AWS Architecture & 12-Month Investment Plan

Production-grade infrastructure for the SafeGuard Predictive Risk Intelligence Platform - sized to absorb $100K AWS Activate credit and graduate to a $50-90K/yr run rate.

12-Month Spend Plan (Optimised for $100K AWS Activate Credit)

Credit Allocation

$100,000

Total Year-1 Burn

$102,000

Year-2 Steady-State

$4,500-7,000/mo

Year-3+ Growth Path

$10K-25K/mo

AWS Activate Strategy: The $100K credit is a 12-month runway to establish production load patterns and commitment to AWS. The goal is to hit $5-7K/mo steady-state by month 12, then convert to standard EDP/PAYG. Credits cover compute, ML inference, data transfer, and 1 year of Business Support.

12-Month Spend Trajectory

MONTH 1-2

$2-3K/mo

Migration: stand up multi-AZ VPC, CI/CD, RDS Aurora, Bedrock PoCs. Lean on Free Tier.

MONTH 3-4

$5-7K/mo

First paying customers. Enable Multi-AZ RDS, ElastiCache cluster, CloudFront, WAF, Bedrock production traffic.

MONTH 5-6

$8-10K/mo

Add SageMaker for custom risk models, MSK or Kinesis for high-volume telemetry, Kinesis Data Firehose to S3.

MONTH 7-9

$10-13K/mo

Multi-region DR (eu-west-2 + eu-west-1). Add Bedrock provisioned throughput for predictable latency. SageMaker endpoints with auto-scaling.

MONTH 10-12

$10-12K/mo

Lock in 1-year Savings Plans (40% off) and Convertible RIs (30% off) for known baseline. Credits nearly exhausted.

1. Compute (EC2 / ECS / Lambda / EKS)

Service	Configuration	Monthly Cost	Purpose
Compute EC2 m6i.xlarge	4 vCPU, 16GB RAM - FastAPI backend (Multi-AZ x2)	~$280	Production API tier with N+1 redundancy
Compute EC2 m6i.large	2 vCPU, 8GB RAM - Temporal + Camunda workers x3	~$240	Workflow engine fleet
Compute EC2 c6i.2xlarge	8 vCPU, 16GB RAM - ML inference fleet	~$280	Bedrock batching, custom model serving
Compute ECS Fargate	50 vCPU, 100GB - autoscaling async workers	~$450	Webhook delivery, telemetry polling, batch jobs
Compute EKS	1 control plane + 3 m5.large nodes	~$320	Container orchestration for microservices growth path
Compute Lambda	50M requests/mo, 400K GB-seconds	~$200	Event glue, API Gateway backend, Step Functions triggers
Compute 1-Year Savings Plans	$1,200/mo commitment, ~40% off on-demand	-$480 effective	Lock in baseline compute from month 6

2. Database (RDS / Aurora / ElastiCache / DynamoDB)

Service	Configuration	Monthly Cost	Purpose
Database Aurora PostgreSQL Serverless v2	2-16 ACU, Multi-AZ, 200GB	~$750	Primary OLTP - assets, alerts, users, audit log (replaces self-hosted TimescaleDB/pgvector)
Database RDS Read Replica (Cross-AZ)	db.r6g.large for analytics queries	~$210	Offload reporting queries from primary
Database ElastiCache Redis (cluster mode)	3x cache.r6g.large, Multi-AZ	~$480	Session, pub/sub, rate limiting, feature store cache
Database DynamoDB	On-demand, 500GB, 100K WCU/RCU peak	~$400	Real-time state, hot IoT metadata, websocket session map
Database Neptune (Graph DB)	db.r6g.large, Multi-AZ, 100GB	~$380	Replaces Apache AGE for risk correlation graphs
Database Timestream (time-series)	1B writes, 10B queries/mo, 500GB memory store	~$350	Raw IoT telemetry (replaces TimescaleDB hypertable)

3. Storage (S3 / EBS / FSx / Glacier)

Service	Configuration	Monthly Cost	Purpose
Storage S3 Standard	2TB active, 50M requests	~$80	Reports, evidence, alert media, ML training data (replaces MinIO)
Storage S3 Intelligent-Tiering	5TB with auto-classification	~$130	Long-term logs, model artefacts, backups
Storage S3 Glacier Instant Retrieval	10TB compliance archive	~$50	7+ year insurance evidence retention (regulatory)
Storage S3 Glacier Deep Archive	20TB cold storage	~$12	10+ year audit trail, regulatory archive
Storage EBS gp3 (EC2 volumes)	2TB aggregated across fleet	~$160	Boot volumes, hot scratch space, log buffers
Storage EBS io2 Block Express	500GB for Aurora temporary tables	~$130	High-IOPS workloads, batch analytics
Storage FSx for Lustre	1.2TB, 100 MB/s/TiB throughput	~$180	High-speed scratch for ML training jobs
Storage AWS Backup	10TB warm backup across RDS, EBS, S3	~$200	Cross-region DR, 35-day retention, point-in-time recovery

4. Networking & Content Delivery

Service	Configuration	Monthly Cost	Purpose
Network Route 53	5 hosted zones, 100M queries	~$50	DNS, health checks, failover routing (replaces self-hosted)
Network CloudFront	10TB egress, 500M HTTP/HTTPS requests	~$950	Global CDN for frontend, API edge caching, static assets
Network Application Load Balancer	2 ALBs (web + API) + LCU	~$80	SSL termination, path routing, WAF integration (replaces Traefik)
Network Network Load Balancer	2 NLBs for WebSocket + IoT MQTT	~$70	TCP/L4 load balancing for long-lived connections
Network API Gateway	200M API calls, 500M connection-minutes	~$250	Public REST API entrypoint, throttling, API keys
Network NAT Gateway	3 NAT GWs across 3 AZs + processing	~$140	Egress for private subnets (compute, workers)
Network VPC Endpoints (Gateway + Interface)	S3, DynamoDB, Secrets Manager, ECR, Bedrock	~$110	Private connectivity, reduce NAT costs
Network Transit Gateway	Multi-region peering for DR	~$80	Hub for VPC-to-VPC and on-prem connectivity
Network Direct Connect (hosted)	1Gbps port, 50% utilisation	~$220	Dedicated link for insurance partner integrations
Network Data Transfer (Internet Out)	5TB/mo to customers/partners	~$450	API responses, report downloads, evidence exports

5. AI/ML (Bedrock / SageMaker / Comprehend / Rekognition)

Service	Configuration	Monthly Cost	Purpose
ML Bedrock - Claude Sonnet 4.5	5M input + 2M output tokens/mo (production reasoning)	~$200	Risk analysis, evidence synthesis, report generation
ML Bedrock - Claude Haiku 4.5	20M input + 10M output tokens/mo (high-volume)	~$120	Alert categorisation, claim summarisation, notifications
ML Bedrock - Nova Pro / Llama 3 70B	10M tokens/mo (open-weight workloads)	~$80	Bulk scoring, embeddings, classification
ML Bedrock Provisioned Throughput	1 model unit (Claude Sonnet 4.5), 1-month commitment	~$1,950	Guaranteed latency for customer-facing risk analysis (months 6-12)
ML Bedrock Custom Model Import	2 fine-tuned models, inference only	~$400	Industry-specific risk models (commercial property, fleet)
ML Titan Embeddings v2	50M tokens/mo (RAG + semantic search)	~$50	Vector embeddings (replaces self-hosted sentence-transformers)
ML SageMaker Real-Time Endpoints	3x ml.m5.xlarge with auto-scaling	~$1,200	Custom claims classifier, anomaly detector, risk scoring ensemble
ML SageMaker Batch Transform	ml.m5.4xlarge, 200 hours/mo	~$600	Nightly portfolio risk recompute, model scoring at scale
ML SageMaker Training	ml.p3.2xlarge GPU, 100 hours/mo	~$1,300	Weekly model retraining with new data
ML SageMaker Pipelines + Experiments	MLOps orchestration	~$150	Model versioning, A/B testing, drift monitoring
ML Comprehend Medical	5M characters/mo (claims & incident text)	~$250	Extract medical/injury entities from claim descriptions
ML Rekognition (Image)	2M images/mo (property damage assessment)	~$200	Visual damage triage from incident photos
ML Forecast (time-series)	10M predictions/mo (telemetry forecasting)	~$90	Sensor drift & anomaly prediction

ML is the big-ticket item - by design. SafeGuard's value prop is AI-driven risk intelligence. Customers expect Claude-grade analysis. Bedrock Provisioned Throughput + SageMaker endpoints are not negotiable for a "predictive" platform - $1-2K/mo of ML is the cost of being taken seriously.

6. IoT & Telemetry (IoT Core / SiteWise / Kinesis)

Service	Configuration	Monthly Cost	Purpose
IoT AWS IoT Core	1B messages, 500K devices registered	~$800	MQTT broker, device shadows, registry (replaces EMQX)
IoT IoT Device Defender	Continuous audit on 500K devices	~$150	Security monitoring, anomaly detection, compliance
IoT IoT Analytics	Pipeline running 24/7, 100GB processed/day	~$300	Time-series SQL queries on raw sensor data
IoT IoT SiteWise	100K assets monitored, 10M datapoints/day	~$500	Industrial asset modelling, asset hierarchy, KPI computation
IoT IoT Events	50M detector events/mo	~$100	Stateful event detection, complex pattern matching

7. Security, Identity & Compliance

Service	Configuration	Monthly Cost	Purpose
Security Secrets Manager	100 secrets, 5M API calls	~$60	DB creds, API keys, JWT signing, encryption keys
Security WAF (Web Application Firewall)	1 Web ACL, 20M requests, 30 managed rules	~$130	OWASP top-10, bot mitigation, rate limiting
Security GuardDuty	Full account + S3 + EKS protection	~$450	Continuous threat detection across all services
Security Security Hub	Standard tier, all findings aggregated	~$50	Centralised security posture, compliance dashboards
Security Inspector (Vulnerability Scanning)	Continuous ECR + EC2 scanning	~$80	CVE detection in container images & VMs
Security Macie (Data Privacy)	1TB S3 scanned/mo for PII	~$100	GDPR/SOX compliance for customer data in S3
Security Certificate Manager (ACM)	Public + private certs	$0	TLS for ALB, CloudFront, API Gateway (replaces Let's Encrypt)
Security KMS (Key Management)	100 CMKs, 50K API calls	~$30	Encryption-at-rest for RDS, S3, EBS, Secrets Manager
Security Cognito	100K MAU, advanced security features	~$275	End-user identity (replaces self-hosted Keycloak for B2C portal)
Security IAM Identity Center (SSO)	50 engineering users	~$25	AWS console SSO, cross-account access for prod/staging

8. Monitoring, Logging & Observability

Service	Configuration	Monthly Cost	Purpose
Monitor CloudWatch (Logs + Metrics)	500GB logs, 100K custom metrics, 50 dashboards	~$800	Logs, metrics, alarms, dashboards (replaces Prometheus + Grafana)
Monitor CloudWatch Logs Insights Queries	20TB scanned/mo for ad-hoc analysis	~$200	Application debugging, security investigations
Monitor CloudWatch Anomaly Detection	200 metrics with ML-based alerting	~$100	Auto-baselined SLO monitoring, capacity planning
Monitor AWS X-Ray	50M traces, full app instrumentation	~$250	Distributed tracing, latency analysis, dependency maps
Monitor Managed Grafana	5 editors, 50 viewers, 50 dashboards	~$180	Customer-facing observability, exec dashboards
Monitor Managed Prometheus	10M samples/sec ingestion, 100K active series	~$650	EKS/microservice metrics, PromQL compatibility
Monitor CloudWatch RUM + Synthetics	10M events, 50 canary runs/mo	~$150	Frontend performance, synthetic uptime checks
Monitor SNS (Alerting)	10M publishes, SMS + email + PagerDuty	~$80	On-call paging, SLO breach notifications
Monitor DevOps Guru	Full application + infrastructure analysis	~$300	ML-powered anomaly detection, root cause suggestions

9. Event Streaming & Messaging

Service	Configuration	Monthly Cost	Purpose
Network Kinesis Data Streams	50 shards, 1TB/hr ingestion	~$1,100	Real-time alert + telemetry pipeline (replaces Redpanda)
Network Kinesis Data Firehose	10TB delivered to S3 + Splunk	~$290	Durable streaming to data lake + analytics
Network MSK (Kafka)	3x kafka.m5.large brokers, Multi-AZ	~$950	Kafka-compatible stream for partner integrations
Network SQS	500M requests/mo	~$200	Webhook delivery, background jobs, fan-out
Network SNS	100M publishes/mo	~$50	Pub/sub for fan-out, SMS/email alerts to end users
Network EventBridge	500M events/mo, 50 event buses	~$225	Service decoupling, scheduled jobs, SaaS integrations
Network Step Functions	10M state transitions/mo (replaces Camunda)	~$250	Visual workflow orchestration for claim processes

10. Analytics, Search & Business Intelligence

Service	Configuration	Monthly Cost	Purpose
Analytics Athena	50TB scanned/mo, S3 data lake	~$250	Ad-hoc SQL on telemetry, audit, evidence data
Analytics Redshift Serverless	32 RPU baseline, 5TB compressed	~$960	Executive analytics, portfolio risk dashboards
Analytics QuickSight (Enterprise)	100 authors, 500 readers, dashboards	~$750	Customer-facing embedded BI, exec reporting
Analytics OpenSearch (Elasticsearch)	3x t3.small.search, 100GB	~$180	Full-text search across evidence & reports
Analytics Glue (ETL)	10 DPUs, 100 hours/mo	~$440	Data transformation, schema discovery, catalog
Analytics Lake Formation	1TB data lake with fine-grained access	~$110	Governance, row/column-level security on data lake

11. Developer Tools & CI/CD

Service	Configuration	Monthly Cost	Purpose
Storage ECR (Container Registry)	500GB images, 10M pulls	~$50	Docker images for backend/frontend/workers
Compute CodeBuild	2,000 build-minutes, 10 concurrent builds	~$80	CI for tests, lint, typecheck, image build
Compute CodePipeline	10 active pipelines	~$10	Multi-stage deploy: dev -> staging -> prod
Compute CodeDeploy	20 EC2 + 20 Lambda deployments/mo	~$5	Blue/green + canary deployments, rollback
ML CodeCatalyst (dev environments)	20 dev environments (4 vCPU, 16GB)	~$800	Cloud dev environments, no local Docker pain
Storage CodeArtifact	100GB Python + npm packages	~$5	Private package registry, supply chain security
Security Inspector + ECR scanning	Continuous on 500 images	~$30	CVE detection in build pipeline

12. Business Support & Professional Services

Service	Configuration	Monthly Cost	Purpose
Support AWS Business Support	1-hour response for production-down, 24/7 chat	~$1,000 or 10% of monthly spend	Required by most enterprise customers for insurance-grade SLA
Support AWS IQ / Professional Services	40 hours/mo of architect time	~$5,000	Migration assistance, Well-Architected reviews, training
Support Training & Certification	5 engineers, 3 courses each	~$3,000	SA-A, SAP, Security Specialty certs
Support Marketplace Subscriptions	3 third-party SaaS listings	~$500	Datadog Pro, Snowflake data sharing, PagerDuty

Self-Hosted -> AWS Service Mapping

Migration Roadmap

Traefik -> Application Load Balancer + ACM
Keycloak -> Amazon Cognito (B2C) + IAM Identity Center (internal)
PostgreSQL + TimescaleDB + pgvector -> Aurora PostgreSQL Serverless v2 (pgvector GA; TimescaleDB -> separate Timestream)
Apache AGE -> Amazon Neptune (graph DB)
Redis -> ElastiCache for Redis (cluster mode)
MinIO -> Amazon S3 (+ S3 Glacier for cold storage)
Redpanda (Kafka) -> MSK (Kafka API) or Kinesis Data Streams (managed)
EMQX (MQTT) -> AWS IoT Core (managed MQTT 5 broker)
Temporal self-hosted -> Temporal Cloud (BYO) for stateful workflows; Step Functions for simpler
Camunda -> Step Functions (state machine DSL); keep Camunda SaaS for BPMN if complex
Prometheus + Grafana -> CloudWatch + Managed Grafana + Managed Prometheus
Jaeger / OpenSearch logs -> CloudWatch + X-Ray + Managed OpenSearch
sentence-transformers (local) -> Bedrock Titan Embeddings + Custom Model Import

Year-1 Total Cost Breakdown

$8,500/mo average burn (Y1), peaks at $12K/mo during Q3-Q4

Compute (EC2/Fargate/EKS/Lambda)

$1,650

Database (Aurora/Neptune/Timestream)

$2,570

Storage (S3/EBS/FSx/Backup)

$940

Networking + CDN

$2,400

AI/ML (Bedrock + SageMaker)

$6,790

IoT (Core, SiteWise, Analytics)

$1,850

Security (WAF, GuardDuty, Cognito)

$1,200

Observability (CW, Grafana, X-Ray)

$2,710

Streaming (Kinesis, MSK, SQS, EventBridge)

$3,065

Analytics (Athena, Redshift, QuickSight)

$2,690

CI/CD + Dev Tools

$980

Support + Training

$2,000

Reserved Instance Savings

-$1,500

Monthly Subtotal

$27,345

Annualised (Y1)

~$328K

The Math: Full production-grade target architecture is $27K/mo, $328K/yr. The $100K AWS Activate credit covers ~3.7 months at full throttle. The intent: use the credit to build the platform and prove production load, then use that data to either raise a priced round with committed AWS spend, or negotiate a custom EDP. AWS wins because the workload sticks; we win because we built on credit instead of seed capital.

Optimised Y1: $8.5K/mo Average (Credit-Funded)

Realistically, the first 6 months won't burn at the full target rate. Adoption curves look like this:

Month 1-2: Migration + Free Tier heavy - $2-3K/mo
Month 3-4: First customers, Multi-AZ, Bedrock production - $5-7K/mo
Month 5-6: Add SageMaker, IoT, basic DR - $8-10K/mo
Month 7-9: Multi-region, advanced ML, full observability - $10-13K/mo
Month 10-12: Reserved instances kick in, optimise - $10-12K/mo

Y1 cumulative: ~$102K - perfect credit absorption.

Year-2 Steady State: $5-7K/mo (After Credit, After RIs)

After Y1 we lock in 1-year and 3-year Reserved Instances / Savings Plans for known baseline, and right-size the rest. Target:

3-year EC2 RIs (No Upfront): ~60% off on-demand for baseline
3-year RDS RIs: ~55% off for Aurora
Compute Savings Plan 1-year: ~30% off Lambda, Fargate, ECS
SageMaker Savings Plan: 1-year, 50% off endpoints
Bedrock throughput still pay-as-you-go but using prompt caching & batch APIs (50% off)

Year-3+ Growth Path: $10-25K/mo

When customers reach 100K+ devices, the IoT + ML line items scale linearly. Plan for:

10x IoT message volume -> $8K/mo on IoT Core + SiteWise
Multi-region active-active (us-east-1, eu-west-2, ap-southeast-1) -> 2.5x infra
Bedrock Provisioned Throughput multiplied by 5x for high-volume customers
Redshift RA3 + QuickSight Enterprise for embedded BI at scale

Cost Optimisation Playbook (Post-Credit)

Savings Plans for EC2/Fargate/Lambda after 6 months of stable usage (30-65% off)
Convertible Reserved Instances for Aurora (30-55% off, flexible instance family)
SageMaker Savings Plan for endpoint baseline (50% off)
Bedrock Prompt Caching + Batch APIs (50% off on cached tokens)
Bedrock Intelligent Prompt Routing (route cheap models first, escalate on confidence)
S3 Intelligent-Tiering + lifecycle policies to Glacier IR/DA
Spot Instances for batch ML training and async workers (60-90% off)
Graviton (ARM) instances (t4g, m6g, c6g, r6g) for 20-40% better price/performance
VPC Endpoints for S3/DynamoDB to cut NAT Gateway data processing
CloudWatch Logs Insights queries instead of keeping raw logs hot; lifecycle to S3
Kinesis Data Firehose with S3 buffering instead of always-on Kinesis Streams
Lambda Power Tuning to right-size memory allocation

Why This Spend is "Reasonable" for Insurance Tech

InsurTech infrastructure benchmarks (CoverWallet, Lemonade, Hippo, Root):

Pre-Series-B InsurTechs typically spend $8-25K/mo on cloud
Series B InsurTechs spend $50-150K/mo
Public InsurTechs spend $500K+/mo on AWS alone
IoT + ML heavy workloads skew higher than pure SaaS (Lemonade spends ~$2M/mo on GCP)

$5-7K/mo steady-state with $100K Y1 burn is the sweet spot: expensive enough to be taken seriously, lean enough to show path to profitability.

AWS Activate Application

Apply at aws.amazon.com/activate:

Founders (incorporated < 5 years, < $10M raised): $1,000 in credits, 1 year
Portfolio (backed by qualifying VC): up to $25,000 in credits, 1 year
Affiliated Startups (via accelerators like YC, Techstars): $5,000-$100,000, 1-2 years
Enterprise (via direct AWS contact): $100,000+ credits, custom

For $100K credits, partner with the AWS Startup Loft team or your VC's AWS account team directly. The credits cover compute, ML, data transfer, and Business Support.

Final Note for AWS Account Team: This architecture is designed to scale predictably and use the credit allocation efficiently. The Y1 burn pattern ($2K -> $12K/mo) demonstrates real production load, not just experimentation. By month 12 we expect to convert to standard EDP/PAYG with 1-year commit, justifying the original $100K investment.