Allow only AWS connect agents access to a REST API through API Gateway.

Question

Hello experts,

We are extending the connect CCP for adding the resume/pause feature as mentioned in  [this](https://aws.amazon.com/blogs/contact-center/pausing-and-resuming-call-recordings-with-a-new-api-in-amazon-connect/)  blogpost.

Now we want to secure the rest api in a way that only AWS connect agent can invoke it for the call/contact they are handling.

We know API gateways offer several mechanism for securing the access to rest api but none of them seems to fulfil the above requirement.
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html

Seeking gaudiness, what should be the best practice for dealing with this type of scenario?

Answer

I would recommend deploying client side SSL certificate https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html to be distributed to valid agent with expiration/rotation.

Answer

I would look into IAM permission section for rest api: https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html

Answer

You will need to create an agent state dynamodb table that is populated from the Agent Event Stream. The agent state table will keep track of the agents active contact. Create an API gateway with Lambda backend that queries the agent state table when a pause\resume event is sent from the custom ccp to validate the agent is on the current contact.

Allow only AWS connect agents access to a REST API through API Gateway.

Relevant content