AWS Deployment
Use ECS/EKS with managed Postgres (RDS/Aurora), Redis, and S3-backed artifact storage. Terminate TLS at ALB/NLB + NGINX edge pattern.
Installation & Deployment Guidance
Deploy CyberTax Across AWS, On-Prem, or Hybrid Environments
This guide summarizes infrastructure minimums, environment dependencies, identity setup, AI integration, and secure deployment patterns for CyberTax operations.
High-Level Installation Guide
- Provision PostgreSQL, Redis, and artifact storage according to target security boundary.
- Configure environment variables and secrets for backend, worker, and frontend services.
- Deploy with container orchestration using the provided compose baseline and hardened ingress.
- Configure identity providers in the Administration area (SAML, OIDC, or LDAP).
- Enable Bedrock model access and verify AI scoring and report generation workflows.
Minimum Infrastructure Requirements
| Deployment Profile | App CPU | App Memory | Database Baseline | Notes |
|---|---|---|---|---|
| Pilot / Single System | 4 vCPU | 8 GB RAM | PostgreSQL 16 (2 vCPU, 4 GB RAM) | Suitable for limited concurrent assessor and ISSO/ISSM activity. |
| Program Office / Multi-System | 8-16 vCPU | 16-32 GB RAM | PostgreSQL 16 (4+ vCPU, 8+ GB RAM, managed recommended) | Supports broader multi-tenant and report generation workloads. |
| SAP / Controlled Environment | 16+ vCPU | 32+ GB RAM | PostgreSQL 16 HA topology with backup controls | Designed for higher-assurance workflows and controlled operations. |
On-Prem Deployment
Run containers in a segmented enclave with internal Postgres/Redis services, enterprise IdP integration, and controlled artifact storage volumes.
Hybrid Deployment
Keep application stack in cloud while integrating on-prem identity, logging, and governance systems through controlled network boundaries.
Required External Dependencies
Core Platform Dependencies
- Relational database: PostgreSQL 16 baseline.
- Queue/cache service: Redis 7 baseline for worker execution.
- Artifact storage: local volume for development, S3-compatible object storage for production.
Identity & Access Dependencies
- Identity provider integration via OIDC, SAML, or LDAP.
- TLS termination and certificate management for all user/API ingress.
- Least-privilege IAM for Bedrock invocation and artifact storage access.
Identity Provider Configuration (SAML / OIDC / LDAP)
OIDC
- Create an OIDC application in your IdP.
- Register redirect URIs exposed by CyberTax.
- Set issuer URL, client ID, and secret reference in Admin - Identity Providers.
SAML
- Import SAML metadata URL or XML in Admin - Identity Providers.
- Verify entity ID, ACS URL, and IdP SSO URL mapping.
- Configure signing/encryption certificate references and test connection.
LDAP
- Set LDAP URL, base DN, bind DN, and secret reference.
- Define user/group filters and attribute mapping.
- Enable StartTLS where required and validate connectivity.
AWS Bedrock Integration Guidance
Bedrock integration requires model access enablement, least-privilege IAM policy assignment, and runtime environment configuration.
# Backend environment baseline BEDROCK_MODEL_ID=anthropic.claude-3-sonnet-20240229-v1:0 AWS_REGION=us-east-1 STORAGE_BACKEND=s3 S3_BUCKET=your-cybertax-artifacts
Use the baseline policy template at deploy/iam-bedrock-policy.json and validate model invocation permissions before enabling production scoring.
Helm Chart Guidance Reference
For Kubernetes deployments, use the CyberTax Helm release package provided with your environment baseline and align values with the same configuration keys used by the compose deployment profile.
# Example deployment flow (adjust chart path/repo for your release package) helm upgrade --install cybertax ./charts/cybertax \ --namespace cybertax \ --create-namespace \ --set image.tag=<release-tag> \ --set env.AWS_REGION=<region> \ --set env.BEDROCK_MODEL_ID=<model-id>
Validate ingress, secret references, and storage classes against your enclave policy before promoting a Helm release to production.
Security Architecture & Data Protection
Security Architecture Overview
- HTTPS-only ingress with TLS 1.2+ and HSTS controls.
- Role and tenant-scoped authorization across API resources.
- Administrative audit logging and authentication event tracking.
Storage & Encryption Practices
- Data in transit protected through TLS at edge and API layers.
- Artifact encryption at rest via object storage server-side encryption policies.
- Database-at-rest encryption handled by platform-managed controls (for managed DB deployments).
Recommended Deployment Architecture
Users (ISSO/ISSM/SCA/AO)
->
TLS Edge / NGINX
Next.js Frontend
FastAPI Backend
Celery Worker
PostgreSQL
Redis
Artifact Storage (S3/Local)
AWS Bedrock
Version Compatibility Matrix
| Component | Supported / Baseline Version | Source |
|---|---|---|
| Python Runtime | 3.12.x | backend Dockerfile base image |
| Node Runtime | 20.x | frontend Dockerfile base image |
| PostgreSQL | 16.x | docker-compose production baseline |
| Redis | 7.x | docker-compose worker queue baseline |
| FastAPI + SQLAlchemy | Current project dependencies | backend/requirements.txt |
| Next.js | 16.x | frontend build output baseline |