

# Architecture details
<a name="architecture-details"></a>

This section describes the components and AWS services that make up this solution and the architecture details on how these components work together.

## AWS services in this solution
<a name="aws-services-in-this-solution"></a>


|  **AWS service**  |  **Description**  | 
| --- | --- | 
|   [AWS CloudFormation](https://aws.amazon.com/cloudformation/)   |   **Core**. Used to deploy the solution and develop MCS internal and Third-Party Modules.  | 
|   [Amazon CloudFront](https://aws.amazon.com/cloudfront/)   |   **Core**. Used to cache and deliver the MCS web console hosted in Amazon S3.  | 
|   [Amazon Cognito](https://aws.amazon.com/cognito/)   |   **Core**. Provides authentication to the MCS web console and API.  | 
|   [Amazon DynamoDB](https://aws.amazon.com/dynamodb/)   |   **Core**. Used to store information about MCS modules and the state of the modules.  | 
|   [Amazon EC2](https://aws.amazon.com/ec2/)   |   **Core**. Used to run the workstations managed by the MCS Workstation Management module. MCS uses Amazon EC2 Image Builder to build Windows and Linux Amazon Machine Images (AMIs) used in the solution.  | 
|   [AWS Global Accelerator](https://aws.amazon.com/global-accelerator/)   |   **Core**. Used to manage connections between MCS Workstation Management module and Amazon EC2 workstations.  | 
|   [IAM](https://aws.amazon.com/iam/)   |   **Core**. Used to authorize access to MCS using roles to manage resources effectively. MCS resources are limited by roles and policies defined in IAM and in Cognito user pools.  | 
|   [AWS Lambda](https://aws.amazon.com/lambda/)   |   **Core**. Handles the processing logic for adding, updating, editing, or deleting MCS modules and storing sensitive information in Secrets Manager.  | 
|   [Amazon RDS for PostgreSQL](https://aws.amazon.com/rds/postgresql/)   |   **Core**. Used as a database for the Leostream Broker EC2 instances.  | 
|   [Amazon Route 53](https://aws.amazon.com/route53/)   |   **Core**. Used to manage domain resolution to load balancer addresses.  | 
|   [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/)   |   **Core**. Used to store module parameters that contain sensitive information.  | 
|   [AWS Service Catalog](https://aws.amazon.com/servicecatalog/)   |   **Core**. Used to manage the portfolio of MCS modules and to provision the CloudFormation stack when modules are enabled.  | 
|   [Amazon VPC](https://aws.amazon.com/vpc/)   |   **Core**. Used to deploy an isolated virtual networking environment to build the MCS studio. Users can create a new VPC or import an existing one.  | 
|   [Amazon CloudWatch](https://aws.amazon.com/cloudwatch/)   |   **Supporting.** Used for monitoring the solution and logs.  | 
|   [Amazon EventBridge Event Bus](https://aws.amazon.com/eventbridge/event-bus/)   |   **Supporting.** Listens to CloudFront changes and invokes Lambda to update the state of MCS modules in DynamoDB.  | 
|   [Amazon EventBridge Pipe](https://aws.amazon.com/eventbridge/pipes/)   |   **Supporting.** Used to process and transform operational metrics from Amazon SQS and deliver them anonymously to an API destination for monitoring.  | 
|   [Amazon SQS](https://aws.amazon.com/sqs/)   |   **Supporting.** Used to deliver operational metrics to EventBridge Pipe.  | 
|   [Amazon Simple Storage Service](https://aws.amazon.com/s3/)   |   **Supporting.** Provides object storage for content used in the MCS web console.  | 
|   [AWS Systems Manager Parameter Store](http://aws.amazon.com/systems-manager/)   |   **Supporting.** Provides application-level resource monitoring, visualization of resource operations, and secrets management.  | 
|   [Amazon DCV](https://aws.amazon.com/hpc/dcv/)   |   **Supporting**. Used to connect users securely to the workstations.  | 
|   [AWS Directory Service](https://aws.amazon.com/directoryservice/)   |   **Optional**. Used to deploy an instance of [AWS Managed Microsoft AD](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html).  | 
|   [Amazon FSx for Windows File Server](https://aws.amazon.com/fsx/windows/)   |   **Optional**. Used to deploy a fully managed shared file system built on Windows Server.  | 
|   [Amazon FSx for Lustre](https://aws.amazon.com/fsx/lustre/)   |   **Optional**. Used to deploy a fully managed shared file system built on Lustre.  | 
|   [AWS Step Functions](https://aws.amazon.com/step-functions/)   |   **Optional**. Used to register and deregister MCS Third-Party Modules.  | 

# Module categories
<a name="module-categories"></a>

MCS supports five module categories: [Network](network-modules.md), [Identity](identity-modules.md), [Storage](storage-modules.md), [Workstation Management](workstation-management-modules.md), and [Custom](custom-modules.md).

# Network modules
<a name="network-modules"></a>

Network modules create the necessary resources for other modules and components to communicate with each other.

The following Network modules are available in MCS after deployment:
+ Managed VPC module - Deploys a new VPC
+ Unmanaged VPC module - Receives existing VPC information from an input form

## Managed VPC module
<a name="managed-vpc-module"></a>

![\[managed vpc module\]](http://docs.aws.amazon.com/solutions/latest/modular-cloud-studio-on-aws/images/managed-vpc-module.png)


1. The solution deploys a VPC with two Availability Zones. Each zone contains:
   + One public subnet - routes traffic to an [internet gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html) 
   + One private subnet - routes traffic to a [NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) 
**Note**  
Pixel streaming traffic doesn’t travel through the NAT gateway.

1. The solution creates [VPC Endpoints](https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html) to ensure that internal traffic to these services connects privately and doesn’t traverse the public internet.

1. Default EventBridge buses in each enabled region send EC2 instance state change events to a state machine for applying tags to any EC2 instance launched within an MCS VPC.

## Unmanaged VPC module
<a name="unmanaged-vpc-module"></a>

![\[unmanaged vpc module\]](http://docs.aws.amazon.com/solutions/latest/modular-cloud-studio-on-aws/images/unmanaged-vpc-module.png)


1. The solution can utilize an existing VPC for module deployment. However, any additional configuration required for module functionality must be managed by the MCS administrator.

1. You can optionally enable EventBridge infrastructure for automatic EC2 tagging through the Unmanaged VPC’s deployment parameters (default: Yes). When enabled, default EventBridge buses in each enabled region send EC2 instance state change events to a state machine for applying tags to any EC2 instance launched within an MCS VPC.

1. To toggle EC2 tagging post-deployment, locate the EventBridge rule created by your Unmanaged VPC deployment (rule name contains `EC2InstanceTagging`) and choose **Disable** or **Enable** as needed.

**Note**  
If EventBridge EC2 Tagging Parameter is disabled at deployment, tagging infrastructure will not be deployed and the feature cannot be enabled later. If enabled, tagging can be toggled on or off post-deployment by enabling or disabling the EventBridge Rule.
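
The note above implies three possible states per Region: the tagging rule was never deployed, it exists but is disabled, or it is enabled. The following added example (not part of the MCS code base) classifies each Region by listing EventBridge rules on the default bus and matching the `EC2InstanceTagging` substring. It assumes a boto3-style `events` client is passed in; `FakeEvents` and the sample rule names are constructed so the block runs offline.

```python
RULE_MARKER = "EC2InstanceTagging"  # substring of the rule name, as stated above


def list_all_rules(events_client):
    """Yield every rule on the default event bus, following NextToken pagination."""
    kwargs = {}
    while True:
        page = events_client.list_rules(**kwargs)
        yield from page.get("Rules", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs = {"NextToken": token}


def tagging_status(events_client):
    """Return (state, rule_names); state is NOT_DEPLOYED, DISABLED, or ENABLED."""
    matches = [r for r in list_all_rules(events_client) if RULE_MARKER in r["Name"]]
    if not matches:
        # No rule at all: tagging infrastructure was not deployed in this Region.
        return "NOT_DEPLOYED", []
    names = sorted(r["Name"] for r in matches)
    if any(r.get("State") == "DISABLED" for r in matches):
        return "DISABLED", names
    return "ENABLED", names


def audit_regions(client_for_region, regions):
    """Map each Region name to its tagging status."""
    return {region: tagging_status(client_for_region(region)) for region in regions}


class FakeEvents:
    """Constructed stand-in for a boto3 'events' client; serves rules in pages of one."""

    def __init__(self, rules):
        self.rules = rules

    def list_rules(self, NextToken=None):
        start = int(NextToken or 0)
        page = {"Rules": self.rules[start:start + 1]}
        if start + 1 < len(self.rules):
            page["NextToken"] = str(start + 1)
        return page


SAMPLE = {  # constructed rule listings, not real account data
    "us-east-1": [{"Name": "unrelated-rule", "State": "ENABLED"},
                  {"Name": "mcs-EC2InstanceTaggingRule-AAA", "State": "ENABLED"}],
    "eu-west-1": [{"Name": "mcs-EC2InstanceTaggingRule-BBB", "State": "DISABLED"}],
    "ap-south-1": [{"Name": "unrelated-rule", "State": "ENABLED"}],
}


def demo():
    return audit_regions(lambda region: FakeEvents(SAMPLE[region]), sorted(SAMPLE))


if __name__ == "__main__":
    for region, (state, names) in demo().items():
        print(region, state, names)
```

Against a real account, pass `lambda region: boto3.client("events", region_name=region)` as `client_for_region`. Instances launched in a Region reported as `DISABLED` or `NOT_DEPLOYED` will not be tagged automatically.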

## Spoke Managed VPC module
<a name="spoke-managed-vpc-module"></a>

![\[spoke managed vpc module\]](http://docs.aws.amazon.com/solutions/latest/modular-cloud-studio-on-aws/images/spoke-managed-vpc-module.png)


1. The solution establishes a [VPC peering connection](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html) between the existing VPC in the hub Region and the VPC being created in this module, enabling inter-VPC communication.

1. The solution creates a VPC spanning two Availability Zones. Each zone contains:
   + One public subnet - routes traffic through an [Internet Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html) 
   + One private subnet - routes outbound traffic through a [NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) 

1. Default EventBridge buses in each enabled region send EC2 instance state change events to a state machine for applying tags to any EC2 instance launched within an MCS VPC.

# Identity modules
<a name="identity-modules"></a>

Identity modules create the necessary resources to allow users to interact with MCS and the post production environment.

The following Identity modules are available in MCS after deployment:
+ Managed Active Directory module - Deploys a new Microsoft Active Directory instance under standard edition
+ Unmanaged Active Directory module - Receives existing Microsoft Active Directory information from an input form

## Managed Active Directory module
<a name="managed-active-directory-module"></a>

![\[managed active directory module\]](http://docs.aws.amazon.com/solutions/latest/modular-cloud-studio-on-aws/images/managed-active-directory-module.png)


1.  [Directory Service](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html) deploys an instance of [AWS Managed Microsoft AD](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html) under standard edition.

1. The Active Directory module deploys a temporary EC2 instance that:
   + Joins to the [AWS Managed Microsoft AD](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html) domain
   + Sets password policy for domain users (90-day expiration)
   + Self-terminates after approximately 5 minutes

1. User credentials generated during deployment are automatically stored in [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html).

## Spoke Managed Identity module
<a name="spoke-managed-identity-module"></a>

1.  [Directory Service](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html) deploys an [AD Connector](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html) instance that establishes a connection to the Microsoft AD instance in the Hub environment.

# Storage modules
<a name="storage-modules"></a>

Storage modules create the necessary resources to allow workstations to save and retrieve data from file systems in the post production environment. The following Storage modules are available in MCS after deployment:
+ FSx for Windows File Server module - Deploys a new Amazon FSx Windows Server file system and registers to the Microsoft Active Directory
+ FSx for Lustre File Server module - Deploys a new Amazon FSx Lustre file system

**Note**  
Modular Cloud Studio on AWS allows you to deploy and manage a scalable, secure, and global content production infrastructure in the cloud. This includes custom modules, developed by AWS Partners or other third parties, that you can choose to use ("Third-Party Modules"). AWS does not own or otherwise have any control over Third-Party Modules.  
Your use of the Third-Party Modules is governed by any terms provided to you by the Third-Party Module providers when you acquired your license to use them (for example, their terms of service, license agreement, acceptable use policy, and privacy policy). You are responsible for ensuring that your use of the Third-Party Modules complies with any terms governing them, and any laws, rules, regulations, policies, or standards that apply to you.  
You are also responsible for making your own independent assessment of the Third-Party Modules that you use. AWS does not make any representations, warranties, or guarantees regarding the Third-Party Modules, which are "Third-Party Content" under your agreement with AWS. Modular Cloud Studio on AWS is offered to you as "AWS Content" under your agreement with AWS.

## Amazon FSx for Windows File Server module
<a name="amazon-fsx-for-windows-file-server-module"></a>

![\[amazon fsx for windows file server module\]](http://docs.aws.amazon.com/solutions/latest/modular-cloud-studio-on-aws/images/amazon-fsx-for-windows-file-server-module.png)


1. The solution deploys the Amazon FSx for Windows File Server file system and integrates it with the Microsoft Active Directory instance deployed by the Identity module.

1. You can mount this file system manually onto workstations started by the [Leostream Broker module](workstation-management-modules.md#leostream-broker-module).

## Amazon FSx for Lustre File Server module
<a name="amazon-fsx-for-lustre-file-server-modules"></a>

![\[amazon fsx for lustre file server module\]](http://docs.aws.amazon.com/solutions/latest/modular-cloud-studio-on-aws/images/amazon-fsx-for-lustre-file-server-module.png)


1. You can mount this file system manually onto workstations started by the [Leostream Broker module](workstation-management-modules.md#leostream-broker-module).

1. You can optionally specify an S3 Path to enable a [Data Repository Association](https://docs.aws.amazon.com/fsx/latest/LustreGuide/fsx-data-repositories.html) for the file system.

# Workstation Management modules
<a name="workstation-management-modules"></a>

Workstation Management modules create the necessary resources to provide virtual workstations to users in the post-production environment. Users get cloud performance by connecting remotely from only their local laptop, and auto scaling is handled based on policies.

The following Workstation Management modules are available in MCS after deployment:
+ Leostream Broker module - Manages assignment and auto scaling of workstations
+ Leostream Gateway module - Manages connections to workstations


## Leostream Broker module
<a name="leostream-broker-module"></a>

![\[leostream broker module\]](http://docs.aws.amazon.com/solutions/latest/modular-cloud-studio-on-aws/images/leostream-broker-module.png)


1. A private [hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/route-53-concepts.html#route-53-concepts-hosted-zone) in [Amazon Route 53](https://aws.amazon.com/route53/) routes requests to an [Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html) that is accessible through a private subnet. This Application Load Balancer manages connections to an [Amazon EC2 Auto Scaling Group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/auto-scaling-groups.html).

1. This module manages Leostream workstations on [Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html).

1. An [Amazon EC2 Auto Scaling Group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/auto-scaling-groups.html) maintains the necessary number of Leostream Broker instances on [Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html).

1. The Leostream Broker EC2 instances use an [Amazon Relational Database Service (Amazon RDS) for PostgreSQL](https://aws.amazon.com/rds/postgresql/) database.

   Database configuration:
   + A dedicated "leostream" user is provisioned with specific permissions
   + User can create, read, update, and delete databases and tables
   + Operates with restricted privileges compared to the default administrator account
   + Default admin user credentials are not exposed to or utilized by Leostream modules

1.  [Amazon EC2 Image Builder](https://docs.aws.amazon.com/imagebuilder/latest/userguide/what-is-image-builder.html) is used upon deployment to build the AMI for the Leostream Broker EC2 instances along with both Windows and Linux AMIs that the Leostream Broker module uses.

## Spoke Leostream Broker module
<a name="spoke-leostream-broker-module"></a>

![\[spoke leostream broker module\]](http://docs.aws.amazon.com/solutions/latest/modular-cloud-studio-on-aws/images/spoke-leostream-broker-module.png)


1. The Leostream Broker cluster in the hub variant of this module manages workstations on [Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html).

1. Workstations use the same AMIs built by the Leostream Broker module in the hub Region. The Spoke Leostream Broker module copies AMIs from the hub Region into the spoke Region.

## Leostream Gateway module
<a name="leostream-gateway-module"></a>

![\[leostream gateway module\]](http://docs.aws.amazon.com/solutions/latest/modular-cloud-studio-on-aws/images/leostream-gateway-module.png)


1. Optionally, when a certificate and hosted zone are configured, a [hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html) on [Amazon Route 53](https://aws.amazon.com/route53) routes requests to [AWS Global Accelerator](https://docs.aws.amazon.com/global-accelerator/latest/dg/what-is-global-accelerator.html).

1. The module deploys an [AWS Global Accelerator](https://docs.aws.amazon.com/global-accelerator/latest/dg/what-is-global-accelerator.html) and uses it to manage connections with Leostream Gateway to either a workstation or the Leostream Broker cluster.

1. The module uses the [Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html) deployed by the Leostream Broker module, which manages traffic to the [Auto Scaling](https://docs.aws.amazon.com/autoscaling/ec2/userguide/auto-scaling-groups.html) Group for Leostream Broker instances.

1.  [Amazon DCV](https://aws.amazon.com/hpc/dcv/) traffic is routed securely between the AWS Global Accelerator, Leostream Gateway, and workstations.

1. An [Auto Scaling Group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/auto-scaling-groups.html) maintains the necessary number of Leostream Gateway instances on [Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html).

1. Auto Scaling events invoke workflows in [AWS Step Functions](https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html) via [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/) to manage Leostream Gateway registrations.

1. The AMI used by Leostream Gateway EC2 instances is built during deployment using [Amazon EC2 Image Builder](https://docs.aws.amazon.com/imagebuilder/latest/userguide/what-is-image-builder.html).

## Spoke Leostream Gateway module
<a name="spoke-leostream-gateway-module"></a>

![\[spoke leostream gateway module\]](http://docs.aws.amazon.com/solutions/latest/modular-cloud-studio-on-aws/images/spoke-leostream-gateway-module.png)


1. Auto Scaling events invoke workflows in [AWS Step Functions](https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html) via [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/) to manage Leostream Gateway registrations.

1.  [Amazon DCV](https://aws.amazon.com/hpc/dcv/) traffic is routed securely between the [AWS Global Accelerator](https://aws.amazon.com/global-accelerator/), Leostream Gateway, and workstations.

1. Workstations use the same AMIs built by the Leostream Broker module in the hub Region.

1. An [Auto Scaling Group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/auto-scaling-groups.html) maintains the necessary number of Leostream Gateway instances on [Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html).

# Custom modules
<a name="custom-modules"></a>

You can bring your own custom modules, or modules developed by AWS Partners or third parties to MCS. You can register your own custom modules under the Custom category if they don’t belong to the other four categories. Modules registered and enabled under the Custom category are displayed under the **Custom** menu in the MCS user interface.

Custom modules developed by AWS Partners are hosted in [GitHub](https://github.com/aws-solutions/modular-cloud-studio-on-aws-third-party-modules-listing), and they are imported into MCS with `AVAILABLE` status when the solution is first deployed. From the Module Library page, you can fetch the latest listings from the repository when new modules are added or existing modules are modified or removed.


# DynamoDB Tables
<a name="dynamodb-tables"></a>

MCS uses five DynamoDB tables: [Registered Modules](#registered-modules), [External Modules](#external-modules), [Modules Mapping](#modules-mapping-table), [Enabled Modules](#enabled-modules), and [Regions](#regions-table).

## Registered Modules table
<a name="registered-modules"></a>

The Registered Modules table contains modules that are registered and can be enabled or disabled.

Attributes:
+  `registered_module_pk` - Primary key consisting of `module_name` and `region_type`.
+  `module_version` - The version of the module.
+  `category` - Can be one of the following: `Network`, `Identity`, `WorkstationManagement`, `Storage`, `Custom`, or `SpokeRegionInfrastructure`.
+  `input_parameters_hub` - Systems Manager parameter inputs for the modules that exist in the hub Region.
+  `input_parameters_local` - Systems Manager parameter inputs for the modules that exist in its local Region (hub or spoke).
+  `is_external` - Boolean value indicating if the module is a Third-Party Module.
+  `module_name` - Name of the module.
+  `region_type` - Indicates whether the module can be enabled in the hub Region, a spoke Region, or both. Can be one of the following: `HUB`, `SPOKE`, or `BOTH`.
+  `servicecatalog_portfolio_id` - MCS Service Catalog portfolio.
+  `servicecatalog_product_id` - Service Catalog product of the module.
+  `status` - Can be one of the following: `REGISTERED`, `REGISTERING IN PROGRESS`, `REGISTER FAILED`, `DE-REGISTERING IN PROGRESS`, `DE-REGISTER FAILED`, or `ENABLING IN PROGRESS`.

## External Modules table
<a name="external-modules"></a>

The External Modules table contains Third-Party Modules that are registered or are available to be registered.

Attributes:
+  `module_name` - Name of the module.
+  `category` - Can be one of the following: `Network`, `Identity`, `WorkstationManagement`, `Storage`, `Custom`, or `SpokeRegionInfrastructure`.
+  `created_at` - When the module was created.
+  `display_name` - Module name to display in the UI.
+  `is_custom` - Indicates whether the module was registered post-deployment of MCS.
+  `manifest_url` - The URL for the manifest.
+  `status` - Can be one of the following: `AVAILABLE`, `REGISTERED`, `REGISTER IN PROGRESS`, `REGISTER FAILED`, `DE-REGISTER IN PROGRESS`, or `DE-REGISTER FAILED`.
+  `updated_at` - When the module was updated.
+  `registered_version` - Semantic version of the registered module. Field is empty if a module is available but not registered.

## Modules Mapping table
<a name="modules-mapping-table"></a>

The Modules Mapping table contains Systems Manager parameter paths and the registered modules that output them.

Attributes:
+  `param_name` - Systems Manager parameter path following the MCS deployment ID.
+  `infrastructure` - Boolean value indicating if the parameter is output by MCS infrastructure.
+  `module_pks` - List of registered modules that output `param_name`.

## Enabled Modules table
<a name="enabled-modules"></a>

The Enabled Modules table contains modules that have been enabled.

Attributes:
+  `enabled_module_pk` - Primary key consisting of `module_name`, `region_type`, and `module_region`.
+  `active_dependents` - List of enabled modules that are dependent on this module.
+  `category` - Can be one of the following: `Network`, `Identity`, `WorkstationManagement`, `Storage`, `Custom`, or `SpokeRegionInfrastructure`.
+  `creation_time` - Time that the module was created.
+  `deployment_uuid` - Unique ID assigned when the Service Catalog product is provisioned.
+  `input_parameters` - CloudFormation parameters.
+  `last_update_time` - Time that the module was most recently updated.
+  `module_name` - Name of the module.
+  `module_region` - Region in which the module is enabled.
+  `module_region_category` - Type of Region in which the module is enabled. Can be one of the following: `Hub` or `Spoke`.
+  `module_version` - Version of the module enabled.
+  `region_type` - Indicates whether the module can be enabled in the hub Region, a spoke Region, or both. Can be one of the following: `HUB`, `SPOKE`, or `BOTH`.
+  `servicecatalog_provisioned_product_id` - Service Catalog provisioned product ID for the module enabled.
+  `status` - Can be one of the following: `ENABLED`, `ENABLING IN PROGRESS`, `ENABLE FAILED`, `DISABLED`, `DISABLING IN PROGRESS`, or `DISABLE FAILED`.

## Regions table
<a name="regions-table"></a>

The Regions table consists of AWS Regions that can be enabled or disabled in MCS. The hub Region cannot be disabled.

Attributes:
+  `name` - AWS Region name.
+  `date_enabled` - Date that the Region was enabled.
+  `enablement_status` - Can be one of the following: `ENABLED`, `ENABLING IN PROGRESS`, `ENABLE FAILED`, `DISABLED`, `DISABLING IN PROGRESS`, or `DISABLE FAILED`.
+  `is_hub` - Boolean value indicating if the Region is the hub Region.
+  `provisioned_product_id` - Service Catalog provisioned product ID.

## Lock table
<a name="lock-table"></a>

The Lock table is a distributed locking mechanism that prevents multiple processes from executing the same critical section simultaneously.

Attributes:
+  `lock_name` - Name of the process currently being executed
+  `time_to_live` - TTL timestamp for automatic cleanup

**Note**  
DynamoDB automatically deletes items whose `time_to_live` timestamp has expired, but the deletion does not occur immediately after expiration and can take a few days.  
See [Using time to live (TTL) in DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/TTL.html) for more details.
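
Because an expired lock item can remain in the table, a lock acquire has to treat a `time_to_live` in the past as free rather than wait for TTL deletion. The following added example (not MCS's own code) shows one way to do that with DynamoDB conditional writes, plus a release that cannot delete a successor's lease. The table name, the lock name, the conditional-write approach, and the in-memory stand-in client are assumptions.

```python
import time

LOCK_TABLE = "mcs-lock-table"  # hypothetical table name (assumption)


class ConditionFailed(Exception):
    """Stand-in for botocore ClientError with ConditionalCheckFailedException."""
    response = {"Error": {"Code": "ConditionalCheckFailedException"}}


def condition_failed(exc):
    error = (getattr(exc, "response", None) or {}).get("Error", {})
    return error.get("Code") == "ConditionalCheckFailedException"


def acquire_lock(client, lock_name, lease_seconds=300, now=None):
    """Return the lease expiry (epoch seconds) if the lock was taken, else None."""
    now = int(time.time() if now is None else now)
    expiry = now + lease_seconds
    try:
        client.put_item(
            TableName=LOCK_TABLE,
            Item={"lock_name": {"S": lock_name}, "time_to_live": {"N": str(expiry)}},
            # Free if no item exists, or if it expired but TTL has not deleted it yet.
            ConditionExpression="attribute_not_exists(#n) OR #t < :now",
            ExpressionAttributeNames={"#n": "lock_name", "#t": "time_to_live"},
            ExpressionAttributeValues={":now": {"N": str(now)}},
        )
    except Exception as exc:
        if not condition_failed(exc):
            raise
        return None
    return expiry


def release_lock(client, lock_name, expiry):
    """Delete the lock only if it still holds the lease we wrote."""
    try:
        client.delete_item(
            TableName=LOCK_TABLE,
            Key={"lock_name": {"S": lock_name}},
            ConditionExpression="#t = :mine",
            ExpressionAttributeNames={"#t": "time_to_live"},
            ExpressionAttributeValues={":mine": {"N": str(expiry)}},
        )
    except Exception as exc:
        if not condition_failed(exc):
            raise
        return False
    return True


class InMemoryLockTable:
    """Constructed stand-in that evaluates only the two conditions used above."""
    def __init__(self):
        self.items = {}  # lock_name -> time_to_live; expired items are never purged

    def put_item(self, Item, ExpressionAttributeValues, **_):
        name = Item["lock_name"]["S"]
        now = int(ExpressionAttributeValues[":now"]["N"])
        if name in self.items and not self.items[name] < now:
            raise ConditionFailed()
        self.items[name] = int(Item["time_to_live"]["N"])

    def delete_item(self, Key, ExpressionAttributeValues, **_):
        name = Key["lock_name"]["S"]
        if self.items.get(name) != int(ExpressionAttributeValues[":mine"]["N"]):
            raise ConditionFailed()
        del self.items[name]


def demo():
    table = InMemoryLockTable()
    first = acquire_lock(table, "module-enable", lease_seconds=60, now=1000)
    blocked = acquire_lock(table, "module-enable", lease_seconds=60, now=1030)
    # t=1061: the first lease expired, but its item is still in the table.
    takeover = acquire_lock(table, "module-enable", lease_seconds=60, now=1061)
    stale_release = release_lock(table, "module-enable", first)
    return first, blocked, takeover, stale_release


if __name__ == "__main__":
    print(demo())
```

With boto3, pass `boto3.client("dynamodb")` as `client`; the stale holder's release returns `False`, so the lock taken over after expiry stays in place.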