# What Gets Created in Your AWS Account
Scope: Exactly what the deployment provisions inside your AWS account, how the deployment runs, and roughly what it costs. Nothing here needs action from you - we run the deployment - but you may want this for your own cloud and security review.
## Resources
CampusCore runs in a dedicated, private network inside your account. The application, database, and cache live in private subnets with no direct exposure to the internet; traffic reaches them only through the load balancer.
| Resource | Purpose |
|---|---|
| Dedicated VPC (2 availability zones) | An isolated network with public and private subnets. The app, database, and cache run in the private subnets. |
| NAT gateway | Lets private resources make outbound calls (for example, to the AI provider APIs) without being reachable from the internet. |
| VPC interface endpoints (5) | Private connections to AWS services (container registry, logs, queue, parameter store) so that traffic stays on AWS's own network rather than the public internet. |
| ECS cluster + services (AWS Fargate) | Runs the web application (1 vCPU / 2 GB) and the document-processing worker (1 vCPU / 4 GB). No servers to manage. |
| ECR repositories | Private storage for the application's container images (web + worker). |
| RDS PostgreSQL 17 | The database, with pgvector for AI search (db.t3.large, 20 GB). An optional read replica is available but off by default. |
| ElastiCache Serverless (Valkey) | A managed in-memory cache used for coordination and performance. |
| S3 buckets | Application storage and user file uploads. |
| SQS queue | The document-processing job queue, plus a dead-letter queue for retries. |
| Application Load Balancer | Routes traffic to the application over your domain. |
| AWS WAF | A web application firewall on the load balancer - AWS managed rule sets plus per-IP rate limiting. |
| CloudWatch Logs | Application logs, retained for 14 days. |
| IAM roles | Scoped, least-privilege roles for the application to run. |
| SSM Parameters | Encrypted storage for the Google service account key. |
The only thing kept outside your account is the deployment's Terraform state, which lives in CampusCore's own AWS account. No application data leaves your environment.
## How the deployment runs
Once you have deployed the IAM role and shared your credentials, we trigger the deployment. It runs automatically and provisions everything above in order:
- The network (VPC, subnets, NAT gateway, endpoints), then base infrastructure (database, cache, container registry, load balancer, S3, SQS).
- The HTTPS certificate and domain, if CampusCore-managed SSL is enabled (see Custom Domain Setup).
- The application images and services (web + worker).
The first deployment takes about 15 minutes without a custom SSL certificate. With CampusCore-managed SSL, the first run takes longer - typically 45 to 75 minutes - because issuing and validating the certificate is a one-time wait. Later deployments take about 5 minutes.
## Security by default
- Network isolation - the application, database, and cache run in private subnets. The load balancer is the only public entry point, and it sits behind the AWS WAF.
- Encryption at rest - RDS uses AWS-managed KMS encryption, S3 buckets use AES-256 with public access blocked, SQS and the Valkey cache are encrypted with AWS-managed keys.
- Encryption in transit - database and cache connections require TLS, and the application enforces HTTPS.
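The three controls above are what a cloud or security reviewer will most want to confirm after the deployment. The following is an added review script, not CampusCore's own code: each check takes a dictionary in the shape the corresponding AWS API returns (boto3 `describe_db_instances`, `describe_db_parameters`, `get_public_access_block`, `get_bucket_encryption`, `describe_services`) and reports any drift from the posture described here. The sample responses, bucket name and subnet IDs are constructed for the example; with real credentials you would pass in the live responses instead.

```python
"""Drift checks for the 'Security by default' posture (added example)."""
import copy

PRIVATE_SUBNETS = {"subnet-priv-1a", "subnet-priv-1b"}  # constructed IDs


def check_rds(instance: dict, parameters: list) -> list:
    """Encrypted at rest, no public endpoint, TLS required by rds.force_ssl."""
    findings = []
    name = instance["DBInstanceIdentifier"]
    if not instance.get("StorageEncrypted", False):
        findings.append(f"{name}: storage is not encrypted")
    if instance.get("PubliclyAccessible", False):
        findings.append(f"{name}: instance is publicly accessible")
    # rds.force_ssl=1 makes PostgreSQL reject non-TLS client connections.
    values = {p["ParameterName"]: p.get("ParameterValue") for p in parameters}
    if values.get("rds.force_ssl") != "1":
        findings.append(f"{name}: rds.force_ssl is {values.get('rds.force_ssl')!r}, expected '1'")
    return findings


def check_s3(bucket: str, public_access_block: dict, encryption: dict) -> list:
    """All four public-access blocks enabled and a default SSE rule present."""
    findings = []
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    for flag in ("BlockPublicAcls", "IgnorePublicAcls",
                 "BlockPublicPolicy", "RestrictPublicBuckets"):
        if not pab.get(flag, False):
            findings.append(f"{bucket}: {flag} is off")
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
                  for r in rules if "ApplyServerSideEncryptionByDefault" in r}
    if not algorithms & {"AES256", "aws:kms"}:
        findings.append(f"{bucket}: no default server-side encryption")
    return findings


def check_ecs(service: dict, private_subnets: set) -> list:
    """Tasks get no public IP and are placed only in the private subnets."""
    findings = []
    name = service["serviceName"]
    cfg = service.get("networkConfiguration", {}).get("awsvpcConfiguration", {})
    if cfg.get("assignPublicIp") != "DISABLED":
        findings.append(f"{name}: assignPublicIp is {cfg.get('assignPublicIp')!r}")
    stray = set(cfg.get("subnets", [])) - private_subnets
    if stray:
        findings.append(f"{name}: tasks placed outside private subnets: {sorted(stray)}")
    return findings


def review(snapshot: dict) -> list:
    """Run every check over one account snapshot; an empty list means no drift."""
    findings = []
    for inst in snapshot["rds"]["DBInstances"]:
        findings += check_rds(inst, snapshot["rds_parameters"]["Parameters"])
    for bucket, cfg in snapshot["s3"].items():
        findings += check_s3(bucket, cfg["public_access_block"], cfg["encryption"])
    for svc in snapshot["ecs"]["services"]:
        findings += check_ecs(svc, snapshot["private_subnets"])
    return findings


# Constructed snapshot matching the posture this page describes.
SAMPLE_OK = {
    "private_subnets": PRIVATE_SUBNETS,
    "rds": {"DBInstances": [{"DBInstanceIdentifier": "campuscore-db",
                             "StorageEncrypted": True, "PubliclyAccessible": False}]},
    "rds_parameters": {"Parameters": [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"}]},
    "s3": {"example-uploads-bucket": {
        "public_access_block": {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}}},
    "ecs": {"services": [{"serviceName": "web", "networkConfiguration": {
        "awsvpcConfiguration": {"assignPublicIp": "DISABLED",
                                "subnets": sorted(PRIVATE_SUBNETS)}}}]},
}


def drifted_sample() -> dict:
    """The same snapshot with four settings loosened, to show what a report looks like."""
    s = copy.deepcopy(SAMPLE_OK)
    s["rds"]["DBInstances"][0]["PubliclyAccessible"] = True
    s["rds_parameters"]["Parameters"][0]["ParameterValue"] = "0"
    s["s3"]["example-uploads-bucket"]["public_access_block"][
        "PublicAccessBlockConfiguration"]["BlockPublicPolicy"] = False
    s["ecs"]["services"][0]["networkConfiguration"]["awsvpcConfiguration"]["assignPublicIp"] = "ENABLED"
    return s


if __name__ == "__main__":
    print("compliant snapshot:", review(SAMPLE_OK) or "no findings")
    for line in review(drifted_sample()):
        print("drift:", line)
```

The checks deliberately treat a missing key the same as a wrong value, so a truncated or partially permissioned API response surfaces as a finding rather than silently passing; a reviewer then confirms the setting by hand rather than assuming the default.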
## Estimated AWS cost
These are baseline figures for a single-institution deployment in us-east-1 - one web task, one worker task, and light traffic - at current on-demand AWS pricing. The bill scales up with usage.
| Resource | Configuration | Approx. monthly |
|---|---|---|
| Database (RDS PostgreSQL) | db.t3.large + 20 GB storage | ~$108 |
| Compute (Fargate web + worker) | 1 vCPU / 2 GB + 1 vCPU / 4 GB | ~$79 |
| VPC interface endpoints | 5 services across 2 AZs | ~$73 |
| NAT gateway | 1 (shared) | ~$33 + data |
| Load balancer (ALB) | 1 | ~$20 |
| Cache (ElastiCache Serverless) | Valkey, capped at 1 GB | ~$10 |
| Web application firewall (WAF) | Web ACL + 5 rule sets | ~$10 + requests |
| Logs, S3, SQS, data transfer | usage-based | ~$15 |
| Total (baseline) | | ~$350 / month |
What moves the bill: under heavy document ingestion the worker auto-scales (1 to 10 tasks) and the web service scales (1 to 5), which is the largest variable cost. NAT gateway and endpoint data processing, data transfer out, and WAF request volume also grow with traffic.
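To see how far the compute line can move, the following added example (not a CampusCore tool) models the Fargate cost for the task sizes and scaling ranges stated on this page. The two per-hour rates are this example's own assumption for us-east-1 Linux/x86 on-demand Fargate; check the AWS pricing page for current values before relying on the numbers.

```python
"""Fargate cost model for the baseline and auto-scaled ranges (added example)."""
from dataclasses import dataclass

HOURS_PER_MONTH = 730
VCPU_HOUR_USD = 0.04048   # assumed us-east-1 on-demand rate per vCPU-hour
GB_HOUR_USD = 0.004445    # assumed us-east-1 on-demand rate per GB-hour


@dataclass(frozen=True)
class FargateService:
    name: str
    vcpu: float
    memory_gb: float
    min_tasks: int
    max_tasks: int

    def monthly_cost(self, tasks: int) -> float:
        """Cost of running `tasks` copies of this task size all month."""
        if not self.min_tasks <= tasks <= self.max_tasks:
            raise ValueError(f"{self.name}: {tasks} tasks is outside "
                             f"{self.min_tasks}..{self.max_tasks}")
        per_task_hour = self.vcpu * VCPU_HOUR_USD + self.memory_gb * GB_HOUR_USD
        return tasks * per_task_hour * HOURS_PER_MONTH


# Sizes and scaling ranges as stated in this document.
SERVICES = (
    FargateService("web", vcpu=1, memory_gb=2, min_tasks=1, max_tasks=5),
    FargateService("worker", vcpu=1, memory_gb=4, min_tasks=1, max_tasks=10),
)


def baseline_monthly(services=SERVICES) -> float:
    """Every service at its minimum task count (the figure in the table)."""
    return round(sum(s.monthly_cost(s.min_tasks) for s in services), 2)


def ceiling_monthly(services=SERVICES) -> float:
    """Every service pinned at its maximum for a whole month: the worst case."""
    return round(sum(s.monthly_cost(s.max_tasks) for s in services), 2)


def cost_at(tasks_by_name: dict, services=SERVICES) -> float:
    """Cost for a chosen task count per service, e.g. a sustained ingestion peak."""
    return round(sum(s.monthly_cost(tasks_by_name.get(s.name, s.min_tasks))
                     for s in services), 2)


if __name__ == "__main__":
    print(f"baseline: ${baseline_monthly():.2f}/month")
    print(f"ceiling:  ${ceiling_monthly():.2f}/month")
    print(f"worker at 10, web at 1: ${cost_at({'worker': 10}):.2f}/month")
```

Real bills sit between the baseline and the ceiling because auto-scaling is billed per second of actual task time, so a few hours of peak ingestion adds a few hours of the peak rate, not a month of it.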
Billed separately to you, not in the figures above: the AI provider usage (OpenAI, Gemini, Cohere) is charged directly to your own provider accounts.
Your CampusCore contact can help you estimate for your expected volume.
Next: Initial App Setup.