AWS Partner Network (APN) Blog

Revolutionizing the Timber Industry by Ensuring Authenticity and Certification with Amazon Managed Blockchain

By Cristian Critelli, Sr. Partner Solutions Architect, Migrations/Modernization – AWS
By Pedro Campos, Sr. Manager – Deloitte Technology, S.A

By Luís Dias, Manager – Deloitte Technology, S.A
By Bruno Batista, Partner – Deloitte Technology, S.A

Connect with Deloitte-2

The timber industry plays a key role in the global economy, providing a wide range of essential products despite growing concerns caused by the illegal timber trade and lack of control in the process of selling certified timber.

Biond Forest Fibers, a Portuguese nonprofit, collaborated with Deloitte to ensure wood origin, authenticity, certification, and sales process integrity in pulp, paper, and related industries.

This post presents an innovative solution developed by Deloitte, based on Amazon Managed Blockchain, for the timber industry addressing the following challenges:

  • Detecting non-conformities in the process of transporting and selling certified wood.
  • Effectiveness and reliability of forest certification, ensuring the authenticity and legal origin of the wood, from its cutting to its arrival in the factory reducing the risk of fraud.
  • Independent access to timber data, historical records, and wood processing details for audit purposes by timber buyers.
  • Combatting illegal timber trade and promoting environmental sustainability.
  • Managing all of the above in a single pane of glass.

Deloitte is an AWS Premier Tier Services Partner with AWS Competencies in DevOps, Migration, and many other areas. Deloitte is also a member of the AWS Managed Service Provider (MSP) Partner Program.

Lifecycle of Wood Loads

To fully understand the objectives and responsibilities of the Deloitte solution, it’s essential to understand how wood loads are identified and what their lifecycle is.

  • Each wood load has a unique vignette and barcode linking it to its extraction source, transport info, and certificate, with its status changing throughout the wood’s lifecycle.
  • After extraction, a certified entity issues an “In transit” vignette to track the wood, which can be deactivated if erroneous or unused.
  • Upon reaching the factory, the vignette transitions to “Received” and is assessed for production and transport issues, changing its status to either “delivered WITHOUT non-conformity” or “under review.”
  • Vignettes “under review” highlight purchase or transport issues; the supplier organization is asked to verify the issue and confirm its validity, leading to a “delivered WITH” or “WITHOUT non-conformity” status. Both supplier and buyer are notified of the decision.

This meticulous tracking process ensures transparency and conformity throughout the wood’s journey, promoting a reliable and accountable wood industry ecosystem.


Figure 1 – Diagram of states that a vignette, wood load identifier, can assume.

Solution Implementation

To address these challenges and objectives, a solution architecture was designed based on the use of AWS cloud services. The architecture is distributed across different AWS accounts to manage AWS resources and address different purposes of the solution component, each representative of a node of the blockchain network.

All infrastructure is generated through the AWS Cloud Development Kit (AWS CDK), which enables the replication of the entire infrastructure across multiple environments by creating AWS CloudFormation stacks.

For context, let’s review a basic understanding of how the blockchain network is structured behind the scenes.

Hyperledger Fabric is an open-source private blockchain framework that provides a platform for building the blockchain network for peer-to-peer transactions and the execution of smart contracts, also known as “chaincode” within the Hyperledger Fabric ecosystem.

At the heart of a Hyperledger Fabric network is the Membership Service Provider (MSP). The MSP serves as an interface or abstraction layer responsible for establishing and evaluating digital identities using certificates and keys. Each organization or member within the network is assigned a unique cryptographic primitive to establish access control. This allows organizations to leverage various credentialing implementations that suit their specific requirements.

The Fabric Certificate Authority (CA) is often used to generate and manage credentials for authorized clients interacting with the blockchain. The MSP framework enforces access privileges and roles for digital identity owners within the network.

Another crucial component of a Hyperledger Fabric network is the Peer Nodes. Each organization or member operates their own set of Peer Nodes, which act as the primary interface to the network. Peer Nodes play a critical role in endorsing and committing transactions on the network and maintaining a copy of the ledger’s state.

By storing independent copies of the ledger, Peer Nodes contribute to the decentralized and fault-tolerant nature of the blockchain. They are responsible for submitting client transactions to the Ordering Service, ensuring the transactions are included in the blocks added to the ledger.

The Ordering Service, also known as the Orderer, is responsible for maintaining the chronological and consistent order of transactions and writing them into blocks. It acts as the central authority within the network, ensuring all transactions are properly ordered and propagated. The Orderer generates blocks containing updates to the ledger state and disseminates them to the Peer Nodes during the transaction flow.

In a typical setup scenario, a network is initially created by a member; let’s say Member A. At this stage, the CA nodes and Ordering Service are provisioned. Subsequently, Member A can invite other members like Member B and Member C to join the network, expanding the participation and capabilities of the blockchain network.

It’s noteworthy that connectivity to the Hyperledger Fabric network is established using AWS PrivateLink over the AWS backbone, ensuring secure network connections without traversing the public internet.

How to Structure AWS Accounts

The account dedicated to certified entities will be responsible for the communication of wood suppliers or certified entities with the blockchain network, through a forest management portal. This account does the hosting of the portal and its connection to the database and Amazon Managed Blockchain.

The node of Blockchain network available in this account will have permissions for the creation and inactivation of traceability codes (called vignettes) cargo identifiers, but not for the communication of their receipt.


Figure 2 – Architecture of the account dedicated to certified entities in the solution.

The accounts dedicated to buyers will be used by the two purchasing entities (each will have a dedicated AWS account) for the communication of timber cargo receipts.

The number of accounts may increase in the event of an increase in the number of purchasing entities. These accounts expose APIs for the communication of the receipt of certified wood and its connection to the blockchain. The blockchain nodes, available in these accounts, will have permission to update the vignette state to “Received.”


Figure 3 – Architecture diagram of the accounts dedicated to buyers in the solution.

The implemented solution can be divided into two major modules:

  • Module of the supplier/certified entity, which corresponds to the entity that makes the exploitation of the wood in the forests.
  • Module of the buyer, which corresponds to the entity that acquires and receives loads of wood in its factories.

The supplier/certified entity module has as its main entry point the FM Portal (Portal of Forest Management or forest management). This portal is a web application developed in Angular and authenticated using the service Amazon Cognito.

The portal is accessed by three different types of users, each with different actions available:

  • Certified entity (standard user): User associated with one of the certified companies who can use the portal to register their certificates and UGFs (forest management units) to generate vignettes identifying the loads to be transported. In addition, the user may also dispute occurrences/non-conformities identified by the solution, providing a justification to why these have occurred.
  • Operator: Biond user, who has the role of the platform manager, and can create other users and certified companies. You’ll also have access to some operation functionalities, such as changing general application settings (like default vignette time-to-live) and approving certificates.
  • Administrator: User who has access to all the functionalities of the portal so they can intervene in case of error or request for clarification.

The FM portal uses REST APIs exposed via Amazon API Gateway to obtain information or perform any actions that require access to the relational database or Amazon Managed Blockchain. The business logic or orchestration of these requests is programmed in NodeJS and hosted in AWS Lambda.

The Lambda instances thus have logic that supports the core operation of the solution, such as:

  • Orchestration of requests for get, post, delete, or update to the relational database.
  • Request access logic and orchestration for get, post, delete, or update to Amazon Managed Blockchain.
  • Rules engine for synchronous and asynchronous detection of non-conformities, such as:
    • Wood load in excess compared to what was sent.
    • Load received with invalid/inactive certificate.
    • Wood load identified by a cancelled or expired vignette.
    • Incoming load associated with an inactive UGF.
  • Logic of generating alerts and notifications via email in different use cases of the solution.
  • Orchestration of requests to others managed services, such as Amazon Cognito.

The entry point for the buyer module is the receipt submission API, which is exposed via Amazon API Gateway and allows operations for the submission of the receipt manifest, as well as operations for updating or deleting receipts when they have not yet been processed.

The logic for each of the operations explained above is available via AWS Lambda, which processes the requests asynchronously and contains the logic for connecting with the blockchain network. This layer also contains the logic of detecting non-compliant vignettes received previously.


Figure 4 – Representative architecture of the supplier and buyer nodes of the blockchain.

Deloitte and AWS Impact on Timber Trade Industry

The solution described in this post has been adopted by more than 30 certified entities that, since 2020, have been using the FM Portal to register their certified wood transport loads. Since its adoption as a platform for the control and audit of certified wood, the FM and Blackbox Portal have been used daily by certified entities.

The data presented below has been extracted from the application database at the time of writing this post:

  • More than 10,000 groups of vignettes (bar codes identifying wood loads) have been created.
  • More than 130,000 cargo identification stickers have been created.
  • It received more than 3,9 million m3 of wood bark.
  • 5.276 non-conformities were identified in loads recorded in the solution, of which 4,904 were confirmed and 372 were rejected with justification.

Thus, use of the solution contributes to greater transparency and control in the process of selling certified wood, from its cutting to arrival at the factory, and allows greater confidence in the product marketed.

The non-conformities identified and subsequently alerted to the buyer and certified entity allow you to start of the process of investigation of the load and identification of errors or possible fraud in the process. The way the solution is structured also allows ensuring that two or more competing entities can use it independently and with blocked access to information that’s not associated with their domain, which is valid for information held by another competitor or exclusive information of the certified entity/supplier.

Despite the value identified and advantages introduced with the adoption of this platform, the solution introduces a new level of operational effort for certified entities, as they need to enter detailed information associated with the loads they intend to transport.


In summary, the FM and Blackbox Portal implementation have successfully transformed the control and audit processes of certified wood transportation. This transformation has brought about greater transparency, enhanced control, and increased confidence in the certified wood supply chain.

By identifying and addressing non-conformities, the solution enables prompt investigations and safeguards against potential fraud. Its architecture ensures fair competition among entities and at the same time protecting sensitive information.

Continuous improvement and feature development will be driven by feedback from certified entities and buyers. This iterative approach ensures the solution remains adaptable and responsive to industry needs.


Deloitte – AWS Partner Spotlight

Deloitte is an AWS Premier Tier Services Partner and MSP. Through a network of professionals, industry specialists, and an ecosystem of alliances, they assist clients in turning complex business issues into opportunities for growth, helping organizations transform in the digital era.

Contact Deloitte | Partner Overview | Case Studies