View a markdown version of this page

Rule-based redaction for agent screen recordings in Connect Customer - Amazon Connect Customer

Rule-based redaction for agent screen recordings in Connect Customer

Rule-based redaction for agent screen recordings automatically hides sensitive content from recorded agent desktops based on the browser pages and application windows that agents view during a contact. When an agent navigates to a URL or opens an application window that matches one of your redaction rules, the matching window is masked in the final recording. Redaction is applied when the recording is assembled, so the original unredacted video is not exposed to users who only have access to redacted recordings.

Use rule-based redaction to enforce internal privacy policies that prohibit capturing specific applications or pages that contain customer data.

An example of rule-based redaction applied to an agent screen recording.

How rule-based redaction works

Rule-based redaction evaluates each browser page and application window the agent views during a recorded contact against the redaction rules you configure, and produces a redacted version of the recording in which matching windows are masked. The rest of the agent's screen is unchanged.

The redacted recording is produced in addition to the unredacted original. Both versions are stored in your Amazon S3 bucket under separate prefixes, so you can grant access to each version independently through security profile permissions.

Rule-based redaction runs in three stages.

  • Configure – In a contact flow, add a Set recording, analytics, and processing behavior block, enable screen recording, and enable redaction. In the same block, specify URL rules that match browser pages, window title rules that match native application windows, or both, and choose a mode that either hides or shows the matched content. Redaction applies to every contact that runs through the flow. For instructions, see Configure rule-based redaction.

  • Record – When an agent handles a contact that runs through the flow, their screen is recorded as usual. For rules to match, the Connect Customer browser extension must be installed on every browser the agent uses. For deployment instructions, see Deploy the browser extension.

  • Review – After the contact ends, a redacted version of the recording is available on the contact detail page, subject to the user's security profile. For details, see Review agent screen recordings and Permissions for redacted recordings.

What a redacted recording looks like

The redacted recording is identical to the unredacted recording except that browser windows and application windows that match a rule are masked. The following image shows the same agent screen recorded with rule-based redaction off (left) and on (right) with a rule that redacts aws.amazon.com.

A side-by-side comparison of an agent screen recording with redaction off and on.

Redaction modes

Rule-based redaction uses one of two modes.

  • Denylist - hide matching content – Only content that matches a rule is masked in the final recording; all other content remains visible. Use this mode when agents work across a wide range of applications and you only need to hide specific pages or applications that contain sensitive data.

  • Allowlist - show matching content – Only content that matches a rule remains visible in the final recording; all other browser windows and native application windows are masked. Use this mode when agents are expected to work in a small set of approved applications and you want to exclude everything else.

What rule-based redaction does not do

  • It does not redact voice or chat content. For call recording redaction, see Use sensitive data redaction with Contact Lens. When rule-based redaction is enabled for a contact, Connect Customer stitches the redacted video with the redacted call recording if Contact Lens call recording redaction is also enabled, and with no audio otherwise.

  • It does not hide content at the field level. Entire matching windows are masked; individual fields, DOM elements, or regions within a window cannot be selectively hidden.

  • It does not apply redaction in real time. Redaction is applied only when the recording is assembled after the contact ends.

  • It does not push configuration changes to contacts that are already in progress. Updates to a configuration take effect for the next new contact.

Permissions for redacted recordings

Rule-based redaction introduces two new security profile permissions that control who can view and download redacted screen recordings. Together with the existing screen recording permissions, they let you grant broad access to redacted recordings while restricting the unredacted originals to a smaller group.

Both new permissions are in the Recordings and Transcripts category of the security profile. For general information about security profiles, see Security profiles.

Permission Grants the ability to
Screen recording (redacted) - Access Open the contact detail page media player and view redacted screen recordings.
Screen recording (redacted) - Enable download button Download redacted screen recordings. Requires Screen recording (redacted) - Access.

You assign permissions in the Connect Customer admin website. On the navigation menu, choose Users, then Security profiles.

If a user has both the unredacted and redacted access permissions, and redaction was enabled for the contact, the contact detail page displays the redacted recording.

Limitations

  • URL-based rules match browser pages on Google Chrome, Microsoft Edge, and Mozilla Firefox. Browsers other than Chrome, Edge, and Firefox do not report URLs to the Connect Customer Client Application, so URL rules cannot match pages in those browsers. You can still match windows in other browsers by using window title rules based on the browser's window title.

  • The redacted recording is produced in addition to the unredacted original. Both files are stored in your Amazon S3 bucket. Use Amazon S3 lifecycle policies if you need to expire the unredacted originals on a different shorter schedule than the redacted versions.

  • Each flow block supports up to 100 URL and window title rules. Each pattern string is 1 to 128 characters.

  • Windows is the only supported agent workstation operating system.

Where redacted recordings are stored

Redacted recordings are stored in the same Amazon S3 bucket as unredacted recordings, under a separate prefix.

s3://your-bucket/Analysis/ScreenRecordings/Redacted/year/month/day/contact-id_screen_recording_redacted_UTC-timestamp.mp4

Users with the appropriate permission can view and download redacted recordings from the contact detail page in the Connect Customer admin website. For instructions, see Review agent screen recordings.

AWS Region availability

Rule-based redaction is available in the same AWS Regions that support Connect Customer agent screen recording. For the current list of supported Regions, see Connect Customer endpoints and quotas.

Next steps

To start using rule-based redaction, complete the following steps.

  • Confirm that your Connect Customer instance, agent workstations, and browsers meet the requirements. See System and network requirements.

  • Update the Connect Customer Client Application to version 3.0.2 or later on every agent workstation. See Connect Customer Client Application.

  • Deploy the Connect Customer browser extension to every browser that agents use during recorded contacts. See Deploy the browser extension.

  • In a contact flow, add or update a Set recording, analytics, and processing behavior block to enable screen recording, enable redaction, and configure your rules and mode. See Configure rule-based redaction.

  • Grant the appropriate security profile permissions to the users who need to view redacted or unredacted recordings.

For information about reviewing recordings after they are redacted, see Review agent screen recordings. For troubleshooting, see Download log files for the screen recording app. For frequently asked questions, see Frequently asked questions about Connect Customer screen recording capabilities.