📦 🔒 🚀

AWS Deployment Architecture

Reference architecture — same app, AWS-native platform layer

Customer identity + BrainzBytes infrastructure, zero API keys, IRSA everywhere. The identical ContextWeaver containers deploy on EKS with AWS-native services.

Base Architecture
Customer Identity
AWS Cognito
User Pool with hosted UI
Or external OIDC: Okta, Auth0
Custom domain for login
App Client
OAuth 2.0 / OIDC client
Authorization code flow
Custom scopes for roles + groups
Token Configuration
OIDC tokens with custom claims
Roles + groups in JWT payload
Callback: /oidc/callback
🔒
OIDC JWT Token — the ONLY thing crossing the boundary
BrainzBytes Platform (AWS Account)
Region: us-east-1
EKS Cluster 3 nodes • m5.large
Ingress Layer
ALB (Application Load Balancer)
AWS WAF + AWS Shield
ACM-managed TLS certificate
Service Mesh
App Mesh or Istio for mTLS
Envoy sidecar proxies
default namespace mesh injected
cerebro-app 2/2
app + envoy sidecar
ServiceAccount IRSA IAM Role
Zero secrets in pod
mcp1 namespace mesh injected
mcp1 engine 2/2
engine + envoy sidecar
ServiceAccount IRSA IAM Role
4 plugins:
email (13 tools) github (6) payments (10) travel (4)
IRSA (IAM Roles for Service Accounts)
EKS OIDC provider federated with IAM • ServiceAccount annotations bind K8s pods to IAM roles • Zero secrets in pods
SecretsManager Read/Write Bedrock InvokeModel OpenSearch Access DynamoDB Full Access ECR Pull STS AssumeRole
AWS Services All via IRSA — Zero Keys
ECR
Elastic Container Registry
2 container images
Pull via IRSA role
Secrets Manager
Connector secrets
Already supported in vault_client.py
IAM policy-based access
Amazon Bedrock
Claude / Llama / Mistral
Or SageMaker endpoints
InvokeModel via IRSA
OpenSearch Service
Amazon OpenSearch
Vector search (k-NN plugin)
Fine-grained access control
DynamoDB
Or DocumentDB (Cosmos-compatible)
Serverless on-demand capacity
IAM-based table access
External Services
Credentials in Secrets Manager:
Stripe API Gmail / Calendar GitHub API

Customer Isolation on AWS

Every customer gets dedicated AWS resources on a shared EKS cluster — complete separation at every layer.

Per-Customer Resources
🔒 AWS Secrets Manager — separate prefix per customer
💾 DynamoDB — separate table per customer
🔍 OpenSearch — separate domain/index per customer
👤 IAM Role (IRSA) — per-customer role scoped to only its own resources
Isolation Controls
🌐 EKS Namespace — each customer in its own namespace with NetworkPolicy
🛡️ App Mesh / Istio mTLS — strict mutual TLS per namespace
🚦 ALB — routes by hostname to correct namespace
🔑 IAM Policies — each IRSA role only has permissions on its own resources
Full isolation architecture → Base Architecture
AWS Security Posture
Zero API Keys IRSA mTLS (App Mesh / Istio) ALB + WAF IAM Roles for Service Accounts AWS Secrets Manager Cognito SSO
Base Architecture Azure Architecture GCP Architecture