Applications and services must be protected in case of a disaster or emergency. To design the architecture of these applications, employees often need access to critical information related to disaster recovery, business continuity, and safety recommendations. However, this information is currently scattered across various resources, wikis, and documentation, and employees often struggle to find the right information when they need it most.
- Initial User Interaction:
  - User accesses the website through CloudFront
  - CloudFront serves the static website from S3 (HTML, CSS, JS files)
  - Cognito handles user authentication/permissions and provides the necessary AWS credentials
  - Frontend sends the query to Lex over an authenticated connection
- Lex Intent Check:
  - Lex analyzes the query to identify the intent
  - Determines what kind of information the user is seeking
  - If Lex has a matching intent → provides a direct response
  - If no matching intent → forwards the query to the Lambda function
- Lambda Initial Processing:
  - ConversationalRetrievalChain is used
  - Calls Bedrock (first LLM) to formulate the search prompt
  - Uses the conversation history
- Kendra Search:
  - Lambda sends the prompt to the Kendra retrieve API
  - Kendra searches through the documents in S3
  - Kendra returns relevant context passages
- Response Generation:
  - Lambda sends the prompt + Kendra context to Bedrock (second LLM)
  - Bedrock uses the search results to generate a natural-language response
  - A different LLM is used for response generation
  - Optimized for cost/performance
- Response Delivery:
  - Lambda sends the response back to Lex
  - Lex stores the conversation history in the session
  - Response is displayed to the user through the frontend
Amazon Cognito serves as the authentication and authorization backbone for web applications distributed through CloudFront. In our implementation, we're utilizing Cognito's Identity Pools to manage unauthenticated (guest) access, which provides temporary AWS credentials to users accessing the chatbot interface through CloudFront's secure content delivery network.
The security flow begins when a user accesses the website through CloudFront, which serves the static content securely via HTTPS. Behind the scenes, Cognito's Identity Pool issues temporary AWS credentials, allowing the frontend application to interact with AWS services (specifically Lex in our case) through IAM roles that define precise permissions for unauthenticated users.
This architecture ensures secure and scalable access management while maintaining simplicity for public chatbot access. The combination of CloudFront's secure content delivery and Cognito's identity management creates a robust system where users can interact with AWS services safely, without requiring authentication, while still maintaining control over resource access through IAM policies.
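The part of this design that decides how much a guest can do is the IAM role behind the Identity Pool's unauthenticated identities. The following is an added example, not the project's own code: it builds the trust policy (pinned to one pool id and to the `unauthenticated` `amr` claim), a permissions policy that allows only the two Lex V2 runtime calls on one bot alias, and a checker that flags wildcard grants. The pool id, account id, bot id and alias id are constructed placeholders.

```python
"""Constructed example: least-privilege wiring for the guest (unauthenticated) role of a
Cognito Identity Pool, plus a checker for the over-broad patterns that creep into such
roles. Lex V2 action names and the bot-alias ARN format follow the AWS documentation."""

LEX_RUNTIME_ACTIONS = ["lex:RecognizeText", "lex:RecognizeUtterance"]


def trust_policy(identity_pool_id: str) -> dict:
    """Only unauthenticated identities from this exact Identity Pool may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated"},
        }}]}


def lex_permissions_policy(region: str, account: str, bot_id: str, alias_id: str) -> dict:
    """Allow the two runtime calls on one bot alias and nothing else."""
    arn = f"arn:aws:lex:{region}:{account}:bot-alias/{bot_id}/{alias_id}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": LEX_RUNTIME_ACTIONS, "Resource": arn}]}


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def overbroad_findings(policy: dict) -> list[str]:
    """Reasons a guest permissions policy is wider than 'talk to one Lex bot alias'."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith("*") or not action.startswith("lex:"):
                findings.append(f"statement {i}: action {action!r} exceeds the Lex runtime scope")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" or ":bot-alias/" not in resource:
                findings.append(f"statement {i}: resource {resource!r} is not a single bot alias")
    return findings


def trust_policy_is_guest_scoped(policy: dict) -> bool:
    """True when every statement pins the pool id and limits amr to 'unauthenticated'."""
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud")
        amr = cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr")
        if not aud or amr != "unauthenticated":
            return False
    return True
```

Running `overbroad_findings` over the role's actual policy document (for example the output of `aws iam get-role-policy`) is a cheap deploy-time check that the guest role never grows beyond the Lex calls the frontend needs.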