Operational excellence in Amazon Connect workloads
<a name="operational-excellence"></a>

Operational excellence includes the ability to run and monitor systems to deliver business value and continually improve supporting processes and procedures. This section consists of design principles, best practices, and questions surrounding the operational excellence of Amazon Connect workloads.

## Prepare
<a name="prepare"></a>

Consider the following areas to prepare for an Amazon Connect workload.

### AWS account
<a name="awsaccount"></a>

With AWS Organizations, you can set up multiple AWS accounts for each level of your development, staging, and quality assurance environments. This allows you to centrally govern your environment as you grow and scale your workloads on AWS. Whether you are a growing startup or a large enterprise, Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts. This is the starting point for consuming AWS services along with a cloud adoption framework. 

### Region selection
<a name="regionselection"></a>

Amazon Connect Region selection is contingent upon data governance requirements, use case, services available in each Region, telephony costs in each Region, and latency in relation to your agents, contacts, and external transfer endpoint geography.

### Telephony
<a name="telephony-bp"></a>
+ **Phone number porting** Open a porting request as far in advance of your pending go-live date as possible. 

  When porting phone numbers for critical workloads, include all requirements and use case information in your claim/port number several months before the go-live date. This includes requests for live cutover support, communication prior, during, and after cutover, monitoring, and anything else specific to your use case. 

  For detailed information about porting your numbers, see [Port a current phone number to Amazon Connect](port-phone-number.md).
+ **Carrier diversity** In the US, you should use Amazon Connect telephony services for US toll-free numbers, allowing you to route toll-free traffic across multiple suppliers in an active-active fashion at no additional charge. In situations where you are forwarding inbound traffic to an Amazon Connect phone number, you should request redundant DID or Toll-Free numbers across multiple telephony providers. If you are claiming or porting multiple DID or Toll-Free numbers outside of the US, you should request that those numbers be claimed or ported to a variety of telephony providers for increased resiliency.
+ **International toll-free and high-concurrency DIDs** If you are using an existing toll-free national service to redirect inbound traffic to DIDs, you should request DID phone numbers across multiple telephony providers. A general recommendation for this configuration is 100 sessions per-DID and your AWS Solutions Architect can help with capacity calculations and setup.
+ **Testing** Thoroughly test all use case scenarios, preferably using the same or similar environment as your agents and customers. Ensure that you test several inbound and outbound scenarios for quality of experience, Caller ID functionality, and measure latency to ensure it falls within acceptable range for your use case. Any deviations from your target agent and customer environments need to be measured and accounted for. For more information, including use case testing instructions and criteria, see [Troubleshooting Issues with the Contact Control Panel (CCP)](troubleshooting.md).

### Agent workstation
<a name="agent-ws"></a>

The Amazon Connect Contact Control Panel (CCP) has specific network and hardware requirements that must be met to ensure the highest quality of service for your agents and contacts:
+ Set up your network for CCP use and ensure that your agent hardware meets the minimum requirements.
+ Ensure that you have used the Amazon Connect Check Connectivity Tool on the same network segment as your agents to verify that your network and environment are configured correctly for CCP use.
+ Calculate PSTN latency for use cases that require agents and contacts to be in geographically distant locations.
+ Review the [Troubleshooting Issues with the Contact Control Panel (CCP)](troubleshooting.md) section to create runbooks and playbooks for your agents and supervisors to follow should they encounter issues. 
+ Set up monitoring for your agent workstations and consider partner solutions for call quality monitoring. Your goal with monitoring your agent workstations should be the ability to identify the source of any potential network and resource contention. For example, consider a typical agent’s softphone network connection path to Amazon Connect:  
![\[Agent workstation monitoring.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/agentworkstation-oe.png)

  Without setting up monitoring at the local LAN/WAN, path to AWS, and agent workstation levels, it’s difficult and often impossible to determine if a voice quality issue is originating from your agent’s workstation, their private LAN/WAN, ISP, AWS, or the contact itself. Setting up logging and alerting mechanisms proactively is critical in determining root cause and optimizing your environment for voice quality.

### Configure your existing directory
<a name="configure-directory"></a>

If you are already using an AWS Directory Service directory to manage users, you can use the same directory to manage user accounts in Amazon Connect. This must be decided and configured when you create your Amazon Connect instance. You cannot change the identity option you select after you create the instance. For example, if you decide to change the directory you selected to enable Single Sign-On (SSO) for your instance, the only option is to delete the instance and create a new one. When you delete an instance, you lose all of its configuration settings and metrics data.

### Service Quotas
<a name="service-quotas-bp"></a>

Review the default service quotas for each service involved in your workload as well as the default service quotas for Amazon Connect and request increases where applicable. When requesting an increase for Amazon Connect, be sure to use expected values without additional padding for fluctuations. Fluctuations are considered automatically when you make your request.

### AWS Enterprise support
<a name="enterprise-support-bp"></a>

AWS Enterprise Support is recommended for business and/or mission-critical workloads on AWS. Both Enterprise Support and Well-Architected Review with an AWS Solutions Architect are required to qualify for the Amazon Connect Service Level Agreement. 

### AWS well-architected review
<a name="well-architected-review-bp"></a>

Before any migration or implementation to Amazon Connect, follow our best practices by using the AWS Well-Architected Framework, Operational Excellence. The Framework provides a consistent approach for you to evaluate architectures and implement designs that will scale over time based on five pillars — operational excellence, security, reliability, performance efficiency, and cost optimization. We also recommend using AWS Enterprise Support for business and mission-critical workloads in AWS. Both Enterprise Support and Well-Architected Review with your AWS Solutions Architect are required to qualify for the Amazon Connect Service Level Agreement. 

## Operate
<a name="operate-bp"></a>

Consider the following areas to operate an Amazon Connect workload.

### Logging and monitoring
<a name="logging-monitoring-bp"></a>

See [Monitoring your Amazon Connect instance using CloudWatch](monitoring-cloudwatch.md) and [Log Amazon Connect API calls with AWS CloudTrail](logging-using-cloudtrail.md). 

### Contact attributes
<a name="contactattributes-bp"></a>

Amazon Connect allows you to dynamically set and reference contact attributes within flows to create dynamic and personalized experiences for your contacts, build powerful self-service applications and data-driven IVRs, integrate with other AWS services, simplify phone number management, and support custom real-time and historical reporting and analytics. The following are best practices and considerations you can follow to reduce complexity, prevent data loss, and ensure a consistent quality of experience for your contacts.

Note the following considerations:
+ Data size – The contact attributes you set in a **Set contact attributes** block share a 32KB limit, and how much text fits within it varies depending on the charset, encoding, and language used. While this is generally enough data to play a short story for a contact, it is possible to exceed this limit, in which case any attributes set beyond the 32KB are truncated. 
+ Data sensitivity – Note if any attributes being set, queried, and referenced are sensitive or fall under any regulatory guidelines and ensure that the data is being treated appropriately for your use case. 
+ Data persistence – Any attributes set using the Set contact attributes block will be included in the contact record for your contact and available for screen pop to any custom agent desktop using the Streams API. Any time the attribute is referenced within your flow and logging is enabled for the flow, the name and value of the attribute will be logged to Amazon CloudWatch.

**Best practices**
+ Monitor usage – As you implement new functionality, onboard new business units, and iterate on existing flows, look up your current attribute usage in contact search, copy the attributes to a text editor, add the new attributes, and ensure that you do not exceed the 32KB size limitation. Be sure to account for variable length fields like firstName and lastName and ensure that, even when the maximum space is used in a field, that you are still below the 32KB limitation.
+ Clean-up – If data persistence isn’t required, you can set an attribute with the same name and a blank value to prevent the data from being stored to the contact record or passed in a screen pop to an agent using the [Amazon Connect Streams](https://github.com/aws/amazon-connect-streams) API while freeing up the bytes that data would have otherwise used in the contact record. 
+ Sensitive data – Use the **Store customer input** block to collect sensitive DTMF input from your contacts and use envelope encryption to protect both the raw data and the data keys used to encrypt them. Store sensitive data in a separate database where persistence is required, use the **Set logging behavior** flow block to disable logging whenever sensitive information is referenced, and remove, clean up, or obfuscate sensitive data using the **Set contact attributes** block Clean-up method outlined previously. For more information, see [Compliance validation in Amazon Connect](compliance-validation.md). 
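A budget check for the data-size consideration and the Monitor usage and Clean-up practices above, as an added example that is not AWS code. It assumes the 32KB limit is measured over the UTF-8 bytes of every attribute name plus value; the field maximum lengths and sample attributes are constructed for illustration.

```python
"""Contact attribute budget check (added example, not AWS code).

Assumption: the 32KB limit counts the UTF-8 bytes of each attribute name
and value taken together. Field maximum lengths are constructed values."""
from typing import Dict, Iterable, List, Tuple

LIMIT_BYTES = 32 * 1024          # the 32KB limit referenced in the guide
UTF8_MAX_BYTES_PER_CHAR = 4      # widest encoding of a single code point


def _size(key: str, value: str) -> int:
    return len(key.encode("utf-8")) + len(value.encode("utf-8"))


def attribute_bytes(attrs: Dict[str, str]) -> int:
    """Bytes the attributes occupy today. Non-ASCII names and values cost
    more than one byte per character, which is why the same character
    count fits a different number of attributes per language."""
    return sum(_size(k, v) for k, v in attrs.items())


def worst_case_bytes(attrs: Dict[str, str], max_lengths: Dict[str, int],
                     bytes_per_char: int = UTF8_MAX_BYTES_PER_CHAR) -> int:
    """Bytes if every variable-length field listed in max_lengths (for
    example firstName, lastName) were filled to its maximum length with
    the widest UTF-8 characters. This is the number to keep under the limit."""
    total = 0
    for k, v in attrs.items():
        name = len(k.encode("utf-8"))
        if k in max_lengths:
            total += name + max_lengths[k] * bytes_per_char
        else:
            total += name + len(v.encode("utf-8"))
    return total


def largest_attributes(attrs: Dict[str, str], top: int = 3) -> List[Tuple[str, int]]:
    """Which attributes dominate the budget: the first clean-up candidates."""
    sized = [(k, _size(k, v)) for k, v in attrs.items()]
    return sorted(sized, key=lambda kv: kv[1], reverse=True)[:top]


def check_budget(attrs: Dict[str, str], max_lengths: Dict[str, int],
                 limit: int = LIMIT_BYTES) -> dict:
    """Report current and worst-case usage against the limit."""
    current = attribute_bytes(attrs)
    worst = worst_case_bytes(attrs, max_lengths)
    return {
        "current_bytes": current,
        "worst_case_bytes": worst,
        "headroom_bytes": limit - worst,
        "over_limit": worst > limit,
        "largest": largest_attributes(attrs),
    }


def clean_up(attrs: Dict[str, str], keys: Iterable[str]) -> Dict[str, str]:
    """The guide's clean-up pattern: re-set an attribute with a blank value
    so the data is neither stored in the contact record nor screen-popped,
    and its bytes are freed for other attributes."""
    cleaned = dict(attrs)
    for k in keys:
        if k in cleaned:
            cleaned[k] = ""
    return cleaned
```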

### Telephony
<a name="telephony-bp"></a>

In the US, use toll-free phone numbers wherever possible to load balance across multiple carriers for additional route and carrier redundancy. This also helps to decrease time to resolution when compared to DID phone numbers, which must be managed by a single carrier. In situations where you use DIDs, load balance across numbers from multiple carriers, when possible, to increase reliability. Make sure that you handle all error paths in your flow appropriately, and implement the best practices, requirements, and recommendations located in [Troubleshooting Issues with the Contact Control Panel (CCP)](troubleshooting.md). 

If you’re forwarding your existing telephony provider’s phone numbers to Amazon Connect, ensure that the process to change the forward destination to an alternative DID/toll-free number or otherwise remove the forward is defined and well-understood by your operations team. Ensure that you have Runbooks and Playbooks specifically for production readiness assessments, phone number porting and forwarding processes, and troubleshooting audio issues that could arise when transferring calls from your existing telephony provider. You also want a repeatable process that your operations team can follow to determine if the source of these audio issues is Amazon Connect or your existing telephony provider.

### Amazon Connect APIs
<a name="apis-bp"></a>

Amazon Connect throttling quotas are by account, and not instance. You should consider the following best practices when working with Amazon Connect APIs: 

#### Implement a caching/queuing solution
<a name="queuingsolution"></a>

To decrease API data query overhead and avoid throttling, you can use an intermediary database like Amazon DynamoDB to store API call results rather than calling the API from all endpoints interested in the API data. For example, the following diagram represents the use of the Amazon Connect metric API from multiple sources that need to consume this information:

![\[Implement a caching and queuing solution.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/amazonconnectapis-oe.png)


Rather than having separate AWS Lambda functions, each with their own polling requirements, you can have a single AWS Lambda function write all interesting data to Amazon DynamoDB. Rather than having each endpoint go to the API directly to retrieve the data, they point to DynamoDB, as illustrated in the following diagram:

![\[A diagram showing endpoints pointing to DynamoDB instead of retrieving data from the API.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/amazonconnectapis2-oe.png)


This architecture allows you to change polling intervals and add endpoints, as needed, without worrying about exceeding service quotas, giving you the ability to scale to however many concurrent connections your database solution supports. You can use this same concept with querying any real-time data feeds from Amazon Connect. For situations where you need to perform an API action, like an Outbound API call, you can use this same concept in combination with Amazon Simple Queue Service (SQS) to queue API requests, using AWS Lambda with SQS to process them.

#### Exponential back off and retry strategies
<a name="retrystrategies"></a>

You can run into situations where API throttling limits get exceeded. This can happen when the API calls fail and are retried repeatedly or made directly from multiple concurrent endpoints without a caching or queuing solution implemented. To avoid exceeding your service quotas and impacting downstream processes, you should consider using exponential back off and retry strategies within your AWS Lambda functions in combination with caching and queueing.
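The single-poller cache from the previous section combined with the backoff strategy described here, as an added example that is not AWS code. The metric API is replaced by a constructed stub that throttles its first few calls; the error class, delay constants and TTL are this example's own assumptions, and in production the poller would be the one Lambda function writing to DynamoDB while every consumer reads the table.

```python
"""One poller feeding a shared cache, with backoff on throttling (added
example, not AWS code). The API is a constructed stub; the error class and
delay constants are this example's own assumptions."""
import random
import time
from typing import Callable, Optional


class ThrottlingError(Exception):
    """Stands in for the throttling response an AWS API returns."""


class StubMetricApi:
    """Constructed stand-in for the metric API: rejects the first
    `throttle_first` calls, then answers with a small metrics snapshot."""
    def __init__(self, throttle_first: int):
        self.calls = 0
        self._throttle_first = throttle_first

    def get_metrics(self) -> dict:
        self.calls += 1
        if self.calls <= self._throttle_first:
            raise ThrottlingError("rate exceeded")
        return {"AGENTS_AVAILABLE": 7, "CONTACTS_IN_QUEUE": 3, "snapshot": self.calls}


def call_with_backoff(fn: Callable[[], dict], max_attempts: int = 5,
                      base: float = 0.2, cap: float = 5.0,
                      sleep: Callable[[float], None] = time.sleep,
                      rng: Callable[[], float] = random.random) -> dict:
    """Exponential backoff with full jitter: before attempt n+1 wait
    uniform(0, min(cap, base * 2**n)). Jitter stops many retrying callers
    from lining up into synchronized bursts that re-trigger throttling;
    the attempt cap stops a failing call from retrying forever."""
    for attempt in range(max_attempts):
        try:
            return fn()
        except ThrottlingError:
            if attempt == max_attempts - 1:
                raise
            sleep(rng() * min(cap, base * (2 ** attempt)))
    raise AssertionError("unreachable")


class MetricCache:
    """Consumers call get(); only refresh() ever touches the API, so adding
    consumers or shortening their polling never adds API traffic."""
    def __init__(self, api: StubMetricApi, ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep):
        self._api = api
        self._ttl = ttl_seconds
        self._clock = clock
        self._sleep = sleep
        self._value: Optional[dict] = None
        self._fetched_at = float("-inf")

    def stale(self) -> bool:
        return self._clock() - self._fetched_at > self._ttl

    def refresh(self) -> dict:
        """The single poller: one API call, with backoff, per interval."""
        self._value = call_with_backoff(self._api.get_metrics, sleep=self._sleep)
        self._fetched_at = self._clock()
        return dict(self._value)

    def get(self) -> dict:
        """What every wallboard, dashboard or Lambda reads instead of the API."""
        if self._value is None or self.stale():
            return self.refresh()
        return dict(self._value)
```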

### Change management
<a name="changemanagement"></a>

Two of the primary drivers for moving workloads to the Amazon Connect are flexibility and speed to market. To ensure operational excellence without sacrificing agility, follow these best practices: 
+ **Modular flows**: Flows in Amazon Connect are similar to modern application building, where smaller, purpose-built components allow for more flexibility, control, and ease of management when compared to monolithic alternatives. You can make your flows small and re-usable, combining the modular flows into an end-to-end experience with **Transfer to flow** blocks. This approach reduces risk during change implementation, lets you test single, smaller changes rather than regression testing the entire experience, and makes it easier to identify and address issues with your flows during testing. 
+ **Repositories**: Back up all versions of all flows to a repository of your choice using contact flow Import/Export as part of your change management process. 
+ **Distribute by percentage**: To reduce risk encountered during change management and experiment with new experiences for your contacts, you can use the **Distribute by percentage** block to route a subset of your traffic to new flows while leaving the other traffic on the original experience. 
+ **Measuring results**: Data driven decision making is key to successfully driving meaningful changes for your business. Having a key metric to measure your changes against is absolutely necessary. For all changes you’re making, you need to plan for how you will measure success. For example, if you’re implementing self-service functionality for your contacts, what percentage of contacts do you expect to self-serve to consider the workload successful or what other metrics are you measuring to determine success? 
+ **Rollbacks**: Ensure that there is a clear, well-defined, and well-understood process to back out any changes to the previous state, specific to the change performed. For example, if you publish a new flow version, ensure that the change instructions include documentation on how to roll back to the previous flow version. 

### Routing profiles
<a name="routingprofiles"></a>

Understanding how priority, delay, and overflow routing work within Amazon Connect is critical to maximizing agent productivity, reducing contact wait times, and ensuring the best quality of experience for your contacts. 

### Routing in Amazon Connect
<a name="routing-bp"></a>

Contact routing in Amazon Connect is done through a collection of queues and routing configurations called a routing profile. A queue is equivalent to a skill or proficiency that an agent needs to possess to service contacts for that queue. A routing profile can be viewed as a set of skills that you can match to your contact’s needs.

Within your flow, you can prompt the contact for additional information and, if they need to reach an agent, use the flow configuration to place them in the appropriate queue. In the following example, Savings, Checking, and Loans are individual queues or skills, and the three routing profiles are unique skillsets, or groups of skills:

![\[Routing by groups of queues.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/routingprofile1.png)


Each agent is assigned to only one routing profile based on their skillset, and many agents with a similar skillset can share the same routing profile:

![\[Routing by skillset.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/routingprofile2.png)


Each phone number or chat endpoint is associated with one flow. The flow executes its logic, which may involve prompting the customer for information to determine the contact’s needs, and eventually routes the contact into an appropriate queue. The following diagram depicts how routing profile, queue, and flow work together to service a contact:

![\[Routing diagram showing how a routing profile, queue, and flow work together to service a contact.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/routingprofile3.png)


To illustrate how you might determine various queues, routing profiles, and agent assignments to the routing profiles, consider the following table: 

![\[Routing by groups of queues.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/routingprofile4.png)


On the top row, you’ve identified your skills or queues. In the left column, you have your list of agents, and in the middle, you’ve checked the skills supported by each agent. You can sort the matrix grouped by the common sets of skill requirements across your agent population. This helps identify the routing profiles, such as the one marked in the green box (which consists of two queues), which you can assign agents to. As a result of this exercise, you have identified four routing profiles and assigned your 13 agents to them accordingly.

Based on the previous table, an incoming call from a contact needing the Savings skill could be served by three groups of agents in the three routing profiles 1, 2, and 4 as depicted in the following diagram:

![\[Routing by groups of queues.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/routingprofile5.png)


### Priority and delay
<a name="prioritydelay-bp"></a>

Using the combination of priority and delay in different Routing Profiles, you can create flexible routing strategies. 

![\[A diagram showing priority and delay in a Routing Profiles to create a routing strategy.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/priorityandelay.png)


The preceding routing profile example shows a set of queues and their respective priority and delay. The lower the number, the higher the priority. All higher priority calls must be processed before a lower priority call will be processed. This differs from systems that eventually process lower-priority calls based on a weighting factor.

You can also add a delay to each of the queues within each routing profile. Any call coming into the queue is held for the delay period assigned to that queue in the profile, even when agents are available. You might use this when you have a group of agents who are reserved to help you meet your Service Level Agreements (SLAs) but are otherwise assigned to other tasks or queues. If a call isn’t answered within the specified period, these agents become eligible to receive a call from the designated queue. For example, consider the following diagram:

![\[A diagram showing the Savings queue routing a call to an available agent.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/priorityandelay2.png)


This diagram shows an SLA of 30 seconds. A call comes in for the Savings queue. The Savings queue immediately looks for an agent in the "Savings" routing profile because that profile configures a delay of 0 for the queue. Because the Senior Agents profile configures a delay of 15 for the queue, those agents are not eligible to receive the Savings contact for 15 seconds. After 15 seconds elapse, the contact becomes available to a Senior Level agent, and Amazon Connect looks for the longest-available agent across both routing profiles.
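The priority and delay rules described above, as an added simulation that is not part of the Amazon Connect documentation: the profiles, agents, and timings are constructed to mirror the Savings / Senior Agents scenario, and agent selection follows the stated rules (strict priority order, delay enforced even when agents are idle, ties broken by the longest-available agent).

```python
from dataclasses import dataclass


@dataclass
class QueueSetting:
    priority: int  # lower number = higher priority, strictly (no weighting)
    delay: int     # seconds a contact must wait before this profile's agents are eligible


@dataclass
class RoutingProfile:
    name: str
    queues: dict   # queue name -> QueueSetting


@dataclass
class Agent:
    name: str
    profile: RoutingProfile
    available_since: int   # simulation second at which the agent last became idle
    available: bool = True


@dataclass
class Contact:
    contact_id: str
    queue: str
    enqueued_at: int       # simulation second at which the contact entered the queue


def eligible_agents(contact, agents, now):
    """Idle agents whose profile serves the contact's queue and whose delay has elapsed.

    The delay is enforced even when the agent is idle; that is what reserves
    the Senior Agents for SLA protection in the diagram's example.
    """
    waited = now - contact.enqueued_at
    return [
        a for a in agents
        if a.available
        and contact.queue in a.profile.queues
        and waited >= a.profile.queues[contact.queue].delay
    ]


def pick_agent(contact, agents, now):
    """Longest-available eligible agent, or None if the contact keeps waiting."""
    candidates = eligible_agents(contact, agents, now)
    if not candidates:
        return None
    return min(candidates, key=lambda a: a.available_since)


def pick_contact(agent, queued, now):
    """Which waiting contact an agent who just became idle should receive.

    Strictly highest priority (lowest number) first; only among contacts of
    equal priority does the longest-waiting contact win. Contacts still inside
    their delay window for this agent's profile are skipped.
    """
    candidates = []
    for c in queued:
        setting = agent.profile.queues.get(c.queue)
        if setting is None or now - c.enqueued_at < setting.delay:
            continue
        candidates.append((setting.priority, c.enqueued_at, c))
    if not candidates:
        return None
    return min(candidates, key=lambda t: (t[0], t[1]))[2]


# Constructed scenario mirroring the diagram: Savings agents take Savings
# contacts immediately; Senior Agents take them only after a 15-second delay.
SAVINGS = RoutingProfile("Savings", {"Savings": QueueSetting(priority=1, delay=0)})
SENIOR = RoutingProfile("Senior Agents", {
    "Savings": QueueSetting(priority=2, delay=15),
    "Loans": QueueSetting(priority=1, delay=0),
})


def sla_walkthrough():
    """Which agent receives a Savings contact at several points in time
    when the only Savings-profile agent is busy."""
    alice = Agent("alice", SAVINGS, available_since=10, available=False)  # busy
    bob = Agent("bob", SENIOR, available_since=0)
    contact = Contact("c1", "Savings", enqueued_at=20)
    result = {}
    for now in (20, 30, 35):
        chosen = pick_agent(contact, [alice, bob], now)
        result[now] = chosen.name if chosen else None
    return result  # {20: None, 30: None, 35: 'bob'}


if __name__ == "__main__":
    print(sla_walkthrough())
```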

### Path to service
<a name="pathtoservice-bp"></a>

When you are designing customer experiences in Amazon Connect, plan to ensure a path to service. There are many planned and unplanned events that can impact the customer experience as they traverse through Amazon Connect Flows. The following sample customer experience shows some suggested checks to ensure a consistent quality experience for your contacts:

![\[Diagram showing a Path to service to respond to unplanned events that could affect customer service.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/pathtoservice.png)


This sample customer experience takes into account planned events such as Holidays and Business hours as well as unplanned events, like agents not staffed during business hours. With this logic, you can also account for emergency situations, such as contact center closures because of inclement weather or service disruptions. Consider the following concepts as illustrated in the diagram:
+ **Self-service**: In a typical IVR, you can include any greetings and disclaimer messages such as call recording announcements upfront, which can be followed by self-service options. Self-service brings cost and performance optimizations for your contact center and enables your organization to serve customers 24x7, regardless of holidays, business hours, or availability of agents. Always include a path to service in case customers are unable to self-serve and need human assistance. For example, if you are using Amazon Lex bots for self-service, you can make use of fallback intents to escalate conversations for human assistance. 
+ **Holidays**: Many enterprise customers have a central repository that holds corporate holidays. You can use an AWS Lambda function to data dip into that repository and offer holiday treatment to customers. Additionally, you can store corporate holidays in DynamoDB along with a custom message for each holiday. For example, if your enterprise observes December 25 as Christmas, you could have a holiday prompt or Text to Speech, "We are currently closed for Christmas. Please call back on December 26 when our normal business hours will resume."  
![\[A diagram showing how Amazon Connect uses AWS Lambda and DynamoDB to play messages to customers.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/holidays.png)
+ **Business hours**: After holidays have been verified, you can check for business hours and, if outside of business hours, change the experience dynamically for your contacts. If the contact occurs during business hours, you can identify customer intent for calls and map to certain queues in your contact center, increasing the likelihood of getting to the correct agent and decreasing the amount of time it takes your contact to reach service. We highly recommend mapping defaults, because customers could be calling for a reason you haven’t accounted for yet or may respond in a way you don’t expect.
+ **Emergency messages**: After you have identified customer intent for the call, it is suggested to implement an emergency check treatment. In the event of an emergency situation that impacts your contact center, you can store an emergency True/False flag in an intermediary database like DynamoDB. To allow your supervisors and administrators to set this flag dynamically, with no code, you can build a separate IVR, for internal use only, that authenticates your Amazon Connect administrators based on ANI and PIN verification. In the event of an emergency, your supervisors can call into that dedicated line from their phones and, after authentication, set the Emergency flag to true for scenarios such as a contact center closure due to inclement weather or an ISP outage at the physical location of the contact center.
+ **Emergency message API**: You can also consider building an Amazon API Gateway API with an AWS Lambda function at the back end to set the Emergency flag to true/false securely in the database. Your supervisors can securely access that API through the web to toggle disaster mode, or it can be toggled dynamically in response to an external event. In your Amazon Connect instance, every contact that comes in through the flow uses AWS Lambda to check for that emergency flag and, in disaster mode, you can dynamically make announcements and provide the customer with a path to service. This further ensures business continuity and mitigates the impact of such situations on your customers.
+ **Check agent staffing**: Before transferring to the queue in your flow, you can check agent staffing to ensure that an agent is logged in to service the contact. For example, you may have an agent busy servicing another contact who might become available in the next five minutes, or you may not have anyone logged into the system at all. In these cases, you will prefer a different customer experience rather than making the contact wait in the queue for an agent to become available. 
+ **Route to service**: When you transfer the call to the queue, you can offer queued callbacks, queue overflows, or tiered routing using Amazon Connect routing profiles to offer a consistent, high-quality experience for your callers that meets your Service Level requirements.
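The holiday and emergency-flag checks from the path-to-service design, as an added flow Lambda that is not part of the Amazon Connect documentation. The single-table layout (`pk`/`sk` keys, `enabled`, `name` and `message` attributes), the `UtcOffsetHours` parameter, and the returned attribute names are assumptions; `lookup` is an injected table accessor so the example runs offline, and in production it would wrap boto3's DynamoDB `Table.get_item`.

```python
import datetime as dt

# Assumed table layout: one DynamoDB table with a composite key (pk, sk).
EMERGENCY_KEY = {"pk": "CONFIG", "sk": "EMERGENCY"}


def holiday_key(iso_date):
    return {"pk": "HOLIDAY", "sk": iso_date}


def decide(iso_date, lookup):
    """Order matters: an emergency closure overrides holiday and business-hours logic."""
    emergency = lookup(EMERGENCY_KEY) or {}
    if str(emergency.get("enabled", "false")).lower() == "true":
        return {
            "Disposition": "EMERGENCY",
            "HolidayName": "",
            "Message": emergency.get("message", "We are temporarily unable to take your call."),
        }
    holiday = lookup(holiday_key(iso_date))
    if holiday:
        return {
            "Disposition": "HOLIDAY",
            "HolidayName": holiday.get("name", ""),
            "Message": holiday.get("message", ""),
        }
    # OPEN: the flow continues to its business-hours check.
    return {"Disposition": "OPEN", "HolidayName": "", "Message": ""}


def to_connect_attributes(attrs):
    """Amazon Connect only accepts a flat map of string keys to string values from Lambda."""
    out = {}
    for key, value in attrs.items():
        if isinstance(value, (dict, list, tuple)):
            raise ValueError(f"nested value not allowed for attribute {key!r}")
        out[str(key)] = "" if value is None else str(value)
    return out


def make_handler(lookup, today_fn=None):
    """Build a Lambda handler; `lookup(key) -> item or None` wraps the table access."""

    def handler(event, context):
        details = event.get("Details", {})
        if today_fn is not None:
            today = today_fn()
        else:
            # The Lambda block can pass the center's UTC offset as a parameter
            # (assumed name 'UtcOffsetHours') so the date check is local, not UTC.
            offset = float(details.get("Parameters", {}).get("UtcOffsetHours", "0"))
            now = dt.datetime.now(dt.timezone.utc) + dt.timedelta(hours=offset)
            today = now.date().isoformat()
        attrs = decide(today, lookup)
        attrs["ContactId"] = details.get("ContactData", {}).get("ContactId", "")
        return to_connect_attributes(attrs)

    return handler


# Constructed sample data standing in for the DynamoDB table.
SAMPLE_TABLE = {
    ("HOLIDAY", "2025-12-25"): {
        "name": "Christmas",
        "message": "We are currently closed for Christmas. Please call back on "
                   "December 26 when our normal business hours will resume.",
    },
    ("CONFIG", "EMERGENCY"): {
        "enabled": "false",
        "message": "Our contact center is closed due to severe weather.",
    },
}


def sample_lookup(key):
    return SAMPLE_TABLE.get((key["pk"], key["sk"]))


# Real deployment (not executed here):
#   table = boto3.resource("dynamodb").Table("contact-center-config")
#   lookup = lambda key: table.get_item(Key=key).get("Item")
lambda_handler = make_handler(sample_lookup)
```

The flow's **Invoke AWS Lambda function** block then branches on `$.External.Disposition` and plays `$.External.Message` for the HOLIDAY and EMERGENCY cases.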

## Resources
<a name="operational-resources-bp"></a>

**Documentation**
+ [DevOps and AWS](https://aws.amazon.com/devops/)
+ [Amazon Connect Service API Documentation](https://docs.aws.amazon.com/connect/latest/APIReference/welcome.html)

**Blog**
+ [How to handle unexpected contact spikes with Amazon Connect](https://aws.amazon.com/blogs/contact-center/how-to-handle-unexpected-contact-spikes-with-amazon-connect/)

**Video**
+ [DevOps at Amazon](https://www.youtube.com/watch?v=esEFaY0FDKc.pdf) 

# Design principles for developing a secure contact center in Amazon Connect
<a name="security-bp"></a>

Security includes the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies. This section provides an overview of design principles, best practices, and questions surrounding security for Amazon Connect workloads. 

## Amazon Connect Security Journey
<a name="amazon-connect-security-journey"></a>

After you’ve made the decision to move your workload to Amazon Connect, in addition to reviewing [Security in Amazon Connect](security.md) and [Security Best Practices for Amazon Connect](security-best-practices.md), follow these guidelines and steps to understand and implement your security requirements relative to the following core security areas:

![\[A diagram showing the core security areas to implement in Amazon Connect.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/securityjourney.png)


### Understanding the AWS Security Model
<a name="understanding-security-model"></a>

When you move computer systems and data to the cloud, security responsibilities become shared between you and AWS. AWS is responsible for securing the underlying infrastructure that supports the cloud, and you’re responsible for anything you put in the cloud or connect to the cloud.

![\[Understanding the AWS Security Model.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/shareresponsibilitymodel.png)


Which AWS services you use determines how much configuration work you have to perform as part of your security responsibilities. When you use Amazon Connect, the shared model reflects AWS and customer responsibilities at a high level, as shown in the following diagram.

![\[AWS shared responsibility model for Amazon Connect.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/shareresponsibilitymodelforamazonconnect.png)


### Compliance Foundations
<a name="compliance-foundations"></a>

Third-party auditors assess the security and compliance of Amazon Connect as part of multiple AWS compliance programs. These include [SOC](https://aws.amazon.com/compliance/soc-faqs/), [PCI](https://aws.amazon.com/compliance/pci-dss-level-1-faqs/), [HIPAA](https://aws.amazon.com/compliance/hipaa-compliance/), [C5 (Frankfurt)](https://aws.amazon.com/compliance/bsi-c5/), and [HITRUST CSF](https://aws.amazon.com/compliance/hitrust/). 

For a list of AWS services in scope of specific compliance programs, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/). For general information, see [AWS Services Compliance Programs](https://aws.amazon.com/compliance/programs/). 

### Region selection
<a name="regionselection"></a>

Region selection to host the Amazon Connect instance depends on data sovereignty restrictions and where the contacts and agents are based. After that decision is made, review the network requirements for Amazon Connect and the ports and protocols that you need to allow. Additionally, to reduce the blast radius, use the domain allow list or allowed IP address ranges for your Amazon Connect instance.

For more information, see [Set up your network to use the Amazon Connect Contact Control Panel (CCP)](ccp-networking.md).

### AWS services integration
<a name="servicesintegration"></a>

We recommend reviewing each AWS service in your solution against the security requirements of your organization. See the following resources: 
+ [Security in AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/lambda-security.html) 
+ [Security and Compliance in DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/security.html) 
+ [Security in Amazon Lex](https://docs.aws.amazon.com/lex/latest/dg/security.html) 

## Data Security in Amazon Connect
<a name="datasecurity-bp"></a>

During your security journey, your security teams may require a deeper understanding of how data is handled in Amazon Connect. See the following resources: 
+ [Detailed network paths for Amazon Connect](detailed-network-paths.md)
+ [Infrastructure security in Amazon Connect](infrastructure-security.md)
+ [Compliance validation in Amazon Connect](compliance-validation.md)

### Workload diagram
<a name="workload-diagram"></a>

Review your workload diagram and architect an optimum solution on AWS. This includes analyzing and deciding which additional AWS services should be included in your solution and any third-party and on-premises applications that need to be integrated. 

## AWS Identity and Access Management (IAM)
<a name="iam-bp"></a>

### Types of Amazon Connect Personas
<a name="typesofpersonas"></a>

There are four types of Amazon Connect personas, based on the activities being performed.

![\[Types of Amazon Connect personas.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/amazonconnectpersonas.png)


1. AWS administrator – AWS administrators create or modify Amazon Connect resources and may also delegate administrative access to other principals by using the AWS Identity and Access Management (IAM) service. The scope of this persona is focused on creating and administering your Amazon Connect instance.

1. Amazon Connect administrator – Service administrators determine which Amazon Connect features and resources employees should access within the Amazon Connect admin website. The service administrator assigns security profiles to determine who can access the Amazon Connect admin website and what tasks they can perform. The scope of this persona is focused on creating and administering your Amazon Connect contact center.

1. Amazon Connect agent – Agents interact with Amazon Connect to perform their job duties. Service users may be contact center agents or supervisors.

1. Amazon Connect Service contact – The customer who interacts with your Amazon Connect contact center.

### IAM Administrator Best Practices
<a name="iambp"></a>

IAM Administrative access should be limited to approved personnel within your organization. IAM administrators should also understand what IAM features are available to use with Amazon Connect. For IAM best practices, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*. Also see [Amazon Connect identity-based policy examples](security_iam_id-based-policy-examples.md). 

### Amazon Connect Service Administrator Best Practices
<a name="iambp"></a>

Service administrators are responsible for managing Amazon Connect users, including adding users to Amazon Connect, giving them their credentials, and assigning the appropriate permissions so they can access the features needed to do their job. Administrators should start with a minimum set of permissions and grant additional permissions as necessary. 

[Security profiles for Amazon Connect and Contact Control Panel (CCP) access](connect-security-profiles.md) help you manage who can access the Amazon Connect dashboard and Contact Control Panel, and who can perform specific tasks. Review the granular permissions granted within the default security profiles available natively. You can set up custom security profiles to meet specific requirements, for example, a power agent who can take calls but also has access to reports. After this is finalized, assign users to the correct security profiles.

### Multi-Factor Authentication
<a name="mfa"></a>

For extra security, we recommend that you require multi-factor authentication (MFA) for all IAM users in your account. MFA can be [set up through AWS IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html), your SAML 2.0 identity provider, or a RADIUS server, if that's more applicable for your use case. After MFA is set up, a third text box becomes visible on the Amazon Connect login page to provide the second factor.

### Identity Federation
<a name="identityfederation"></a>

In addition to storing users in Amazon Connect, you can [enable single sign-on (SSO) to Amazon Connect](configure-saml.md) by using identity federation. Federation is a recommended practice to allow for employee lifecycle events to be reflected in Amazon Connect when they are made in the source identity provider. 

### Access to Integrated Applications
<a name="accessintegratedapps"></a>

Steps within your flows may need credentials to access information in external applications and systems. To provide credentials to access other AWS services securely, use IAM roles. An IAM role is an entity that has its own set of permissions but that isn't a user or group. Roles also don't have their own permanent credentials; the temporary credentials they provide are rotated automatically. 

Credentials such as API keys should be stored outside of your flow application code, where they can be retrieved programmatically. To accomplish this, you can use AWS Secrets Manager or an existing third-party solution. Secrets Manager enables you to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.

## Detective controls
<a name="detectivecontrols"></a>

Logging and monitoring are important for the availability, reliability, and performance of a contact center. You should log relevant information from Amazon Connect flows to Amazon CloudWatch and build alerts and notifications based on those logs. 

You should define log retention requirements and lifecycle policies early on, and plan to move log files to cost-efficient storage locations as soon as practical. Amazon Connect public API calls are logged to AWS CloudTrail. You should review those CloudTrail logs and automate actions based on them.

Amazon S3 is the best choice for long-term retention and archiving of log data, especially for organizations with compliance programs that require log data to be auditable in its native format. After log data is in an S3 bucket, define lifecycle rules to automatically enforce retention policies and move these objects to other, cost-effective storage classes, such as Amazon S3 Standard - Infrequent Access (Standard - IA) or Amazon Glacier.

The AWS Cloud provides flexible infrastructure and tools to support both sophisticated offerings delivered in cooperation with partners and self-managed centralized-logging solutions. This includes solutions such as Amazon OpenSearch Service and Amazon CloudWatch Logs. 

Fraud detection and prevention for incoming contacts can be implemented by customizing Amazon Connect flows to your requirements. As an example, you can check incoming contacts against previous contact activity in DynamoDB, and then take action, such as disconnecting a contact because it is on a blocked list.

## Infrastructure protection
<a name="infrastructureprotection"></a>

Although there is no infrastructure to manage in Amazon Connect, there could be scenarios where your Amazon Connect instance needs to interact with other components or applications deployed in infrastructure residing on-premises. Consequently, it is important to ensure that networking boundaries are considered under this assumption. Review and implement specific Amazon Connect infrastructure security considerations. Also, review contact center agent and supervisor desktops or VDI solutions for security considerations. 

You can configure a Lambda function to connect to private subnets in a virtual private cloud (VPC) in your account. Use Amazon Virtual Private Cloud to create a private network for resources such as databases, cache instances, or internal services. Connect your function to the VPC to access private resources during execution.

## Data protection
<a name="dataprotection"></a>

Customers should analyze the data traversing through and interacting with the contact center solution.
+ Third-party and external data
+ On-premises data in hybrid Amazon Connect architectures

After analyzing the scope of the data, classify it, paying attention to identifying sensitive data. Amazon Connect conforms to the AWS shared responsibility model. [Data protection in Amazon Connect](data-protection.md) includes best practices like using MFA and TLS and the use of other AWS services, including Amazon Macie. 

Amazon Connect [handles a variety of data related to contact centers](data-handled-by-connect.md). This includes phone call media, call recordings, chat transcripts, and contact metadata, as well as flows, routing profiles, and queues. Amazon Connect handles data at rest by segregating data by account ID and instance ID. All data exchanged with Amazon Connect is protected in transit between the user's web browser and Amazon Connect using open-standard TLS encryption. 

You can specify AWS KMS keys to be used for encryption including bring your own key (BYOK). Additionally, you can use key management options within Amazon S3.

### Protecting Data Using Client-Side Encryption
<a name="protectingdata"></a>

Your use case may require encryption of sensitive data that is collected by flows, for example, when gathering personal information to customize the customer experience as they interact with your IVR. To do this, you can use public-key cryptography with the [AWS Encryption SDK](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html). The AWS Encryption SDK is a client-side encryption library designed to make it efficient for everyone to encrypt and decrypt data using open standards and best practices. 

### Input validation
<a name="inputvalidation"></a>

Perform input validation to ensure that only properly formed data is entering the flow. This should happen as early as possible in the flow. For example, when prompting a customer to say or enter a telephone number, they may or may not include the country code.
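The telephone-number case above, as an added validation Lambda that is not part of the Amazon Connect documentation. It assumes the **Store customer input** value is passed to the function as a parameter named `PhoneNumber`, that numbers entered without a country code are North American (+1), and that the flow branches on the returned `Valid` attribute; the regex and the `011` international-prefix handling are this example's own.

```python
import re

DEFAULT_COUNTRY_CODE = "1"          # assumption: the IVR serves NANP callers
_NON_DIGITS = re.compile(r"\D")


def normalize_phone(raw, default_cc=DEFAULT_COUNTRY_CODE):
    """Return the number in E.164 form (+<cc><national>) or None if malformed.

    Accepts what a caller may say or key in: '555 234 5678', '+1 (555) 234-5678',
    '15552345678', and '011 44 20 7946 0958' (NANP international dial prefix).
    """
    if raw is None:
        return None
    text = raw.strip()
    has_cc = text.startswith("+")
    digits = _NON_DIGITS.sub("", text)
    if not has_cc and digits.startswith("011"):
        # '011' is how NANP callers dial internationally; treat it like '+'.
        digits, has_cc = digits[3:], True
    if not digits:
        return None
    if has_cc:
        # E.164: at most 15 digits, no leading zero; the lower bound is a
        # practical sanity check, not part of the standard.
        if digits[0] == "0" or not 7 <= len(digits) <= 15:
            return None
        return "+" + digits
    # No country code given: accept a 10-digit national number or 11 digits
    # that already start with the default country code.
    if len(digits) == 10:
        digits = default_cc + digits
    elif not (len(digits) == 11 and digits.startswith(default_cc)):
        return None
    national = digits[len(default_cc):]
    # NANP rule: neither the area code nor the exchange may start with 0 or 1.
    if national[0] in "01" or national[3] in "01":
        return None
    return "+" + digits


def lambda_handler(event, context):
    """Flow Lambda: validate early and hand the flow flat string attributes."""
    raw = event.get("Details", {}).get("Parameters", {}).get("PhoneNumber", "")
    normalized = normalize_phone(raw)
    return {
        "Valid": "true" if normalized else "false",
        "E164": normalized or "",
        "Raw": str(raw),
    }
```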

## Amazon Connect security vectors
<a name="securityvectors"></a>

Amazon Connect security can be divided into three logical layers as illustrated in the following diagram:

![\[Amazon Connect security vectors.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/securityvectors.png)


1. **Agent workstation**. The agent workstation layer is not managed by AWS and consists of any physical equipment and third-party technologies, services, and endpoints that facilitate your agent’s voice and data and their access to the Amazon Connect interface layer.

   Follow your security best practices for this layer with special attention to the following:
   + Plan identity management keeping in mind best practices noted in [Security Best Practices for Amazon Connect](security-best-practices.md).
   + Mitigate insider threat and compliance risk associated with workloads that handle sensitive information, by creating a secure IVR solution that enables you to bypass agent access to sensitive information. By encrypting contact input in your flows, you’re able to capture information securely without exposing it to your agents, their workstations, or their operating environments. For more information, see [Encrypt sensitive customer input in Amazon Connect](encrypt-data.md).
   + You are responsible for maintaining the allowlist of AWS IP addresses, ports, and protocols needed to use Amazon Connect. 

1. **AWS**: The AWS layer includes Amazon Connect and AWS integrations including AWS Lambda, Amazon DynamoDB, Amazon API Gateway, Amazon S3, and other services. Follow the security pillar guidelines for AWS services, with special attention to the following:
   + Plan identity management, keeping in mind best practices noted in [Security Best Practices for Amazon Connect](security-best-practices.md).
   + Integrations with other AWS services: Identify each AWS service in the use case as well as any third-party integration points applicable for this use case. 
   + Amazon Connect can integrate with AWS Lambda functions that run inside of a customer VPC through the [VPC endpoints for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html). 

   

1. **External**: The External layer includes contact points including chat, click-to-call endpoints, and the PSTN for voice calls, integrations you may have with legacy contact center solutions in a Hybrid contact center architecture, and integrations you may have with other third-party solutions. Any entry point or exit point for a third party in your workload is considered the external layer.

   This layer also covers integrations customers may have with other third-party solutions and applications such as CRM systems, workforce management (WFM), and reporting and visualization tools and applications, such as Tableau and Kibana. You should consider the following areas when securing the external layer:
   + You can [create contact filters for repeat and fraudulent contacts](https://aws.amazon.com/blogs/contact-center/how-to-protect-against-spam-calls-for-click-to-dial/) using AWS Lambda to write contact details to DynamoDB from within your flow, including ANI, IP address for click-to-dial and chat endpoints, and any other identifying information to track how many contact requests occur during a given period of time. This approach allows you to query and add contacts to deny lists, automatically disconnecting them if they exceed reasonable levels. 
   + ANI fraud detection solutions using [Amazon Connect telephony metadata](connect-attrib-list.md#telephony-call-metadata-attributes) and [partner solutions](https://aws.amazon.com/connect/partners/) can be used to protect against caller ID spoofing. 
   + [Amazon Connect Voice ID](voice-id.md) and other voice biometric partner solutions can be used to enhance and streamline the authentication process. Active voice biometric authentication allows contacts the option to speak specific phrases and use those for voice signature authentication. Passive voice biometrics allow contacts to register their unique voiceprint and use their voiceprint to authenticate with any voice input that meets sufficient length requirements for authentication.
   + Maintain the [application integration](app-integration.md) section in the Amazon Connect console for adding any third-party application or integration points to your allowlist, and remove unused endpoints.
   + Send only the data necessary to meet minimum requirements to external systems that handle sensitive data. For example, if you have only one business unit using your call recording analytics solution, you can set an AWS Lambda trigger in your S3 bucket to process contact records, check for the business unit’s specific queues in the contact record data, and if it is a queue that belongs to the unit, send only that call recording to the external solution. With this approach, you only send the data necessary and avoid the cost and overhead associated with processing unnecessary recordings.

     For an integration that enables Amazon Connect to communicate with Amazon Kinesis and Amazon Redshift to enable the streaming of contact records, see [Amazon Connect integration: Data streaming](https://aws.amazon.com/quickstart/connect/data-streaming/).
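The repeat-contact filter described in the first bullet above, and the DynamoDB-backed check against previous contact activity under Detective controls, as one added flow Lambda that is not part of the Amazon Connect documentation or the linked blog post. The in-memory `ContactHistory` stands in for the DynamoDB table; the 10-minute window, the threshold of five attempts, the `ClientIp` contact attribute for chat and click-to-dial, and the returned `Action` attribute are assumptions.

```python
import time

DISCONNECT = "DISCONNECT"
CONTINUE = "CONTINUE"


class ContactHistory:
    """Constructed stand-in for DynamoDB: attempts per identifier plus a deny list."""

    def __init__(self):
        self.attempts = {}   # identifier -> list of epoch seconds
        self.denied = set()

    def record(self, identifier, ts):
        self.attempts.setdefault(identifier, []).append(ts)

    def count_since(self, identifier, since):
        return sum(1 for t in self.attempts.get(identifier, ()) if t >= since)

    def deny(self, identifier):
        self.denied.add(identifier)

    def is_denied(self, identifier):
        return identifier in self.denied


def contact_identifier(event):
    """ANI for voice contacts; the client IP (assumed attribute name) for chat/click-to-dial."""
    data = event.get("Details", {}).get("ContactData", {})
    if data.get("Channel", "VOICE") == "VOICE":
        ani = data.get("CustomerEndpoint", {}).get("Address")
        if ani:
            return "ani:" + ani
    ip = data.get("Attributes", {}).get("ClientIp")
    if ip:
        return "ip:" + ip
    return None


def evaluate_contact(event, history, now=None, window_seconds=600, threshold=5):
    """Record the attempt, then tell the flow whether to continue or disconnect.

    Returns a flat string map, as Amazon Connect requires from a Lambda block.
    """
    now = time.time() if now is None else now
    ident = contact_identifier(event)
    if ident is None:
        # Nothing to key on: never block blindly, but let the flow know.
        return {"Action": CONTINUE, "Identifier": "", "RecentContacts": "0"}
    window_start = now - window_seconds
    if history.is_denied(ident):
        return {"Action": DISCONNECT, "Identifier": ident,
                "RecentContacts": str(history.count_since(ident, window_start))}
    history.record(ident, now)
    recent = history.count_since(ident, window_start)
    if recent > threshold:
        # Exceeded the sliding-window limit: add to the deny list so later
        # attempts are cut off even after the window has rolled over.
        history.deny(ident)
        return {"Action": DISCONNECT, "Identifier": ident, "RecentContacts": str(recent)}
    return {"Action": CONTINUE, "Identifier": ident, "RecentContacts": str(recent)}


HISTORY = ContactHistory()   # module-level so warm Lambda invocations share it in this demo


def lambda_handler(event, context):
    return evaluate_contact(event, HISTORY)
```

The flow branches on `$.External.Action` and routes DISCONNECT to a **Disconnect** block; the `RecentContacts` count is useful to log to CloudWatch for alerting on bursts.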

## Resources
<a name="securityvectors-resources-bp"></a>

**Documentation**
+ [AWS Cloud Security](https://aws.amazon.com/security/) 
+ [Security in Amazon Connect](security.md)
+ [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
+ [AWS Compliance](https://aws.amazon.com/compliance/)
+ [AWS Security blog](https://aws.amazon.com/blogs/security/)

**Articles**
+ [Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html) 
+ [Introduction to AWS Security](https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/introduction-aws-security.pdf)
+ [AWS Security Best Practices](https://aws.amazon.com/architecture/security-identity-compliance/) 

**Videos**
+ [AWS Security State of the Union](https://www.youtube.com/watch?v=Wvyc-VEUOns) 
+  [AWS Compliance - The Shared Responsibility Model](https://www.youtube.com/watch?v=U632-ND7dKQ) 

# Load and penetration / security testing policies for Amazon Connect
<a name="load-and-penetration-testing"></a>

Amazon Connect regularly performs rigorous testing to ensure our service delivers the security, reliability, and availability required to support world-class contact centers of all sizes. 

Amazon Connect has developed policies and requirements governing your ability to conduct your own security assessments (such as penetration tests) and load testing to validate your environments and ensure they are production-ready. This topic explains those policies and requirements.

## Security and penetration testing
<a name="securityandpenetrationtesting"></a>

Due to the inherent risk of damage from security testing, Amazon Connect does not support any customer security or penetration tests, as explained on this AWS Cloud Security page: [Penetration Testing](https://aws.amazon.com/security/penetration-testing). It is not listed as a permitted service under **Customer Service Policy for Penetration Testing**.

Amazon Connect has a rigorous security and penetration test routine. If you have requirements related to security, ask your AWS account team (Technical Account Manager or Solution Architect) for assistance.

## Load testing
<a name="loadtesting"></a>

Amazon Connect considers load tests as any tests that: 
+ Target specific endpoints
+ Generate synthetic traffic targeted at concentrated sources
+ Maintain a higher than normal sustained volume of traffic
+ Can accidentally exceed expected limits

These characteristics present a risk of unintended impact to external endpoints, other customers, or AWS services. You are required to follow our load test policy for any plan that meets these criteria.

Our load test policy requires that customers:
+ Only test out of hours: from 6PM-6AM in the local timezone of the AWS Region being tested.
+ Identify an emergency contact who is reachable during the load test.
+ Provide a document and detailed view of the planned load test.

**Important**  
**You must receive approval from AWS for your load test a minimum of two weeks in advance of the test date.**

**To submit a request for a load test**

1. Send email to **amazon-connect-load-test-requests@amazon.com** **and copy your AWS account team (Technical Account Manager or Solution Architect).**

1. Upon receipt, the Amazon Connect team will provide you with the Load Test Request intake form.

   The Amazon Connect load test team responds to emails within 48 working hours. If you do not receive a response within that time, please follow up.

The Amazon Connect team will review your request. We will:
+ Determine whether the test presents any risks.
+ Assess whether the load test could be detected and/or reported as abusive.
+ Given how the test is designed, determine whether it might be unintentionally abusive to, or impactful on, other entities.
+ Determine whether mitigations applied to your instances could affect your tests as well as your production workloads.

If we determine there is not likely to be an impact, we will provide a **written approval** to proceed. 

For tests that might have impact, we will ask you to take additional steps, such as:
+ Running the instance generating traffic from a separate AWS account or Region.
+ Adjusting the tests to minimize risk, or working with AWS closely to understand the scenarios and processes.

**Important**  
Even with approval from AWS, you are responsible for:  
Any damages to AWS, other AWS customers, or external entities that are caused by your testing activities.
Compliance with applicable laws in jurisdictions in which you operate, including laws and regulations governing cybersecurity or misuse of IT systems.
Any load test run without approval from AWS will result in mitigation actions being taken against the AWS account up to and including suspension of service. Unauthorized testing may also be considered a violation of law and subject to criminal prosecution.

# Reliability in Amazon Connect
<a name="reliability-bp"></a>

Reliability includes the ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues. Because resiliency is handled as part of the service, there are no reliability practices unique to Amazon Connect beyond what is covered in [Operational excellence in Amazon Connect workloads](operational-excellence.md). You can find prescriptive guidance on implementation in the [Reliability Pillar](https://d0.awsstatic.com/whitepapers/architecture/AWS-Reliability-Pillar.pdf) whitepaper.

## Resources
<a name="reliability-resources-bp"></a>

**Documentation**
+ [AWS Service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) 
+ [Resilience in Amazon Connect](disaster-recovery-resiliency.md)
+ [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) 

**Whitepaper**
+ [Reliability Pillar](https://d0.awsstatic.com/whitepapers/architecture/AWS-Reliability-Pillar.pdf)

**Video**
+  [Embracing Failure: Fault-Injection and Service Reliability](https://www.youtube.com/watch?v=wrY7XoOnysg) 

**Product**
+ [Trusted Advisor](https://aws.amazon.com/premiumsupport/technology/trusted-advisor/): An online tool that provides real-time guidance to help you provision your resources following AWS best practices.

# Performance efficiency for Amazon Connect workloads
<a name="performance-efficiency-bp"></a>

Performance efficiency includes the ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve. This section provides an overview of design principles, best practices, and questions surrounding performance efficiency for Amazon Connect workloads. You can find prescriptive guidance on implementation in the [Performance Efficiency Pillar](https://d0.awsstatic.com/whitepapers/architecture/AWS-Performance-Efficiency-Pillar.pdf) whitepaper.

## Architectural design
<a name="performance-efficiency-architecturaldesignbp"></a>

There are two fundamental architectural design principles to consider when designing experiences for the contact center: 
+ Reductionism is a philosophical tenet stating that by analyzing a system to its ultimate component parts, you can unravel it at deeper levels. 
+ Holism, in contrast, states that by considering the whole picture one gets a deeper and more complete view of a situation than by analyzing it into its component parts.

The reductionist approach treats each component (IVR, ACD, speech recognition) on its own. Each component, evaluated individually, may meet the performance requirements for its use case, but the result is often a disjointed customer experience that, evaluated end-to-end, lowers the quality of experience for your contacts while funneling development effort into operational silos. This approach complicates regression testing, increases time to market, and limits the development of the cross-discipline operational resources critical to the success of your contact center.

A holistic view of the contact center is shown in the following diagram:

![\[A holistic view of the contact center.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/architecturaldesign.png)


The holistic approach focuses on a more complete and cohesive experience for customers, rather than on which technology will provide which part of that experience. 

Let the customer and what they want define and guide your efforts. The experiences that you create for your contacts should not be static or an end state, but should serve as a starting point that should be iterated on continuously based on customer feedback. The regular collection and review of operational and tuning data surrounding how your contacts are interacting and navigating throughout their journey should drive that iteration. Your goal should be dynamic and personalized experiences for contacts reaching your company. This can be accomplished through dynamic data-driven contact design and routing, resulting in an experience that conforms to your contact and their individual needs.

You can start with the default experience and build out your flows, then refactor your single flow into two to enable future segmentation:

![\[Refactoring your single flow into two.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/architecturaldesign2.png)


In your next iteration, identify additional experiences that you need to plan for and build routing and, if necessary, flows for each. For example, you may want to play different prompts for a contact that is past due on their bill or that may have tried to contact multiple times for the same purpose. With this approach, you are working towards personalized, dynamic experiences that are pertinent to your contacts and why they are contacting you. In addition to improving the quality of experience for your contacts and decreasing handle times, you’re encouraging contact self-service by providing a more intelligent and flexible experience. Your next iteration may look like the following illustration:

![\[Next iteration of flow.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/architecturaldesign3.png)


## Flow design
<a name="contactflowdesign-bp"></a>

A flow defines the customer experience with your contact center from start to finish. Your flow configuration can have a direct impact on performance, operational efficiency, and ease of maintenance. 

Many large businesses support multiple phone numbers, business units, prompts, queues, and other Amazon Connect resources. While it is possible to have unique flows for each phone number and line of business, doing so leads to a one-to-one mapping of phone numbers and flows. This results in unnecessary service quota requests and a large number of flows to support and maintain. A one-to-one mapping of DNIS and flow implementation is illustrated in the following figure:

![\[Flow design example showing a one-to-one mapping of a DNIS and Flow implementation.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/contactflowdesign.png)


Alternatively, consider an approach that maps multiple DNIS to one or a few flows by using the dynamic nature of Amazon Connect flows. With this approach, you store configuration information such as prompts, queues, business hours, whisper prompts/flows, queue treatments, and hold messages in Amazon DynamoDB, a NoSQL database. In Amazon Connect, you can associate multiple phone numbers with the same flow and use a Lambda function to look up the configuration for the dialed number. This allows you to dynamically define the contact's experience based on the attributes returned from DynamoDB. Because the attributes returned from Lambda drive routing decisions, validate the dialed number, return only the attributes the flow needs, and fall back to a safe default when no configuration exists for a number. 

For example, you can play prompts or use Text-to-Speech (TTS) to greet callers based upon the lookups in DynamoDB or associate queues using dynamic attributes supported in flow blocks. The result with this approach is a flow implementation that is efficient to build, maintain, and support: 

![\[An example flow design for using prompts and Text-to-Speech to greet callers.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/contactflowdesign2.png)
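
The following Lambda function is an added example of the DNIS lookup described above; it is not code from Amazon Connect or AWS. It follows the Amazon Connect Lambda invocation contract, in which `Details.ContactData.SystemEndpoint.Address` carries the dialed number and the function must return a flat map of string attributes. DynamoDB is replaced by an in-memory dict so the example runs offline; in production the `CONFIG_TABLE.get(dnis)` call becomes a boto3 `Table.get_item` call. The table contents, and attribute names such as `QueueArn`, `ConfigSource`, and `ConfigError`, are assumptions constructed for the example.

```python
"""DNIS-driven configuration lookup for a shared Amazon Connect flow.

Added example for this guide; it is not code from Amazon Connect or AWS.
The event shape follows the Amazon Connect Lambda invocation contract, in which
Details.ContactData.SystemEndpoint.Address carries the dialed number (DNIS).
DynamoDB is replaced by an in-memory dict so the example runs offline; in
production CONFIG_TABLE.get(dnis) becomes a boto3 Table.get_item call.
Attribute names such as QueueArn and ConfigSource are assumptions.
"""
import re
from typing import Any, Dict

# Constructed sample data standing in for a DynamoDB table keyed by DNIS.
CONFIG_TABLE: Dict[str, Dict[str, str]] = {
    "+15550100001": {
        "BusinessUnit": "Sales",
        "GreetingPrompt": "Thanks for calling Sales.",
        "QueueArn": "arn:aws:connect:us-west-2:111111111111:instance/EXAMPLE/queue/sales",
        "HoursOfOperation": "Sales Hours",
        "InternalNote": "owner: ops team",  # must never reach the flow
    },
    "+15550100002": {
        "BusinessUnit": "Support",
        "GreetingPrompt": "Thanks for calling Support.",
        "QueueArn": "arn:aws:connect:us-west-2:111111111111:instance/EXAMPLE/queue/support",
        "HoursOfOperation": "Support Hours",
    },
}

# Safe defaults for numbers with no row, so a newly claimed or mis-keyed number
# still gets a working experience instead of a dead end.
DEFAULT_CONFIG: Dict[str, str] = {
    "BusinessUnit": "General",
    "GreetingPrompt": "Thanks for calling.",
    "QueueArn": "arn:aws:connect:us-west-2:111111111111:instance/EXAMPLE/queue/general",
    "HoursOfOperation": "Default Hours",
}

# Only these keys are returned. Amazon Connect expects a flat map of string
# values, and an allow-list keeps unrelated columns out of contact attributes,
# which are stored on the contact record and visible to agents and reports.
ALLOWED_KEYS = ("BusinessUnit", "GreetingPrompt", "QueueArn", "HoursOfOperation")

E164 = re.compile(r"^\+[1-9]\d{1,14}$")


def lookup_config(dnis: str) -> Dict[str, str]:
    """Resolve the flow configuration for a dialed number.

    ConfigSource tells the flow whether a real row was found ("table") or the
    defaults were used ("default"); ConfigError is set when the input itself
    was not a valid E.164 number.
    """
    if not E164.match(dnis or ""):
        return dict(DEFAULT_CONFIG, ConfigSource="default", ConfigError="invalid-dnis")
    row = CONFIG_TABLE.get(dnis)
    if row is None:
        return dict(DEFAULT_CONFIG, ConfigSource="default")
    config = {key: str(row[key]) for key in ALLOWED_KEYS if key in row}
    # Fill any column missing from the row from the defaults so the flow never
    # dereferences an absent attribute.
    for key in ALLOWED_KEYS:
        config.setdefault(key, DEFAULT_CONFIG[key])
    config["ConfigSource"] = "table"
    return config


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, str]:
    """Entry point for the flow's 'Invoke AWS Lambda function' block."""
    contact = event.get("Details", {}).get("ContactData", {})
    dnis = contact.get("SystemEndpoint", {}).get("Address", "")
    return lookup_config(dnis)
```

In the flow, reference the returned values as `$.External.GreetingPrompt`, `$.External.QueueArn`, and so on, and branch on `$.External.ConfigSource` if you want callers on an unconfigured number to hear a generic greeting rather than a business-unit one.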


## Load testing
<a name="loadtesting-bp"></a>

If you need to run load or scale testing, you can employ third-party or partner solutions to run load tests, or develop your own custom solution using the Amazon Connect [StartOutboundVoiceContact](https://docs.aws.amazon.com/connect/latest/APIReference/API_StartOutboundVoiceContact.html) API to generate calls combined with browser automation scripts to simulate agent behavior. Before performing load tests, review and follow [Load and penetration / security testing policies for Amazon Connect](load-and-penetration-testing.md). 

## Agent enablement
<a name="agentenablement-bp"></a>

Amazon Connect provides a readily available browser-based Contact Control Panel (CCP) for agents to interact with customer contacts. Your agents use the CCP to accept contacts, chat with contacts, transfer them to other agents, put them on hold, and perform other key tasks. You can realize significant performance efficiency through the creation of custom agent desktop solutions using the [Amazon Connect Streams](https://github.com/aws/amazon-connect-streams) API. Consider using the Streams API to increase performance efficiency in the following areas:
+ CRM integration - The Streams API allows you to embed the CCP in your CRM application, create your own interface, or integrate with other AWS services and partner solutions to provide your agents with the tools and resources they need to service your contacts. With a custom desktop, like the Amazon Connect and [Salesforce integration](salesforce-integration.md), your agents can get a comprehensive view of customer and contact in a single interface without managing multiple screens and interfaces. 
+ Authentication - You can configure SAML for identity management in Amazon Connect and use IAM Identity Center (SSO) to allow your agents to use the same credentials they use to access your other systems and avoid the need to enter them multiple times. 
+ Agent automation - In addition to streamlining your agent experience, you can automate common, repeatable tasks. For example, automatically creating cases or pre-filling webforms and offering a screen pop with relevant information when a contact is offered. This can reduce handle times and improve the quality of experience for your agents and contacts. 
+ Enhanced capabilities - You can also enhance/extend the CCP functionality to include real-time [Transcriptions, Translations, Suggested Actions and Knowledge base integrations](https://aws.amazon.com/solutions/implementations/ai-powered-speech-analytics-for-amazon-connect/). Integrating enhanced capabilities with your agent desktop allows skilled agents to service contacts more efficiently and unskilled agents to provide service when skilled agents aren't available. For example, you can use this approach to automatically translate a chat contact for an unskilled agent who doesn't know the language. When your agent replies, you can automatically translate the text to the contact's language, allowing for real-time bilingual communication. 

## Using other AWS services
<a name="leveragingotherservices-bp"></a>

This section discusses AWS services that you can use to improve performance, identify areas of opportunity, and gain valuable insights into your contact data. 

### AWS Lambda
<a name="lambda-bp"></a>

You can use AWS Lambda in your Amazon Connect Flows to perform data dips for customer information, send SMS text messages, and with other services like Amazon S3 to automatically distribute scheduled reports. For more information, see [Best Practices for Working with AWS Lambda functions](https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html). 

### Direct Connect
<a name="directconnect-bp"></a>

Direct Connect is a cloud service solution that makes it more efficient to establish a dedicated network connection from your premises to AWS. It provides a durable, consistent connection rather than relying on your ISP to dynamically route requests to AWS resources. It allows you to configure your edge router to redirect AWS traffic across dedicated fiber rather than traversing the public WAN and establish private connectivity between AWS and your data center, office, or colocation environment. In many cases, this can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections. 

While Direct Connect does not solve issues specific to private LAN/WAN traversal to your edge router, it can help solve for latency and connectivity issues between your edge router and AWS resources. It can also solve for latency and poor call quality between your edge router and AWS resources. 

Depending on your VDI environment, you may not be able to take advantage of Direct Connect, because it requires you to configure your edge router to redirect AWS traffic across dedicated fiber rather than traversing the public WAN. If the VDI environment is hosted outside of your local Direct Connect-enabled network, you may not be able to take full advantage of Direct Connect.

Do not use Direct Connect for "QoS" or "increased security." Direct Connect can cause performance degradation in cases where the latency from the agent workstation is higher than the ISP’s path to the Amazon Connect instance. Direct Connect does not offer additional security when compared to an ISP as Amazon Connect voice and data is already encrypted.

### Amazon Polly
<a name="amazonpolly-bp"></a>

Amazon Connect offers a native integration with Amazon Polly, allowing you to play dynamic and natural Text-to-Speech (TTS), use Speech Synthesis Markup Language (SSML), and take advantage of Neural Text-to-Speech (NTTS) to achieve the most natural and human-like text-to-speech voices possible. 

### Amazon Lex
<a name="amazonlex-bp"></a>

Your contact’s path to service can be a challenging experience that doesn’t always meet up to their expectations. Your contacts may wait on hold, repeat information, need to be transferred, and ultimately, spend too much time getting what they need. AI is playing a role in improving this customer experience in call centers to include engagement through chatbots — intelligent, natural language virtual assistants. These chatbots are able to recognize human speech and understand the caller’s intent without requiring the caller to speak in specific phrases. Contacts can perform tasks such as changing a password, requesting a balance on an account, or scheduling an appointment without ever speaking to an agent.

Amazon Lex is a service that allows you to create intelligent conversational chatbots. It lets you turn your Amazon Connect contact center flows into natural conversations that provide personalized experiences for your callers. Using the same technology that powers Amazon Alexa, an Amazon Lex chatbot can be attached to your Amazon Connect Flow to recognize the intent of your caller, ask follow-up questions, and provide answers. Amazon Lex maintains context and manages the dialogue, dynamically adjusting the responses based on the conversation, so your contact center can perform common tasks for callers, to address many customer inquiries through self-service interactions. Additionally, Amazon Lex chatbots support an optimal (8 kHz) telephony audio sampling rate, to provide increased speech recognition accuracy and fidelity for your contact center voice interactions.

Building an effective Amazon Lex bot requires providing simple and realistic utterances as training sets to the bot, periodically reviewing your bot’s performance, updating your utterance set, and modifying the bot based on such a review. For more information, see the following resources: 
+ [Monitoring in Amazon Lex](https://docs.aws.amazon.com/lex/latest/dg/monitoring-aws-lex.html)
+ [Building Better bots using Amazon Lex](https://aws.amazon.com/blogs/machine-learning/building-better-bots/)

### Amazon Kinesis
<a name="amazonkinesis-bp"></a>

For situations where you need to gain additional insight from your contact metrics and real-time data from Amazon Connect, you can:
+ Export your contact record data to Amazon Redshift using Amazon Kinesis.
+ Use Amazon Kinesis video stream (KVS) and AWS Lambda to transcribe call recordings or voice contacts in real-time using Amazon Transcribe and send the resulting text to Amazon Comprehend for sentiment analysis.
+ Leverage the [Amazon Connect Agent Event Kinesis Stream](agent-event-streams.md) for real-time agent CTI and schedule adherence data.

### Amazon OpenSearch Service and Kibana
<a name="kibana-bp"></a>

Using Amazon OpenSearch Service and Kibana to process real-time Amazon Connect data gives you a flexible way to query and visualize real-time and historical Amazon Connect data beyond native reporting capabilities.

### Amazon Connect Contact Lens
<a name="contactlens-bp"></a>

Contact Lens is a set of machine learning (ML) capabilities integrated into Amazon Connect that allow contact center supervisors to better understand the sentiment, trends, and compliance risks of customer conversations to effectively train agents, replicate successful interactions, and identify crucial company and product feedback. Contact Lens transcribes contact center calls to create a fully searchable archive and surface valuable customer insights.

## Resources
<a name="performance-resources-bp"></a>

**Documentation**
+ [Best practices design patterns: optimizing Amazon S3 performance](https://docs.aws.amazon.com/AmazonS3/latest/userguide/optimizing-performance.html) 
+ [ Amazon EBS volume performance on Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSPerformance.html)

**Whitepaper**
+ [Performance Efficiency Pillar](https://d0.awsstatic.com/whitepapers/architecture/AWS-Performance-Efficiency-Pillar.pdf)

**Video**
+ [AWS re:Invent 2016: Scaling Up to Your First 10 Million Users (ARC201)](https://www.youtube.com/watch?v=n28lDDdlnVg) 
+ [AWS re:Invent 2017: Deep Dive on Amazon EC2 Instances](https://www.youtube.com/watch?v=mZy6E2I5Rek) 

# Cost optimization for Amazon Connect workloads
<a name="cost-optimization-bp"></a>

Cost Optimization includes the ability to run systems to deliver business value at the lowest price point. This section provides an overview of design principles, best practices, and questions surrounding cost optimization for Amazon Connect workloads. You can ﬁnd prescriptive guidance on implementation in the [Cost Optimization Pillar - AWS Well-Architected Framework](https://docs.aws.amazon.com/wellarchitected/latest/cost-optimization-pillar/welcome.html) . 

Consider the following areas for cost optimization for Amazon Connect workloads.

## Region selection
<a name="regionselection-co"></a>

Amazon Connect Region selection is one of the first decisions customers make when adopting Amazon Connect for their contact center workloads. While latency and voice quality are important aspects of Region selection, you should evaluate Region selection from a cost perspective as well. Telephony pricing for claimed phone numbers per day and per-minute inbound usage can differ by country depending on the AWS Region in which you create your Amazon Connect instance. You can find telephony prices for each Region on the [Amazon Connect Pricing](https://aws.amazon.com/connect/pricing/) page. 

## Callbacks
<a name="callbacks-co"></a>

You can provide a callback in your flow for callers during high call volume periods or long wait times. You can use callbacks to reduce cost and improve the quality of experience for your contacts. When your contact opts-in for the callback, Amazon Connect will retain the position in the queue and allow the caller to disconnect. When an agent becomes available to service your contact, Amazon Connect will place an outbound call to the number configured to connect the contact to your agent. A sample callback flow is included in every instance at creation. You can also use AWS Lambda and Amazon DynamoDB to prevent duplicate callback requests.
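
The following is an added example of the Lambda and DynamoDB de-duplication mentioned above; it is not code from Amazon Connect. It models the DynamoDB conditional write (`PutItem` with `ConditionExpression "attribute_not_exists(CallbackNumber)"`) with an in-memory `CallbackTable` so the example runs offline; in production that class is replaced by a boto3 `Table` and the `False` branch becomes a caught `ConditionalCheckFailedException`. The attribute names (`CallbackNumber`, `CallbackStatus`, `ExpiresAt`), the four-hour expiry, and the sample events are assumptions constructed for the example.

```python
"""De-duplicating queued-callback requests with a conditional write.

Added example for this guide, not code from Amazon Connect. A DynamoDB table is
modelled by CallbackTable so the example runs offline: put_if_absent behaves
like PutItem with ConditionExpression "attribute_not_exists(CallbackNumber)"
(DynamoDB raises ConditionalCheckFailedException where this returns False).
Attribute names (CallbackNumber, CallbackStatus, ExpiresAt) are assumptions;
ExpiresAt is intended for DynamoDB's TTL feature so stale rows age out.
"""
import re
import time
from typing import Any, Callable, Dict, Optional

E164 = re.compile(r"^\+[1-9]\d{1,14}$")
# A callback older than this counts as stale; the same number may request again.
TTL_SECONDS = 4 * 60 * 60


class CallbackTable:
    """In-memory stand-in for a DynamoDB table keyed by CallbackNumber."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._items: Dict[str, Dict[str, Any]] = {}
        self.clock = clock

    def put_if_absent(self, item: Dict[str, Any]) -> bool:
        """Store item unless a live (unexpired) record already holds its key."""
        key = item["CallbackNumber"]
        existing = self._items.get(key)
        if existing is not None and existing["ExpiresAt"] > self.clock():
            return False
        self._items[key] = item
        return True

    def get(self, number: str) -> Optional[Dict[str, Any]]:
        return self._items.get(number)


def register_callback(table: CallbackTable, number: str, contact_id: str) -> Dict[str, str]:
    """Record a callback request once per number.

    Returns flat string attributes for the flow to branch on:
    CallbackStatus is "accepted", "duplicate", or "invalid".
    """
    if not E164.match(number or ""):
        return {"CallbackStatus": "invalid"}
    now = int(table.clock())
    item = {
        "CallbackNumber": number,
        "ContactId": contact_id,
        "RequestedAt": now,
        "ExpiresAt": now + TTL_SECONDS,
    }
    if table.put_if_absent(item):
        return {"CallbackStatus": "accepted"}
    return {"CallbackStatus": "duplicate"}


_TABLE = CallbackTable()


def lambda_handler(event: Dict[str, Any], context: Any = None,
                   table: CallbackTable = _TABLE) -> Dict[str, str]:
    """Entry point for the flow's 'Invoke AWS Lambda function' block.

    The callback is registered against the caller's own number
    (Details.ContactData.CustomerEndpoint.Address), so one caller cannot queue
    callbacks to arbitrary third-party numbers.
    """
    contact = event.get("Details", {}).get("ContactData", {})
    number = contact.get("CustomerEndpoint", {}).get("Address", "")
    return register_callback(table, number, contact.get("ContactId", ""))
```

Place the Lambda block before **Transfer to queue** with the callback option, and only transfer when `$.External.CallbackStatus` is `accepted`; on `duplicate`, tell the caller a callback is already scheduled. The conditional write, rather than a read followed by a write, is what prevents two concurrent contacts from the same number each seeing "no record" and both scheduling a callback.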

## Storage
<a name="storage-co"></a>

With Amazon Connect, you can configure your instance and flows to store call recordings and chat transcripts of contacts' interactions for compliance, quality monitoring, and training purposes. Voice contacts are not recorded unless an agent is connected to the caller. If multiple agents are connected, each has an associated call recording or transcript. Amazon Connect stores recordings and transcripts in your Amazon S3 bucket, where retention is governed by your Amazon S3 Lifecycle configuration. With the recordings in Amazon S3, you can use S3 storage classes to manage retention and optimize cost. For example, you can use an S3 Lifecycle rule to transition call recordings and transcripts older than three months to Amazon S3 Glacier to reduce storage cost.

## Self-service
<a name="selfservice-co"></a>

Amazon Connect's pay-as-you-go pricing model can result in lower costs compared to traditional licensing-based contact centers. However, the traditional contact center infrastructure that spans automatic call distribution (ACD) systems, IVR, telephony, and workforce management (WFM) systems contributes proportionately little to the overall cost of contact center operations. The largest contributor to the cost of the contact center is often human capital and the real estate required to provide an operating environment for your agents. Amazon Connect flows can be used natively with Amazon Lex for NLU, NLP, and ASR and Amazon Polly for lifelike Text-to-Speech (TTS) to build highly engaging user experiences and natural conversational interactions across voice and text. By using an Amazon Lex chatbot in your Amazon Connect call center, callers can perform tasks such as changing a password, requesting a balance on an account, or scheduling an appointment, without needing to speak to an agent. These self-service options result in a better customer experience and lower your cost per contact.

![\[Diagram showing self-service options reducing costs and improving customer experience.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/architecture/selfservice.png)


## Click-to-call
<a name="clicktocall-co"></a>

You can use click-to-call in Amazon Connect to initiate a voice call with the [StartOutboundVoiceContact](https://docs.aws.amazon.com/connect/latest/APIReference/API_StartOutboundVoiceContact.html) API from a web or mobile application in which the contact is already authenticated, reducing call handle times and improving the quality of experience. With this approach, you can let your contact bypass IVR authentication and pass contextual information such as URLs, recent web/mobile activity, and user data to your flows to create dynamic, personalized experiences. Examples include a contact browsing your website to purchase an item, or a member of a financial institution who is already authenticated in the mobile app and wants to speak with an agent about a recent transaction. Because your flow trusts the attributes passed with the API call, make the call from a back end that has verified the user's session rather than from client-side code holding AWS credentials.

## Redirect voice contacts to chat
<a name="redirectvoiccecontactstochat-co"></a>

With Amazon Connect, you can allow agents to handle multiple chat conversations simultaneously, whereas they would only be able to handle one voice conversation at a time. When you don't have a voice agent available, you can send an SMS text message to your customer to offer a link to chat with an agent right away.

## Use softphones instead of deskphones
<a name="softphone-co"></a>

We recommend agents use softphones instead of deskphones. Deskphones have a cost associated with them as the calls and audio are extended to the agents over PSTN.

## Resources
<a name="costoptimization-resources-bp"></a>

**Documentation**
+  [Analyzing Your Costs with Cost Explorer](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/ce-what-is.html) 
+  [AWS Cloud Economics Center](https://aws.amazon.com/economics/) 
+ [What are AWS Cost and Usage Reports](https://docs.aws.amazon.com/cur/latest/userguide/what-is-cur.html) 

**Whitepaper**
+ [Cost Optimization Pillar](https://d0.awsstatic.com/whitepapers/architecture/AWS-Cost-Optimization-Pillar.pdf) 

# Plan your identity management in Amazon Connect
<a name="connect-identity-management"></a>

Before you [set up your Amazon Connect instance](amazon-connect-instances.md), you should decide how you want to manage your Amazon Connect users. A user is anyone who needs an Amazon Connect account: agents, call center managers, analysts, and more.

**You cannot change the option you select for identity management after you create an instance**. Instead, you must delete the instance and create a new one. However, if you delete an instance, you lose its configuration settings and metrics data.

When you create your instance, you can choose from one of the following identity management solutions:
+ **Store users with Amazon Connect**—Choose this option if you want to create and manage user accounts within Amazon Connect. 

  When you manage users in Amazon Connect, the user name and password for each user is specific to Amazon Connect. Users must remember a separate user name and password to log in to Amazon Connect.
+ **Link to an existing directory**—Choose this option to use an existing Active Directory. Users will log in to Amazon Connect using their corporate credentials.

  If you choose this option, the directory must be associated with your account, set up in Directory Service, and be active in the same Region in which you create your instance. If you plan to choose this option, you should prepare your directory before you create your Amazon Connect instance. For more information, see [Use an existing directory for identity management in Amazon Connect](directory-service.md).
+ **SAML 2.0-based authentication**—Choose this option if you want to use your existing network identity provider to federate users with Amazon Connect. Users can only log in to Amazon Connect by using the link configured through your identity provider. If you plan to choose this option, you should configure your environment for SAML before you create your Amazon Connect instance. For more information, see [Configure SAML with IAM for Amazon Connect](configure-saml.md).

# Use an existing directory for identity management in Amazon Connect
<a name="directory-service"></a>

If you are already using a Directory Service directory to manage users, you can use the same directory to manage user accounts in Amazon Connect. You can also create a new directory in Directory Service to use for Amazon Connect. The directory you choose must be associated with your AWS account, and must be active in the AWS Region in which you create your instance. You can associate a Directory Service directory with only one Amazon Connect instance at a time. To use the directory with a different instance, you must delete the instance with which it is already associated.

The following Directory Service directories are supported in Amazon Connect:
+ [Microsoft Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html)—Directory Service lets you run Microsoft Active Directory as a managed service.
+ [Active Directory Connector](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html)—AD Connector is a directory gateway you can use to redirect directory requests to your on-premises Microsoft Active Directory. 
+ [Simple Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_simple_ad.html)—Simple AD is a standalone managed directory that is powered by a Samba 4 Active Directory compatible server.

You cannot change the identity option you select after you create the instance. If you decide to change the directory you selected, you can delete the instance and create a new one. When you delete an instance, you lose all configuration settings and metrics data for it.

There is no additional charge for using an existing or a proprietary directory in Amazon Connect. For information about the costs associated with using Directory Service, see [Directory Service Pricing Overview](https://aws.amazon.com/directoryservice/pricing/).

The following limitations apply to all new directories created using Directory Service:
+ Directory names must be alphanumeric; the only other character permitted is '.'.
+ Directories cannot be unbound from an Amazon Connect instance after they have been associated.
+ Only one directory can be added to an Amazon Connect instance.
+ Directories cannot be shared across multiple Amazon Connect instances.

# Configure SAML with IAM for Amazon Connect
<a name="configure-saml"></a>

Amazon Connect supports identity federation by configuring Security Assertion Markup Language (SAML) 2.0 with AWS IAM to enable web-based single sign-on (SSO) from your organization to your Amazon Connect instance. This allows your users to sign in to a portal in your organization hosted by a SAML 2.0 compatible identity provider (IdP) and log in to an Amazon Connect instance with a single sign-on experience without having to provide separate credentials for Amazon Connect.

## Important notes
<a name="saml-important-notes"></a>

Before you begin, note the following:
+ These instructions do not apply to Amazon Connect Global Resiliency deployments. For information that applies to Amazon Connect Global Resiliency, see [Integrate your identity provider (IdP) with an Amazon Connect Global Resiliency SAML sign in endpoint](integrate-idp.md).
+ Choosing SAML 2.0-based authentication as the identity management method for your Amazon Connect instance requires the configuration of [AWS Identity and Access Management federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html). 
+ The user name in Amazon Connect must match the RoleSessionName SAML attribute specified in the SAML response returned by the identity provider.
+ Amazon Connect does not support reverse federation. That is, you can't log in directly to Amazon Connect; if you try, you get a *Session Expired* message. Authentication must start from the identity provider (IdP), not from the service provider (SP), which is Amazon Connect. 
+ Most identity providers by default use the global AWS sign-in endpoint as the Assertion Consumer Service (ACS), which is hosted in US East (N. Virginia). We recommend overriding this value to use the Regional endpoint that matches the AWS Region where your instance was created. 
+ All Amazon Connect usernames are case sensitive, even when using SAML.
+ If you have old Amazon Connect instances that were set up with SAML and you need to update your Amazon Connect domain, see [Personal settings](update-your-connect-domain.md#new-domain-settings). 

## Overview of using SAML with Amazon Connect
<a name="saml-overview"></a>

The following diagram shows the order in which steps take place for SAML requests to authenticate users and federate with Amazon Connect. It is not a flow diagram for a threat model. 

![\[Overview of the request flow for SAML authentication requests with Amazon Connect.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/saml-overview.png)


SAML requests go through the following steps:

1. The user browses to an internal portal that includes a link to log in to Amazon Connect. The link is defined in the identity provider.

1. The federation service requests authentication from the organization's identity store.

1. The identity store authenticates the user and returns the authentication response to the federation service.

1. When authentication is successful, the federation service posts the SAML assertion to the user's browser.

1. The user's browser posts the SAML assertion to the AWS sign in SAML endpoint (https://signin.aws.amazon.com/saml). AWS sign in receives the SAML request, processes the request, authenticates the user, and initiates a browser redirect to the Amazon Connect endpoint with the authentication token.

1. Using the authentication token from AWS, Amazon Connect authorizes the user and opens Amazon Connect in their browser.

## Enabling SAML-based authentication for Amazon Connect
<a name="enable-saml"></a>

The following steps are required to enable and configure SAML authentication for use with your Amazon Connect instance:

1. Create an Amazon Connect instance and select SAML 2.0-based authentication for identity management.

1. Enable SAML federation between your identity provider and AWS.

1. Add Amazon Connect users to your Amazon Connect instance. Log in to your instance using the administrator account created when you created your instance. Go to the **User Management** page and add users. 
**Important**  
**For a list of allowed characters in user names**, see the documentation for the `Username` property in the [CreateUser](https://docs.aws.amazon.com/connect/latest/APIReference/API_CreateUser.html) action. 
Because an Amazon Connect user is associated with an AWS IAM role, the user name must exactly match the RoleSessionName as configured in your AWS IAM federation integration, which is typically the user name in your directory. The format of the user name must satisfy both the format conditions of the [RoleSessionName](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) and those of an [Amazon Connect user](https://docs.aws.amazon.com/connect/latest/APIReference/API_CreateUser.html#connect-CreateUser-request-DirectoryUserId), as shown in the following diagram:  

![\[Venn diagram of RoleSessionName and Amazon Connect user.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/saml-ven-diagram.png)


1. Configure your identity provider for the SAML assertions, authentication response, and relay state. Users log in to your identity provider. When successful, they are redirected to your Amazon Connect instance. The IAM role is used to federate with AWS, which allows access to Amazon Connect.

## Select SAML 2.0-based authentication during instance creation
<a name="create-saml-instance"></a>

When you are creating your Amazon Connect instance, select the SAML 2.0-based authentication option for identity management. On the second step, when you create the administrator for the instance, the user name that you specify must exactly match a user name in your existing network directory. There is no option to specify a password for the administrator because passwords are managed through your existing directory. The administrator is created in Amazon Connect and assigned the **Admin** security profile.

You can log in to your Amazon Connect instance, through your IdP, using the administrator account to add additional users.

## Enable SAML federation between your identity provider and AWS
<a name="enable-saml-federation"></a>

To enable SAML-based authentication for Amazon Connect, you must create an identity provider in the IAM console. For more information, see [Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html).

The process to create an identity provider for AWS is the same for Amazon Connect. Step 6 in the above flow diagram shows the client is sent to your Amazon Connect instance instead of the AWS Management Console.

The steps necessary to enable SAML federation with AWS include:

1. Create a SAML provider in AWS. For more information, see [Creating SAML Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html).

1. Create an IAM role for SAML 2.0 federation with the AWS Management Console. Only one role is needed for federation, so create just one. The IAM role determines which permissions users who log in through your identity provider have in AWS; in this case, the permissions are for accessing Amazon Connect. You control permissions to individual features of Amazon Connect by using security profiles in Amazon Connect. For more information, see [Creating a Role for SAML 2.0 Federation (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html).

   In step 5, choose **Allow programmatic and AWS Management Console access**. Create the trust policy described in the topic in the procedure *To prepare to create a role for SAML 2.0 federation*. Then create a policy to assign permissions to your Amazon Connect instance. Permissions start on step 9 of the *To create a role for SAML-based federation* procedure.

**To create a policy for assigning permissions to the IAM role for SAML federation**

   1. On the **Attach permissions policy** page, choose **Create policy**.

   1. On the **Create policy** page, choose **JSON**.

   1. Copy one of the following example policies and paste it into the JSON policy editor, replacing any existing text. You can use either policy to enable SAML federation, or customize them for your specific requirements.

      Use this policy to enable federation for all users in a specific Amazon Connect instance. For SAML-based authentication, replace the instance ARN in the `Resource` value with the ARN of the instance that you created:

      ```
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "Statement1",
                  "Effect": "Allow",
                  "Action": "connect:GetFederationToken",
                  "Resource": [
                      "arn:aws:connect:us-east-1:361814831152:instance/2fb42df9-78a2-2e74-d572-c8af67ed289b/user/${aws:userid}"
                  ]
              }
          ]
      }
      ```

      Use this policy to enable federation to a specific Amazon Connect instance. Replace the `connect:InstanceId` value with the instance ID for your instance.

      ```
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "Statement2",
                  "Effect": "Allow",
                  "Action": "connect:GetFederationToken",
                  "Resource": "*",
                  "Condition": {
                      "StringEquals": {
                          "connect:InstanceId": "2fb42df9-78a2-2e74-d572-c8af67ed289b"
                      }
                  }
              }
          ]
      }
      ```

      Use this policy to enable federation for multiple instances. Note the brackets around the listed instance IDs.

      ```
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "Statement2",
                  "Effect": "Allow",
                  "Action": "connect:GetFederationToken",
                  "Resource": "*",
                  "Condition": {
                      "StringEquals": {
                          "connect:InstanceId": [
                              "2fb42df9-78a2-2e74-d572-c8af67ed289b",
                              "1234567-78a2-2e74-d572-c8af67ed289b"
                          ]
                      }
                  }
              }
          ]
      }
      ```

   1. After you create the policy, choose **Next: Review**. Then return to step 10 in the *To create a role for SAML-based federation* procedure in the [Creating a Role for SAML 2.0 Federation (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) topic.

1. Configure your network as a SAML provider for AWS. For more information, see [Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html).

1. Configure SAML assertions for the authentication response. For more information, see [Configuring SAML Assertions for the Authentication Response](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html).

1. For Amazon Connect, leave the **Application Start URL** blank.

1. Override the Assertion Consumer Service (ACS) URL in your identity provider to use the Regional endpoint that coincides with the AWS Region of your Amazon Connect instance. For more information, see [Configure the identity provider to use regional SAML endpoints](#regionally-isolated-saml). 

1. Configure the relay state of your identity provider to point to your Amazon Connect instance. The URL to use for the relay state has the following form:

   `https://region-id.console.aws.amazon.com/connect/federate/instance-id`

   Replace the *region-id* with the Region name where you created your Amazon Connect instance, such as us-east-1 for US East (N. Virginia). Replace the *instance-id* with the instance ID for your instance.

   For a GovCloud instance, the URL is **https://console.amazonaws-us-gov.com/**: 
   + https://console.amazonaws-us-gov.com/connect/federate/instance-id
**Note**  
You can find the instance ID for your instance by choosing the instance alias in the Amazon Connect console. The instance ID is the set of numbers and letters after '/instance' in the **Instance ARN** displayed on the **Overview** page. For example, the instance ID in the following Instance ARN is *178c75e4-b3de-4839-a6aa-e321ab3f3770*.  
arn:aws:connect:us-east-1:450725743157:instance/*178c75e4-b3de-4839-a6aa-e321ab3f3770*

## Configure the identity provider to use regional SAML endpoints
<a name="regionally-isolated-saml"></a>

To provide the best availability, we recommend using the Regional SAML endpoint that coincides with your Amazon Connect instance instead of the default global endpoint.

The following steps are IdP agnostic; they work for any SAML IdP (for example, Okta, Ping, OneLogin, Shibboleth, ADFS, AzureAD, and more).

1. Update (or override) the Assertion Consumer Service (ACS) URL. There are two ways you can do this:
   + **Option 1**: Download the AWS SAML metadata and update the `Location` attribute to the Region of your choice. Load this new version of the AWS SAML metadata into your IdP. 

     Following is an example of a revision:

      `<AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://region-id.signin.aws.amazon.com/saml"/>`
   + **Option 2**: Override the AssertionConsumerService (ACS) URL in your IdP. For IdPs like Okta that provide prebaked AWS integrations, you can override the ACS URL in the AWS admin console. Use the same format to override to a Region of your choice (for example, https://*region-id*.signin.aws.amazon.com/saml).

1. Update the associated role trust policy:

   1. This step needs to be done for every role in every account that trusts the given identity provider.

   1. Edit the trust relationship, and replace the singular `SAML:aud` condition with a multivalued condition. For example:
      + Default: "`SAML:aud`": "https://signin.aws.amazon.com/saml". 
      + With modifications: "`SAML:aud`": [ "https://signin.aws.amazon.com/saml", "https://*region-id*.signin.aws.amazon.com/saml" ]

   1. Make these changes to the trust relationships in advance. They should not be done as part of a plan during an incident.

1. Configure a relay state for the Region-specific console page.

   1. If you don't do this final step, there's no guarantee that the Region-specific SAML sign-in process will forward the user to the console sign-in page within the same Region. This step varies the most between identity providers, but there are blog posts (for example, [How to Use SAML to Automatically Direct Federated Users to a Specific AWS Management Console Page](https://aws.amazon.com/blogs//security/how-to-use-saml-to-automatically-direct-federated-users-to-a-specific-aws-management-console-page/)) that show how to use the relay state to achieve deep linking.

   1. Using the technique/parameters appropriate for your IdP, set the relay state to the console endpoint that matches (for example, https://*region-id*.console.aws.amazon.com/connect/federate/*instance-id*).

**Note**  
Ensure that STS is not disabled in your additional Regions.
Ensure no SCPs are preventing STS actions in your additional Regions.
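The trust-policy edit in step 2 above, carried out in code so the same change can be reviewed once and applied to every role in every account that trusts the IdP. This is an added example; it is not code from the Amazon Connect documentation or from any AWS tool. The sample trust policy is constructed: account `111122223333` is the AWS documentation placeholder and `ExampleIdP` is a hypothetical provider name. The function touches only statements that allow `sts:AssumeRoleWithSAML` and already carry a `SAML:aud` condition, and leaves everything else in the document unchanged.

```python
"""Widen a SAML federation role's trust policy to accept the Regional AWS sign-in endpoint.

Added example (not from the Amazon Connect documentation). It performs the
SAML:aud edit described above on a trust policy document so the change can be
reviewed and applied the same way to every role in every account that trusts the IdP.
"""
import copy
import json

GLOBAL_AUD = "https://signin.aws.amazon.com/saml"

# Constructed sample: the shape of the trust policy the IAM console generates for a
# SAML 2.0 federation role. Account 111122223333 and provider name ExampleIdP are placeholders.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/ExampleIdP"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": GLOBAL_AUD}},
        }
    ],
}


def regional_aud(region_id: str) -> str:
    """Regional SAML sign-in endpoint in the form the documentation gives."""
    return f"https://{region_id}.signin.aws.amazon.com/saml"


def add_regional_saml_aud(trust_policy: dict, region_id: str) -> dict:
    """Return a copy of trust_policy whose SAML:aud conditions also accept region_id.

    A singular "SAML:aud": "<url>" becomes the multivalued form
    ["<url>", "<regional url>"]; an existing list simply gains the regional URL.
    Statements that do not allow sts:AssumeRoleWithSAML, or that have no SAML:aud
    condition, are left untouched, and applying the function twice changes nothing.
    """
    updated = copy.deepcopy(trust_policy)
    wanted = regional_aud(region_id)
    for stmt in updated.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRoleWithSAML" not in actions:
            continue
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        if "SAML:aud" not in string_equals:
            continue
        auds = string_equals["SAML:aud"]
        if isinstance(auds, str):
            auds = [auds]
        if wanted not in auds:
            auds.append(wanted)
        string_equals["SAML:aud"] = auds
    return updated


def saml_aud_values(trust_policy: dict) -> list:
    """Every SAML:aud value the policy's StringEquals conditions accept, in document order."""
    found = []
    for stmt in trust_policy.get("Statement", []):
        auds = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud", [])
        found.extend([auds] if isinstance(auds, str) else auds)
    return found


if __name__ == "__main__":
    # Prints the updated document, ready to paste into the role's trust relationship.
    print(json.dumps(add_regional_saml_aud(SAMPLE_TRUST_POLICY, "us-west-2"), indent=4))
```

Run it against the trust policy of each federation role (for example, the output of `aws iam get-role`) and diff the result before applying it; doing this ahead of time, as the section says, keeps the change out of incident-time procedures.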

## Use a destination in your relay state URL
<a name="destination-relay"></a>

When you configure the relay state for your identity provider, you can use the destination argument in the URL to navigate users to a specific page in your Amazon Connect instance. For example, use a link to open the CCP directly when an agent logs in. The user must be assigned a security profile that grants access to that page in the instance. For example, to send agents to the CCP, use a URL similar to the following for the relay state. You must use [URL encoding](https://en.wikipedia.org/wiki/Percent-encoding) for the destination value used in the URL:
+ `https://us-east-1.console.aws.amazon.com/connect/federate/instance-id?destination=%2Fccp-v2%2Fchat&new_domain=true`

Another example of a valid URL is:
+ `https://us-east-1.console.aws.amazon.com/connect/federate/instance-id?destination=%2Fagent-app-v2`

For a GovCloud instance, the URL is **https://console.amazonaws-us-gov.com/**. So the address would be: 
+ `https://console.amazonaws-us-gov.com/connect/federate/instance-id?destination=%2Fccp-v2%2Fchat&new_domain=true`

If you want to configure the destination argument to a URL outside of the Amazon Connect instance, such as your own custom website, first add that external domain to the account's approved origins. For example, perform the steps in the following order: 

1. In the Amazon Connect console add https://*your-custom-website*.com to your approved origins. For instructions, see [Use an allowlist for integrated applications in Amazon Connect](app-integration.md). 

1. In your identity provider, configure your relay state to `https://your-region.console.aws.amazon.com/connect/federate/instance-id?destination=https%3A%2F%2Fyour-custom-website.com`

1. When your agents log in they are taken directly to https://*your-custom-website*.com.
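A small builder for the relay-state URLs this section describes, as an added example that is not code from the Amazon Connect documentation or from AWS. It percent-encodes the destination the way the examples above show (`/` becomes `%2F`) and refuses an external destination whose origin is not in the approved-origins list passed to it, which stands in for the allowlist you configure in the Amazon Connect console. Selecting the GovCloud host by a Region id that starts with `us-gov-` is an assumption of this example, not something the page states.

```python
"""Build an Amazon Connect relay-state URL that carries a URL-encoded destination.

Added example, not code from the Amazon Connect documentation or from AWS. It follows
the URL shapes given above: the Regional console host for commercial Regions and
console.amazonaws-us-gov.com for GovCloud (selected here, as an assumption, by a
Region id starting with "us-gov-"). The approved-origins list passed in stands for
the allowlist you configure in the Amazon Connect console.
"""
from typing import Iterable, Optional
from urllib.parse import quote, urlsplit

COMMERCIAL_BASE = "https://{region}.console.aws.amazon.com/connect/federate/{instance_id}"
GOVCLOUD_BASE = "https://console.amazonaws-us-gov.com/connect/federate/{instance_id}"


def origin_of(url: str) -> str:
    """scheme://host[:port] of url, lowercased, so origins compare the way browsers do."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def destination_allowed(destination: str, approved_origins: Iterable[str]) -> bool:
    """True for an in-instance path ("/ccp-v2/chat") or for an absolute URL whose
    origin is in approved_origins; anything else must not be placed in the relay state."""
    if destination.startswith("/"):
        return True
    if destination.startswith(("https://", "http://")):
        approved = {origin_of(o) for o in approved_origins}
        return origin_of(destination) in approved
    return False


def build_relay_state(region: str, instance_id: str, destination: Optional[str] = None,
                      approved_origins: Iterable[str] = (), new_domain: bool = False) -> str:
    """Return the relay-state URL to configure in the identity provider.

    The destination is percent-encoded with "/" escaped as well (quote(..., safe="")),
    which is what the documentation's examples show (%2Fccp-v2%2Fchat).
    """
    base = GOVCLOUD_BASE if region.startswith("us-gov-") else COMMERCIAL_BASE
    url = base.format(region=region, instance_id=instance_id)
    if destination is None:
        return url
    if not destination_allowed(destination, approved_origins):
        raise ValueError(f"destination {destination!r} is neither an instance path "
                         "nor an approved external origin")
    url += "?destination=" + quote(destination, safe="")
    if new_domain:
        url += "&new_domain=true"
    return url


if __name__ == "__main__":
    print(build_relay_state("us-east-1", "instance-id", "/ccp-v2/chat", new_domain=True))
    print(build_relay_state("us-east-1", "instance-id", "https://your-custom-website.com",
                            approved_origins=["https://your-custom-website.com"]))
```

The origin check mirrors the order of operations the list above requires: the external domain has to be on the instance's approved origins before the relay state that points to it is configured, otherwise agents land on a page the instance will not open.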

## Add users to your Amazon Connect instance
<a name="saml-add-users"></a>

Add users to your Amazon Connect instance, making sure that the user names exactly match the user names in your existing directory. If the names do not match, users can log in to the identity provider, but not to Amazon Connect, because no user account with that user name exists in Amazon Connect. You can add users manually on the **User management** page, or you can bulk upload users with the CSV template. After you add the users to Amazon Connect, you can assign security profiles and other user settings.

When a user logs in to the identity provider, but no account with the same user name is found in Amazon Connect, the following **Access denied** message is displayed.

![\[An Access denied error for a user whose name is not in Amazon Connect.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/saml-access-denied.png)

<a name="bulk-user-upload"></a>
**Bulk upload users with the template**  
You can import your users by adding them to a CSV file. You can then import the CSV file to your instance, which adds all users in the file. If you add users by uploading a CSV file, make sure that you use the template for SAML users. You can find it on the **User management** page in Amazon Connect. A different template is used for SAML-based authentication. If you previously downloaded the template, you should download the version available on the **User management** page after you set up your instance with SAML-based authentication. The template should not include a column for email or password.

## SAML user logging in and session duration
<a name="user-sessions"></a>

When you use SAML in Amazon Connect, users must log in to Amazon Connect through your identity provider (IdP). Your IdP is configured to integrate with AWS. After authentication, a token for their session is created. The user is then redirected to your Amazon Connect instance and automatically logged in to Amazon Connect using single sign-on.

As a best practice, you should also define a process for your Amazon Connect users to log out when they are finished using Amazon Connect. They should log out from both Amazon Connect and your identity provider. If they do not, the next person who logs in to the same computer can log in to Amazon Connect without a password, because the token for the previous session is still valid for the duration of the session, which is 12 hours.
<a name="session-expire"></a>
**About session expiration**  
Amazon Connect sessions expire 12 hours after a user logs in. After 12 hours, users are automatically logged out, even if they are currently on a call. If your agents stay logged in for more than 12 hours, they need to refresh the session token before it expires. To create a new session, agents need to log out of Amazon Connect and your IdP and then log in again. This resets the session timer set on the token so that agents are not logged out during an active contact with a customer. When a session expires while a user is logged in, the following message is displayed. To use Amazon Connect again, the user needs to log in to your identity provider.

![\[Error message displayed when the session expires for a SAML-based user.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/saml-session-expired.png)


**Note**  
If you see the **Session expired** message while logging in, you probably just need to refresh the session token. Go to your identity provider and log in. Refresh the Amazon Connect page. If you still get this message, contact your IT team.

# Troubleshoot SAML with Amazon Connect
<a name="troubleshoot-saml"></a>

This article explains how to troubleshoot and resolve some of the most common issues customers encounter when using SAML with Amazon Connect.

If you're troubleshooting your integration with other identity providers such as Okta, Ping Identity, Azure AD, and more, see [Amazon Connect SSO Setup Workshop](https://catalog.workshops.aws/workshops/33e6d0e7-f927-4531-abb1-f28a86ba0872/en-US). 

## Error Message: Access Denied. Your account has been authenticated, but has not been onboarded to this application.
<a name="troubleshoot-saml-access-denied"></a>

![\[The error message: access denied.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/saml-troubleshooting-access-denied.png)


### What does this mean?
<a name="troubleshoot-saml-access-denied-what"></a>

This error means that the user has successfully authenticated using SAML into the AWS SAML login endpoint. However, the user could not be matched/found inside Amazon Connect. This usually indicates one of the following: 
+ The username in Amazon Connect doesn't match the `RoleSessionName` SAML attribute specified in the SAML response returned by the identity provider.
+ The user doesn't exist in Amazon Connect.
+ The user has two separate profiles assigned to them with SSO.

### Resolution
<a name="troubleshoot-saml-access-denied-resolution"></a>

Use the following steps to check the RoleSessionName SAML attribute specified in the SAML response returned by the identity provider, and then retrieve and compare with the login name in Amazon Connect. 

1. Perform a HAR capture (**H**TTP **AR**chive) for the end-to-end login process. This captures the network requests from the browser side. Save the HAR file with your preferred file name, for example, **saml.har**. 

   For instructions, see [How do I create a HAR file from my browser for an AWS Support case?](https://aws.amazon.com/premiumsupport/knowledge-center/support-case-browser-har-file/) 

1. Use a text editor to find the SAMLResponse in the HAR file. Or, run the following commands:

   `$ grep -o "SAMLResponse=.*&" saml.har | sed -E 's/SAMLResponse=(.*)&/\1/' > samlresponse.txt`
   + This searches for the SAMLresponse in the HAR file and saves it to a **samlresponse.txt** file.
   + The response is URL encoded and the contents are Base64 encoded.

1. Decode the URL response and then decode the Base64 contents using a third-party tool or a simple script. For example:

   `$ cat samlresponse.txt | python3 -c "import sys; from urllib.parse import unquote; print(unquote(sys.stdin.read()));" | base64 --decode > samlresponsedecoded.txt`

   This command uses a short Python snippet to decode the SAMLResponse from its original URL-encoded form. It then decodes the result from Base64 and writes the SAML response as plain text.

1. Check the decoded response for the needed attribute. For example, the following image shows how to check `RoleSessionName`:  
![\[The grep command to check rolesessionname.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/saml-troubleshooting-rolesessionname.png)

1. Check whether the user name returned in the previous step exists as a user in your Amazon Connect instance (replace `[INSTANCE_ID]` with your instance ID and `[USERNAME]` with the RoleSessionName value):

   `$ aws connect list-users --instance-id [INSTANCE_ID] | grep [USERNAME]`
   + If the final grep does not return a result, the user does not exist in your Amazon Connect instance or was created with different capitalization.
   + If your Amazon Connect instance has many users, the response from the ListUsers API call may be paginated. Use the `NextToken` returned by the API to fetch the rest of the users. For more information, see [ListUsers](https://docs.aws.amazon.com/connect/latest/APIReference/API_ListUsers.html).
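The HAR-to-RoleSessionName procedure above, automated end to end, as an added example that is not code from the Amazon Connect documentation. It reads the SAMLResponse form parameter out of the HAR, URL-decodes and Base64-decodes it, pulls the AWS `Role` and `RoleSessionName` attributes from the assertion XML, and compares the name with the instance's user list the way the last step does, with one addition: a name that matches only when letter case is ignored is reported as `case-mismatch`, since Amazon Connect user names are case sensitive. The HAR fragment, the assertion (account `111122223333`, role `ConnectSamlRole` and provider `ExampleIdP` are placeholders) and the user list are constructed samples standing in for a real capture and a real `list-users` result.

```python
"""Extract RoleSessionName from the SAMLResponse in a HAR capture and compare it with
the user names of an Amazon Connect instance.

Added example, not code from the Amazon Connect documentation. It automates the
grep/decode/compare procedure above and makes the case check explicit: a name that
matches only when letter case is ignored is reported as "case-mismatch", since
Amazon Connect user names are case sensitive. The HAR and the user list are
constructed samples standing in for a real capture and a real list-users result.
"""
import base64
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, unquote

AWS_ATTR_PREFIX = "https://aws.amazon.com/SAML/Attributes/"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def saml_responses_from_har(har: dict):
    """Yield the decoded XML of every SAMLResponse posted in the HAR, in capture order."""
    for entry in har.get("log", {}).get("entries", []):
        post = entry.get("request", {}).get("postData", {})
        params = {p["name"]: p["value"] for p in post.get("params", [])}
        if "SAMLResponse" not in params and post.get("text"):
            # Some browsers record the raw form body instead of a params list.
            params = {k: v[0] for k, v in parse_qs(post["text"]).items()}
        if "SAMLResponse" in params:
            # The form value is URL-encoded Base64; unquote is harmless if already decoded.
            yield base64.b64decode(unquote(params["SAMLResponse"])).decode("utf-8")


def aws_attributes(saml_xml: str) -> dict:
    """Map the AWS attribute names (Role, RoleSessionName, ...) to their value lists."""
    root = ET.fromstring(saml_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name", "")
        if name.startswith(AWS_ATTR_PREFIX):
            attrs[name[len(AWS_ATTR_PREFIX):]] = [
                v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)
            ]
    return attrs


def match_connect_user(role_session_name: str, connect_usernames) -> str:
    """'exact', 'case-mismatch' or 'missing' for role_session_name against the instance's users."""
    names = list(connect_usernames)
    if role_session_name in names:
        return "exact"
    if role_session_name.lower() in {n.lower() for n in names}:
        return "case-mismatch"
    return "missing"


def diagnose(har: dict, connect_usernames) -> list:
    """(RoleSessionName, status) for each SAMLResponse found in the HAR."""
    results = []
    for xml_text in saml_responses_from_har(har):
        for rsn in aws_attributes(xml_text).get("RoleSessionName", []):
            results.append((rsn, match_connect_user(rsn, connect_usernames)))
    return results


# Constructed sample response (account 111122223333, role and provider names are placeholders).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111122223333:role/ConnectSamlRole,arn:aws:iam::111122223333:saml-provider/ExampleIdP</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>Jane.Doe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed HAR fragment: a GET to the IdP, then the browser's POST to the AWS sign-in endpoint.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://idp.example/login"}},
    {"request": {"method": "POST", "url": "https://signin.aws.amazon.com/saml",
                 "postData": {"mimeType": "application/x-www-form-urlencoded", "params": [
                     {"name": "SAMLResponse",
                      "value": quote(base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode(), safe="")},
                     {"name": "RelayState",
                      "value": "https%3A%2F%2Fus-east-1.console.aws.amazon.com%2Fconnect%2Ffederate%2Finstance-id"}]}}},
]}}

# Constructed list-users result: the user exists, but with different capitalization.
SAMPLE_CONNECT_USERS = ["jane.doe", "admin"]

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_HAR, SAMPLE_CONNECT_USERS)))
```

To run it on a real capture, load the file with `json.load` and pass the `Username` values from every page of `list-users` (following `NextToken` as the step above notes); a `case-mismatch` result is the "created with a different case" situation the step describes, and `missing` means the user must be added.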

### Example SAML Response
<a name="example-samlresponse"></a>

Following is an image from a sample SAML Response. In this case, the identity provider (IdP) is Azure Active Directory (Azure AD).

![\[a sample SAML Response.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/saml-troubleshooting-saml-response.png)


## Error Message: Access denied, Please contact your AWS account administrator for assistance.
<a name="troubleshoot-saml-contact-admin"></a>

![\[Error Message: Access denied.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/saml-troubleshooting-access-denied-admin.png)


### What does this mean?
<a name="troubleshoot-saml-bad-request-what"></a>

The role that the user has assumed has successfully authenticated using SAML. However, the role doesn't have permission to call the GetFederationToken API for Amazon Connect. This call is required so the user can log in to your Amazon Connect instance using SAML.

### Resolution
<a name="troubleshoot-saml-bad-request-resolution"></a>

1. Attach a policy that has the permissions for `connect:GetFederationToken` to the role found in the error message. Following is a sample policy:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "Statement1",
               "Effect": "Allow",
               "Action": "connect:GetFederationToken",
               "Resource": [
                   "arn:aws:connect:ap-southeast-2:111122223333:instance/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/user/${aws:userid}"
               ]
           }
       ]
   }
   ```

1. Use the IAM console to attach the policy. Or, use the attach-role-policy API, for example:

   `$ aws iam attach-role-policy --role-name [ASSUMED_ROLE] --policy-arn [POLICY_WITH_GETFEDERATIONTOKEN]`

## Error Message: Session Expired
<a name="saml-sessionexpired-message"></a>

If you see the **Session expired** message while logging in, you probably just need to refresh the session token. Go to your identity provider and log in. Refresh the Amazon Connect page. If you still get this message, contact your IT team.

## Additional resources for Amazon Connect
<a name="additional-resources"></a>

In addition to using the contents of this guide, you can learn more about Amazon Connect by using the following resources.

**Topics**
+ [Amazon Connect API Reference](#acp-api)
+ [Amazon Connect Streams](#streams)
+ [Amazon Connect Chat UI Examples](#chat-example)

### Amazon Connect API Reference
<a name="acp-api"></a>

The [Amazon Connect API Reference](https://docs.aws.amazon.com/connect/latest/APIReference/) describes the API actions that are used to set up and manage your contact center.

### Amazon Connect Streams
<a name="streams"></a>

The [Amazon Connect Streams](https://github.com/aws/amazon-connect-streams) documentation describes how to integrate your existing web applications with Amazon Connect. Streams lets you embed the Contact Control Panel (CCP) UI components into your page and/or handle agent and contact state events directly, giving you control over agent and contact state through an object-oriented, event-driven interface. You can use the built-in interface or build your own from scratch: Streams gives you the power to choose.

### Amazon Connect Chat UI Examples
<a name="chat-example"></a>

The [Amazon Connect Chat SDK and Sample Implementations](https://github.com/amazon-connect/amazon-connect-chat-ui-examples/) provides examples of how to enable your app to engage with Amazon Connect chat. 

# Get administrative support for Amazon Connect
<a name="get-admin-support"></a>

If you are an administrator and need to contact support for Amazon Connect, choose one of the following options:
+ If you have an AWS Support account, go to [Support Center](https://console.aws.amazon.com/support/home) and submit a ticket.
+ Otherwise, open the [AWS Management Console](https://console.aws.amazon.com/) and choose **Amazon Connect**, **Support**, **Create case**.

It's helpful to provide the following information:
+ Your contact center instance ID/ARN. To find your instance ARN, see [Find your Amazon Connect instance ID or ARN](find-instance-arn.md). 
+ Your region. 
+ A detailed description of the issue.