Amazon Connect Integration - Manual

This is a guide for integrating an Amazon Connect Instance with eMite. This involves the deployment of several additional components on your AWS Cloud, such as Kinesis streams and elasticsearch.

This guide assumes all components will be deployed in the same region as the Amazon Connect instance, and also all under the same AWS Account.

Components Overview

IAM Policies/Roles
- A policy will be created to allow read access to Kinesis Stream and Amazon Connect
- Policies will be attached to an IAM Role that eMite will use to get data from Streams and Amazon Connect
  - If the eMite server will be deployed on your AWS Account, this role will be attached to the EC2 server directly
  - If not, eMite team will assume the IAM Role via AWS Security Token Service (STS)
Kinesis Stream
- Amazon Connect will be configured to send Agent Events and CTR data to streams
AWS Elasticsearch Service
- Stores Contact Trace Record data, as well as queue observations and queue metrics/history data.
Application Load Balancer

eMite Server deployment (If self-hosted)

*Note: Please skip this section if eMite server will not be deployed on your AWS cloud.

EC2 Instance Details
- AMI: Microsoft Windows Server 2016 Base
- Instance Size: r5.large
  - Note: larger instance size may be needed depending on factors such as the number of agents or concurrent active dashboards. You can also increase the instance size later via AWS Console.
- Subnet: Assign the server to a public subnet
- Auto-Assign Public IP: disable
- Storage: At least 100GB
- Security Group Settings:
  - RDP – to allow us access to the servers for eMite installation/configuration
    - Your Office IP
    - eMite Office IPs:
      - 60.241.25.74/32
      - 54.79.101.24/32
      - 13.238.169.116/32
    - Note: If your security policy does not allow direct external RDP access, our team can work with you through your preferred remote access solution (e.g. VPN, Webex Remote session, etc.)
  - HTTP/HTTPS – 0.0.0.0/0
- After launch, create an Elastic IP and attach it to the EC2 server
  - This will be referred to as eMite server external IP
Additional prerequisites after server is launched:
- Local administrator account access for eMite team – to be used for installation/configuration
  - Note: If your security policy does not allow direct external RDP access, we do have a silent installation option that installs eMite and all its prerequisite software such as SQL Server. Please contact our team at support@prophecyinternational.com to discuss further.

Application Load Balancer (If self-hosted, optional)

*Note: Please skip this section if eMite server will not be deployed on your AWS cloud.

Frontend for the eMite EC2 Server. Can serve HTTPS certificates via AWS ACM or IAM (upload own certificate).

Please ensure that the AWS Domain is created on the same region used for AWS Connect.

AWS Elasticsearch Service

Stores Contact Trace Record data, as well as queue observations and queue metrics/history data.

Please ensure that the AWS Domain is created on the same region used for AWS Connect.

Create AWS Domain on the same region used for AWS Connect
- Open the AWS Console, go to the same region used for AWS Connect
- Open up Elasticsearch Service from the Service tab
- Click Create New Domain
Choose a Deployment Type

Deployment Type: Custom
Version: 6.3

Configure Cluster
- Domain Name: emite-kinesis-connect
  - You can use a custom name if you prefer.
  - For this guide, we'll use emite-kinesis-connect as example
- Data Instances:
  - 1-AZ
  - Instance Type: m5.large
  - Number of instances: 1
- Dedicated Master Instances: Disabled
- Storage:
  - Type: EBS
  - Volume Type: SSD
  - EBS Storage Size: 50GB
- Leave the other options as is, click next
- Set Up Access
  - Network Configuration: Public Access
  - Domain access policy: Custom access policy
    - IPv4 address (example 1.2.3.4)
  - Add the eMite External IP
    - Note: If eMite EC2 server will not be deployed on your account - this external IP will be provided by eMite team
    - *For AWS Marketplace customers, you can get this value from the Manual setup section of the onboarding page:
  - Configure Encryption settings - enable all encryption and select your preferred master key
Click Next to review and Launch the Elasticsearch Domain
- It will take some time to finish launching the domain.

Kinesis Stream setup

Please ensure that the Kinesis Streams are created on the same region used for AWS Connect.

Agent Events Stream

Open the AWS Console, go to the same region used for AWS Connect
Go to Kinesis Service.
- If this is your first time using Kinesis on this region, click Get Started
Click Create data stream:
Kinesis stream name: connect-agentevents
- Shards: 1
Click Create Stream
- Go back to Dashboard, you should now see connect-agentevents under Kinesis data streams
After the stream is created go to the Configuration tab
- Under Encryption, click Edit
- Enable server-side encryption, use your preferred keys
- Click save changes
Go to Configuration tab
- Under Data Retention, click Edit
- Select custom retention - 60 days

CTR Stream

Open the AWS Console, go to the same region used for AWS Connect
Go to Kinesis Service.
Click Create data stream.
Kinesis stream name: connect-ctr
- Shards: 1
Click Create Stream
- Go back to Dashboard, you should now see connect-ctr under Kinesis data streams
After the stream is created go to the Configuration tab
- Under Encryption, click Edit
- Enable server-side encryption, use your preferred keys
- Click save changes
Go to Configuration tab
- Under Data Retention, click Edit
- Select custom retention - 60 days

IAM Policy/Role Setup

Policies will be used to allow read access to Kinesis Stream and Amazon Connect. These policies will then be attached to an IAM Role that eMite will use to get data from Streams and Amazon Connect.

Policy allowing access to the Kinesis Stream, and the Amazon Connect instance

Open AWS Console, go to IAM under the services tab
Policy Creation:
- Go to Policies > Create Policy
- Go to the JSON tab
- Copy the below policy document:
  {
  "Version": "2012-10-17",
  "Statement": [
  {
  "Action": [
  "kinesis:GetShardIterator",
  "kinesis:GetRecords",
  "kinesis:DescribeStream",
  "kinesis:ListTagsForStream"
  ],
  "Resource": [
  "AgentEventsKinesisARN","CTRKinesisARN"
  ],
  "Effect": "Allow",
  "Sid": "AllowReadKinesis1"
  },
  {
  "Action": "kinesis:DescribeLimits",
  "Resource": "*",
  "Effect": "Allow",
  "Sid": "AllowReadKinesis2"
  },
  {
  "Action": [
  "connect:Get*",
  "connect:Describe*",
  "connect:List*"
  ],
  "Resource": [
  "AmazonConnectInstanceARN","AmazonConnectInstanceARN/*"
  ],
  "Effect": "Allow",
  "Sid": "AllowReadAmazonConnect1"
  },
  {
  "Sid": "AllowReadAmazonConnect2",
  "Effect": "Allow",
  "Action": "ds:DescribeDirectories",
  "Resource": "*"
  },
  {
  "Action": "connect:GetFederationTokens",
  "Resource": "*",
  "Effect": "Deny",
  "Sid": "DenyFederationTokens"
  }
  ]
  }
- Replace AgentEventsKinesisARN with the ARN of the Agent Events Kinesis Stream created in the previous section
  - To view the ARN, open a new console window and go to Kinesis > select the stream under Kinesis data streams (connect-agentevents in this example)
    - On the Details tab, copy the Stream ARN
- Replace CTRKinesisARN with the ARN of the CTR Kinesis Stream created in the previous section
  - To view the ARN, open a new console window and go to Kinesis > select the stream under Kinesis data streams (connect-ctr in this example)
    - On the Details tab, copy the Stream ARN
- Replace AmazonConnectInstanceARN with ARN of the Amazon Connect instance
  - To view the ARN, open a new console window and go to Amazon Connnect > select your Amazon Connect instance
    - On the overview tab, copy the Instance ARN
- Click Review Policy
- Policy Name: emite-role-policy
- Click Create Policy

If the environment will be using Contact Lens data

Policy allowing access to S3 bucket with Contact Lens data

Policy Creation:
- Go to Policies > Create Policy
- Go to the JSON tab
- Copy the below policy document:
  {
  "Version": "2012-10-17",
  "Statement": [
  {
  "Action": [
  "s3:GetObject",
  "s3:ListBucket"
  ],
  "Resource": [
  "ConnectS3BucketARN",
  "ConnectS3BucketARN/Analysis/Voice/*"
  ],
  "Effect": "Allow",
  "Sid": "AllowGetContactLensData"
  },
  {
  "Action": [
  "kms:DescribeKey",
  "kms:GenerateDataKey",
  "kms:Decrypt"
  ],
  "Resource": [
  "ConnectS3BucketKmsArn"
  ],
  "Effect": "Allow",
  "Sid": "AllowDecryptContactLensData"
  }
  ]
  }
- Replace ConnectS3BucketARN with the ARN of the Bucket used to store Contact Lens data
  - Open a new console window and go to Amazon Connnect > select your Amazon Connect instance
    - Go to Data Storage > Edit Call Recordings
    - You should see the S3 bucket name:
  - Open a new console window and go to S3
    - Search and open the bucket name in the previous step
    - Go to properties tab, copy the Bucket ARN

Replace ConnectS3BucketKmsArn with the ARN of the S3 Encryption key used for Contact Lens Data
- Open a new console window and go to Amazon Connnect > select your Amazon Connect instance
  - Go to Data Storage > Edit Call Recordings
  - Copy the ARN of the Encryption Key
Click Review Policy
Policy Name: emite-role-policy-contactlens
Click Create Policy

IAM Role setup

Go to Roles > Create Role
- Select Type of entity: AWS Service
- Service that will use the role: EC2
- Permissions:
  - Select emite-role-policy
  - IF also using ContactLens data:
    - Also select emite-role-policy-contactlens
- You can skip adding tags
- Review:
  - Role Name: emite-role
  - Role Description: Role for eMite EC2 server
  - Click Create Role

Increase Maximum CLI/API session time:

Go to Roles
- Click the emite-role
- Click Edit beside the Maximum CLI/API session duration
- Set the duration to 12 hours then click Save changes:
The setting affects the amount of time for each session that uses a set of API keys provided by the IAM role.
- For the Kinesis adapter in particular, each time the session expires, the adapter will poll back some data to establish agent activity.
- Shorter session times would put more load on the adapter, and adds overhead.

If eMite EC2 to be deployed in your AWS account:

Attach Role to EC2

Go to EC2 > Instances
- Right-click the eMite EC2 instance, select Instance Settings > Attach/Replace IAM Role
- Choose the emite-role role, click Apply

If eMite EC2 will not be deployed in your AWS account:

Edit Trust Relationship on emite-role

Trust relationship will be modified to allow assume role from eMite AWS
Go to Roles
- Click the emite-role
- Under the Trust Relationship tab, click Edit Trust Relationship
- This will load a policy document

Modify Trust Relationship document
- Replace the contents with the policy document below:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::EmiteAccountID:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "CustomerID"
}
}
}
]
}

Replace EmiteAccountID with eMite Account ID sent to you by eMite team
Replace CustomerID with Customer ID sent to you by eMIte team
*For AWS Marketplace customers, you can get these values from the Manual setup section of the onboarding page:
Click Update Trust Policy

Enable Amazon Connect Data Streaming

Now that the Kinesis Stream and Firehose have been setup, we can now

Go to Amazon Connnect > select your Amazon Connect instance
Go to Data Streaming
- Tick Enable data streaming
- Contact Trace Records
  - Select Kinesis Strea
  - Select connect-ctr
- Agent Events
  - Select Kinesis Stream
  - Select connect-agentevents

(Optional) - Add eMite to Application Integration

This step is optional for integrating Amazon Connect Chat with eMite.

To enable this, you would need to add the domain of the eMite server to the list of approved origins

Go to Amazon Connnect > select your Amazon Connect instance
Go to Application Integration
- Click Add Origin
- You will be prompted to add a specific origin URL

If eMite EC2 to be deployed in your AWS account:

Input the access URL of the eMite application
E.g. https://emite.yourcompanydomain.com

If eMite EC2 will not be deployed in your AWS account:

Input the access URL depending on your region:
- US East region: https://useast-cloud.emite.com
- US West region: https://uswest-cloud.emite.com
- Asia Pacific (Sydney): https://au-cloud.emite.com
- Asia Pacific (Tokyo): https://jp-cloud.emite.com
- EU Frankfurt: https://eucentral-cloud.emite.com

Send to eMite team

Please send the below data to eMite team:

eMite EC2 details (only if server will be deployed on your AWS account)
- eMite EC2 external IP
- RDP credentials
EmiteRole ARN
- Go to IAM Roles
  - Click the emite-role role
  - Copy the Role ARN
Amazon Connect Instance ARN
- Go to Amazon Connnect > select your Amazon Connect instance
- On the overview tab, copy the Instance ARN
AgentEvents Kinesis Stream ARN
- To view the ARN, open a new console window and go to Kinesis > select the stream under Kinesis data streams (connect-agentevents in this example)
- On the Details tab, copy the Stream ARN
CTR Kinesis Stream ARN
- To view the ARN, open a new console window and go to Kinesis > select the stream under Kinesis data streams (connect-ctr in this example)
- On the Details tab, copy the Stream ARN
Elasticsearch Endpoint URL
- Go to Elasticsearch > emite-kinesis-connect domain
- Copy the Endpoint

Preferred Time Zone
- Please send us your preferred timezone in IANA format
- Common Timezones
  - Australia/Sydney
  - Europe/Dublin
  - Europe/Berlin
  - Asia/Tokyo
  - America/New_York
  - America/Los_Angeles
- Additional Timezones can be found here:
  - https://timezonedb.com/time-zones