Architecture overview - Verifiable Controls Evidence Store

Architecture overview

Deploying this solution with the default parameters builds the following environment in the target AWS account.

Verifiable Controls Evidence Store solution architecture diagram

Verifiable Controls Evidence Store follows a micro-service architecture, where the presentation service (UI) is a React single-page application. The business logic is powered by the combination of Amazon API Gateway and AWS Lambda.

The solution provides a RESTful interface with CRUD (create, read, update, delete) APIs for managing evidence providers, as well as for storage and retrieval of evidence data.

At its core, the solution leverages Amazon Quantum Ledger Database (Amazon QLDB) to store evidence data. QLDB’s inherent immutability, transparency, scalability, and cryptographic security help ensure data integrity, validity, full traceability, and auditability. To provide advanced and high-performance query capabilities, the solution also utilizes Amazon OpenSearch Service, which requires a dedicated instance.

By default, the solution builds the following infrastructure:

  1. An Amazon CloudFront distribution to serve the optional UI. CloudFront delivers low latency, high performance, and secure static web hosting. An Amazon Simple Storage Service (Amazon S3) web UI bucket hosts the static web application artifacts.

  2. An Amazon Cognito user pool to provide customers a quick and convenient authentication mechanism to explore the solution’s functionalities without extensive configuration.

  3. API Gateway to expose a set of RESTful APIs. API Gateway processes HTTP requests issued by the Evidence Store consumers. It orchestrates the authentication and authorization workflows by validating the request’s credentials (signature and API key) against AWS Identity and Access Management (IAM) and its API usage plan.

  4. An evidence store Lambda function to process the validated requests from API Gateway. This Lambda function encapsulates the solution's business logic: it receives REST requests from the user via API Gateway, validates them, and stores and retrieves data in the various databases.

  5. Amazon QLDB to track and store evidence records. QLDB ensures evidence records’ immutability and cryptographically verifiable nature. Evidence records are stored in Amazon S3.

  6. Amazon DynamoDB to store evidence providers and their respective evidence content schemas. The request processing Lambda function relies on this data to validate evidence content before committing to its QLDB ledger.

  7. A stream processing Lambda function to replicate evidence records to Amazon OpenSearch Service, which offers advanced query capabilities (full text search) across the entire evidence record data structure.

  8. Amazon Kinesis Data Streams to replicate records to Amazon OpenSearch Service to offer consumers a better query experience. Amazon Kinesis provides the channels for the solution to replicate and archive evidence records in near real-time.

  9. Amazon Data Firehose to archive evidence records to an Amazon S3 bucket.

  10. AWS CloudWatch and AWS X-Ray for logging and monitoring.

  11. AWS Config and AWS Security Hub to publish findings to Amazon EventBridge.

  12. Amazon Simple Queue Service (SQS) to provide rate limiting capabilities to AWS Config and the Security Hub Evidence Collector.

  13. Evidence collector Lambda functions to invoke the Create Evidence API to record the finding. These include the Security Hub evidence collector and the S3 evidence collector.
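The property that makes the ledger in items 5 and 7 useful as evidence is that a consumer can check a single record against a published digest without trusting the store. The following added example (not the solution's or QLDB's code) models that check with a simplified Merkle inclusion proof: leaf hashes over canonical JSON, an order-independent join so the proof carries no left/right flags, and a tamper check. QLDB's real verification uses Ion hashing and its own proof format; the join rule, the record shapes and the `EVIDENCE` sample are assumptions constructed for this illustration.

```python
import hashlib
import json

# Constructed sample evidence records (assumption: shape is illustrative only).
EVIDENCE = [
    {"providerId": "security-hub", "findingId": "f-001", "status": "FAILED"},
    {"providerId": "security-hub", "findingId": "f-002", "status": "PASSED"},
    {"providerId": "s3-collector", "findingId": "f-003", "status": "PASSED"},
]

def record_hash(record: dict) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes the same.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).digest()

def join(a: bytes, b: bytes) -> bytes:
    # Simplified join (assumption, not QLDB's rule): hash the pair in sorted order,
    # so verification needs no information about which side a sibling was on.
    lo, hi = sorted((a, b))
    return hashlib.sha256(lo + hi).digest()

def build_tree(leaves):
    """Return the tree as a list of levels, leaves first, root last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        level = levels[-1]
        if len(level) % 2:
            level = level + [level[-1]]  # pad an odd level by repeating its last node
        levels.append([join(level[i], level[i + 1]) for i in range(0, len(level), 2)])
    return levels

def ledger_digest(records) -> bytes:
    return build_tree([record_hash(r) for r in records])[-1][0]

def inclusion_proof(records, index):
    # Collect the sibling hash at each level on the path from the leaf to the root.
    levels = build_tree([record_hash(r) for r in records])
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append(level[index ^ 1])
        index //= 2
    return proof

def verify_record(record: dict, proof, digest: bytes) -> bool:
    # Recompute the root from the record and its proof; any change to the record fails.
    h = record_hash(record)
    for sibling in proof:
        h = join(h, sibling)
    return h == digest
```

A consumer only needs the record, its proof and a digest obtained out of band; the store itself cannot make a modified record pass this check.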