🛡️ AWS Connect Instance flow logs are not enabled🟢

• Contextual name: 🛡️ Instance flow logs are not enabled🟢
• ID: /ce/ca/aws/connect/instance-flow-logs
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY, RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS Connect Instance
  • 🔌 AWS Connect Instance - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [Connect.2] Amazon Connect instances should have CloudWatch logging enabled

Description

Open File

Description

This policy identifies AWS Connect Instances the are not configured to generate contact flow logs and deliver them to a designated Amazon CloudWatch Logs log group.

Rationale

Contact flow logs capture detailed execution data as customer interactions traverse defined contact flows. When streamed to CloudWatch Logs, this information enables:

• Operational troubleshooting by identifying failed, stalled, or dropped interactions.
• Performance monitoring through analysis of queue wait times, latency, and contact flow execution behavior.
• Security and compliance auditing by maintaining a centralized and immutable audit trail of customer interactions and agent actions.

Impact

If contact flow logging is not enabled, visibility into customer interaction behavior is significantly reduced, making issue diagnosis and experience optimization more difficult.

Enabling contact flow logs may result in additional costs associated with CloudWatch Logs data ingestion, storage, and retrieval.

Audit

This policy flags an AWS Connect Instance as INCOMPLIANT if the the instance's CONTACTFLOW_LOGS Attribute is set to false.

Remediation

Open File

Remediation

Enable Contact Flow Logs

To ensure that contact flow execution data is captured and delivered to CloudWatch Logs, enable the Contact Flow Logs attribute for the Amazon Connect instance.

From Command Line

Use the following command to enable contact flow logging for the specified instance:

aws connect update-instance-attribute \
    --instance-id {{connect-instance-id}} \
    --attribute-type CONTACTFLOW_LOGS \
    --value true

Considerations

• Enabling contact flow logs applies only to new contact flow executions; historical data is not retroactively captured.
• Ensure that the Amazon Connect service-linked role has sufficient permissions to publish logs to the configured CloudWatch Logs log group.
• Additional costs may be incurred for CloudWatch Logs ingestion, storage, and retrieval.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Connect.2] Amazon Connect instances should have CloudWatch logging enabled			1		no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			75		no data