My First AWS Diagram

Cody Waits
Jun 15, 2023

My journey to becoming an AWS Solutions Architect has been challenging, and I have been loving every step of the process! The most recent goal I achieved was obtaining my AWS Certified Solutions Architect — Associate. In an effort to progress my knowledge of AWS services, I plan to take part in many hands-on projects and practice the art of designing architecture diagrams for potential clients.

I recently connected with a peer of mine who is also in the beginning stage of his cloud journey, and he gave me a hypothetical scenario: migrate a Health Records SaaS company from an on-premises solution into AWS.

HealthyRecords Inc. is a customer in the health industry seeking to migrate their files on-prem into AWS S3 for both short and long-term storage.

This customer specializes in storing patient records securely as a paid service to large hospitals and is currently unhappy with their on-prem storage solution (a SAN) which is getting too expensive and difficult to maintain. They will have to lifecycle it soon and are looking for a cloud alternative.

They have 2 primary types of items to store:

1. Patient Records: requires HIPAA-compliant storage, and records are typically accessed anywhere from every 30 days to 180 days. Some patient records are pulled more frequently, however.

2. Long-Term archives: internal company documents. Will be stored long-term for record-keeping, and don’t need to be accessed very often. These get seen on average every year and some will come up for annual audits.

The customer is concerned with data security and will retain key custody for encryption of the patient records. For the long-term archives, they want the most cost-effective option. All traffic to and from the S3 bucket location must be encrypted for both item types, however.

Additionally, they want to ensure that these documents will be available in the event of a disaster in a given region. What options do they have to mitigate that natively within AWS?

I created this diagram using draw.io with its native AWS templates and icons. Designing this architecture really made me think deeply about how each specific service interconnects with the others. You have to be intentional with the placement of each icon, because the intent you are trying to present can be interpreted in a totally different way due to your chosen layout. Is this layout perfect? Probably not, but you will not get better at diagrams until you put it into practice.

So how am I presenting a solution to this potential client?

  1. Utilize AWS DataSync to migrate your files to the AWS cloud; they can be uploaded directly to an S3 bucket. DataSync will encrypt the data that you are uploading using Transport Layer Security (TLS). You can optimize the bandwidth control to perform most of the load outside business hours. It can also be configured to perform ongoing synchronization by uploading only modified or new files to your S3 bucket. This service would be perfect for HealthyRecords Inc. (HRI) to migrate to an AWS cloud storage solution.
  2. The customer can upload a Customer Managed Key to AWS Key Management Service (KMS) so that they can maintain key custody of the encryption as requested. This same key can be used to encrypt the traffic from DataSync to the S3 bucket, as well as encrypting the S3 buckets themselves (data at rest).
  3. Based on the requirement of accessing files every 30–180 days, I proposed that HRI upload directly to S3 — Infrequent Access. This would allow for the best cost optimization while still allowing them to instantly retrieve their patient files when needed. S3 — Infrequent Access will cost more per pull request, but will save in the long term on storage costs. S3 bucket versioning will also be implemented to archive any versions of the patients' records. In order to store HIPAA files in this bucket, the AWS account owner will have to sign a Business Associate Addendum.
  4. For the long-term storage, which will only be accessed on average once a year, I recommend the use of S3 — Glacier Flexible Retrieval. This will still provide up to a 12-hour retrieval time for annual audit purposes. This will provide great cost optimization for storing long-term records.
  5. In order to maintain regional resilience, a cross-region replica will be made for both the S3-IA and the S3 Glacier bucket. This will provide instant access to all of HRI’s files in the case of a regional outage. It will cost more, however, to maintain two regions' worth of the customer's files.
  6. An IAM access policy will grant users access to the respective buckets using least-privilege access principles. This will ensure that no unauthorized user will be able to access the files within the S3 bucket. Utilizing prefixes in the JSON file, you can specify multiple partitions within the S3 bucket to give private access to the respective customer’s files. This will allow you to avoid creating one bucket per user.
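
As an added example (not part of the original article or diagram), here is one way the prefix-scoped IAM policy from step 6 could be generated per customer, combined with the key-custody and encrypted-traffic requirements. The bucket name, key ARN, tenant ids and the `tenant_policy` / `allows_object` helpers are constructed assumptions.

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholders (assumptions, not values from the article).
BUCKET = "hri-patient-records-example"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def tenant_policy(bucket, tenant, key_arn):
    """IAM identity policy limiting one customer (tenant) to its own prefix."""
    if not tenant.isalnum():
        # Reject '/', '*', '?' and empty ids so the prefix cannot be widened.
        raise ValueError(f"invalid tenant id: {tenant!r}")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        # Listing is a bucket-level action, so it is narrowed by s3:prefix.
        {"Sid": "ListOwnPrefix", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": bucket_arn,
         "Condition": {"StringLike": {"s3:prefix": [f"{tenant}/*"]}}},
        # Object reads and writes only under the tenant's prefix.
        {"Sid": "ObjectsInOwnPrefix", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"{bucket_arn}/{tenant}/*"},
        # SSE-KMS objects also require use of the customer managed key.
        {"Sid": "UseCustomerKey", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": key_arn},
        # An explicit Deny overrides any Allow: refuse non-TLS requests.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Action": "s3:*",
         "Resource": [bucket_arn, f"{bucket_arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


def allows_object(policy, bucket, key):
    """Simplified isolation check (not full IAM evaluation): does any
    Allow statement's Resource pattern match this object's ARN?"""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        patterns = [res] if isinstance(res, str) else res
        if stmt["Effect"] == "Allow" and any(fnmatchcase(arn, p) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    policy = tenant_policy(BUCKET, "hospitala", KMS_KEY_ARN)
    print(json.dumps(policy, indent=2))
    print(allows_object(policy, BUCKET, "hospitalb/chart-001.pdf"))
```

The isolation check is a quick sanity test for generated policies; IAM Access Analyzer or the policy simulator remains the authoritative evaluation.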

Thanks for taking the time to read this article. I hope you were able to get something out of it, or that you possibly thought of a better way to architect this! I’m looking forward to growing my AWS skills in the future. I am open to criticism and feedback; I only want to improve my skills and continue to get better each day!