Hey everyone. I am a junior dev and I have been assigned a task to process our raw SIP audio for a specialized compliance check. The data contains highly sensitive PII that cannot be stored on our standard application servers. I am looking into using ‘Secure Enclaves’ (like AWS Nitro Enclaves) within a serverless function to perform the analysis. How do I securely stream the audio from a Genesys Cloud recording export into one of these enclaves without the data ever being decrypted in a non-secure environment?
This is a very advanced security requirement! I usually deal with HTML templates for email routing, but I have seen our security team discuss this. You should use the ‘External Key Management’ (EKM) feature in Genesys Cloud. This allows you to use your own AWS KMS keys for recording encryption.
You can then configure your secure enclave with the specific IAM permissions to decrypt the audio only inside the enclave’s memory.
the previous poster, That is correct about EKM. From an API perspective, you would use the Recording Export API to move the encrypted files to your S3 bucket. Your serverless function then triggers the enclave.
I have been researching the rate limits for these bulk exports and they are quite generous, but the decryption process inside an enclave can be CPU-intensive. Make sure you scale your enclave instances to match your export volume.
I maintain over fifty flows and we use secure variables for everything. the previous poster, if you are doing this in real time, you might also look at the AudioHook API. It allows you to stream the audio directly to your secure endpoint via a websocket.
This avoids the ‘at rest’ storage problem entirely, as the data only exists in the enclave’s memory during the call. It is much more complex to implement but significantly more secure for high-compliance use cases.