Engineering dossier

Secure multi-tenant RAG, explained as a living system.

A single Amazon Bedrock Knowledge Base can serve many departments only when ingestion, policy, retrieval, and session behavior are explicit. This document turns the architecture into readable, interactive system notes.

01shared knowledge base inside a tenant boundary

02independent policy checks before retrieval

05runtime controls from edge to guardrails

00code redeploys required for Cedar policy edits

Trace query flow Review policy model

Invariant The model never sees unpermitted context.

Layer 2 converts Cedar policy decisions into a metadata filter before vector search.

Tenancy model

Department isolation is a logical filter, not a hard tenant wall.

Select a role to see which documents enter retrieval. Executive access is policy-granted; finance and engineering stay bounded to their own metadata labels.

Finance user

Can retrieve only documents tagged with finance.

2026 Budget Forecast
Q3 Financial Report

Engineering user

Can retrieve only documents tagged with engineering.

Architecture Decision
Incident Report Outage

Executive user

Can retrieve multiple departments when Cedar permits cross-boundary access.

Board Strategy Brief
M&A Pipeline Strategy

Access matrix

Group	Finance	Eng	Exec	Model
finance	ALLOW	-	-	Claude
engineering	-	ALLOW	-	Claude
executive	ALLOW	ALLOW	ALLOW	Nova

Current filter

finance

{ "equals": { "key": "department", "value": "finance" } }

Only finance documents are eligible for vector search.

Ingestion workflow

Metadata is created before documents become searchable.

The important behavior is sequencing: upload event, sidecar creation, sidecar check, then indexing. Click any node to update the detail drawer.

Workflow cards reflow on smaller screens; tap a node to inspect its role.

Phase 1 - sidecar creation

Safeguard

Do not index untagged objects.

The scheduled ingestion step verifies sidecar presence before starting the Bedrock job.

Sidecar JSON

{ "metadataAttributes": {
  "department": "engineering"
} }

Tamper control

Sidecars are protected artifacts.

Restrict writes to the tagging Lambda role and alarm on unexpected mutation.

Phase 2 - indexing

Selected node

Upload

Documents enter S3 under a department prefix. Upload permissions should match the principal department tag.

Next: query flow

Runtime authorization

Two policy checks happen before retrieval.

The first check gates the API. The second check builds the department filter that constrains the vector search and the model context.

Layer 1

Can this group invoke the API?

If no group has a query permit, the authorizer returns 403 before the app logic runs.

Layer 2

Which departments can enter retrieval?

Allowed departments become an explicit metadata filter applied before vector search.

Filter shape

{ "equals": {
  "key": "department",
  "value": "finance"
} }

Fail closed

No policy answer means no retrieval expansion.

Verified Permissions outages or empty permit sets deny access rather than widening the result set.

Selected node

Client

The request carries a bearer token whose group claims become policy inputs.

Policy and data model

Cedar policy is the change surface.

The application keeps a stable retrieval implementation. Access changes happen in the Verified Permissions policy store and are evaluated on request.

Policy inventory

dept-a

query dept-a KB
invoke Claude Haiku

dept-b

query dept-b KB
invoke Claude Haiku

dept-c

query dept-a/b/c KB
invoke Nova Lite

Policy edits live outside Lambda code, can be promoted through CI/CD, and are visible in CloudTrail.

JWT groups

dept-a lead

Any matching group with query permit passes.

dept-a + lead

Operations

Production readiness is mostly about observability and revocation.

The pattern is secure because it fails closed. That means alarms, latency tracking, and policy testing are part of the architecture, not afterthoughts.

Monitor

Signal	Why it matters
Layer 1 deny	credential probing or policy error
Layer 2 deny	unexpected document access miss
AVP latency	throttling or downstream pressure
SQS DLQ	failed metadata tagging

Test probes

Happy path
dept-a response uses dept-a sources only
API deny
remove query permit and expect 403
Document deny
API allowed but KB resources empty
Revocation
retest after authorizer TTL expiry

Cleanup order

1CloudFront + WAF
2API Gateway
3Lambda functions
4Bedrock KB + source
5Verified Permissions + Cognito

Rollout sequence

Seed docs

Upload under department prefixes.

Test policy

Run allow and deny scenarios.

Enable L1

Validate JWT and authorizer behavior.

Enable L2

Verify metadata filters.

Observe

Watch denies, latency, and DLQ signals.

curl -X POST https://api.example/prod/query
  -H "Authorization: Bearer <id_token>" -d '{"query":"..."}'