
AWS Stack Architecture & Dependency Map

A comprehensive overview of the AWS stack architecture, roles, dependencies, and best practices for ShieldCraft AI. This document is standardized for Docusaurus display and clarity.


Recent Architectural Improvements & Best Practices

  • Improved stack isolation and security boundaries
  • Enhanced data governance and access controls
  • Automated data quality validation
  • Centralized secrets management
  • Cost guardrails and budget alerts

Stack Roles & Responsibilities

| Stack | Role | Key Resources |
|---|---|---|
| networking | Foundational network isolation and security | VPC, subnets, security groups, vault secret (imported) |
| s3 | Centralized object storage for all data and artifacts | S3 buckets, vault secret (imported) |
| lakeformation | Data governance and fine-grained access control | Lake Formation resources, permissions, vault secret (imported) |
| glue | ETL, data cataloging, and analytics | Glue jobs, crawlers, catalog, vault secret (imported) |
| lambda | Event-driven compute and orchestration | Lambda functions, triggers, vault secret (imported) |
| dataquality | Automated data quality checks and validation | Quality rules, validation jobs, vault secret (imported) |
| airbyte | Connector-based data ingestion and movement | ECS services, connectors, vault secret (imported) |
| opensearch | Search and analytics for logs and data | OpenSearch domains, vault secret (imported) |
| cloud_native_hardening | Cross-cutting security, monitoring, compliance | CloudWatch alarms, Config rules, IAM boundaries, vault secret (imported) |
| attack_simulation | Automated attack simulation and security validation | Lambda functions, CloudWatch alarms, imported secret ARN, vault secret (imported) |
| secrets_manager | Centralized secrets management for all environments | AWS Secrets Manager secrets, resource policies, cross-stack exports |
| msk | Managed streaming for Kafka workloads | MSK clusters, vault secret (imported) |
| sagemaker | Model training, deployment, and monitoring | SageMaker endpoints, models, monitoring, vault secret (imported) |
| budget | Cost guardrails, budget alerts, and multi-channel notifications | AWS Budgets, SNS topics, email alerts, vault secret (imported) |
| cloudformation | Orchestration and lifecycle management of all AWS stacks | CloudFormation stacks, stack outputs, cross-stack references |

Expanded Dependency Matrix (Outputs & Inputs)

| Stack | Exports (CfnOutput) | Consumed By (Fn.import_value) | Notes on Parallelism |
|---|---|---|---|
| AirbyteStack | Endpoints, role ARN, vault secret ARN | (If needed by other stacks) | |
| AttackSimulationStack | Lambda ARN, alarm ARN, imported secret ARN | Security, audit, downstream consumers | Can run in parallel with other compute stacks |
| BudgetStack | Budget ARNs, SNS topic ARN, vault secret ARN | All teams, FinOps, notifications | Deployed last, depends on all infra |
| CloudFormationStack | Stack outputs, exported values, orchestration metadata | All stacks (as orchestrator) | Runs before/with all stacks, manages dependencies and lifecycle |
| CloudNativeHardeningStack | Security findings, config rules, vault secret ARN | (If needed by other stacks) | |
| ComplianceStack | Compliance reports, Lambda ARNs, vault secret ARN | (If needed by other stacks) | |
| DataQualityStack | Metrics, alerts, vault secret ARN | (If needed by other stacks) | |
| GlueStack | Glue DB/catalog name, vault secret ARN | LakeFormationStack, DataQualityStack | GlueStack must finish before dependents |
| IamRoleStack | All required IAM role ARNs | All stacks needing roles | Deploy first or in parallel, outputs must exist before import |
| LakeFormationStack | Admin role, permissions, vault secret ARN | (If needed by other stacks) | |
| LambdaStack | Lambda ARNs, vault secret ARN | DataQualityStack, ComplianceStack, AttackSimulationStack | |
| MskStack | Broker info, client/producer/consumer roles, vault secret ARN | LambdaStack, AirbyteStack, etc. | |
| NetworkingStack | VPC ID, SG IDs, Flow Logs ARN, vault secret ARN | All compute/data stacks | Same as above |
| OpenSearchStack | Endpoint, role ARN, vault secret ARN | Analytics, LambdaStack | |
| S3Stack | data_bucket name/ARN, vault secret ARN | GlueStack, LakeFormationStack, etc. | S3Stack must finish before dependent stacks |
| SageMakerStack | Endpoint, role ARN, vault secret ARN | ML pipeline, LambdaStack | |
| SecretsManagerStack | Secret ARNs, resource policies | All stacks needing secrets | Deploy first for secret availability |
| StepFunctionsStack | State machine ARN, workflow outputs | LambdaStack, SageMakerStack, DataQualityStack | Can run in parallel with other workflow stacks |

How the Stacks Interact

A summary of stack relationships and dependencies in the ShieldCraft AI AWS architecture.


Textual Overview

networking_stack
├─▶ msk_stack
├─▶ lambda_stack
├─▶ airbyte_stack
├─▶ opensearch_stack
├─▶ glue_stack
├─▶ sagemaker_stack
├─▶ dataquality_stack
├─▶ cloud_native_hardening_stack
└─▶ compliance_stack

cloudformation_stack
├─▶ orchestrates all stacks
├─▶ manages stack dependencies, outputs, and lifecycle
└─▶ enables cross-stack references and automation

s3_stack
├─▶ lakeformation_stack
├─▶ glue_stack
├─▶ dataquality_stack
└─▶ sagemaker_stack

iam_role_stack
├─▶ lambda_stack
├─▶ glue_stack
├─▶ msk_stack
├─▶ airbyte_stack
├─▶ opensearch_stack
├─▶ lakeformation_stack
├─▶ sagemaker_stack
├─▶ cloud_native_hardening_stack
└─▶ compliance_stack

glue_stack
├─▶ dataquality_stack
└─▶ lakeformation_stack

lambda_stack
├─▶ dataquality_stack
└─▶ compliance_stack

msk_stack
└─▶ cloud_native_hardening_stack

opensearch_stack
└─▶ cloud_native_hardening_stack

cloud_native_hardening_stack
└─▶ (monitors all critical stacks)

compliance_stack
└─▶ (reports on all critical stacks)

sagemaker_stack
(consumes VPC, S3, IAM)

budget_stack
(depends on all other stacks; provides cost guardrails and notifications)
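The dependency matrix and the textual overview above together define a directed graph of exporters and importers, and the "Notes on Parallelism" column is really the result of a topological sort over that graph: stacks in the same wave share no edge and can be deployed concurrently, and a stack that imports a value must sit in a later wave than the stack that exports it. The planner below is an added example, not part of the ShieldCraft AI project; it transcribes the producer-to-consumer edges from the textual overview (cloudformation_stack is treated as the orchestrator rather than a node, and the secrets_manager-first rule is taken from the matrix note "Deploy first for secret availability"), derives the deployment waves, inverts them for teardown (CloudFormation refuses to delete a stack whose exports are still imported), and validates a hand-written plan such as a CI pipeline's stage list against the graph.

```python
"""Deployment-order planner for a CDK cross-stack dependency graph.

Added example, not project code. Edges are transcribed from the Textual
Overview on this page; the secrets_manager edges are an assumption taken
from the dependency matrix ("Deploy first for secret availability").
"""
from typing import Dict, List, Set

# Producer stack -> stacks that consume its CfnOutput via Fn.import_value.
# Constructed from the Textual Overview; cloudformation_stack (the
# orchestrator) is deliberately not a node.
EDGES: Dict[str, List[str]] = {
    "networking": ["msk", "lambda", "airbyte", "opensearch", "glue", "sagemaker",
                   "dataquality", "cloud_native_hardening", "compliance"],
    "s3": ["lakeformation", "glue", "dataquality", "sagemaker"],
    "iam_role": ["lambda", "glue", "msk", "airbyte", "opensearch", "lakeformation",
                 "sagemaker", "cloud_native_hardening", "compliance"],
    "glue": ["dataquality", "lakeformation"],
    "lambda": ["dataquality", "compliance"],
    "msk": ["cloud_native_hardening"],
    "opensearch": ["cloud_native_hardening"],
}


def build_graph() -> Dict[str, Set[str]]:
    """Return {stack: set(consumers)} with every stack present as a key."""
    graph: Dict[str, Set[str]] = {s: set(c) for s, c in EDGES.items()}
    for consumers in EDGES.values():
        for c in consumers:
            graph.setdefault(c, set())
    # budget_stack "depends on all other stacks" (Textual Overview).
    graph["budget"] = set()
    for stack in graph:
        if stack != "budget":
            graph[stack].add("budget")
    # Assumption from the dependency matrix: secrets_manager goes first because
    # every other stack imports its vault secret ARN.
    graph["secrets_manager"] = set(graph)
    return graph


def deployment_waves(graph: Dict[str, Set[str]]) -> List[List[str]]:
    """Kahn's algorithm grouped by level. Stacks within one wave have no edge
    between them and may be deployed in parallel; each wave only imports from
    earlier waves. Raises ValueError if the graph contains a cycle."""
    indegree = {s: 0 for s in graph}
    for consumers in graph.values():
        for c in consumers:
            indegree[c] += 1
    ready = sorted(s for s, d in indegree.items() if d == 0)
    waves: List[List[str]] = []
    while ready:
        waves.append(ready)
        nxt = []
        for s in ready:
            for c in sorted(graph[s]):
                indegree[c] -= 1
                if indegree[c] == 0:
                    nxt.append(c)
        ready = sorted(nxt)
    if sum(len(w) for w in waves) != len(graph):
        cyclic = sorted(s for s, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among stacks: {cyclic}")
    return waves


def teardown_order(graph: Dict[str, Set[str]]) -> List[List[str]]:
    """Reverse of deployment: a stack whose exports are still imported cannot
    be deleted, so importers must be removed before their exporters."""
    return list(reversed(deployment_waves(graph)))


def check_plan(graph: Dict[str, Set[str]], plan: List[List[str]]) -> List[str]:
    """Validate a hand-written plan (list of waves) against the graph. Returns
    human-readable problems; an empty list means the plan is safe to run."""
    pos: Dict[str, int] = {}
    problems: List[str] = []
    for i, wave in enumerate(plan):
        for s in wave:
            if s in pos:
                problems.append(f"{s} listed twice")
            pos[s] = i
    for s in sorted(graph):
        if s not in pos:
            problems.append(f"{s} missing from plan")
    for producer, consumers in sorted(graph.items()):
        for consumer in sorted(consumers):
            if producer in pos and consumer in pos and pos[consumer] <= pos[producer]:
                problems.append(
                    f"{consumer} imports from {producer} but is not deployed after it")
    return problems


if __name__ == "__main__":
    g = build_graph()
    for i, wave in enumerate(deployment_waves(g)):
        print(f"wave {i}: {', '.join(wave)}")
    print("teardown first:", teardown_order(g)[0])
```

With the edges as transcribed, the planner yields five waves: secrets_manager alone, then iam_role, networking and s3 together, then the compute and data stacks, then the hardening, compliance, data-quality and Lake Formation stacks, and finally budget, which matches the matrix notes that IamRoleStack and SecretsManagerStack deploy first and BudgetStack last. Feeding `check_plan` a pipeline definition that, say, places glue in the same stage as s3 flags the missing ordering before CloudFormation does at deploy time with a failed `Fn::ImportValue`.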