

# Data protection in Amazon Connect
<a name="data-protection"></a>

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Amazon Connect. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with Amazon Connect or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

**Topics**
+ [Data handled by Amazon Connect](data-handled-by-connect.md)
+ [Encryption at rest in Amazon Connect](encryption-at-rest.md)
+ [Encryption in transit in Amazon Connect](encryption-in-transit.md)
+ [Key management in Amazon Connect](key-management.md)
+ [VPC endpoints (AWS PrivateLink)](vpc-interface-endpoints.md)
+ [Service Improvement and how to opt out from using your data for service improvement](data-opt-out.md)

# Data handled by Amazon Connect
<a name="data-handled-by-connect"></a>

Data held within Amazon Connect is segregated by the AWS account ID and the Amazon Connect instance ID. This ensures that data can be accessed only by the authorized users of a specific Amazon Connect instance.

Amazon Connect handles a variety of data related to the contact center, including but not limited to the following categories. 
+ **Resources and configurations** – This includes queues, flows, users, routing profiles, and task templates.
+ **Contact metadata** – This includes connection time, handle time, source number (ANI), destination number (DNIS), and user defined contact attributes.
+ **Agent-related performance data** – This includes login time, status changes, and contacts handled.
+ **Phone call audio streams** – When enabled, this also includes call recordings.
+ **Chat transcripts** – Included only if enabled in flows.
+ **Screen recordings** – Included only if enabled in flows.
+ **Attachments** – Included only if enabled at the instance level.
+ **Integration configuration** – Includes the user-defined name, description, and metadata supplied when creating an integration with an external application.
+ **Knowledge documents** – This includes documents used by agents to handle contacts.
+ **Voiceprints** – When Amazon Connect Voice ID is enabled, a voiceprint is created from the customer's voice for future authentication. Similarly, a voiceprint is created while registering a fraudster in the Voice ID system for future fraud detection.
+ **Speaker and Fraudster Audio** – When Amazon Connect Voice ID is enabled, the audio used for enrolling speakers and registering fraudsters is stored so that Voice ID can re-enroll and re-register them in the future if needed.
+ **Forecasts, capacity plans, and schedules** – Included only if enabled and created.

Amazon Connect stores the following Personally Identifiable Information (PII) data related to your customers:
+ The customer's phone number: ANI for inbound calls, and DNIS for outbound calls or transfers.
+ If you are using Amazon Connect Customer Profiles, all this data could potentially be PII. This data is always encrypted at rest using either a customer managed key or an AWS owned key. The Amazon Connect Customer Profiles data is segregated by the AWS account ID and the domain. Multiple Amazon Connect instances can share a single Customer Profiles domain.
+ For outbound campaigns, Amazon Pinpoint passes customer phone numbers and relevant attributes to Amazon Connect. On the Amazon Connect side, these are always encrypted at rest using either a customer managed key or an AWS owned key. The outbound campaigns data is segregated by the Amazon Connect instance ID and is encrypted with instance-specific keys.

## External application data
<a name="external-application-data"></a>

Amazon AppIntegrations enables you to integrate with external applications. It stores references to other AWS resources and client-service specified metadata. No data is stored other than incidentally while being processed. When syncing data periodically with an Amazon Connect service, data is encrypted using a customer managed key and stored temporarily for one month. 

## Phone call media
<a name="phone-call-media-handling"></a>

Amazon Connect is in the audio path for calls handled by the service. It is therefore responsible for relaying the call’s media stream between participants. This can include the audio between a customer and a flow / IVR, the audio between a customer and an agent, or mixing the audio between multiple parties in a conference or during a transfer. There are two types of phone calls:
+ PSTN calls. This includes inbound customer calls, outbound calls placed by agents to customers, and calls to an agent’s physical phone, if this option has been enabled in the Contact Control Panel (CCP).
+ Softphone calls placed to the agent’s browser.

PSTN calls are connected between Amazon Connect and various telecommunications carriers using either private circuits maintained between Amazon Connect and our providers or existing AWS internet connectivity. For PSTN calls routed over the public internet, signaling is encrypted with TLS and the audio media is encrypted with SRTP.

Softphone calls are established to the agent’s browser with an encrypted WebSocket connection using TLS. The audio media traffic to the browser is encrypted in transit using DTLS-SRTP.

## Call recordings and screen recordings
<a name="call-recording-handling"></a>

At the instance level, the call recording and screen recording capabilities are available by default once an Amazon S3 bucket has been created for them. You determine which contacts are recorded by specifying it in the flows, which gives you fine-grained control over which contacts are recorded.

Note the following behavior for call recordings:
+ The call recording feature has options for choosing whether to record the customer and system audio during IVR interactions or any combination of customer, agent, or both during agent interactions. 
+ There are a total of two possible recordings per contact: one for automated interactions (that is, IVR) and one for agent interactions. Enabling or disabling recording for automated interactions takes effect immediately. Conversely, modifying recording for agent interactions only takes effect after the agent joins the call.
+ Agent audio is NOT transmitted to Amazon Connect when the agent is not on a call. On November 9, 2023, Amazon Connect deployed an optimization to improve agent productivity that pre-configures the microphone media stream of the agent's browser before the contact arrives. This reduces setup time for both incoming and outgoing calls. As a result, the microphone icon in the agent's browser appears to be on, even when the agent is not on a call. 
+ When a customer is on hold during agent interaction, the agent is still recorded.
+ The transfer conversation between agents is recorded.
+ When a call is transferred during a flow or IVR interaction (for example, by using the Transfer to phone number block), the recording continues to capture what the customer says and hears even after they are transferred to an external voice system.
+ Any transfers to external numbers during the agent interaction are not recorded after the agent leaves the call.
+ If a participant mutes their own microphone, for example, to consult with someone sitting next to them, their side-bar conversation is not recorded.

Screen recording only records the agent's screen if the contact is enabled for screen recording. Screen recording begins when the agent accepts a contact and ends when the agent completes the after contact work. Screen recording supports the voice, chat, and task channels.

**Important**  
During a video call or screen sharing session, agents are able to see the customer's video or screen share even when the customer is on hold. It is the customer's responsibility to handle PII accordingly. If you want to change this behavior, you can build a custom CCP and communication widget. For more information, see [Integrate in-app, web, video calling, and screen sharing natively into your application](config-com-widget2.md).

You can limit access to the call and screen recordings based on user permissions. Recordings can be searched and played back within the Amazon Connect admin website.

### Call recording and screen recording storage
<a name="call-recording-storage"></a>

Call and screen recordings are stored in two phases:
+ Recordings intermediately held within Amazon Connect during and after the contact, but before delivery.
+ Recordings delivered to your Amazon S3 bucket.

The recordings that are stored in your Amazon S3 bucket are secured using a KMS key that was configured when your instance was created. 

At all times, you maintain full control over the security of call recordings delivered to your Amazon S3 bucket.

### Access to call recordings and screen recordings
<a name="call-recording-access"></a>

You can search for and listen to call recordings or view screen recordings in Amazon Connect. To determine which users can do this, assign them the appropriate permissions in their security profile. If AWS CloudTrail is enabled, access to specific recordings by Amazon Connect users is captured in CloudTrail. 

The capabilities of Amazon S3, AWS KMS, and IAM put you in full control of who has access to call recording data.

## Contact metadata
<a name="contact-metadata"></a>

Amazon Connect stores metadata related to contacts that flow through the system and allows authorized users to access this information. The Contact Search feature allows you to search and view contact data, such as origination phone numbers or other attributes set by the flow, that are associated with a contact for diagnostics or reporting purposes. 

Contact data classified as PII that is stored by Amazon Connect is encrypted at rest using a key that is time-limited and specific to the Amazon Connect instance. Specifically, the customer origination phone number is cryptographically hashed with a key that is specific to the instance to allow for use in contact search. For contact search, the encryption key is not time-sensitive. 
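The paragraph above describes keyed hashing of the origination number so that it stays searchable without being stored in the clear. The following Python is an added illustration of that technique (a per-instance HMAC key, a search index keyed by the digest); it is not Amazon Connect's own implementation, and the phone numbers, contact IDs and the `ContactIndex` class are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, List

# Added example, not Amazon Connect code: keyed hashing of phone numbers for
# contact search. A per-instance secret key makes the digest unrelated across
# instances and impossible to recompute without the key.


def normalize_phone(number: str) -> str:
    """Reduce a phone number to '+' followed by its digits so that the same number
    written in different formats ('+1 (555) 123-4567', '15551234567') hashes equally."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("phone number contains no digits")
    return "+" + digits


def hash_phone(instance_key: bytes, number: str) -> str:
    """HMAC-SHA256 of the normalized number under the instance-specific key."""
    return hmac.new(instance_key, normalize_phone(number).encode(), hashlib.sha256).hexdigest()


class ContactIndex:
    """Toy contact-search index: contacts are stored under the hashed origination
    number, so a search hashes the query and never needs the clear-text number."""

    def __init__(self, instance_key: bytes) -> None:
        self._key = instance_key
        self._by_hash: Dict[str, List[str]] = {}

    def add(self, contact_id: str, origination_number: str) -> None:
        self._by_hash.setdefault(hash_phone(self._key, origination_number), []).append(contact_id)

    def search(self, origination_number: str) -> List[str]:
        return list(self._by_hash.get(hash_phone(self._key, origination_number), []))


def demo() -> Dict[str, object]:
    """Two constructed instances with independent keys; contacts are constructed samples."""
    instance_a = secrets.token_bytes(32)
    instance_b = secrets.token_bytes(32)
    index = ContactIndex(instance_a)
    index.add("contact-001", "+1 (555) 123-4567")
    index.add("contact-002", "+15559876543")
    index.add("contact-003", "15551234567")  # same number as contact-001, different format
    return {
        "same_number_found": index.search("+15551234567"),
        "unknown_number_found": index.search("+15550000000"),
        "digest_differs_per_instance": hash_phone(instance_a, "+15551234567")
        != hash_phone(instance_b, "+15551234567"),
    }


if __name__ == "__main__":
    print(demo())
```

The key is what carries the security: phone numbers have little entropy, so an unkeyed hash could be inverted by enumeration, whereas the HMAC digest is only useful to whoever holds that instance's key.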

The following data stored by Amazon Connect is treated as sensitive:
+ Origination phone number
+ Outbound phone number
+ External numbers dialed by agents for transfers
+ External numbers transferred to by a flow
+ Contact name
+ Contact description
+ All contact attributes
+ All contact references

## Contact Lens real-time processing
<a name="real-time-processing-data"></a>

Content processed by Contact Lens in real-time is encrypted at rest and in transit. Data is encrypted with keys owned by Contact Lens.

Contact Lens persists data (transcript, category names, and so on) on the Amazon Connect side for a short period of time. This ensures that the API serves data continuously, for up to 24 hours after the contact terminates.

## Voiceprints and Voice ID audio recordings
<a name="voiceprints-data-protection"></a>

When you enable Amazon Connect Voice ID, it computes voiceprints out of your customer's speech for authenticating them in future, and stores the data. Similarly, when you enable fraud detection, it stores the voiceprint for each fraudster registered in Voice ID. 

While enrolling a customer into Voice ID for authentication and fraud detection, you must specify a `CustomerSpeakerId` for them. Since Voice ID stores biometric information for each speaker, we strongly recommend that you use an identifier that does not contain PII in the `CustomerSpeakerId` field. 

## Speaker and Fraudster Audio
<a name="speaker-fraudster-audio-data-protection"></a>

When you enable Amazon Connect Voice ID, it stores a compacted version of the audio (called utterances) that it aggregated while enrolling a speaker or registering a fraudster. This audio is used in the future whenever the voiceprints for the speakers and fraudsters need to be regenerated. The data is retained until the speaker/fraudster is deleted. The original audio used for enrollment or evaluation is deleted after a 24-hour retention period.

The data is retained until the speaker/fraudster is deleted or opted out.

## Outbound campaigns
<a name="outbound-communications-data-protection"></a>

For outbound campaigns, Amazon Pinpoint passes customer phone numbers and relevant attributes to Amazon Connect. On Amazon Connect, these are always encrypted at rest using either a customer managed key or an AWS owned key. The outbound campaigns data is segregated by the Amazon Connect instance ID and is encrypted with instance-specific keys.

## Task templates
<a name="task-templates-data-protection"></a>

Any processing of task template resources in Amazon Connect is encrypted at rest and in transit. Data is encrypted with an AWS KMS key.

## Forecasts, Capacity Plans, and Schedules
<a name="forecasts-data-protection"></a>

When forecasts, capacity plans, and schedules are generated, they are always encrypted at rest and in transit. Data is encrypted with an AWS KMS key.

# Encryption at rest in Amazon Connect
<a name="encryption-at-rest"></a>

Contact data classified as PII, or data that represents customer content being stored by Amazon Connect, is encrypted at rest (that is, before it is put, stored, or saved to a disk) using AWS KMS encryption keys owned by AWS. For information about AWS KMS keys, see [What is AWS Key Management Service?](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) in the *AWS Key Management Service Developer Guide*. Contact data in non-temporary storage is encrypted such that data encryption keys generated from the KMS keys are not shared across Amazon Connect instances.

Amazon S3 server-side encryption is used to encrypt conversation recordings (voice and chat). Call recordings, screen recordings, and transcripts are stored in two phases:
+ Recordings intermediately held within Amazon Connect during and after the contact, but before delivery.
+ Recordings delivered to your Amazon S3 bucket.

The recordings and chat transcripts that are stored in your Amazon S3 bucket are secured using a KMS key that was configured when your instance was created. 

For more information about key management in Amazon Connect, see [Key management in Amazon Connect](key-management.md).

**Topics**
+ [Amazon AppIntegrations](#encryption-at-rest-appintegrations)
+ [Amazon Connect Cases](#encryption-at-rest-cases)
+ [Amazon Connect Customer Profiles](#encryption-at-rest-customer-profiles)
+ [Connect AI agents](#encryption-at-rest-wisdom)
+ [Amazon Connect Voice ID encryption at rest](#encryption-at-rest-voiceid)
+ [Outbound campaigns encryption at rest](#encryption-at-rest-outboundcommunications)
+ [Forecasts, capacity plans, and schedules](#forecasts-encryption-at-rest-)

## Amazon AppIntegrations data encryption at rest
<a name="encryption-at-rest-appintegrations"></a>

When you create a DataIntegration encrypted with a customer managed key, Amazon AppIntegrations creates a grant on your behalf by sending a `CreateGrant` request to AWS KMS. Grants in AWS KMS are used to give Amazon AppIntegrations access to a KMS key in your account. 

You can revoke access to the grant, or remove the access that Amazon AppIntegrations has to the customer managed key, at any time. If you do, Amazon AppIntegrations cannot access any of the data encrypted by the customer managed key, which affects operations that depend on that data.

External application data that Amazon AppIntegrations processes is encrypted at rest in an S3 bucket using the customer managed key that you provided during configuration. Integration configuration data is encrypted at rest using a key that is time-limited and specific to the user account.

Amazon AppIntegrations requires the grant to use the customer managed key for the following internal operations:
+ Send `GenerateDataKeyRequest` to AWS KMS to generate data keys encrypted by your customer managed key.
+ Send `Decrypt` requests to AWS KMS to decrypt encrypted data keys so that they can be used to encrypt your data.

## Amazon Connect Cases encryption at rest
<a name="encryption-at-rest-cases"></a>

All customer provided data in case fields, case comments, descriptions of the fields and templates stored by Amazon Connect Cases is encrypted at rest using encryption keys stored in AWS Key Management Service (AWS KMS). 

The Amazon Connect Cases service owns, manages, monitors, and rotates the encryption keys (that is, AWS owned keys) to meet high security standards. The payload of the case event streams is temporarily (typically for a few seconds) stored in Amazon EventBridge before it is made available through the default bus in the customer's account. EventBridge also encrypts the entire payload at rest using AWS owned keys.

## Amazon Connect Customer Profiles encryption at rest
<a name="encryption-at-rest-customer-profiles"></a>

All user data stored in Amazon Connect Customer Profiles is encrypted at rest. Amazon Connect Customer Profiles encryption at rest provides enhanced security by encrypting all your data at rest using encryption keys stored in AWS Key Management Service (AWS KMS). This functionality helps reduce the operational burden and complexity involved in protecting sensitive data. With encryption at rest, you can build security-sensitive applications that meet strict encryption compliance and regulatory requirements.

Organizational policies, industry or government regulations, and compliance requirements often require the use of encryption at rest to increase the data security of your applications. Customer Profiles is integrated with AWS KMS to enable its encryption-at-rest strategy. For more information, see [AWS Key Management Service Concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html) in the *AWS Key Management Service Developer Guide*.

When creating a new domain, you must provide a [KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys) that the service will use to encrypt your data in transit and at rest. The customer managed key is created, owned, and managed by you. You have full control over the customer managed key (AWS KMS charges apply).

You can specify an encryption key when you create a new domain or profile object type, or switch the encryption keys on existing resources, by using the AWS Command Line Interface (AWS CLI) or the Amazon Connect Customer Profiles Encryption API. When you choose a customer managed key, Amazon Connect Customer Profiles creates a grant to the customer managed key that grants it access to that key.

AWS KMS charges apply for a customer managed key. For more information about pricing, see [AWS KMS pricing](https://aws.amazon.com/kms/pricing/). 

## Connect AI agents encryption at rest
<a name="encryption-at-rest-wisdom"></a>

All user data stored in Connect AI agents is encrypted at rest using encryption keys stored in AWS Key Management Service. If you optionally provide a customer managed key, Connect AI agents uses it to encrypt knowledge content stored at rest outside of Connect AI agents search indices. Connect AI agents uses dedicated search indices per customer and they are encrypted at rest by using AWS owned keys stored in AWS Key Management Service. Additionally, you can use CloudTrail to audit any data access using the Connect AI agents APIs.

AWS KMS charges apply when using a key that you provide. For more information about pricing, see [AWS KMS pricing](https://aws.amazon.com/kms/pricing/).

## Amazon Connect Voice ID encryption at rest
<a name="encryption-at-rest-voiceid"></a>

Amazon Connect Voice ID stores customer voiceprints which cannot be reverse-engineered to obtain the enrolled customer's speech or identify a customer. All user data stored in Amazon Connect Voice ID is encrypted at rest. When creating a new Voice ID domain, you must provide a customer managed key that the service uses to encrypt your data at rest. The customer managed key is created, owned, and managed by you. You have full control over the key.

You can update the KMS key in the Voice ID domain by using the `update-domain` command in the AWS Command Line Interface (AWS CLI), or the [UpdateDomain](https://docs.aws.amazon.com/voiceid/latest/APIReference/API_UpdateDomain.html) Voice ID API.

When you change the KMS key, an asynchronous process will be triggered to re-encrypt the old data with the new KMS key. After this process completes, all of your domain's data will be encrypted under the new KMS key, and you may safely retire the old key. For more information, see [UpdateDomain](https://docs.aws.amazon.com/voiceid/latest/APIReference/API_UpdateDomain.html).

Voice ID creates a grant to the customer managed key that grants it access to the key. For more information, see [How Amazon Connect Voice ID uses grants in AWS KMS](#voiceid-uses-grants). 

Following is a list of data that is encrypted at rest using the customer managed key:
+ **Voiceprints**: The voiceprints generated while enrolling the speakers and registering fraudsters into the system.
+ **Speaker and fraudster audio**: The audio data used for enrolling the speakers and registering the fraudsters.
+ **CustomerSpeakerId**: The customer-provided SpeakerId while enrolling the customer into Voice ID. 
+ **Customer-provided metadata**: These include free-form strings such as `Domain Description`, `Domain Name`, `Job Name`, and more.

AWS KMS charges apply for a customer managed key. For more information about pricing, see [AWS KMS pricing](https://aws.amazon.com/kms/pricing/). 

### How Amazon Connect Voice ID uses grants in AWS KMS
<a name="voiceid-uses-grants"></a>

Amazon Connect Voice ID requires a grant to use your customer managed key. When you create a domain, Voice ID creates a grant on your behalf by sending a [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) request to AWS KMS. The grant is required to use your customer managed key for the following internal operations:
+ Send [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) requests to AWS KMS to verify that the symmetric customer managed key ID provided is valid. 
+ Send [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) requests to AWS KMS to create data keys with which to encrypt objects.
+ Send [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) requests to AWS KMS to decrypt the encrypted data keys so that they can be used to encrypt your data. 
+ Send [ReEncrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html) requests to AWS KMS when the key is updated to re-encrypt a limited set of data using the new key.
+ Store files in S3 using the AWS KMS key to encrypt the data.

You can revoke access to the grant, or remove the service's access to the customer managed key at any time. If you do, Voice ID won't be able to access any of the data encrypted by the customer managed key, which affects all the operations that are dependent on that data, leading to `AccessDeniedException` errors and failures in the asynchronous workflows.

### Customer managed key policy for Voice ID
<a name="encryption-at-rest-cmkpolicy-voiceid"></a>

Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify a key policy. For more information, see [Managing access to KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html#managing-access) in the *AWS Key Management Service Developer Guide*.

Following is an example key policy which gives a user the permissions they need to call all Voice ID APIs using the customer managed key:

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow key access to Amazon Connect VoiceID.",
            "Effect": "Allow",
            "Principal": {
                "AWS": "your_user_or_role_ARN"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": [
                        "voiceid.us-east-1.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------

For information about specifying permissions in a policy, see [Specifying KMS keys in IAM policy statements](https://docs.aws.amazon.com/kms/latest/developerguide/cmks-in-iam-policies.html) in the *AWS Key Management Service Developer Guide*.

For information about troubleshooting key access, see [Troubleshooting key access](https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html) in the *AWS Key Management Service Developer Guide*.

### Voice ID encryption context
<a name="voiceid-encryption-context"></a>

An [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) is an optional set of key-value pairs that contain additional contextual information about the data. AWS KMS uses the encryption context as [additional authenticated data](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html) to support [authenticated encryption](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#digital-sigs).

When you include an encryption context in a request to encrypt data, AWS KMS binds the encryption context to the encrypted data. To decrypt data, you include the same encryption context in the request. 

Voice ID uses the same encryption context in all AWS KMS cryptographic operations, where the key is `aws:voiceid:domain:arn` and the value is the domain's [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html).

```
"encryptionContext": {
   "aws:voiceid:domain:arn": "arn:aws:voiceid:us-west-2:111122223333:domain/sampleDomainId"
}
```

You can also use the encryption context in audit records and logs to identify how the customer managed key is being used. The encryption context also appears in logs generated by CloudTrail or Amazon CloudWatch Logs.

#### Using encryption context to control access to your customer managed key
<a name="encryption-context-customer-managed-key"></a>

You can use the encryption context in key policies and IAM policies as conditions to control access to your symmetric customer managed key. You can also use encryption context constraints in a grant.

Amazon Connect Voice ID uses an encryption context constraint in grants to control access to the customer managed key in your account or Region. The grant constraint requires that the operations that the grant allows use the specified encryption context.

The following are example key policy statements to grant access to a customer managed key for a specific encryption context. The condition in this policy statement requires that the grants have an encryption context constraint that specifies the encryption context.

```
{
    "Sid": "Enable DescribeKey",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"
    },
    "Action": "kms:DescribeKey",
    "Resource": "*"
},
{
    "Sid": "Enable CreateGrant",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"
    },
    "Action": "kms:CreateGrant",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:EncryptionContext:aws:voiceid:domain:arn": "arn:aws:voiceid:us-west-2:111122223333:domain/sampleDomainId"
        }
    }
}
```
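To make the effect of the two conditions concrete, the following Python is an added example (not AWS code, and not a substitute for IAM's own evaluation or the policy simulator) that models how the `kms:ViaService` condition in the Voice ID key policy earlier on this page and the `kms:EncryptionContext:aws:voiceid:domain:arn` condition above decide a request. It covers only what those policies use: AWS principals, Allow/Deny, `Action` wildcards and `StringEquals`. The role ARN `arn:aws:iam::111122223333:role/VoiceIdAdminRole` stands in for the page's `your_user_or_role_ARN` placeholder and the request dictionaries are an assumed shape; the other ARNs are the page's sample values.

```python
import fnmatch
from typing import Any, Dict, List, Optional

# Added example, not AWS code: a simplified key-policy evaluator. Real IAM evaluation
# also involves identity policies, grants and many more condition operators.

VOICE_ID_ADMIN_ROLE = "arn:aws:iam::111122223333:role/VoiceIdAdminRole"  # assumed placeholder
READ_ONLY_ROLE = "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"     # from the page
SAMPLE_DOMAIN_ARN = "arn:aws:voiceid:us-west-2:111122223333:domain/sampleDomainId"

KEY_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {   # the ViaService-scoped statement from the Voice ID key policy on this page
            "Sid": "Allow key access to Amazon Connect VoiceID.",
            "Effect": "Allow",
            "Principal": {"AWS": VOICE_ID_ADMIN_ROLE},
            "Action": ["kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey"],
            "Resource": "*",
            "Condition": {"StringEquals": {"kms:ViaService": ["voiceid.us-east-1.amazonaws.com"]}},
        },
        {   # the encryption-context-constrained CreateGrant statement above
            "Sid": "Enable CreateGrant",
            "Effect": "Allow",
            "Principal": {"AWS": READ_ONLY_ROLE},
            "Action": "kms:CreateGrant",
            "Resource": "*",
            "Condition": {"StringEquals": {
                "kms:EncryptionContext:aws:voiceid:domain:arn": SAMPLE_DOMAIN_ARN}},
        },
    ],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _request_value(request: Dict[str, Any], condition_key: str) -> Optional[str]:
    """Map an IAM condition key onto the value the request carries. For CreateGrant
    the encryption context is the grant's constraint; for Decrypt and similar calls
    it is the context supplied with the request."""
    prefix = "kms:EncryptionContext:"
    if condition_key.startswith(prefix):
        return request.get("encryption_context", {}).get(condition_key[len(prefix):])
    if condition_key == "kms:ViaService":
        return request.get("via_service")
    return None


def _conditions_hold(condition: Dict[str, Dict[str, Any]], request: Dict[str, Any]) -> bool:
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, allowed in pairs.items():
            actual = _request_value(request, key)
            # A missing condition key, or a value outside the allowed list, fails the test.
            if actual is None or actual not in _as_list(allowed):
                return False
    return True


def evaluate(policy: Dict[str, Any], request: Dict[str, Any]) -> str:
    """Return 'Allow', 'Deny' (an explicit Deny always wins) or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        principals = _as_list(principal if isinstance(principal, str) else principal.get("AWS", []))
        if request["principal"] not in principals and "*" not in principals:
            continue
        if not any(fnmatch.fnmatchcase(request["action"], p) for p in _as_list(stmt["Action"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), request):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Decrypt through the Voice ID endpoint in the scoped Region is allowed ...
    print(evaluate(KEY_POLICY, {"principal": VOICE_ID_ADMIN_ROLE, "action": "kms:Decrypt",
                                "via_service": "voiceid.us-east-1.amazonaws.com"}))
    # ... but the same call made directly to KMS, bypassing the service, is not.
    print(evaluate(KEY_POLICY, {"principal": VOICE_ID_ADMIN_ROLE, "action": "kms:Decrypt"}))
```

The two denials worth noting are the ones the conditions exist for: a principal that holds the key permissions but calls KMS directly (no `kms:ViaService` value) gets nothing, and a `CreateGrant` whose constraint names a different domain ARN is refused, so a grant cannot be created that would let the key be used outside the intended Voice ID domain.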

### Monitoring your encryption keys for Voice ID
<a name="monitoring-encryption-keys"></a>

When you use an AWS KMS customer managed key with Voice ID, you can use [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) or [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) to track requests that Voice ID sends to AWS KMS. 
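As an added example of what such tracking can look like in practice (not AWS code), the following Python reviews CloudTrail records for the KMS calls against one Voice ID domain's customer managed key. It counts the operations seen and flags grants that were not created by Voice ID or that lack the `aws:voiceid:domain:arn` constraint, as well as operations that take the key away from the service (the page notes that revoking the grant produces `AccessDeniedException` errors in its asynchronous workflows). The key and domain ARNs, `GRANT_ID_PLACEHOLDER`, the `evt-*` event IDs and the records themselves are constructed, modelled on the sample events that follow.

```python
from collections import Counter
from typing import Any, Dict, List, Tuple

# Added example, not AWS code: review CloudTrail KMS records for the customer managed
# key of one Voice ID domain. ARNs and records are constructed placeholders.

EXPECTED_KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/44444444-3333-2222-1111-EXAMPLE11111"
EXPECTED_DOMAIN_ARN = "arn:aws:voiceid:us-west-2:111122223333:domain/sampleDomainId"
VOICE_ID_SERVICE = "voiceid.amazonaws.com"
# Operations after which Voice ID can no longer use the key for data it encrypted.
LOSS_OF_ACCESS_EVENTS = {"RevokeGrant", "RetireGrant", "DisableKey", "ScheduleKeyDeletion"}

CLOUDTRAIL_RECORDS: List[Dict[str, Any]] = [
    {   # grant created by Voice ID itself, constrained to the domain (expected)
        "eventID": "evt-0001", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/SampleUser",
                         "invokedBy": VOICE_ID_SERVICE},
        "requestParameters": {
            "keyId": EXPECTED_KEY_ARN, "granteePrincipal": "voiceid.amazonaws.com ",
            "retiringPrincipal": VOICE_ID_SERVICE,
            "constraints": {"encryptionContextSubset": {"aws:voiceid:domain:arn": EXPECTED_DOMAIN_ARN}}},
        "resources": [{"type": "AWS::KMS::Key", "ARN": EXPECTED_KEY_ARN}],
    },
    {   # routine key check by the service (expected)
        "eventID": "evt-0002", "eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
        "userIdentity": {"type": "AWSService", "invokedBy": VOICE_ID_SERVICE},
        "requestParameters": {"keyId": "alias/sample-key-alias"},
        "resources": [{"type": "AWS::KMS::Key", "ARN": EXPECTED_KEY_ARN}],
    },
    {   # grant created directly by a role, to another principal, without the domain constraint
        "eventID": "evt-0003", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/SampleUser"},
        "requestParameters": {"keyId": EXPECTED_KEY_ARN,
                              "granteePrincipal": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"},
        "resources": [{"type": "AWS::KMS::Key", "ARN": EXPECTED_KEY_ARN}],
    },
    {   # the service's grant being revoked
        "eventID": "evt-0004", "eventSource": "kms.amazonaws.com", "eventName": "RevokeGrant",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/SampleUser"},
        "requestParameters": {"keyId": EXPECTED_KEY_ARN, "grantId": "GRANT_ID_PLACEHOLDER"},
        "resources": [{"type": "AWS::KMS::Key", "ARN": EXPECTED_KEY_ARN}],
    },
    {   # a call against a different key, which the review ignores
        "eventID": "evt-0005", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
        "userIdentity": {"type": "AWSService", "invokedBy": "s3.amazonaws.com"},
        "requestParameters": {"keyId": "arn:aws:kms:us-west-2:111122223333:key/OTHER-KEY-PLACEHOLDER"},
        "resources": [{"type": "AWS::KMS::Key",
                       "ARN": "arn:aws:kms:us-west-2:111122223333:key/OTHER-KEY-PLACEHOLDER"}],
    },
]


def key_arn_of(record: Dict[str, Any]) -> str:
    """CloudTrail resolves an alias into the key ARN under 'resources'; fall back to keyId."""
    for res in record.get("resources") or []:
        if res.get("type") == "AWS::KMS::Key":
            return res["ARN"]
    return (record.get("requestParameters") or {}).get("keyId", "")


def review_kms_events(records: List[Dict[str, Any]], expected_key_arn: str = EXPECTED_KEY_ARN,
                      expected_domain_arn: str = EXPECTED_DOMAIN_ARN) -> Dict[str, Any]:
    """Count KMS operations on the domain's key and collect (eventID, reason) findings."""
    counts: Counter = Counter()
    findings: List[Tuple[str, str]] = []
    for r in records:
        if r.get("eventSource") != "kms.amazonaws.com" or key_arn_of(r) != expected_key_arn:
            continue
        name = r["eventName"]
        counts[name] += 1
        identity = r.get("userIdentity", {})
        actor = identity.get("invokedBy") or identity.get("arn", "unknown")
        params = r.get("requestParameters") or {}
        if name == "CreateGrant":
            grantee = (params.get("granteePrincipal") or "").strip()
            subset = (params.get("constraints") or {}).get("encryptionContextSubset") or {}
            if grantee != VOICE_ID_SERVICE:
                findings.append((r["eventID"], f"grant on Voice ID key to {grantee} by {actor}"))
            if subset.get("aws:voiceid:domain:arn") != expected_domain_arn:
                findings.append((r["eventID"], "grant lacks the expected aws:voiceid:domain:arn constraint"))
        elif name in LOSS_OF_ACCESS_EVENTS:
            findings.append((r["eventID"], f"{name} by {actor}: Voice ID loses access to encrypted data"))
    return {"counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    print(review_kms_events(CLOUDTRAIL_RECORDS))
```

Matching on the key ARN from `resources` rather than on `requestParameters.keyId` matters because the service may address the key by alias, as the `DescribeKey` sample below does.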

The following are sample AWS CloudTrail events for the `CreateGrant` and `DescribeKey` operations called by Voice ID to access data encrypted by your customer managed key:

------
#### [ CreateGrant ]

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROA5STZEFPSZEOW7NP3X:SampleUser1",
        "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/SampleUser",
        "accountId": "111122223333",
        "accessKeyId": "AAAAAAA1111111EXAMPLE",  
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROA5STZEFPSZEOW7NP3X",
                "arn": "arn:aws:iam::111122223333:role/SampleRole",
                "accountId": "111122223333",
                "userName": "SampleUser"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2021-09-14T23:02:23Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "voiceid.amazonaws.com"
    },
    "eventTime": "2021-09-14T23:02:50Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "SampleIpAddress",
    "userAgent": "Example Desktop/1.0 (V1; OS)",
    "requestParameters": {
        "constraints": {
            "encryptionContextSubset": {
                "aws:voiceid:domain:arn": "arn:aws:voiceid:us-west-2:111122223333:domain/sampleDomainId"
            }
        },
        "retiringPrincipal": "voiceid.amazonaws.com",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/44444444-3333-2222-1111-EXAMPLE11111",
        "operations": [
            "CreateGrant",
            "Decrypt",
            "DescribeKey",
            "GenerateDataKey",
            "GenerateDataKeyPair",
            "GenerateDataKeyPairWithoutPlaintext",
            "GenerateDataKeyWithoutPlaintext",
            "ReEncryptFrom",
            "ReEncryptTo"
        ],
        "granteePrincipal": "voiceid.amazonaws.com"
    },
    "responseElements": {
        "grantId": "00000000000000000000000000000cce47be074a8c379ed39f22b155c6e86af82"
    },
    "requestID": "ed0fe4ab-305b-4388-8adf-7e8e3a4e80fe",
    "eventID": "31d0d7c6-ce5b-4caf-901f-025bf71241f6",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/00000000-1111-2222-3333-9999999999999"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

------
#### [ DescribeKey ]

```
{
    "eventVersion": "1.08",
    "userIdentity": {
      "type": "AWSService",
      "invokedBy": "voiceid.amazonaws.com"
    },
    "eventTime": "2021-10-13T15:12:39Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DescribeKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "voiceid.amazonaws.com",
    "userAgent": "voiceid.amazonaws.com",
    "requestParameters": {
        "keyId": "alias/sample-key-alias"
    },
    "responseElements": null,
    "requestID": "ed0fe4ab-305b-4388-8adf-7e8e3a4e80fe",
    "eventID": "31d0d7c6-ce5b-4caf-901f-025bf71241f6",
    "readOnly": true,
    "resources": [{
        "accountId": "111122223333",
        "type": "AWS::KMS::Key",
        "ARN": "arn:aws:kms:us-west-2:111122223333:key/00000000-1111-2222-3333-9999999999999"
    }],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

------
#### [ Decrypt ]

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "voiceid.amazonaws.com"
    },
    "eventTime": "2021-10-12T23:59:34Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "voiceid.amazonaws.com",
    "userAgent": "voiceid.amazonaws.com",
    "requestParameters": {
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/44444444-3333-2222-1111-EXAMPLE11111",
        "encryptionContext": {
            "aws:voiceid:domain:arn": "arn:aws:voiceid:us-west-2:111122223333:domain/sampleDomainId"
        },
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
    },
    "responseElements": null,
    "requestID": "ed0fe4ab-305b-4388-8adf-7e8e3a4e80fe",
    "eventID": "31d0d7c6-ce5b-4caf-901f-025bf71241f6",
    "readOnly": true,
    "resources": [{
        "accountId": "111122223333",
        "type": "AWS::KMS::Key",
        "ARN": "arn:aws:kms:us-west-2:111122223333:key/00000000-1111-2222-3333-9999999999999"
    }],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "sharedEventID": "35d58aa1-26b2-427a-908f-025bf71241f6",
    "eventCategory": "Management"
}
```

------
#### [ GenerateDataKeyWithoutPlaintext ]

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "voiceid.amazonaws.com"
    },
    "eventTime": "2021-10-13T00:26:41Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKeyWithoutPlaintext",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "voiceid.amazonaws.com",
    "userAgent": "voiceid.amazonaws.com",
    "requestParameters": {
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/44444444-3333-2222-1111-EXAMPLE11111",
        "encryptionContext": {
            "aws:voiceid:domain:arn": "arn:aws:voiceid:us-west-2:111122223333:domain/sampleDomainId"
        },
        "keySpec": "AES_256"
    },
    "responseElements": null,
    "requestID": "ed0fe4ab-305b-4388-8adf-7e8e3a4e80fe",
    "eventID": "31d0d7c6-ce5b-4caf-901f-025bf71241f6",
    "readOnly": true,
    "resources": [{
        "accountId": "111122223333",
        "type": "AWS::KMS::Key",
        "ARN": "arn:aws:kms:us-west-2:111122223333:key/00000000-1111-2222-3333-9999999999999"
    }],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "sharedEventID": "35d58aa1-26b2-427a-908f-025bf71241f6",
    "eventCategory": "Management"
}
```

------
#### [ ReEncrypt ]

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "voiceid.amazonaws.com"
    },
    "eventTime": "2021-10-13T00:59:05Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "ReEncrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "voiceid.amazonaws.com",
    "userAgent": "voiceid.amazonaws.com",
    "requestParameters": {
        "destinationEncryptionContext": {
            "aws:voiceid:domain:arn": "arn:aws:voiceid:us-west-2:111122223333:domain/sampleDomainId"
        },
        "destinationKeyId": "arn:aws:kms:us-west-2:111122223333:key/44444444-3333-2222-1111-EXAMPLE11111",
        "sourceEncryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "sourceAAD": "SampleSourceAAAD+JXBmH+ZJNM73BfHE/dwQALXp7Sf44VwvoJOrLj",
        "destinationAAD": "SampleDestinationAAAD+JXBmH+ZJNM73BfHE/dwQALXp7Sf44VwvoJOrLj",
        "sourceEncryptionContext": {
            "aws:voiceid:domain:arn": "arn:aws:voiceid:us-west-2:111122223333:domain/sampleDomainId"
        },
        "destinationEncryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "sourceKeyId": "arn:aws:kms:us-west-2:111122223333:key/55555555-3333-2222-1111-EXAMPLE22222"
    },
    "responseElements": null,
    "requestID": "ed0fe4ab-305b-4388-8adf-7e8e3a4e80fe",
    "eventID": "31d0d7c6-ce5b-4caf-901f-025bf71241f6",
    "readOnly": true,
    "resources": [{
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/00000000-1111-2222-3333-9999999999999"
        },
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/00000000-1111-2222-3333-7777777777777"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "sharedEventID": "35d58aa1-26b2-427a-908f-025bf71241f6",
    "eventCategory": "Management"
}
```

------

## Outbound campaigns encryption at rest
<a name="encryption-at-rest-outboundcommunications"></a>

Outbound campaigns stores customer phone numbers and relevant attributes. This information is always encrypted at rest, using either a customer managed key or an AWS owned key. The data is separated by the Amazon Connect instance ID and is encrypted by instance-specific keys. 

 You can provide your own customer managed key when onboarding to Outbound campaigns.

The service uses your customer managed key to encrypt sensitive data at rest. This key is created, owned, and fully managed by you, giving you complete control over its usage and security.

 If you do not provide your own customer managed key, then Outbound campaigns encrypts sensitive data at rest using an AWS owned key specific to your Amazon Connect instance. You can't view, manage, use, or audit AWS owned keys. However, you don't have to take any action or change any programs to protect the keys that encrypt your data. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the *AWS Key Management Service Developer Guide*. 

 AWS KMS charges apply for a customer managed key. For more information about pricing, see [AWS KMS pricing](https://aws.amazon.com/kms/pricing/). 

### How outbound campaigns uses grants in AWS KMS
<a name="how-outbound-campaigns-uses-grants-in-aws-kms"></a>

 Outbound campaigns requires a grant to use your customer managed key. When you onboard to outbound campaigns using the AWS console or the `StartInstanceOnboardingJob` API, Outbound campaigns creates a grant on your behalf by sending a `CreateGrant` request to AWS KMS. Grants in AWS KMS are used to give the Amazon Connect Outbound campaigns service-linked role access to a KMS key in your account. 

 Outbound campaigns requires the grant to use the customer managed key for the following internal operations: 
+  Send [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) requests to AWS KMS to verify that the symmetric customer managed key ID provided is valid. 
+  Send a `GenerateDataKeyWithoutPlaintext` request to AWS KMS to generate data keys encrypted by your customer managed key. 
+  Send `Decrypt` requests to AWS KMS to decrypt encrypted data keys so that they can be used to encrypt your data. 

You can revoke access to the grant, or remove the access that outbound campaigns has to the customer managed key, at any time. If you do, outbound campaigns cannot access any of the data encrypted by the customer managed key, which affects operations that depend on that data. 

### Customer managed key policy for outbound campaigns
<a name="customer-managed-key-policy-for-outbound-campaigns"></a>

 Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify a key policy. For more information, see [Managing access to KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html#managing-access) in the *AWS Key Management Service Developer Guide*. 

Following is an example key policy that gives a user the permissions they need to call the outbound campaigns [StartInstanceOnboardingJob](https://docs.aws.amazon.com/connect/latest/APIReference/API_connect-outbound-campaigns_StartInstanceOnboardingJob.html), [PutDialRequestBatch](https://docs.aws.amazon.com/connect/latest/APIReference/API_connect-outbound-campaigns_PutDialRequestBatch.html), and [PutOutboundRequestBatch](https://docs.aws.amazon.com/connect/latest/APIReference/API_connect-outbound-campaigns_PutOutboundRequestBatch.html) APIs using the customer managed key: 

------
#### [ JSON ]

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "Allow key access to Amazon Connect outbound campaigns.",
      "Effect": "Allow",
      "Principal": {
        "AWS": "your_user_or_role_ARN"
      },
      "Action": [
        "kms:Decrypt",
        "kms:CreateGrant"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "connect-campaigns.us-east-1.amazonaws.com",
          "kms:EncryptionContext:aws:accountId": "111122223333",
          "kms:EncryptionContext:aws:connect:instanceId": "InstanceID"
        }
      }
    },
    {
      "Sid": "Allow direct access to key metadata to the account",
      "Effect": "Allow",
      "Principal": {
         "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": [
        "kms:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
```

------

 For information about specifying permissions in a policy, see [Specifying KMS keys in IAM policy statements](https://docs.aws.amazon.com/kms/latest/developerguide/cmks-in-iam-policies.html) in the AWS Key Management Service Developer Guide. 

 For information about troubleshooting key access, see [Troubleshooting key access](https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html) in the AWS Key Management Service Developer Guide. 

### Outbound campaigns encryption context
<a name="outbound-campaigns-encryption-context"></a>

An [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) is an optional set of key-value pairs that contain additional contextual information about the data. AWS KMS uses the encryption context as [ additional authenticated data](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html) to support [authenticated encryption](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#digital-sigs). 

 When you include an encryption context in a request to encrypt data, AWS KMS binds the encryption context to the encrypted data. To decrypt data, you include the same encryption context in the request. 

Outbound campaigns uses the same encryption context in all AWS KMS cryptographic operations: the keys are `aws:accountId` and `aws:connect:instanceId`, and the values are your AWS account ID and your Amazon Connect instance ID. 

```
"encryptionContext": {
   "aws:accountId": "111122223333",
   "aws:connect:instanceId": "sample instance id"
}
```

 You can also use the encryption context in audit records and logs to identify how the customer managed key is being used. The encryption context also appears in logs generated by CloudTrail or Amazon CloudWatch Logs. 
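The binding described above, as an added example that is not part of the Amazon Connect documentation or of AWS KMS itself: the Python below uses a toy HMAC-based authenticated cipher (a constructed stand-in for the AES-GCM that KMS uses with `SYMMETRIC_DEFAULT` keys) to show how a canonicalized encryption context becomes additional authenticated data. The same pairs in a different order still decrypt; a changed instance ID or an omitted context is rejected before any plaintext is released. The phone number and the `ffffffff-...` instance ID are constructed sample values.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated cipher: HMAC-SHA256 counter-mode keystream plus an HMAC tag
# over nonce || AAD || ciphertext. It is a constructed stand-in for the AES-GCM
# that AWS KMS uses for SYMMETRIC_DEFAULT keys and exists only to show how the
# encryption context is bound to the ciphertext. Do not use it for real data.


def canonical_context(ctx: dict) -> bytes:
    """Serialize an encryption context deterministically (sorted keys, no
    whitespace) so that the same pairs in any order yield the same AAD."""
    return json.dumps(ctx, sort_keys=True, separators=(",", ":")).encode()


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC subkeys from the root key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, encryption_context: dict) -> bytes:
    """Return nonce || ciphertext || tag, with the encryption context as AAD."""
    nonce = os.urandom(12)
    aad = canonical_context(encryption_context)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + aad + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes, encryption_context: dict) -> bytes:
    """Verify the tag against the supplied context before releasing plaintext.
    A mismatch is reported as an invalid ciphertext, without saying which pair
    differed, which is also how KMS reports a wrong encryption context."""
    nonce, ciphertext, tag = blob[:12], blob[12:-32], blob[-32:]
    aad = canonical_context(encryption_context)
    expected = hmac.new(_subkey(key, b"mac"), nonce + aad + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("InvalidCiphertextException: encryption context does not match")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def _rejects(key: bytes, blob: bytes, ctx: dict) -> bool:
    try:
        decrypt(key, blob, ctx)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Exercise the binding with the outbound campaigns context shape
    (constructed sample values)."""
    key = os.urandom(32)
    ctx = {"aws:accountId": "111122223333",
           "aws:connect:instanceId": "1234abcd-12ab-34cd-56ef-123456SAMPLE"}
    blob = encrypt(key, b"+15555550100", ctx)  # constructed phone number
    results = {}
    # Same pairs, different insertion order: still decrypts.
    reordered = dict(reversed(list(ctx.items())))
    results["reordered_ok"] = decrypt(key, blob, reordered) == b"+15555550100"
    # Another instance's ID in the context: rejected.
    wrong = {**ctx, "aws:connect:instanceId": "ffffffff-ffff-ffff-ffff-ffffffffffff"}
    results["wrong_instance_rejected"] = _rejects(key, blob, wrong)
    # Context omitted entirely: rejected.
    results["missing_rejected"] = _rejects(key, blob, {})
    return results


if __name__ == "__main__":
    print(demo())
```

The canonicalization step is the part worth noticing: because the context is sorted before it is authenticated, callers do not have to agree on key order, only on the exact set of key-value pairs, which is why a single changed value is enough to fail decryption.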

#### Using encryption context to control access to your customer managed key
<a name="using-encryption-context-to-control-access-to-your-customer-managed-key"></a>

 You can use the encryption context in key policies and IAM policies as conditions to control access to your symmetric customer managed key. You can also use encryption context constraints in a grant. 

 Outbound campaigns uses an encryption context constraint in grants to control access to the customer managed key in your account or region. The grant constraint requires that the operations that the grant allows use the specified encryption context. 

 The following are example key policy statements to grant access to a customer managed key for a specific encryption context. The condition in this policy statement requires that the grants have an encryption context constraint that specifies the encryption context. 

```
{
    "Sid": "Enable DescribeKey",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"
     },
     "Action": "kms:DescribeKey",
     "Resource": "*"
},
{
     "Sid": "Enable CreateGrant",
     "Effect": "Allow",
     "Principal": {
         "AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"
     },
     "Action": "kms:CreateGrant",
     "Resource": "*",
     "Condition": {
         "StringEquals": {
             "kms:EncryptionContext:aws:accountId": "111122223333",
             "kms:EncryptionContext:aws:connect:instanceId": "sample instance id"
          }
     }
}
```
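A check a practitioner can run over the two policies above before attaching them, as an added example (not code from the Amazon Connect documentation or from AWS): the Python below lints a key policy, or a bare list of statements like the fragment just shown, and reports every `Allow` statement that grants a grant-creating or ciphertext-touching KMS action without a `kms:EncryptionContext:*` condition. The account-root statement is skipped because it delegates to IAM policies, which need their own review. `PAGE_POLICY` is the outbound campaigns key policy from above; `WEAK_STATEMENTS` is a constructed variant with the condition removed, and `ExampleReadOnlyRole` is the page's sample role name.

```python
from fnmatch import fnmatchcase

# KMS actions that create grants or touch ciphertext: the ones the page scopes
# with an encryption-context condition.
SENSITIVE_ACTIONS = (
    "kms:CreateGrant", "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom", "kms:ReEncryptTo",
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_keys(statement):
    """IAM matches condition keys case-insensitively; normalise to lower case."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def _is_account_root(statement):
    principal = statement.get("Principal")
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal or [])
    return bool(aws) and all(str(p).endswith(":root") for p in aws)


def find_unscoped_statements(policy_or_statements):
    """Return one finding per Allow statement that grants a sensitive KMS action
    without any kms:EncryptionContext:<key> condition. Accepts a full key
    policy document or a bare list of statements."""
    statements = (policy_or_statements["Statement"]
                  if isinstance(policy_or_statements, dict) else policy_or_statements)
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or _is_account_root(stmt):
            continue
        patterns = _as_list(stmt.get("Action", []))
        granted = [a for a in SENSITIVE_ACTIONS if any(fnmatchcase(a, p) for p in patterns)]
        if not granted:
            continue
        keys = _condition_keys(stmt)
        if any(k.startswith("kms:encryptioncontext:") for k in keys):
            continue
        findings.append({"Sid": stmt.get("Sid"), "actions": granted,
                         "has_via_service": "kms:viaservice" in keys})
    return findings


# Statements copied from the outbound campaigns key policy above (page sample values).
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow key access to Amazon Connect outbound campaigns.", "Effect": "Allow",
     "Principal": {"AWS": "your_user_or_role_ARN"},
     "Action": ["kms:Decrypt", "kms:CreateGrant"], "Resource": "*",
     "Condition": {"StringEquals": {
         "kms:ViaService": "connect-campaigns.us-east-1.amazonaws.com",
         "kms:EncryptionContext:aws:accountId": "111122223333",
         "kms:EncryptionContext:aws:connect:instanceId": "InstanceID"}}},
    {"Sid": "Allow direct access to key metadata to the account", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["kms:Describe*"], "Resource": "*"},
]}

# Constructed weak variant: the same kind of principal, but no encryption-context
# condition on Decrypt / GenerateDataKey*. DescribeKey carries no ciphertext and
# is intentionally not flagged.
WEAK_STATEMENTS = [
    {"Sid": "UnscopedDecrypt", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
    {"Sid": "Enable DescribeKey", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"},
     "Action": "kms:DescribeKey", "Resource": "*"},
]


if __name__ == "__main__":
    print("page policy:", find_unscoped_statements(PAGE_POLICY))
    print("weak statements:", find_unscoped_statements(WEAK_STATEMENTS))
```

Wildcards in `Action` are expanded with `fnmatchcase`, so a statement granting `kms:*` or `kms:GenerateDataKey*` is judged by the concrete actions it covers rather than by its literal text. The `has_via_service` flag is informational: the fragment above scopes `CreateGrant` by encryption context alone, and that passes, while the fuller policy adds `kms:ViaService` on top.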

### Monitoring your encryption keys for Outbound campaigns
<a name="monitoring-your-encryption-keys-for-outbound-campaigns"></a>

When you use an AWS KMS customer managed key with your outbound campaigns resources, you can use [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) or [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) to track requests that outbound campaigns sends to AWS KMS. 

The following examples are AWS CloudTrail events for `CreateGrant`, `GenerateDataKeyWithoutPlaintext`, `DescribeKey`, and `Decrypt`, which you can use to monitor the KMS operations that outbound campaigns calls to access data encrypted by your customer managed key: 

------
#### [ CreateGrant ]

```
{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAIGDTESTANDEXAMPLE",
        "arn": "arn:aws:iam::111122223333:role/Admin/Sampleuser01",
        "accountId": "111122223333",
        "userName": "Admin"
      },
      "attributes": {
        "creationDate": "2024-08-27T18:40:57Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "connect-campaigns.amazonaws.com"
  },
  "eventTime": "2024-08-27T18:46:29Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "CreateGrant",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "connect-campaigns.amazonaws.com",
  "userAgent": "connect-campaigns.amazonaws.com",
  "requestParameters": {
    "constraints": {
      "encryptionContextSubset": {
        "aws:connect:instanceId": "1234abcd-12ab-34cd-56ef-123456SAMPLE",
        "aws:accountId": "111122223333"
      }
    },
    "granteePrincipal": "arn:aws:iam::111122223333:role/aws-service-role/connect-campaigns.amazonaws.com/AWSServiceRoleForConnectCampaigns_EXAMPLE",
    "retiringPrincipal": "arn:aws:iam::111122223333:role/aws-service-role/connect-campaigns.amazonaws.com/AWSServiceRoleForConnectCampaigns_EXAMPLE",
    "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
    "operations": [
      "Decrypt",
      "Encrypt",
      "DescribeKey",
      "GenerateDataKey",
      "GenerateDataKeyWithoutPlaintext",
      "ReEncryptFrom",
      "ReEncryptTo"
    ]
  },
  "responseElements": {
    "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE",
    "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
  },
  "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "readOnly": false,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management",
  "sessionCredentialFromConsole": "true"
}
```

------
#### [ GenerateDataKeyWithoutPlaintext ]

```
{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIGDTESTANDEXAMPLE:connect-campaigns-session",
    "arn": "arn:aws:sts::111122223333:assumed-role/AWSServiceRoleForConnectCampaigns_EXAMPLE/connect-campaigns-session",
    "accountId": "111122223333",
    "accessKeyId": "AROAIGDTESTANDEXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAIGDTESTANDEXAMPLE",
        "arn": "arn:aws:iam::111122223333:role/aws-service-role/connect-campaigns.amazonaws.com/AWSServiceRoleForConnectCampaigns_EXAMPLE",
        "accountId": "111122223333",
        "userName": "AWSServiceRoleForConnectCampaigns_EXAMPLE"
      },
      "attributes": {
        "creationDate": "2024-08-27T18:46:29Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "connect-campaigns.amazonaws.com"
  },
  "eventTime": "2024-08-27T18:46:29Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKeyWithoutPlaintext",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "connect-campaigns.amazonaws.com",
  "userAgent": "connect-campaigns.amazonaws.com",
  "requestParameters": {
    "encryptionContext": {
      "aws:connect:instanceId": "1234abcd-12ab-34cd-56ef-123456SAMPLE",
      "aws:accountId": "111122223333"
    },
    "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
    "keySpec": "AES_256"
  },
  "responseElements": null,
  "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "readOnly": true,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
```

------
#### [ DescribeKey ]

```
{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIGDTESTANDEXAMPLE:connect-campaigns-session",
    "arn": "arn:aws:sts::111122223333:assumed-role/AWSServiceRoleForConnectCampaigns_EXAMPLE/connect-campaigns-session",
    "accountId": "111122223333",
    "accessKeyId": "AROAIGDTESTANDEXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAIGDTESTANDEXAMPLE",
        "arn": "arn:aws:iam::111122223333:role/aws-service-role/connect-campaigns.amazonaws.com/AWSServiceRoleForConnectCampaigns_EXAMPLE",
        "accountId": "111122223333",
        "userName": "AWSServiceRoleForConnectCampaigns_EXAMPLE"
      },
      "attributes": {
        "creationDate": "2024-08-27T18:46:29Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "connect-campaigns.amazonaws.com"
  },
  "eventTime": "2024-08-27T18:46:29Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "DescribeKey",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "connect-campaigns.amazonaws.com",
  "userAgent": "connect-campaigns.amazonaws.com",
  "requestParameters": {
    "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
    "grantTokens": [
      "EL7BPAGG-KDm8661M1pl55WcQD_9ZgFwYXN-SAMPLE"
    ]
  },
  "responseElements": null,
  "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "readOnly": true,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
```

------
#### [ Decrypt ]

```
{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AKIAIOSFODNN7EXAMPLE3",
        "arn": "arn:aws:iam::111122223333:role/Admin/Sampleuser01",
        "accountId": "111122223333",
        "userName": "Admin"
      },
      "attributes": {
        "creationDate": "2024-08-27T18:40:57Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "connect-campaigns.amazonaws.com"
  },
  "eventTime": "2024-08-27T19:09:02Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "connect-campaigns.amazonaws.com",
  "userAgent": "connect-campaigns.amazonaws.com",
  "requestParameters": {
    "encryptionContext": {
      "aws:connect:instanceId": "1234abcd-12ab-34cd-56ef-123456SAMPLE",
      "aws:accountId": "111122223333"
    },
    "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
    "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
  },
  "responseElements": null,
  "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "readOnly": true,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management",
  "sessionCredentialFromConsole": "true"
}
```

------
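Detection logic that turns the Voice ID and outbound campaigns CloudTrail samples above into an audit, as an added example that is not part of the Amazon Connect documentation: the Python below walks a list of CloudTrail records and flags KMS events that do not match the expected service use of the key: a `CreateGrant` whose `encryptionContextSubset` constraint is missing or differs from the expected context, a grant that lists operations beyond those seen in the samples, a cryptographic call whose `encryptionContext` (or source/destination context for `ReEncrypt`) names a different domain or instance, and any `invokedBy` service principal the key is not expected to serve. `EXPECTED` is filled from the page's sample domain ARN and instance ID; `SAMPLE_RECORDS` are constructed, abbreviated records modelled on the events above, and `example-other-service.amazonaws.com` and the `ffffffff-...` instance ID are constructed values.

```python
# Expected encryption context and grant operations per calling service, taken
# from the sample events above (domain ARN and instance ID are page sample
# values; substitute your own).
EXPECTED = {
    "voiceid.amazonaws.com": {
        "context": {"aws:voiceid:domain:arn":
                    "arn:aws:voiceid:us-west-2:111122223333:domain/sampleDomainId"},
        "grant_operations": {
            "CreateGrant", "Decrypt", "DescribeKey", "GenerateDataKey", "GenerateDataKeyPair",
            "GenerateDataKeyPairWithoutPlaintext", "GenerateDataKeyWithoutPlaintext",
            "ReEncryptFrom", "ReEncryptTo"},
    },
    "connect-campaigns.amazonaws.com": {
        "context": {"aws:accountId": "111122223333",
                    "aws:connect:instanceId": "1234abcd-12ab-34cd-56ef-123456SAMPLE"},
        "grant_operations": {
            "Decrypt", "Encrypt", "DescribeKey", "GenerateDataKey",
            "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo"},
    },
}

# Request fields that carry an encryption context (ReEncrypt carries two).
CONTEXT_FIELDS = ("encryptionContext", "sourceEncryptionContext", "destinationEncryptionContext")


def audit_kms_events(records):
    """Return (eventID, eventName, reason) tuples for service-initiated KMS
    events that do not look like the expected use of the key."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        caller = (rec.get("userIdentity") or {}).get("invokedBy")
        if not caller:
            continue  # direct human or role calls belong to a different rule
        name, eid = rec.get("eventName"), rec.get("eventID")
        params = rec.get("requestParameters") or {}
        expected = EXPECTED.get(caller)
        if expected is None:
            findings.append((eid, name, f"unexpected service caller {caller}"))
            continue
        if name == "CreateGrant":
            subset = (params.get("constraints") or {}).get("encryptionContextSubset")
            if subset != expected["context"]:
                findings.append((eid, name, "grant constraint missing or does not match expected context"))
            extra = set(params.get("operations", [])) - expected["grant_operations"]
            if extra:
                findings.append((eid, name, f"grant allows unexpected operations {sorted(extra)}"))
            continue
        for field in CONTEXT_FIELDS:  # DescribeKey carries none and passes through
            if field in params and params[field] != expected["context"]:
                findings.append((eid, name, f"{field} does not match expected context"))
    return findings


# Constructed, abbreviated CloudTrail records modelled on the samples above.
SAMPLE_RECORDS = [
    {"eventID": "evt-1", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "connect-campaigns.amazonaws.com"},
     "requestParameters": {
         "constraints": {"encryptionContextSubset": {
             "aws:connect:instanceId": "1234abcd-12ab-34cd-56ef-123456SAMPLE",
             "aws:accountId": "111122223333"}},
         "operations": ["Decrypt", "Encrypt", "DescribeKey", "GenerateDataKey",
                        "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo"]}},
    {"eventID": "evt-2", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AWSService", "invokedBy": "voiceid.amazonaws.com"},
     "requestParameters": {
         "encryptionContext": {"aws:voiceid:domain:arn":
                               "arn:aws:voiceid:us-west-2:111122223333:domain/sampleDomainId"},
         "encryptionAlgorithm": "SYMMETRIC_DEFAULT"}},
    # Another instance's ID in the context: this key should not be serving it.
    {"eventID": "evt-3", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "connect-campaigns.amazonaws.com"},
     "requestParameters": {"encryptionContext": {
         "aws:connect:instanceId": "ffffffff-ffff-ffff-ffff-ffffffffffff",
         "aws:accountId": "111122223333"}}},
    # A grant created with no encryption-context constraint at all.
    {"eventID": "evt-4", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "voiceid.amazonaws.com"},
     "requestParameters": {"operations": ["Decrypt", "GenerateDataKeyWithoutPlaintext"]}},
    # A service principal this key is not expected to serve (constructed name).
    {"eventID": "evt-5", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AWSService", "invokedBy": "example-other-service.amazonaws.com"},
     "requestParameters": {"encryptionContext": {"aws:accountId": "111122223333"}}},
]


if __name__ == "__main__":
    for finding in audit_kms_events(SAMPLE_RECORDS):
        print(*finding)
```

To run this over real data, load the `Records` array from a CloudTrail log file (or the rows a CloudWatch Logs query returns) and pass it to `audit_kms_events`; the grant-operation check is the one most worth tuning, since a legitimate service update can add an operation to the set it requests.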

## Forecasts, capacity plans, and schedules
<a name="forecasts-encryption-at-rest-"></a>

When you create forecasts, capacity plans, and schedules, all data is encrypted at rest using AWS owned encryption keys stored in AWS Key Management Service.

# Encryption in transit in Amazon Connect
<a name="encryption-in-transit"></a>

All data exchanged with Amazon Connect is protected in transit between the user’s web browser and Amazon Connect using industry-standard TLS encryption. [Which version of TLS?](infrastructure-security.md#supported-version-tls)

External data is additionally encrypted while being processed by AWS KMS.

When Amazon Connect integrates with AWS services, such as AWS Lambda, Amazon Kinesis, or Amazon Polly, data is always encrypted in transit using TLS.

When event data is forwarded from external applications to Amazon Connect it is always encrypted in transit using TLS.

# Key management in Amazon Connect
<a name="key-management"></a>

You can specify AWS KMS keys, including bring your own keys (BYOK), to use for envelope encryption with Amazon S3 input/output buckets.

When you associate the AWS KMS key to the S3 storage location in Amazon Connect, the API caller's permissions (or the console user's permissions) are used to create a grant on the key with the corresponding Amazon Connect instance service role as the grantee principal. For the service linked role specific to that Amazon Connect instance, the grant allows the role to use the key for encryption and decryption. For example:
+ If you call the [DisassociateInstanceStorageConfig](https://docs.aws.amazon.com/connect/latest/APIReference/API_DisassociateInstanceStorageConfig.html) API to dissociate the AWS KMS key from the S3 storage location in Amazon Connect, the grant is removed from the key. 
+ If you call the [AssociateInstanceStorageConfig](https://docs.aws.amazon.com/connect/latest/APIReference/API_AssociateInstanceStorageConfig.html) API to associate the AWS KMS key to the S3 storage location in Amazon Connect but you don't have the `kms:CreateGrant` permission, the association will fail. 

Use the [list-grants](https://awscli.amazonaws.com/v2/documentation/api/2.0.34/reference/kms/list-grants.html) CLI command to list all grants for the specified customer managed key.

For information about AWS KMS keys see [What is AWS Key Management Service?](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) in the *AWS Key Management Service Developer Guide*.

## Connect AI agents
<a name="key-management-qic"></a>

Connect AI agents stores knowledge documents that are encrypted at rest in S3 using a BYOK or a service-owned key. The knowledge documents are encrypted at rest in Amazon OpenSearch Service using a service-owned key. Connect AI agents stores agent queries and call transcripts using a BYOK or a service-owned key.

The knowledge documents used by Connect AI agents are encrypted by an AWS KMS key. 

## Amazon AppIntegrations
<a name="key-management-appinteg"></a>

Amazon AppIntegrations doesn't support BYOK for encryption of configuration data. When syncing external application data periodically, you are required to bring your own key (BYOK). Amazon AppIntegrations requires a grant to use your customer managed key. When you create a data integration, Amazon AppIntegrations sends a `CreateGrant` request to AWS KMS on your behalf. You can revoke access to the grant, or remove the service's access to the customer managed key, at any time. If you do, Amazon AppIntegrations won't be able to access any of the data encrypted by the customer managed key, which affects Amazon Connect services that depend on that data.

## Customer Profiles
<a name="key-management-profiles"></a>

For Customer Profiles, you can specify AWS KMS keys to use for encrypting your data. If you don't specify a customer managed key, Amazon Connect Customer Profiles provides encryption by default for your data at rest using an AWS-owned encryption key.

Before you turn on Data Store for a new or existing domain, you must configure an AWS KMS key.

You can also define individual KMS keys for your Object Types. When encrypting customer data, we use the Object Type KMS key if present. Otherwise, we use the domain's KMS key.

After you enable Data Vault, you can't update KMS keys for your domain or Object Types. While you can create new Object Types with new keys, you can't modify existing key settings.

## Voice ID
<a name="key-management-voiceid"></a>

To use Amazon Connect Voice ID, you must provide a customer managed KMS key (BYOK) when creating an Amazon Connect Voice ID domain. This key is used to encrypt all customer data at rest. 

## Outbound campaigns
<a name="key-management-outboundcampaigns"></a>

Outbound campaigns encrypts all sensitive data using an AWS owned key or a customer managed key. Because the customer managed key is created, owned, and managed by you, you have full control over it (AWS KMS charges apply).

# Amazon Connect and interface VPC endpoints (AWS PrivateLink)
<a name="vpc-interface-endpoints"></a>

You can establish a private connection between your VPC and a subset of endpoints in Amazon Connect by creating an interface VPC endpoint. Following are the supported endpoints:
+ Amazon AppIntegrations
+ Customer Profiles
+ Outbound campaigns
+ Voice ID
+ Connect AI agents
+ Amazon Connect Service

Interface endpoints are powered by [AWS PrivateLink](https://aws.amazon.com/privatelink), a technology that enables you to privately access Amazon Connect APIs without an internet gateway, NAT device, VPN connection, or Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with the Amazon Connect APIs that integrate with AWS PrivateLink.

For more information, see the [AWS PrivateLink Guide](https://docs.aws.amazon.com/vpc/latest/privatelink/).

## Creating an interface VPC endpoint for Amazon Connect
<a name="vpc-endpoint-create"></a>

You can create an interface endpoint using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see [Create an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) in the *AWS PrivateLink Guide*.

Amazon Connect supports the following service names:
+ com.amazonaws.*region*.app-integrations
+ com.amazonaws.*region*.cases
+ com.amazonaws.*region*.profile
+ com.amazonaws.*region*.connect-campaigns
+ com.amazonaws.*region*.voiceid
+ com.amazonaws.*region*.wisdom (This is for Connect AI agents.)
+ com.amazonaws.*region*.connect
+ com.amazonaws.*region*.connect-fips (This is for creating an endpoint for Amazon Connect Service that complies with the Federal Information Processing Standard (FIPS).)

If you enable private DNS for an interface endpoint, you can make API requests to Amazon Connect using the default DNS name for the Region. For example, voiceid.us-east-1.amazonaws.com. For more information, see [DNS hostnames](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html#interface-endpoint-dns-hostnames) in the *AWS PrivateLink Guide*.

## Creating a VPC endpoint policy
<a name="vpc-endpoint-policy"></a>

You can attach an endpoint policy to your VPC endpoint that controls access. The policy specifies the following information:
+ The principal that can perform actions.
+ The actions that can be performed.
+ The resources on which actions can be performed.

For more information, see [Control access to services using endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) in the *AWS PrivateLink Guide*.

### Example: VPC endpoint policy
<a name="example-vpc-interface-endpoints"></a>

The following VPC endpoint policy grants access to the listed Amazon Connect Voice ID actions for all principals on all resources. 

```
{
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "voiceid:CreateDomain",
                "voiceid:EvaluateSession",
                "voiceid:ListSpeakers"
            ],
            "Resource":"*",
            "Principal":"*"
        }
    ]
}
```

Following is another example. In this one, the VPC endpoint policy grants access to the listed outbound campaigns actions for all principals on all resources. 

```
{
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "connect-campaigns:CreateCampaign",
                "connect-campaigns:DeleteCampaign",
                "connect-campaigns:ListCampaigns"
            ],
            "Resource":"*",
            "Principal":"*"
        }
    ]
}
```
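Both example policies above allow `"Principal":"*"`, so any caller that can reach the endpoint may use the listed actions. The following added Python check (not part of the AWS documentation) reviews an endpoint policy for that pattern and for actions that do not belong to the endpoint's service, and shows the Voice ID policy from above beside a hardened variant that limits callers to one organization via the `aws:PrincipalOrgID` condition key. The org ID `o-EXAMPLEORGID` is a placeholder.

```python
import json

# The Voice ID endpoint policy shown in the documentation above.
OPEN_POLICY = json.loads("""{"Statement":[{"Effect":"Allow",
  "Action":["voiceid:CreateDomain","voiceid:EvaluateSession","voiceid:ListSpeakers"],
  "Resource":"*","Principal":"*"}]}""")

# Constructed hardened variant: same actions, but only principals that belong to
# the organization with the placeholder ID below may call them through this endpoint.
HARDENED_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["voiceid:CreateDomain", "voiceid:EvaluateSession", "voiceid:ListSpeakers"],
        "Resource": "*",
        "Principal": "*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-EXAMPLEORGID"}},
    }]
}

# Global condition keys that scope an anonymous ("*") principal to known callers.
PRINCIPAL_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn"}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def review_endpoint_policy(policy, service_prefix):
    """Return a list of findings for a policy attached to a `service_prefix` endpoint
    (e.g. "voiceid" for com.amazonaws.<region>.voiceid). An empty list means no findings."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        condition_keys = {key for operator in stmt.get("Condition", {}).values() for key in operator}
        principal = stmt.get("Principal")
        if principal in ("*", {"AWS": "*"}) and not condition_keys & PRINCIPAL_KEYS:
            findings.append(f"stmt {i}: anonymous principal with no principal condition")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(f"stmt {i}: wildcard action")
            elif not action.startswith(service_prefix + ":"):
                findings.append(f"stmt {i}: action {action} is not served by the {service_prefix} endpoint")
    return findings


if __name__ == "__main__":
    print(review_endpoint_policy(OPEN_POLICY, "voiceid"))      # one finding: open principal
    print(review_endpoint_policy(HARDENED_POLICY, "voiceid"))  # []
```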

# Amazon Connect Service Improvement and how to opt out from using your data for service improvement
<a name="data-opt-out"></a>

When you enable Amazon Connect, we may use Your Content processed by Amazon Connect to develop and improve your experience.

Benefits to allowing AWS to use Your Content for service improvement:

By making Your Content available to improve Amazon Connect, you help us innovate faster, customize features to meet your needs, and deliver better support. More specifically, this enables us to enhance the service to:
+ Deliver smarter capabilities faster - improve Connect based on your real-world usage patterns and specific requirements
+ Prevent problems proactively - identify and address issues before they impact your experience and business outcomes
+ Resolve issues faster - diagnose and fix problems that arise more quickly

All this helps Amazon Connect partner with you to continuously improve your business performance.

When the following Amazon Connect features are enabled, we can use Your Content to develop and improve your experience. These feature-level opt-outs will be discontinued on March 31, 2026: 
+ **Amazon Connect Contact Lens**
+ **Amazon Connect Customer Profiles**
+ **Amazon Connect forecasting, capacity planning, and scheduling**
+ **Outbound campaigns**
+ **Connect AI agents**

Only Amazon employees will have access to the data. Your trust, privacy, and the security of Your Content are our highest priority, and we ensure that our use complies with our commitments to you. For more information, see [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/).

You can always choose to opt out of having your data used to develop and improve Amazon Connect by using an AWS Organizations opt-out policy. For information about how to opt out, see [AI services opt-out policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html) in the *AWS Organizations User Guide*. 

To check your opt-out status, review the opt-out policy configured by your organization. For the policy syntax and examples, see [AI services opt-out policy syntax and examples](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out_syntax.html#ai-opt-out-policy-syntax-reference) in the *AWS Organizations User Guide*.

**Note**  
For you to use the opt-out policy, your AWS accounts must be centrally managed by AWS Organizations. If you haven't already created an organization for your AWS accounts, see [Creating and managing an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org) in the *AWS Organizations User Guide*.

Opting out results in:
+ No use of your data by AWS for service improvement.