Security Architecture
Auth model, network boundaries, encryption, secrets management, and audit.
Defense in depth: every layer of the Sentinel stack has explicit security controls.
Trust Boundaries
```
┌─────────────────────────────────────────┐
│             Public Internet             │
│         (CloudFront CDN + WAF)          │
└──────────────┬──────────────────────────┘
               │
┌──────────────▼──────────────────────────┐
│         AWS ALB (HTTPS/TLS 1.3)         │
│      (Geo-restriction: India only)      │
└──────────────┬──────────────────────────┘
               │
┌──────────────▼──────────────────────────┐
│     ECS Fargate (Sentinel Frontend)     │
│          (No direct DB access)          │
└──────────────┬──────────────────────────┘
               │
┌──────────────▼──────────────────────────┐
│     ECS Fargate (Studio Middleware)     │
│       (Auth, RBAC, Rate Limiting)       │
└──────────────┬──────────────────────────┘
               │
┌──────────────▼──────────────────────────┐
│   Internal ALB → Capability Backends    │
│           (No public ingress)           │
└──────────────┬──────────────────────────┘
               │
┌──────────────▼──────────────────────────┐
│     Data Layer (MongoDB, Postgres,      │
│         OpenSearch, S3, Redis)          │
│      (VPC-only, encrypted, backup)      │
└─────────────────────────────────────────┘
```
Authentication
| Layer | Mechanism | Notes |
|---|---|---|
| User → Frontend | Session cookie (HttpOnly, Secure, SameSite) | 24h expiry |
| Frontend → Studio | Bearer JWT | 1h expiry |
| Studio → Backends | Internal mTLS (service mesh) | Certificate rotation |
| Backend → LLM | API keys (scoped per tenant) | Rotated monthly |
Authorization (RBAC)
```
User ──► JWT (role claim)
              │
              ▼
      Studio Middleware
              │
              ├──► Viewer?  ──► Read own data only
              ├──► Analyst? ──► Read + Write own data
              └──► Admin?   ──► Full tenant management
```
Every API endpoint has an explicit @require_role decorator. No endpoint defaults to open.
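One way to make "no endpoint defaults to open" enforceable is sketched below. It is an added example, not Sentinel's own code. The `require_role` signature, `Forbidden`, `unguarded`, `dispatch`, the handlers and the `sub`/`role` claim names are all hypothetical, and the JWT is assumed to be verified before the claims reach the decorator.

```python
import functools

ROLES = {"viewer", "analyst", "admin"}  # role names from the page's RBAC diagram


class Forbidden(Exception):
    """Request denied; a real service would map this to HTTP 403."""


def require_role(*allowed):
    """Record which roles may call a handler and enforce that on every call."""
    if not allowed or set(allowed) - ROLES:
        raise ValueError(f"require_role needs known roles, got {allowed!r}")

    def decorate(handler):
        @functools.wraps(handler)
        def guarded(claims, *args):
            # Assumption: claims come from a JWT whose signature and expiry
            # were already verified upstream.
            if claims.get("role") not in allowed:
                raise Forbidden(f"{claims.get('role')!r} may not call {handler.__name__}")
            return handler(claims, *args)
        guarded.required_roles = frozenset(allowed)
        return guarded
    return decorate


def unguarded(handlers):
    """Names of handlers lacking @require_role; a CI check fails if non-empty."""
    return sorted(h.__name__ for h in handlers if not hasattr(h, "required_roles"))


def dispatch(handler, claims, *args):
    """Fail closed: a handler with no role marker is never invoked."""
    if not hasattr(handler, "required_roles"):
        raise Forbidden(f"{handler.__name__} has no @require_role")
    return handler(claims, *args)


@require_role("analyst")
def write_document(claims, doc, body):
    if doc["owner"] != claims["sub"]:  # "own data" in the diagram
        raise Forbidden("not the owner")
    doc["body"] = body
    return doc


def health(claims):  # constructed: a handler someone forgot to decorate
    return "ok"
```

Running `unguarded` over the full handler list in CI catches a missing decorator before deployment, while `dispatch` refuses it at runtime if it slips through.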
Secrets Management
| Secret | Storage | Rotation |
|---|---|---|
| Database passwords | AWS SSM Parameter Store | Quarterly |
| JWT signing key | AWS Secrets Manager | Monthly |
| LLM API keys | AWS Secrets Manager + per-tenant scoping | Monthly |
| OAuth client secrets | AWS Secrets Manager | On credential refresh |
No secrets are hardcoded in source code or Docker images.
Encryption
| Layer | Algorithm | Key Management |
|---|---|---|
| TLS in transit | TLS 1.3 | ACM certificates |
| S3 at rest | AES-256 (SSE-S3) | AWS-managed |
| MongoDB | AES-256 | AWS KMS |
| PostgreSQL | AES-256 | AWS KMS |
| Backups | AES-256 | Customer-managed (optional BYOK) |
Audit
All security-relevant events are logged to PostgreSQL:
| Event | Fields |
|---|---|
| Login | User ID, IP, user agent, success/failure, MFA status |
| API call | User ID, endpoint, method, status code, duration |
| Data access | User ID, document ID, action (read/write/delete) |
| Role change | Admin ID, target user ID, old role, new role |
| Export | User ID, export format, document IDs, destination |
Retention: 7 years (immutable).