How to Encrypt Sensitive Caller Voice Inputs in Amazon Lex

In the telecommunications sector, it’s imperative to safeguard sensitive authentication and user information often collected via mobile voice and keypad inputs. As voice-driven interactive voice response (IVR) systems become increasingly prevalent, there is a critical need for solutions that protect user data gathered from these voice inputs. This blog post outlines a method to secure a caller’s sensitive voice data captured through Amazon Lex, utilizing data encryption via AWS Lambda functions. The approach detailed here helps shield customer information received through voice channels from unauthorized access. Additionally, it includes decryption capabilities, allowing authorized administrators or operators to access decrypted user data via the Lambda console.

Solution Overview

To illustrate the IVR solution presented in this post, consider a scenario where a caller verbally inputs two sensitive data points (credit card number and zip code) through an Amazon Connect contact flow. These spoken values are encrypted and returned to the contact flow for storage in contact attributes. The ciphertext is kept as a contact attribute for future decryption. Amazon CloudWatch Logs is enabled within the contact flow, and because the flow only ever receives the encrypted values, only encrypted values are logged in the log streams.

For this solution, conversation logs for the Amazon Lex bot are disabled. Operators with the requisite AWS Identity and Access Management (IAM) permissions can monitor the logged encrypted entries via CloudWatch Logs. For additional information, refer to Working with log groups and log streams in the Amazon CloudWatch Logs User Guide.

Solution Architecture

The architecture of the solution is illustrated in Figure 1 below.

Figure 1: Example of Solution Architecture

The diagram outlines key steps in the solution, with numbered labels indicating the following actions:

  1. A caller initiates an inbound call.
  2. An Amazon Connect contact flow utilizes a Get customer input block, supported by an Amazon Lex bot, to request numerical data from the caller.
  3. The Amazon Lex bot triggers the Lambda function named dev-encryption-core-EncryptFn.
  4. This Lambda function employs the AWS Encryption SDK to encrypt the caller’s plaintext data.
  5. The AWS Encryption SDK retrieves encryption keys from AWS Key Management Service (AWS KMS).
  6. The caller’s data gets encrypted using the AWS KMS keys.
  7. The Lambda function appends the encrypted data to the session attributes of the Amazon Lex bot.
  8. Finally, Amazon Lex sends the fully encrypted data back to Amazon Connect.
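
The following sketch of steps 3 through 8 is an added example, not code from the solution's repository. It swaps a local AES-256-GCM key in for the AWS Encryption SDK and AWS KMS so that it runs offline; the intent name, slot names, the encrypted_ attribute prefix, and the use of the slot name as authenticated context are assumptions.

```javascript
const crypto = require('node:crypto');

// Stand-in for the AWS Encryption SDK and its KMS keyring so this runs offline.
// Assumption: in the deployed function the data key comes from AWS KMS.
const LOCAL_KEY = crypto.randomBytes(32); // constructed demo key

function encryptValue(plaintext, context) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', LOCAL_KEY, iv);
  cipher.setAAD(Buffer.from(JSON.stringify(context))); // bind ciphertext to its slot
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

function decryptValue(blob, context) {
  const raw = Buffer.from(blob, 'base64'); // layout: 12-byte IV, 16-byte tag, body
  const decipher = crypto.createDecipheriv('aes-256-gcm', LOCAL_KEY, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(JSON.stringify(context)));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Lex (Classic) passes the recognized values in event.currentIntent.slots.
function buildLexResponse(event) {
  const slots = event.currentIntent.slots || {};
  const sessionAttributes = { ...(event.sessionAttributes || {}) };
  for (const [slot, value] of Object.entries(slots)) {
    if (value == null) continue; // slot not filled yet
    sessionAttributes[`encrypted_${slot}`] = encryptValue(String(value), { slot });
  }
  // Log slot names only, never the event, which still holds the plaintext.
  console.log('slots seen:', Object.keys(slots));
  return {
    sessionAttributes, // only ciphertext travels back to Amazon Connect
    dialogAction: { type: 'Close', fulfillmentState: 'Fulfilled',
      message: { contentType: 'PlainText', content: 'Thank you.' } },
  };
}

exports.handler = async (event) => buildLexResponse(event);

// Constructed sample event (hypothetical intent and slot names, test card number).
const sampleEvent = {
  currentIntent: { name: 'CollectInput', slots: { cardNumber: '4111111111111111', zipCode: '98101' } },
  sessionAttributes: {},
};
```

Because the slot name is authenticated alongside the ciphertext, an encrypted zip code cannot be decrypted as if it were the card number; the AWS Encryption SDK offers the same binding through its encryption context.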

Overview of a Contact Flow

Figure 2: Contact Flow Capturing Input Values and Returning Encrypted Values

This flow consists of two primary steps:

  1. The first numerical input (an encrypted credit card number) is stored in contact attributes.
  2. The second numerical input (an encrypted zip code) is also stored in contact attributes.

Prerequisites

This solution requires the following AWS services:

  • Amazon Connect
  • AWS Identity and Access Management (IAM)
  • AWS Key Management Service (AWS KMS)
  • AWS Lambda
  • Amazon Lex

You also need the following installed on your local machine:

  • Git
  • Node and NPM (version 14.x or higher)
  • TypeScript
  • AWS Cloud Development Kit (AWS CDK) version 2.0 or higher

Before implementing the solution, ensure that you have an Amazon Connect instance set up.

To Establish the Amazon Connect Instance (if none exists):

  1. Create an Amazon Connect instance with a claimed phone number and an Amazon Connect user linked to a basic routing profile. For more details on setting up a contact center, see Set up your contact center in the Amazon Connect Administrator Guide.
  2. Assign the CallCenterManager or Admin security profile to an Amazon Connect user.
  3. In the newly created instance, locate the access URL in the Overview section, formatted as https://<aliasname>.awsapps.com/connect/login.
  4. Keep this access URL handy for logging into the Amazon Connect Dashboard.
  5. Log in using a Connect user with Admin or CallCenterManager permissions.

Solution Procedures

The solution encompasses several procedures:

  1. Clone the project or download the solution zip file.
  2. Create the necessary AWS resources for encryption and decryption.
  3. Configure the Amazon Lex bot within Amazon Connect.
  4. Develop the contact flow in Amazon Connect.
  5. Validate the solution.
  6. Decrypt the collected data.

To Clone or Download the Solution

  1. Access the GitHub repository.
  2. Clone or download the solution files to your local machine.

The downloaded file includes all artifacts required for deployment.

To Create AWS Resources for Encryption and Decryption

  1. Change your command line directory to the project’s root.
  2. Run npm install.
  3. Execute npm run build to transpile TypeScript into JavaScript and package the code along with its dependencies before deploying to AWS.
  4. Run cdk deploy CoreStack.

To Configure the Amazon Lex Bot in Your Amazon Connect Instance

  1. In the Amazon Connect console, select Contact flows and navigate to the Amazon Lex section.
  2. From the Bot menu, choose secure_LexInput(Classic) and click +Add Amazon Lex Bot.

To Import the Contact Flow into Amazon Connect

  1. In the Amazon Connect console, go to Overview and select Login as administrator.
  2. From the Routing menu, select Contact flows to view the list of flows.
  3. Click Create Contact flow.
  4. Utilize the arrow next to the Save button and select Import flow (beta) to upload the previously downloaded contact flow.
  5. Save and publish the contact flow to prepare it for validation.
  6. (Optional) Claim a phone number if one is not already available.
  7. (Optional) On the Edit Phone number page, enter any desired notes in the Description box.
  8. Assign the contact flow to your claimed phone number under Contact flow / IVR.

This article serves as a guide for securing sensitive voice data in Amazon Lex while ensuring compliance with best practices in data protection.

