Setting up the Amazon Connect integration will enable you to access your calls from Amazon Connect in MaestroQA. Please note that each part of this article may require admin access to Amazon Connect, Amazon Kinesis, IAM, S3, and MaestroQA.

Access can be granted by selecting one of the following approaches:

A. (recommended) Creating a role for access using STS AssumeRole

B. Creating a user for access using AWS access keys

  • Follow this link for the instructions, which use parts I and II below and a custom implementation for parts III and IV

I. Set up recording

Set up recording for any Contact Flow that you might want to QA if you have not already done so. Please make sure to record Agent and Customer. The instructions for doing this can be found here:

call recording behavior amazon connect

II. Set up Data streaming with Amazon Kinesis Firehose

1. From the Amazon Connect console at, click on the instance alias of the Amazon Connect instance you would like to QA.

2. Click on "Data Streaming".

3. Check the box "Enable data streaming".

4. Under Contact Trace Records, select "Kinesis Firehose".

5. If you have not already set up Kinesis Firehose, click the link "Create a new Kinesis Firehose". If you have already done this, go to step 19.

6. On the new "Amazon Kinesis Firehose" tab that just opened, click the button "Create delivery stream".

(There may be some limited costs associated with Amazon Kinesis Firehose. At a rate of 1,000,000 calls per day with each Contact Trace Record being less than 5 KB in size, at the US East rate of $0.029/GB the total cost over a 30 day period will be only $4.15. Full pricing information is outlined here:

7. Choose a descriptive Delivery stream name, such as "amazon-connect-contact-trace-record-stream".

8. Under Source select "Direct PUT or other sources".

9. Data transformation and Record format conversion can remain disabled.

10. Under Destination select "Amazon S3".

11. Create an S3 bucket that is only used for Amazon Connect Contact Trace Records, using a descriptive name such as "connect-contact-trace-records-{your company name}". Record this bucket name, as it will be needed for MaestroQA's integration information.

12. Select the region, using the same region as Amazon Connect. Click Create S3 bucket.

13. Leave S3 prefix blank so the default is used. If an S3 prefix is specified, record this for Part IV.

14. Edit Buffer size and Buffer interval, if desired. A higher Buffer interval would mean greater potential for delay in updating the data in S3, but even the maximum value of 900 seconds is unlikely to have any noticeable impact on QA.

15. Set S3 compression and encryption, error logging, and tags, if desired.

16. Under Permissions, allow Firehose to create the IAM Role "firehose_delivery_role" with the default policy.

17. On the Review page, click "Create delivery stream".

18. After Kinesis finishes creating the delivery stream, close this tab, go back to the Amazon Connect tab, refresh the page, and click on "Data Streaming" again.

19. Under Contact Trace Records, in the dropdown menu, select the name of the stream you would like to use.

20. Click Save.

III. Set up IAM (role credentials only)

1. Go to

2. Click “Roles”

3. Click “Create Role”

4. For “Trusted entity type”, select “AWS account”

5. Under "An AWS account", select "Another AWS account" and enter the MaestroQA AWS Account ID.

  • To obtain the MaestroQA AWS Account ID, please contact your CSM.

6. (recommended) Under "Options", select “Require External ID” and enter any valid value for “External ID”. (Note that MFA is not currently supported.)

  • Record this External ID to be provided to MaestroQA

7. We'll now create the S3 policy for s3:GetObject and s3:ListBucket actions.

Click "Create policy", "JSON", and then paste the policy found here:

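{ "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [
      "arn:aws:s3:::YOUR_RECORDING_BUCKET_NAME_HERE",
      "arn:aws:s3:::YOUR_RECORDING_BUCKET_NAME_HERE/YOUR_RECORDING_PREFIX_HERE/*",
      "arn:aws:s3:::YOUR_CTR_BUCKET_NAME_HERE",
      "arn:aws:s3:::YOUR_CTR_BUCKET_NAME_HERE/*"
    ] }] }
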
  • Replace YOUR_RECORDING_BUCKET_NAME_HERE with the name of your S3 recordings bucket.

  • Replace YOUR_CTR_BUCKET_NAME_HERE with your S3 Contact Trace Record (CTR) bucket.

  • Replace YOUR_RECORDING_PREFIX_HERE with the S3 object prefix of the recording objects.

The "Resource" array should now include the following, with arn:aws:s3::: at the beginning of each resource:

  • your S3 recordings bucket (no trailing /)

  • your S3 recordings location (including the S3 object prefix) followed by *

    • (uncommon) If there is no S3 object prefix, then this would be arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*

  • your S3 Contact Trace Record (CTR) bucket (no trailing /)

  • your S3 Contact Trace Record (CTR) bucket followed by *

    • (uncommon) If these objects have an S3 object prefix, then this would be arn:aws:s3:::YOUR_CTR_BUCKET_NAME_HERE/YOUR_CTR_PREFIX_HERE/*

(uncommon) If you are using Amazon Connect Chat, also include the following in the "Resource" array:

  • your S3 chat transcripts bucket (no trailing /)

  • your S3 chat transcripts location followed by an asterisk (*)

As a complete example S3 policy:

8. Now we'll repeat the process for the Amazon Connect policy for the connect:ListUsers and connect:DescribeUser actions. Again click "Create policy" and "JSON", pasting the following policy verbatim:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["connect:ListUsers", "connect:DescribeUser"],
    "Resource": "*"
  }]
}

9. Enter a descriptive name (e.g. "MaestroQA-API-Role")

10. Finish creating the role, and record the role's ARN, as this will need to be provided to MaestroQA
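The role from steps 4 to 7, sketched as an added example (not MaestroQA's or AWS's own code): it builds the trust policy that the console generates for "Another AWS account" with an External ID, and the S3 policy's "Resource" array following the rules in step 7, rejecting values that would produce a malformed ARN. The function names are hypothetical, and the account ID, External ID, bucket names and prefix in the usage are constructed placeholders.

```python
import json
import re

def _doc(statement):
    return {"Version": "2012-10-17", "Statement": [statement]}

def trust_policy(vendor_account_id, external_id):
    """Steps 4-6: only the vendor account may assume the role, and only
    when its AssumeRole call carries the agreed External ID."""
    if not re.fullmatch(r"\d{12}", vendor_account_id):
        raise ValueError("AWS account IDs are 12 digits")
    # AWS accepts 2-1224 characters from this set for an External ID.
    if not re.fullmatch(r"[A-Za-z0-9+=,.@:/-]{2,1224}", external_id):
        raise ValueError("invalid External ID")
    return _doc({
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    })

def _location(bucket, prefix=""):
    """Bucket ARN (no trailing /) plus the object pattern ending in *."""
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", bucket):
        raise ValueError(f"not a bucket name: {bucket!r}")
    if "*" in prefix or "?" in prefix:
        raise ValueError("prefix must not contain wildcards")
    prefix = prefix.strip("/")
    objects = f"{bucket}/{prefix}/*" if prefix else f"{bucket}/*"
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{objects}"]

def s3_policy(recordings, ctr, chat=None):
    """Step 7: each argument is a (bucket, prefix) pair; chat is optional.
    Duplicate ARNs (chat sharing the recordings bucket) are dropped."""
    resources = []
    for bucket, prefix in filter(None, (recordings, ctr, chat)):
        resources += [a for a in _location(bucket, prefix) if a not in resources]
    return _doc({"Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": resources})

if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers.
    print(json.dumps(trust_policy("111122223333", "example-external-id"), indent=2))
    print(json.dumps(s3_policy(("example-recordings", "connect/example/CallRecordings"),
                               ("connect-contact-trace-records-example", "")), indent=2))
```

The External ID condition is what stops another customer of the same vendor account from having it assume your role, so the value entered in step 6 should be unique to this integration.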

IV. Enter information into MaestroQA (role credentials only)

1. Go to

2. Click on "Amazon Connect".

3. Enter the Role ARN obtained on step 11 of part III.

4. Enter the External ID obtained on step 6 of part III.

5. Enter the Amazon Connect Instance ID. To find this, go to, select the appropriate instance alias, and take the 36-character alphanumeric string at the end of the instance ARN after the /. See this for details:

6. Enter the Region Code (e.g. us-east-1, us-west-2). This can be found in the instance ARN from the previous step after arn:aws:connect: and before the next :.

7. Enter the Amazon Connect Contact Trace Record (CTR) S3 bucket name, which was set on step 11 of part II.

8. Enter CTR S3 prefix if it was specified on step 13 of part II. In most cases, this can be left blank.

9. Enter the Amazon Connect Call recording S3 bucket and location. You can find this by going to, selecting the appropriate instance alias, and clicking on "Data storage".

10. (uncommon) If you are using Amazon Connect Chat, also enter the Amazon Connect Chat transcript S3 bucket (typically the same bucket as for recordings) and location.
