
Design considerations - Verifiable Controls Evidence Store

With the exception of its use of the Amazon OpenSearch Service, this solution is a serverless architecture. To improve data query and retrieval performance, the solution replicates evidence records to an Amazon OpenSearch Service domain in near-real time, as they are committed to the QLDB ledger. This is done with QLDB’s streaming capability, combined with Kinesis Data Streams and Lambda.

The introduction of an Amazon SQS queue in front of the AWS Config and Security Hub Evidence Collector helps protect the Verifiable Controls Evidence Store and the services it depends on from the potentially large number of generated findings. In some scenarios, Security Hub and AWS Config can produce tens of thousands of findings in a short period of time, which, in the absence of an SQS queue, would overwhelm the store and severely impact its performance.

Amazon Cognito helps simplify the initial setup, allowing customers to quickly deploy and inspect the capabilities offered by the solution. When operating in a production environment, Amazon Cognito should be replaced by the customer’s own identity provider(s) to handle user authentication. For instructions on how to set up identity federation with a SAML2 or OpenID Connect (OIDC) capable identity provider, refer to the solution’s README.md file.

Quotas

The Verifiable Controls Evidence Store solution has the following limits:

  • 500 evidence providers per AWS Region

  • 10,000 requests per second per Region

Refer to the respective services’ FAQ for detailed information on the quotas and limitations of each of the services used in the solution. Some service limits can be increased by contacting AWS Support, as needed.

Data backup and restore

All DynamoDB tables have Point-In-Time Recovery activated by default. For QLDB, the entire ledger is continuously streamed to an S3 bucket and can be replayed onto a new ledger. Amazon OpenSearch Service data can be restored by restarting the QLDB stream, which initiates the data replication process again from the QLDB source.
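As an added example (not code from the solution itself), the replication step from the design considerations above and the restore-by-replay described here can be illustrated with a Lambda-style handler that turns QLDB stream records into an OpenSearch bulk request. It assumes the Kinesis payloads have already been converted from Ion to JSON (the real stream is Ion-encoded), and the index name `evidence` is assumed; the QLDB revision version is passed as an external version so that replaying the stream after a restore never overwrites a newer revision with an older one.

```python
import base64
import json

INDEX = "evidence"  # assumed OpenSearch index name (not from the original page)


def revision_to_bulk_actions(record: dict) -> list[dict]:
    """Map one decoded QLDB stream record to OpenSearch bulk actions.

    Only REVISION_DETAILS records carry evidence; CONTROL and BLOCK_SUMMARY
    records are skipped. QLDB omits 'data' for a deleted document, which
    becomes a delete action. The revision version is sent as an external
    version so a replayed (older) revision is rejected instead of applied.
    """
    if record.get("recordType") != "REVISION_DETAILS":
        return []
    revision = record["payload"]["revision"]
    meta = revision["metadata"]
    target = {"_index": INDEX, "_id": meta["id"],
              "version": meta["version"], "version_type": "external"}
    if "data" not in revision:
        return [{"delete": target}]
    doc = dict(revision["data"])
    doc["_qldb"] = {"txId": meta["txId"], "txTime": meta["txTime"],
                    "version": meta["version"]}
    return [{"index": target}, doc]


def build_bulk_body(kinesis_event: dict) -> str:
    """Build the NDJSON body of one OpenSearch _bulk request from a Kinesis event."""
    lines = []
    for rec in kinesis_event["Records"]:
        raw = base64.b64decode(rec["kinesis"]["data"])
        record = json.loads(raw)  # assumption: Ion already converted to JSON
        lines.extend(json.dumps(a) for a in revision_to_bulk_actions(record))
    return "".join(line + "\n" for line in lines)


def _b64(obj: dict) -> str:
    return base64.b64encode(json.dumps(obj).encode()).decode()


def sample_event() -> dict:
    """Constructed Kinesis event: one evidence insert plus one control record."""
    evidence = {"recordType": "REVISION_DETAILS", "payload": {
        "tableInfo": {"tableName": "evidence", "tableId": "T1"},
        "revision": {"metadata": {"id": "doc-1", "version": 0, "txId": "tx-1",
                                  "txTime": "2022-06-01T00:00:00Z"},
                     "data": {"providerId": "config", "status": "PASSED"}}}}
    control = {"recordType": "CONTROL", "payload": {"controlRecordType": "CREATED"}}
    return {"Records": [{"kinesis": {"data": _b64(evidence)}},
                        {"kinesis": {"data": _b64(control)}}]}
```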

Regional deployments

This solution uses the Amazon QLDB service, which is not currently available in all AWS Regions. You must launch this solution in an AWS Region where Amazon QLDB is available. For the most current availability of AWS services by Region, refer to the AWS Regional Services List.

Supported deployment Regions

As of June 2022, Verifiable Controls Evidence Store can be deployed in the following AWS Regions in accordance with the regional availability of its constituent services:

Region ID        Region name
us-east-2        US East (Ohio)
us-east-1        US East (N. Virginia)
us-west-2        US West (Oregon)
af-south-1       Africa (Cape Town)
ap-northeast-2   Asia Pacific (Seoul)
ap-southeast-1   Asia Pacific (Singapore)
ap-southeast-2   Asia Pacific (Sydney)
ap-northeast-1   Asia Pacific (Tokyo)
ca-central-1     Canada (Central)
eu-central-1     Europe (Frankfurt)
eu-west-1        Europe (Ireland)
eu-west-2        Europe (London)
me-south-1       Middle East (Bahrain)
us-gov-west-1    AWS GovCloud (US-West)
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.