Required AWS Services

This page provides a list of required Amazon Web Service (AWS) services.

The Tetra Data Platform (TDP) is deployed from two CloudFormation stacks, each containing multiple nested stacks. The stacks are packaged, versioned, and made available to clients as AWS ServiceCatalog products.

Application code is containerized and runs on Amazon’s Elastic Container Service (ECS). Some code also runs in AWS Lambda. Data is stored in S3; resource-intensive auxiliary services like Elasticsearch, and Postgres Database have dedicated clusters.

📘

VPC Endpoints

If your private subnets [where the Tetra Data Platform (TDP) is deployed] are restricted, and do not have outbound access to the internet, then please read VPC Endpoints for important details.

Versions

You can find all software versions within the installation scripts.

Supported AWS Regions

These AWS regions are supported for deployment:

Region NameLocation
ap-northeast-1Asia Pacific (Tokyo)
eu-central-1Europe (Frankfurt)
eu-west-1Europe (Ireland)
us-east-1US East (N. Virginia)
us-east-2US East (Ohio)
us-west-2US West (Oregon)

Upgrades

All of the AWS components listed in the table are tested together internally by TetraScience. Upgrading to a new TDP version will also upgrade selected AWS components (as necessary).

AWS Services

This table provides details for the AWS Services currently used:

MicroserviceDescriptionFor More Information
AWS AthenaAn interactive query service that allows you to analyze data in Amazon S3 using SQL.

Set of parsers that convert the data into numerical or tabular data useful for the data scientist.
AWS Athena Page
AWS AutoScalingMonitors applications and automatically adjusts capacity to maintain steady, predictable performance.AWS AutoScaling Page
AWS CloudFormationModels a collection of related AWS and third-party resources, and provisions and manages them throughout their lifecycles, by treating infrastructure as code.

TDP is deployed on two CloudFormation stacks.
CloudFormation
AWS CloudTrailService that enables governance, compliance, operational auditing, and risk auditing of an AWS account. Logs, continuously monitors, and retains account activity related to actions across a customer's AWS infrastructure.

There is active logging and monitoring implemented using CloudTrail and CloudWatch.
CloudTrail
AWS CloudWatchCollects monitoring and operational data in the form of logs, metrics, and events, providing a unified view of AWS resources, applications, and services that run on AWS and on-premise servers.

There is active logging and monitoring implemented using CloudTrail and CloudWatch. Audit trail information is saved in CloudWatch.
AWS CloudWatch Page
AWS CodeBuildFully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy.CodeBuild
AWS CognitoAmazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.

Only required if using SSO.
AWS Cognito
AWS Container Registry (ECR)Fully managed container registry that is used to store, manage, share, and deploy container images and artifacts.

Connectors are published to ECR as Alpine Docker containers.
Elastic Container Registry
AWS Container Service (ECS)Fully managed service for deploying, securing, and running Elasticsearch at scale.

ECS is used for platform API services, web application-backend. Each service is defined by a container image in the Cloud Formation template.
Elastic Container Service
AWS Computing Cloud (EC2)Secure, resizable compute capacity in the AWS cloud.

Certain parsers that require windows platform leverage ephemeral Amazon EC2 machines. These machines run these file parsers, read raw data and write back the parsed file.
Elastic Compute Cloud
AWS ElasticsearchFully managed service that deploys, secures, and runs Elasticsearch at scale.

File information received is indexed and stored within the Amazon Elasticsearch.
Elasticsearch
AWS FargateServerless compute engine for containers that works with Amazon Elastic Container Service (ECS).

Fargate manages the orchestration for Data pipeline (parsers and convertors) container images.
Fargate
AWS GlueServerless data integration service that discovers, prepares, and combines data for analytics, machine learning, and application development.

Each organization has a separate Glue database. Tables for the organization is created in their database.
Glue
AWS Identity and Access Management (IAM)Manages access to AWS services and resources securely.

Used to manage AWS users and groups, and permissions to allow and deny their accesses to AWS resources. For example, during organization provisioning, an IAM policy is created to only allow access to an organization's Athena folder.
Identity and Access Management
AWS Internet of Things (IoT) CoreSuite of services that provides a means to connect, secure, control, and manage devices.

AWS requests from the data connector are encrypted and authenticated using short-lived IAM credentials. These IAM credentials are generated and refreshed using certificates. IAM roles and policies interact with ECR, KMS, CloudWatch, to grant permissions to upload specific S3 objects.
IoT
AWS Key Management ServiceCreates and manages cryptographic keys and controls their use across a wide range of AWS services and in applications.

Each organization is provisioned a KMS key. Organization data is encrypted with this key.
Key Management Service
AWS LambdaServerless computing service that enables you to run code without provisioning or managing servers, creating workload-aware cluster scaling logic, maintaining event integrations, or managing runtimes.

Lambdas assume a role necessary to only read from a specific S3 location with your organization's KMS key. Lambdas also receive SNS messages.
Lambda
AWS Relational Database Service (RDS)Scalable, AWS relational database in the cloud that automates time-consuming administration tasks such as hardware provisioning, database setup, patching, and backups.

The trigger information, used to initiate file processing, is stored in Postgres RDS database. Lambda, SQS, and SNS work together to evaluate triggers.
Relational Database Service
AWS Route 53Highly available and scalable cloud Domain Name System (DNS) web service that connects user requests to infrastructure running in AWS – such as Amazon EC2 instances, Elastic Load Balancing load balancers, or Amazon S3 buckets. Route 53 can also be used to route users to infrastructure outside of AWS.

AWS Route 53 is used internally, to allow platform microservices to discover each other and communicate.
Optionally, external facing entries can be created for the platform endpoints, but this feature can be turned off.
Route53
AWS Security Token Service (STS)Service that provides temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or other authenticated users.

Certificates used in API calls periodically request temporary AWS credentials via the AWS STS.
Security Token Service
AWS Service CatalogUsed to create and manage catalogs of IT services that are approved for use on AWS.

In TDP, the information regarding the installed platform, services and upgrades are available within the service catalog.
Service Catalog
AWS Simple Email Service (SES)Cost-effective, flexible, and scalable email service that enables developers to send mail from within any application.

Email notifications can be configured with the use of SES to handle situations where data export to outside destination or pipeline has failed.
Simple Email Service
AWS Simple Storage ServiceObject storage service that offers scalability, data availability, security, and performance.

TetraScience artifacts (RAW and processed files, along with other artifacts) are stored in S3.
Simple Storage Service
AWS Simple Queue Service (SQS)Fully managed message queuing service that decouples and scales microservices, distributed systems, and serverless applications. Sends, stores, and receives messages between software components at any volume, without losing messages or requiring other services to be available.

In TDP, Lambda, SQS, SNS work together to evaluate triggers.
Simple Queue Service
AWS Simple Notification Service (SNS)Fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication

In TDP, Lambda, SQS, and SNS work together to evaluate triggers.
Simple Notification Service
AWS Systems Manager (SSM)Unified user interface used to view operational data from multiple AWS services and automate operational tasks across AWS resources.

The SSM is leveraged to establish communication from platform to the Tetra Datahub. The credentials used for Data Lake authentication is communicated to the data connectors via the SSM. For example, the SSM is needed to add a new connector and update the connector's configuration.
Systems Manager
Amazon Time Sync ServiceProvided by Amazon. It is accessible from all EC2 instances and is also used by other AWS services. This service uses a fleet of satellite-connected and atomic reference clocks in each region to deliver accurate current time readings of the Coordinated Universal Time (UTC) global standard through the Network Time Protocol (NTP).Reference
AWS Virtual Private Cloud (VPC)Service that launches AWS resources in a logically isolated virtual network.Virtual Private Cloud