AWS shared infrastructure bootstrap¶
| ID | MOD-104 |
| System | SD07 |
| Repo | bank-platform |
| Build status | Deployed |
| Deployed | Yes |
| Last commit | bd9bfc0c9b4b0abbc7cf3d28d714d9378d3a11fc |
Purpose¶
Provisions all shared AWS infrastructure that every system domain depends on. This is an IaC module: it contains SST Ion (Pulumi) stacks, not Lambda application code. It runs via the bank-platform CI/CD pipeline and must be fully deployed before any other module in any system domain can be deployed.
This is the bottom of the dependency tree. No other module can be deployed without it.
Execution pattern¶
Unlike runtime modules, this module uses:
- SST v3 Ion (home: "aws") for all AWS resource provisioning, consistent with ADR-025, which establishes Pulumi (via SST Ion) as the IaC layer for all repos
- SST Ion self-bootstraps its state infrastructure on first deploy: it creates its own S3 state bucket and records the bucket name in SSM Parameter Store at /sst/bootstrap. No manual state bucket creation is required; npx sst deploy with valid AWS credentials is sufficient. Because that bucket holds the Pulumi state for the whole platform, the credentials used for the first deploy determine who can read and write it, and it should be treated as sensitive from day one.
- Deployed once at platform bootstrap, then updated on config change via CI/CD
- Runs before all other repos' deployment pipelines
- Lives in a bootstrap/ directory in the bank-platform repo, separate from runtime Lambda code
EventBridge buses¶
One custom event bus per system domain. Each bus has:
- A cross-account resource policy permitting events:PutEvents from the corresponding Lambda execution role only
- An event archive retaining all events for 30 days (replay capability)
- An SQS dead-letter queue attached to each rule target for events EventBridge cannot deliver
| Bus name | Owner | Purpose |
|---|---|---|
| bank-core | SD01 | Account lifecycle, posting, balance events |
| bank-kyc | SD02 | KYC status, onboarding, CDD events |
| bank-aml | SD03 | Alert created, case status, STR filed events |
| bank-payments | SD04 | Payment initiated, settled, failed events |
| bank-credit | SD05 | Application, decisioning, drawdown events |
| bank-risk-platform | SD06 | Score updates, rate publications, capital alerts |
| bank-platform | SD07 | CDC, usage events, external asset updates |
| bank-app | SD08 | Device registered, session, notification events |
Cross-bus subscriptions (where one domain needs events from another) use EventBridge rules with a cross-bus target. The event catalogue documents all rules and named consumers.
S3 buckets¶
| Bucket | Purpose | Encryption | Lifecycle |
|---|---|---|---|
| bank-iceberg-prod | Iceberg data lake — CDC output (MOD-042) | KMS (financial data key) | Glacier after 90d, delete after 7y |
| bank-firehose-landing | Kinesis Firehose landing zone | KMS (operational key) | Auto-expire 24h |
| bank-documents-prod | Customer document store (MOD-028) | KMS (PII key) | Glacier after 1y, delete after 7y |
| bank-artefacts | Deployment artefacts (Lambda ZIPs, IaC assets) | SSE-S3 | Delete after 90d |
| bank-reports-prod | Regulatory report output, invoice PDFs | KMS (financial data key) | Glacier after 1y, delete after 7y |
All buckets: SSL-only access enforced, public access blocked, versioning enabled.
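The bucket baseline above (TLS-only access, public access blocked, versioning, per-classification SSE-KMS, lifecycle transitions), as an added example that is not the bank-platform IaC: plain Python that emits the JSON the stacks would hand to S3, with a parser for the lifecycle shorthand used in the table. Account ID, region and key ARNs are placeholders; the non-current-version expiry and multipart-abort rules are additions, because with versioning enabled an Expiration alone only writes delete markers and nothing is ever removed.

```python
"""Added example, not bank-platform code: the S3 baseline as configuration JSON."""
from __future__ import annotations
import json
import re

REGION, ACCOUNT = "ap-southeast-2", "111111111111"  # placeholders

# Placeholders standing in for the ARNs read from /bank/{env}/kms/{alias}/arn.
KEY_ARNS = {a: f"arn:aws:kms:{REGION}:{ACCOUNT}:key/placeholder-{a}"
            for a in ("pii", "financial", "operational")}

# Transcribed from the table: name -> (key alias, or None for SSE-S3; lifecycle shorthand).
BUCKETS = {
    "bank-iceberg-prod": ("financial", "Glacier after 90d, delete after 7y"),
    "bank-firehose-landing": ("operational", "Auto-expire 24h"),
    "bank-documents-prod": ("pii", "Glacier after 1y, delete after 7y"),
    "bank-artefacts": (None, "Delete after 90d"),
    "bank-reports-prod": ("financial", "Glacier after 1y, delete after 7y"),
}

_DURATION = re.compile(r"\s*(\d+)\s*(h|d|y)\s*")

def to_days(token: str) -> int:
    """'90d' -> 90, '7y' -> 2555, '24h' -> 1 (S3 lifecycle works in whole days)."""
    m = _DURATION.fullmatch(token)
    if not m:
        raise ValueError(f"unrecognised duration {token!r}")
    n, unit = int(m.group(1)), m.group(2)
    if unit == "h":
        return -(-n // 24)  # ceiling division to whole days
    return n if unit == "d" else n * 365

def lifecycle_rules(shorthand: str) -> list[dict]:
    """Translate the table's lifecycle column into an S3 lifecycle rule."""
    rule: dict = {"ID": "baseline", "Status": "Enabled", "Filter": {"Prefix": ""}}
    for clause in shorthand.lower().split(","):
        clause = clause.strip()
        if clause.startswith("glacier after"):
            rule.setdefault("Transitions", []).append(
                {"Days": to_days(clause[len("glacier after"):]), "StorageClass": "GLACIER"})
        elif clause.startswith("delete after"):
            rule["Expiration"] = {"Days": to_days(clause[len("delete after"):])}
        elif clause.startswith("auto-expire"):
            rule["Expiration"] = {"Days": to_days(clause[len("auto-expire"):])}
        else:
            raise ValueError(f"unknown lifecycle clause {clause!r}")
    # Versioning is on everywhere, so age out non-current versions as well (assumption: same
    # retention as current versions) and abandon stuck multipart uploads.
    rule["NoncurrentVersionExpiration"] = {"NoncurrentDays": rule["Expiration"]["Days"]}
    rule["AbortIncompleteMultipartUpload"] = {"DaysAfterInitiation": 7}
    return [rule]

def bucket_policy(name: str, key_alias: str | None) -> dict:
    """TLS-only on every bucket; on KMS buckets, refuse uploads that pick another scheme."""
    arn = f"arn:aws:s3:::{name}"
    statements = [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }]
    if key_alias is not None:
        # Uploads that omit the encryption header fall through to default bucket encryption
        # (set in baseline()); these statements stop a caller overriding it with SSE-S3 or
        # with a key from a different classification.
        statements += [{
            "Sid": "DenyNonKmsEncryption", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"{arn}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        }, {
            "Sid": "DenyForeignKey", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"{arn}/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARNS[key_alias]}},
        }]
    return {"Version": "2012-10-17", "Statement": statements}

def baseline(name: str) -> dict:
    """Everything the page requires for one bucket, in one structure."""
    key_alias, lifecycle = BUCKETS[name]
    sse = ({"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARNS[key_alias]}
           if key_alias else {"SSEAlgorithm": "AES256"})
    return {
        "Bucket": name,
        "PublicAccessBlock": {k: True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                                  "BlockPublicPolicy", "RestrictPublicBuckets")},
        "Versioning": {"Status": "Enabled"},
        "DefaultEncryption": {"ApplyServerSideEncryptionByDefault": sse,
                              "BucketKeyEnabled": key_alias is not None},
        "Policy": bucket_policy(name, key_alias),
        "LifecycleRules": lifecycle_rules(lifecycle),
    }

if __name__ == "__main__":
    print(json.dumps(baseline("bank-documents-prod"), indent=2))
```

Running it prints the full baseline for bank-documents-prod; feeding each BUCKETS entry through baseline() is a cheap way to diff what is deployed against what this page promises.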
KMS keys¶
One customer-managed key (CMK) per data classification level:
| Key alias | Classification | Used by |
|---|---|---|
| bank/pii | Customer PII — names, DOB, addresses, tax IDs | Document store, KYC databases, Cognito |
| bank/financial | Financial records — transactions, balances, rates | Iceberg, report output, Snowflake integration |
| bank/operational | Operational data — logs, configs, artefacts | Firehose, Secrets Manager, CloudTrail |
Key policies: usage rights granted only to the Lambda execution roles of modules that handle that data classification. Key rotation is automatic (annual). Key ARNs are exported as SSM Parameter Store parameters (/bank/{env}/kms/{alias}/arn) and referenced by all downstream IaC modules.
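Added example, not the bank-platform stacks: deriving the three key policies from the role-to-classification mapping in the IAM table further down, so each key names only the roles documented for that classification, plus a drift check for a key policy pulled from a live account. Two things here go beyond the page. The table lists "KMS decrypt" only, but a role that puts objects into an SSE-KMS bucket (BankKycRole into bank-documents-prod, and BankPlatformRole into the Iceberg and Firehose landing buckets, which the table does not list as KMS grants at all) also needs kms:GenerateDataKey, so those roles get a write statement. And /bank/{env}/kms/{alias}/arn is read as using the short alias (pii, financial, operational). The account ID is a placeholder.

```python
"""Added example, not bank-platform code: per-classification KMS key policies."""
from __future__ import annotations

ACCOUNT = "111111111111"  # placeholder

# Transcribed from the IAM execution-role table: role -> {classification: access}.
# "write" marks a role shown putting objects into a bucket encrypted with that key.
# BankPlatformRole's entries are inferred from its S3 read/write (assumption).
ROLE_ACCESS = {
    "BankCoreRole":     {"financial": "read"},
    "BankKycRole":      {"pii": "write", "financial": "read"},
    "BankAmlRole":      {"financial": "read"},
    "BankPaymentsRole": {"financial": "read"},
    "BankCreditRole":   {"financial": "read", "pii": "read"},
    "BankRiskRole":     {"financial": "read"},
    "BankPlatformRole": {"financial": "write", "operational": "write"},
    "BankAppRole":      {"pii": "read"},
}

READ_ACTIONS = ["kms:Decrypt", "kms:DescribeKey"]
# Writing into an SSE-KMS bucket needs a fresh data key; Decrypt alone cannot mint one.
WRITE_ACTIONS = READ_ACTIONS + ["kms:Encrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*"]

def role_arn(role: str) -> str:
    return f"arn:aws:iam::{ACCOUNT}:role/{role}"

def principals_for(classification: str, access: str) -> list[str]:
    return sorted(role_arn(r) for r, m in ROLE_ACCESS.items() if m.get(classification) == access)

def key_policy(classification: str) -> dict:
    """Key policy for alias/bank/<classification>: root admin plus read/write usage
    statements naming only the roles documented for that classification."""
    statements = [{
        # Standard root statement so the key stays administrable through IAM; narrow it to a
        # dedicated key-admin role if the PAM model (MOD-046) provides one.
        "Sid": "AccountRootAdmin", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
        "Action": "kms:*", "Resource": "*",
    }]
    for access, actions in (("read", READ_ACTIONS), ("write", WRITE_ACTIONS)):
        principals = principals_for(classification, access)
        if principals:
            statements.append({
                "Sid": f"{access.capitalize()}Usage", "Effect": "Allow",
                "Principal": {"AWS": principals}, "Action": actions,
                "Resource": "*",  # inside a key policy, "*" means this key only
            })
    return {"Version": "2012-10-17", "Statement": statements}

def key_spec(classification: str, env: str = "prod") -> dict:
    """The key as provisioned, plus the SSM parameter downstream IaC reads for its ARN."""
    return {
        "Alias": f"alias/bank/{classification}",
        "EnableKeyRotation": True,  # automatic annual rotation, per the page
        "KeyPolicy": key_policy(classification),
        "SsmParameterName": f"/bank/{env}/kms/{classification}/arn",
    }

def roles_on_key(policy: dict) -> set[str]:
    """Role names granted usage by a key policy (the account root is excluded)."""
    roles: set[str] = set()
    for s in policy["Statement"]:
        p = s.get("Principal")
        arns = p.get("AWS", []) if isinstance(p, dict) else []
        for a in ([arns] if isinstance(arns, str) else arns):
            if not a.endswith(":root"):
                roles.add(a.rsplit("/", 1)[1])
    return roles

def lint(classification: str, policy: dict) -> list[str]:
    """Drift check for a deployed key policy: wildcard principals, and usage granted to a
    role the table does not list for this classification."""
    findings = []
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        p = s.get("Principal")
        if p == "*" or (isinstance(p, dict) and p.get("AWS") == "*"):
            findings.append(f"{s.get('Sid')}: wildcard principal")
            continue
        for role in roles_on_key({"Statement": [s]}):
            if classification not in ROLE_ACCESS.get(role, {}):
                findings.append(f"{s.get('Sid')}: {role} is not documented for bank/{classification}")
    return findings
```

lint() is the piece worth wiring into CI: fetch each key's policy with kms:GetKeyPolicy and fail the pipeline on any finding, so a grant added by hand outside the stacks surfaces on the next run.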
Kinesis Data Firehose streams¶
| Stream | Source | Destination | Purpose |
|---|---|---|---|
| bank-cdc-stream | Neon logical replication (MOD-042) | S3 bank-iceberg-landing/ | CDC pipeline landing |
| bank-usage-events | EventBridge bank-platform bus | S3 + Snowflake | Usage metering (MOD-097) |
Both streams: 128 MB / 300s buffer, KMS encryption, CloudWatch error metrics, SQS DLQ.
Cognito user pools¶
Two user pools per environment, per ADR-026, ADR-027, and ADR-042:
| Pool | Users | MFA | Custom attributes |
|---|---|---|---|
| bank-customers-{env} | All retail customers — NZ and AU | Required (biometric app + TOTP fallback) | custom:user_id, custom:party_id, custom:jurisdiction |
| bank-staff-{env} | Internal employees + contractors | Required (TOTP) | custom:staff_id |
NZ and AU customers share a single pool. Jurisdiction is expressed as a custom attribute (custom:jurisdiction, with value NZ or AU) set at onboarding and emitted as a JWT claim on every token. Note that Cognito places custom attributes in the ID token by default; carrying the claim in the access token as well requires a pre token generation Lambda trigger, so the authoriser must read it from whichever token the API contract specifies. See jurisdiction runtime model for how this flows through the system.
App clients provisioned for: mobile app (public client, PKCE), web app (public client, PKCE), back-office web (confidential client), internal API Gateway authoriser. Token configuration: ID token 1h, access token 1h, refresh token 30d.
IAM Lambda execution roles¶
One IAM role per system domain, following least-privilege:
| Role | Trust | Key permissions |
|---|---|---|
| BankCoreRole | Lambda (bank-core) | Neon secrets read, EventBridge put (bank-core bus), KMS decrypt (financial) |
| BankKycRole | Lambda (bank-kyc) | Neon secrets read, EventBridge put (bank-kyc bus), S3 put (documents), KMS decrypt (PII + financial) |
| BankAmlRole | Lambda (bank-aml) | Neon secrets read, EventBridge put (bank-aml bus), KMS decrypt (financial) |
| BankPaymentsRole | Lambda (bank-payments) | Neon secrets read, EventBridge put (bank-payments bus), KMS decrypt (financial) |
| BankCreditRole | Lambda (bank-credit) | Neon secrets read, EventBridge put (bank-credit bus), KMS decrypt (financial + PII) |
| BankRiskRole | Lambda (bank-risk-platform) | Snowflake key read, EventBridge put (bank-risk-platform bus), KMS decrypt (financial) |
| BankPlatformRole | Lambda (bank-platform) | All event buses read, S3 read/write (iceberg + firehose), Kinesis put, Snowflake key read |
| BankAppRole | Lambda (bank-app) | Neon secrets read, EventBridge put (bank-app bus), Cognito admin, KMS decrypt (PII) |
All roles: region pinning and mandatory tag scoping via IAM conditions (aws:RequestedRegion restricts every grant to the platform region; aws:ResourceTag/module_id denies access to resources that carry no module_id tag, on the services that support tag-based authorisation).
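The execution roles above and the per-domain bus resource policy from the EventBridge section, as an added example that is not the platform's own IaC: seven role permission policies built from the table with the aws:RequestedRegion pin on every Allow and the aws:ResourceTag/module_id condition where the service supports it, the Lambda trust policy, the bus policy, and a least-privilege lint. Assumptions: account, region and the Cognito pool ARN are placeholders; Secrets Manager names are taken to follow bank/{env}/{service}/...; the aws:SourceAccount trust condition is an addition the page does not state; BankPlatformRole's cross-bus, S3 and Kinesis grants are not modelled.

```python
"""Added example, not bank-platform code: per-domain execution roles and bus policies."""
from __future__ import annotations

REGION, ACCOUNT, ENV = "ap-southeast-2", "111111111111", "prod"  # placeholders

# Transcribed from the table above. "secrets" are Secrets Manager name prefixes (assumed
# layout); "s3_put" marks a KMS-encrypted bucket the role writes to, which also needs a
# data-key grant on that bucket's key.
ROLES = {
    "BankCoreRole":     dict(bus="bank-core",          secrets=["neon"],      kms=["financial"]),
    "BankKycRole":      dict(bus="bank-kyc",           secrets=["neon"],      kms=["pii", "financial"],
                             s3_put=["bank-documents-prod"]),
    "BankAmlRole":      dict(bus="bank-aml",           secrets=["neon"],      kms=["financial"]),
    "BankPaymentsRole": dict(bus="bank-payments",      secrets=["neon"],      kms=["financial"]),
    "BankCreditRole":   dict(bus="bank-credit",        secrets=["neon"],      kms=["financial", "pii"]),
    "BankRiskRole":     dict(bus="bank-risk-platform", secrets=["snowflake"], kms=["financial"]),
    "BankAppRole":      dict(bus="bank-app",           secrets=["neon"],      kms=["pii"], cognito_admin=True),
}

def arn(service: str, resource: str) -> str:
    return f"arn:aws:{service}:{REGION}:{ACCOUNT}:{resource}"

KEY_ARNS = {c: arn("kms", f"key/placeholder-{c}") for c in ("pii", "financial", "operational")}
USER_POOL_ARN = arn("cognito-idp", "userpool/placeholder-bank-customers")  # placeholder
# aws:ResourceTag is only evaluated by services with tag-based authorisation (Secrets Manager
# and KMS here); a resource with no module_id tag fails the match and the Allow does not apply.
TAGGED = {"StringLike": {"aws:ResourceTag/module_id": "MOD-*"}}

def allow(sid: str, actions: list[str], resources: list[str], extra: dict | None = None) -> dict:
    """An Allow statement with the region pin applied, plus any extra condition."""
    condition = {"StringEquals": {"aws:RequestedRegion": REGION}}
    for op, kv in (extra or {}).items():
        condition.setdefault(op, {}).update(kv)
    return {"Sid": sid, "Effect": "Allow", "Action": actions, "Resource": resources,
            "Condition": condition}

def trust_policy() -> dict:
    """Only Lambda functions in this account may assume the role; aws:SourceAccount closes
    the confused-deputy gap (an addition, not stated on the page)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT}},
    }]}

def permissions(role: str) -> dict:
    spec = ROLES[role]
    kms_actions = ["kms:Decrypt", "kms:DescribeKey"]
    if spec.get("s3_put"):
        kms_actions.append("kms:GenerateDataKey")  # needed to write into an SSE-KMS bucket
    statements = [
        allow("ReadSecrets", ["secretsmanager:GetSecretValue"],
              [arn("secretsmanager", f"secret:bank/{ENV}/{s}/*") for s in spec["secrets"]], TAGGED),
        allow("PutEvents", ["events:PutEvents"], [arn("events", f"event-bus/{spec['bus']}")]),
        allow("UseKms", kms_actions, [KEY_ARNS[c] for c in spec["kms"]], TAGGED),
    ]
    if spec.get("s3_put"):
        statements.append(allow("PutDocuments", ["s3:PutObject"],
                                [f"arn:aws:s3:::{b}/*" for b in spec["s3_put"]]))
    if spec.get("cognito_admin"):
        statements.append(allow("CognitoAdmin", ["cognito-idp:Admin*"], [USER_POOL_ARN]))
    return {"Version": "2012-10-17", "Statement": statements}

def bus_policy(bus: str) -> dict:
    """Resource policy on a domain bus: only the owning domain's execution role may publish."""
    owner = next(r for r, s in ROLES.items() if s["bus"] == bus)
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "OwnerRolePutEvents", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/{owner}"},
        "Action": "events:PutEvents", "Resource": arn("events", f"event-bus/{bus}"),
    }]}

def lint(policy: dict) -> list[str]:
    """Least-privilege checks: no '*' resource, no service-wide action, region pin present."""
    findings = []
    for s in policy["Statement"]:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        resources = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        if "*" in resources:
            findings.append(f"{s.get('Sid')}: wildcard resource")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{s.get('Sid')}: wildcard action")
        if s.get("Condition", {}).get("StringEquals", {}).get("aws:RequestedRegion") != REGION:
            findings.append(f"{s.get('Sid')}: missing region pin")
    return findings
```

Because the role side (permissions) and the bus side (bus_policy) are generated from the same ROLES table, a domain cannot end up able to publish to a neighbour's bus without the lint or the table making that visible.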
CloudTrail and SSM¶
- CloudTrail: Enabled across all accounts from day one. All management and data events logged to bank-artefacts/cloudtrail/. Retained 90 days hot, 7 years cold.
- SSM Parameter Store: Used for non-secret configuration shared across repos (KMS key ARNs, EventBridge bus ARNs, S3 bucket names, Cognito pool IDs). Naming convention: /bank/{env}/{service}/{parameter}.
Deployment note¶
This module is deployed via a dedicated infra stage in the CI/CD pipeline that runs before any system domain pipeline. On first deploy (bootstrap), a human operator must run aws sso login and assume the bootstrap role — subsequent updates are fully automated.
The bank-platform repo contains a bootstrap/ directory with the SST Ion stacks for this module, separate from the runtime Lambda code.
Module dependencies¶
Depends on¶
(No intra-platform module dependencies — this is a foundational or standalone module.)
Required by¶
| Module | Title | As | Contract |
|---|---|---|---|
| MOD-001 | Double-entry posting engine | Hard dependency | — |
| MOD-002 | Immutable transaction log | Hard dependency | — |
| MOD-003 | Real-time balance engine | Hard dependency | — |
| MOD-004 | Multi-currency ledger (NZD/AUD) | Hard dependency | — |
| MOD-005 | Daily accrual calculator | Hard dependency | — |
| MOD-006 | Rate change propagation | Hard dependency | — |
| MOD-007 | Account state machine | Hard dependency | — |
| MOD-008 | Dormancy & escheatment engine | Hard dependency | — |
| MOD-009 | eIDV & document verification | Hard dependency | — |
| MOD-010 | CDD tier assignment engine | Hard dependency | — |
| MOD-011 | KYC periodic review scheduler | Hard dependency | — |
| MOD-012 | KYC audit trail store | Hard dependency | — |
| MOD-013 | Real-time sanctions screener | Hard dependency | — |
| MOD-014 | List change propagation | Hard dependency | — |
| MOD-015 | False positive management | Hard dependency | — |
| MOD-016 | Rule-based typology engine | Hard dependency | — |
| MOD-017 | ML behavioural scoring model | Hard dependency | — |
| MOD-018 | Alert case management system | Hard dependency | — |
| MOD-019 | Regulatory report submission module | Hard dependency | — |
| MOD-020 | Pre-payment validation suite | Hard dependency | — |
| MOD-021 | Payment limit & velocity controller | Hard dependency | — |
| MOD-022 | Payment audit trail | Hard dependency | — |
| MOD-023 | Transaction fraud scorer | Hard dependency | — |
| MOD-024 | Device & session intelligence | Hard dependency | — |
| MOD-025 | FX rate lock & conversion | Hard dependency | — |
| MOD-026 | IFTI / CMIR reporting trigger | Hard dependency | — |
| MOD-027 | Affordability calculator | Hard dependency | — |
| MOD-028 | Credit score & risk rating | Hard dependency | — |
| MOD-029 | Pre-approval engine | Hard dependency | — |
| MOD-030 | Stage allocation model | Hard dependency | — |
| MOD-031 | ECL calculation & GL posting | Hard dependency | — |
| MOD-032 | LCR / NSFR calculator | Hard dependency | — |
| MOD-033 | RWA & capital ratio engine | Hard dependency | — |
| MOD-034 | Stress testing scenario engine | Hard dependency | — |
| MOD-035 | IRRBB / EVE / NII model | Hard dependency | — |
| MOD-036 | Prudential return builder (RBNZ / APRA) | Hard dependency | — |
| MOD-037 | AUSTRAC / RBNZ AML reporting pipeline | Hard dependency | — |
| MOD-038 | Data quality & reconciliation monitor | Hard dependency | — |
| MOD-039 | Customer risk score model | Hard dependency | — |
| MOD-040 | Churn & health score engine | Hard dependency | — |
| MOD-041 | Categorisation & merchant enrichment model | Hard dependency | — |
| MOD-042 | CDC pipeline — Neon logical replication to S3 Iceberg | Hard dependency | — |
| MOD-043 | EventBridge domain event governance | Hard dependency | — |
| MOD-044 | JWT role-based access control | Hard dependency | — |
| MOD-045 | Secrets & key management | Hard dependency | — |
| MOD-046 | Privileged access management (PAM) | Hard dependency | — |
| MOD-047 | Agent action logger | Hard dependency | — |
| MOD-048 | System decision log | Hard dependency | — |
| MOD-049 | Open banking consent management | Hard dependency | — |
| MOD-050 | Disclosure enforcement module | Hard dependency | — |
| MOD-051 | Financial automation rules engine | Hard dependency | — |
| MOD-052 | Role-scoped data access | Hard dependency | — |
| MOD-053 | Case & complaint management module | Hard dependency | — |
| MOD-054 | Call recording & transcript attachment | Hard dependency | — |
| MOD-055 | Onboarding fraud scoring engine | Hard dependency | — |
| MOD-056 | Compliance visibility engine | Hard dependency | — |
| MOD-057 | Statistical returns & survey engine | Hard dependency | — |
| MOD-058 | Regulatory incident & breach notification engine | Hard dependency | — |
| MOD-059 | Credit bureau submission engine | Hard dependency | — |
| MOD-060 | FATCA/CRS/AEOI reporting engine | Hard dependency | — |
| MOD-061 | Open banking API platform | Hard dependency | — |
| MOD-062 | Workflow orchestration engine | Hard dependency | — |
| MOD-063 | Notification orchestration | Hard dependency | — |
| MOD-064 | Operations work queue | Hard dependency | — |
| MOD-065 | Credit servicing & collections | Hard dependency | — |
| MOD-066 | Collateral & security management | Hard dependency | — |
| MOD-067 | Trade finance operations | Hard dependency | — |
| MOD-068 | Authentication & session management | Hard dependency | — |
| MOD-069 | Customer app shell | Hard dependency | — |
| MOD-070 | Transaction history & search | Hard dependency | — |
| MOD-071 | Payment initiation | Hard dependency | — |
| MOD-072 | Customer profile & settings | Hard dependency | — |
| MOD-073 | Document vault | Hard dependency | — |
| MOD-074 | Back-office customer 360 | Hard dependency | — |
| MOD-075 | Internal API gateway | Hard dependency | — |
| MOD-076 | Observability platform | Hard dependency | — |
| MOD-077 | Account dashboard & insight feed | Hard dependency | — |
| MOD-078 | Card & account controls | Hard dependency | — |
| MOD-079 | Snowflake decision publication service | Hard dependency | — |
| MOD-080 | Statutory financial reporting & ERP integration | Hard dependency | — |
| MOD-081 | Payment reconciliation engine | Hard dependency | — |
| MOD-082 | Nostro & FX treasury management | Hard dependency | — |
| MOD-083 | Agent assist & compliance coaching panel | Hard dependency | — |
| MOD-084 | Open banking data access — data recipient | Hard dependency | — |
| MOD-085 | Market rates ingestion & normalisation | Hard dependency | — |
| MOD-086 | Funds transfer pricing engine | Hard dependency | — |
| MOD-087 | Transaction enrichment engine | Hard dependency | — |
| MOD-091 | Receipt processor | Hard dependency | contract/ssm/ |
| MOD-096 | Multi-entity party graph manager | Hard dependency | — |
| MOD-097 | Usage event collector | Hard dependency | — |
| MOD-098 | Cost attribution engine | Hard dependency | — |
| MOD-100 | External asset connector | Hard dependency | — |
| MOD-101 | Wealth intelligence engine | Hard dependency | — |
| MOD-102 | Snowflake account configuration & governance | Hard dependency | — |
| MOD-103 | Neon database platform bootstrap | Hard dependency | — |
| MOD-105 | Product eligibility engine | Hard dependency | — |
| MOD-106 | ROTE engine | Hard dependency | — |
| MOD-107 | Next best product engine | Hard dependency | — |
| MOD-108 | Product offer engine | Hard dependency | — |
| MOD-109 | Product deal engine | Hard dependency | — |
| MOD-110 | Fee engine | Hard dependency | — |
| MOD-111 | Term deposit maturity engine | Hard dependency | — |
| MOD-112 | Amortisation schedule engine | Hard dependency | — |
| MOD-113 | Statement generation | Hard dependency | — |
| MOD-114 | Direct debit mandate management | Hard dependency | — |
| MOD-118 | Member equity and share registry | Hard dependency | — |
| MOD-122 | NZ faster payments and A2A integration | Hard dependency | — |
| MOD-128 | Credit bureau enquiry and CCR integration | Hard dependency | — |
| MOD-130 | Notice account management | Hard dependency | — |
| MOD-132 | Loan restructure and variation workflow | Hard dependency | — |
| MOD-135 | Batch payment and payroll file processing | Hard dependency | — |
| MOD-136 | BPAY biller registration and inbound BPAY | Hard dependency | — |
| MOD-137 | Agency banking adapter | Hard dependency | — |
| MOD-143 | Open Bank Resolution pre-positioning | Hard dependency | — |
| MOD-144 | Confirmation of payee — account name verification | Hard dependency | — |
| MOD-145 | Payment hold & friction engine | Hard dependency | — |
| MOD-146 | Restricted activities enforcement | Hard dependency | — |
| MOD-147 | Related party exposure monitor | Hard dependency | — |
| MOD-148 | Privacy access request (DSAR) workflow | Hard dependency | — |
| MOD-149 | Scam intelligence reporting & reimbursement | Hard dependency | — |
| MOD-150 | Risk management platform | Hard dependency | — |
| MOD-151 | Risk case console | Hard dependency | — |
| MOD-152 | Climate risk assessment | Hard dependency | — |
| MOD-153 | Customer acceptance engine | Hard dependency | — |
| MOD-154 | Correspondent banking risk gate | Hard dependency | — |
| MOD-155 | Target Market Determination (AU DDO) | Hard dependency | — |
| MOD-156 | CI/CD pipeline platform | Hard dependency | — |
| MOD-157 | External provider stub service | Hard dependency | — |
| MOD-161 | Transfer pricing | Hard dependency | — |
| MOD-162 | Loan facility & component manager | Hard dependency | — |
| MOD-163 | Break-cost calculator | Hard dependency | — |
| MOD-164 | Facility component self-service | Hard dependency | — |
| MOD-165 | Synthetic swap book aggregator | Hard dependency | — |
| MOD-166 | Transaction category corrections | Hard dependency | — |
| MOD-168 | Maker-checker enforcement engine | Hard dependency | — |
| MOD-170 | Regulatory Submissions Portal | Hard dependency | — |
| MOD-171 | Risk Intelligence Dashboard | Hard dependency | — |
| MOD-172 | Operations & Model Intelligence Dashboard | Hard dependency | — |
| MOD-173 | Model risk register & inventory | Hard dependency | — |
| MOD-175 | Model change control & re-approval workflow | Hard dependency | — |
| MOD-176 | Snowflake read API service | Hard dependency | — |
Policies satisfied¶
| Policy | Title | Mode | How |
|---|---|---|---|
| GOV-005 | Financial Accountability Regime (FAR) Policy | GATE | All AWS resources are tagged with tenant_id, module_id, and environment at IaC synthesis time — untagged resources are blocked from deployment by SCP and the tagging compliance gate in MOD-097. |
| GOV-006 | Internal Audit Policy | LOG | CloudTrail is enabled across all accounts from bootstrap — every AWS API call is logged from day one, satisfying the operational audit trail requirement. |
| DT-002 | Cybersecurity Policy | GATE | KMS CMKs are provisioned per data classification level; encryption at rest is enforced by S3 bucket policy and Kinesis encryption settings — unencrypted data storage is not permitted. |
Capabilities satisfied¶
(No capabilities mapped)
Part of SD07 — Data Platform & Governance Infrastructure
Compiled 2026-05-22 from source/entities/modules/MOD-104.yaml