This Guidance outlines a common framework for customers to adopt AWS services for their non-fungible token (NFT) workload, enabling customers to begin with a standard architecture that handles the basic functions required to get started with NFTs in their application(s).
The web client user authenticates with the Amazon Cognito User Pool, requesting a JSON Web Token (JWT) that will be verified upon requests to the REST API.
The web client user submits a POST request to mint a non-fungible token (NFT), providing both the required arguments for the request and the JSON web token (JWT) to authorize the operation to the Amazon API Gateway endpoint. API Gateway integrates with Amazon Cognito to verify the JWT and its contents.
After the JWT is verified, API Gateway invokes an AWS Lambda function that is responsible for building and signing the Ethereum transaction for the mint operation.
Using the user's unique identifier encoded in the JWT provided with the request, the Lambda function invokes the secure transaction signing module, which uses isolated compute in AWS Nitro Enclaves to sign the Ethereum transaction with the user's highly sensitive private key held in custody. In the transaction signing module, AWS Systems Manager governs operator access to the Amazon Elastic Compute Cloud (Amazon EC2) parent instance(s), AWS Key Management Service (AWS KMS) manages the symmetric encryption key used to derive private keys, and AWS Secrets Manager securely stores the encrypted private keys (ciphertext).*
*This example refers to a custodial key management environment (backend-managed cryptographic keys). Users in a self-custody environment (self-managed cryptographic keys) can instead sign transactions directly from the web client using their own wallet, bypassing the backend signing path in Nitro Enclaves.
Once the transaction is signed with the user's private key, the signed transaction is broadcast to the public Ethereum network via the JSON-RPC API exposed by a fully managed Ethereum full node on Amazon Managed Blockchain. The Ethereum node returns a transaction hash (ID) that can be used to retrieve information about the transaction and its status on the blockchain. In addition, the Lambda function stores any associated JSON metadata for the NFT in an Amazon Simple Storage Service (Amazon S3) bucket.
To monitor the transaction's status and the resulting state change on the network, an Amazon Elastic Container Service (Amazon ECS) application running on AWS Fargate subscribes to on-chain events and writes updates to Amazon DynamoDB, a NoSQL database, for later query whenever a relevant event is published. For example, it subscribes to events for the transaction hash so that it learns when the transaction is mined (included in a block) on the blockchain.
Once the transaction is included in a block and state is updated on the blockchain, the web client user can query the ownership of their new NFT and retrieve its metadata/content from the Amazon S3 bucket.
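The indexing step described above, as an added Python example that is not part of this Guidance's code: it turns an `eth_getTransactionReceipt` result into the status and ownership record the ECS task would write to DynamoDB. The receipt, block numbers, contract and wallet addresses are constructed placeholders, and the 12-block confirmation depth is an assumption. Three details matter for correctness here and are easy to miss: a receipt with `status` `0x0` means the mint reverted even though the transaction was mined, ownership should only be recorded once the block is deep enough that a reorganisation is unlikely, and Transfer logs must be filtered by the emitting contract address, because any contract can emit a log with the same topic hash.

```python
"""Indexer logic for the mint flow above: turn an eth_getTransactionReceipt
result into the status and ownership record the DynamoDB table stores.
Added example, not the Guidance's own code. The receipt, block numbers and
addresses below are constructed test data, and the confirmation depth is an
assumption to tune for your own risk tolerance."""
import json
from typing import List, Optional

# keccak256("Transfer(address,address,uint256)"): topics[0] of the ERC-721
# Transfer event that a mint emits, with `from` equal to the zero address.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ZERO_ADDRESS = "0x" + "00" * 20
CONFIRMATIONS = 12  # assumed depth before ownership is treated as final


def topic_to_address(topic: str) -> str:
    """Indexed address topics are left-padded to 32 bytes; keep the low 20."""
    if len(topic) != 66 or not topic.startswith("0x"):
        raise ValueError("malformed topic: %r" % topic)
    return "0x" + topic[-40:].lower()


def decode_mints(receipt: dict, contract: str) -> List[dict]:
    """Return {owner, token_id} for every ERC-721 mint in the receipt's logs.

    Any contract can emit a log with this topic hash, so filtering on the
    emitting address is a security check, not a nicety: without it a
    malicious contract called in the same transaction could make the
    indexer credit the user with tokens our contract never minted."""
    mints = []
    for log in receipt.get("logs", []):
        topics = log.get("topics", [])
        if log.get("address", "").lower() != contract.lower():
            continue
        if len(topics) != 4 or topics[0] != TRANSFER_TOPIC:
            continue  # ERC-20 Transfer has only 3 topics (value is not indexed)
        if topic_to_address(topics[1]) != ZERO_ADDRESS:
            continue  # an ordinary transfer, not a mint
        mints.append({"owner": topic_to_address(topics[2]),
                      "token_id": int(topics[3], 16)})
    return mints


def transaction_status(receipt: Optional[dict], head_block: int) -> str:
    """Classify a transaction the way the indexer writes it to DynamoDB:
    PENDING (no receipt yet), REVERTED (included with status 0x0: gas was
    spent but nothing was minted), MINED (included but shallow, may still be
    reorganised away) or CONFIRMED (at least CONFIRMATIONS blocks deep)."""
    if receipt is None:
        return "PENDING"
    if int(receipt["status"], 16) == 0:
        return "REVERTED"
    depth = head_block - int(receipt["blockNumber"], 16)
    if depth < 0:
        raise ValueError("receipt is ahead of the node head: stale head or reorg")
    return "CONFIRMED" if depth >= CONFIRMATIONS else "MINED"


def build_item(tx_hash: str, receipt: Optional[dict], head_block: int,
               contract: str) -> dict:
    """Assemble the DynamoDB item; ownership is only recorded once CONFIRMED,
    so a client polling the table never sees tokens a reorg could undo."""
    status = transaction_status(receipt, head_block)
    item = {"tx_hash": tx_hash, "status": status}
    if status == "CONFIRMED":
        item["tokens"] = decode_mints(receipt, contract)
    return item


# Constructed receipt in the shape eth_getTransactionReceipt returns; the
# hash and addresses are placeholders, not real on-chain data.
CONTRACT = "0x" + "ab" * 20
OWNER = "0x" + "cd" * 20
TX_HASH = "0x" + "11" * 32
SAMPLE_RECEIPT = {
    "transactionHash": TX_HASH,
    "blockNumber": "0x10",  # included in block 16
    "status": "0x1",
    "logs": [
        {   # mint of tokenId 7 to OWNER, emitted by our contract
            "address": CONTRACT,
            "topics": [TRANSFER_TOPIC, "0x" + "00" * 32,
                       "0x" + "00" * 12 + "cd" * 20, "0x" + f"{7:064x}"],
            "data": "0x",
        },
        {   # identical event shape from an unrelated contract: must be ignored
            "address": "0x" + "ee" * 20,
            "topics": [TRANSFER_TOPIC, "0x" + "00" * 32,
                       "0x" + "00" * 12 + "cd" * 20, "0x" + f"{99:064x}"],
            "data": "0x",
        },
    ],
}

if __name__ == "__main__":
    for head in (18, 40):  # shallow, then CONFIRMATIONS blocks deep
        print(json.dumps(build_item(TX_HASH, SAMPLE_RECEIPT, head, CONTRACT)))
```

In a live deployment the receipt and head block come from the Managed Blockchain node's JSON-RPC endpoint (`eth_getTransactionReceipt` and `eth_blockNumber`) and the item goes to DynamoDB; the classification and log filtering above are what the task must get right regardless of transport.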
The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.
The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.
Using Managed Blockchain, Ethereum full node(s) connected to public testnets or the Ethereum mainnet can be deployed in a matter of minutes, in contrast to the slow deploy and sync times of self-hosted Ethereum nodes, which can take 24-36 hours in some cases. Observability is built into the solution with process-level metrics, logs, and dashboards. Extend these mechanisms to your needs, and create alarms in Amazon CloudWatch to inform your on-call team of any issues. Finally, deployment of this solution can be automated with infrastructure as code frameworks such as the AWS Cloud Development Kit (AWS CDK) or AWS CloudFormation.
The serverless backend is protected with authentication provided by an Amazon Cognito User Pool, which prevents the API endpoints from being called by unauthenticated users. Using AWS Identity and Access Management (AWS IAM) role(s), the Lambda functions invoked by the API Gateway REST API have access only to the services they need. The most sensitive data in any blockchain solution is the private key(s) that make up a user's wallet. The combination of Nitro Enclaves, AWS KMS, Secrets Manager, and Systems Manager provides an isolated, secure compute environment for key derivation and signing.
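The isolation described above only holds if the KMS key policy ties `kms:Decrypt` to the enclave's attestation document; a plain grant to the instance role lets anything running on the parent instance unwrap the wallet keys. The following added Python example, not part of this Guidance's code, shows the weak policy beside the hardened one and a small check that a pipeline could run over key policies before they are applied. The account ID, role ARNs and PCR0 value are placeholders; the `kms:RecipientAttestation:PCR0` condition key and the `StringEqualsIgnoreCase` operator are what AWS KMS evaluates against the enclave's signed attestation document.

```python
"""Key-policy check for the AWS KMS key that protects the wallet private keys
held in Secrets Manager. Added example, not the Guidance's own code: the
account ID, role ARNs and PCR0 value are placeholders, while the
kms:RecipientAttestation:* condition keys are the ones KMS evaluates against
the signed attestation document a Nitro Enclave includes in its Decrypt call."""
import json
from typing import List

ACCOUNT = "111122223333"                                          # placeholder
SIGNER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/nft-signer-instance"  # placeholder
ENCLAVE_PCR0 = "0" * 96  # placeholder for the 48-byte PCR0 of the enclave image

# Administrative statement shared by both policies: key management only,
# deliberately without kms:Decrypt.
KEY_ADMIN = {
    "Sid": "KeyAdministration",
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/kms-admin"},  # placeholder
    "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
               "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
               "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
               "kms:CancelKeyDeletion"],
    "Resource": "*",
}

# Weak: the instance role can decrypt from anywhere. The enclave is isolated
# from the parent instance, but this grant is not, so anyone who can run code
# as the parent (an operator with Session Manager access, a compromised
# agent) can recover every wallet key.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        KEY_ADMIN,
        {"Sid": "AllowSignerDecrypt",
         "Effect": "Allow",
         "Principal": {"AWS": SIGNER_ROLE},
         "Action": "kms:Decrypt",
         "Resource": "*"},
    ],
}

# Hardened: Decrypt succeeds only when the request carries an attestation
# document whose PCR0 matches the enclave image that was built and measured.
# KMS then returns the plaintext encrypted to the enclave's ephemeral public
# key, so the parent instance never sees the key material either.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        KEY_ADMIN,
        {"Sid": "AllowEnclaveDecrypt",
         "Effect": "Allow",
         "Principal": {"AWS": SIGNER_ROLE},
         "Action": "kms:Decrypt",
         "Resource": "*",
         "Condition": {"StringEqualsIgnoreCase": {
             "kms:RecipientAttestation:PCR0": ENCLAVE_PCR0}}},
    ],
}

DECRYPT_ACTIONS = {"kms:decrypt", "kms:*"}  # exact name and full wildcard only
ATTESTATION_PREFIX = "kms:recipientattestation:"


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def unattested_decrypt_sids(policy: dict) -> List[str]:
    """Return the Sid of every Allow statement that grants Decrypt without
    binding it to an enclave attestation, i.e. every path by which plain
    credentials, rather than a measured enclave, could unwrap wallet keys.
    Partial wildcards such as kms:De* are not expanded here; a policy linter
    should reject them outright."""
    offenders = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & DECRYPT_ACTIONS:
            continue
        condition_keys = {key.lower()
                          for operator in stmt.get("Condition", {}).values()
                          for key in operator}
        if not any(k.startswith(ATTESTATION_PREFIX) for k in condition_keys):
            offenders.append(stmt.get("Sid", "<no Sid>"))
    return offenders


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "unattested Decrypt grants:", unattested_decrypt_sids(policy))
    print(json.dumps(HARDENED_POLICY, indent=2))
```

The hardened document is what you would pass to `aws kms put-key-policy`. Because PCR0 changes with every enclave image build, the value has to be updated as part of the release process, which is also what prevents an unmeasured or modified enclave from unwrapping the keys.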
Various components in the architecture are deployed across multiple Availability Zones, such as the Managed Blockchain Ethereum nodes and the hosts for Nitro Enclaves. By nature, all the serverless components such as AWS Fargate and Lambda are highly available, and automatically scale to accommodate demand. To further increase reliability, consider implementing DynamoDB Global Tables and backups to replicate user balance and transaction status data across Regions.
By using serverless technologies, you provision only the exact resources required for your workload. Using Amazon CloudFront, both the static content for the client web application and the underlying metadata and content for the NFT can be served globally through AWS points of presence around the world. Right-sizing the EC2 parent instances that host Nitro Enclaves yields the best performance for signing operations; the right size can be identified by testing with various transaction payloads and volumes. Furthermore, for optimized performance in Lambda functions, use Lambda Power Tuning to choose the ideal memory allocation by profiling different memory allocations and the resulting duration and cost per execution.
By using serverless technologies, you pay only for the resources you use. Using tools such as Lambda Power Tuning to identify the ideal memory allocation for your performance goals, you can find the optimal balance of cost and performance for your Lambda function executions. In addition, using Nitro Enclaves for isolated compute during signing operations offers significant cost savings compared with using AWS KMS customer-managed keys (CMKs) for signing, where the fixed cost grows linearly on a per-wallet basis. To further optimize cost, you can use the Amazon S3 Intelligent-Tiering storage class, which automatically selects the most cost-effective storage tier for your content based on its access patterns, such as frequency of access.
By extensively utilizing managed services and dynamic scaling, we minimize the environmental impact of the backend services. Furthermore, as the public Ethereum blockchain mainnet and testnets shift from the Proof-of-Work to the Proof-of-Stake consensus mechanism in late 2022, it will bring a 99.5%+ reduction in energy consumption in operating the networks.
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.