Infrastructure
Components
Every AWS service used in the deployment, organized by layer, with the configured specification for each.
Infrastructure provisioned and managed by Ryvn, deploying into the customer's AWS account.
Edge
| Service | Purpose |
|---|---|
| Route 53 | Authoritative DNS for the deployment's hostnames (e.g. platform.<customer>.com, api.<customer>.com). |
| CloudFront | Delivers the single-page application from the AWS edge network. Terminates TLS at the edge using ACM. |
| ACM (AWS Certificate Manager) | Issues and renews the TLS certificates used by CloudFront and the ALB. Renewal is automatic. |
| AWS WAF | Application-layer firewall attached to both CloudFront and the ALB. Runs the AWS managed rule groups (OWASP top 10, known-bad-input, IP reputation, bot control) plus rate limiting on the API path. |
| AWS Shield Standard | Always-on, no-cost L3/L4 DDoS protection. |
Frontend hosting
| Service | Purpose |
|---|---|
| S3 (SPA bucket) | Stores the production single-page application bundle. Origin for the CloudFront distribution. The bucket is private; only CloudFront has read access via Origin Access Control. |
Application traffic
| Service | Purpose |
|---|---|
| Application Load Balancer (ALB) | Single public entry point for the API. Terminates TLS, supports HTTP/2 and WebSocket upgrades, and performs health checks against the backend. The WAF web ACL is attached. |
Backend compute
| Service | Specification | Purpose |
|---|---|---|
| EC2 | m6i.4xlarge — 16 vCPU, 64 GiB RAM, EBS gp3 root volume | Hosts the Node.js application. Serves the HTTP API, the live WebSocket gateway, and the per-user session state for live browser-automation sessions. Joined to AWS Systems Manager for operator access. |
Cloud browser
| Service | Purpose |
|---|---|
| Bedrock AgentCore Browser | Provides a managed, isolated, sandboxed Chromium per active session, exposed over the Chrome DevTools Protocol. Replaces every third-party cloud-browser provider used by the platform; no browser traffic ever leaves the AWS account. Sessions are created on demand at workflow start and torn down at session end. Pricing is per active vCPU-second and per GiB-second of peak memory, so idle and I/O-wait time is not billed. |
AI / language model
| Service | Purpose |
|---|---|
| Bedrock — Claude Sonnet 4 / 4.6 | AI inference for Ramain's automation capabilities. Invoked via AWS SDK using EC2 instance profile credentials. Cross-region inference profiles absorb burst load. Prompt caching preserved end to end. All inference stays within the customer's AWS account. |
Application database
| Service | Specification | Purpose |
|---|---|---|
| PostgreSQL (via Ryvn) | Managed PostgreSQL (AWS RDS / GCP Cloud SQL / Azure Flexible Server). Configurable: versions 14–17, instance size, HA with standby replica, automated backups (7–35 day retention). Encryption at rest, SSL-required connections. | Workflow definitions, run history, execution traces, multi-tenant tables (tenants, portal access, team invitations, agent requests, credit transactions, platform configuration). Provisioned and managed by Ryvn. |
Authentication & user identity
| Service | Purpose |
|---|---|
| Cognito User Pool | Issues the JWTs used by the platform. Supports email/password, email magic link, and federated identity providers (Google Workspace, Microsoft Entra ID, generic SAML 2.0 / OIDC) for enterprise SSO. Tenant metadata and role assignments live alongside the application data in RDS, keyed by the Cognito user identifier. |
Object storage
| Service | Purpose |
|---|---|
| S3 (uploads bucket) | Stores artefacts produced by workflows: PDF uploads, screenshots, replay assets, and exported reports. KMS-encrypted at rest; presigned URLs are issued server-side for HTTP client downloads. Versioning is enabled and lifecycle rules transition cold objects to Standard-IA after 90 days. |
Email
| Service | Purpose |
|---|---|
| SES | Transactional email — magic-link sign-in, team invitations, agent-request notifications, support follow-ups. A verified domain identity with DKIM and SPF is configured during onboarding; a configuration set captures bounce and complaint events to CloudWatch. |
Configuration & secrets
| Service | Purpose |
|---|---|
| Secrets Manager | Stores rotatable credentials — RDS master password, Cognito application secret, third-party integration tokens. The backend reads on startup via the instance profile; rotation policies are enabled per secret. |
| SSM Parameter Store | Stores non-secret configuration — feature flags, allowlists, hostnames, model identifiers. Hierarchical paths separate concerns by environment. |
Encryption
| Service | Purpose |
|---|---|
| KMS | Customer-managed keys encrypt RDS storage, EBS volumes on the backend, all S3 buckets, Secrets Manager secrets, and CloudWatch log groups. Key policies grant only the minimum required principals; key rotation is enabled. |
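
The "minimum required principals" property of the key policies above is something an operator can lint rather than eyeball. The following Python is an added example, not Ryvn's or Ramain's code: it parses a key policy document and flags any Allow statement that grants to an unconditioned wildcard principal, or that lets a principal other than the account root administer the key (change its policy, disable it, schedule deletion). The account id, role names and the sample policy are constructed for illustration.

```python
"""Lint a KMS key policy for the 'minimum required principals' property.

Added example (not Ryvn's or Ramain's code). The account id, role names and
policy document are constructed; the checks are generic to any key policy.
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012"  # constructed placeholder, not a real account
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"

# Actions that let a principal change or destroy the key itself.
ADMIN_ACTIONS = ("kms:PutKeyPolicy", "kms:ScheduleKeyDeletion",
                 "kms:DisableKey", "kms:DisableKeyRotation")

# Constructed policy: the usual root statement plus a narrow data-key grant
# to the backend instance role (the principal that reads secrets at startup).
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "BackendDataKeys", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/backend-instance-role"},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element to a list of ARNs / service names / '*'."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [p for values in principal.values() for p in _as_list(values)]


def lint_key_policy(policy_json, account_id=ACCOUNT_ID):
    """Return findings; an empty list means no over-broad Allow statement was found."""
    root = {f"arn:aws:iam::{account_id}:root", account_id}
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        conditioned = bool(stmt.get("Condition"))
        for principal in _principals(stmt):
            if principal == "*" and not conditioned:
                findings.append(f"{sid}: unconditional grant to any principal")
            if principal in root:
                continue  # the account-root statement is expected on every key
            # Action patterns such as "kms:*" or "kms:Put*" are wildcard-matched.
            for admin in ADMIN_ACTIONS:
                if any(fnmatch.fnmatchcase(admin, pattern) for pattern in actions):
                    findings.append(f"{sid}: {principal} can administer the key ({admin})")
                    break
    return findings


def drifted_key_policy():
    """Constructed drift: a public grant and kms:* handed to an ops role."""
    policy = json.loads(SAMPLE_KEY_POLICY)
    policy["Statement"] += [
        {"Sid": "AnyoneCanDecrypt", "Effect": "Allow", "Principal": "*",
         "Action": "kms:Decrypt", "Resource": "*"},
        {"Sid": "OpsFullAccess", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/ops"},
         "Action": "kms:*", "Resource": "*"},
    ]
    return json.dumps(policy)


if __name__ == "__main__":
    print("baseline:", lint_key_policy(SAMPLE_KEY_POLICY) or "OK")
    for finding in lint_key_policy(drifted_key_policy()):
        print("drifted:", finding)
```

In practice the policy document would come from `kms:GetKeyPolicy` for each customer-managed key listed in the table, and the findings list is what an alarm or a deployment gate would act on. Service principals (for example CloudWatch Logs) pass through the same check, so a service granted `kms:*` is flagged just like a role.
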
Logging, metrics, and alarms
| Service | Purpose |
|---|---|
| CloudWatch Logs | Backend application logs, ALB access logs, WAF inspection logs, RDS slow-query logs, Bedrock invocation logs, AgentCore session logs. Default retention of 30 days; archival groups extended to 1 year. |
| CloudWatch Metrics | Standard service metrics plus a small set of custom application metrics (active live sessions, executor turn duration, orchestrator compile latency, token consumption per workflow). |
| CloudWatch Alarms | Pages on: ALB 5xx rate, ALB target health, EC2 CPU and memory pressure, RDS CPU / connections / free storage, Bedrock throttling, AgentCore session failure rate, RDS replication lag (when Multi-AZ is enabled). |
Operator access
| Service | Purpose |
|---|---|
| SSM Session Manager | Operator shell access to the backend EC2 without SSH, public IPs, or bastion hosts. Authentication is IAM, and every session is recorded to CloudWatch and S3 for audit. Port forwarding via SSM is used for ad-hoc database access. |
Networking
| Service | Purpose |
|---|---|
| VPC | Dedicated VPC for the deployment, structured across two Availability Zones. Three subnet tiers per AZ: public (load balancer, NAT), private application (backend), private data (RDS). |
| NAT Gateway | Outbound internet egress for the private subnets — Bedrock, AgentCore, SES, and any external integrations are reached through the NAT. One NAT for single-AZ deployments; two NATs for Multi-AZ. |
| VPC Endpoints (PrivateLink) | Interface endpoints for S3, Bedrock, AgentCore, Secrets Manager, KMS, SSM, and CloudWatch Logs. Keeps service traffic on the AWS backbone, reduces NAT egress costs, and removes those services from the public-internet attack surface. |
| Security Groups | Tight, role-based: ALB security group (443 from internet) → backend security group (application port from ALB only) → RDS security group (5432 from backend only). |
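
The ALB → backend → RDS chain in the row above is a statement about inbound rules that can be verified against what EC2 reports. The following Python is an added example, not Ryvn's or Ramain's code: it runs the check over a constructed sample shaped like the `DescribeSecurityGroups` response and reports anything that widens the chain (an extra port, a CIDR where a group reference was expected, an all-traffic rule) or a required rule that is missing. The group ids and the backend application port (3000) are assumptions; the page does not state them.

```python
"""Check that inbound rules match the ALB -> backend -> RDS chain.

Added example (not Ryvn's or Ramain's code). Input has the shape of the
EC2 DescribeSecurityGroups response; every id, port and CIDR below is
constructed for illustration.
"""
import json

APP_PORT = 3000  # assumed backend listener port; the page does not state it

# Constructed sample in the shape of describe_security_groups()["SecurityGroups"]
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "alb",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "backend",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": APP_PORT, "ToPort": APP_PORT,
          "IpRanges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "rds",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60002"}]}]},
]


def _sources(perm):
    """All sources of one inbound rule: IPv4/IPv6 CIDRs and referenced group ids."""
    srcs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
    srcs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    srcs |= {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
    return srcs


def check_chain(groups, app_port=APP_PORT):
    """Return findings as strings; an empty list means the chain matches the spec."""
    by_name = {g["GroupName"]: g for g in groups}
    findings = [f"{n}: security group missing" for n in ("alb", "backend", "rds")
                if n not in by_name]
    if findings:
        return findings
    # Rules that must exist: tcp, a single port, an exact source.
    required = {
        "alb": {(443, "0.0.0.0/0")},
        "backend": {(app_port, by_name["alb"]["GroupId"])},
        "rds": {(5432, by_name["backend"]["GroupId"])},
    }
    # Rules tolerated in addition (IPv6 clients on the public listener).
    optional = {"alb": {(443, "::/0")}, "backend": set(), "rds": set()}
    for name in ("alb", "backend", "rds"):
        permitted = required[name] | optional[name]
        seen = set()
        for perm in by_name[name].get("IpPermissions", []):
            proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
            for src in _sources(perm):
                if proto == "tcp" and lo == hi and (lo, src) in permitted:
                    seen.add((lo, src))
                else:  # extra ports, port ranges, protocol -1, or an unexpected source
                    findings.append(f"{name}: unexpected inbound {proto} {lo}-{hi} from {src}")
        for port, src in sorted(required[name] - seen):
            findings.append(f"{name}: missing required inbound tcp {port} from {src}")
    return findings


def drifted_sample():
    """Constructed drift: SSH opened to the world on the backend group."""
    groups = json.loads(json.dumps(SAMPLE_GROUPS))  # deep copy
    groups[1]["IpPermissions"].append(
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []})
    return groups


if __name__ == "__main__":
    print("baseline:", check_chain(SAMPLE_GROUPS) or "OK")
    print("drifted:", check_chain(drifted_sample()))
```

The check deliberately treats any rule outside the allow-list as a finding rather than only looking for known-bad ports: with SSM Session Manager providing operator access, the backend group should never need an inbound rule from anything but the ALB group, so a port-22 rule is drift regardless of its source.
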
Backups & disaster recovery
| Service | Purpose |
|---|---|
| RDS automated backups | Daily snapshots with 7-day point-in-time recovery. Manual snapshots are taken before major releases. |
| AWS Backup | Centralized backup plan covering EBS volumes on the backend with daily snapshots and 30-day retention. |
| S3 Versioning | Object versioning on uploads and SPA buckets so accidental deletes and overwrites are recoverable. |
CI/CD
| Service | Purpose |
|---|---|
| Ryvn | Continuous deployment from Ramain's source repository. Handles containerization, provisioning, and updates via GitHub integration. Uses short-lived IAM credentials (OIDC). Ramain controls deployments; everything runs in the customer's AWS account. |