Setting up the Amazon Connect integration will enable you to access your calls from Amazon Connect in MaestroQA. Please note that each part of this article may require admin access to Amazon Connect, Amazon Kinesis, IAM, S3, and MaestroQA.

NOTE: If you encounter errors in MaestroQA after enabling the integration, please please send the following to your MaestroQA contact so they can help troubleshoot:

the complete IAM policy for your MaestroQA role or user
all S3 bucket policies for the S3 buckets accessed by this role or user

Access can be granted by selecting one of the following approaches:

A. (recommended) Creating a role for access using STS AssumeRole

→ Use the guide below
(optional) Refer to the AWS documentation for details on STS.

B. Creating a user for access using AWS access keys

→ Follow this link for the instructions, which use parts I and II below and a custom implementation for parts III and IV

I. Set up recording

Set up recording for any Contact Flow that you might want to QA if you have not already done so. Please make sure to record Agent and Customer. The instructions for doing this can be found here:

https://docs.aws.amazon.com/connect/latest/adminguide/set-up-recordings.html#how-to-set-up-recording-behavior

II. Set up Data streaming with Amazon Kinesis Firehose

From the Amazon Connect console at https://console.aws.amazon.com/connect,
click on the instance alias of the Amazon Connect instance you would like to QA.
Click on Data Streaming.
Check the box Enable data streaming.
Under Contact Trace Records, select Kinesis Firehose.
If you have not already set up Kinesis Firehose, click the link
Create a new Kinesis Firehose. If you have already done this, go to step 19.
- There may be some limited costs associated with Amazon Kinesis Firehose. At a rate of 1,000,000 calls per day with each Contact Trace Record being less than 5 KB in size, at the US East rate of $0.029/GB the total cost over a 30 day period will be only $4.15.
- Full pricing information is outlined here: https://aws.amazon.com/kinesis/data-firehose/pricing/
On the new KinesisStreamsConsole tab that just opened, select Kinesis Data Firehose and click
Create delivery stream
Under Source select Direct PUT.
Under Destination select Amazon S3.
Choose a descriptive Delivery stream name, such as
amazon-connect-contact-trace-record-stream
Data transformation and record format conversion can remain disabled.
Create an S3 bucket that is only used for Amazon Connect Contact Trace Records.
1. Set the Bucket name to a descriptive name such as
  connect-contact-trace-records-{your company name}
  - Record this bucket name, as it will be needed for MaestroQA's integration information.
2. Select the AWS Region, using the same region as Amazon Connect.
3. Click
  Create bucket
4. This S3 tab can now be closed.
Select the S3 bucket that was just created, using Browse and refreshing if needed.
Leave S3 bucket prefix blank so the default date prefix of YYYY/MM/dd/HH is used.
- If an S3 bucket prefix is specified (not recommended), record this for Part IV.
(optional) Set Buffer hints, compression and encryption, if desired.
1. A higher Buffer interval would mean greater potential for delay in updating the data in S3, but even the maximum value of 900 seconds is unlikely to have any noticeable impact on QA.
Under Advanced settings, Permissions, allow Firehose to create or update the IAM Role (default selection), or Choose an existing IAM role if one was already created for this purpose.
(optional) Edit Amazon CloudWatch error logging and Tags, if desired.
Click
Create delivery stream
- Wait for the Status to update from Creating to Active.
  - This may take several minutes.
  - When this completes, you may close the tab.
After Kinesis finishes creating the delivery stream, go back to the Amazon Connect tab, refresh the page, and click on Data Streaming again.
Under Contact Trace Records, in the dropdown menu, select the name of the stream you would like to use.
Click
Save

III. Set up IAM (role credentials only)

Go to https://console.aws.amazon.com/iam
Click Roles.
Click
Create role
For Trusted entity type, select AWS account.
Under An AWS account, select Another AWS account and enter the MaestroQA AWS Account ID.
- To obtain the MaestroQA AWS Account ID, please contact your CSM.
(recommended) Under Options, select Require External ID and enter any valid value for External ID
- Record this External ID to be provided to MaestroQA
- Note that MFA is not supported.
We'll now create the S3 policy for s3:GetObject and s3:ListBucket actions.
1. Click
  Create policy
2. Click JSON.
3. Copy and paste the following policy:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_RECORDING_BUCKET_NAME_HERE",
        "arn:aws:s3:::YOUR_RECORDING_BUCKET_NAME_HERE/YOUR_RECORDING_PREFIX_HERE/*",
        "arn:aws:s3:::YOUR_CTR_BUCKET_NAME_HERE",
        "arn:aws:s3:::YOUR_CTR_BUCKET_NAME_HERE/YOUR_CTR_PREFIX_HERE/*"
      ]
    }
  ]
}
```
  1. Replace YOUR_RECORDING_BUCKET_NAME_HERE with the name of your S3 recordings bucket.
  2. Replace YOUR_CTR_BUCKET_NAME_HERE with your S3 Contact Trace Record (CTR) bucket.
  3. Replace YOUR_RECORDING_PREFIX_HERE with the S3 object prefix of the recording objects.
  4. Replace YOUR_CTR_PREFIX_HERE with the S3 object prefix of the Contact Trace Record (CTR) objects.
  The "Resource" array should now include following, with arn:aws:s3::: at the beginning of each resource:
  1. your S3 recordings bucket (no trailing /)
    You can find this by going to https://console.aws.amazon.com/connect, selecting the appropriate instance alias, and clicking on Data storage.
    Under "Call recordings will be stored in this S3 bucket", the information is presented as {bucket}/{prefix}
    Do NOT include the prefix path or the / in this first entry.
  2. your S3 recordings location (including the S3 object prefix) followed by /*
    (uncommon) If there is no S3 object prefix, then this would be arn:aws:s3:::YOUR_RECORDING_BUCKET_NAME_HERE/*
  3. your S3 Contact Trace Record (CTR) bucket (no trailing /)
    This was recorded on step 11 of part II.
  4. your S3 Contact Trace Record (CTR) bucket (including the S3 object prefix) followed by /*
    This would have been specified on step 13 of part II.
    Most commonly, if these objects have no S3 object prefix, then this would be arn:aws:s3:::YOUR_CTR_BUCKET_NAME_HERE/*
  If you are using or plan to use Amazon Connect Chat, also include the following in the "Resource" array:
  1. your S3 chat transcripts bucket (no trailing /)
    This information can be found and entered the same way as for recordings.
  2. your S3 chat transcripts location (including the S3 object prefix)
    followed by an asterisk (*)
  As a complete example S3 policy:
  https://drive.google.com/file/d/1jGFAWGT5iHfVKGIjPIkC33DqvXt74qDv/view
4. (optional) Add tags, if desired.
5. For Name, enter a descriptive policy name, such as MaestroQA-S3-Policy
6. Click
  Create policy

Now we'll repeat the process for the Amazon Connect policy actions.

Click
Create policy
Click JSON.

Copy and paste the following policy exactly:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "connect:DescribeContact",
        "connect:DescribeUser",
        "connect:ListContactReferences",
        "connect:ListRealtimeContactAnalysisSegments",
        "connect:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}

(optional) Add tags, if desired.
For Name, enter a descriptive policy name, such as
MaestroQA-Amazon-Connect-Policy
Click
Create policy

Back on the "Create role" tab, refresh the list of policies.
Select the two policies just created in steps 7 and 8.
For Role name, enter a descriptive role name, such as MaestroQA-API-Role
Click
Create role
Record the role's ARN, as this will need to be provided to MaestroQA.

IV. Enter information into MaestroQA (role credentials only)

Go to https://app.maestroqa.com/settings/integrations
Click on Amazon Connect.
Enter the Amazon Connect Instance Id.
- To find this, go to https://console.aws.amazon.com/connect, select the appropriate instance alias, and take the 36-character alphanumeric string at the end of the instance ARN after the /.
- See this guide for details: https://docs.aws.amazon.com/connect/latest/adminguide/find-instance-arn.html
Enter the Region Code (e.g. us-east-1, us-west-2). This can be found in the instance ARN from the previous step after arn:aws:connect: and before the next :
Enter the CTR Bucket, which was recorded on step 11 of part II.
- This is ONLY the name of the S3 bucket for Contact Trace Records (CTRs), not the full ARN.
- This should NOT be entered with any prefix or trailing /
Enter the CTR S3 Prefix if it was specified on step 13 of part II.
- In most cases, this should be left blank.
- This is ONLY the CTR object prefix, not the full ARN.
- The CTR bucket name should NOT be included.
- If this prefix is not blank, it should end in a trailing /
Enter the Recording Bucket and Recording S3 Prefix.
- You can find this by going to https://console.aws.amazon.com/connect, selecting the appropriate instance alias, and clicking on Data storage.
- Under "Call recordings will be stored in this S3 bucket", the information is presented as {bucket}/{prefix}
- The Recording Bucket should be entered without any / characters.
- The Recording S3 Prefix should exclude the bucket name as well as the initial /, and it should end with a trailing /
If you are using or plan to use Amazon Connect Chat, also enter the Chat Transcript Bucket (typically the same bucket as for recordings) and Chat Transcript S3 Prefix.
1. This information can be found and entered the same way as for recordings.
Enter the Role ARN recorded on step 13 of part III.
Enter the External ID recorded on step 6 of part III.
Click
Submit