AWS BYOC Deployment
This guide describes how the Viven Digital Twin platform is deployed within the customer's own Virtual Private Cloud (VPC) on Amazon AWS. This deployment model is also known as Bring Your Own Cloud (BYOC).
Advantages of this setup:
- Customer data resides within their own cloud and never leaves it
- Application logs are stored within the customer's cloud
- Customer has full control over the deployment
Customers provide a new, blank AWS account where Viven deploys the complete Digital Twin stack. All data, including application logs, is stored in the customer's cloud. A limited amount of diagnostic data is pushed to Viven's deployment command center for monitoring purposes.
For help at any point, reach out to your Viven representative or support@viven.ai.
Overview
| Step | Task |
|---|---|
| Step 1 | Create a dedicated AWS sub-account |
| Step 2 | Share account access details with Viven |
| Step 3 | Set up ACM certificates |
| After setup | Post-infrastructure steps |
Step 1: Create a Sub-Account
Create a new sub-account under your AWS Organization to be used exclusively for the Digital Twin deployment.
- Log in to your AWS Management Account (the parent/organization account)
- Open AWS Organizations in the console
- Select Accounts → Add an AWS Account
- Choose Create an AWS Account (not Invite) and configure:
  - Account Name: DigitalTwin-Prod (or your naming convention)
  - Email: A distribution or admin email you control (e.g. aws-admin@yourdomain.com)
- Complete creation and wait for the account to appear in your accounts list
No billing or charges will occur at this stage. Services will only be activated later during Viven's deployment.
Step 2: Share Access Details with Viven
Once the account is created, provide your Viven representative with the following information:
| Detail | Example |
|---|---|
| Preferred domain and company name | acmeinc.com, Acme Inc |
| AWS Account ID (12 digits) | 123456789012 |
| AWS Region | us-west-2 |
| IAM user with admin access | prod-dt |
| ARN of the IAM role | arn:aws:iam::123456789012:role/dt-admin-access-role |
With this information, Viven can begin infrastructure deployment and typically completes it within a few business days.
Create the prod-dt IAM User
- Go to IAM → Users → Create user
- Enter the username prod-dt and click Next
- Under Permissions options, select Attach policies directly, then select AdministratorAccess and click Next
- Click Create User
Create the dt-admin-access-role IAM Role
Run the CloudFormation template provided by Viven. This role will be used by Viven engineers to provision the Digital Twin stack in your account, and thereafter only by Viven's on-call team to resolve critical issues.
Step 3: Set Up ACM Certificates
Two ACM certificates are required:
- One in your deployment region (for the Application Load Balancer)
- One in us-east-1 (for CloudFront distributions)
For each certificate, set the fully qualified domain name to *.<your_domain>.
Once created, share both certificate ARNs and your domain name with your Viven representative.
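Before sending the Step 2 details and the two certificate ARNs, it helps to confirm they all point at the dedicated sub-account and the right regions. The following pre-flight check is an added example, not part of Viven's tooling; the function names are hypothetical and the certificate IDs are constructed sample values.

```python
import re

CLOUDFRONT_REGION = "us-east-1"  # from the guide: region of the CloudFront certificate

def parse_arn(arn):
    """Split an ARN into its six colon-separated fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))

def check_handoff(account_id, region, role_arn, cert_arns):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if not re.fullmatch(r"\d{12}", account_id):
        problems.append("account ID must be exactly 12 digits")
    try:
        role = parse_arn(role_arn)
        if role["service"] != "iam" or not role["resource"].startswith("role/"):
            problems.append("role ARN is not an IAM role")
        if role["account"] != account_id:
            problems.append("role ARN belongs to a different account")
    except ValueError as exc:
        problems.append(str(exc))
    cert_regions = []
    for arn in cert_arns:
        try:
            cert = parse_arn(arn)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if cert["service"] != "acm" or not cert["resource"].startswith("certificate/"):
            problems.append(f"not an ACM certificate ARN: {arn}")
            continue
        if cert["account"] != account_id:
            problems.append(f"certificate in a different account: {arn}")
        cert_regions.append(cert["region"])
    # One certificate must sit in the deployment region, one in us-east-1.
    for needed, purpose in ((region, "load balancer"), (CLOUDFRONT_REGION, "CloudFront")):
        if needed not in cert_regions:
            problems.append(f"no certificate in {needed} for {purpose}")
    return problems

if __name__ == "__main__":
    # Constructed input: example account and role from the Step 2 table, one certificate only.
    print(check_handoff(
        "123456789012", "us-west-2",
        "arn:aws:iam::123456789012:role/dt-admin-access-role",
        ["arn:aws:acm:us-west-2:123456789012:certificate/11111111-aaaa-bbbb-cccc-000000000001"],
    ))
```

A role or certificate ARN carrying the management account's ID instead of the sub-account's is the mismatch most worth catching here, since the deployment is meant to stay inside the dedicated account.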
Steps After Infrastructure Setup
Once your Digital Twin infrastructure is live, your Viven representative will follow up on:
- Connector setup — Connect Digital Twin to your enterprise data sources (Google Workspace, Microsoft 365, Salesforce/Slack, Atlassian, and more)
- SSO setup — Provide your Identity Provider (IdP) configuration: entity ID, SSO URL endpoints, and X.509 certificates
- LLM setup — Digital Twin uses OpenAI models. OpenAI does not train on inputs or outputs from business customers
- User limiting — Access is best restricted via SSO. The Admin Console also allows admins to limit users directly
Appendix
AWS Services
| AWS Service | Purpose |
|---|---|
| Amazon CloudFront | Securely distributes the application with low latency |
| AWS Elastic Kubernetes Service (EKS) | Hosts the web application and processor workers |
| Amazon EC2 | Compute instances and Airflow |
| Amazon Redshift | Stores application and access logs |
| Amazon RDS (Aurora) | Stores user information and application configuration |
| Amazon Route 53 | Manages domain records |
| Elastic Load Balancing | Balances traffic across EC2 instances |
| Amazon ElastiCache | Caches results of expensive I/O calls and computations |
| Amazon DynamoDB | Primary datastore for processed data |
| Amazon ECR | Stores container images for deployment |
| Amazon S3 | Stores raw ingested documents, builds, and artifacts |
| AWS IAM | Creates and manages roles used by the platform |
| AWS KMS | Creates and manages encryption keys |
| Amazon SES | Sends emails from the application |
| Amazon SQS | Queues tasks for background workers |
| Amazon SNS | Pub/sub notifications to multiple consumers |
| Amazon Kinesis | Streams application logs to Redshift |
| AWS Secrets Manager | Stores application secrets (API tokens, etc.) |
| Amazon CloudWatch | Collects metrics and logs for monitoring |
| Amazon OpenSearch Service | Indexes documents and supports lexical and vector search |
| PostgreSQL (RDS) | Stores Airflow logs |
Document Ingestion Architecture
1. Scheduled Orchestration
An Airflow DAG runs on a periodic basis and queues an ingestion job for the EKS Worker cluster for each connected source system (Gmail, Calendar, Google Drive, etc.).
2. EKS Worker Cluster Processing
| Stage | Description |
|---|---|
| Document Ingest | Worker calls external source systems via Connectors and pulls documents; raw files are stored in S3 |
| Document Store | Document metadata is stored in DynamoDB |
| Document Process | Documents are enriched via the LLM service; enriched data is stored in DynamoDB |
| Document Index | Documents and their embeddings are indexed in Amazon OpenSearch for search and retrieval |
Application Logs and Configuration Access
Application logs are stored in Redshift and application configuration is stored in RDS — both within the customer's account. Viven's tooling provides easy interfaces for accessing this data when troubleshooting issues or enabling new features. A dedicated user login is provisioned in the deployed application for this purpose.