Important: This Guidance requires the use of AWS CodeCommit, which is no longer available to new customers. Existing customers of AWS CodeCommit can continue using and deploying this Guidance as normal.
This Guidance helps to provide transparency and traceability of the supply chain network for a product. The architecture allows vendors and stakeholders to easily upload the supply chain certificates as well as ingest relevant data from systems such as enterprise resource planning (ERP), product lifecycle management (PLM), SharePoint. It then extracts, processes, cross-checks, and validates these documents in an automated, serverless AWS workflow. This Guidance includes both an overview architecture and a detailed architecture with sample code.
Architecture Diagram
-
Overview
-
Detailed Architecture
-
Overview
-
Please note: This is an overview architecture showing an end-to-end process flow to provide transparency and traceability of the supply chain network for a product.
Click to enlarge
Step 1
External data sources are ingested for extraction validation.Step 2
Suppliers upload certificates through a secure web application.Step 3
The certificate upload triggers an extraction Step Function, and certificates are eventually archived.
Step 4
Data is extracted from the certificate.
Step 5
Extracted addresses are mapped to GPS coordinates.
Step 6
Extracted data is matched with and cross-checked against third-party data.
Step 7
Relevant parties consume data.Step 1
External data sources are ingested for extraction validation.Step 2
Suppliers upload certificates through a secure web application.Step 3
The certificate upload triggers an extraction Step Function, and certificates are eventually archived.
Step 4
Data is extracted from the certificate.
Step 5
Extracted addresses are mapped to GPS coordinates.
Step 6
Extracted data is matched with and cross-checked against third-party data.
Step 7
Relevant parties consume data. -
Detailed Architecture
-
Please note: This is a detailed architecture showing an end-to-end process flow to provide transparency and traceability of the supply chain network for a product.
Click to enlarge
Step 1
AWS Glue ingests, cleans, and processes third-party data, such as shipping and invoice information.Step 2
Users upload supply chain certificates through a serverless portal powered by Amazon Route 53, Amazon Cognito, Amazon CloudFront, and Amazon Simple Storage Service (Amazon S3).Step 3
Lifecycle rules automatically move certificates from Amazon S3 to Amazon S3 Glacier.
Step 4
Amazon EventBridge initiates a data extraction process, orchestrated by AWS Step Functions. Amazon Textract facilitates the extraction of key information, such as expiration date and certificate number, using plain language queries and built-in optical character recognition (OCR) functionalities.
Step 5
Amazon Location Service maps extracted supplier addresses to GPS coordinates, allowing for location visualization.
Step 6
Data extracted from the supply chain certificates is optionally matched with and crosschecked against third-party data. This data can be used as a form of extraction validation or certificate validity checking.
Step 7
You can access final data through Amazon Athena or Amazon Redshift and visualize it in Amazon QuickSight or in a third-party app of choice.Step 8
Amazon CloudWatch and AWS CloudTrail monitor all services. AWS Key Management Service (AWS KMS) stores and manages encryption keys.Step 1
AWS Glue ingests, cleans, and processes third-party data, such as shipping and invoice information.Step 2
Users upload supply chain certificates through a serverless portal powered by Amazon Route 53, Amazon Cognito, Amazon CloudFront, and Amazon Simple Storage Service (Amazon S3).Step 3
Lifecycle rules automatically move certificates from Amazon S3 to Amazon S3 Glacier.
Step 4
Amazon EventBridge initiates a data extraction process, orchestrated by AWS Step Functions. Amazon Textract facilitates the extraction of key information, such as expiration date and certificate number, using plain language queries and built-in optical character recognition (OCR) functionalities.
Step 5
Amazon Location Service maps extracted supplier addresses to GPS coordinates, allowing for location visualization.
Step 6
Data extracted from the supply chain certificates is optionally matched with and crosschecked against third-party data. This data can be used as a form of extraction validation or certificate validity checking.
Step 7
You can access final data through Amazon Athena or Amazon Redshift and visualize it in Amazon QuickSight or in a third-party app of choice.Step 8
Amazon CloudWatch and AWS CloudTrail monitor all services. AWS Key Management Service (AWS KMS) stores and manages encryption keys.
Well-Architected Pillars
The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.
The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.
-
Operational ExcellenceRead the Operational Excellence whitepaper
This Guidance is deployed using AWS Cloud Development Kit (AWS CDK). Changes to the main branch of the AWS CodeCommit repository are automatically propagated to the Guidance infrastructure through AWS CodePipeline.
-
SecurityRead the Security whitepaper
This Guidance uses AWS WAF, Amazon Cognito, and AWS Certificate Manager (ACM) to secure access to its hosted upload portal, restricting access to services and protecting them from attacks. All data is encrypted at rest using AWS KMS keys.
-
ReliabilityRead the Reliability whitepaper
The load balancer will ensure the health of the hosted upload portal alongside built-in autoscaling for services. It is critical that the extraction be done within a Step Function that includes a retry mechanism. Otherwise, you may encounter a bottleneck in Amazon Textract due to account-level concurrency limits that can only be increased by contacting AWS support. It is possible for the extraction Lambda function to fail if too many certificates are uploaded at once. As such, the Step Function should include a fail-retry check to address failures that occur as result of Textract throttling.
-
Performance EfficiencyRead the Performance Efficiency whitepaper
We selected the services in this Guidance to create a serverless architecture. The Guidance uses automation to minimize infrastructure management and user intervention. The architecture is also decoupled so that different functions can run independently from one another.
-
Cost OptimizationRead the Cost Optimization whitepaper
All data is stored in Amazon S3, with lifecycle policies that automatically archive old certificates. This allows for cost optimization while still adhering to data retention regulations.
-
SustainabilityRead the Sustainability whitepaper
All components of this Guidance are serverless and scale automatically. This approach ensures minimal energy consumption while maintaining high availability.
Implementation Resources
The sample code is a starting point. It is industry validated, prescriptive but not definitive, and a peek under the hood to help you begin.
Related Content
[Title]
Disclaimer
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.
References to third-party services or organizations in this Guidance do not imply an endorsement, sponsorship, or affiliation between Amazon or AWS and the third party. Guidance from AWS is a technical starting point, and you can customize your integration with third-party services when you deploy the architecture.