AWS Architecture
This document details the AWS service architecture, service dependencies, IAM policies, and resource tagging strategy for MenoTime.
Service Dependency Map
┌─────────────┐
│ Route 53 │
│ (menotime.ai)
└────────┬────┘
│
┌────────▼────────┐
│ CloudFront │
│ (CDN + Cache) │
└────────┬────────┘
│
┌────────▼────────┐
│ ALB (Port 80) │
│ (Port 443) │
└────────┬────────┘
│
┌────────────────┼────────────────┐
│ │ │
┌───▼────┐ ┌───▼────┐ ┌───▼────┐
│ ECS │ │ ECS │ │ ECS │
│ Dev │ │ Staging│ │ Prod │
│ Cluster│ │ Cluster│ │ Cluster│
└───┬────┘ └───┬────┘ └───┬────┘
│ │ │
│ ┌────────────┼────────────┐ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌─────────────────────────┐ │
│ │ Secrets Manager │ │
│ │ (DB Credentials) │ │
│ └────────────┬────────────┘ │
│ │ │
└───────────┬───┴────────────────┘
│
┌───────────▼─────────────┐
│ RDS PostgreSQL │
│ 3 instances │
│ (Dev/Staging/Prod) │
│ db.m7g.large │
│ Single-AZ │
└──────────┬──────────────┘
│
┌──────────────┴──────────────┐
│ │
┌───▼────┐ ┌───▼────┐
│ S3 │ │ KMS │
│(Logs) │ │(Encrypt)
└────────┘ └────────┘
┌────────────────────┐
│ CloudWatch Logs │
│ (Encrypted) │
└────────────────────┘
┌────────────────────┐
│ GuardDuty │
│ (Threat Detection) │
└────────────────────┘
┌────────────────────┐
│ WAF (Recommended) │
│ (Attach to ALB) │
└────────────────────┘
┌────────────────────┐
│ SES │
│ (Email via SMTP) │
└────────────────────┘
┌────────────────────┐
│ ECR │
│ (Image Registry) │
└────────────────────┘
Core Services
Route 53 (DNS)
Purpose: Domain name resolution for menotime.ai
- Record Type: A record (alias) pointing to CloudFront distribution
- TTL: 300 seconds (5 minutes) for faster failover
- Health Checks: Optional health check on ALB for automatic failover
- Zone: Hosted Zone for menotime.ai managed in AWS
CloudFront (CDN)
Purpose: Content delivery network for static assets and API caching
- Origin 1: ALB (primary backend origin for /api/* routes)
- Origin 2: S3 bucket (for static assets, images, etc.)
- HTTPS Only: Enforce HTTPS for all connections
- SSL/TLS: AWS Certificate Manager (ACM) certificate for menotime.ai
- Caching:
- Static assets: 1 week (Cache-Control headers)
- API responses: 60 seconds (via Vary headers)
- Default TTL: 24 hours
- Compression: Enabled (gzip, brotli)
- Security: Restrict to TLS 1.2+
Application Load Balancer (ALB)
Purpose: Layer 7 load balancing, SSL/TLS termination, request routing
- Scheme: Internet-facing
- Subnets: Public subnets (availability zones)
- Security Group:
menotime-alb-sg - Inbound: HTTP (80) and HTTPS (443) from 0.0.0.0/0
- Outbound: All traffic to ECS security group
- Target Groups:
- Name:
menotime-backend-tg - Protocol: HTTP (targets are ECS tasks)
- Port: 8000 (FastAPI default)
- Health Check Path:
/health - Interval: 30 seconds
- Healthy Threshold: 2
- Unhealthy Threshold: 3
- Timeout: 5 seconds
- Listeners:
- Port 80: Redirect to HTTPS (301)
- Port 443: Forward to target group, SSL/TLS termination
ECS Fargate
Purpose: Serverless container orchestration
- Clusters:
menotime-dev-clustermenotime-staging-clustermenotime-prod-cluster- Services: One per environment, load balanced by ALB
- Task Definition:
menotime-backend:latest - Compute: See Environments
- Container Port: 8000
- Log Driver: awslogs (CloudWatch Logs)
- Environment Variables: Injected from Secrets Manager
- Deployment Strategy:
- Dev/Staging: All-at-once (fastest)
- Production: Rolling (1 task minimum)
RDS PostgreSQL
Purpose: Relational database for patient data, clinical records, appointments
- Engine: PostgreSQL 15.x
- Instance Class: db.m7g.large
- vCPU: 2 cores
- Memory: 8 GB
- Network Performance: Up to 10 Gbps
- Storage: gp3 (1 TB, expandable)
- Configuration:
- Multi-AZ: No (Single-AZ to reduce cost; upgrade path available)
- Backup Retention: 7 days
- Backup Window: 03:00 UTC (off-peak)
- Maintenance Window: Sunday 04:00 UTC
- Parameter Group: Custom with HIPAA-recommended settings
- Option Group: None (no additional features enabled)
- Security:
- Security Group:
menotime-db-sg- Inbound: PostgreSQL (5432) from ECS security group only
- Outbound: Denied
- Subnet Group: Private subnets (no public access)
- IAM Database Authentication: Enabled
- Encryption: KMS-managed key at rest
- Storage Encryption: Enabled by default
ECR (Elastic Container Registry)
Purpose: Private Docker image repository
- Repository:
menotime/backend - Image Tagging:
latest(always points to most recent)v{MAJOR}.{MINOR}.{PATCH}(semantic versioning){BRANCH}(e.g.,main,develop){COMMIT_SHA}(Git commit hash)- Lifecycle Policy: Delete untagged images after 30 days, keep last 10 tagged versions
- Scanning: Enable image scanning on push to detect vulnerabilities
- Registry Permissions: IAM policy allows ECS task role to pull images
S3 (Simple Storage Service)
Purpose: Static asset hosting, log storage, backup storage
Buckets:
- menotime-static-assets (Public via CloudFront)
- Versioning: Enabled
- Encryption: KMS
- ACL: Private (CloudFront access via OAI)
- CORS: Configured for menotime.ai
-
Purpose: Images, CSS, JavaScript, fonts
-
menotime-logs (Private)
- Versioning: Disabled
- Encryption: KMS
- Lifecycle Rules:
- Move to Glacier after 90 days
- Delete after 2 years
-
Purpose: ALB logs, ECS task logs, CloudTrail logs
-
menotime-backups (Private)
- Versioning: Enabled
- Encryption: KMS
- Lifecycle Rules:
- Move to Glacier after 30 days
- Purpose: RDS snapshots, database exports
Secrets Manager
Purpose: Secure credential storage and rotation
Secrets:
- menotime/db/prod
- Value:
{"username":"menotime_user", "password":"<random>"} - Rotation: Every 30 days
-
Automatic Rotation: Lambda function manages RDS password rotation
-
menotime/db/staging
-
Value:
{"username":"menotime_user", "password":"<random>"} -
menotime/db/dev
-
Value:
{"username":"menotime_user", "password":"<random>"} -
menotime/email/ses-smtp
-
Value:
{"username":"<SMTP user>", "password":"<SMTP password>"} -
menotime/api/third-party-keys
- Value:
{"stripe_key":"...", "twilio_key":"...", ...}
Access Policy: IAM roles only (no manual retrieval)
KMS (Key Management Service)
Purpose: Encryption key management
Keys:
- menotime-master-key
- Key Policy: Allows RDS, S3, Secrets Manager, and ECS task role
- Rotation: Automatic annual rotation
- Alias:
alias/menotime-master -
Purpose: Default encryption for all sensitive data
-
menotime-ebs-key
- Purpose: ECS task storage encryption
Usage: - RDS (database encryption) - S3 (bucket encryption) - EBS volumes (attached to ECS tasks) - Secrets Manager (secret encryption) - CloudWatch Logs (log encryption)
CloudWatch (Monitoring & Logs)
Purpose: Centralized logging, metrics, and alarms
Log Groups:
- /aws/ecs/menotime-dev
- /aws/ecs/menotime-staging
- /aws/ecs/menotime-prod
- /aws/rds/menotime/postgresql
- /aws/alb/menotime
Metrics Collected: - ECS: CPU, memory, network - RDS: CPU, connections, storage, query performance - ALB: Request count, latency, HTTP 5xx errors - Custom: API response times, business metrics
Alarms: See Monitoring
GuardDuty (Threat Detection)
Purpose: Intelligent threat detection for AWS account
- Status: Enabled
- Scope: All ECS, RDS, and S3 resources
- Findings: Reviewed monthly, critical findings trigger SNS alerts
- Integration: Findings published to SNS topic for Slack notifications
SES (Simple Email Service)
Purpose: Transactional email delivery
- Verified Domain: timelessbiotech.com
- Sender Email: noreply@timelessbiotech.com
- Configuration:
- DKIM: Enabled for domain authentication
- SPF: Configured in DNS
- DMARC: Recommended best practice record
- Sending Limits: Production account (not sandbox) allows 50,000 emails/day
- Bounces & Complaints: Tracked via SNS, sent to monitoring system
- Use Cases: Password resets, appointment reminders, clinical notifications
WAF (Web Application Firewall) — Recommended
Purpose: Protection against common web exploits
Recommended Configuration: - Association: Attach to ALB - Rules: - AWS Managed Rule: Core Rule Set (OWASP Top 10) - AWS Managed Rule: SQL Injection Rule Set - AWS Managed Rule: Rate-Based Rule (e.g., 2000 requests/5 min per IP) - Custom Rule: Geo-blocking (if applicable) - Action: Block or log (recommend logging initially, then block)
IAM Roles & Policies
ECS Task Execution Role
Purpose: Allows ECS agent to pull images and write logs
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:GetAuthorizationToken"
],
"Resource": "arn:aws:ecr:us-west-1:ACCOUNT_ID:repository/menotime/backend"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:us-west-1:ACCOUNT_ID:log-group:/aws/ecs/menotime-*"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "arn:aws:kms:us-west-1:ACCOUNT_ID:key/*"
}
]
}
ECS Task Role
Purpose: Allows application code to access AWS services
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": "arn:aws:secretsmanager:us-west-1:ACCOUNT_ID:secret:menotime/*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::menotime-static-assets/*",
"arn:aws:s3:::menotime-logs/*"
]
},
{
"Effect": "Allow",
"Action": [
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "arn:aws:kms:us-west-1:ACCOUNT_ID:key/*"
}
]
}
RDS Enhanced Monitoring Role
Purpose: Allows RDS to publish OS-level metrics to CloudWatch
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"monitoring:PutMetricData"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:us-west-1:ACCOUNT_ID:log-group:/aws/rds/*"
}
]
}
Resource Tagging Strategy
All AWS resources are tagged for cost allocation, environment identification, and compliance tracking.
Mandatory Tags:
| Tag Key | Values | Purpose |
|---|---|---|
Environment |
dev, staging, prod |
Environment identification |
Application |
menotime |
Application ownership |
Component |
backend, database, networking, security |
Resource categorization |
CostCenter |
engineering, operations |
Cost allocation |
Owner |
Team email (e.g., platform@timelessbiotech.com) |
Responsibility tracking |
Compliance |
hipaa, pii-storage, audit-required |
Compliance requirements |
Backup |
daily, weekly, none |
Backup policy |
Encryption |
kms, aws-managed, none |
Encryption method |
Example: RDS Instance Tags
Environment: prod
Application: menotime
Component: database
CostCenter: operations
Owner: platform@timelessbiotech.com
Compliance: hipaa,pii-storage
Backup: daily
Encryption: kms
Example: ECS Cluster Tags
Environment: staging
Application: menotime
Component: backend
CostCenter: engineering
Owner: platform@timelessbiotech.com
Compliance: audit-required
Encryption: aws-managed
Service Interconnections Summary
| Source | Destination | Protocol | Port | Purpose |
|---|---|---|---|---|
| Client Browser | CloudFront | HTTPS | 443 | Content delivery |
| CloudFront | ALB | HTTPS | 443 | Backend routing |
| ALB | ECS Tasks | HTTP | 8000 | Load balanced requests |
| ECS Tasks | RDS | TCP | 5432 | Database queries |
| ECS Tasks | Secrets Manager | HTTPS | 443 | Credential retrieval |
| ECS Tasks | S3 | HTTPS | 443 | Asset/log storage |
| ECS Tasks | SES | SMTP | 587 | Email sending |
| RDS | KMS | Internal | — | Encryption key access |
| CloudWatch Logs | KMS | Internal | — | Log encryption |
| GuardDuty | SNS | Internal | — | Alert publishing |
Capacity & Performance Baseline
- ALB: Can handle ~20,000 requests/second (well above current needs)
- ECS Fargate: 1 vCPU, 2GB RAM per task; auto-scaling up to 4 tasks in production
- RDS db.m7g.large: 2 vCPU, 8GB RAM; ~500 connections supported
- S3 & CloudFront: Unlimited throughput; 3,500 PUT/COPY/POST/DELETE and 11,000 GET/HEAD requests per second per prefix
Next Steps
- Review Environments for environment-specific configurations
- Configure Networking VPC and security groups
- Set up Monitoring dashboards and alarms
- Implement Cost Management budgets and reserved instances