Updating SCC-AC Resources

AWS Resources Upgrade Process

IMPORTANT: Before updating the resource version, make sure to check the compatability chart as not all resource versions may be compatible with every managed package version.

1. Navigate to the SCC-AC Guided Setup page

   1. Scroll down to the Update Resources section. It should look like this if an update is available:

      

   2. Choose Update to start the resource update process. This may take a few minutes.

   3. When the update is complete or all resources are already up to date, you should see a green check mark as below:

      

Version Compatability

Managed Package Version	Resource Version
1.5.1	1.2.0 - 1.4.0
1.5.0	1.2.0 - 1.4.0
1.4.3	1.2.0 - 1.4.0
1.4.2	1.2.0 - 1.4.0
1.4.1	1.2.0 - 1.4.0
1.3.1	1.2.0 - 1.4.0
1.3.0	1.2.0 - 1.4.0
1.2.0	1.1.0 - 1.2.0
1.0.0	1.0.0

Certificate Upgrade Process

Customers can re-use the Setup wizard to update their certificate when it approaches expiration or needs to be rotated for security compliance. The certificate upgrade process follows the same steps as the initial certificate setup.

IMPORTANT: Certificate upgrades require a brief service interruption while AWS and Salesforce resources are updated. Schedule the upgrade during a planned maintenance window and ensure proper testing procedures are followed after completion.

Prerequisites

Before starting the certificate upgrade process, ensure the following:

1. The SCCAC Administrator user is active in your Salesforce org.
2. You have scheduled a maintenance window to accommodate the service interruption (typically two minutes).
3. You have prepared a testing plan to validate service functionality after the upgrade.
4. You have reviewed your current certificate expiration date to plan the upgrade timeline appropriately.

Service Impact and Downtime

The certificate upgrade process involves deploying a CloudFormation stack to your AWS account, which updates all AWS and Salesforce resources where the certificate is used. Based on typical deployments, this process completes within two minutes. During this time, new connections cannot be established, though existing connections remain active. We recommend planning for up to five minutes to account for testing and validation.

Upgrade Steps

1. Generate certificate KeyStore file and import to Salesforce

   Follow the same process as the initial setup to generate and import your new certificate:

   Generate certificate KeyStore file guide

   This step creates a new certificate file in your S3 bucket and requires you to download and import it into Salesforce Certificate and Key Management.

2. Enter imported certificate label

   Once the new certificate has been imported to Salesforce, enter the certificate label in the Setup wizard:

   Enter imported certificate label guide

   When you enter the new certificate label in the Setup wizard, SCC-AC automatically updates all AWS and Salesforce resources where the certificate is used by deploying a CloudFormation stack (SCC-GLOBAL-CERTIFICATE-APPLIED-RESOURCE-STACK-{SalesforceOrgId}-{Timestamp}) to your AWS account.

Post-Upgrade Validation

After the certificate upgrade completes, perform the following validation steps:

1. Verify CloudFormation stack deployment

   Navigate to the AWS CloudFormation console in the us-east-1 region and confirm that the SCC-GLOBAL-CERTIFICATE-APPLIED-RESOURCE-STACK-{SalesforceOrgId}-{Timestamp} stack shows a status of CREATE_COMPLETE or UPDATE_COMPLETE.

2. Confirm certificate update in Guided Setup

   Refresh the SCC-AC Guided Setup page in Salesforce and verify that a green check mark appears next to the Enter imported certificate label button.

3. Test service connectivity

   Initiate test calls or chats through your Amazon Connect instance to verify that all services are functioning correctly with the new certificate.

4. Verify certificate expiration date

   In Salesforce Setup, navigate to Certificate and Key Management and confirm that the new certificate shows the expected expiration date.

Troubleshooting

If you encounter issues during the certificate upgrade process:

1. CloudFormation stack deployment fails

   Review the CloudWatch logs for the SCC-ExternalCredentialManagementFunction Lambda function in your AWS Console. Common issues include:

   • invalid_grant: no client credentials user enabled - Verify that the awsscc GLOBAL_CONNECTED_APP has client credentials enabled and is running as SCCAC Administrator under Client Credentials Flow.
   • Permission errors - Confirm that the IAM user credentials have the necessary permissions to deploy CloudFormation stacks.

2. Certificate not updating in Salesforce

   Ensure that:

   • The certificate was successfully imported to Salesforce Certificate and Key Management.
   • The certificate label entered in the Setup wizard exactly matches the label shown in Certificate and Key Management.
   • The SCCAC Administrator user is active and has the necessary permissions.

3. Service connectivity issues after upgrade

   If services are not functioning after the certificate upgrade:

   • Verify that all Named Credentials are still enabled for callouts.
   • Check that the certificate has not expired.
   • Review the Troubleshooting guide for additional diagnostic steps.

For additional assistance, refer to the IAM User's Credential Rotation guide if you need to rotate IAM credentials during the certificate upgrade process.