AWS Resources
This document provides a comprehensive inventory of all AWS resources deployed by the Spatial Data Management Application (SDMA), including their purposes, configurations, and interdependencies.
Document Purpose: Reference guide for understanding the complete resource architecture deployed when implementing the SDMA solution.
Deployment Scope: All resources listed are deployed as part of the standard SDMA AWS CloudFormation template across eight nested stacks.
AWS Lambda Functions
Total Functions Deployed: 21
Core API and Processing Functions
| Function Name | Purpose | Timeout | Memory | Concurrency | VPC |
|---|---|---|---|---|---|
| Resource Operation Function | Main API handler for CRUD operations on libraries, projects, assets, files, connectors, and templates | 900s | 1024 MB | Reserved: 300 | Private subnets |
| Connector Invocation Function | Executes connector workflows for external system integrations | 900s | 512 MB | Reserved: 100 | Private subnets |
| Cognito Identity Function | Handles Cognito user pool triggers for user lifecycle events | 900s | 1024 MB | Default | Private subnets |
| Assets Search Indexer Function | Indexes asset metadata into OpenSearch for full-text and geospatial search | 900s | 1024 MB | Default | Private subnets |
| Asset Watcher Function | Processes S3 notifications for file uploads/changes, EventBridge events for asset operations, and DynamoDB streams for connector invocation updates | 900s | 1024 MB | Reserved: 100 | Private subnets |
| Metric Emitter Function | Emits custom CloudWatch metrics for application monitoring | 900s | 256 MB | Default | Private subnets |
| System Bootstrap Function | Initializes the system during deployment: creates the default library, sets up OpenSearch indexes, and configures the initial system state | 900s | 1024 MB | Default | Private subnets |
Utility and Custom Resource Functions
| Function Name | Purpose | Timeout | Memory |
|---|---|---|---|
| Deployment UUID Generator | Generates a unique deployment identifier for resource naming | 30s | 128 MB |
| Portal Runtime Config Lambda | Portal runtime configuration and initialization | 30s | 128 MB |
| CloudFront Key Generator Function | Generates CloudFront signing key pairs for secure asset URL access | 120s | 128 MB |
| Metrics Reporting Function | Collects and sends anonymous usage metrics for solution analytics | 900s | 256 MB |
| S3 Bucket Notifications Handler | Processes S3 bucket notification events | 300s | 128 MB |
| Log Retention Manager | Manages CloudWatch log group retention policies | 900s | 128 MB |
| CloudFront Distribution Handler | Manages CloudFront distribution configuration | 900s | 128 MB |
| Asset Preview Distribution | Handles asset preview and distribution logic | 900s | 128 MB |
There are also 6 additional Lambda functions, generated automatically by AWS CDK, that manage the custom resource Lambdas, assist deployment, and orchestrate CloudFormation custom resource operations.
Configuration:
- All functions deployed with Amazon VPC configuration and security groups
- All functions have Amazon CloudWatch Logs integration
- Reserved concurrency configured for core functions to handle production load
- Functions use AWS X-Ray tracing for distributed debugging
Amazon DynamoDB Tables
Total Tables Deployed: 11
Common Configuration:
- Encryption: AWS KMS customer-managed key with automatic yearly rotation
- Billing Mode: On-demand (auto-scaling)
- Point-in-Time Recovery: Enabled (35-day retention)
- Deletion Protection: Enabled
- Backup: Automatic via point-in-time recovery
| Table Name | Partition Key | Sort Key | Purpose | GSIs |
|---|---|---|---|---|
| Libraries Table | LibraryId (String) | — | Stores library metadata (top-level organizational unit) | None |
| Projects Table | ProjectId (String) | — | Stores project metadata within libraries | 2 (LibraryId, ManifestPrefix) |
| Asset Templates Table | AssetTemplateId (String) | — | Stores reusable asset templates with metadata schemas | 2 (AssetTemplateName, LibraryId) |
| Assets Table | AssetId (String) | — | Stores asset metadata, properties, state, and relationships | 8 (AssetName, ProjectName, ProjectId, AssetManifestLocation, State, UploadState, TemplateId, StatusCode) |
| Files Table | FileObjectKey (String) | AssetId (String) | Stores file metadata and S3 object references for assets | 6 (FileObjectKey, FileId, AssetId, AssetId-PathWithDepth, AssetId-Path, PathId) |
| Locks Table | LockId (String) | — | Distributed locking for concurrent operations | None |
| Processed S3 Objects Table | ObjectKey (String) | — | Tracks S3 objects already processed to prevent duplicate processing | None |
| Members Table | ResourceId (String) | PrincipalId (String) | Stores resource membership and access control relationships | 4 (PrincipalId, ResourceId-PrincipalType, PrincipalId-ResourceId, ResourcePrefix-ResourceId) |
| Connectors Table | ConnectorId (String) | — | Stores connector configurations for external system integrations | 2 (LibraryId-Direction, LibraryId-ConnectorType) |
| Connector Invocations Table | ConnectorInvocationId (String) | — | Tracks connector execution state and results | 2 (ResourcePath, ConnectorId) |
| Resource Associations Table | SourceResourceId (String) | TargetResourceId (String) | Stores relationships between resources (assets, projects, etc.) | 2 (SourceResourceId, TargetResourceId) |
Amazon S3 Buckets
Total Buckets Deployed: 6
| Bucket Name | Purpose | Naming Pattern | Versioning | Encryption | Lifecycle | Public Access |
|---|---|---|---|---|---|---|
| Asset Storage Bucket | Primary storage for spatial asset files (E57, LAS, point clouds, 3D models, images). Stores asset and file metadata, and maintains file and folder hierarchy information. |  | Enabled | SSE-S3 | Configurable (default: none) | Blocked |
| Asset Log Bucket | S3 access logs for the asset bucket |  | Enabled | SSE-S3 | 90-day expiration | Blocked |
| Portal Bucket | Static web assets for the React portal application |  | Enabled | SSE-S3 | None | Blocked (CloudFront access only) |
| Portal CloudFront Log Bucket | CloudFront access logs for the web portal distribution |  | Enabled | SSE-S3 | 90-day expiration | Blocked |
| Telemetry Bucket | Application telemetry, usage analytics, and custom metrics |  | Enabled | SSE-S3 | Configurable | Blocked |
| CloudTrail Bucket | AWS API audit logs from CloudTrail |  | Enabled | SSE-S3 | 90-day retention | Blocked |
Amazon SQS Queues
Total Queues Deployed: 8 (4 primary + 4 dead letter queues)
| Queue Name | Type | Purpose | Visibility Timeout | Message Retention | Dead Letter Queue |
|---|---|---|---|---|---|
| Asset File Notification Queue | Standard | Receives S3 event notifications for file uploads/changes | 900s | 14 days | Yes (max 3 retries) |
| Asset CRUD Notification Queue | Standard | Receives EventBridge events for asset create/update/delete operations | 900s | 14 days | Yes (max 3 retries) |
| Deadline Notification Queue | Standard | Receives notifications from AWS Deadline Cloud for job status updates | 900s | 14 days | Yes (max 3 retries) |
| Connector Queue | FIFO | Queues connector invocation requests for sequential processing | 900s | 14 days | Yes (max 3 retries) |
| Dead Letter Queues (4 instances) | Standard | Capture failed messages after the maximum retry attempts | — | 14 days | — |
Configuration:
- All queues encrypted with KMS customer-managed keys
- All queues configured with a 900s visibility timeout
- Message retention set to 14 days
- Dead letter queues configured with a max receive count of 3
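The DynamoDB common configuration and the SQS configuration above together form a baseline worth checking for drift after deployment. The following is an added example, not part of the SDMA solution: two pure functions that take the `DescribeTable`/`DescribeContinuousBackups` and `GetQueueAttributes` response shapes (as returned by boto3 or the AWS CLI) and report any setting that deviates from the values this page lists; the sample responses are constructed.

```python
import json

# Expected values taken from the configuration lists on this page.
EXPECTED_VISIBILITY = "900"
EXPECTED_RETENTION = str(14 * 24 * 3600)  # 14 days; SQS returns attributes as strings
EXPECTED_MAX_RECEIVE = 3

def check_dynamodb_table(table, backups):
    """Drift findings for one table, from DescribeTable and DescribeContinuousBackups output."""
    findings = []
    sse = table.get("SSEDescription") or {}
    # An AWS-owned key shows no SSEDescription at all. Telling the AWS-managed
    # aws/dynamodb key apart from a customer-managed key needs a KMS DescribeKey
    # call (KeyManager == "CUSTOMER"), which this offline check does not make.
    if sse.get("SSEType") != "KMS" or not sse.get("KMSMasterKeyArn"):
        findings.append("encryption: not using a KMS key")
    if table.get("BillingModeSummary", {}).get("BillingMode") != "PAY_PER_REQUEST":
        findings.append("billing: not on-demand")
    if table.get("DeletionProtectionEnabled") is not True:
        findings.append("deletion protection: disabled")
    pitr = backups.get("ContinuousBackupsDescription", {}).get("PointInTimeRecoveryDescription", {})
    if pitr.get("PointInTimeRecoveryStatus") != "ENABLED":
        findings.append("point-in-time recovery: disabled")
    return findings

def check_sqs_queue(attrs):
    """Drift findings for one queue, from the GetQueueAttributes 'Attributes' map."""
    findings = []
    if not attrs.get("KmsMasterKeyId"):
        findings.append("encryption: no KMS key configured")
    if attrs.get("VisibilityTimeout") != EXPECTED_VISIBILITY:
        findings.append(f"visibility timeout: {attrs.get('VisibilityTimeout')} != 900")
    if attrs.get("MessageRetentionPeriod") != EXPECTED_RETENTION:
        findings.append("message retention: not 14 days")
    redrive = json.loads(attrs.get("RedrivePolicy", "{}"))  # maxReceiveCount arrives as a string
    if int(redrive.get("maxReceiveCount", 0)) != EXPECTED_MAX_RECEIVE:
        findings.append("dead letter queue: maxReceiveCount is not 3")
    return findings

# Constructed sample responses: shapes mirror the AWS API, values are made up.
SAMPLE_TABLE = {"TableName": "Locks", "DeletionProtectionEnabled": True,
                "BillingModeSummary": {"BillingMode": "PAY_PER_REQUEST"},
                "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
                                   "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"}}
SAMPLE_BACKUPS = {"ContinuousBackupsDescription": {"ContinuousBackupsStatus": "ENABLED",
                  "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "ENABLED"}}}
DRIFTED_QUEUE = {"VisibilityTimeout": "30", "MessageRetentionPeriod": EXPECTED_RETENTION,
                 "RedrivePolicy": json.dumps({"deadLetterTargetArn": "arn:aws:sqs:us-east-1:111122223333:dlq",
                                             "maxReceiveCount": "3"})}  # no KmsMasterKeyId set
```

Feed each deployed table and queue through these checks from a read-only role and treat any non-empty findings list as configuration drift from the baseline above.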
VPC Endpoints
Total Endpoints Deployed: 18
| Endpoint Name | Type | Service | Purpose | Subnets | Security Group | DNS |
|---|---|---|---|---|---|---|
| DynamoDB Gateway Endpoint | Gateway |  | Private access to DynamoDB without an internet gateway | — | — | — |
| S3 Gateway Endpoint | Gateway |  | Private access to S3 without an internet gateway | — | — | — |
| OpenSearch Serverless VPC Endpoint | Interface (PrivateLink) |  | Secure private access to OpenSearch Serverless from the VPC | Private (both AZs) | Allows HTTPS (443) from Lambda | Private DNS enabled |
| Secrets Manager Interface Endpoint | Interface (PrivateLink) |  | Private access to Secrets Manager | Private | Allows HTTPS from Lambda | Private DNS enabled |
| Lambda Interface Endpoint | Interface (PrivateLink) |  | Private Lambda invocations | Private | Allows HTTPS from VPC | Private DNS enabled |
| CloudWatch Logs Interface Endpoint | Interface (PrivateLink) |  | Private CloudWatch Logs access | Private | Allows HTTPS from Lambda | Private DNS enabled |
| SQS Interface Endpoint | Interface (PrivateLink) |  | Private SQS access | Private | Allows HTTPS from Lambda | Private DNS enabled |
| API Gateway Interface Endpoint | Interface (PrivateLink) |  | Private API Gateway access | Private | Allows HTTPS from Lambda | Private DNS enabled |
| Athena Interface Endpoint | Interface (PrivateLink) |  | Private Athena access | Private | Allows HTTPS from Lambda | Private DNS enabled |
| CloudFormation Interface Endpoint | Interface (PrivateLink) |  | Private CloudFormation access | Private | Allows HTTPS from Lambda | Private DNS enabled |
| CloudTrail Interface Endpoint | Interface (PrivateLink) |  | Private CloudTrail access | Private | Allows HTTPS from Lambda | Private DNS enabled |
| Deadline Cloud Management Interface Endpoint | Interface (PrivateLink) |  | Private Deadline Cloud Management access | Private | Allows HTTPS from Lambda | Private DNS enabled |
| Glue Interface Endpoint | Interface (PrivateLink) |  | Private Glue access | Private | Allows HTTPS from Lambda | Private DNS enabled |
| KMS Interface Endpoint | Interface (PrivateLink) |  | Private KMS access | Private | Allows HTTPS from Lambda | Private DNS enabled |
| SSM Interface Endpoint | Interface (PrivateLink) |  | Private SSM access | Private | Allows HTTPS from Lambda | Private DNS enabled |
| STS Interface Endpoint | Interface (PrivateLink) |  | Private STS access | Private | Allows HTTPS from Lambda | Private DNS enabled |
| Verified Permissions Interface Endpoint | Interface (PrivateLink) |  | Private Verified Permissions access | Private | Allows HTTPS from Lambda | Private DNS enabled |
| Places Interface Endpoint | Interface (PrivateLink) |  | Private Places access | Private | Allows HTTPS from Lambda | Private DNS enabled |
Note
<region> represents the AWS Region where the solution is deployed (for example, us-east-1, eu-west-1).
Security Groups
Total Security Groups Deployed: 4 custom + 1 default
| Security Group Name | Purpose | Inbound Rules | Outbound Rules |
|---|---|---|---|
| Lambda Function Security Group | Controls network access for Lambda functions | None (Lambda does not accept inbound) | HTTPS (443) to VPC endpoints; HTTPS (443) to 0.0.0.0/0 (external APIs via NAT) |
| Private Lambda Security Group | Controls network access for Lambda functions with external access | None | All traffic (0.0.0.0/0) |
| VPC Endpoint Security Group | Controls access to VPC endpoints | HTTPS (443) from VPC CIDR (10.0.0.0/16) | All traffic |
| Metrics Reporting Lambda Security Group | Controls network access for the metrics Lambda | None | All traffic (0.0.0.0/0) |
| Default VPC Security Group | Default VPC security group | All from self | All traffic (0.0.0.0/0) |
Long-Running Operations
CloudFormation Stack Deployment
- Estimated Time: 15-25 minutes
- Dependencies: All nested stacks must complete
- Critical Path:
  - VPC Stack (5-7 minutes)
  - Auth Stack (3-5 minutes) - depends on VPC
  - Asset Management Stack (5-8 minutes) - depends on VPC, Auth
  - OpenSearch Stack (3-5 minutes) - depends on VPC
  - Portal Stack (2-3 minutes) - depends on Auth, Asset Management
  - Monitoring Stack (2-3 minutes) - depends on all stacks
- Notes: OpenSearch collection creation can take 5-10 minutes
OpenSearch Collection Creation
- Estimated Time: 5-10 minutes
- Dependencies: VPC endpoints, security policies, network policies
- Notes: Collection must be active before indexing can begin
CloudFront Distribution Deployment
- Estimated Time: 15-30 minutes
- Dependencies: S3 origin bucket, CloudFront key pair
- Notes: Global propagation takes time
Initial System Bootstrap
- Estimated Time: 2-5 minutes
- Dependencies: All DynamoDB tables, default library creation
- Triggered By: System Bootstrap Lambda (CloudFormation custom resource)
Resource Dependencies
VPC
├── Subnets (Public, Private, Isolated)
├── NAT Gateways (2, one per AZ)
├── VPC Endpoints (8)
└── Security Groups (4)
└── Lambda Functions (9)
├── DynamoDB Tables (11)
├── S3 Buckets (5)
├── SQS Queues (5)
└── OpenSearch Collection
└── VPC Endpoint
API Gateway
├── Cognito Authorizer
├── IAM Authorizer
└── Lambda Integration (Resource Operation Function)
CloudFront
├── S3 Origin (Portal assets)
├── API Gateway Origin (API proxy)
└── CloudFront Key Pair (Secrets Manager)
Cognito User Pool
├── Lambda Triggers (Cognito Identity Function)
└── API Gateway Authorizer
EventBridge
├── Rules (Asset changes, scheduled tasks)
└── Targets (Lambda, SQS)
Deadline Cloud
├── Render Farm
├── Worker Nodes
└── Notification Queue (SQS)
Deployment Summary
Estimated Deployment Time: 25–35 minutes
CloudFormation Stacks: 8 nested stacks
- Main Stack (SDMA)
- Auth Stack
- VPC Stack
- Portal Stack
- OpenSearch Stack
- Asset Management Stack
- Deadline Stack
- Monitoring Stack
Deployed Resources:
- VPC Infrastructure (1 VPC, 6 subnets across 2 AZs, 18 VPC endpoints, 4 security groups)
- Lambda Functions (13 total)
- DynamoDB Tables (11 total)
- S3 Buckets (5 total)
- SQS Queues (8 total: 4 primary + 4 dead letter)
- API Gateway (1 REST API)
- Cognito (1 user pool, 1 identity pool)
- EventBridge (multiple rules for event routing)
- CloudWatch Logs (automatic log groups for all Lambda functions)
- CloudTrail (audit logging)
Configuration Highlights:
- DynamoDB tables configured with on-demand billing and PITR enabled
- Reserved concurrency configured for core Lambda functions
- VPC spans 2 availability zones for high availability
- All Lambda functions deployed with VPC configuration
- X-Ray tracing enabled for distributed debugging
- CloudWatch monitoring configured for all services