Security & Architecture

Built to Stay in Your Environment: Enterprise-Grade Security with Zero Data Exfiltration

Teev is deployed 100% inside your AWS accounts. This architecture is designed for regulated industries that demand absolute control, auditability, and compliance without compromise.

Zero Exfiltration Guarantee

Teev is deployed fully within your AWS account—no data, logs, or metadata ever leave your environment.

All analysis, performance metrics, and compliance artifacts are written directly to your S3 buckets and DynamoDB tables. You maintain full control over access using your existing IAM roles. You decide who can access what, and you can instantly inspect the architecture or tear it down at any time.

The Only Exception: License Validation

To verify your active subscription, Teev makes a single outbound API call containing only:

  • Your unique license key
  • AWS region identifier
  • Deployment timestamp

No usage metrics, telemetry data, or customer information are transmitted. This minimal validation call ensures subscription compliance while preserving our zero-exfiltration architecture.

If your security policy prohibits outbound calls, contact us at enterprise@teev.ai to discuss air-gapped licensing options for regulated environments.

AWS-Native by Design

Teev is built on AWS, not just for AWS. We are not a multi-tenant SaaS proxy; we are an AWS-native application running inside your security perimeter.

We integrate directly with native services, ensuring Teev runs within the same trust boundaries as your Bedrock workloads:

  • Amazon Bedrock: Accesses agent and Knowledge Base metadata via read-only IAM policies
  • CloudWatch Logs: Ingests invocation, error, and performance metrics
  • AWS Cost & Usage Reports (CUR): Reads billing data for cost attribution
  • CloudFormation / SAR: Provides a repeatable, auditable deployment process
  • AWS Organizations: Enables streamlined multi-account rollouts with StackSets

This approach means the solution automatically inherits your existing encryption (KMS), logging (CloudTrail), and network isolation (VPC) configurations.

What This Means for Your Security Posture

  • Data residency: All processing occurs in your chosen AWS region(s)—no cross-border data transfers
  • Inherited compliance: If your AWS environment is SOC 2, ISO 27001, or HIPAA compliant, Teev operates within that same boundary
  • No new attack surface: Teev doesn't introduce external endpoints, third-party APIs, or egress dependencies beyond AWS services you already trust

Inspectable & Versioned Infrastructure (IaC)

Every deployment is delivered through the AWS Serverless Application Repository (SAR) as pure CloudFormation. This means:

Transparency

You can inspect and audit the entire infrastructure code before deployment. The SAM template defines every Lambda function, IAM role, DynamoDB table, and EventBridge rule—nothing is hidden.

Control

You can manage the configuration using your existing CI/CD and IaC workflows (Terraform, AWS CDK, or native CloudFormation). You can also:

  • Pin to specific versions for stability
  • Test updates in non-production accounts first
  • Roll back to previous versions if needed

No Opaque Access

There is no external control plane, no opaque installer, and no need to grant Teev any elevated privileges. You own the deployment.

Updates are published as new SAR versions that you choose exactly when to adopt, giving you complete versioning control.

Example: When we release v2.1.0 with new forecasting models, you see the full changelog and CloudFormation diff before updating. You control the rollout timeline—not us.

Security by Design: Isolation & Least Privilege

Our architecture strictly adheres to the principle of least privilege across all components (Lambda, EventBridge, IAM Roles).

Read-Only Data Access

Logging and reporting roles are strictly read-only to ensure telemetry data cannot be mutated or exfiltrated. IAM policies follow AWS best practices:

{
  "Effect": "Allow",
  "Action": [
    "logs:DescribeLogGroups",
    "logs:FilterLogEvents",
    "bedrock:GetAgent",
    "bedrock:GetKnowledgeBase"
  ],
  "Resource": "*"
}

No bedrock:InvokeAgent, bedrock:DeleteAgent, or any mutating actions are ever requested.

No Long-Lived Credentials

Each Lambda function runs in an isolated, serverless environment with ephemeral IAM role credentials that expire after execution. There are no API keys, access tokens, or long-lived credentials to leak or rotate.

Confused-Deputy Protection

Cross-account access (if deploying in a hub-and-spoke model) is secured using a mandatory ExternalId to protect against the confused-deputy attack vector. This ensures that only your authorized deployments can assume cross-account roles.

Example IAM trust policy:

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::YOUR-ACCOUNT:role/TeevCollectorRole"
  },
  "Action": "sts:AssumeRole",
  "Condition": {
    "StringEquals": {
      "sts:ExternalId": "your-unique-external-id"
    }
  }
}
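Both policy documents above can be checked mechanically before a stack is approved. The following Python is an added example, not Teev's code: it takes the read-only statement and the trust policy from this page (wrapped in complete policy documents so they parse on their own) and flags any allowed action that is wildcarded or not read-only, and any AWS principal that may assume the role without a StringEquals sts:ExternalId condition. The list of read-only verb prefixes is an assumption of this example.

```python
import json

# Verbs treated as read-only API calls; anything else counts as mutating (assumption).
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Filter")

# Constructed samples: the page's read-only statement and trust policy, wrapped
# in complete policy documents so they parse on their own.
READ_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:DescribeLogGroups", "logs:FilterLogEvents",
               "bedrock:GetAgent", "bedrock:GetKnowledgeBase"],
    "Resource": "*"}]})
TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::YOUR-ACCOUNT:role/TeevCollectorRole"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "your-unique-external-id"}}}]})


def _as_list(value):
    """IAM fields may hold a string, an object or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def mutating_actions(policy_json):
    """Return every allowed action that is wildcarded or whose verb is not read-only."""
    found = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            verb = action.split(":", 1)[-1]  # "bedrock:GetAgent" -> "GetAgent"
            if "*" in action or not verb.startswith(READ_ONLY_PREFIXES):
                found.append(action)
    return found


def unguarded_assume_role_principals(trust_json):
    """Return AWS principals allowed to AssumeRole with no StringEquals sts:ExternalId."""
    unguarded = []
    for stmt in _as_list(json.loads(trust_json)["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:  # service principals (no "AWS" key) are not flagged
            unguarded.extend(_as_list(aws))
    return unguarded
```

Run the two functions over the IAM documents in the SAM template as a CI gate; an empty result from each is the expected state for a read-only, ExternalId-protected deployment.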

Full Auditability

All interactions between your Bedrock workloads and Teev's analytics stack are explicitly auditable in your CloudTrail logs. Every API call, IAM assumption, and data access is logged with full context (timestamp, principal, resource ARN).

You can create CloudWatch alarms or AWS Config rules to monitor Teev's behavior in real time.

Network Isolation & Data Encryption

VPC Deployment (Optional)

For customers with strict network segmentation requirements, Teev can be deployed entirely within a VPC with:

  • Private subnets (no internet gateway)
  • VPC endpoints for AWS service access (S3, DynamoDB, Bedrock)
  • Network ACLs and security groups restricting traffic

This ensures zero internet egress except for the optional license validation call (which can be routed through a VPC endpoint or proxy).

Encryption at Rest

All data written by Teev is encrypted at rest using:

  • DynamoDB: AWS-managed or customer-managed KMS keys (you choose)
  • S3: AES-256 encryption with optional SSE-KMS for enhanced key control
  • CloudWatch Logs: Encrypted using AWS-managed keys or your own KMS keys

Encryption in Transit

All data in transit uses TLS 1.3 (or TLS 1.2 minimum):

  • Lambda-to-DynamoDB: AWS PrivateLink
  • Lambda-to-S3: AWS PrivateLink
  • Web console access: CloudFront with custom SSL/TLS certificates

Automated Evidence for Compliance

Teev's architecture maps cleanly to modern AI governance and enterprise frameworks:

  • ISO/IEC 42001 (AI management system controls)
  • EU AI Act readiness for transparency and governance evidence
  • AWS Well-Architected Framework security pillars
  • NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover)
  • CIS AWS Foundations Benchmark

Audit logs, configuration baselines, and report artifacts are generated automatically and remain in your environment—ensuring you have the evidence you need, when you need it, for zero-friction compliance.

What This Looks Like in Practice

Auditor asks: "Show me all Bedrock Agent invocations in Q4 2025 and associated costs."

You provide: Direct access to your DynamoDB table or S3 export—no waiting on Teev support.

Auditor asks: "Prove that no data left your AWS account."

You provide: VPC Flow Logs showing zero external egress + CloudTrail showing all IAM activity scoped to your account.

Auditor asks: "How do you ensure least-privilege access?"

You provide: The CloudFormation template showing exact IAM policies—fully inspectable and versioned.
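Answering the second auditor question means reading VPC Flow Logs for accepted flows that originate inside the VPC and leave it. The Python below is an added example, not part of this page: it parses default-format flow log records (the sample lines are constructed) against your VPC CIDR and an allowlist for the license validation endpoint, whose address here is a placeholder.

```python
import ipaddress

# Default VPC Flow Log record format (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: intra-VPC flow, flow to the (placeholder) license
# validation endpoint, an unexpected accepted public flow, and a rejected one.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 49152 443 6 12 4096 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.7 49153 443 6 8 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.9 49154 443 6 3 512 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.9 49155 80 6 1 60 1700000000 1700000060 REJECT OK
"""


def external_egress(log_text, vpc_cidrs, allowlist=()):
    """Return (dstaddr, dstport, bytes) for ACCEPTed flows that leave the VPC
    and whose destination is not covered by the allowlist networks."""
    vpc = [ipaddress.ip_network(c) for c in vpc_cidrs]
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] == "version":
            continue  # header line or truncated record
        rec = dict(zip(FIELDS, parts))
        if rec["action"] != "ACCEPT" or rec["dstaddr"] == "-":
            continue  # rejected, or NODATA/SKIPDATA record without addresses
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if not any(src in n for n in vpc) or any(dst in n for n in vpc):
            continue  # inbound or intra-VPC traffic is not egress
        if any(dst in n for n in allowed):
            continue  # e.g. the license validation endpoint
        findings.append((rec["dstaddr"], int(rec["dstport"]), int(rec["bytes"])))
    return findings
```

Traffic through S3 or DynamoDB gateway endpoints still shows the service's public address ranges as destinations, so either allowlist those ranges or use interface endpoints (PrivateLink), which have private VPC addresses.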

Proven Reliability & Resilience

The system is fully serverless and self-healing, leveraging only core AWS-native primitives for durability and orchestration:

  • Compute: AWS Lambda (auto-scaling, no servers to patch)
  • Orchestration: Amazon EventBridge (event-driven, decoupled)
  • Durable Storage: Amazon S3 (11 nines durability) + DynamoDB (multi-AZ replication)

What This Means for Uptime

  • No servers to patch: AWS manages Lambda runtime updates
  • No containers to maintain: No Docker images, no registry, no CVE scanning overhead
  • No external dependencies: Teev doesn't rely on third-party SaaS APIs, reducing failure modes
  • Predictable cost: Serverless = pay only for what you use, no idle infrastructure costs

Disaster Recovery

Because Teev is deployed via CloudFormation, disaster recovery is built-in:

  • RPO (Recovery Point Objective): Near-zero—all data is in S3/DynamoDB with continuous replication
  • RTO (Recovery Time Objective): < 30 minutes—redeploy the CloudFormation stack in another region
  • Cross-region replication: Enable S3 Cross-Region Replication (CRR) and DynamoDB Global Tables for automated failover

Multi-Account & Multi-Region Support

Teev supports enterprise-grade multi-account architectures:

Hub-and-Spoke Model

Deploy a central analytics account that aggregates data from multiple workload accounts using cross-account IAM roles with ExternalId protection.

Benefits:

  • Centralized reporting across business units or teams
  • Segregated billing and cost attribution
  • Simplified audit and compliance reporting

Region Isolation

Deploy Teev independently in each AWS region where you run Bedrock workloads. Regional deployments ensure:

  • Data never crosses region boundaries (critical for GDPR, data residency laws)
  • Reduced latency for telemetry ingestion
  • Compliance with regional sovereignty requirements

Incident Response & Forensics

In the event of a security incident, Teev's architecture supports rapid investigation:

  • CloudTrail logs: Full API activity history with userIdentity, eventTime, and sourceIPAddress
  • VPC Flow Logs: Network traffic analysis (if deployed in VPC)
  • Lambda execution logs: CloudWatch Logs capture every function invocation with input/output context
  • Immutable audit trail: S3 Object Lock or Glacier Vault Lock ensures logs cannot be tampered with

You can integrate Teev's logs with your existing SIEM (Splunk, Sumo Logic, AWS Security Hub) for centralized monitoring.

Decommissioning & Data Deletion

When you're ready to remove Teev:

  • Delete the CloudFormation stack via the AWS Console or CLI
  • Optionally retain or delete S3 buckets and DynamoDB tables (you control the retention policy)
  • Revoke IAM roles to ensure no residual permissions remain

Zero vendor lock-in. Your data remains in standard AWS formats (JSON, Parquet, CSV) that you can query independently without Teev.

Questions About Security?

If you're evaluating Teev as part of a security review or vendor risk assessment, we're here to help. Contact us at security@teev.ai or schedule a call with our team to discuss your specific requirements.

We can provide:

  • Architecture diagrams and data flow charts
  • Sample IAM policies and CloudFormation templates
  • Third-party penetration test reports (under NDA)
  • Responses to security questionnaires (CAIQ, SIG, VSAQ)