AWS Contact Center
Creating a Secure Emergency Outage Message in Amazon Connect
In the contact center space, there is often a need for management to invoke a temporary message that is situationally driven. Common use cases could be weather-related closures, fire alarms, or other facility issues. During these incidents contact center management wants to enable customers to hear up to date information on extended wait times and offer additional options outside of your call queue. With Amazon Connect, you can build a feature that enables Administrators to activate temporary routing changes securely.
Many customers want an easy way to set up these messages, without requiring them to be in front of their computer. They also want this to be protected from unauthorised use. Simplicity and security are the key to making this scenario successful, and in this blog, we will explore two-factor authentication for your flow. This helps ensure that only authorised people can set the call center in and out of an emergency state.
In this example, we have set up three lines of business that all have their own call center across the globe. This scenario has been written so that you can take offline one specific call center, while keeping the others intact.
Overview of solution
Architecture for admin verification by one-time PIN
In the preceding architecture, Amazon Connect checks the ANI (calling number) of the administrator caller using a Check contact attribute block. If the ANI is in the list, an AWS Lambda function is invoked to generate a random PIN number. This number gets passed to Amazon Pinpoint to be sent as an SMS. The administrator has 30 seconds to enter the PIN. If the PIN matches the PIN sent by Amazon Pinpoint, the admin is considered validated, and the call proceeds to the next flow.
Architecture for update emergency
In the Amazon Connect contact flow, the administrator selects the location of the contact center they want to modify from the IVR menu. An AWS Lambda queries the Emergency database for the emergency status for that location. The admin then is prompted with an option to set or remove the emergency, which triggers another Lambda to write the following to the Emergency database to track who made the last change:
- Contact center location
- Emergency enabled setting
- Emergency Type (from the pre-configured list)
- Time of the update
- ANI of the administrator.
Walkthrough
Prerequisites
- For this walkthrough, you should have the following prerequisites:
- An AWS account
- An Amazon Connect contact center instance
- A basic understanding of AWS CloudFormation
- A basic understanding of Amazon Pinpoint
- A basic understanding of Amazon DynamoDB
- A basic understanding of AWS Lambda
Create Amazon Pinpoint using AWS CloudFormation
We use an AWS CloudFormation template to programmatically create the Amazon Pinpoint configuration and the SMS Channel to be used to deliver the one-time PIN to the admin’s mobile number.
- Log in to your AWS Management Console.
- Confirm that the AWS Region selected has the Amazon Pinpoint service available.
- Click on the “Launch Stack” button below to create a stack called “EmergencyOutagePinpoint“.
- On the AWS CloudFormation page, modify the stack name if you prefer a different one. If you do change the stack name, the text in this document referencing the EmergencyOutagePinpoint stack can be replaced by your chosen stack name.
- Change the PinpointProjectName to be your Amazon Pinpoint project name. We have set the default to One Time PIN.
- Click Create stack.
- Click on the Resources tab of the CloudFormation stack, and copy the Physical ID of the SMS resource for the next steps.
Create AWS Lambda functions and Amazon DynamoDB table using AWS CloudFormation
We use this template to create the IAM roles, AWS Lambda functions, and a DynamoDB (Emergency Database) table needed for our solution. The AWS Lambda functions (OneTimePin, UpdateEmergency, CheckEmergency) are used to read, write, or delete emergency settings and other information in a DynamoDB table. The IAM roles allow the AWS Lambda functions to have read, write, or delete access to the Emergency DynamoDB table and access to the Amazon CloudWatch Logs.
- Click on the second “Launch Stack” button below to create a stack called ‘EmergencyOutage’.
- On the AWS CloudFormation page, modify the stack name if you prefer a different one. If you do change the stack name, the text in this document referencing the EmergencyOutage stack can be replaced by your chosen stack name.
- Set the AWSRegion to be the Region in which you deployed the prior Pinpoint stack.
- To follow security best practices, change the ConnectInstanceId to be your Amazon Connect instance ID. However, if you choose to deploy this CloudFormation stack for several Amazon Connect instances, set this value to *.
- Set the PINLength to be the number of digits you wish the PIN to be, from four to eight digits long.
- Paste in the Physical ID from the Pinpoint stack to be the PinpointProjectId.
- Set the SenderId the name displayed on the receiving SMS messages.
Note: Not all countries support the Sender ID, a complete list is found here.
- Read and acknowledge all warnings by checking all three check boxes.
- Choose Create stack.
Grant Amazon Connect permission to execute the AWS Lambda function
These steps grant the Amazon Connect instance permission to invoke the AWS Lambda functions created previously. For additional information, see the Amazon Connect Administrator guide.
- In the Amazon Connect administration console, choose Contact Flows and scroll to the bottom of the page to the AWS Lambda section.
- From the Function drop-down menu, select the CheckEmergency function created by the AWS CloudFormation steps earlier
- Click on + Add AWS Lambda Function, as shown in the following screenshot:
- Repeat step 2 and 3 to add the UpdateEmergency and OneTimePIN functions.
Import the Amazon Connect emergency update placeholder contact flow
These next steps give a placeholder flow we can publish for upcoming configuration steps. It is needed because we cannot transfer to a contact flow that has not yet been published.
- Download the pre-built contact flow called Emergency_Update_Placeholder.
- Log in to your Amazon Connect console.
- On the left side of the Amazon Connect console, select Routing -> Contact Flows.
- Click the Create contact flow button at the top right.
- Click the drop-down at the top right and select Import Flow.
- Click the Select button and select the downloaded Emergency_Update_Placeholder file from step 1.
- Save and Publish your contact flow.
Import the Amazon Connect emergency demo contact flow
These next steps give a demo flow we can publish for the customers or callers to dial in. This allows for demonstrating normal and emergency operation. This would be the published number for your contact center. This contact flow could later be customized (not covered in this blog) to play longer wait times for fire alarms, offer a callback to the caller, or re-queue the call to another location.
- Download the pre-built contact flow called Emergency_Demo.
- Log in to your Amazon Connect console.
- On the left side of the Amazon Connect console, select Routing -> Contact Flows.
- Click the Create contact flow button at the top right.
- Click the drop-down at the top-right and select Import Flow.
- Click the Select button and select the downloaded Emergency_Demo file from step 1.
- Click on the header for the next “Invoke AWS Lambda function” block and select the CheckEmergency function from the dropdown list, or enter the ARN for the CheckEmergency AWS Lambda function.
- Save and Publish your contact flow.
Import and configure the Amazon Connect emergency authentication contact flow
- Download the pre-built contact flow called Emergency_Authentication.
- Log in to your Amazon Connect console.
- On the left side of the Amazon Connect console, select Routing -> Contact Flows.
- Click the Create contact flow button at the top right.
- Click the drop-down at the top-right and select Import Flow.
- Click the Select button and select the downloaded EmergencyAuthentication file from step 1.
- Configure the Check contact attribute block.
- Enter the mobile phone number for each admin who can administer the system. Phone numbers should be in E.164 format (e.g. +15555551212). You can add multiple numbers by adding additional Conditions to check.
- Click on the header for the next “Invoke AWS Lambda function” block and select the OneTimePIN function from the dropdown list, or enter the ARN for the OneTimePIN AWS Lambda function.
- Save and Publish your contact flow.
Import and configure the Amazon Connect emergency update contact flow
In this contact flow, we set up the locations. These locations would be where you physically have your agents. In this scenario, we have used Singapore, Manila, and Sydney.
- Download the pre-built contact flow called Emergency_Update.
- Open the Emergency_Update flow we had imported as a placeholder.
- Click the drop-down at the top-right and select Import Flow.
- Click the Select button and select the downloaded “Emergency_Update” file from step 1.
- Click on the header for the first “Invoke AWS Lambda function” block and select the CheckEmergency function from the dropdown list, or enter the ARN for the CheckEmergency AWS Lambda function.
- Click on the header for the next “Invoke AWS Lambda function” block and select the UpdateEmergency function from the dropdown list, or enter the ARN for the UpdateEmergency AWS Lambda function.
- To add / remove or modify contact center locations, update the Get customer input block with the desired options.
- Add or modify additional Set contact attributes for that location (Center = Location Name)
- To update the Emergency Type, edit the Get customer input block to change the message and / or modify the options.
- Add or remove the Set contact attributes as needed with EmergencyType and EmergencyAction. The valid values for the EmergencyAction are set or remove.
- Save and Publish your contact flow.
Associate a Phone Number with your Emergency_Authentication Contact Flow for administrator use
- In your Amazon Connect console, choose the Routing icon from the navigation bar, and select Phone numbers.
- Associate a phone number with Emergency_Authentication contact flow from the Contact flow/ IVR drop-down menu
- Choose Save.
Associate a phone number with your Emergency_Demo contact flow for customer use
- In your Amazon Connect console, choose the Routing icon from the navigation bar, and select Phone numbers.
- Associate a phone number with Emergency_Demo contact flow from the Contact flow/ IVR drop-down menu.
- Choose Save.
Note: If this solution is a demo, having the additional number incurs additional charges.
Testing the solution – Admin portion
Now that we have the setup ready, let’s test the solution:
- Call into the Emergency_Authentication phone number you assigned previously using a phone not listed in the Check contact attributes. Notice you are told to call back using your designated phone.
- Call into the Emergency_Authentication phone number you assigned previously using a landline phone that is listed in the Check contact attributes. Notice you are told the admin phone number configured is not a mobile phone, and to fix it and try again.
- Call into the Emergency_Authentication phone number you assigned previously using a mobile that was listed in the Check contact attributes.
- When prompted for the one-time PIN, enter the OTP that was sent to the mobile phone.
- Select the location of your contact center from the IVR. If this is the first time setting that location up, you are told the location has not been set up yet.
- Select the option to check a different call center, the previous message is played.
- Select the option remove an emergency. The Emergency table is updated with Emergency to be false and EmergencyType to be No Emergency.
- Select the option set the emergency, the Emergency table will be updated with Emergency to be true and EmergencyType to be your emergency type.
Testing the solution – Customer portion
Once each of the different scenarios has been set call your main call flow to test the options from a customer perspective.
- When the contact center is in normal operation, dial into the Emergency_Demo flow using the phone number configured earlier.
- When the contact center is in emergency operation, dial into the Emergency_Demo flow using the phone number configured earlier.
Cleaning up
To avoid incurring future charges, delete the additional phone number if not required.
Conclusion
In this blog post, we implemented a solution that provides a secure way to enable an emergency outage flow. This solution provided the following features:
- Limits access to pre-approved callers only
- Further secures it with a one-time PIN sent using Amazon Pinpoint.
- Gives Administrators the ability to set emergency status remotely from the convenience of their pre-registered mobile phone.
- Supporting for multiple contact center locations.
- Option to turn on or off the emergency setting, with different emergency types.
In the basic demo flow, we simply state the emergency, however you can enhance the solution by adding different scenarios based on your company requirements.
If you want to learn more about other best practices for Amazon Connect, check out our blog channel.