Amazon Connect Lex4EC2 Patch Status Check – Solution Design and Setup Guide

Technical Guide

March 8, 2021

Notices

Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current AWS product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided “as is” without warranties, representations, or conditions of any kind, whether express or implied. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

© 2021 Amazon Web Services, Inc. or its affiliates. All rights reserved.

Contents

Before you begin
Architecture and design
  Known caller authentication flow
  Unknown caller authentication flow
  Chat client authentication flow
Components and information architecture
  Amazon Connect
  Amazon Lex
  AWS Lambda
  Amazon DynamoDB
  Amazon SNS
  AWS Systems Manager
Setup guide
  1. Amazon Connect instance creation
  2. Amazon Connect instance configuration
  3. Lex configuration
  4. Create and configure contact flows
  5. Test case setup
  Prerequisite
Conclusion
Contributors
Document revisions

About this guide

This guide contains an architecture and step-by-step implementation of a Minimal Viable Product buildout for an operations mechanism.
This type of mechanism is a good fit for large organizations which consist of multiple teams with a central IT department. This MVP build enables IT staff members to either call in or chat via a chat client (such as Slack) to check on the status of scheduled maintenance patching jobs. While the MVP case remains simple, the buildout can be extended to other tasks, such as:

• Authorize and trigger an emergency patch job for Amazon EC2 instances with remotely exploitable vulnerabilities.
• Start on-demand network and/or vulnerability scan jobs and summarize the result.

This guide shows how Amazon Connect and Amazon Lex can be leveraged to integrate with the rest of Amazon Web Services (AWS) to simplify common but important IT tasks.

Before you begin

Prior to deploying this mechanism, consider the following:

• Who is responsible for applying the patches and how are they currently being notified of the patching result? For some, email is sufficient, while others might prefer a lighter-weight mechanism like SMS messages or chat clients. Appropriate changes must be made.
• How many instances are being patched at the same time? Remember that the current mechanism is meant to show the possible integrations, so it provides only the summary of patching status. This can be changed in the code.
• If more details of the patching status are required, Amazon Lex can be easily adjusted to provide additional details.

Important: A basic understanding of the Amazon Connect contact flows is required. Understanding of programming languages like Python and/or Node.js might help.

Architecture and design

In this section, the known caller authentication flow and the unknown caller authentication flow are illustrated separately.

Known caller authentication flow

[Figure: Known caller authentication flow]

Note: A “known” user means the caller’s phone number is in the system (for example, in the Amazon DynamoDB table).

Key:

1. A user calls in, which initiates authentication by the contact flow.
   • The authentication AWS Lambda function is invoked, with the caller’s number as one of the parameters.
2. Using the number provided, the Employee table within the DynamoDB table is queried, and the matching record is retrieved.
3. The entire employee record with the matching phone number is returned to the Lambda function.
4. The Lambda function asks for the permanent personal identification number (PIN) stored in the DynamoDB table.
5. The user enters the permanent PIN.
6. The authentication Lambda function signals the contact flow that the user has been authenticated.

Unknown caller authentication flow

[Figure: Unknown caller authentication flow]

Note: An “unknown” user means the caller’s phone number is not in the system.

Key:

1. A user calls in, which initiates the authentication by the contact flow.
   • The authentication Lambda function is invoked with the caller’s number as one of the parameters.
2. Using the number provided, the Employee table within the DynamoDB table is queried and the matching record retrieved.
3. The Lambda function notifies the contact flow that the Employee record lookup returned empty.
4. The Employee ID is requested.
5. The user enters the ID using the phone.
   • Behind the scenes, the Lambda function retrieves the employee record matching the ID.
6. The permanent PIN is requested.
7. The user enters the PIN.
8. The Lambda function signals the contact flow that the user has been authenticated, and this invokes the Lex bot.

Chat client authentication flow

[Figure: Chat client authentication flow]

Note: In this example, we are integrating with the Slack chat client, but Amazon Lex supports other messaging platforms such as Facebook Messenger and Kik. For more information, see Deploying an Amazon Lex Bot on a Messaging Platform.

Key:

1. The user initiates the chat session with keywords such as “check patching”.
2. Amazon recognizes that the user session is from a chat client such as Slack, and it invokes the Lex bot with the session info.
3. The Lex bot asks for the Employee ID, and it queries the employee record from the DynamoDB table.
4. From the returned record, the bot retrieves the phone number and generates a randomized 6-digit One Time PIN (OTP). The PIN expires within 60 seconds.
5. Using Amazon Simple Notification Service (Amazon SNS), the Lex bot sends out the OTP.
6. The user types in the OTP in the same chat session, and authentication is complete.

Components and information architecture

Amazon Connect

Use Amazon Connect to build the virtual contact center. In this architecture, you need three contact flows:

1. PatchStatus_MainFlow — This contact flow is responsible for greeting the caller. It sets up logging, selects the voice, and redirects the call to the authentication flow.
2. PatchStatus_Authentication — The authentication flow is responsible for providing the basic authentication mechanism for Amazon Connect and Amazon Lex. This architecture assumes that employee records are kept in a DynamoDB table named “Employee”. (See the DynamoDB section of this document for the schema information.) Authentication uses the following workflow to authenticate or deny a user:
   a. If it’s a voice call, the authentication contact flow asks for an Employee ID. If it’s a chat session, the authentication is handled in the Lex bot, which is discussed later in this document.
   b. The contact flow looks up the table with the EmployeeID.
   c. If the record is not present, the contact flow notifies the user and disconnects.
   d. If the record is present, the calling number is checked against the PhoneNumber record in the Employee table.
      • If it’s a match, the contact flow asks for the permanent PIN stored
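
Added example (not part of the original guide or its Lambda code): a sketch of the one-time PIN handling from steps 4 to 6 of the chat client authentication flow, showing a 6-digit OTP drawn from the OS CSPRNG, the 60-second expiry, single use, and constant-time comparison. The `OtpStore` class, its in-memory dictionary (standing in for persisted session state), the injectable clock, the salted-hash storage and the three-attempt limit are assumptions; delivery through Amazon SNS is left out.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 60   # expiry window stated in the guide
MAX_ATTEMPTS = 3       # assumption: the guide does not state a retry limit


class OtpStore:
    """Hypothetical in-memory stand-in for per-employee OTP state."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # employee_id -> [salt, digest, expires_at, attempts_left]
        self._pending = {}

    @staticmethod
    def _digest(salt, otp):
        return hashlib.sha256(salt + otp.encode()).digest()

    def issue(self, employee_id):
        """Create a 6-digit OTP and return it for out-of-band delivery."""
        otp = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, keeps leading zeros
        salt = secrets.token_bytes(16)
        # Store only a salted digest so the code itself is not kept at rest.
        self._pending[employee_id] = [salt, self._digest(salt, otp),
                                      self._clock() + OTP_TTL_SECONDS,
                                      MAX_ATTEMPTS]
        return otp

    def verify(self, employee_id, candidate):
        """Return True exactly once for the right OTP inside the TTL."""
        entry = self._pending.get(employee_id)
        if entry is None:
            return False                          # nothing issued, or consumed
        salt, digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at:
            del self._pending[employee_id]        # expired: force a new OTP
            return False
        entry[3] = attempts_left - 1
        if hmac.compare_digest(digest, self._digest(salt, candidate)):
            del self._pending[employee_id]        # single use
            return True
        if entry[3] == 0:
            del self._pending[employee_id]        # retry budget exhausted
        return False
```

With only 10^6 possible codes, the attempt limit and the short expiry are what keep guessing impractical; the hash only avoids storing the code in plaintext.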
