APRIL 2, 2026 — LIVE TRACKER
AWS Infrastructure Roadmap
MULTI-INSTANCE ARCHITECTURE • IAM • NIST COMPLIANCE
GhostPort is splitting its EC2 infrastructure into two purpose-built instances — separating the control plane (fleet API, Stripe, websites) from the data plane (WireGuard relay, DNS). This page tracks every milestone, maps each to NIST 800-171 controls, and updates live as we ship.
Overall Progress
2 / 13 MILESTONES
Architecture
```
                     INTERNET
                         |
                +-----------------+
                |     AWS VPC     |
                |    [region]     |
                |                 |
   +------------+----+      +-----+-------------+
   | [instance]      |      | [instance]        |
   | CONTROL PLANE   |      | DATA PLANE        |
   |                 |      |                   |
   | Fleet API       |      | WireGuard Relay   |
   | Stripe          |      | Unbound DNS       |
   | Bridge          |      |                   |
   | Websites (x7)   |      | EIP: (pending)    |
   | EIP: [REDACTED] |      |                   |
   |                 |      |                   |
   +--------+--------+      +---------+---------+
            |                         |
            |    [internal subnet]    |
            +------------+------------+
                         |
                  +------+------+
                  | Pi Clients  |
                  | [Pi peer]+  |
                  +-------------+
```
The control plane handles all API traffic, payment processing, and web properties. The data plane handles raw VPN throughput — currently bottlenecked at ~2.8 Mbps on the [instance]. The [instance] (ARM/Graviton) is optimized for network I/O.
IAM Role Architecture
| Role | Instance | Permissions | Status |
|---|---|---|---|
| ghostport-control-plane | [instance] | S3 (backups/control/*), SSM, CloudWatch Logs, SES (future) | PENDING |
| ghostport-data-plane | [instance] | S3 (backups/relay/*), SSM, CloudWatch Logs | PENDING |
Both roles use instance profiles — no access keys stored on disk. Least-privilege scoping per instance. S3 access is prefix-separated so neither instance can touch the other's backups.
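As an added example (not GhostPort's own policy documents), this is one way to express that prefix separation as IAM policy JSON, together with a small local evaluator that confirms neither role can read, write or list the other's prefix before anything is deployed. The bucket name and the control/ and relay/ prefixes come from the tables on this page; the policy shape (object access under one prefix, ListBucket gated by an s3:prefix condition), the object-key names and the simplified evaluator are assumptions.

```python
import fnmatch
from typing import Optional

BUCKET = "ghostport-backups"  # bucket name from the roadmap (milestone 1)

def backup_policy(prefix: str) -> dict:
    """Assumed shape of each role's policy: object access only under its own
    prefix, and ListBucket only when the request is scoped to that prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:PutObject", "s3:GetObject"],
             "Resource": f"arn:aws:s3:::{BUCKET}/{prefix}/*"},
            {"Effect": "Allow",
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{BUCKET}",
             "Condition": {"StringLike": {"s3:prefix": f"{prefix}/*"}}},
        ],
    }

CONTROL_PLANE_POLICY = backup_policy("control")  # ghostport-control-plane role
DATA_PLANE_POLICY = backup_policy("relay")       # ghostport-data-plane role

def is_allowed(policy: dict, action: str, resource: str, context: Optional[dict] = None) -> bool:
    """Simplified IAM evaluation for Allow-only policies: implicit deny unless one
    statement matches action, resource and every StringLike condition key."""
    context = context or {}
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        conds = stmt.get("Condition", {}).get("StringLike", {})
        # a condition key absent from the request context fails the match
        if all(k in context and fnmatch.fnmatchcase(context[k], v) for k, v in conds.items()):
            return True
    return False

def prefixes_are_isolated() -> bool:
    """True when neither role can read, write or list the other role's prefix."""
    bucket_arn = f"arn:aws:s3:::{BUCKET}"
    for policy, other in ((CONTROL_PLANE_POLICY, "relay"), (DATA_PLANE_POLICY, "control")):
        key = f"{bucket_arn}/{other}/backup.tar.gz"  # constructed object key
        if any(is_allowed(policy, act, key) for act in ("s3:GetObject", "s3:PutObject")):
            return False
        if is_allowed(policy, "s3:ListBucket", bucket_arn, {"s3:prefix": f"{other}/"}):
            return False
    return True
```

The evaluator ignores explicit Deny statements and non-StringLike condition operators, which is enough for these two policies but not a substitute for IAM's own policy simulator once the roles exist.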
Milestone Tracker
| # | Milestone | NIST Controls | Status |
|---|---|---|---|
| 1 | Create S3 bucket ghostport-backups with versioning + AES-256 encryption | MP-1, SC-28 | COMPLETE |
| 2 | Create IAM policy: ghostport-control-plane-policy | IA-2, AC-2 | COMPLETE |
| 3 | Create IAM policy: ghostport-data-plane-policy | IA-2, AC-2 | PENDING |
| 4 | Create IAM roles + instance profiles, attach to [instance] | IA-2, AC-6 | COMPLETE |
| 5 | S3 lifecycle policy: Glacier at 30 days, delete at 90 | MP-6 | COMPLETE |
| 6 | Update maintenance.sh to push backups to S3 | CP-9, MP-4 | COMPLETE |
| 7 | Install + configure SSM Agent on [instance] | CM-2, AU-2 | COMPLETE |
| 8 | Configure CloudWatch Log Groups (fleet API + security logs) | AU-6, AU-7 | COMPLETE |
| 9 | CloudWatch alarms: auth failures, tunnel drops, disk usage | SI-4, AU-5 | COMPLETE |
| 10 | Launch [instance] — WireGuard + Unbound, hardened baseline | SC-7, CM-2 | PENDING |
| 11 | Attach data-plane IAM role to [instance] | IA-2, AC-6 | PENDING |
| 12 | Pi WireGuard endpoint cutover to [instance] EIP | SC-7 | PENDING |
| 13 | SSM Patch Manager + State Manager on both instances | MA-2, CM-3 | PENDING |
NIST Controls Closed by This Work
| Family | Control | Gap Before | Solution |
|---|---|---|---|
| AU | Audit & Accountability | No centralized log monitoring / SIEM | CloudWatch Logs + alarms across both instances |
| IA | Identification & Authentication | No IAM — no credential management | Instance roles, zero keys on disk, least privilege |
| CM | Configuration Management | Manual configuration only | SSM State Manager + drift detection |
| MP | Media Protection | Local backups only (same disk) | S3 offsite, encrypted, versioned, Glacier lifecycle |
| SC | System & Communications | Single instance, no network segmentation | Separate security groups per role, VPC isolation |
| MA | Maintenance | Manual patching, no procedures | SSM Patch Manager, automated OS updates |
Security Principles
- Zero keys on disk — IAM instance roles only. No access keys, no credentials files, nothing to leak.
- Least privilege per instance — Control plane can't touch relay backups. Data plane can't access fleet DB backups. Prefix-separated S3 paths.
- Full audit trail — SSM Session Manager logs every shell command, and CloudWatch captures all API and security events; both stores are tamper-resistant.
- Encrypted at rest + in transit — S3 AES-256, WireGuard tunnel encryption, TLS on all public endpoints.
- Separation of concerns — Payment processing and fleet management never share compute with raw VPN throughput.
GHOSTPORT TECHNOLOGIES — VETERAN-BUILT PRIVACY INFRASTRUCTURE