AWS Architecture

Serverless, secure, and cost-aware by design.

GrantVault AI is built on managed AWS services to support secure access, private storage, AI workflows, logging, and budget guardrails.

Architecture

Fully serverless, AWS-native, and cost-aware.

GrantVault AI uses managed AWS services exclusively: no servers, containers, or always-on infrastructure. The MVP is designed around tenant isolation, manual AI triggers, least privilege, and infrastructure as code.

[Architecture diagram: Amazon Cognito, API Gateway, AWS Lambda, Amazon DynamoDB, Amazon S3, Amazon Textract, Amazon Bedrock, CloudWatch, AWS Budgets]

Request flow

From login to audit package export.

Layer    | Service               | Purpose
Identity | Amazon Cognito        | User authentication, JWT token issuance, session management.
API      | API Gateway HTTP API  | JWT-authorized routes into Lambda business logic.
Compute  | AWS Lambda            | Grant, document, review, AI orchestration, and export workflows.
Data     | DynamoDB              | Grants, documents, extractions, report drafts, audit package metadata.
Storage  | Amazon S3             | Private document uploads and audit package artifacts.
AI       | Textract + Bedrock    | Document extraction and report draft generation with manual triggers.
Ops      | CloudWatch + Budgets  | Logs, visibility, 14-day retention, and monthly cost alerting.

Security and tenant isolation are design principles.

Every data access is scoped by organizationId. S3 buckets are private, access uses pre-signed URLs, and Lambda roles should follow least-privilege IAM.
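The scoping rules above as an added example (not GrantVault AI's own code): a Lambda-side helper that takes organizationId only from the API Gateway JWT authorizer's verified Cognito claims, builds a DynamoDB query bound to that tenant's partition, and refuses to pre-sign any S3 key outside the tenant's prefix. The claim name custom:organizationId, organizationId as the DynamoDB partition key, and the "<organizationId>/" object-key layout are assumptions.

```python
from typing import Any

class TenantError(PermissionError):
    pass  # request could not be bound to a verified tenant

def tenant_from_event(event: dict[str, Any]) -> str:
    # Read organizationId only from the authorizer's verified JWT claims, never
    # from the body or query string, which the caller controls. The claim name
    # "custom:organizationId" is an assumption.
    claims = (event.get("requestContext", {}).get("authorizer", {})
              .get("jwt", {}).get("claims", {}))
    org_id = claims.get("custom:organizationId")
    if not org_id or "/" in org_id:
        raise TenantError("no verified organizationId claim on request")
    return org_id

def grant_query(org_id: str) -> dict[str, Any]:
    # Arguments for table.query(): with organizationId as the partition key
    # (assumed), this can only ever return the caller's own items.
    return {
        "KeyConditionExpression": "organizationId = :org",
        "ExpressionAttributeValues": {":org": org_id},
    }

def scoped_object_key(org_id: str, requested_key: str) -> str:
    # Only mint pre-signed URLs for keys under "<organizationId>/"; reject
    # empty, "." and ".." segments so the prefix check cannot be gamed.
    segments = requested_key.split("/")
    if (not requested_key.startswith(org_id + "/")
            or any(s in ("", ".", "..") for s in segments)):
        raise TenantError("object key outside tenant prefix")
    return requested_key

def handler(event: dict[str, Any]) -> dict[str, Any]:
    # Lambda-style entry point: bind the request to its tenant first, then
    # build the scoped DynamoDB query and S3 key (boto3 calls omitted).
    org_id = tenant_from_event(event)
    params = event.get("queryStringParameters") or {}
    key = scoped_object_key(org_id, params.get("key", ""))
    return {"organizationId": org_id, "query": grant_query(org_id), "key": key}

# Constructed sample event: the verified claim says org-123 even though the
# body claims org-999; the requested key is inside the org-123 prefix.
SAMPLE_EVENT = {
    "requestContext": {"authorizer": {"jwt": {"claims": {
        "custom:organizationId": "org-123"}}}},
    "queryStringParameters": {"key": "org-123/uploads/budget.pdf"},
    "body": '{"organizationId": "org-999"}',
}
```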

Cognito authentication
JWT-authorized API Gateway
Private S3 document storage
Terraform-defined infrastructure