

# Plan your deployment


This section helps you plan your Spatial Data Management Application deployment by understanding prerequisites, sizing requirements, and configuration options.

# Supported AWS Regions


Spatial Data Management on AWS is available in the following AWS Regions:


| Region Name | Region Code | 
| --- | --- | 
|  US East (N. Virginia)  |  us-east-1  | 
|  US East (Ohio)  |  us-east-2  | 
|  US West (Oregon)  |  us-west-2  | 
|  Europe (Frankfurt)  |  eu-central-1  | 
|  Europe (Ireland)  |  eu-west-1  | 
|  Europe (London)  |  eu-west-2  | 
|  Asia Pacific (Tokyo)  |  ap-northeast-1  | 
|  Asia Pacific (Singapore)  |  ap-southeast-1  | 
|  Asia Pacific (Sydney)  |  ap-southeast-2  | 

 **Regional Considerations:** 
+  **Service quotas** – Service quotas for services used by the solution may vary by region.
+  **Data residency** – Ensure your region choice complies with your organization’s data governance policies and regulatory requirements.

# Prerequisites


## AWS Account Requirements

+ Active AWS account with appropriate permissions
+ Don’t use the AWS Organizations management account – Deploy to a member account instead. The management account should be used only for AWS Organizations administrative tasks. For details, see [AWS Organizations Best Practices](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices.html).
+ AWS Command Line Interface (AWS CLI) configured with credentials (optional)
+ AWS CloudFormation stack creation permissions
+ Selected deployment AWS Region

## Permission Requirements


Before deploying the Spatial Data Management solution, verify that your AWS user or role has the necessary permissions to create and manage AWS resources.

 **Console Access Check** 

Verify you can access and create resources in these AWS Console sections:

 **Core Services (Required):** 
+ CloudFormation
+ IAM
+ Amazon S3
+ AWS Lambda
+ Amazon DynamoDB
+ AWS KMS

 **Application Services (Required):** 
+ Amazon Cognito
+ Amazon API Gateway
+ Amazon OpenSearch
+ Amazon VPC/EC2
+ Amazon CloudWatch Logs
+ AWS Deadline Cloud
+ Amazon Location Services

 **Content & Security Services (Required):** 
+ Amazon CloudFront
+ AWS Secrets Manager
+ AWS Systems Manager
+ Amazon SQS
+ Amazon EventBridge
+ Amazon Verified Permissions

 **Analytics Services (Required):** 
+ AWS Glue
+ Amazon Athena
+ AWS CloudTrail

### Troubleshooting Permission Issues


If deployment fails with permission errors:

1. Check **CloudFormation Events** in the AWS Console for specific error messages

1. Look for "Access Denied" errors in the stack events

1. Verify you can access the failing service in the AWS Console

1. Contact your AWS administrator to grant missing permissions
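The first steps above can also be done from the command line. The following is an added example, not code from the solution: it filters stack events, in the JSON shape returned by `aws cloudformation describe-stack-events`, down to the failures caused by a denied permission and groups them by service. The sample events, resource names, role name, and status reason wording are constructed placeholders; real reason strings vary by service.

```python
import json
import re
from collections import defaultdict

# Constructed sample shaped like `aws cloudformation describe-stack-events --output json`.
# Resource names, account ID, role and status reasons are placeholders, not solution output.
SAMPLE_EVENTS = json.dumps({"StackEvents": [
    {"Timestamp": "2025-01-01T10:00:01+00:00", "LogicalResourceId": "ExampleTable",
     "ResourceType": "AWS::DynamoDB::Table", "ResourceStatus": "CREATE_COMPLETE"},
    {"Timestamp": "2025-01-01T10:00:02+00:00", "LogicalResourceId": "ExampleBucket",
     "ResourceType": "AWS::S3::Bucket", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "User: arn:aws:sts::111122223333:assumed-role/ExampleDeployer/cli "
                             "is not authorized to perform: s3:CreateBucket on resource: "
                             "arn:aws:s3:::example-bucket"},
    {"Timestamp": "2025-01-01T10:00:03+00:00", "LogicalResourceId": "ExampleKey",
     "ResourceType": "AWS::KMS::Key", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "Access Denied (Service: Kms, Status Code: 400)"},
    {"Timestamp": "2025-01-01T10:00:04+00:00", "LogicalResourceId": "ExampleFunction",
     "ResourceType": "AWS::Lambda::Function", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "Resource creation cancelled"},
]})

DENIED = re.compile(r"access ?denied|not authorized", re.IGNORECASE)
ACTION = re.compile(r"not authorized to perform: ([A-Za-z0-9-]+:[A-Za-z0-9*]+)")

def permission_failures(events_json):
    """Return {service: [{resource, action}]} for permission-related failures, oldest first."""
    by_service = defaultdict(list)
    events = json.loads(events_json)["StackEvents"]
    for ev in sorted(events, key=lambda e: e["Timestamp"]):
        reason = ev.get("ResourceStatusReason") or ""
        # Skip successes and collateral failures (for example, cancelled siblings):
        # only the events whose reason names a denial point at the missing permission.
        if not ev["ResourceStatus"].endswith("_FAILED") or not DENIED.search(reason):
            continue
        match = ACTION.search(reason)
        action = match.group(1) if match else None
        # Prefer the service prefix of the denied IAM action; otherwise use the resource type.
        service = action.split(":")[0] if action else ev["ResourceType"].split("::")[1].lower()
        by_service[service].append({"resource": ev["LogicalResourceId"], "action": action})
    return dict(by_service)

if __name__ == "__main__":
    for service, failures in permission_failures(SAMPLE_EVENTS).items():
        for f in failures:
            print(f"{service}: {f['resource']} denied {f['action'] or '(action not reported)'}")
```

The grouped result gives your AWS administrator the specific services and, where the event reports it, the IAM action to grant.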

## Knowledge Requirements

+ Basic understanding of AWS services
+ Familiarity with AWS CloudFormation

## Deployment Modes


You can configure the deployment mode during AWS CloudFormation deployment. These modes provide simpler configuration options for proof of concept or test environments. Both modes are feature compatible.

### Development Mode

+ Reduced provisioned concurrency
+ Suitable for testing and development

### Production Mode

+ Provisioned concurrency for AWS Lambda

# Cost


You are responsible for the cost of the AWS services used while running this solution.

**Note**  
The cost for running Spatial Data Management on AWS depends on your deployment configuration, data volume, and usage patterns. The following examples provide cost breakdowns for various deployment sizes in the US West (Oregon) Region.

We recommend creating a [budget](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-create.html) through [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/) to help manage costs. Prices are subject to change. For full details, refer to the pricing webpage for each AWS service used in this solution.

## Example Cost Table



| Deployment Size | Small | Medium | Large | 
| --- | --- | --- | --- | 
|   **Example**   |  < 1 TB data, 10 users  |  1-10 TB data, 50 users  |  > 10 TB data, 100+ users  | 
|   **AWS Services**   |   **Cost (USD)**   |   **Cost (USD)**   |   **Cost (USD)**   | 
|  Amazon S3  |  \$23.55  |  \$235.50  |  \$2,355.00  | 
|  Amazon DynamoDB  |  \$5.00  |  \$25.00  |  \$100.00  | 
|  AWS Lambda  |  \$10.00  |  \$50.00  |  \$200.00  | 
|  Amazon API Gateway  |  \$3.50  |  \$17.50  |  \$70.00  | 
|  Amazon OpenSearch Serverless  |  \$50.00  |  \$150.00  |  \$500.00  | 
|  Amazon CloudFront  |  \$5.00  |  \$25.00  |  \$100.00  | 
|  AWS Key Management Service  |  \$5.00  |  \$5.00  |  \$5.00  | 
|  Amazon Cognito  |  \$2.00  |  \$10.00  |  \$40.00  | 
|  VPC endpoints  |  \$15.00  |  \$15.00  |  \$15.00  | 
|  Amazon CloudWatch  |  \$5.00  |  \$15.00  |  \$50.00  | 
|  AWS Deadline Cloud  |  \$8.00  |  \$40.00  |  \$160.00  | 
|   **Total Cost per month (USD)**   |   **\$132.05**   |   **\$588.00**   |   **\$3,595.00**   | 

**Important**  
This estimate assumes: S3 storage costs based on data volume (1 TB = \$23.55/month), moderate API request volume, standard data transfer rates, and on-demand pricing for all services. AWS Deadline Cloud costs assume a small percentage of files undergo metadata extraction jobs and one file conversion job per file to generate preview (for example, E57 to MP4 turntable low-resolution preview).

Actual costs will vary based on:
+ Data volume and growth rate
+ Number of API requests
+ Data transfer (uploads/downloads)
+ Search query frequency
+ Number of concurrent users
+ Compute resources used for data transformations and integration orchestration with external applications

# Security planning


Before you proceed, review the security considerations for this solution. When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit the [AWS Security Center](https://aws.amazon.com/security/). For security details specific to this solution, see [Security](security.md).

# Integration Planning


## External Systems


The solution provides a Connector feature that enables you to build connectors for external applications using REST APIs. Before configuring external application integrations, understand the following:
+ Connector interfaces and REST API requirements
+ Authentication and authorization requirements for external systems
+ Data format and payload specifications

 **Recommended Approach:** 

1. Start with a proof of concept to validate the integration approach

1. Test the connector in a test mode deployment

1. Deploy to production workloads only after successful validation

## Data Migration


Plan and implement a migration strategy for your current workloads. Use a gradual, phased approach to minimize risk and impact:
+ Assess existing data volume and characteristics
+ Plan a phased migration approach considering scale and operational impact
+ Implement backups before each migration phase
+ Define verification procedures to confirm successful data migration
+ Validate data integrity and completeness after each phase
+ Document completion criteria and sign-off procedures

 **Data Upload Methods:** 

You can upload data to the solution using one of the following methods:
+ Programmatic migration – Use REST APIs to create resource structures and obtain temporary S3 credentials, then upload directly to Amazon S3
+ Client applications – Use the web portal or desktop application for interactive uploads

# Operations planning


## Monitoring and Operations


For detailed information on monitoring, backup, and recovery best practices, see the following sections:
+ For monitoring and operational visibility, see [Infrastructure Security](infrastructure-security.md) in the Security section
+ For backup and disaster recovery strategies, see [Resilience](resilience.md) in the Security section
+ For architecture details on monitoring services, see [AWS Services](aws-services.md) in the Architecture Overview

## Quotas


Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account.

### Quotas for AWS Services in This Solution


Make sure you have sufficient quota for each of the services implemented in this solution. For more information, refer to [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).

Use the following links to view service quotas for the AWS services used in this solution:


| Service | Documentation Link | 
| --- | --- | 
|  Amazon API Gateway  |   [API Gateway quotas](https://docs.aws.amazon.com/general/latest/gr/apigateway.html)   | 
|  Amazon CloudFront  |   [CloudFront quotas](https://docs.aws.amazon.com/general/latest/gr/cf_region.html)   | 
|  Amazon CloudWatch  |   [CloudWatch quotas](https://docs.aws.amazon.com/general/latest/gr/cloudwatch_limits.html)   | 
|  Amazon Cognito  |   [Cognito quotas](https://docs.aws.amazon.com/general/latest/gr/cognito_identity.html)   | 
|  Amazon DynamoDB  |   [DynamoDB quotas](https://docs.aws.amazon.com/general/latest/gr/ddb.html)   | 
|  Amazon EventBridge  |   [EventBridge quotas](https://docs.aws.amazon.com/general/latest/gr/cwe_region.html)   | 
|  Amazon OpenSearch Serverless  |   [OpenSearch Serverless quotas](https://docs.aws.amazon.com/general/latest/gr/opensearch-service.html)   | 
|  Amazon S3  |   [S3 quotas](https://docs.aws.amazon.com/general/latest/gr/s3.html)   | 
|  Amazon SQS  |   [SQS quotas](https://docs.aws.amazon.com/general/latest/gr/sqs-service.html)   | 
|  Amazon Verified Permissions  |   [Verified Permissions quotas](https://docs.aws.amazon.com/general/latest/gr/verifiedpermissions.html)   | 
|  AWS CloudFormation  |   [CloudFormation quotas](https://docs.aws.amazon.com/general/latest/gr/cfn.html)   | 
|  AWS KMS  |   [KMS quotas](https://docs.aws.amazon.com/general/latest/gr/kms.html)   | 
|  AWS Lambda  |   [Lambda quotas](https://docs.aws.amazon.com/general/latest/gr/lambda-service.html)   | 
|  AWS Secrets Manager  |   [Secrets Manager quotas](https://docs.aws.amazon.com/general/latest/gr/asm.html)   | 

### Key Quota Considerations


Before deploying this solution, verify the following quotas in your AWS account:

 **AWS Lambda:** 
+ Concurrent executions: Default 1000 (solution reserves up to 500)
+ Function storage: Default 75 GB
+ If your account has reduced quotas, request an increase before deployment

 **Amazon DynamoDB:** 
+ Tables per region: Default 2500 (solution creates 11 tables)
+ On-demand throughput: No fixed limit, but subject to account-level limits

 **Amazon S3:** 
+ Buckets per account: Default 100 (solution creates 5 buckets)
+ Objects per bucket: Unlimited

 **VPC:** 
+ VPCs per region: Default 5 (solution creates 1 VPC)
+ VPC endpoints per VPC: Default 50 (solution creates 8 endpoints)

 **Amazon API Gateway:** 
+ Regional APIs per account: Default 600 (solution creates 1 API)
+ Requests per second: Default 10,000 (solution throttles at 500 req/s)

To view your current quotas and request increases, use the [Service Quotas console](https://console.aws.amazon.com/servicequotas/).

# Production Deployment Recommendations


For production deployments, consider the following best practices:

 **Custom Domain Configuration** 

Configure a custom domain for your deployment following your organization’s security best practices and policies. You can specify a custom domain during the initial deployment, or configure it after deployment is complete.

 **External Identity Provider Integration** 

Instead of managing users and groups directly in Amazon Cognito, integrate with your organization’s external identity provider. This centralizes user and group management in your existing identity system and enforces consistent security policies across your organization. For configuration guidance, see [Cognito User Pools Identity Federation](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html) in the AWS documentation.