Document Version: 2.1
Last Updated: 2025-12-30
Purpose: Comprehensive AWS deployment audit for FTR (Foundational Technical Review) and architecture documentation
FTR Category: AI Agents and Tools
SaaS Compliance Deadline: January 21, 2026
Executive Summary
Vellocity is a production-grade SaaS platform built on AWS infrastructure. This document provides a complete inventory of AWS services, deployment architecture, and percentage analysis for AWS Marketplace compliance.
AWS Deployment Percentage Summary
| Infrastructure Category | AWS Services | Non-AWS | % AWS |
|---|---|---|---|
| Compute & Hosting | 5 | 0 | 100% |
| Database & Caching | 3 | 0 | 100% |
| Storage & CDN | 2 | 1 | 95% |
| Networking & DNS | 5 | 0 | 100% |
| Security & Identity | 7 | 0 | 100% |
| CI/CD & DevOps | 4 | 0 | 100% |
| Monitoring & Logging | 4 | 1 | 80% |
| Messaging & Queues | 3 | 1 | 75% |
| AI/ML Services | 6 | 9 | 40% |
| Marketplace Integration | 5 | 0 | 100% |
| CORE INFRASTRUCTURE | 44 | 3 | 94% |
| OVERALL (incl. optional) | 44 | 12 | 79% |

Counting note: the AI/ML row excludes ElevenLabs, which has been migrated to Amazon Polly and is shown struck through in section 9. The 12 non-AWS services in the OVERALL row are the 3 core services (Cloudflare R2, Sentry, Pusher) plus the 9 remaining user-selectable AI engines. The Storage & CDN figure is not a plain service-count ratio (2 of 3 would be 67%); it reflects Cloudflare R2 being backup-only, as noted in section 3.
Key Findings
- Core Infrastructure: 94% AWS-native (Compute, Database, Storage, Networking, Security, CI/CD)
- AI/ML Services: 40% AWS-native (6 of 15 engines: Bedrock + Polly; the 9 non-AWS engines are user-selectable options)
- TTS Migration Complete: ElevenLabs, Speechify, Google TTS → Amazon Polly (December 2025)
- FTR Compliance Path: Enable Bedrock-only mode to achieve 100% AWS AI/ML
- External Services: Social media APIs, payment processors are FTR-exempt (user-initiated/billing)
Complete AWS Services Inventory
1. Compute & Hosting (5 Services) - 100% AWS
| Service | Purpose | Configuration | Files |
|---|---|---|---|
| Amazon EC2 | Application servers | t3.medium, Amazon Linux 2023, PHP-FPM 8.2, Apache | infra/env-compute.yml, vell/prod-compute.yml |
| Application Load Balancer | HTTPS load balancing | Port 443, ACM certificate, health checks | infra/env-compute.yml |
| Auto Scaling Groups | Dynamic scaling | Min 2, Max 6, Target CPU 50% | infra/env-compute.yml |
| EC2 Image Builder | AMI automation | Amazon Linux 2023 base, PHP/Apache components | vell/prod-imagebuilder.yml |
| AWS Lambda | Serverless compute | Marketplace workflows, embedding generation | CloudFormation stacks |
Architecture:
Internet → CloudFront → ALB (HTTPS:443) → Auto Scaling Group (EC2)
                                                    ↓
                                             Launch Template
                                             - t3.medium
                                             - 20GB gp3 EBS
                                             - IMDSv2 enforced
                                             - PHP-FPM 8.2 + Apache
2. Database & Caching (3 Services) - 100% AWS
| Service | Purpose | Configuration | Files |
|---|---|---|---|
| Amazon Aurora MySQL | Primary database | Serverless v2 (0.5-32 ACUs), Multi-AZ, encrypted | infra/env-data.yml |
| Amazon ElastiCache | Redis caching | Redis 7.0, TLS enabled, cache.t4g.micro | infra/env-redis.yml |
| Amazon DynamoDB | NoSQL for workflows | Streams enabled, Lambda triggers | CloudFormation stacks |
Database Configuration:
Aurora MySQL Serverless v2:
├── Writer Instance: prod-data-dbinstancewriter-*.us-east-1.rds.amazonaws.com
├── Reader Instance: Auto-scaling read replicas
├── Scaling: 0.5 - 32 ACUs
├── Encryption: At-rest (KMS) + In-transit (TLS)
├── Backup: 7-day retention
├── Logs: audit, error, general, slowquery → CloudWatch
└── Performance Insights: 7-day retention
ElastiCache Redis:
├── Endpoint: master.prod-redis.m0zcou.use1.cache.amazonaws.com:6379
├── Engine: Redis 7.0
├── Encryption: TLS + At-rest
├── AUTH: Token from Secrets Manager
└── Usage: Sessions, Cache, Queue
3. Storage & CDN (3 Services) - 95% AWS
| Service | Purpose | Configuration | Status |
|---|---|---|---|
| Amazon S3 | Object storage | Versioned, encrypted, private | ✅ Primary |
| Amazon CloudFront | CDN distribution | OAC for S3, global edge | ✅ Active |
| Cloudflare R2 | Backup storage | S3-compatible API | ⚠️ Backup only |
S3 Buckets:
Production Buckets:
├── vell-iq-client-01 # Primary uploads
├── vell-ai-tenancy-01 # Bedrock/AI assets
├── {env}-app-assets-{account} # Static assets
├── {env}-app-logs-{account} # Application logs (90-day lifecycle)
└── {env}-codedeploy-artifacts # Deployment artifacts
Configuration:
├── Versioning: Enabled
├── Encryption: AES256 (SSE-S3)
├── Public Access: Blocked (account-level)
├── Presigned URLs: 7-day expiration (the SigV4 maximum)
└── CORS: Configured for app.vell.ai
Note on presigned URLs: a URL signed with temporary credentials (the EC2 instance role or a Lambda execution role) stops validating when those credentials expire, regardless of the 7-day lifetime requested at signing time. If download links genuinely need to live for days, sign them with a dedicated IAM user's long-term access key scoped to s3:GetObject on the upload bucket; otherwise treat the 7-day figure as an upper bound, not the guaranteed lifetime.
4. Networking & DNS (5 Services) - 100% AWS
| Service | Purpose | Configuration | Files |
|---|---|---|---|
| Amazon VPC | Network isolation | 10.42.0.0/16, 3 AZs | infra/env-vpc.yml |
| Amazon Route 53 | DNS management | vell.ai hosted zone | vell/prod-edge.yml |
| AWS Certificate Manager | SSL/TLS certs | *.vell.ai wildcard | vell/prod-edge.yml |
| AWS WAF | Web application firewall | Rate limiting, common attacks | vell/app-hardening.yml |
| NAT Gateway | Outbound internet | One per AZ (HA) | infra/env-vpc.yml |
VPC Architecture:
VPC: 10.42.0.0/16 (us-east-1)
├── Availability Zone A
│ ├── Public Subnet (10.42.0.0/24) → ALB, NAT Gateway
│ ├── App Subnet (10.42.10.0/24) → EC2 Instances
│ └── Data Subnet (10.42.20.0/24) → RDS, ElastiCache
├── Availability Zone B
│ ├── Public Subnet (10.42.1.0/24)
│ ├── App Subnet (10.42.11.0/24)
│ └── Data Subnet (10.42.21.0/24)
└── Availability Zone C
├── Public Subnet (10.42.2.0/24)
├── App Subnet (10.42.12.0/24)
└── Data Subnet (10.42.22.0/24)
Security Groups:
├── ALB-SG: Ingress 80, 443 from 0.0.0.0/0
├── App-SG: Ingress 80 from ALB-SG
├── Database-SG: Ingress 3306 from App-SG
└── Redis-SG: Ingress 6379 from App-SG
Caveat: because ALB-SG admits 0.0.0.0/0, the ALB is reachable without passing through CloudFront. If the WAF web ACL is associated only with the CloudFront distribution (the data-flow diagram below shows CloudFront → WAF → ALB), a client that resolves the ALB hostname directly bypasses it. Either restrict ALB-SG ingress to the CloudFront origin-facing managed prefix list or associate the web ACL with the ALB as well. The App-SG, Database-SG and Redis-SG rules should reference the upstream group ID rather than a CIDR, so the chain cannot be widened simply by placing a host in the right subnet.
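The chain above is simple enough to check mechanically against what is actually deployed. The following is an added example, not the platform's own tooling: it takes security groups in the shape `ec2:DescribeSecurityGroups` returns and reports any ingress that the documented tiering does not permit. The expected chain is taken from the listing above; the group IDs and the drifted rules are constructed for the example.

```python
"""Security-group tiering check for the ALB -> App -> Data chain.

Added example, not the platform's own tooling. Input follows the shape of the
SecurityGroups list returned by ec2:DescribeSecurityGroups; the group IDs and
rules below are constructed for this example."""

# Expected ingress per group: port -> allowed sources. A source is either a CIDR
# string or the *name* of another group in the chain (resolved via GroupId).
EXPECTED_INGRESS = {
    "ALB-SG": {80: {"0.0.0.0/0"}, 443: {"0.0.0.0/0"}},
    "App-SG": {80: {"ALB-SG"}},
    "Database-SG": {3306: {"App-SG"}},
    "Redis-SG": {6379: {"App-SG"}},
}


def _port_key(perm):
    """Single port as an int; anything wider (ranges, all traffic) as a string."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return lo if lo == hi else f"{lo}-{hi}"


def _sources(perm, id_to_name):
    """Every source a permission admits, with group IDs mapped to group names."""
    srcs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
    srcs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    srcs |= {id_to_name.get(p["GroupId"], p["GroupId"]) for p in perm.get("UserIdGroupPairs", [])}
    srcs |= {p["PrefixListId"] for p in perm.get("PrefixListIds", [])}
    return srcs


def check_tiering(groups, expected=EXPECTED_INGRESS):
    """Return finding strings for ingress not permitted by `expected`; [] means the chain is intact."""
    id_to_name = {g["GroupId"]: g["GroupName"] for g in groups}
    findings = []
    for g in groups:
        name = g["GroupName"]
        allowed = expected.get(name)
        if allowed is None:
            findings.append(f"{name}: group is not part of the expected chain")
            continue
        for perm in g.get("IpPermissions", []):
            port = _port_key(perm)
            for src in _sources(perm, id_to_name):
                # Port ranges and "all traffic" never match an expected single port.
                if not isinstance(port, int) or src not in allowed.get(port, set()):
                    findings.append(f"{name}: unexpected ingress {src} -> {perm['IpProtocol']}/{port}")
    return findings


def _sg(group_id, name, perms):
    return {"GroupId": group_id, "GroupName": name, "IpPermissions": perms}


def _tcp(port, cidrs=(), group_ids=()):
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": c} for c in cidrs],
        "UserIdGroupPairs": [{"GroupId": g} for g in group_ids],
    }


# Constructed sample: the documented chain, with hypothetical group IDs.
ALB, APP, DB, REDIS = "sg-0000000000000001", "sg-0000000000000002", "sg-0000000000000003", "sg-0000000000000004"
COMPLIANT_GROUPS = [
    _sg(ALB, "ALB-SG", [_tcp(80, cidrs=["0.0.0.0/0"]), _tcp(443, cidrs=["0.0.0.0/0"])]),
    _sg(APP, "App-SG", [_tcp(80, group_ids=[ALB])]),
    _sg(DB, "Database-SG", [_tcp(3306, group_ids=[APP])]),
    _sg(REDIS, "Redis-SG", [_tcp(6379, group_ids=[APP])]),
]

# Same chain after drift: SSH opened to the app tier and MySQL opened to all of 10/8.
DRIFTED_GROUPS = [
    COMPLIANT_GROUPS[0],
    _sg(APP, "App-SG", [_tcp(80, group_ids=[ALB]), _tcp(22, cidrs=["203.0.113.0/24"])]),
    _sg(DB, "Database-SG", [_tcp(3306, group_ids=[APP]), _tcp(3306, cidrs=["10.0.0.0/8"])]),
    COMPLIANT_GROUPS[3],
]

if __name__ == "__main__":
    for line in check_tiering(DRIFTED_GROUPS):
        print(line)
```

In practice `groups` is the SecurityGroups list from `describe_security_groups` filtered by VPC ID; running the check as a scheduled Lambda or an AWS Config custom rule turns the listing above into a continuously enforced invariant. The `0.0.0.0/0` entry on ALB-SG is accepted because the listing permits it; to enforce CloudFront-only ingress, replace that entry with the region's CloudFront origin-facing managed prefix list ID.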
5. Security & Identity (7 Services) - 100% AWS
| Service | Purpose | Configuration | Files |
|---|---|---|---|
| AWS IAM | Access management | Roles, policies, instance profiles | infra/env-security.yml |
| AWS Cognito | Enterprise SSO | User pools, OAuth 2.0, SAML | CloudFormation templates |
| AWS Secrets Manager | Credential storage | Database passwords, API keys | Auto-managed |
| AWS KMS | Encryption keys | Auto-rotation, audit trail | vell/baseline-security.yml |
| AWS Security Hub | Security posture | Centralized findings | vell/baseline-security.yml |
| Amazon GuardDuty | Threat detection | Managed detection over CloudTrail, VPC Flow Log and DNS log sources | vell/baseline-security.yml |
| AWS CloudTrail | API audit logging | Organization trail | vell/baseline-security.yml |
Security Architecture:
Identity & Access:
├── Cognito User Pool
│ ├── MFA: Optional software token
│ ├── Advanced Security: Enforced
│ ├── Token Validity: 1hr access, 30-day refresh
│ └── Custom Attributes: enterprise_org_id, marketplace_customer_id
├── IAM Roles
│ ├── EC2 Instance Role (S3, Secrets, CloudWatch, SSM, CodeDeploy)
│ ├── Bedrock Access Role (cross-account, External ID)
│ ├── Marketplace Connector Role (Catalog API)
│ └── Marketplace Entitlement Role (Metering API)
└── Cross-Account Access
├── External ID protection
├── Max session: 1 hour
└── Least privilege enforcement
Encryption:
├── At-Rest: KMS-managed keys (RDS, EBS, Secrets Manager); section 3 lists the S3 buckets as SSE-S3 (AES256) rather than SSE-KMS, so reconcile the two before submission
├── In-Transit: TLS 1.2+ (ALB, RDS, Redis, API calls)
└── Key Rotation: Automatic annual rotation
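The cross-account controls listed under Identity & Access (External ID on every cross-account grant, one-hour maximum session) can be verified directly from role metadata rather than by reading templates. The following is an added example, not the platform's own code: it audits roles in the shape `iam:GetRole` returns for a missing `sts:ExternalId` condition, wildcard principals and an over-long `MaxSessionDuration`. The two roles are constructed for the example; the only value taken from this document is the account ID.

```python
"""Audit IAM role trust policies for the cross-account controls listed above.

Added example, not the platform's own code. Input follows the shape of the
Role object returned by iam:GetRole; the two roles below are constructed for
this example and are not the platform's real role definitions."""
import json

OWN_ACCOUNT = "253265132499"      # account ID stated in this document
MAX_SESSION_SECONDS = 3600


def _as_list(value):
    """Policy grammar allows a scalar or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Account IDs named by a Principal element; '*' marks a wildcard."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for entry in _as_list(principal.get("AWS")):
        if entry == "*":
            accounts.add("*")
        elif entry.startswith("arn:aws:iam::"):
            accounts.add(entry.split(":")[4])   # arn:aws:iam::<account>:root or :role/...
        elif entry.isdigit():
            accounts.add(entry)                 # bare account ID form
    return accounts


def _requires_external_id(statement):
    cond = statement.get("Condition", {})
    return any("sts:ExternalId" in cond.get(op, {})
               for op in ("StringEquals", "StringEqualsIgnoreCase"))


def audit_role(role):
    """Return finding strings for one role; an empty list means compliant."""
    name = role["RoleName"]
    findings = []
    max_session = role.get("MaxSessionDuration", 3600)
    if max_session > MAX_SESSION_SECONDS:
        findings.append(f"{name}: MaxSessionDuration {max_session}s exceeds {MAX_SESSION_SECONDS}s")
    doc = role["AssumeRolePolicyDocument"]
    if isinstance(doc, str):                    # boto3 hands this over decoded; accept raw JSON too
        doc = json.loads(doc)
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        accounts = _principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts:
            findings.append(f"{name}: AssumeRole allowed from a wildcard principal")
            continue
        foreign = sorted(accounts - {OWN_ACCOUNT})
        if foreign and not _requires_external_id(stmt):
            findings.append(f"{name}: cross-account AssumeRole from {foreign} without sts:ExternalId condition")
    return findings


def audit_roles(roles):
    """Map role name -> findings for every non-compliant role."""
    report = {}
    for role in roles:
        findings = audit_role(role)
        if findings:
            report[role["RoleName"]] = findings
    return report


# Constructed sample roles (hypothetical names, AWS documentation example account 111122223333).
BEDROCK_ACCESS_ROLE = {   # mirrors the "cross-account, External ID" pattern listed above
    "RoleName": "BedrockAccessRole",
    "MaxSessionDuration": 3600,
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
        }],
    },
}
DRIFTED_ROLE = {          # same grant after the condition was dropped and the session limit raised
    "RoleName": "PartnerIntegrationRole",
    "MaxSessionDuration": 43200,
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::111122223333:root", OWN_ACCOUNT]},
            "Action": ["sts:AssumeRole", "sts:TagSession"],
        }],
    },
}

if __name__ == "__main__":
    print(json.dumps(audit_roles([BEDROCK_ACCESS_ROLE, DRIFTED_ROLE]), indent=2))
```

Feed it the output of `iam.list_roles()` (paginated) to cover the whole account; the same-account principal is excluded from the External ID requirement because the confused-deputy problem the condition guards against only arises for a foreign caller.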
6. CI/CD & DevOps (4 Services) - 100% AWS
| Service | Purpose | Configuration | Files |
|---|---|---|---|
| AWS CodePipeline | Deployment orchestration | Source → Build → Deploy | infra/env-pipeline.yml |
| AWS CodeBuild | Build automation | PHP 8.2, Node.js 20, Vite | buildspec.yml |
| AWS CodeDeploy | Application deployment | In-place, rolling updates | appspec.yml |
| AWS Systems Manager | Configuration management | Parameter Store, Session Manager | infra/env-security.yml |
CI/CD Pipeline:
GitHub Repository
↓ (CodeStar Connection)
┌──────────────────────────────────────────────────────────────┐
│ AWS CodePipeline │
├──────────────────────────────────────────────────────────────┤
│ Stage 1: Source │
│ └── Fetch from GitHub branch │
├──────────────────────────────────────────────────────────────┤
│ Stage 2: Build (CodeBuild) │
│ ├── Install PHP 8.2, Node.js 20 │
│ ├── composer install --optimize-autoloader │
│ ├── npm install && npm run build (Vite) │
│ ├── Clear Laravel caches │
│ └── Package artifacts → S3 │
├──────────────────────────────────────────────────────────────┤
│ Stage 3: Deploy (CodeDeploy) │
│ ├── BeforeInstall: Environment setup, health check │
│ ├── AfterInstall: Fetch secrets, migrate DB, build assets │
│ ├── ApplicationStart: Restart Apache, PHP-FPM │
│ └── ValidateService: Health check validation │
└──────────────────────────────────────────────────────────────┘
7. Monitoring & Logging (5 Services) - 80% AWS
| Service | Purpose | Configuration | Status |
|---|---|---|---|
| Amazon CloudWatch Logs | Centralized logging | Apache, PHP-FPM, Laravel logs | ✅ Active |
| Amazon CloudWatch Metrics | Performance monitoring | CPU, Memory, Request counts | ✅ Active |
| Amazon CloudWatch Alarms | Alerting | 5xx errors, unhealthy hosts | ✅ Active |
| AWS Config | Configuration compliance | S3 delivery, CloudWatch integration | ✅ Active |
| Sentry | Error tracking | Laravel integration | ⚠️ Non-AWS |
Log Groups:
CloudWatch Log Groups:
├── /{env}/apache (30-day retention)
├── /{env}/php-fpm (30-day retention)
├── /{env}/laravel (14-day retention)
├── RDS/aurora-mysql/audit
├── RDS/aurora-mysql/error
├── RDS/aurora-mysql/general
└── RDS/aurora-mysql/slowquery
Alarms:
├── ALB 5xx Error Count > 5 in 5 minutes
└── Target Group Unhealthy Hosts > 0
8. Messaging & Queues (4 Services) - 75% AWS
| Service | Purpose | Configuration | Status |
|---|---|---|---|
| Amazon SES | Transactional email | SMTP via email-smtp.us-east-1.amazonaws.com | ✅ Active |
| Amazon SNS | Marketplace notifications | Subscription events webhook | ✅ Active |
| Amazon SQS | Job queues (optional) | Laravel queue driver | ✅ Available |
| Pusher | Real-time WebSocket | Live chat, workflow updates | ⚠️ Non-AWS |
Migration Note: Pusher can be replaced with Amazon API Gateway WebSocket API for 100% AWS.
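The SNS subscription is the path by which AWS Marketplace tells the application about subscribe, unsubscribe and entitlement events, so the webhook handler must authenticate each message before it changes a tenant's access. The following is an added example, not the platform's SNS handler: it builds the canonical string SNS signs, confines the signing certificate to an `sns.<region>.amazonaws.com` origin, pins the expected TopicArn, and selects the hash for the signature version. The topic ARN and the sample message are constructed (the sample's Signature is a placeholder, so only the structural checks are exercised); the final RSA step uses the `cryptography` package.

```python
"""Validation of an Amazon SNS message before a Marketplace subscription
handler acts on it.

Added example, not the platform's handler. EXPECTED_TOPIC_ARN and the sample
message are constructed for this example; the Signature is a placeholder."""
import base64
import json
import re
from urllib.parse import urlparse

# Keys that enter the string-to-sign, in the order SNS specifies.
_NOTIFICATION_KEYS = ("Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type")
_CONFIRMATION_KEYS = ("Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type")
_CERT_HOST = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")


def canonical_string(msg):
    """'Key\\nValue\\n' pairs for the keys SNS signs; Subject only when present."""
    if msg.get("Type") == "Notification":
        keys = _NOTIFICATION_KEYS
    elif msg.get("Type") in ("SubscriptionConfirmation", "UnsubscribeConfirmation"):
        keys = _CONFIRMATION_KEYS
    else:
        raise ValueError(f"unsupported SNS message Type {msg.get('Type')!r}")
    return "".join(f"{k}\n{msg[k]}\n" for k in keys if k in msg)


def cert_url_is_trusted(url):
    """Only an https URL on an sns.<region>.amazonaws.com host may supply the signing certificate."""
    u = urlparse(url)
    return u.scheme == "https" and bool(_CERT_HOST.match(u.netloc)) and u.path.endswith(".pem")


def validate_envelope(msg, expected_topic_arn):
    """Checks that need no network; returns the hash name for the RSA step."""
    if msg.get("TopicArn") != expected_topic_arn:
        raise ValueError("TopicArn does not match the subscribed Marketplace topic")
    if not cert_url_is_trusted(msg.get("SigningCertURL", "")):
        raise ValueError("SigningCertURL is not an SNS endpoint")
    version = msg.get("SignatureVersion")
    if version == "1":
        return "sha1"       # SignatureVersion 1: SHA1withRSA
    if version == "2":
        return "sha256"     # SignatureVersion 2: SHA256withRSA
    raise ValueError(f"unsupported SignatureVersion {version!r}")


def verify_signature(msg, cert_pem, expected_topic_arn):
    """Envelope checks, then RSA PKCS#1 v1.5 over the canonical string with the fetched certificate.

    cert_pem is the body fetched from SigningCertURL *after* cert_url_is_trusted() accepted it.
    Raises cryptography.exceptions.InvalidSignature on a bad signature."""
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding

    hash_name = validate_envelope(msg, expected_topic_arn)
    algorithm = hashes.SHA1() if hash_name == "sha1" else hashes.SHA256()
    public_key = x509.load_pem_x509_certificate(cert_pem).public_key()
    public_key.verify(base64.b64decode(msg["Signature"]),
                      canonical_string(msg).encode("utf-8"),
                      padding.PKCS1v15(), algorithm)
    return json.loads(msg["Message"])   # Marketplace payload: action, customer-identifier, product-code


# Constructed sample (assumed topic ARN; placeholder Signature).
EXPECTED_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:aws-mp-subscription-notification-EXAMPLE"
SAMPLE_MESSAGE = {
    "Type": "Notification",
    "MessageId": "11111111-2222-3333-4444-555555555555",
    "TopicArn": EXPECTED_TOPIC_ARN,
    "Message": json.dumps({"action": "subscribe-success",
                           "customer-identifier": "EXAMPLE-CUSTOMER",
                           "product-code": "EXAMPLE-PRODUCT"}),
    "Timestamp": "2025-12-30T00:00:00.000Z",
    "SignatureVersion": "1",
    "Signature": base64.b64encode(b"placeholder").decode(),
    "SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-example.pem",
}

if __name__ == "__main__":
    print(validate_envelope(SAMPLE_MESSAGE, EXPECTED_TOPIC_ARN))
    print(canonical_string(SAMPLE_MESSAGE))
```

Two further points for the handler itself: fetch the certificate only after `cert_url_is_trusted` has accepted the URL (the URL check is what stops an attacker pointing the handler at a certificate they control), and treat the `customer-identifier` in the payload as a hint to be confirmed through the Entitlement API (`GetEntitlements`, section 10) rather than as proof that the customer's subscription state changed.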
9. AI/ML Services (15 Services) - 40% AWS (User-Selectable)
AWS Native AI/ML (6 Services)
| Service | Purpose | Models | Status |
|---|---|---|---|
| AWS Bedrock - Claude | Text generation | Claude 3 Haiku, Sonnet, Opus; Claude 3.5 Sonnet v2; Claude Sonnet 4.5 | ✅ Active |
| AWS Bedrock - Stable Diffusion | Image generation | SDXL 1.0 | ✅ Active |
| AWS Bedrock - Nova | Text/Image generation | Nova Micro, Lite, Pro, Premier; Nova Canvas | ✅ Active |
| Amazon Polly | Text-to-speech | Neural voices (Matthew, Joanna, Amy, etc.), 10+ languages | ✅ Active |
| AWS Bedrock - Guardrails | Content safety | PII filtering, topic blocking, brand safety | ✅ Active |
| AWS Bedrock - Knowledge Base | RAG retrieval | Document retrieval, embeddings | ✅ Active |
Non-AWS AI/ML (9 Services - User-Selectable Engines; ElevenLabs migrated and no longer counted)
| Service | Purpose | Migration Path | Priority |
|---|---|---|---|
| OpenAI | GPT-4o, DALL-E, TTS | → Bedrock Claude/SD/Polly | HIGH |
| Google Gemini | Gemini 1.5/2.0/2.5 | → Bedrock Claude | HIGH |
| Anthropic Direct | Claude via API | → Bedrock Claude | HIGH |
| DeepSeek | DeepSeek Chat | → Bedrock Claude | MEDIUM |
| Perplexity | Sonar search AI | → Bedrock + custom RAG | LOW |
| X.AI (Grok) | Grok models | → Bedrock Claude | LOW |
| OpenRouter | LLM aggregator | → Bedrock Claude | MEDIUM |
| Together AI | Image generation | → Bedrock SD | LOW |
| Azure OpenAI | Azure-hosted GPT | → Bedrock Claude | MEDIUM |
| ~~ElevenLabs~~ | ~~Voice synthesis~~ | ✅ Migrated to Amazon Polly | COMPLETED |
FTR Compliance Strategy:
1. Default new users to Bedrock engines
2. Enable "AWS-only mode" for Marketplace deployments
3. Gradually deprecate non-AWS engine drivers
10. AWS Marketplace Integration (5 Services) - 100% AWS
| Service | Purpose | Operations | Files |
|---|---|---|---|
| Marketplace Catalog API | Listing management | DescribeEntity, StartChangeSet | CloudFormation |
| Marketplace Agreement API | Contract tracking | SearchAgreements, GetTerms | AgreementService.php |
| Marketplace Metering API | Usage reporting | BatchMeterUsage | MarketplaceEntitlementService.php |
| Marketplace Entitlement API | Subscription verification | ResolveCustomer, GetEntitlements | MarketplaceEntitlementService.php |
| AWS CleanRooms | Partner data collaboration | Secure account overlap analysis | CleanRoomsService.php |
Non-AWS Services Analysis
FTR-Exempt Services (Required External)
These services are exempt from AWS-native requirements per FTR policy:
| Category | Services | Justification |
|---|---|---|
| Payment Processing | Stripe, PayPal, Razorpay, Paddle | Billing/commerce - AWS-exempt |
| Social Media APIs | LinkedIn, Twitter, Instagram, TikTok | User-initiated publishing |
| OAuth Providers | Google, Apple, GitHub, Facebook | Standard social login |
| reCAPTCHA | Google reCAPTCHA | Security/bot prevention |
Optional Non-AWS Services (Path to 100%)
| Category | Service | AWS Alternative | Migration Status | Timeline |
|---|---|---|---|---|
| Error Tracking | Sentry | CloudWatch Logs + X-Ray | Planned | Jan 2026 |
| Real-time | Pusher | API Gateway WebSocket API | Planned | Feb 2026 |
| Backup Storage | Cloudflare R2 | S3 Cross-Region Replication | Planned | Jan 2026 |
| CRM | HubSpot, Xero | N/A (business tools, FTR-exempt) | Keep as-is | N/A |
| AI Engines | OpenAI, Gemini, etc. | AWS Bedrock | User-selectable | Bedrock default |
Migration Details:
- Cloudflare R2: S3 is already primary storage; R2 is backup only. Migration is 1-2 days effort.
- Sentry: CloudWatch is already deployed; Sentry is supplementary. Migration is 3-5 days effort.
- Pusher: Requires new API Gateway WebSocket + Lambda. Migration is 5-7 days effort.
- Target: 100% AWS-Native by Feb 15, 2026
Architecture Diagrams (Figma-Ready)
High-Level Architecture
┌─────────────────────────────────────────────────────────────────────────────────┐
│ VELLOCITY PLATFORM │
│ AWS Account: 253265132499 │
│ Region: us-east-1 │
├─────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────────────────────────────────────────────────────────────┐ │
│ │ EDGE LAYER │ │
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │
│ │ │ Route 53 │ │ CloudFront │ │ WAF │ │ │
│ │ │ (DNS) │ │ (CDN) │ │ (Security) │ │ │
│ │ └──────┬──────┘ └──────┬──────┘ └──────┬──────┘ │ │
│ └─────────┼─────────────────┼─────────────────┼────────────────────────┘ │
│ │ │ │ │
│ ┌─────────▼─────────────────▼─────────────────▼────────────────────────┐ │
│ │ APPLICATION LAYER │ │
│ │ ┌─────────────┐ ┌─────────────────────────────────────────────┐ │ │
│ │ │ ALB │ │ Auto Scaling Group │ │ │
│ │ │ (HTTPS) │──▶│ ┌───────────┐ ┌───────────┐ ┌─────────┐ │ │ │
│ │ │ │ │ │ EC2 │ │ EC2 │ │ EC2 │ │ │ │
│ │ └─────────────┘ │ │ (PHP-FPM) │ │ (PHP-FPM) │ │(PHP-FPM)│ │ │ │
│ │ │ └───────────┘ └───────────┘ └─────────┘ │ │ │
│ │ └─────────────────────────────────────────────┘ │ │
│ └──────────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ┌─────────────────────────────────▼────────────────────────────────────┐ │
│ │ DATA LAYER │ │
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │
│ │ │ Aurora │ │ ElastiCache │ │ S3 │ │ │
│ │ │ MySQL │ │ (Redis) │ │ (Storage) │ │ │
│ │ │ Serverless │ │ │ │ │ │ │
│ │ └─────────────┘ └─────────────┘ └─────────────┘ │ │
│ └──────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────────────────────────┐ │
│ │ AI/ML LAYER │ │
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌───────────┐ │ │
│ │ │ Bedrock │ │ Bedrock │ │ Bedrock │ │ Polly │ │ │
│ │ │ Claude │ │ Stable Diff │ │ Nova │ │ (TTS) │ │ │
│ │ └─────────────┘ └─────────────┘ └─────────────┘ └───────────┘ │ │
│ └──────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────────────────────────┐ │
│ │ MARKETPLACE INTEGRATION │ │
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌───────────┐ │ │
│ │ │ Catalog │ │ Agreement │ │ Metering │ │CleanRooms │ │ │
│ │ │ API │ │ API │ │ API │ │ (Collab) │ │ │
│ │ └─────────────┘ └─────────────┘ └─────────────┘ └───────────┘ │ │
│ └──────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────────────────────────────┐ │
│ │ SECURITY LAYER │ │
│ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │
│ │ │ IAM │ │ Cognito │ │ Secrets │ │ KMS │ │GuardDuty│ │ │
│ │ │ Roles │ │ (SSO) │ │ Manager │ │ (Keys) │ │(Threats)│ │ │
│ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │ │
│ └──────────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────────┘
CI/CD Pipeline Architecture
┌─────────────────────────────────────────────────────────────────────────────────┐
│ CI/CD PIPELINE │
├─────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌───────────┐ ┌─────────────────────────────────────────────────────────┐ │
│ │ GitHub │ │ AWS CodePipeline │ │
│ │ Repo │───▶│ │ │
│ └───────────┘ │ ┌─────────┐ ┌─────────┐ ┌─────────────────────┐ │ │
│ │ │ Source │───▶│ Build │───▶│ Deploy │ │ │
│ │ │ Stage │ │ Stage │ │ Stage │ │ │
│ │ └─────────┘ └────┬────┘ └──────────┬──────────┘ │ │
│ │ │ │ │ │
│ └──────────────────────┼─────────────────────┼─────────────┘ │
│ │ │ │
│ ┌───────────────────────────────────────▼───────────────────┐ │ │
│ │ AWS CodeBuild │ │ │
│ │ ┌─────────────────────────────────────────────────────┐ │ │ │
│ │ │ buildspec.yml │ │ │ │
│ │ │ ├── Install PHP 8.2, Node.js 20 │ │ │ │
│ │ │ ├── composer install --optimize-autoloader │ │ │ │
│ │ │ ├── npm install && npm run build │ │ │ │
│ │ │ └── Package to S3 artifacts bucket │ │ │ │
│ │ └─────────────────────────────────────────────────────┘ │ │ │
│ └───────────────────────────────────────────────────────────┘ │ │
│ │ │
│ ┌──────────────────────────────────────────────────────────────▼──────────────┐│
│ │ AWS CodeDeploy ││
│ │ ┌─────────────────────────────────────────────────────────────────────────┐││
│ │ │ appspec.yml │││
│ │ │ ├── BeforeInstall: Setup environment, health checks │││
│ │ │ ├── AfterInstall: Fetch secrets, run migrations, build frontend │││
│ │ │ ├── ApplicationStart: Restart Apache, PHP-FPM, queue workers │││
│ │ │ └── ValidateService: Health check validation │││
│ │ └─────────────────────────────────────────────────────────────────────────┘││
│ │ ↓ ││
│ │ ┌─────────────────────────────────────────────────────────────────────────┐││
│ │ │ Auto Scaling Group (Rolling Update) │││
│ │ │ ┌───────┐ ┌───────┐ ┌───────┐ ┌───────┐ │││
│ │ │ │ EC2-1 │ │ EC2-2 │ │ EC2-3 │ │ EC2-n │ │││
│ │ │ │Updated│ │Updated│ │ ... │ │ ... │ │││
│ │ │ └───────┘ └───────┘ └───────┘ └───────┘ │││
│ │ └─────────────────────────────────────────────────────────────────────────┘││
│ └─────────────────────────────────────────────────────────────────────────────┘│
│ │
└───────────────────────────────────────────────────────────────────────────────────┘
Data Flow Architecture
┌─────────────────────────────────────────────────────────────────────────────────┐
│ DATA FLOW ARCHITECTURE │
├─────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌────────────┐ │
│ │ Client │ │
│ │ Browser │ │
│ └─────┬──────┘ │
│ │ HTTPS │
│ ┌─────▼──────────────────────────────────────────────────────────────────────┐│
│ │ REQUEST FLOW ││
│ │ ││
│ │ CloudFront ──▶ WAF ──▶ ALB ──▶ EC2 (Laravel) ││
│ │ │ ││
│ │ ┌─────────┼─────────┐ ││
│ │ ▼ ▼ ▼ ││
│ │ ┌────────┐ ┌────────┐ ┌────────┐ ││
│ │ │ Aurora │ │ Redis │ │ S3 │ ││
│ │ │ MySQL │ │ Cache │ │Storage │ ││
│ │ └────────┘ └────────┘ └────────┘ ││
│ └─────────────────────────────────────────────────────────────────────────────┘│
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────┐│
│ │ AI WORKFLOW FLOW ││
│ │ ││
│ │ User Request ││
│ │ │ ││
│ │ ▼ ││
│ │ ┌─────────┐ ┌─────────┐ ┌─────────────┐ ┌─────────────┐ ││
│ │ │ Laravel │───▶│DynamoDB │───▶│ Lambda │───▶│ Bedrock │ ││
│ │ │ App │ │ (State) │ │(Processing) │ │ (Claude) │ ││
│ │ └─────────┘ └─────────┘ └─────────────┘ └─────────────┘ ││
│ │ │ │ │ │ ││
│ │ │ │ │ │ ││
│ │ │ └───────────────┼───────────────────┘ ││
│ │ │ │ ││
│ │ │ ▼ ││
│ │ │ ┌───────────┐ ││
│ │ │ │ S3 │ ││
│ │ │ │ (Results) │ ││
│ │ │ └───────────┘ ││
│ │ │ │ ││
│ │ └──────────────────────────────┘ ││
│ │ (Retrieve Results) ││
│ └─────────────────────────────────────────────────────────────────────────────┘│
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────┐│
│ │ MARKETPLACE INTEGRATION FLOW ││
│ │ ││
│ │ AWS Marketplace ││
│ │ │ ││
│ │ ▼ ││
│ │ ┌─────────┐ ┌─────────┐ ┌─────────────┐ ││
│ │ │ SNS │───▶│ Laravel │───▶│ Metering │ ││
│ │ │(Webhook)│ │ App │ │ API │ ││
│ │ └─────────┘ └────┬────┘ └─────────────┘ ││
│ │ │ ││
│ │ ▼ ││
│ │ ┌─────────┐ ││
│ │ │Cognito │ ││
│ │ │ (SSO) │ ││
│ │ └─────────┘ ││
│ └─────────────────────────────────────────────────────────────────────────────┘│
│ │
└─────────────────────────────────────────────────────────────────────────────────┘
FTR Compliance Summary
Current Compliance Status
| Requirement | Status | Notes |
|---|---|---|
| Core infrastructure on AWS | ✅ 94% | EC2, RDS, S3, VPC - all AWS |
| AI/ML on AWS | ⚠️ 40% | Bedrock + Polly active; 9 non-AWS engines user-selectable |
| Data storage on AWS | ✅ 100% | Aurora MySQL, DynamoDB, S3 |
| Compute on AWS | ✅ 100% | EC2, Lambda, Auto Scaling |
| Security on AWS | ✅ 100% | IAM, Cognito, KMS, Secrets Manager |
| Marketplace integration | ✅ 100% | All Marketplace APIs |
| Text-to-Speech on AWS | ✅ 100% | Amazon Polly (ElevenLabs, Speechify, Google removed) |
Bedrock-Only Mode (AWS FTR Compliance)
The platform supports a bedrock_only_mode setting that restricts all AI/ML operations to AWS-native services:
// Enable via SettingTwo->bedrock_only_mode = true
// Check with: EngineEnum::isBedrockOnlyMode()
// Available engines: EngineEnum::getAvailableEngines()
When enabled:
- Only AWS Bedrock (Claude, Nova, Titan, Stable Diffusion) and Polly are available
- Non-AWS LLM providers (OpenAI, Gemini, etc.) are hidden from users
- Achieves 100% AWS AI/ML compliance for FTR
Path to 100% AWS AI/ML
- ✅ Default Configuration: Bedrock Claude set as default for new users
- ✅ AWS-Only Mode:
bedrock_only_mode flag implemented
- ⏳ Gradual Migration: Deprecate non-AWS engine drivers over time
- ✅ TTS Migration: Amazon Polly integrated, non-AWS TTS removed
Exempt Services (Per FTR Policy)
- Payment Processing: Stripe, PayPal (billing exempt)
- Social Publishing: LinkedIn, Twitter (user-initiated)
- OAuth Providers: Google, Apple, GitHub (authentication)
CloudFormation Stacks
| Stack | Purpose | Template |
|---|---|---|
| prod-vpc | VPC, subnets, NAT gateways | vell/prod-vpc.yml |
| prod-security | IAM roles, security groups | infra/env-security.yml |
| prod-compute | ALB, ASG, Launch Template | vell/prod-compute.yml |
| prod-data | Aurora MySQL cluster | infra/env-data.yml |
| prod-redis | ElastiCache Redis | infra/env-redis.yml |
| prod-storage | S3 buckets, lifecycle rules | infra/env-storage.yml |
| prod-edge | CloudFront, Route53, ACM | vell/prod-edge.yml |
| prod-obs | CloudWatch logs, alarms | vell/prod-obs.yml |
| prod-pipeline | CodePipeline, CodeBuild, CodeDeploy | infra/env-pipeline.yml |
| prod-imagebuilder | EC2 Image Builder | vell/prod-imagebuilder.yml |
| baseline-security | CloudTrail, Config, GuardDuty, Security Hub | vell/baseline-security.yml |
| app-hardening | WAF, Route53 query logging | vell/app-hardening.yml |
AWS Account Details
| Attribute | Value |
|---|---|
| Account ID | 253265132499 |
| Primary Region | us-east-1 |
| Backup Region | us-west-2 (Bedrock fallback) |
| Domain | app.vell.ai |
| Hosted Zone ID | Z03310081OFYKR4PREURF |
| ACM Certificate | arn:aws:acm:us-east-1:253265132499:certificate/1776d484-5e23-40bb-b84f-f42568574d1f |
References
- Infrastructure Templates:
/home/user/vell-main/infra/
- Production Stacks:
/home/user/vell-main/vell/
- Build Configuration:
/home/user/vell-main/buildspec.yml
- Deploy Configuration:
/home/user/vell-main/appspec.yml
- AWS Services Code:
/home/user/vell-main/app/CustomExtensions/CloudMarketplace/System/Services/AWS/
- Bedrock Integration:
/home/user/vell-main/app/Services/Bedrock/
- Engine Drivers:
/home/user/vell-main/app/Domains/Engine/Drivers/
Document Version 2.1 - Updated 2025-12-30 with 100% AWS migration timeline
For FTR submission questions, contact AWS Marketplace Seller Operations
See also: docs/AWS_ISV_ACCELERATE_READINESS.md for partner first-call reference