Architecture details - Enhanced Document Understanding on AWS

Architecture details

This section describes the components and AWS services that make up this solution, and details how these components work together.

This solution includes three separate Step Functions workflows invoked by EventBridge events, as described in the Architecture diagram section. The following sections describe each of these workflows, AWS services used in this solution, and how the solution works.

AWS services in this solution

AWS service Description
Amazon API Gateway

Core. This service provides the REST API for the solution.

Amazon Cognito

Core. This service handles user management and authentication for the API.

Amazon Comprehend

Core. This service performs standard and PII entity detection.

Note

The CloudFormation template doesn’t deploy this service. Instead, Lambda calls this service as a part of the architecture.

Amazon Comprehend Medical

Core. This service performs medical entity and PHI detection.

Note

The CloudFormation template doesn’t deploy this service. Instead, Lambda calls this service as a part of the architecture.

Amazon DynamoDB

Core. Two tables contain data for this solution:

  • One table manages the state of the cases and documents processed by this solution.

  • One table contains workflow configurations.

Amazon EventBridge

Core. This solution uses an entirely event-driven architecture.

  • The default event bus listens for S3 upload events to the RequestProcessorDocumentRepo, which invoke the workflow orchestrator Lambda function.

  • The solution uses the custom event bus for all other events related to workflow orchestration. This includes events that invoke the workflow Step Functions and return their responses, and events that send success and failure notifications.

AWS KMS

Core. AWS managed keys provide server-side encryption on the Amazon SQS queues in this solution. The solution also uses AWS KMS to:

  • Encrypt communication with Amazon Textract

  • Manage keys for access to the deployed Amazon Kendra index (if deployed).

AWS Lambda

Core. The solution uses Lambda functions to:

  • Back the REST API endpoints

  • Handle the core logic of each workflow and the workflow orchestrator.

  • Implement custom resources during CloudFormation deployment for actions such as copying static files to Amazon S3 and populating the configuration database in DynamoDB.

Amazon SNS

Core. The solution creates an Amazon SNS topic to handle sending success and failure notifications to users through email.

Amazon SQS

Core. Amazon SQS acts as the intermediary between the workflow Step Functions and their core processing logic, which the solution implements as Lambda functions. As such, the solution creates an Amazon SQS queue for each workflow. The solution also implements a dead-letter queue with Amazon SQS to handle failed processing requests for each workflow.

Amazon S3

Core. This solution creates the following S3 buckets for storage:

  • RequestProcessorDocumentRepo – Stores documents uploaded by users of the UI or REST API

  • RequestProcessorInferences – Stores inferences from processing cases

  • SetupAppConfig - Stores email templates and acts as a staging bucket for workflow configuration files before they’re loaded into DynamoDB.

  • AccessLog - Stores access logs for the other buckets in the solution.

AWS Step Functions

Core. Step Functions implement the workflows and interact with the workflow orchestrator through EventBridge events. Each workflow Step Function:

  • Handles the control flow to determine which documents in a case to process

  • Determines which Lambda function to use for processing each document

  • Sets input parameters to the Lambda functions

  • Implements retry mechanisms

  • Handles sending success and failure events to be picked up by the workflow orchestrator

Amazon Textract

Core. The solution uses Amazon Textract in the text extraction workflow to:

  • Perform OCR to extract raw text from uploaded documents in PDF or image form.

  • Extract key-value pairs and tabular content.

Note

The CloudFormation template doesn’t deploy this service. Instead, Lambda calls this service as a part of the architecture.

AWS WAF

Core. The solution deploys a web application firewall (WAF) in front of the API Gateway deployment to protect it.

AWS CloudFormation

Supporting. This solution is distributed as a CloudFormation template, and CloudFormation deploys the AWS resources for the solution.

Amazon CloudWatch

Supporting. This solution publishes logs from solution resources to CloudWatch Logs, and publishes metrics for processed documents to CloudWatch metrics. The solution also creates a CloudWatch dashboard to view this data, as well as CloudWatch alarms to raise alerts when executions are failing.

AWS CDK

Supporting. The source code for this solution uses AWS CDK to generate the CloudFormation templates.

IAM

Supporting. IAM manages access permissions between the resources in this solution, such as allowing a workflow Lambda function to write to the ML inferences S3 bucket. See IAM roles for details.

Service Catalog

Supporting. This solution uses Service Catalog AppRegistry to track and manage solution deployments.

Amazon Kendra

Optional. You can optionally deploy this solution with Amazon Kendra support, which provides NLP-based search for the uploaded documents.

Amazon OpenSearch

Optional. You can optionally deploy this solution with Amazon OpenSearch Serverless support, which provides keyword search for the uploaded documents.
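
The Amazon SQS, AWS KMS, and Amazon S3 entries above state three properties a reviewer can check in a synthesized template: each workflow queue is encrypted with a KMS key, each has a dead-letter queue, and each bucket sends access logs to the AccessLog bucket. The following is an added example, not code from this solution. The template fragment is constructed, and the queue logical IDs (TextractQueue, TextractDLQ, RedactionQueue) are hypothetical.

```python
import json

# Constructed CloudFormation fragment, NOT the solution's real template.
# Queue logical IDs are hypothetical; bucket names follow the table above.
TEMPLATE = json.loads("""
{"Resources": {
  "TextractQueue": {"Type": "AWS::SQS::Queue", "Properties": {
      "KmsMasterKeyId": "alias/aws/sqs",
      "RedrivePolicy": {"deadLetterTargetArn": {"Fn::GetAtt": ["TextractDLQ", "Arn"]},
                        "maxReceiveCount": 3}}},
  "TextractDLQ": {"Type": "AWS::SQS::Queue", "Properties": {
      "KmsMasterKeyId": "alias/aws/sqs"}},
  "RedactionQueue": {"Type": "AWS::SQS::Queue", "Properties": {}},
  "AccessLog": {"Type": "AWS::S3::Bucket", "Properties": {}},
  "RequestProcessorDocumentRepo": {"Type": "AWS::S3::Bucket", "Properties": {
      "LoggingConfiguration": {"DestinationBucketName": {"Ref": "AccessLog"}}}},
  "RequestProcessorInferences": {"Type": "AWS::S3::Bucket", "Properties": {}}
}}
""")

def _ref(value):
    """Return the logical ID behind a Ref or Fn::GetAtt, else None."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        att = value.get("Fn::GetAtt")
        if att:
            return att[0] if isinstance(att, list) else att.split(".")[0]
    return None

def audit(template):
    """List (logical_id, problem) pairs for queues and buckets in the template."""
    res = template.get("Resources", {})
    queues = {k: v.get("Properties", {}) for k, v in res.items() if v["Type"] == "AWS::SQS::Queue"}
    buckets = {k: v.get("Properties", {}) for k, v in res.items() if v["Type"] == "AWS::S3::Bucket"}
    # Queues used as a DLQ and buckets used as a log sink are exempt from
    # needing their own DLQ / logging configuration.
    dlqs = {_ref(p.get("RedrivePolicy", {}).get("deadLetterTargetArn")) for p in queues.values()}
    sinks = {_ref(p.get("LoggingConfiguration", {}).get("DestinationBucketName")) for p in buckets.values()}
    findings = []
    for name, p in sorted(queues.items()):
        if not p.get("KmsMasterKeyId"):
            findings.append((name, "queue has no KMS server-side encryption key"))
        if name not in dlqs and "RedrivePolicy" not in p:
            findings.append((name, "work queue has no dead-letter queue"))
    for name, p in sorted(buckets.items()):
        if name not in sinks and "LoggingConfiguration" not in p:
            findings.append((name, "bucket does not ship access logs"))
    return findings
```

To audit a real deployment, load the JSON template produced by `cdk synth` in place of the constructed fragment.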