Open Banking on AWS

Amazon Web Services Resources EMEA

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

AWS Reference Architecture: Open Banking on AWS. Implement the right architecture for Open APIs.

1. The payment service user (PSU) accesses a third-party application; any service can be used.
2. Third parties, account or payment information service providers (AISP/PISP), build applications around payments and money transfer. Aggregating data across banks provides more insights (such as spend analysis or balance across banks).
3. The third-party application obtains an access token from the account servicing payment service provider (ASPSP) to service user requests. The ASPSP validates the AISP/PISP certificate using mutual TLS authentication and issues an access token from an identity provider such as ForgeRock, PingIdentity, or Keycloak.
4. AWS CloudHSM offloads SSL certificates for both the API and Auth endpoints.
5. A reverse proxy (such as Nginx) is used to meet the mutual TLS requirement of the Open Banking Standard.
6. Amazon API Gateway handles the complete API management of the banking APIs.
7. AWS WAF integrates with API Gateway to protect against common web exploits.
8. Banking logic is implemented using AWS Lambda, containers, or Amazon EC2 instances.
9. Banking logic accesses the bank's data center using AWS Direct Connect.
10. Amazon SQS and Amazon SNS provide integration and notification capabilities between the different services.
11. Service logs are collected in Amazon S3 and analyzed and monitored using Amazon Elasticsearch.
12. AWS PrivateLink securely connects a VPC to supported AWS services.
13. AWS Shield protects against DDoS attacks.
14. AWS Config provides continuous compliance.
15. Amazon GuardDuty continuously monitors for malicious activity and unauthorized behavior, protecting AWS accounts and workloads.
16. Third parties use a separate developer sandbox to build their applications.

Diagram components (labels recovered from the architecture figure): AWS Cloud with an integration-layer VPC containing a network load balancer subnet (API endpoint and Auth endpoint, Mutual Authentication TLS (MATLS)), a reverse proxy subnet, an HSM subnet (AWS CloudHSM), and an IDP subnet (ID provider: Keycloak, PingIdentity, ForgeRock), plus Amazon SQS and Amazon SNS; an API backend VPC (banking application on Amazon ECS, Amazon EKS, Amazon EC2, or AWS Lambda) and a developer sandbox VPC (mock APIs), each reached over Amazon VPC PrivateLink; an on-premise data center connected via AWS Direct Connect; and logging and monitoring with Amazon CloudWatch, AWS CloudTrail, Amazon S3, and Amazon Elasticsearch Service, alongside AWS Shield, Amazon GuardDuty, and AWS Config.
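The reverse proxy in callout 5 is where the mutual TLS check actually happens, so the following is an added Nginx configuration sketch (not part of the AWS reference architecture) showing the client-certificate verification and how the verified identity is handed to the API layer. The certificate paths, hostnames, and upstream name are assumptions.

```nginx
# Added example: Nginx terminating mutual TLS in the reverse proxy subnet.
# File paths, hostnames and the upstream name are placeholders (assumed).
upstream api_layer {
    # Assumed private address of the API endpoint behind the proxy
    server api-backend.internal.example:443;
}

server {
    listen 443 ssl;
    server_name api.example-bank.example;   # assumed hostname

    ssl_protocols TLSv1.2 TLSv1.3;
    # Server certificate and key (in the reference architecture the key
    # material would be CloudHSM-backed; a plain file path is used here)
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Mutual TLS: the handshake only completes when the third party (AISP/PISP)
    # presents a certificate chaining to the trusted directory CA bundle.
    ssl_client_certificate /etc/nginx/tls/tpp-trust-bundle.pem;   # assumed path
    ssl_verify_client on;
    ssl_verify_depth  2;
    # ssl_crl /etc/nginx/tls/tpp.crl;   # enable when a revocation list is distributed

    location / {
        # proxy_set_header overrides any same-named header sent by the client,
        # so the API layer only ever sees values derived from the verified
        # certificate, never a client-supplied identity claim.
        proxy_set_header X-Client-Cert-Verify      $ssl_client_verify;
        proxy_set_header X-Client-Cert-DN          $ssl_client_s_dn;
        proxy_set_header X-Client-Cert-Fingerprint $ssl_client_fingerprint;
        proxy_set_header X-Forwarded-For           $remote_addr;

        proxy_pass https://api_layer;
    }
}
```

With `ssl_verify_client on`, a request without a valid client certificate is rejected during the TLS handshake and never reaches `location /`; the `X-Client-Cert-*` headers therefore give the API layer an identity it can log and authorize against.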
