AWS Public Sector Blog

MOSIP on AWS: Technical deep dive exploring architecture, implementation, and deployment models


In Part 1 of this blog series, MOSIP on AWS: Transforming digital identity for modern governments, we explored the compelling business case for cloud-based digital identity systems. We discussed how, according to the World Bank’s Identification for Development (ID4D) initiative, approximately 850 million people globally lack official identification; how the global biometric technology market is projected to grow to USD $150.58 billion by 2030; and how the collaboration between Atos and Amazon Web Services (AWS) addresses these challenges through MOSIP (Modular Open-Source Identity Platform) on the AWS Cloud.

We outlined the significant cost benefits—including 60–70% reduction in upfront infrastructure costs and 40–50% decrease in operational expenses—along with the flexible deployment tiers ranging from USD $4,168 per month for small-scale implementations to USD $14,395 per month for large-scale deployments. We also examined how this solution transforms implementation timelines from 12–18 months to just 3–6 months while providing enhanced security, scalability, and compliance capabilities.

Building on that foundation, this technical deep dive explores the intricate architecture, implementation patterns, and deployment models that make these business benefits possible. We’ll examine the specific AWS services powering this solution, detailed infrastructure configurations, security frameworks, and the four hybrid deployment options that address varying data sovereignty requirements. Whether you’re a technical architect, systems integrator, or government technology leader, this post provides the technical insights needed to understand and implement MOSIP on AWS effectively.

The MOSIP and AWS co-innovation project

The Atos and AWS innovation teams collaborated to develop the leading implementation of a cloud-based digital identity system using MOSIP on AWS. The project involved architecture discussions and face-to-face meetings, bringing together teams from both AWS and Atos to enable a comprehensive solution design.

Figure 1. Innovating Digital ID on AWS Cloud, ATOS presentation

The project demonstrates the feasibility of deploying a scalable, secure, and efficient digital identity system on the cloud, so that countries and organizations without dedicated infrastructure can build their digital ID systems using MOSIP and AWS Cloud services.

The co-innovation journey began with intensive architecture discussions between AWS and Atos teams in Rabat, Morocco. Over 3 months, the teams collaborated to transform MOSIP from an on-premises solution to a cloud-centered platform. The project team redesigned the system from the ground up, using AWS managed services including Amazon Elastic Kubernetes Service (Amazon EKS) for Kubernetes orchestration, Amazon Aurora for database management, Amazon Managed Streaming for Apache Kafka (Amazon MSK) for Kafka clusters, and Amazon MQ for message queuing.

The implementation delivered two key components: a registration system for citizen onboarding and an authentication system for identity verification—complete with real-time notifications and a comprehensive monitoring dashboard. This successful proof-of-concept (PoC) demonstrated that governments could implement digital identity systems without significant infrastructure investments (see the cost optimization section in Part 1 of this blog series) while maintaining core functionality and security requirements.

Figure 2. Rabat ville by sunset at Ave Mohammed V, Alawite Square from above, Rabat, Morocco

Architecture

PoC implementation: Logical view

In the following figure, we demonstrate both the registration and authentication processes including the high-level flow of data.

Figure 3. PoC implementation, Logical view, designed by Atos

Cloud-based digital identity system

In the following figure, we demonstrate the implementation of the MOSIP PoC on AWS, including the difference in architecture and the migration of components from on-premises to the new cloud-centered deployment.


Figure 4. PoC implementation – MOSIP LTS 1.2.0.1 Deployment, designed by Atos

MOSIP on the AWS Cloud

The MOSIP cloud architecture on AWS is designed with security and scalability at its core. The system’s entry points are protected by AWS Shield, Amazon Route 53, Amazon CloudFront, and AWS WAF, providing multi-layered protection against threats. The network architecture is segmented into specialized virtual private clouds (VPCs) (transaction, ingress, egress, and VPN) interconnected through an AWS Transit Gateway, to help enable secure communication flows.

At the heart of the system lies the MOSIP Private VPC, hosting an Amazon EKS cluster distributed across two Availability Zones for high availability. This cluster runs the core MOSIP services, supported by essential managed services including Amazon MSK for event streaming, Amazon Aurora PostgreSQL for data persistence, Amazon MQ for message queuing, and Amazon OpenSearch Service for analytics.

Security is further enhanced through a dedicated hardware security module (HSM) VPC containing an AWS CloudHSM cluster for cryptographic operations. The entire infrastructure is managed as code using the AWS Cloud Development Kit (AWS CDK) and AWS CloudFormation, and is supported by a comprehensive continuous integration and continuous delivery (CI/CD) pipeline built on AWS CodePipeline and AWS CodeBuild, with SonarQube for quality assurance.

AWS security services such as Amazon GuardDuty, AWS Certificate Manager (ACM), and AWS Identity and Access Management (IAM) provide additional layers of protection, while Amazon Simple Notification Service (Amazon SNS) and Amazon Simple Email Service (Amazon SES) handle system notifications.

Figure 5. MOSIP on AWS architecture, co-designed by AWS and Atos

Hybrid deployment options

To address data residency and sovereignty requirements, the project explored four hybrid deployment options.

Option 1: Hybrid deployment

Production environments are deployed on-premises, while non-production environments are hosted on AWS.

This approach maintains a clear separation between production and non-production environments: production workloads run entirely on-premises, while development, testing, and staging environments operate on AWS. The model uses AWS managed services for the non-production environments, including Amazon EKS for container orchestration and Aurora PostgreSQL-Compatible Edition for databases, while keeping production data within the organization’s physical infrastructure. This setup helps meet data residency requirements while still allowing rapid development and testing in the cloud. The production architecture includes an on-premises HSM, PostgreSQL databases, and Amazon Simple Storage Service (Amazon S3)-compatible object storage, with the automated biometric identification system (ABIS) deployed locally to handle sensitive biometric data.

Figure 6. Hybrid deployment architecture

Option 2: Data backup and key management on-premises

All environments are deployed on AWS, but key management, HSM, and data backups are stored on-premises.

In this model, all MOSIP environments operate on AWS while critical security controls remain on-premises. The solution uses the full range of AWS services for application deployment but keeps encryption keys and HSM modules on-premises, helping to ensure that organizations retain control over data access. To help meet compliance standards, backups of both Amazon S3 data and PostgreSQL databases are stored on-premises, providing an additional layer of data sovereignty. This approach balances cloud scalability with data control: cloud-stored data remains encrypted with keys managed on-premises, helping organizations meet compliance requirements while using the robust infrastructure provided by AWS.

Figure 7. Data backup and key management on-premises

Option 3: Personal and sensitive data on-premises

Services handling personal or sensitive data are deployed on-premises, while other services are hosted on AWS.

This architecture creates a clear delineation based on data sensitivity. Services handling personal and sensitive data—including biometric information, identity documents, and personal details—are deployed on-premises, while services without sensitive data operate on AWS. This split architecture requires careful service segregation and robust communication channels between cloud and on-premises components. The solution maintains separate Kubernetes clusters and databases in both environments, with an on-premises HSM managing encryption keys across both environments. This approach enables strict compliance with data residency requirements while still taking advantage of cloud benefits for non-sensitive workloads.

Figure 8. Personal and sensitive data on-premises, all standard services on the AWS Cloud


Figure 9. Microservices architecture to support Option 3: Personal and sensitive data on-premises

Option 4: AWS Outposts solution

Deploying MOSIP on AWS Outposts offers a unique hybrid approach where AWS infrastructure and services run within the organization’s data center. This solution provides the full AWS experience—including managed services such as Amazon EKS, Aurora, and other AWS services—while keeping all data and processing within the organization’s premises. The Outposts deployment maintains consistency with cloud-centered operations while helping meet data residency requirements. This approach eliminates the complexity of managing split environments while providing the security and compliance benefits of on-premises deployment, combined with AWS managed service capabilities and operational tools. For more information, make sure to read the AWS blog post Delivering national digital identity systems with AWS Outposts.

Figure 10. AWS Outposts server rack

Countries and organizations can use these hybrid options to comply with local regulations and maintain control over their data while taking advantage of the scalability and cost-effectiveness of the AWS Cloud.

Implementation guide

The journey to implementing MOSIP on AWS begins with an assessment and planning phase.

The MOSIP implementation journey begins with evaluating population size and transaction volumes to determine the appropriate scale requirements, followed by analyzing data sovereignty and residency requirements to select the optimal deployment model. During this initial phase, collaboration with the Atos Digital ID team establishes country-specific requirements and integration needs. After requirements are finalized, the foundational infrastructure deployment begins, setting up the network architecture and security components that will support the entire system.

With the foundation in place, the development environment is established to begin system configuration and testing. Core MOSIP modules are deployed and integrated with essential services, while security controls and access management systems are implemented. Comprehensive testing follows, including functional testing, security assessments, and integration validation, with iterative improvements made based on testing feedback. This phase helps ensure that all components work together before moving to production.

The final implementation stages involve deploying the production environment with high availability configurations and establishing backup and disaster recovery procedures. When live, the system enters a continuous monitoring and optimization phase, where performance is tracked and resources are adjusted based on actual usage patterns. The implementation cycle typically completes within 3–6 months, followed by an ongoing process of updates and improvements based on operational feedback and evolving requirements. This approach helps ensure that the system remains efficient, secure, and aligned with user needs throughout its lifecycle.

Security and compliance

The MOSIP cloud architecture implements a defense-in-depth security strategy, starting with edge protection through AWS Shield, AWS WAF, and CloudFront. Network security is enforced through a specialized VPC architecture that includes dedicated transaction, ingress, egress, and VPN VPCs, all interconnected through Transit Gateway. Security inspection occurs at multiple points, with SSL/TLS termination at the Kubernetes cluster ingress and incoming data packets scanned for malware before processing. The architecture implements role-based access control (RBAC) through Keycloak with OAuth2 authentication, while connectivity to external systems is secured using mTLS with certificate-based authentication.
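The RBAC step above is the point where a Keycloak-issued access token is turned into an allow/deny decision at the service boundary. The following Go program is an added example written for this post; it is not MOSIP, Keycloak, Atos or AWS code. It verifies a token the way a gateway or service should before trusting any claim (algorithm pinned, signature checked in constant time, then expiry, issuer and audience) and only then looks for a required role under `realm_access.roles`, which is where Keycloak places realm roles. Assumptions, labelled in the code: the token is HS256-signed with a shared key so the example runs offline (Keycloak issues RS256 tokens by default, where the realm's public key would replace `Key` and the HMAC check becomes an RSA verify); `MintToken` stands in for Keycloak's token endpoint; the issuer URL, audience and role names are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of a Keycloak access token needed for RBAC. Keycloak
// puts realm roles under realm_access.roles; aud may be a string or an array.
type Claims struct {
	Iss         string          `json:"iss"`
	Aud         json.RawMessage `json:"aud"`
	Exp         int64           `json:"exp"`
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
}

// Policy is what the gateway trusts. Assumption: HS256 with a shared key so the
// example is self-contained; with Keycloak's default RS256 this would hold the
// realm's public key and the hmac.Equal check below would be an RSA verify.
type Policy struct {
	Issuer, Audience string
	Key              []byte
}

var enc = base64.RawURLEncoding

func sign(p Policy, signingInput string) []byte {
	mac := hmac.New(sha256.New, p.Key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// Authorize verifies the token and then checks for requiredRole. Nothing in
// the payload is trusted until the algorithm and signature have been checked.
func Authorize(token string, p Policy, requiredRole string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := enc.DecodeString(parts[0])
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg) // rejects "none" and alg confusion
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(p, parts[0]+"."+parts[1])) { // constant-time compare
		return nil, errors.New("invalid signature")
	}
	payload, err := enc.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("bad claims")
	}
	switch {
	case c.Exp == 0 || now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Iss != p.Issuer:
		return nil, errors.New("wrong issuer")
	case !audienceContains(c.Aud, p.Audience):
		return nil, errors.New("wrong audience")
	}
	for _, r := range c.RealmAccess.Roles {
		if r == requiredRole {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("missing role %q", requiredRole)
}

// audienceContains accepts both encodings Keycloak uses for aud.
func audienceContains(raw json.RawMessage, want string) bool {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return one == want
	}
	var many []string
	_ = json.Unmarshal(raw, &many)
	for _, a := range many {
		if a == want {
			return true
		}
	}
	return false
}

// MintToken stands in for Keycloak's token endpoint so the example runs
// offline (constructed for this example, not Keycloak code).
func MintToken(p Policy, roles []string, exp time.Time) string {
	hdr := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(map[string]any{
		"iss": p.Issuer, "aud": p.Audience, "exp": exp.Unix(),
		"realm_access": map[string][]string{"roles": roles},
	})
	signingInput := hdr + "." + enc.EncodeToString(body)
	return signingInput + "." + enc.EncodeToString(sign(p, signingInput))
}
```

A typical call is `Authorize(bearerToken, policy, "REGISTRATION_OFFICER", time.Now())` in the handler or ingress filter for each route, with the distinct error strings going to the audit log so that expired, mis-signed and under-privileged requests can be told apart in detection rules. The order of checks matters: the header's `alg` is pinned before the signature is read, which is what closes the `alg: none` and algorithm-confusion classes of token forgery.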

Data protection is paramount, with all sensitive information encrypted both at rest and in transit. The system uses CloudHSM for key management and cryptographic operations, helping to maintain hardware-based security for critical operations. Personal and biometric data undergo additional encryption at the application level before storage. Comprehensive audit trails are maintained through Amazon CloudWatch Logs, while Amazon GuardDuty provides threat detection capabilities. AWS Certificate Manager (ACM) handles SSL/TLS certificate management, and IAM governs access control across all AWS services. For organizations with specific data residency requirements, the architecture supports hybrid deployment models where sensitive data can be maintained on-premises while using cloud capabilities for non-sensitive workloads.
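Two statements on this page rest on the same mechanism: Option 2's claim that cloud-stored data stays encrypted under keys managed on-premises, and the application-level encryption of personal and biometric data before storage described just above. Both are envelope encryption: each record is encrypted with its own data-encryption key (DEK), and only the wrapped DEK travels with the record, so whoever holds the cloud copy still needs the key-encryption key (KEK) that never leaves the HSM. The Go program below is an added example written for this post, not Atos, MOSIP or AWS code, and uses only the standard library. Assumptions, labelled in the code: `OnPremHSM` is an in-process stand-in for the on-premises HSM (a real deployment would call it over PKCS#11 or a similar interface, and CloudHSM would play that role in the all-cloud design); AES-256-GCM is used for both the wrap and the payload; the record ID is bound as associated data; the sample payload is a constructed byte string.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// OnPremHSM simulates the on-premises HSM of the hybrid options (not a CloudHSM
// or PKCS#11 client). The KEK never leaves it; the cloud side may only ask it
// to wrap or unwrap per-record data keys.
type OnPremHSM struct{ kek []byte }

func NewOnPremHSM() (*OnPremHSM, error) {
	kek := make([]byte, 32) // AES-256 KEK generated inside the "HSM"
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &OnPremHSM{kek: kek}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce; aad binds the
// ciphertext to a context (here the record ID) without encrypting it.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails closed on a wrong key, a wrong context or any
// modification of the ciphertext or tag.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// WrapDEK and UnwrapDEK are the only operations exposed to the cloud side.
func (h *OnPremHSM) WrapDEK(dek []byte, recordID string) ([]byte, error) {
	return seal(h.kek, dek, []byte(recordID))
}

func (h *OnPremHSM) UnwrapDEK(wrapped []byte, recordID string) ([]byte, error) {
	return open(h.kek, wrapped, []byte(recordID))
}

// CloudRecord is what lands in S3 or Aurora: ciphertext plus a wrapped DEK,
// never a plaintext key, so a copy of the cloud data alone is unreadable.
type CloudRecord struct {
	ID         string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptRecord is the application-level step: a fresh per-record DEK encrypts
// the payload, and the HSM wraps that DEK under its KEK.
func EncryptRecord(h *OnPremHSM, id string, sensitive []byte) (*CloudRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, sensitive, []byte(id))
	if err != nil {
		return nil, err
	}
	wrapped, err := h.WrapDEK(dek, id)
	if err != nil {
		return nil, err
	}
	return &CloudRecord{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord must round-trip through the HSM to recover the DEK; because the
// record ID is the AAD, a wrapped DEK copied from another record will not unwrap.
func DecryptRecord(h *OnPremHSM, rec *CloudRecord) ([]byte, error) {
	dek, err := h.UnwrapDEK(rec.WrappedDEK, rec.ID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext, []byte(rec.ID))
}
```

Usage is `rec, _ := EncryptRecord(hsm, "uin-0001", template)` on the write path and `DecryptRecord(hsm, rec)` on the read path, where `template` is the encoded biometric record. The properties worth noting for the hybrid options: a backup of the cloud store contains nothing that decrypts without the on-premises KEK, rotating the KEK only requires re-wrapping DEKs rather than re-encrypting payloads, and a different HSM (another tenant or an attacker's own key) fails the unwrap rather than producing wrong plaintext.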

Figure 11. Diagram showing the AWS security and governance services used within the architecture

Compliance is managed through multiple layers, with AWS Config and AWS Security Hub providing continuous security assessment and compliance monitoring. The system adheres to privacy-by-design principles, incorporating data minimization and purpose limitation. All system components are deployed using infrastructure as code (IaC) to provide consistent security controls and compliance with security standards. Regular security assessments, penetration testing, and automated security scanning are integral parts of the CI/CD pipeline. The architecture supports various compliance requirements including data protection regulations, with the flexibility to adapt to country-specific regulatory frameworks through its modular design.
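When every component is deployed as code, the same templates that build the stack can be checked for the controls this section lists before they ever reach an account, which is the "automated security scanning in the CI/CD pipeline" step in practice. The Go program below is an added example written for this post, not Atos, MOSIP or AWS tooling, and it is not an AWS Config or Security Hub ruleset. It parses a CloudFormation template in JSON form and applies three rules that map to the data-protection and network-segmentation requirements above: Aurora clusters must set `StorageEncrypted`, S3 buckets must declare `BucketEncryption`, and a security group may be open to `0.0.0.0/0` only on port 443. The property names are CloudFormation's own; the template and the KMS alias in it are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// Finding is one policy violation, keyed by the template's logical resource ID.
type Finding struct{ Resource, Rule string }

type cfnResource struct {
	Type       string         `json:"Type"`
	Properties map[string]any `json:"Properties"`
}

// CheckTemplate applies three rules to a CloudFormation template (JSON form).
// The rules are written for this example; the property names are CloudFormation's.
func CheckTemplate(templateJSON []byte) ([]Finding, error) {
	var tpl struct {
		Resources map[string]cfnResource `json:"Resources"`
	}
	if err := json.Unmarshal(templateJSON, &tpl); err != nil {
		return nil, err
	}
	var out []Finding
	for id, r := range tpl.Resources {
		switch r.Type {
		case "AWS::RDS::DBCluster": // Aurora storage must be encrypted at rest
			if enc, _ := r.Properties["StorageEncrypted"].(bool); !enc {
				out = append(out, Finding{id, "rds-storage-encrypted"})
			}
		case "AWS::S3::Bucket": // packet and object stores need default SSE
			if _, ok := r.Properties["BucketEncryption"]; !ok {
				out = append(out, Finding{id, "s3-default-encryption"})
			}
		case "AWS::EC2::SecurityGroup": // only HTTPS may be reachable from anywhere
			rules, _ := r.Properties["SecurityGroupIngress"].([]any)
			for _, raw := range rules {
				rule, _ := raw.(map[string]any)
				cidr, _ := rule["CidrIp"].(string)
				from, _ := rule["FromPort"].(float64) // JSON numbers decode as float64
				if cidr == "0.0.0.0/0" && from != 443 {
					out = append(out, Finding{id, "sg-world-open-non-https"})
				}
			}
		}
	}
	// Map iteration order is random; sort so the CI log and any diff are stable.
	sort.Slice(out, func(i, j int) bool {
		if out[i].Resource != out[j].Resource {
			return out[i].Resource < out[j].Resource
		}
		return out[i].Rule < out[j].Rule
	})
	return out, nil
}

// sampleTemplate is a constructed fragment in the shape of a MOSIP stack, with
// one compliant and one non-compliant resource of each checked type.
const sampleTemplate = `{
  "Resources": {
    "MosipAurora": {"Type": "AWS::RDS::DBCluster",
      "Properties": {"Engine": "aurora-postgresql", "StorageEncrypted": true, "KmsKeyId": "alias/placeholder-mosip-key"}},
    "LegacyAurora": {"Type": "AWS::RDS::DBCluster",
      "Properties": {"Engine": "aurora-postgresql", "StorageEncrypted": false}},
    "PacketStore": {"Type": "AWS::S3::Bucket",
      "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "ScratchBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "IngressSG": {"Type": "AWS::EC2::SecurityGroup",
      "Properties": {"GroupDescription": "ingress", "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}}
  }
}`

func main() {
	findings, err := CheckTemplate([]byte(sampleTemplate))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("FAIL %-14s %s\n", f.Resource, f.Rule)
	}
	if len(findings) > 0 {
		os.Exit(1) // a non-zero exit fails the CodeBuild stage
	}
}
```

Run as a CodeBuild step on the synthesized CDK output (`cdk synth` emits CloudFormation JSON), the program fails the stage on any finding, so a cluster without storage encryption or an ingress rule opened too widely is caught in review rather than in a later Config or Security Hub alert. The rule set is deliberately small; the point is that each control stated in the design gets a machine-checked counterpart in the pipeline.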

Conclusion

The co-innovation project between Atos and AWS demonstrates how cloud technology can deliver digital identity systems through the implementation of MOSIP on AWS. This collaboration addresses the fundamental challenges of traditional on-premises deployments while offering a flexible and scalable solution that meets diverse governmental requirements. The architecture—built on AWS managed services and secured through multiple layers of protection—enables rapid deployment and cost-effective scaling while maintaining the highest standards of data security and sovereignty.

The solution’s versatility is evidenced through its multiple deployment options, from fully cloud-centered to hybrid implementations, allowing organizations to balance data residency requirements with cloud benefits. The successful implementations of MOSIP, serving millions of citizens, demonstrate the solution’s real-world effectiveness and scalability. The integration of IaC principles enables consistent, repeatable deployments while maintaining security and compliance standards, significantly reducing implementation time from 12–18 months to 3–6 months.

As governments worldwide seek to modernize their identification systems, this cloud-based approach offers a compelling pathway to digital transformation. The solution not only reduces initial infrastructure investments and ongoing operational costs but also provides the agility needed to adapt to evolving requirements. Through this partnership, Atos and AWS are helping to bridge the identity gap, so that governments can provide secure, accessible, and inclusive digital identity services to their citizens while maintaining control over sensitive data and meeting regulatory requirements. This innovative approach sets a new standard for digital identity systems, making them more accessible, efficient, and secure for governments and citizens alike.

Acknowledgments

ATOS Digital ID Team

AWS Team

  • Faisal Iqbal, head of innovation programs, Middle East & Africa
  • Tarik Belhachemi, senior partner manager, Middle East & North-Africa
  • Khalil Chagraoui, senior GSI partner account lead, EMEA & North America
  • Vida Ayub, senior program manager, digital innovation, EMEA
  • Hanane Lboukili, senior security & compliance regional lead, Middle East & Africa
  • Ionut Ionescu, principal security solutions architect, worldwide public sector
  • Benjamin Guérin, senior solutions architect
  • Roy White, global lead, partner solution architects, GSI partner
  • Gautier Rose, global Atos & Eviden alliance leader
  • Hamza Mimi, Saudi Arabia head of public sector solutions architects

Andrew Johnston

Andrew is a partner solutions architect at AWS focused on UK Public Sector initiatives. With over 30 years in IT across the UK and US, he brings deep expertise from his work with global integrators, SMEs, and software companies. Andrew excels at connecting business needs with technical solutions, helping AWS partners deliver innovative outcomes for their customers. His unique ability to spot patterns and craft elegant solutions makes him an asset in driving public sector digital transformation.

Mohamed Heiba

Mohamed is a senior innovation solutions architect at AWS, as part of the Customer Innovation Program across the Middle East, Africa, and Turkey. With over 15 years of experience in enterprise technology spanning roles at AWS, SAP, IBM, and various startups across multiple geographies, Mohamed specializes in cutting-edge technologies with a particular focus on generative AI, retrieval-augmented generation, and generative AI agents. He has a proven track record of architecting AI-powered solutions that leverage data lake architectures, big data processing, and advanced analytics, helping organizations harness the power of emerging technologies to drive innovation and achieve their business objectives.