
πŸ“ AWS Connect Instance flow logs are not enabled 🟒

  • Contextual name: Instance flow logs are not enabled
  • ID: /ce/ca/aws/connect/instance-flow-logs
  • Located in: AWS Connect

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY

Logic

Description

Ensure that AWS Connect (Amazon Connect) instances are configured to generate flow logs (the CONTACTFLOW_LOGS instance attribute) and deliver them to CloudWatch Logs.

Rationale

Enabling flow logs produces a detailed record of each contact as it moves through your flows, block by block. Streaming that record to CloudWatch Logs enables:

  • root-cause analysis and troubleshooting of failed or dropped interactions;
  • performance monitoring, such as queue wait times and flow execution timing;
  • security auditing: a centrally retained, access-controlled record of how each contact was routed and which actions were taken.

Impact

Without these logs, diagnosing routing failures and reconstructing a customer's experience becomes significantly more difficult, and there is no per-contact trail to support an investigation.

Enabling and storing flow logs in CloudWatch Logs may incur additional charges for data ingestion, storage, and retrieval. Flow logs can also contain contact attributes and other customer data, so treat the log group as sensitive: set a retention period, restrict who can read it, and restrict logs:DeleteLogGroup and logs:DeleteLogStream so the trail cannot be quietly removed.

Audit

This policy marks an AWS Connect instance as INCOMPLIANT if the instance's CONTACTFLOW_LOGS attribute is set to false. The attribute value is returned by the API as the string "true" or "false", not a boolean, so a check must compare against the string.

This attribute is the instance-level switch only: an individual flow can still suppress its own logging with the Set logging behavior block, which this policy does not inspect.

Remediation

From Command Line

Use the update-instance-attribute command to turn on CONTACTFLOW_LOGS, then confirm the new value with describe-instance-attribute for the same instance and attribute type:

aws connect update-instance-attribute \
--instance-id {{connect-instance-id}} \
--attribute-type CONTACTFLOW_LOGS \
--value true
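The audit rule and the CLI remediation above, combined into one script as an added example (this is not part of the policy page and not Cloudaware's own implementation). The evaluation logic is kept separate from the AWS calls so the script runs offline against the stub client at the bottom; passing boto3.client("connect") in place of the stub runs it against a real account (boto3 is deliberately not imported here). The instance IDs and attribute values in the stub are constructed sample data; the API operations used (list_instances, describe_instance_attribute, update_instance_attribute), the CONTACTFLOW_LOGS attribute type and its string "true"/"false" value are the real Amazon Connect ones.

```python
"""Audit, and optionally remediate, CONTACTFLOW_LOGS on Amazon Connect
instances. Added example; not the policy page's own code."""

ATTRIBUTE = "CONTACTFLOW_LOGS"


def is_compliant(response):
    """Interpret a describe_instance_attribute response.

    The API returns Value as the string "true"/"false", not a boolean.
    Anything other than an explicit "true" counts as non-compliant, so a
    missing or malformed attribute fails closed.
    """
    attr = response.get("Attribute") or {}
    if attr.get("AttributeType") != ATTRIBUTE:
        return False
    return str(attr.get("Value", "")).strip().lower() == "true"


def list_instance_ids(connect):
    """Walk list_instances page by page. boto3 rejects NextToken=None,
    so the token is only passed when the previous page returned one."""
    ids, kwargs = [], {}
    while True:
        page = connect.list_instances(**kwargs)
        ids.extend(i["Id"] for i in page.get("InstanceSummaryList", []))
        token = page.get("NextToken")
        if not token:
            return ids
        kwargs = {"NextToken": token}


def audit(connect, remediate=False):
    """Return {instance_id: "COMPLIANT" | "INCOMPLIANT" | "REMEDIATED"}.

    With remediate=True, each non-compliant instance gets the same call the
    CLI remediation makes (update-instance-attribute ... --value true) and is
    re-read afterwards so the result reflects what the API now reports.
    """
    results = {}
    for instance_id in list_instance_ids(connect):
        resp = connect.describe_instance_attribute(
            InstanceId=instance_id, AttributeType=ATTRIBUTE)
        if is_compliant(resp):
            results[instance_id] = "COMPLIANT"
            continue
        if not remediate:
            results[instance_id] = "INCOMPLIANT"
            continue
        connect.update_instance_attribute(
            InstanceId=instance_id, AttributeType=ATTRIBUTE, Value="true")
        confirmed = connect.describe_instance_attribute(
            InstanceId=instance_id, AttributeType=ATTRIBUTE)
        results[instance_id] = (
            "REMEDIATED" if is_compliant(confirmed) else "INCOMPLIANT")
    return results


class StubConnect:
    """Constructed stand-in for a boto3 'connect' client (offline demo only).
    It mimics the response shapes of the three operations used above."""

    def __init__(self, attrs):
        # {instance_id: "true"/"false"}; mutable so remediation is observable
        self.attrs = dict(attrs)

    def list_instances(self, **kwargs):
        ids = sorted(self.attrs)
        start = int(kwargs.get("NextToken", 0))   # two IDs per page to
        page = ids[start:start + 2]                # exercise the token loop
        out = {"InstanceSummaryList": [
            {"Id": i, "InstanceAlias": "alias-" + i[:8]} for i in page]}
        if start + 2 < len(ids):
            out["NextToken"] = str(start + 2)
        return out

    def describe_instance_attribute(self, InstanceId, AttributeType):
        return {"Attribute": {"AttributeType": AttributeType,
                              "Value": self.attrs[InstanceId]}}

    def update_instance_attribute(self, InstanceId, AttributeType, Value):
        self.attrs[InstanceId] = Value
        return {}


# Constructed sample data: made-up instance IDs, one compliant, two not.
SAMPLE = {
    "11111111-aaaa-4bbb-8ccc-000000000001": "true",
    "22222222-aaaa-4bbb-8ccc-000000000002": "false",
    "33333333-aaaa-4bbb-8ccc-000000000003": "false",
}


def demo(remediate=False):
    """Run the audit against a fresh stub built from SAMPLE."""
    return audit(StubConnect(SAMPLE), remediate=remediate)


if __name__ == "__main__":
    print(demo())                # audit only
    print(demo(remediate=True))  # audit and fix
```

Running the script prints the audit-only result (one COMPLIANT, two INCOMPLIANT) and then the remediated result (one COMPLIANT, two REMEDIATED). Because the remediation re-reads the attribute rather than trusting the update call, a permissions or propagation problem shows up as a lingering INCOMPLIANT instead of a false success.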

Linked Framework Sections

Section → Sub Section: count
  • AWS Foundational Security Best Practices v1.0.0 → [Connect.2] Amazon Connect instances should have CloudWatch logging enabled: 1
  • Cloudaware Framework → Logging and Monitoring Configuration: 52