

# Plan your deployment

This section describes the [cost](cost.md), [network security](security-1.md), [quotas](quotas.md), and other considerations prior to deploying the solution.

## Supported AWS Regions


This solution uses AWS services that are not currently available in all AWS Regions. You must launch this solution in an AWS Region where Amazon Lex is available. See the [services implemented in this solution](architecture-details.md#aws-services-in-this-solution) for more details on core services needed for the solution. Note that the solution is not supported in AWS GovCloud (US) or China Regions. For the most current availability by Region, see the [AWS Services by Region](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) list.

# Cost


You are responsible for the cost of the AWS services used while running this solution. As of this latest revision, the cost for running the default basic implementation of this solution in the US East (N. Virginia) Region is approximately **\$547.33 per month**.

**Note**  
Amazon Kendra and Amazon Connect are **not** part of the default solution implementation, but the solution does provide the capability to integrate with them. Because the solution does not create resources for Amazon Kendra or Amazon Connect automatically, they are not included in the example cost table. If you intend to integrate Amazon Kendra and Amazon Connect, review the [Amazon Kendra pricing](https://aws.amazon.com/kendra/pricing/) and [Amazon Connect pricing](https://aws.amazon.com/connect/pricing/) to adjust your cost estimate accordingly.

We recommend creating a [budget](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/budgets-create.html) through [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/) to help manage costs. Prices are subject to change. For full details, see the pricing webpage for each AWS service used in this solution. For additional information, see [Creating a cost budget](https://docs.aws.amazon.com/cost-management/latest/userguide/create-cost-budget.html) in the *AWS Cost Management User Guide*.

## Option 1: Default basic deployment


The following table provides a sample cost breakdown for deploying this solution with the default parameters in the US East (N. Virginia) Region for one month.


| AWS service | Dimensions | Cost [USD] | 
| --- | --- | --- | 
|  Amazon API Gateway  |  1,000,000 REST API calls per month  |  \$3.50  | 
|  Amazon Cognito  |  1,000 active users per month without the advanced security feature  |  \$0.00  | 
|  Amazon S3  |  100 GB data transfer + 1,000,000 requests (100 records x 100 KB from Amazon Kinesis)  |  \$3.27  | 
|  AWS Lambda  |  2,000,000 requests with 200 ms duration  |  \$1.23  | 
|  Systems Manager Parameter Store  |  2,000,000 requests with 10 standard parameters  |  \$0.00  | 
|  Amazon Lex  |  100,000 text requests per month  |  \$75.00  | 
|  Amazon Data Firehose  |  100,000 records per month with 100 KB per record  |  \$0.28  | 
|  Amazon DynamoDB  |  2 GB storage + 2 reads and 2 writes per second + 20 hours peak read/write per month  |  \$16.14  | 
|  Amazon Polly  |  10,000 requests × 50 characters per request  |  \$4.00  | 
|  Amazon Translate  |  100,000 requests × 50 characters per request (OPTIONAL for non-English)  |  \$75.00  | 
|  Amazon Comprehend  |  100,000 requests × 50 characters per request  |  \$5.00  | 
|  Amazon OpenSearch Service  |  m6g.large.search instance running all hours in a month for 4 nodes  |  \$368.64  | 
|   **Total for a default basic deployment:**   |  |   **\$547.33**   | 

## Option 2: Amazon Bedrock embeddings only



| AWS service | Dimensions | Cost [USD] | 
| --- | --- | --- | 
|  Amazon Bedrock for text embeddings (optional)  |  Daily average of 8,000 requests of 2,000 input tokens estimated using Amazon Titan Embeddings Text  |  \$48.00  | 
|   **Total with Amazon Bedrock embeddings only (\$547.33 + \$48.00):**   |  |   **\$595.33**   | 

## Option 3: Amazon Bedrock embeddings and LLMs



| AWS service | Dimensions | Cost [USD] | 
| --- | --- | --- | 
|  Amazon Bedrock for LLM question answering (optional)  |  Daily average of 8,000 requests each made of 2,000 input tokens and 200 output tokens estimated using [Anthropic Claude 3 Haiku](https://us-east-1.console.aws.amazon.com/bedrock/home?region=us-east-1&/providers%3Fmodel=anthropic.claude-3-haiku-20240307-v1%3A0#/models) (lower cost LLM option) or [Anthropic Claude 3 Sonnet](https://us-east-1.console.aws.amazon.com/bedrock/home?region=us-east-1&/providers%3Fmodel=anthropic.claude-3-sonnet-20240229-v1%3A0#/models) (higher cost LLM option)  |  \$180.00 (Haiku) to \$2,160.00 (Sonnet)  | 
|   **Total with Amazon Bedrock embeddings and LLMs (\$595.33 + \$180.00 to \$2,160.00):**   |  |   **\$775.33 to \$2,755.33**   | 

## Option 4a: Amazon Bedrock embeddings and LLM and Amazon Kendra



| AWS service | Dimensions | Cost [USD] | 
| --- | --- | --- | 
|  Amazon Kendra index  |  0-8,000 queries a day and up to 100,000 documents with Amazon Kendra Enterprise Edition with 0-50 data sources  |  \$1,008.00  | 
|   **Total with Amazon Bedrock embeddings and LLM and Amazon Kendra (\$775.33 to \$2,755.33 + \$1,008.00):**   |  |   **\$1,783.33 to \$3,763.33**   | 

## Option 4b: Amazon Bedrock embeddings and LLM and RAG using Amazon Bedrock knowledge base



| AWS service | Dimensions | Cost [USD] | 
| --- | --- | --- | 
|  Amazon Bedrock knowledge base (optional)  |  8,000 questions a day with 5 GB of data stored in Amazon OpenSearch Service Serverless vector store and using Anthropic Claude 3 Haiku (lower cost LLM option) or Anthropic Claude 3 Sonnet (higher cost LLM option)  |  \$733.00 (Haiku) to \$2,713.00 (Sonnet)  | 
|   **Total with Amazon Bedrock embeddings and LLM and RAG using Amazon Bedrock knowledge base (\$775.33 to \$2,755.33 + \$733.00 to \$2,713.00):**   |  |   **\$1,508.33 to \$5,468.33**   | 

## Option 5a: Amazon Bedrock Guardrails Integration (Optional)



| AWS service | Dimensions | Cost [USD] | 
| --- | --- | --- | 
|  Content Filters  |  8,000 requests/day (1 text unit (400 characters) for both query and FM response)  |  \$14.40  | 
|  Denied Topics  |  8,000 requests/day (1 text unit (400 characters) for both query and FM response)  |  \$14.40  | 
|  Sensitive Information Filter (PII)  |  8,000 requests/day (1 text unit (400 characters) for both query and FM response)  |  \$9.60  | 
|  Contextual grounding check  |  8,000 requests/day (1 text unit (600 characters) for both query and FM response)  |  \$14.40  | 
|  Sensitive Information filter (Regex)  |  Free  |  -  | 
|  Word Filters  |  Free  |  -  | 
|   **Total with Amazon Bedrock embeddings and LLM and RAG using Amazon Bedrock knowledge base (\$2,084.77 to \$5,468.33 + \$52.80):**   |  |   **\$2,137.57 to \$5,491.13**   | 

## Option 5b: Amazon Bedrock Pre-process Guardrails Integration (Optional)



| AWS service | Dimensions | Cost [USD] | 
| --- | --- | --- | 
|  Content Filters  |  8,000 requests/day (1 text unit (100 characters - questions only) for both query and FM response)  |  \$3.60  | 
|  Denied Topics  |  8,000 requests/day (1 text unit (100 characters - questions only) for both query and FM response)  |  \$3.60  | 
|  Sensitive Information Filter (PII)  |  8,000 requests/day (1 text unit (100 characters - questions only) for both query and FM response)  |  \$2.40  | 
|  Contextual grounding check  |  N/A  |  | 
|  Sensitive Information filter (Regex)  |  Free  |  -  | 
|  Word Filters  |  Free  |  -  | 
|   **Total with Amazon Bedrock embeddings and LLM and RAG using Amazon Bedrock knowledge base (\$2,084.77 to \$5,468.33 + \$9.60):**   |  |   **\$2,094.37 to \$5,477.93**   | 

## Option 5c: Amazon Bedrock Post-process Guardrails Integration (Optional)



| AWS service | Dimensions | Cost [USD] | 
| --- | --- | --- | 
|  Content Filters  |  8,000 requests/day (1 text unit (300 characters - answers only) for both query and FM response)  |  \$10.80  | 
|  Denied Topics  |  8,000 requests/day (1 text unit (300 characters - answers only) for both query and FM response)  |  \$10.80  | 
|  Sensitive Information Filter (PII)  |  8,000 requests/day (1 text unit (300 characters - answers only) for both query and FM response)  |  \$7.20  | 
|  Contextual grounding check  |  N/A  |  | 
|  Sensitive Information filter (Regex)  |  Free  |  -  | 
|  Word Filters  |  Free  |  -  | 
|   **Total with Amazon Bedrock embeddings and LLM and RAG using Amazon Bedrock knowledge base (\$2,084.77 to \$5,468.33 + \$28.80):**   |  |   **\$2,113.57 to \$5,497.13**   | 

## Option 6: Streaming Responses for QnABot



| AWS service | Dimensions | Cost [USD] | 
| --- | --- | --- | 
|  DynamoDB Table (optional)  |  1 GB storage + 1 read and 1 write per second + 20 hours peak read/write per month  |  \$11.41  | 
|  Lambda (optional)  |  2,000,000 requests with 200 ms duration  |  \$1.23  | 
|  WebSocket API (optional)  |  100,000 messages per day with 25,000 connections for 10 minutes  |  \$4.94  | 
|   **Total with Streaming Responses for QnABot only (\$547.33 + \$17.58):**   |  |   **\$564.91**   | 

## Option 7: QnABot with OpenSearch Dedicated Master Nodes



| AWS service | Dimensions | Cost [USD] | 
| --- | --- | --- | 
|  Amazon OpenSearch Service  |  m6g.large.search instance running all hours in a month for 3 dedicated master nodes  |  \$276.48  | 
|   **Total with OpenSearch dedicated master nodes only (\$547.33 + \$276.48):**   |  |   **\$823.81**   | 

# Security


When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit [AWS Cloud Security](https://aws.amazon.com/security/).

## Security best practices


QnABot on AWS is designed with security best practices in mind. However, the security of a solution differs based on your specific use case. Adding additional security measures can add to the cost of the solution. The following are additional recommendations to enhance the security posture of QnABot on AWS in production environments.

## Amazon S3 access logging bucket configuration


We recommend having a central access logging Amazon S3 bucket and updating the S3 buckets that this solution creates to enable access logging. By default, QnABot on AWS configures a central access logging Amazon S3 bucket to store access logs. For more information about Amazon S3 access logging, see [Enabling Amazon S3 server access logging](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html) in the *Amazon Simple Storage Service User Guide*.

## Multi-factor authentication (MFA) in Amazon Cognito user pools


This solution creates only one user in its Cognito user pool. MFA is not activated by default; however, we recommend enabling MFA for Cognito users for a stronger security posture in production workloads. For more information about setting up MFA in Cognito, see [Adding MFA to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html) and [Adding advanced security to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) in the *Amazon Cognito Developer Guide*.

## Single sign-on with AWS IAM Identity Center


Solution administrators can also federate into the content designer UI and OpenSearch Dashboards using single sign-on with AWS IAM Identity Center. In this case, IAM Identity Center serves as the identity provider for the Cognito user pool. Additionally, using Cognito, you can configure a SAML or OpenID Connect identity provider to federate with as well.

When users federate into Cognito, a user profile is dynamically provisioned for them, but they are not granted access to QnABot on AWS until they are added to the `Admins` group. For more information about automating that group assignment with a Lambda trigger, see [Customizing User Pool Workflows with Lambda](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html) in the *Amazon Cognito Developer Guide*.
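One way to automate that group assignment while keeping the deny-by-default behaviour described above is a Cognito Lambda trigger that adds a federated user to `Admins` only when the identity provider asserted an allow-listed group. The following is an added example, not code from the QnABot on AWS solution. It assumes that the IdP's group attribute has been mapped to a custom user-pool attribute (here named `custom:idp_groups`, a hypothetical name), that multi-valued SAML/OIDC attributes arrive as a single bracketed string, and that the function's execution role holds `cognito-idp:AdminListGroupsForUser` and `cognito-idp:AdminAddUserToGroup` on the pool. The sample event and the allow-list value `qnabot-admins` are constructed, and `FakeCognito` is an in-memory stand-in so the logic runs offline.

```python
"""Cognito trigger that grants QnABot `Admins` membership only to federated users
whose IdP-asserted groups intersect an allow list (added example, not solution code).
Assumes the IdP group attribute is mapped to the custom:idp_groups attribute
(hypothetical name) and the role can list and add group memberships."""
import os
from typing import Any, Protocol

ADMINS_GROUP = "Admins"  # the group the guide says QnABot checks for access
IDP_GROUPS_ATTRIBUTE = os.environ.get("IDP_GROUPS_ATTRIBUTE", "custom:idp_groups")
# Comma-separated IdP group names allowed to administer QnABot; the default is a constructed value.
ALLOWED_IDP_GROUPS = {g.strip() for g in os.environ.get("ALLOWED_IDP_GROUPS", "qnabot-admins").split(",")
                      if g.strip()}


class CognitoAdmin(Protocol):  # the two boto3 cognito-idp calls this trigger relies on
    def admin_list_groups_for_user(self, **kwargs: Any) -> dict: ...
    def admin_add_user_to_group(self, **kwargs: Any) -> dict: ...


def idp_groups_from_event(event: dict) -> set[str]:
    """Multi-valued IdP attributes reach Cognito as one string, e.g. '[a, b]' (assumed form)."""
    raw = event.get("request", {}).get("userAttributes", {}).get(IDP_GROUPS_ATTRIBUTE, "")
    return {part.strip() for part in raw.strip().strip("[]").split(",") if part.strip()}


def should_grant_admin(event: dict) -> bool:
    """Deny by default: only federated users whose asserted groups intersect the allow list."""
    attrs = event.get("request", {}).get("userAttributes", {})
    if "identities" not in attrs:  # native pool users (such as the one the stack creates) are managed by hand
        return False
    return bool(idp_groups_from_event(event) & ALLOWED_IDP_GROUPS)


def ensure_group_membership(event: dict, client: CognitoAdmin) -> str:
    """Apply the decision for one sign-in; returns 'granted', 'already-member' or 'denied'."""
    if not should_grant_admin(event):
        return "denied"
    pool_id, username = event["userPoolId"], event["userName"]
    current = client.admin_list_groups_for_user(UserPoolId=pool_id, Username=username)
    if any(g["GroupName"] == ADMINS_GROUP for g in current.get("Groups", [])):
        return "already-member"
    client.admin_add_user_to_group(UserPoolId=pool_id, Username=username, GroupName=ADMINS_GROUP)
    return "granted"


def lambda_handler(event: dict, context: Any = None) -> dict:
    import boto3  # present in the Lambda runtime; imported here so the module loads offline
    ensure_group_membership(event, boto3.client("cognito-idp"))
    return event  # Cognito triggers must hand the event object back


# Constructed post-authentication event for a federated user, plus an in-memory stand-in client.
SAMPLE_EVENT = {
    "userPoolId": "us-east-1_EXAMPLE",
    "userName": "IdentityCenter_alice@example.com",
    "request": {"userAttributes": {
        "email": "alice@example.com",
        "identities": '[{"providerName":"IdentityCenter","providerType":"SAML"}]',
        "custom:idp_groups": "[qnabot-admins, finance]",
    }},
    "response": {},
}


class FakeCognito:
    def __init__(self) -> None:
        self.groups: dict[str, set[str]] = {}

    def admin_list_groups_for_user(self, **kw: Any) -> dict:
        return {"Groups": [{"GroupName": g} for g in self.groups.get(kw["Username"], set())]}

    def admin_add_user_to_group(self, **kw: Any) -> dict:
        self.groups.setdefault(kw["Username"], set()).add(kw["GroupName"])
        return {}
```

Wire the handler as the pool's post authentication trigger (or post confirmation, which fires once when the federated profile is first created). Group membership is read when tokens are issued, so a user granted during this sign-in may need to sign in again before the ID token carries the `Admins` group. An IdP that asserts no allow-listed group still gets a provisioned profile but no QnABot access, which matches the behaviour described above.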

## AWS WAF for Amazon API Gateway


When the chatbot application is open to public access in production, we recommend enabling AWS WAF for API Gateway. For guidance about setting up AWS WAF, see [Using AWS WAF to protect your APIs](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html) in the *Amazon API Gateway Developer Guide*. We also recommend reviewing the [AWS Best Practices for DDoS Resiliency](https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/welcome.html) whitepaper for information about protecting your AWS applications from Distributed Denial of Service (DDoS) attacks.

For best security practices, we recommend adding rules or rule groups when creating your web access control list (ACL) in AWS WAF. AWS WAF provides AWS managed rule groups as well as custom rule groups that you create and maintain. We recommend adding the [Core rule set](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-crs) and [Known bad inputs](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-known-bad-inputs) managed rule groups when setting up your web ACL. See [AWS WAF rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-groups.html) in the *AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Guide* for more information on setting up managed and custom rule groups.

## Creating a custom domain in Amazon API Gateway


By default, QnABot deploys the default domain in API Gateway. The default domain uses a TLS version 1.0 security policy, which permits outdated protocol versions and weak ciphers. We recommend that you set up a [custom domain name](setting-up-a-custom-domain-name-for-qnabot-content-designer-and-client.md) and use a TLS version 1.2 security policy. See [Choosing a security policy for your custom domain in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html) in the *Amazon API Gateway Developer Guide*.

## Children Online Privacy Protection Act (COPPA) settings for Amazon Lex


When using this solution to create or update an Amazon Lex chatbot, set the Amazon Lex API **childDirected** parameter to `true` if the bot’s users are subject to COPPA. For more information, see [DataPrivacy](https://docs.aws.amazon.com/lexv2/latest/APIReference/API_DataPrivacy.html) in the *Amazon Lex API Reference*.

## AWS CloudFormation parameters


Before deployment, we recommend reviewing the **PublicOrPrivate** parameter. It has two possible values: `Public` or `Private`. We recommend choosing `Private` unless the use case for this solution dictates having the chatbot open to the public without needing to sign up or register. If you select `Public`, we recommend enabling [AWS WAF for Amazon API Gateway](#aws-waf-for-amazon-api-gateway).

## Amazon Cognito


The solution uses a Cognito user pool for controlling administrative access to the QnABot on AWS content designer UI, Amazon Lex web client, and OpenSearch Dashboards. Users are also required to be members of the `Admins` group in the Cognito user pool.

The content designer UI requires that you sign in with credentials defined in an Amazon Cognito user pool. Using temporary AWS credentials from Cognito, the content designer UI interacts with secure API Gateway endpoints backed by the content designer’s Lambda functions.

The Amazon Lex web client is deployed to an Amazon S3 bucket in your account, and accessed via API Gateway. An API Gateway endpoint provides run time configuration. Using this configuration, the web client connects to Cognito to obtain temporary AWS credentials, and then connects with the Amazon Lex service.

## AWS Lambda


The solution uses Lambda functions. Depending on your use case, we recommend that you configure [Lambda function-level concurrency limits](https://docs.aws.amazon.com/lambda/latest/dg/lambda-concurrency.html). Reserving concurrency caps how many instances of a function can run at once, which prevents a rapid spike in usage and cost; you can also raise or lower the account's default concurrency limit.

## IAM roles


IAM roles let you assign granular access policies and permissions to services and users in the AWS Cloud. This solution creates least-privilege IAM roles that grant the solution’s resources only the permissions they need.

## CloudWatch Logs


For QnABot on AWS, CloudWatch Logs log groups are set by default to never expire. You can [export log data to Amazon S3](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3Export.html) for longer-term retention.

## Data storage and protection


The solution uses multiple services to store and protect your data. This solution defaults to the following when storing and protecting the customer’s data:


| Service/Resource | Default | 
| --- | --- | 
|  CloudWatch Logs  |  - Default CloudWatch Logs set to **Never Expire**.  | 
|  DynamoDB  |  - User table stores chat message history (per user) - never expires. - Data fully encrypted at rest (managed by DynamoDB). - Point-in-time recovery enabled by default. - Continuous backups disabled.  | 
|  OpenSearch Dashboards index  |  - Default expiry set to 30 days.  | 
|  Amazon S3  |  - Default **Never Expire** for Metrics bucket and Export bucket. - All buckets are enabled with server-side encryption (SSE) by default. See [Setting default server-side encryption behavior for Amazon S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html) in the *Amazon Simple Storage Service User Guide* for additional guidance. - Access logging is disabled; the customer can configure it. For additional guidance, see [Enabling Amazon S3 server access logging](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html) in the *Amazon Simple Storage Service User Guide*.  | 
|  Amazon Lex  |  - Default, logs not enabled. For additional guidance, see [Conversation Logs](https://docs.aws.amazon.com/lexv2/latest/dg/conversation-logs-configure.html) in the *Amazon Lex V2 Developer Guide*. - Encrypting conversation logs is optional, but can be implemented if needed. For additional guidance, see [Encrypting Conversation Logs](https://docs.aws.amazon.com/lexv2/latest/dg/conversation-logs-configure.html#conversation-logs-enable) in the *Amazon Lex V2 Developer Guide*. - Audio logs are stored in Amazon S3 (default encryption). - The **childDirected** parameter for COPPA defaults to `false`. For additional guidance, see [DataPrivacy](https://docs.aws.amazon.com/lexv2/latest/APIReference/API_DataPrivacy.html) in the *Amazon Lex API Reference*. - PII redaction capability is implemented on logs.  | 
|  AWS Key Management Service  |  - The solution can store PII data. By default, DynamoDB is encrypted, but we recommend using Customer Managed Keys (CMK) if you intend to store sensitive data. For additional guidance, see the [utility_scripts](https://github.com/aws-solutions/qnabot-on-aws/tree/main/source/utility_scripts) section in the GitHub repository.  | 
|  Amazon Data Firehose  |  - SSE enabled via AWS KMS key.  | 
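The recommendations in this section (a TLS 1.2 security policy on the API Gateway domain, MFA on the Cognito user pool, an AWS WAF web ACL when `PublicOrPrivate` is `Public`, Lambda concurrency limits, S3 access logging, CloudWatch Logs retention, and point-in-time recovery on the DynamoDB tables listed in the data storage table) can be verified after deployment. The following Python script is an added example and is not part of the QnABot on AWS solution. Each check takes the JSON shape returned by one AWS API call (`apigateway get-domain-name`, `cognito-idp describe-user-pool`, `wafv2 get-web-acl-for-resource`, `lambda get-function-concurrency`, `s3api get-bucket-logging`, `logs describe-log-groups`, `dynamodb describe-continuous-backups`), so it runs offline against saved output. The snapshot at the bottom and every resource name in it are constructed placeholders, and the 365-day retention threshold is an assumed policy value, not one this guide sets.

```python
"""Offline posture check for the hardening items in this section (added example,
not QnABot on AWS solution code). Each check takes the JSON shape of one AWS API
response and returns findings; nothing here calls AWS. The snapshot at the bottom
is constructed for illustration."""
from typing import Any

Json = dict[str, Any]


def check_api_domain_tls(domain: Json) -> list[str]:
    # apigateway get-domain-name: securityPolicy is "TLS_1_0" or "TLS_1_2".
    policy = domain.get("securityPolicy", "TLS_1_0")
    if policy != "TLS_1_2":
        return [f"API Gateway domain {domain.get('domainName', '?')}: security policy {policy}, use TLS_1_2"]
    return []


def check_cognito_mfa(user_pool: Json) -> list[str]:
    # cognito-idp describe-user-pool: UserPool.MfaConfiguration is OFF, OPTIONAL or ON.
    mfa = user_pool.get("UserPool", {}).get("MfaConfiguration", "OFF")
    return [] if mfa == "ON" else [f"Cognito user pool: MfaConfiguration is {mfa}, require MFA for admins"]


def check_waf(public_or_private: str, acl_for_resource: Json) -> list[str]:
    # wafv2 get-web-acl-for-resource returns {"WebACL": {...}} only when an ACL is associated.
    # public_or_private is the value given to the PublicOrPrivate CloudFormation parameter.
    if public_or_private == "Public" and not acl_for_resource.get("WebACL"):
        return ["PublicOrPrivate=Public but no AWS WAF web ACL is associated with the API stage"]
    return []


def check_lambda_concurrency(name: str, concurrency: Json) -> list[str]:
    # lambda get-function-concurrency: the key is absent when nothing is reserved.
    if "ReservedConcurrentExecutions" not in concurrency:
        return [f"Lambda {name}: no reserved concurrency, a usage spike is uncapped"]
    return []


def check_s3_logging(bucket: str, logging_cfg: Json) -> list[str]:
    # s3api get-bucket-logging: LoggingEnabled is present only when access logging is on.
    if not logging_cfg.get("LoggingEnabled", {}).get("TargetBucket"):
        return [f"S3 bucket {bucket}: server access logging disabled"]
    return []


def check_log_retention(log_groups: Json, max_days: int) -> list[str]:
    # logs describe-log-groups: retentionInDays is absent for "Never Expire".
    findings = []
    for group in log_groups.get("logGroups", []):
        days = group.get("retentionInDays")
        if days is None or days > max_days:
            shown = "never expires" if days is None else f"{days} days"
            findings.append(f"Log group {group['logGroupName']}: retention {shown} exceeds {max_days} days")
    return findings


def check_dynamodb_pitr(table: str, backups: Json) -> list[str]:
    # dynamodb describe-continuous-backups: PointInTimeRecoveryStatus is ENABLED or DISABLED.
    status = (backups.get("ContinuousBackupsDescription", {})
              .get("PointInTimeRecoveryDescription", {})
              .get("PointInTimeRecoveryStatus", "DISABLED"))
    return [] if status == "ENABLED" else [f"DynamoDB table {table}: point-in-time recovery {status}"]


def audit(snapshot: Json, max_log_days: int = 365) -> list[str]:
    """Run every check over a snapshot keyed by the API call that produced each part."""
    findings = check_api_domain_tls(snapshot["api_domain"])
    findings += check_cognito_mfa(snapshot["user_pool"])
    findings += check_waf(snapshot["public_or_private"], snapshot["web_acl_for_resource"])
    for name, conc in snapshot["lambda_concurrency"].items():
        findings += check_lambda_concurrency(name, conc)
    for bucket, cfg in snapshot["bucket_logging"].items():
        findings += check_s3_logging(bucket, cfg)
    findings += check_log_retention(snapshot["log_groups"], max_log_days)
    for table, desc in snapshot["continuous_backups"].items():
        findings += check_dynamodb_pitr(table, desc)
    return findings


# Constructed snapshot of a deployment left at defaults with PublicOrPrivate=Public.
# Resource names are placeholders, not the solution's real names.
SAMPLE_SNAPSHOT: Json = {
    "api_domain": {"domainName": "qnabot.example.com", "securityPolicy": "TLS_1_0"},
    "user_pool": {"UserPool": {"Id": "us-east-1_EXAMPLE", "MfaConfiguration": "OFF"}},
    "public_or_private": "Public",
    "web_acl_for_resource": {},
    "lambda_concurrency": {"qna-fulfillment-example": {},
                           "qna-export-example": {"ReservedConcurrentExecutions": 5}},
    "bucket_logging": {"qna-metrics-example": {},
                       "qna-export-example": {"LoggingEnabled": {"TargetBucket": "central-logs-example",
                                                                 "TargetPrefix": "qnabot/"}}},
    "log_groups": {"logGroups": [{"logGroupName": "/aws/lambda/qna-fulfillment-example"},
                                 {"logGroupName": "/aws/lambda/qna-export-example", "retentionInDays": 90}]},
    "continuous_backups": {"qna-users-example": {"ContinuousBackupsDescription": {
        "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"}}}},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SNAPSHOT):
        print("-", finding)
```

Run against the sample snapshot, the script reports seven findings, one per default left in place. In practice you would feed it the `--output json` results of the CLI calls named above for the stack's actual resources; a point-in-time recovery finding means a restore would depend on backups you create yourself, which the DynamoDB backups section at the end of this page covers.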

# Quotas


Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account.

## Quotas for AWS services in this solution


Make sure you have sufficient quota for each of the [services implemented in this solution](architecture-details.md#aws-services-in-this-solution). For more information, see [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).

Select one of the following links to go to the page for that service. To view the service quotas for all AWS services in the documentation without switching pages, view the information in the [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-general.pdf#aws-service-information) page in the PDF instead.

## AWS CloudFormation quotas


Your AWS account has AWS CloudFormation quotas that you should be aware of when [launching the stack](step-2-launch-the-chatbot-content-designer.md) in this solution. By understanding these quotas, you can avoid limitation errors that would prevent you from deploying this solution successfully. For more information, see [AWS CloudFormation quotas](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html) in the *AWS CloudFormation User Guide*.

## Amazon Lex quotas


Your AWS account has Amazon Lex quotas, which you can view by following these steps:

1. Sign in to the [AWS Service Quotas console](https://console.aws.amazon.com/servicequotas).

1. Choose **AWS services** from the left navigation menu.

1. Enter `Amazon Lex` in the **Find services** field.

1. Choose **Amazon Lex**.

Amazon Lex V2 requires the fulfillment Lambda’s maximum output size to be set to 50 KB. You cannot adjust this setting through the AWS account’s Service endpoints and quotas. You might reach this quota when you are trying to return very large responses by increasing the number of words or context in the response. Additionally, when you use RAG with Amazon Kendra or Knowledge Bases for Amazon Bedrock, you might want to limit your output by customizing the settings such as prompt templates, max retrieved results, or documents.
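Because the 50 KB fulfillment output quota cannot be raised, a fulfillment function has to keep its own response under it. The following Python function is an added example, not QnABot code: it measures a Lex V2 response as `json.dumps` renders it and shortens the longest text message until the whole payload fits, leaving `sessionState` untouched and marking the cut so an over-long answer degrades visibly instead of exceeding the quota. The 50 KB figure is taken from this guide and is assumed to be an exact byte count; the sample response is constructed.

```python
"""Keep a Lex V2 fulfillment response under the 50 KB output quota (added example,
not QnABot solution code). The response is measured as json.dumps renders it and
the longest text message is shortened until the payload fits."""
import json

LEX_V2_MAX_OUTPUT_BYTES = 50 * 1024  # quota quoted in the guide; assumed to be exact
TRUNCATION_MARKER = " [answer truncated]"
TRIMMABLE_TYPES = ("PlainText", "CustomPayload")


def serialized_size(response: dict) -> int:
    """Byte length of the JSON the Lambda runtime hands back to Lex."""
    return len(json.dumps(response).encode("utf-8"))


def fit_lex_response(response: dict, limit: int = LEX_V2_MAX_OUTPUT_BYTES) -> dict:
    """Return a copy of `response` whose JSON form is at most `limit` bytes.

    Only the `content` of text messages is shortened; sessionState and other
    structural keys are never touched. Raises ValueError if nothing is left to trim.
    """
    fitted = json.loads(json.dumps(response))  # deep copy, the caller's dict stays intact
    messages = fitted.setdefault("messages", [])
    while (excess := serialized_size(fitted) - limit) > 0:
        candidates = [m for m in messages
                      if m.get("contentType") in TRIMMABLE_TYPES and m.get("content")]
        if not candidates:
            raise ValueError(f"response exceeds {limit} bytes and has no trimmable messages")
        longest = max(candidates, key=lambda m: len(m["content"]))
        body = longest["content"].removesuffix(TRUNCATION_MARKER)
        # Every character removed frees at least one JSON byte (escaped characters free
        # more), so dropping `excess` characters plus room for the marker always makes progress.
        keep = len(body) - excess - len(TRUNCATION_MARKER)
        if keep <= 0:
            messages.remove(longest)  # nothing useful would remain; drop the message instead
            continue
        longest["content"] = body[:keep] + TRUNCATION_MARKER
    return fitted


# Constructed response in the Lex V2 fulfillment shape with an answer far over the quota.
SAMPLE_RESPONSE = {
    "sessionState": {"dialogAction": {"type": "Close"},
                     "intent": {"name": "FallbackIntent", "state": "Fulfilled"}},
    "messages": [{"contentType": "PlainText", "content": "A" * 60000}],
}

if __name__ == "__main__":
    fitted = fit_lex_response(SAMPLE_RESPONSE)
    print(serialized_size(SAMPLE_RESPONSE), "->", serialized_size(fitted), "bytes")
```

Call `fit_lex_response` on the dict your fulfillment handler is about to return. For RAG answers the better first step is the one the guide suggests, limiting retrieved results and prompt size so the model never produces an oversized answer; this function is the last-resort guard for the turns where that is not enough.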

# Amazon DynamoDB backups


Backups for Amazon DynamoDB Tables are not set up by default. If you require backups for the data that is stored in DynamoDB Tables, see [Backing Up a DynamoDB Table](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Backup.Tutorial.html) in the *Amazon DynamoDB Developer Guide*.

For recovery of backed up data, see [Restoring a DynamoDB table from a backup](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Restore.Tutorial.html) in the *Amazon DynamoDB Developer Guide*. Alternatively, you can use [Point-in-time recovery for DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/PointInTimeRecovery.html) as your backup and recovery method.