
AWS Architecture

Last Updated: 2026-03-06
Sources: .state/discovered-accounts.json (247 accounts), .state/org-ous.json (17 OUs), .state/discovered-scps.json (19 SCPs), .state/upstream-status.json

Executive Summary

The NDX:Try AWS platform operates within a single AWS Organization (o-4g8nrlnr9s) managed by account 955063685555. The organization contains 117 accounts: 110 pool accounts for sandbox workloads, 1 hub account (568672915267) running the ISB control plane, and 6 supporting infrastructure accounts (Network, Perimeter, SharedServices, Audit, LogArchive, and the management account itself). All ISB operations are restricted to us-east-1 and us-west-2 regions, with the primary deployment in us-east-1.


Organization Structure (117 Accounts, 10 OUs)

Account Inventory Summary

| Category | Count | Examples |
|---|---|---|
| Management | 1 | gds-ndx-try-aws-org-management (955063685555) |
| ISB Hub | 1 | InnovationSandboxHub (568672915267) |
| Pool Accounts | 110 | pool-001 through pool-121 |
| Security | 2 | Audit (406429476767), LogArchive (408585017257) |
| Infrastructure | 3 | Network, Perimeter, SharedServices |
| Total | 117 | |

All pool account emails follow the pattern: ndx-try-provider+gds-ndx-try-aws-pool-NNN@dsit.gov.uk


Hub Account (568672915267) Architecture


Pool Account Lifecycle

OU-Based State Management

Pool accounts move between child OUs under ndx_InnovationSandboxAccountPool based on their lifecycle state. Different SCPs are attached to each OU to enforce appropriate restrictions.


Service Control Policies (19 SCPs)

SCP Hierarchy

ISB-Specific SCP Summary

| SCP | Applied To | Description |
|---|---|---|
| InnovationSandboxRestrictionsScp | Pool OU | Region restrictions (us-east-1, us-west-2), network isolation |
| InnovationSandboxAwsNukeSupportedServicesScp | Pool OU | Only allow services that AWS Nuke can clean |
| InnovationSandboxProtectISBResourcesScp | Pool OU | Prevent modification of ISB control plane resources |
| InnovationSandboxWriteProtectionScp | Available + Quarantine OUs | Read-only access (no create/modify) |
| InnovationSandboxCostAvoidanceComputeScp | Active OU | Restrict EC2, EBS, RDS, EKS instance types |
| InnovationSandboxCostAvoidanceServicesScp | Active OU | Block SageMaker, EMR, Redshift, Neptune |
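As an added illustration (not code from the ISB project or from this document), the Python below models how the SCPs attached to the parent Pool OU and to the lifecycle child OUs combine for a single API call. The two policy bodies, the OU-to-SCP mapping and the action wildcards are assumptions modelled on the SCP descriptions in the table above, not the deployed policy documents.

```python
import fnmatch

ALLOWED_REGIONS = ["us-east-1", "us-west-2"]
# Assumed policy modelled on InnovationSandboxRestrictionsScp (not the real
# document): deny outside the allowed regions, except global-service calls.
RESTRICTIONS_SCP = {"Statement": [{
    "Effect": "Deny",
    "NotAction": ["cloudfront:*", "route53:*", "organizations:*", "sso:*",
                  "iam:*", "sts:*", "support:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
}]}

# Assumed policy modelled on InnovationSandboxWriteProtectionScp: block the
# common create/modify verbs so an Available or Quarantine account is read-only.
WRITE_PROTECTION_SCP = {"Statement": [{
    "Effect": "Deny",
    "Action": ["*:Create*", "*:Put*", "*:Update*", "*:Delete*",
               "*:Run*", "*:Start*", "*:Modify*"],
    "Resource": "*",
}]}

# SCPs attached to the parent Pool OU are inherited by every lifecycle child
# OU, so each child sees the parent's policies plus its own.
OU_SCPS = {
    "Active": [RESTRICTIONS_SCP],
    "Available": [RESTRICTIONS_SCP, WRITE_PROTECTION_SCP],
    "Quarantine": [RESTRICTIONS_SCP, WRITE_PROTECTION_SCP],
}

def _matches(patterns, action):
    # IAM action names match case-insensitively with * wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _statement_denies(stmt, action, region):
    if stmt["Effect"] != "Deny":
        return False
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False  # exempted action, statement does not apply
    allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    if allowed is not None and region in allowed:
        return False  # region condition not met, no deny
    return True

def is_denied(ou, action, region):
    """True if any SCP reachable from the account's lifecycle OU denies the call."""
    return any(_statement_denies(s, action, region)
               for scp in OU_SCPS[ou] for s in scp["Statement"])
```

Because SCPs only ever remove permissions, a call that is not denied here still needs an IAM allow inside the pool account to succeed.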

Cross-Account Trust Relationships

Hub to Pool Accounts

Hub to Organization Management


Network Architecture

Hub Account VPC (LZA Managed)

VPC: 10.0.0.0/16 (approximate - LZA configured)
+-- Public Subnets (us-east-1a, 1b, 1c)
|   +-- NAT Gateways (for Lambda internet access)
|   +-- Internet Gateway
+-- Private Subnets (us-east-1a, 1b, 1c)
    +-- Lambda ENIs (for VPC-attached functions)
    +-- CodeBuild (for AWS Nuke execution)

Pool Accounts

Pool accounts have no pre-configured networking. Users can create their own VPCs subject to SCP restrictions (region-limited to us-east-1 and us-west-2).


Region Usage

Primary: us-east-1

All ISB Core Lambda functions, DynamoDB tables, API Gateway, Step Functions, CodeBuild, and EventBridge are deployed in us-east-1.

Secondary: us-west-2

Available as a secondary region for pool account workloads per SCP restrictions. Pool accounts may create resources in both us-east-1 and us-west-2.

Global Services

| Service | Scope |
|---|---|
| CloudFront | Edge locations worldwide |
| Identity Center | Global service |
| Organizations | Global service |
| Route 53 | Global DNS |

Cross-Region Access

| Source | Target | Purpose |
|---|---|---|
| Hub (us-east-1) | Bedrock (us-east-1) | AI scoring |
| Hub (us-east-1) | Cost Explorer (us-east-1) | Billing data |
| Hub (us-east-1) | S3 (us-east-1) | Screenshots bucket |

AWS Service Usage Map

| Service | Usage | Account(s) | Count |
|---|---|---|---|
| Lambda | Core functions + satellites | Hub | 21+ functions |
| DynamoDB | Data persistence | Hub | 6 tables |
| S3 | Storage, frontend, templates, exports | Hub, Pool | 15+ buckets |
| API Gateway | REST API (ISB) | Hub | 1 API |
| EventBridge | Event-driven architecture | Hub | 1 custom bus, 10+ rules |
| Step Functions | Cleanup + approval workflows | Hub | 2 state machines |
| CodeBuild | AWS Nuke execution | Hub | 1 project |
| EventBridge Scheduler | Per-lease cost collection delays | Hub | Dynamic schedules |
| SQS | Billing separator delay queue | Hub | 2 queues (+DLQs) |
| Secrets Manager | GitHub token, IDC config, API keys | Hub | 3+ secrets |
| CloudFormation | IaC deployments | Hub, Pool | 20+ stacks |
| Organizations | Multi-account management | Management | 1 org, 10 OUs |
| Identity Center | SSO authentication | Organization | 1 instance |
| Cost Explorer | Billing data API | Management | API access |
| Bedrock | AI risk assessment | us-east-1 | Model invocations |
| CloudFront | CDN for ISB + NDX frontends | Hub | 2 distributions |
| Cognito | JWT authentication | Hub | 1 user pool |
| SNS | Alerting | Hub | 3+ topics |
| CloudWatch | Logs, metrics, alarms | All accounts | Full stack |
| KMS | Encryption | Hub | Multiple CMKs |

Disaster Recovery

Current State: Single-Region (us-east-1)

| Metric | Value |
|---|---|
| Recovery Time Objective (RTO) | ~4-8 hours |
| Recovery Point Objective (RPO) | ~1 hour (DynamoDB PITR) |

Backup Strategy

  • DynamoDB Point-in-Time Recovery (35 days retention)
  • DynamoDB automated daily backups
  • S3 versioning enabled on critical buckets
  • All infrastructure defined as code (CDK + Terraform + LZA)

Failover Plan

  1. Deploy ISB Core to us-west-2 (backup region)
  2. Restore DynamoDB tables from PITR
  3. Update DNS/CloudFront to point to new region
  4. Redeploy satellite stacks
  5. Reconfigure Identity Center integration

Limitation: Manual failover process with no active-active deployment.


Cost Profile

Monthly Estimate (Platform Infrastructure Only)

| Service | Monthly Cost (est.) | Notes |
|---|---|---|
| Lambda | ~$65 | 21+ functions, on-demand |
| DynamoDB | ~$50 | 6 tables, on-demand mode |
| NAT Gateway | ~$40 | Data transfer charges |
| Cost Explorer API | ~$12 | 100 req/hour limit |
| EventBridge | ~$10 | Custom bus + rules |
| S3 | ~$9 | Multiple buckets |
| Bedrock (Claude 3) | ~$3 | ~$0.0024/approval |
| CloudWatch | ~$6 | Logs, metrics, alarms |
| Secrets Manager | ~$4 | 3+ secrets |
| Other | ~$8 | SNS, SQS, CodeBuild |
| Total | ~$207/month | Platform only (excludes pool usage) |

References


Generated from source analysis. See 00-repo-inventory.md for full inventory.