AWS Architecture
Serverless, secure, and cost-aware by design.
GrantVault AI is built on managed AWS services to support secure access, private storage, AI workflows, logging, and budget guardrails.
Architecture
Fully serverless, AWS-native, and cost-aware.
GrantVault AI uses managed AWS services exclusively: no servers, containers, or always-on infrastructure. The MVP is designed around tenant isolation, manual AI triggers, least privilege, and infrastructure as code.
Services: Amazon Cognito, API Gateway, AWS Lambda, Amazon DynamoDB, Amazon S3, Amazon Textract, Amazon Bedrock, CloudWatch, AWS Budgets.
Request flow
From login to audit package export.
| Layer | Service | Purpose |
|---|---|---|
| Identity | Amazon Cognito | User authentication, JWT token issuance, session management. |
| API | API Gateway HTTP API | JWT-authorized routes into Lambda business logic. |
| Compute | AWS Lambda | Grant, document, review, AI orchestration, and export workflows. |
| Data | DynamoDB | Grants, documents, extractions, report drafts, audit package metadata. |
| Storage | Amazon S3 | Private document uploads and audit package artifacts. |
| AI | Textract + Bedrock | Document extraction and report draft generation with manual triggers. |
| Ops | CloudWatch + Budgets | Logs, visibility, 14-day retention, and monthly cost alerting. |
Security and tenant isolation are design principles.
Every data access is scoped by organizationId. S3 buckets are private, objects are read and written only through pre-signed URLs, and Lambda roles should follow least-privilege IAM.
✓ Cognito authentication
✓ JWT-authorized API Gateway
✓ Private S3 document storage
✓ Terraform-defined infrastructure
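The organizationId scoping described above, as an added example that is not GrantVault AI's own code: a Lambda handler fragment (Python assumed as the runtime) that binds every DynamoDB query and S3 object key to the tenant found in the Cognito JWT claims the API Gateway authorizer already verified. The claim name `custom:organizationId`, the `grants` table keyed on organizationId, the `{org}/documents/` key prefix and the sample event are all assumptions.

```python
import re

ORG_CLAIM = "custom:organizationId"          # assumed custom Cognito attribute
ORG_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class Forbidden(Exception):
    """Raised when a request cannot be bound to exactly one tenant."""


def tenant_from_event(event):
    """Return the caller's organizationId, taken only from the JWT claims that
    the API Gateway HTTP API authorizer verified and attached to the event.
    A tenant id in the path must match the claim; the body is never consulted."""
    claims = (event.get("requestContext", {}).get("authorizer", {})
              .get("jwt", {}).get("claims", {}))
    org = claims.get(ORG_CLAIM)
    if not isinstance(org, str) or not ORG_ID_RE.match(org):
        raise Forbidden("missing or malformed organizationId claim")
    requested = (event.get("pathParameters") or {}).get("organizationId")
    if requested is not None and requested != org:
        raise Forbidden("path organizationId does not match token")
    return org


def grants_query(event, table="grants"):
    """DynamoDB Query parameters with the partition key pinned to the caller's
    tenant, so rows of another organization cannot be selected by any grantId."""
    org = tenant_from_event(event)
    return {
        "TableName": table,
        "KeyConditionExpression": "organizationId = :org",
        "ExpressionAttributeValues": {":org": {"S": org}},
    }


def document_key(event, document_id):
    """S3 object key for a private upload. The tenant prefix comes from the
    token, so a pre-signed URL minted for this key stays inside that prefix."""
    org = tenant_from_event(event)
    if not ORG_ID_RE.match(document_id):      # rejects '/', '..' and similar
        raise Forbidden("malformed document id")
    return f"{org}/documents/{document_id}"


def handle(event, build, *args):
    """Lambda-style wrapper: a tenant-binding failure is a 403, never a
    fallback to 'all organizations'."""
    try:
        return {"statusCode": 200, "body": build(event, *args)}
    except Forbidden as exc:
        return {"statusCode": 403, "body": str(exc)}


# Constructed sample event in API Gateway HTTP API payload v2 shape (not a real capture).
SAMPLE_EVENT = {"requestContext": {"authorizer": {"jwt": {"claims": {ORG_CLAIM: "org-123"}}}},
                "pathParameters": {"organizationId": "org-123"}}
```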