
Amazon Connect

The Enterpret integration with Amazon Connect lets you bring your contact center call recordings and metadata into Enterpret for analysis alongside the rest of your customer feedback.

Written by Vaishnavi [Enterpret]

Amazon Connect is where many of your customers' most candid conversations happen — and most of that audio sits inside your AWS account, unused. The Enterpret integration with Amazon Connect ingests your voice contact metadata and .wav recordings every 4 hours, transcribes them, and tags them automatically with your feedback taxonomy.

Some of the key benefits of this integration are:

  • Doing trend analysis on what customers are calling your contact center about.

  • Catching emerging issues in support call topics before they show up in NPS.

  • Connecting voice feedback to the same themes as your tickets, surveys, and reviews.

  • Automatically summarizing calls and staying on top of your contact backlog.

How it works: Amazon Connect is a pull-based integration. Enterpret reads from your AWS account using cross-account IAM role assumption — no long-lived credentials ever leave your AWS account, and you can revoke access any time by deleting the role.

Note: As of April 2026, Amazon Connect uses IAM role authentication only. Static IAM access keys are no longer accepted for new integrations. If you have an existing static-key integration from before this date, see Migrating an existing Amazon Connect integration below.


Before you start

You'll need:

  • Admin access to your AWS account (or someone who has it on the call with you).

  • Your Amazon Connect Instance ARN and Access URL — from Amazon Connect → Account Overview.

  • The AWS Region and S3 bucket URI where your call recordings are stored.

  • The Enterpret AWS Account ID — used as the trusted principal in your IAM trust policy. Reach out to your CSM or [email protected] to get this value.

  • 10–15 minutes to set up the IAM role on the AWS side.

You do not need to know your External ID upfront — Enterpret generates one for you and displays it in your dashboard after you save the integration. You'll plug it into your trust policy as part of the setup flow.

How the setup works (the short version)

Amazon Connect setup is a two-pass flow because the External ID is generated by Enterpret only after you save:

  1. Pass 1 — Create the integration in Enterpret. You fill out 5 fields and click Integrate. Enterpret saves your config and generates a unique External ID for this integration.

  2. Pass 2 — Finalize your trust policy in AWS. You copy the External ID from the Enterpret detail page and paste it into your IAM role's trust policy.

The first ingestion runs within 4 hours of save, so you have time to complete Pass 2 before then. If you miss it, the integration just sits in "Connection expired" — fix the trust policy and the next cycle picks up automatically.

Step-by-step setup

Step 1: Create the IAM role in AWS (with a placeholder External ID)

In your AWS Console, create a new IAM role with the following two policies.

Trust policy — replace <ENTERPRET_AWS_ACCOUNT_ID> with the value your CSM shared. For <EXTERNAL_ID>, use any placeholder string for now (e.g., "placeholder-will-update"). You'll come back and replace it in Step 4.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::<ENTERPRET_AWS_ACCOUNT_ID>:root" },
    "Action": "sts:AssumeRole",
    "Condition": { "StringEquals": { "sts:ExternalId": "<EXTERNAL_ID>" } }
  }]
}

Permission policy — replace <bucket>, <instance>, <region>, and <account> with your own values.

💡 Use the S3 prefix that matches the S3 Bucket URI you'll enter in Enterpret in Step 2. The example below uses Amazon Connect's default storage path (connect/<instance>/CallRecordings/). If your Connect instance is configured to write recordings under a different prefix, substitute it everywhere connect/<instance>/CallRecordings/ appears below — both the Resource ARN on s3:GetObject and the s3:prefix condition on s3:ListBucket must match.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket>/connect/<instance>/CallRecordings/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<bucket>",
      "Condition": { "StringLike": { "s3:prefix": ["connect/<instance>/CallRecordings/*"] } }
    },
    {
      "Effect": "Allow",
      "Action": ["connect:SearchContacts", "connect:GetContactAttributes"],
      "Resource": "arn:aws:connect:<region>:<account>:instance/<instance>"
    },
    {
      "Effect": "Allow",
      "Action": "connect:DescribeContact",
      "Resource": "arn:aws:connect:<region>:<account>:instance/<instance>/contact/*"
    }
  ]
}

The broader instance/<instance>/* ARN also works for all three actions and is what some teams prefer for simplicity. The split above is the tightest policy that lets Enterpret do its job — useful if your AWS security review wants least-privilege ARNs per action.

Important — use StringLike, not StringEquals, on s3:prefix.
Enterpret lists recordings under date- and contact-scoped sub-prefixes like connect/<instance>/CallRecordings/2026/04/29/<contact-id>. If you use StringEquals against the bare prefix, ListBucket will silently fail (GetObject will still work, so the failure is easy to miss). StringLike matches the longer prefixes that Enterpret actually requests.

If your bucket only contains call recordings and you'd prefer a simpler bucket-wide policy, that works too — the runtime behavior is identical.
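The operator difference described above can be checked offline before the first ingestion cycle. This is an added example, not Enterpret's or AWS's code: a simplified evaluator for Allow statements that models only StringEquals and StringLike, run against this page's two S3 statements with constructed bucket, instance and contact values (`allowed`, `preflight` and `s3_policy` are hypothetical helper names).

```python
import re

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _like(pattern, value):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.S) is not None

OPS = {"StringEquals": lambda p, v: p == v, "StringLike": _like}

def _condition_ok(cond, ctx):
    # Every operator/key pair must hold; operators not modelled here fail closed.
    return all(op in OPS and key in ctx and any(OPS[op](p, ctx[key]) for p in _as_list(want))
               for op, block in cond.items() for key, want in block.items())

def allowed(policy, action, resource, ctx=None):
    """Simplified: one matching Allow is enough (ignores Deny, SCPs, bucket policies)."""
    for st in _as_list(policy["Statement"]):
        if (st["Effect"] == "Allow"
                and any(_like(a, action) for a in _as_list(st["Action"]))
                and any(_like(r, resource) for r in _as_list(st["Resource"]))
                and _condition_ok(st.get("Condition", {}), ctx or {})):
            return True
    return False

# Constructed sample values; substitute your own bucket, instance and contact ID.
BUCKET, BASE = "example-recordings", "connect/example-instance/CallRecordings/"
LIST_PREFIX = BASE + "2026/04/29/constructed-contact-id"   # what gets listed
OBJECT_KEY = LIST_PREFIX + "_recording.wav"                 # what gets fetched

def s3_policy(operator, prefix_value):
    # The page's two S3 statements, with the s3:prefix condition parameterised.
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/{BASE}*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}",
         "Condition": {operator: {"s3:prefix": [prefix_value]}}}]}

def preflight(policy):
    arn = f"arn:aws:s3:::{BUCKET}"
    return {"ListBucket": allowed(policy, "s3:ListBucket", arn, {"s3:prefix": LIST_PREFIX}),
            "GetObject": allowed(policy, "s3:GetObject", f"{arn}/{OBJECT_KEY}")}

if __name__ == "__main__":
    print("StringLike  ", preflight(s3_policy("StringLike", BASE + "*")))
    print("StringEquals", preflight(s3_policy("StringEquals", BASE)))
```

The StringEquals variant reports ListBucket denied while GetObject is still allowed, which is the easy-to-miss state the note above describes.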

Save the role and copy its Role ARN.

If your recordings bucket is encrypted with a customer-managed KMS key, the role needs kms:Decrypt on that key as well. With S3-managed encryption (SSE-S3) you can skip this; with a CMK (SSE-KMS), s3:GetObject will return AccessDenied without it, and the integration will silently land in "Connection expired" on the next ingestion cycle.

Add the following statement to the permission policy, replacing <key-arn> with the ARN of the KMS key your bucket uses:

{
  "Effect": "Allow",
  "Action": "kms:Decrypt",
  "Resource": "<key-arn>"
}

If you're unsure whether your bucket uses a CMK, check S3 → your bucket → Properties → Default encryption. Anything other than "SSE-S3 (AES-256)" means you need this statement.

Step 2: Create the integration in Enterpret

  1. In the bottom left of the screen, click on your organization's logo. A panel will open up — click on Integrations.

  2. On the top right corner, click the + New Integration button.

  3. Search for Amazon Connect and click Continue.

  4. Choose Feedback Integration.

  5. The setup form opens. Fill in all five required fields (see table below).

| Field | Where to find it |
|---|---|
| Instance ARN | Amazon Connect → Account Overview |
| Access URL | Amazon Connect → Account Overview |
| AWS Region | The region your Amazon Connect instance runs in (e.g., us-east-1) |
| S3 Bucket URI | The S3 location where Amazon Connect stores call recordings |
| Role ARN | The Role ARN from Step 1 |

  6. Click Integrate.

You'll see Amazon Connect appear as a connected integration with status Active.

Step 3: Copy your External ID from the Enterpret dashboard

Once the integration is saved, Enterpret has generated a unique External ID for it. You'll see it in two places:

  • The integration detail page → Integration Details card, in a row labeled External ID.

  • The source detail view title strip, as a caption next to the integration name.

Both have a one-click copy button. Click to copy the value.

Step 4: Update your IAM trust policy with the real External ID

Back in AWS, open the IAM role you created in Step 1 and edit the trust policy. Replace your placeholder value with the External ID you just copied:

"Condition": { "StringEquals": { "sts:ExternalId": "<paste-the-real-value-here>" } }

Save the trust policy.

That's it — setup is complete.


What happens next

  • Within 4 hours, Enterpret runs its first fetch cycle. This is when the integration first tries to assume your IAM role.

  • If everything is set up correctly, recordings start landing in Enterpret and will appear in your feedback within a few hours after that, depending on volume.

  • If the trust policy isn't right yet (e.g., you haven't done Step 4 yet, or there's a typo in the External ID), the integration chip in your Integrations page flips to "Connection expired" and you'll receive an alert email. The detail page will show a Reconnect CTA. Fix the trust policy in AWS and the next ingestion cycle (within 4 hours) will recover automatically — no action needed in Enterpret.

Why doesn't Enterpret tell me immediately if my setup is correct?
The first time Enterpret actually contacts your AWS account is on the next ingestion cycle (up to 4 hours after you save). We're working on adding an instant verification step at save time — for now, you'll see the result of that first cycle reflected in the integration's status.


Reauthorizing your integration

You might need to reauthorize if:

  • Your AWS team rotated something on their side and ingestion is now failing.

  • You need to update the S3 bucket URI, region, instance, or role.

  • You're migrating off legacy static-key authentication (see below).

To reauthorize:

  1. Open the Integrations page and find your Amazon Connect integration. (If the integration is in "Connection expired", you can also click the Reconnect CTA on the integration's detail page.)

  2. Click Reauthorize.

  3. The form will open with all five fields empty. You'll need to re-enter all of them, even fields you aren't changing.

  4. Click Submit.

Important — every Reauthorize generates a fresh External ID.
Because the form requires you to re-enter the Role ARN on every reauth, Enterpret treats every reauth as a new authorization and rotates your External ID. This is by design — it makes any previously-leaked External ID useless — but it has a practical implication: your old trust policy will stop working until you update it.

After reauthorizing:

  1. Go to the integration detail page.

  2. Copy the new External ID from the Integration Details card.

  3. Paste it into your IAM role's trust policy in AWS, replacing the previous value.

The next ingestion cycle will pick up the new value automatically.
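Both Step 4 of the setup and every Reauthorize leave the trust policy and the dashboard out of sync until the new External ID is pasted in. The following added example (not Enterpret's or AWS's code) lints a trust policy document against the template on this page; `lint_trust_policy` and `trust_policy` are hypothetical helpers, and the account ID and External ID are constructed placeholders.

```python
def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_trust_policy(policy, account_id, dashboard_external_id):
    """Return findings; an empty list means the policy matches the template on this page."""
    trusted = {account_id, f"arn:aws:iam::{account_id}:root"}  # both forms name the account
    stmts = [s for s in _as_list(policy.get("Statement", []))
             if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not stmts:
        return ["no Allow statement for sts:AssumeRole"]
    findings = []
    for i, st in enumerate(stmts):
        pr = st.get("Principal")
        if (not isinstance(pr, dict) or set(pr) != {"AWS"}
                or any(p not in trusted for p in _as_list(pr["AWS"]))):
            findings.append(f"statement {i}: principal is not only the Enterpret account")
        cond = st.get("Condition", {})
        ext = _as_list(cond.get("StringEquals", {}).get("sts:ExternalId", []))
        if not ext:
            ops = [op for op, blk in cond.items() if "sts:ExternalId" in blk]
            findings.append(f"statement {i}: sts:ExternalId "
                            + (f"is under {ops[0]}, not StringEquals" if ops else "is not required"))
        elif ext != [dashboard_external_id]:
            # Deliberately does not echo either value into the finding text.
            findings.append(f"statement {i}: External ID differs from the dashboard value "
                            "(placeholder still in place, or rotated by a Reauthorize)")
    return findings

# Constructed sample values, not real identifiers.
ACCOUNT, CURRENT_ID = "111122223333", "constructed-external-id-0002"

def trust_policy(external_id, operator="StringEquals", principal=None):
    st = {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": principal or f"arn:aws:iam::{ACCOUNT}:root"}}
    if external_id is not None:
        st["Condition"] = {operator: {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [st]}

if __name__ == "__main__":
    for label, pol in [("finalized", trust_policy(CURRENT_ID)),
                       ("placeholder", trust_policy("placeholder-will-update")),
                       ("no condition", trust_policy(None))]:
        print(label, lint_trust_policy(pol, ACCOUNT, CURRENT_ID))
```

Feed it the document returned by `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument` after Step 4 and after every Reauthorize.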

We're working on improvements to the reauth flow that will make this cleaner — pre-filled fields, an in-product warning before submit, and only rotating the External ID when the Role ARN actually changes. Until then, treat every Reauthorize click as a "you'll need to update your AWS trust policy" event.


Migrating an existing Amazon Connect integration (legacy static-key)

If you set up Amazon Connect before April 2026, your integration is using static IAM access keys. Both modes continue to work, but we strongly recommend migrating to IAM role authentication — no long-lived credentials, easier to revoke, and consistent with AWS security best practices.

To migrate:

  1. In AWS, create the IAM role following Step 1 above (trust policy + permission policy). Use a placeholder for the External ID for now.

  2. In Enterpret, find your existing Amazon Connect integration and click Reauthorize.

  3. The form will open with all fields empty.

  4. Re-enter your existing values for Instance ARN, Access URL, Region, and S3 URI.

  5. Paste the new Role ARN into the Role ARN field.

  6. Click Submit.

  7. Enterpret will:

    • Save your Role ARN.

    • Generate a fresh External ID.

    • Clear your old static access keys. This is one-way per submit — once you migrate, the static keys are gone.

  8. Copy the new External ID from the detail page and update your IAM trust policy in AWS.

  9. After confirming the next ingestion cycle runs cleanly, you can safely delete the legacy IAM user from your AWS account.

There's no auto-migration — it happens at your pace, on your timeline.


Notes

  • Recording behavior — Enterpret only ingests calls that Amazon Connect has been configured to record. Set this up in your Amazon Connect contact flows.

  • Bucket location — Amazon Connect requires the recordings bucket to be in the same AWS region as your Connect instance (this is an Amazon-side constraint, not an Enterpret one). If you've pointed Connect at a non-default bucket, make sure the Resource ARN in the permission policy above matches that bucket's name.

  • Revoking access — to fully revoke Enterpret's access at any time, delete the IAM role in AWS. The next ingestion cycle will fail safely, and the integration will show as "Connection expired" in Enterpret.

  • Auditing Enterpret's access in CloudTrail — every time Enterpret assumes your role, the role session is named enterpret-amazonconnect-<integration-id>. In CloudTrail, filter on userIdentity.sessionContext.sessionIssuer.userName = <your-role-name> to see exactly which API calls Enterpret has made and when. The session name includes the integration's UUID, which you can copy from the integration detail page if you ever need to correlate.
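The CloudTrail filter above can be turned into a repeatable review. This added example (not Enterpret's code) goes one step further than the filter: it counts calls made through the role and flags sessions without the enterpret-amazonconnect- prefix, calls outside an expected set, and errors. The records, role name, account ID and UUID are constructed, and the `EXPECTED` event names are an assumption derived from the permission policy on this page.

```python
from collections import Counter

SESSION_PREFIX = "enterpret-amazonconnect-"  # session naming stated on this page
# Assumption: the event names expected from the permission policy; adjust to your trail.
EXPECTED = {("s3.amazonaws.com", "GetObject"), ("s3.amazonaws.com", "ListObjects"),
            ("kms.amazonaws.com", "Decrypt")} | {("connect.amazonaws.com", n) for n in
            ("SearchContacts", "GetContactAttributes", "DescribeContact")}

def audit(records, role_name):
    """Count calls made through role_name and flag anything off-pattern."""
    calls, findings = Counter(), []
    for r in records:
        ident = r.get("userIdentity", {})
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        if ident.get("type") != "AssumedRole" or issuer.get("userName") != role_name:
            continue
        # An assumed-role ARN ends in .../<role-name>/<session-name>.
        session = ident.get("arn", "").rsplit("/", 1)[-1]
        call = (r.get("eventSource"), r.get("eventName"))
        calls[call] += 1
        if not session.startswith(SESSION_PREFIX):
            findings.append((r.get("eventTime"), "session-name", session))
        if call not in EXPECTED:
            findings.append((r.get("eventTime"), "unexpected-call", call[1]))
        if r.get("errorCode"):
            findings.append((r.get("eventTime"), "error", r["errorCode"]))
    return calls, findings

def record(time, session, source, name, role="ExampleEnterpretRole", error=None):
    # Constructed CloudTrail record carrying only the fields audit() reads.
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"type": "AssumedRole",
                            "arn": f"arn:aws:sts::111122223333:assumed-role/{role}/{session}",
                            "sessionContext": {"sessionIssuer": {"userName": role}}}}
    if error:
        rec["errorCode"] = error
    return rec

S = SESSION_PREFIX + "00000000-0000-0000-0000-000000000000"  # constructed integration UUID
SAMPLE = [
    record("2026-04-29T08:00:01Z", S, "connect.amazonaws.com", "SearchContacts"),
    record("2026-04-29T08:00:05Z", S, "s3.amazonaws.com", "ListObjects", error="AccessDenied"),
    record("2026-04-29T09:30:00Z", S, "s3.amazonaws.com", "PutObject", error="AccessDenied"),
    record("2026-04-29T11:12:00Z", "adhoc-session", "s3.amazonaws.com", "GetObject"),
    record("2026-04-29T11:13:00Z", "other", "s3.amazonaws.com", "GetObject", role="UnrelatedRole"),
]

if __name__ == "__main__":
    print(*audit(SAMPLE, "ExampleEnterpretRole")[1], sep="\n")
```

S3 object-level calls such as GetObject are CloudTrail data events, so they appear only when data event logging is enabled for the recordings bucket.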
