Ringkasan

Satu Platform AI Untuk Tiga Perkhidmatan KDN

Platform ini membolehkan KDN menggunakan AI untuk menjawab soalan parlimen, membantu rakyat di JPN, dan melayan pertanyaan di PDRM. Semua dalam satu sistem yang selamat dan mematuhi undang-undang Malaysia.

Mematuhi OSA, CGSO, PDPA Data kekal di Malaysia Siap dalam 24 bulan

Lapisan Seni Bina

Aplikasi Utama

Bulan Projek

99.9%

Sasaran Uptime

Ringkasan Eksekutif

Projek AI KDN merupakan inisiatif transformasi digital oleh Kementerian Dalam Negeri (MOHA) untuk memanfaatkan pengkomputeran awan dan kecerdasan buatan bagi meningkatkan penyampaian perkhidmatan awam. Platform ini meletakkan Malaysia sebagai peneraju serantau dalam transformasi digital kerajaan.

Dibangunkan sepenuhnya di atas AWS Malaysia Region dengan pematuhan penuh kepada keperluan keselamatan kerajaan, platform ini menawarkan penyelesaian GenAI-as-a-Service yang boleh diskala untuk memenuhi keperluan pelbagai agensi.

Cabaran Semasa

• Jawapan parlimen memerlukan pencarian manual yang memakan masa
• Rakyat perlu menunggu waktu pejabat untuk pertanyaan JPN/PDRM
• Tiada sistem AI yang mematuhi CGSO untuk sektor awam
• Kos tinggi untuk infrastruktur AI on-premise

Penyelesaian Platform

RAG Pipeline automatik carian dokumen dalam saat
Chatbot 24/7 berbilang bahasa untuk rakyat
AWS Secure Landing Zone dengan pematuhan penuh
Model pay-as-you-go tanpa pelaburan modal besar

USR Sasaran Pengguna

KDN

Pegawai KDN

Soal Jawab Parlimen

JPN

Staff JPN

Pengurusan Chatbot

PDRM

Staff PDRM

Pengurusan Chatbot

MYS

Rakyat Malaysia

JPN & PDRM Chatbot

APP Tiga Aplikasi Utama

Parlimen AI

Sistem soal jawab parlimen berkuasa AI yang membantu pegawai KDN menyediakan jawapan berkualiti tinggi dengan cepat.

CIRI-CIRI UTAMA:

Carian pintar merentasi arkib Hansard
Penjanaan respons AI dengan petikan sumber
Analisis corak soalan sejarah
Kawalan versi untuk draf respons

RAG Hansard Dalaman Claude 3.5

JPN

Chatbot JPN

Chatbot untuk Jabatan Pendaftaran Negara yang melayan pertanyaan rakyat 24/7 dalam BM dan English.

CIRI-CIRI UTAMA:

Pemahaman bahasa semula jadi BM/EN
Panduan keperluan dokumen IC, sijil lahir
Penjejakan status permohonan
Bantuan penjadualan temujanji

Chatbot 24/7 Awam NLU

PDR

Chatbot PDRM

Chatbot Polis Diraja Malaysia untuk pertanyaan saman, laporan polis, dan maklumat kecemasan.

CIRI-CIRI UTAMA:

Pertanyaan dan panduan bayaran saman
Prosedur pemfailan laporan polis
Maklumat hubungan kecemasan
Makluman keselamatan komuniti

Chatbot Saman Awam 24/7

ADMIN

Portal Pentadbiran Berpusat

Papan pemuka tunggal untuk mengurus semua tiga aplikasi AI dengan kawalan penuh.

Papan Pemuka

Pantau prestasi semua modul

Knowledge Base

Urus dokumen dan data latihan

RBAC

Kawalan akses berasaskan peranan

Analitik

Laporan penggunaan dan prestasi AI

HOW Bagaimana Platform Berfungsi

Soalan

Pengguna hantar pertanyaan

Embedding

Tukar ke vektor semantik

Carian

OpenSearch vector DB

Konteks

Gabung dokumen relevan

LLM

Claude 3.5 proses

Respons

Jawapan + petikan

RAG Pipeline - Retrieval-Augmented Generation untuk jawapan yang tepat dan boleh disahkan

SEC Pematuhan & Keselamatan

OSA

OSA 1972

Akta Rahsia Rasmi

CGSO

Chief Govt Security Officer

PDPA

Perlindungan Data Peribadi

ISMS

ISO 27001 Aligned

Data Sovereignty

Semua data kekal dalam Malaysia

AES

Encryption at Rest

AES-256 untuk semua storan

TLS

Encryption in Transit

TLS 1.3 untuk semua sambungan

KDN

KDN Secure Landing Zone untuk AI

MOHA Secure Landing Zone for AI

Platform AI ini dibina atas KDN Secure Landing Zone, berasaskan standard keselamatan sektor awam Malaysia. Infrastruktur ini mematuhi garis panduan CGSO dan memastikan kedaulatan data kekal dalam sempadan negara.

Kedaulatan Data

Semua data diproses dan disimpan dalam pusat data Malaysia sahaja

Pengasingan Akaun

Setiap agensi beroperasi dalam akaun berasingan dengan kawalan penuh

Pematuhan Automatik

Polisi keselamatan dikuatkuasakan secara automatik merentasi platform

Audit Berpusat

Semua aktiviti direkod dan boleh diaudit oleh pihak berkuasa

LZ Cloud Landing Zone Architecture

Multi-account structure dengan AWS Control Tower untuk governance berpusat

AWS Organizations (ROOT)

↓

CORE OU (Shared Infrastructure)

Management

SCPs, Billing
Control Tower

Security

GuardDuty, KMS
Security Hub

Log Archive

CloudTrail
7-year retention

Shared Services

Transit GW, DNS
ECR, Artifacts

↓

WORKLOAD OU (Application Accounts)

Parlimen AI

Dedicated VPC
Own KMS Keys

ZON A

JPN Chatbot

Dedicated VPC
Own KMS Keys

ZON B

PDRM Chatbot

Dedicated VPC
Own KMS Keys

ZON C

SCP Guardrails

Region lock, service deny

VPC Isolation

No peering, Transit GW

KMS per Account

Separate CMKs

Centralized Logs

Cross-account to Log Archive

RAG

RAG Security: Isolation + Redaction + Access Control

Multi-layer data protection dalam RAG pipeline

User Query

+ JWT Token

Access Control

RBAC + Tenant ID

Retrieval Isolation

Tenant-scoped k-NN

PII Redaction

Comprehend Mask

LLM Context

Sanitized Input

Output Filter

Guardrails

1 Retrieval Isolation

- Tenant ID filter pada semua vector queries

- Separate OpenSearch index per aplikasi

- Document-level ACL dengan classification tag

- Cross-tenant query blocked at k-NN level

2 PII Redaction

- AWS Comprehend untuk PII detection

- Real-time masking sebelum LLM context

- IC Number, Phone, Address auto-redact

- Audit log untuk setiap redaction event

3 Access Control

- JWT token dengan user clearance level

- RBAC: Admin, Editor, Viewer roles

- Classification filter (TERBUKA/TERHAD/SULIT)

- Session boundary enforcement

100%

Tenant Isolation

PII in LLM Context

Classification Levels

7yr

Audit Retention

ZON Pemencilan Data Tiga Agensi

Satu Platform, Tiga Zon Perundangan - setiap agensi beroperasi dalam sempadan data yang berasingan

Zon	Agensi	Sumber Data	Model AI
ZON A	Parlimen AI	Hansard, Akta Parlimen, Jawapan Sejarah	Politically Neutral
ZON B	JPN Chatbot	11 Akta Pendaftaran, SOP, FAQ	Strict Identity Boundaries
ZON C	PDRM Chatbot	Soalan Awam, SOP Laporan, Info Saman	Public-Facing Filter

100%

Pengasingan Data Antara Agensi

Cross-Contamination Risk

Model AI Khusus Setiap Zon

10 10 Lapisan Keselamatan KDN

Penyulitan Kunci Kedaulatan

Sovereign KMS - kunci enkripsi kekal dalam Malaysia

Pengasingan Zon Agensi

Setiap agensi dalam zon rangkaian berasingan

Jejak Audit Automatik KDN

Semua aktiviti direkod untuk siasatan

Firewall Trafik Pintar

Penapisan trafik masuk/keluar dengan AI

Kawalan Akses Identiti Pegawai

Pengesahan identiti pegawai kerajaan

Logging & Forensik Siasatan

Log terperinci untuk forensik digital

Kelulusan Dwi-Faktor Dalaman

2FA untuk semua akses sensitif

Penapisan Kandungan Automatik

AI filter untuk output berbahaya

Pematuhan CGSO + OSA

Mematuhi garis panduan keselamatan kerajaan

Pensijilan Log & Hash

Blockchain ringan untuk integriti log

Semua lapisan keselamatan ini beroperasi secara automatik dan 24/7 tanpa memerlukan campur tangan manual

TECH Tindanan Teknologi

AWS

CLOUD

AWS Malaysia

AI ENGINE

Amazon Bedrock

C3.5

LLM

Claude 3.5 Sonnet

VECTOR DB

OpenSearch

WAF

SECURITY

WAF, GuardDuty

ROI Nilai Bisnes untuk KDN

70%

Pengurangan masa jawapan parlimen

24/7

Perkhidmatan chatbot tanpa henti

50%

Pengurangan beban call center

∞

Skala untuk agensi lain

24M Timeline Projek (24 Bulan)

Fasa 0-4

6 bulan

Pembangunan

Fasa 5

6 bulan

Tempoh Jaminan

Fasa 6

12 bulan

Cloud Operations

B3: Go-Live Parlimen AI

B4.5: Go-Live Chatbot JPN

B5.5: Go-Live Chatbot PDRM

LEAN + RAG-FIRST

Pendekatan Yang Betul Untuk KDN

SOC tidak meminta "AI Hub enterprise" dengan puluhan perkhidmatan. SOC meminta Parlimen AI, Chatbot JPN, dan Chatbot PDRM — tiga use case spesifik yang memerlukan senibina ringkas, selamat, dan boleh dihantar dalam masa singkat.

🔒 JAMINAN KESELAMATAN KRITIKAL

🛡️

"Data tidak dihantar kepada model dan tidak digunakan untuk melatih model."

Zero Training • Zero Fine-Tuning
Dijamin kontrak AWS §50.5

🏛️

"Setiap agensi beroperasi dalam tenant terasing dengan polisi keselamatan tersendiri."

IAM Boundary • Tiada Cross-Tenant
Audit Trail Berasingan

🇲🇾

"Semua pemprosesan berlaku dalam boundary KDN di AWS Malaysia Region."

ap-southeast-5 Kuala Lumpur
SCP Enforce Data Residency

RAG

Apa Itu RAG? (Retrieval-Augmented Generation)

RAG bermaksud: Apabila pengguna bertanya soalan, sistem mencari dokumen rasmi KDN dahulu (Hansard, SOP JPN, data PDRM), kemudian baru minta AI menjawab berdasarkan dokumen tersebut sahaja. AI tidak menjawab dari "pengetahuan umum" atau tekaan — setiap jawapan ada sumber yang boleh disahkan.

✓ Elak Hallucination ✓ Mudah Diaudit ✓ Jawapan Boleh Disahkan ✓ Patuh OSA/CGSO

LEAN

Kurang Risiko Projek

SOC 1.3.3 Project Risk • SOC 2.3.1 Architecture

Platform enterprise yang kompleks memerlukan 40+ perkhidmatan, 6+ bulan setup, dan pasukan 10+ orang. Pendekatan kami guna ~15 komponen sahaja — lebih stabil, lebih cepat siap, lebih mudah dijaga.

✓ Parlimen AI siap ≤6 minggu — bukan 6 bulan
✓ Kos 70% lebih rendah — tiada GPU, tiada fine-tuning
✓ Pasukan kecil boleh urus — 2-3 engineers cukup

~15

Failure Points

(vs 40+ heavy)

<15min

MTTR

(vs hours)

6 wks

Delivery

(vs 6+ months)

Komponen minimum = Risiko minimum

RAG

Patuh Undang-undang

SOC 1.1 OSA • SOC 1.2 CGSO • SOC 2.4 Security

Setiap jawapan AI datang daripada dokumen rasmi KDN sahaja. Tiada tekaan. Tiada hallucination. Setiap output ada sumber yang boleh disahkan dan diaudit.

✓ Data tidak dihantar untuk training — inference only
✓ Semua dalam boundary KDN — VPC Endpoints
✓ 100% audit trail — siapa, bila, apa, jawapan

🔐 Mekanisme Teknikal:

IAM least privilege

VPC PrivateLink

KMS AES-256

Bedrock Guardrails

Grounded answers = Safe for government

SCALE

Boleh Dikembangkan

SOC 2.2 Multi-Agency • SOC 2.5 Expandability

Platform heavy perlu bina semula untuk setiap agensi baru. Kami guna multi-tenant architecture — tambah agensi dalam minggu, bukan bulan.

✓ Tenant isolation per agensi — data terasing
✓ Polisi keselamatan tersendiri — IAM per tenant
✓ Kos per agensi turun — shared infra, isolated data

🏗️ Tenant Isolation:

Parlimen
S3 + KB + IAM

JPN
S3 + KB + IAM

PDRM
S3 + KB + IAM

Tiada cross-tenant data access

Scale tanpa rebuild

⚠️

Kenapa Platform Enterprise Tidak Sesuai Untuk KDN?

❌ Over-engineered: Puluhan perkhidmatan yang KDN tidak perlukan — menambah kompleksiti tanpa nilai.

❌ Setup lama: 6+ bulan sebelum first value — SOC mahu hasil dalam tempoh kontrak.

❌ Pasukan besar: Memerlukan 10+ specialists (ML, DevOps, Security) — KDN tiada kapasiti ini.

❌ Tidak spesifik SOC: Generic "AI Hub" tidak jawab keperluan Parlimen AI, JPN, PDRM.

Pematuhan & Standard

SOC Chapter 1.1, 1.2, 2.1, 2.3, 2.5 dipenuhi melalui reka bentuk

OSA 1972

Official Secrets Act

CGSO

Arahan Keselamatan

PDPA 2010

Personal Data Protection

AES-256

Encryption Standard

AWS Malaysia

Data Sovereignty

SOC 2.0

Full Compliance

LEAN + RAG-FIRST

Strategi Teknikal Yang Sesuai Untuk KDN

KDN tidak memerlukan "AI mega platform" yang sukar diurus dan perlahan dihantar. KDN memerlukan platform yang fokus, tepat, cepat dihantar, patuh undang-undang, dan boleh dijaga oleh pasukan kecil tanpa risiko runtuh.

LEAN

Komponen Kurang = Risiko & Kos Turun

Kualiti naik apabila fokus pada yang penting sahaja

Pesaing membina platform dengan:

Puluhan perkhidmatan cloud, multi-tenant governance layer, pipeline kompleks, mekanisme orkestrasi yang rumit

Setiap tambahan komponen = tambahan risiko + kos + masa troubleshooting

+ "Sikit komponen, tapi semua buat kerja yang betul."

+ Bila berlaku isu, pembetulan cepat dan terasing

+ KDN boleh lihat hasil dalam minggu, bukan bulan

+ Kos operasi rendah — mudah justify kepada Kewangan & Audit

RAG

Ketepatan & Keselamatan Terjamin

Reputasi kementerian dilindungi dari hallucination

Platform Pesaing:

Model menjawab dulu, harap tidak tersilap, cuba kawal dengan guardrails

Platform Kami:

Jawapan dari dokumen KDN dulu, model hanya merangka bahasa

+ Zero hallucination — jawapan dari Hansard/SOP/data rasmi

+ Data kekal dalam Malaysia, tidak masuk ke model

+ Jawapan AI boleh didokumenkan untuk audit

+ Setiap jawapan boleh dijejak terus ke sumber

AUDIT TRACEABILITY — Apabila KSU/MAMPU/Audit bertanya "Jawapan ini datang dari mana?"

Parlimen AI

Sumber: Hansard
Dokumen: DR-2024-05-15.pdf
Muka surat: 45-47
Dimuat naik: 16 Mei 2024

JPN Chatbot

Sumber: SOP JPN
Dokumen: SOP-MyKad-v3.2.pdf
Seksyen: 4.2.1
Versi: 12 Jan 2024

PDRM Chatbot

Sumber: Data PDRM
Rekod: Sistem Saman
Query ID: QRY-789456
Timestamp: Real-time

Ini killer advantage terhadap pesaing — tiada ruang untuk AI "reka cerita"

Kenapa Sesuai Untuk Operasi Sebenar Kerajaan?

KDN bukan Google. KDN tidak ada 30 engineers untuk maintain AI platform setiap hari.

Pasukan Kecil

Pegawai IT KDN boleh faham architecture dalam satu sesi taklimat

Tambah Agensi

Scaling tidak menjadikan platform lebih berat, kos marginal rendah

Risiko Reputasi

Lean + RAG = peluang salah jawab sangat rendah

Tempoh SOC

Value dalam 6 minggu, bukan multi-year mega platform

SOC Mahukan Tepat Ini — Bukan GenAI Hub Yang Overbuilt

1. Use Case Oriented

SOC tak minta "AI Hub". SOC minta: Parlimen AI, JPN chatbot, PDRM chatbot, Vector DB, RAG.

2. Ringkas Untuk Audit

SOC emphasises: governance, auditability, traceability, accuracy, compliance.

3. Boleh Dikembang

Lean = scalable. Over-engineered = fragile + mahal.

💰 Justifikasi Kos: Kenapa Pendekatan Kami Lebih Murah

🚫 Tiada GPU/Training Costs

Kami menggunakan model foundation sedia ada (Claude 3.5 Sonnet) tanpa fine-tuning. Ini menghapuskan kos GPU training yang boleh mencecah RM50K-100K sebulan untuk GPU instances seperti p4d.24xlarge.

📦 Komponen Minimum

Platform lean menggunakan ~15 AWS services berbanding platform enterprise yang biasanya memerlukan 40+ services. Lebih sedikit komponen = lebih sedikit kos licensing dan operasi.

⚡ Serverless-First

ECS Fargate + Lambda = bayar per penggunaan sahaja. Tiada EC2 instances yang berjalan 24/7. Pada waktu tidak puncak (malam/hujung minggu), kos hampir sifar.

👥 Pasukan Kecil

Senibina ringkas boleh diurus oleh 2-3 engineers. Platform enterprise memerlukan 10+ engineers dengan specializations berbeza (ML, DevOps, Security, Data).

Anggaran Perbandingan Bulanan:
• Platform Enterprise: RM 150K - 300K/bulan (GPU, banyak services, pasukan besar)
• Platform LEAN: RM 30K - 50K/bulan (serverless, komponen minimum, pasukan kecil)
Penjimatan: 70-80% lebih rendah

Pendekatan kami adalah LEAN + RAG-first kerana itu sahaja pendekatan yang benar-benar sesuai untuk KDN. Lean bermaksud platform dibina dengan komponen minimum supaya stabil, cepat dihantar dan mudah dijaga oleh pasukan kecil. RAG-first bermaksud setiap jawapan AI adalah berdasarkan dokumen rasmi KDN seperti Hansard, SOP JPN dan data PDRM, bukan tekaan model. Gabungan dua prinsip ini menjadikan platform kami lebih ringan, lebih cepat, lebih murah dioperasi, dan jauh lebih boleh dipercayai berbanding platform berat yang memerlukan konfigurasi kompleks dan kos tinggi.

OBS

Observability & Monitoring

CloudWatch-based comprehensive monitoring stack

50+

Metrics

CloudWatch Dashboards

200GB

Logs/month

Log Insights Query

X-Ray

Traces

Distributed Tracing

Anomaly

Auto Detection

Metric	Target SLA	Alert Threshold	Dashboard
System Uptime	99.80%	< 99.50%	Availability
API Response Time	< 5s	> 8s (P95)	Performance
LLM Token Generation	< 3s	> 5s	AI Metrics
Error Rate	< 0.5%	> 1%	Reliability

Alert Flow:

CloudWatch Alarm

→

SNS Topic

→

Lambda

→

SOC Team (24x7)

AWS

AWS Malaysia

Data kekal dalam negara

Claude 3.5

Model AI terkini

RAG

RAG Pipeline

Jawapan dari dokumen

Multi Tenant

Sedia untuk agensi lain

Arkitektur 7 Lapisan

Platform KDN GenAI menggunakan pendekatan berlapis untuk memastikan keselamatan, kebolehskalaan, dan penyelenggaraan yang mudah.

Arkitektur

Kenapa 7 Lapisan?

Pengasingan (Isolation)

Setiap lapisan diasingkan sepenuhnya untuk keselamatan maksimum. Jika satu lapisan terjejas, lapisan lain kekal selamat. Ini mengikut prinsip "defense in depth" yang disyorkan oleh CGSO dan amalan terbaik AWS Well-Architected Framework.

Kebolehskalaan (Scalability)

Setiap lapisan boleh diskala secara bebas mengikut keperluan beban kerja. Contohnya, jika trafik API meningkat, hanya lapisan Compute perlu ditingkatkan tanpa menjejaskan lapisan lain. Ini membolehkan pengoptimuman kos yang lebih baik.

Penyelenggaraan (Maintainability)

Kemas kini, patch keselamatan, atau penambahbaikan boleh dilakukan pada satu lapisan tanpa menjejaskan operasi lapisan lain. Ini membolehkan zero-downtime deployment dan mengurangkan risiko kegagalan sistem secara keseluruhan.

Pematuhan (Compliance)

Struktur 7 lapisan memudahkan audit dan pematuhan CGSO, PDPA, dan ISMS. Setiap lapisan mempunyai kawalan keselamatan tersendiri yang boleh diaudit secara berasingan, memenuhi keperluan SOC 2.0 dan standard kerajaan Malaysia.

7 Lapisan Arkitektur

AWS SECURE LANDING ZONE

Asas infrastruktur yang mematuhi CGSO

Lapisan asas yang menyediakan persekitaran awan selamat dengan pematuhan penuh kepada dasar keselamatan kerajaan Malaysia.

Control Tower Organizations VPC IAM

LAPISAN COMPUTE

Perkhidmatan pengkomputeran dan API

Menjalankan kod aplikasi dan logik bisnes menggunakan perkhidmatan serverless dan kontena untuk kecekapan kos.

ECS Fargate Lambda API Gateway

LAPISAN DATA

Pangkalan data dan penyimpanan

Menyimpan semua data aplikasi, dokumen, dan fail dengan enkripsi AES-256 dan backup automatik.

RDS MySQL Amazon S3 Redshift Lake Formation

LAPISAN AI / LLM

Model AI dan RAG Pipeline

Enjin kecerdasan buatan yang memproses soalan dan menjana jawapan menggunakan RAG (Retrieval-Augmented Generation).

Amazon Bedrock Claude 3.5 Sonnet Titan Embeddings OpenSearch

LAPISAN KESELAMATAN

Pertahanan berlapis dan pemantauan

Perlindungan menyeluruh termasuk firewall, pengesanan ancaman, enkripsi, dan pemantauan keselamatan 24/7.

WAF GuardDuty KMS Security Hub

LAPISAN APLIKASI

Antara muka pengguna dan aplikasi bisnes

Aplikasi yang digunakan oleh pegawai dan rakyat termasuk Parlimen AI, Chatbot JPN, Chatbot PDRM, dan Portal Admin.

Parlimen AI Chatbot JPN Chatbot PDRM Portal Admin

LAPISAN DEVSECOPS

CI/CD Pipeline dan automasi keselamatan

Automasi pembangunan, pengujian, dan penempatan dengan pengimbasan keselamatan bersepadu di setiap peringkat.

GitLab CI/CD CodeBuild Terraform SAST/DAST

DFD Data Flow Diagram

SOC Ref: 1.1.6 - Aliran data dari sumber ke AI ke output

Phase 1: Data Ingestion

Source Systems + ETL (Glue) + Data Lake (S3) + Data Catalog

Phase 2: Processing & Cleansing

Cleansing + PII Redaction + Chunking (512-1024) + Metadata Tags

Phase 3: Embedding & Indexing

Titan Embeddings + Vector Store + HNSW Index + Metadata Index

Phase 4: Query & Retrieval

User Query + Query Embedding + k-NN Search + Re-ranking

Phase 5: Generation & Response

Context Assembly + LLM (Claude 3.5) + Guardrails + Response + Citations

RAG RAG Pipeline Architecture

SOC Ref: 2.3.2 - Retrieval-Augmented Generation pipeline dengan implementation details

🔧 Technical Implementation Details

EMBEDDING MODEL

Amazon Titan Embeddings v2

1536 dimensions | 8192 max tokens

VECTOR DATABASE

OpenSearch Serverless

HNSW index | 2 OCU baseline

REFRESH CYCLE

Real-time + Scheduled

S3 trigger + Daily full sync

📥 Ingestion Pipeline (Offline)

1 S3 Upload - Dokumen masuk ke raw bucket

2 Textract OCR - Extract text dari PDF/images

3 Lambda Chunker - Split 1000 chars, 200 overlap

4 Titan Embed - Generate 1536-dim vectors

5 OpenSearch - Index ke HNSW collection

🔍 Query Pipeline (Real-time, <3s)

1 Input Guard - Bedrock Guardrails filter

2 Query Embed - Titan embed user query

3 Vector Search - kNN k=10, ef_search=256

4 Claude 3.5 - Generate dengan context

5 Output Guard - PII redact + validate

Chunking

1000 chars | 200 overlap

Vector Index

HNSW | ef=512 | m=16

Retrieval

k=10 | rerank to 5

Latency

P95 < 3 seconds

Infrastruktur Cloud

Seni bina cloud komprehensif untuk platform KDN GenAI - Landing Zone, VPC, High Availability, dan Monitoring.

Infrastruktur

PARL

Parliamentary

JPN

JPN Users

PDRM

PDRM Users

Analytics Users

Public Cloud (Malaysia - Multi-AZ)

1. PRESENTATION LAYER

Parliamentary QnA AI

Web Auth (1000 MAU)
Response under 5s

JPN Chatbot

Translation BM+EN
Speech-to-Text

PDRM Chatbot

Text-to-Speech
OCR (10K pages)

Data Analytics

BI Tool + GenAI
100 Authors, 100 Readers

Web Application Firewall (WAF)

1 Web ACL, 10 Rules per ACL
DDoS Protection
Bot Detection and Rate Limiting

2. APPLICATION LAYER

Load Balancer

3x LB
1TB/month

App Servers

9x instances
8vCPU, 16GB

API Gateway

REST API
1.6GB Cache

Serverless Fn

100M req/mo
1024MB mem

Orchestration

Workflow Mgmt
100 req/hr

Container Registry

10GB Storage
Docker Images

Redis Cache

2vCPU, 8GB RAM
5GB Data, Multi-AZ

3. AI/ML LAYER

Foundation Models API

Multi-Model Access
• Anthropic Claude
• AI21 Labs, Cohere
• Meta, Stability AI
1B input + 1B output tokens/mo
10M in + 10M out tokens/mo LLM

Vector Database (RAG)

8vCPU, 16GB RAM
1000GB Storage
Semantic Search
Retrieval-Augmented
Generation Optimized
Multi-AZ Deployment

ML Training Platform

Training: 4 jobs/month
8hrs each, 4vCPU, 16GB
Inference: 4 models
640 hrs/month
200GB SSD Storage
Auto-scaling

LLM Inference Instances

2x GPU Instances
16vCPU, 64GB RAM
NVIDIA L4 Tensor Core
500GB Block Storage
3yr Savings Plan
Linux OS

AI Services Suite

Speech-to-Text: 9,600 min/mo
Text-to-Speech: 5,000 min/mo
Translation: BM+EN, 1M chars/mo
OCR: 10,000 pages/mo
Neural TTS Engine
Real-time and Batch Processing
Under 1s latency

4. DATA LAYER

MySQL DB

2x instances
16vCPU, 64GB
1TB SSD each
Multi-AZ
Auto-backup

NoSQL DB

3x databases
400KB items
1GB storage
1TB data storage
Standard Table

Data Warehouse

3 nodes
2vCPU, 16GB
1TB managed
On-Demand
Analytics Ready

Data Lake

5TB Object Store
Standard Storage
1M PUT requests
Versioning
Lifecycle Mgmt

ETL Pipeline

10 DPUs Spark
0.0625 DPUs Python
1 Data Crawler
Schema Discovery
Transform Jobs

Streaming

Real-time Analytics
5KB records
1 record/sec
Direct PUT
Data Stream

Storage

15TB Std
10TB Out
1TB Xfer
Encrypted
Redundant

5. INTEGRATION LAYER

API Integration

Existing Data Sources

Transit Gateway

5 Attachments

VPN Connection

2 Site-to-Site

Private Link

5 VPC Endpoints

Data Transfer

1TB Outbound
10TB from Storage

NAT Gateway

2 Endpoints, 1TB/mo

6. SECURITY LAYER

Threat Detection

1TB Volume Scan
100GB S3 Scan
VPC Flow Logs
1M Events

Security Hub

5 Accounts
10 Checks/Acct
1M Findings
Compliance

Secrets Mgr

100 Secrets
30-day rotation
Encrypted
Audit Logging

Key Mgmt (KMS)

5 CMKs
2M Symmetric Req
At-rest Encrypt
In-transit Encrypt

SPA Testing

Penetration Test
Internal + External
Vuln Assessment
Host Assessment
3rd Party Auditor

Compliance

OSA 1972
CGSO Guidelines
KDN Cyber Policy
Data Sovereignty
Malaysia Only

Monitoring

50 Metrics
200GB Logs
24x7 Alerting
SIEM Integration

7. DEVSECOPS LAYER

CodeBuild

ARM-based, Linux

CodeDeploy

10 instances, 100 dep/mo

CodePipeline

10 Active Pipelines

CI/CD Automation

Automated Testing, Security Scanning
Compliance Checks, Auto-deployment

Infrastructure as Code (IaC)

Automated Deployment, Version Control
Drift Detection, Change Management

8. NETWORK ARCHITECTURE

Multi-AZ Deployment

3 Availability Zones (Malaysia)

High Availability (99.80% SLA)

Auto-failover, Load Distribution

Geo-Redundancy

Data replicated across regions

Network Segmentation

VPC, Subnets, Security Groups

9. MANAGED SERVICES (MSP) - 24x7x365

Cloud Mgmt Platform

Unified Dashboard
Resource Provisioning
Self-Service Portal
Catalog Management

Support Services

24x7 Call Center
Email Support
1st Level Support
Ticket Management

Monitoring and Logging

Resource Monitoring
Event Management
SLA Tracking
Performance Reports

Billing and Cost Mgmt

Cost Estimation
Cost Planning
Custom Billing Alerts
Usage Analytics

Professional Services (2401 Mandays)

GenAI Foundation Design and Deployment
Multi-tenant Architecture Setup
Migration & Configuration Services
Training and Knowledge Transfer
24-month Support Contract

On-Premise Systems

Existing Data Sources Legacy Applications Internal Systems Active Directory

Project Management Office (PMO)

6-month Development 6-month Warranty Training and TOT

LZ Landing Zone Design - IaaS / PaaS / SaaS Mapping

Layer	Service Model	AWS Service	KDN Configuration	Responsibility
Compute	IaaS	EC2 (m6i.2xlarge)	9 instances, 8vCPU 16GB, Multi-AZ	KDN manages OS, patching, hardening
GPU Compute	IaaS	EC2 G5 (g5.4xlarge)	2x NVIDIA L4, 64GB RAM, 3yr Reserved	KDN manages CUDA, drivers, inference
Block Storage	IaaS	EBS gp3	500GB per instance, encrypted AES-256	KDN manages snapshots, encryption keys
Container	PaaS	ECS Fargate	Serverless containers, auto-scaling	AWS manages runtime, KDN manages code
Database	PaaS	RDS MySQL, DynamoDB	Multi-AZ, auto-backup, encryption	AWS manages HA, KDN manages schema
Vector DB	PaaS	OpenSearch Serverless	1000GB, k-NN index, Multi-AZ	AWS manages cluster, KDN manages index
AI/ML	SaaS	Amazon Bedrock	Claude 3.5, Titan Embed, pay-per-token	AWS manages model, KDN manages prompts
AI Services	SaaS	Transcribe, Polly, Translate, Textract	STT 9.6K min, TTS 5K min, OCR 10K pages	AWS manages AI, KDN integrates API
Analytics	SaaS	QuickSight + Q (GenAI)	100 Authors, 100 Readers, NL queries	AWS manages BI, KDN manages dashboards

Landing Zone Account Structure

Management Account

AWS Organizations Root

SCPs, Billing, Control Tower

Security Account

Centralized Security

GuardDuty, Security Hub, KMS

Log Archive Account

Centralized Logging

CloudTrail, VPC Flow, App Logs

Shared Services Account

Common Infrastructure

Transit GW, DNS, AD Connector

Workload: Parlimen AI

Production Environment

Isolated VPC, Hansard Data

Workload: JPN Chatbot

Production Environment

Isolated VPC, Registry Data

Workload: PDRM Chatbot

Production Environment

Isolated VPC, Public FAQ

API API Architecture - REST Gateway & Authentication

Request Flow Architecture

CLIENT

Web/Mobile

HTTPS

WAF

Shield

ALB

Load Balancer

API GW

REST API

AUTH

Cognito

BACKEND

ECS/Lambda

Endpoint	Method	Auth	Rate Limit	Response
/api/v1/parlimen/query	POST	JWT + IAM Role	100 req/min/user	JSON (answer, citations, sources)
/api/v1/jpn/chat	POST	API Key + Session	500 req/min/IP	JSON (response, confidence)
/api/v1/pdrm/chat	POST	API Key + Captcha	300 req/min/IP	JSON (response, next_steps)
/api/v1/analytics/query	POST	JWT + MFA + Role	50 req/min/user	JSON (insights, charts, data)
/api/v1/embed	POST	Internal Service	1000 req/min	JSON (vector[1536])
/api/v1/health	GET	None	Unlimited	JSON (status, version)

// Request Schema

{
  "query": "string (max 2000 chars)",
  "session_id": "uuid",
  "language": "ms|en",
  "context": {
    "agency": "parlimen|jpn|pdrm",
    "user_role": "string",
    "filters": ["array"]
  },
  "options": {
    "include_citations": true,
    "max_tokens": 1500,
    "temperature": 0.3
  }
}

// Response Schema

{
  "response_id": "uuid",
  "answer": "string",
  "confidence": 0.95,
  "citations": [{
    "source": "Hansard DR 2023",
    "page": 45,
    "url": "string"
  }],
  "metadata": {
    "tokens_used": 1200,
    "latency_ms": 2340,
    "model": "claude-3.5-sonnet"
  }
}

Authentication Flow (OAuth 2.0 + OIDC)

1. Login

User credentials

2. Cognito

Validate + MFA

3. Token

JWT (1hr expiry)

4. API GW

Validate JWT

5. Authorize

IAM Role check

DLP Kaedah Keselamatan untuk Elak Kebocoran Data

Risiko Kebocoran	Kawalan Teknikal	AWS Service	Konfigurasi	Pengesanan
Data at Rest	Enkripsi AES-256-GCM	KMS (CMK)	Customer Managed Key, auto-rotate 365 days	CloudTrail decrypt events
Data in Transit	TLS 1.3, mTLS internal	ACM, ALB	HTTPS only, HSTS enabled, cert pinning	VPC Flow Logs TLS version
Data Exfiltration	VPC Endpoints, no IGW	PrivateLink	All AWS traffic via private endpoints	GuardDuty anomaly detection
SQL Injection	WAF Rules, Parameterized	WAF, RDS	SQLi rule set, prepared statements	WAF blocked requests log
Prompt Injection	Input sanitization, guardrails	Bedrock Guardrails	Content filters, denied topics, PII redact	Guardrail intervention logs
PII Leakage	Auto-redaction, masking	Comprehend, Macie	IC number, phone, email detection	Macie PII findings alert
Unauthorized Access	RBAC, least privilege	IAM, Cognito	Role-based, agency-scoped permissions	CloudTrail unauthorized API
Cross-Tenant Access	Account isolation, SCPs	Organizations	Deny cross-account by default	Cross-account assume role log
Model Output Leakage	Output filtering, audit	Bedrock, Lambda	Post-processing filter, response audit	All responses logged to S3
S3 Bucket Exposure	Block public, bucket policy	S3, Macie	Block all public access, VPC endpoint	Security Hub S3 findings

256-bit

AES Encryption

TLS 1.3

Transit Security

10+

DLP Controls

24/7

Real-time Monitor

MON Monitoring Instrumentation - Measurable Metrics

Metric Category	Metric Name	Target SLA	Alert Threshold	Tool	Dashboard
Availability	System Uptime	99.80%	< 99.50% = P1	CloudWatch	Ops Dashboard
	Health Check Pass Rate	100%	< 95% = P1	ALB Target Health	Ops Dashboard
	Multi-AZ Failover Success	100%	Failover > 30s = P2	RDS Events	DB Dashboard
Performance	API Response Time (P95)	< 5s	> 8s = P2	X-Ray, CloudWatch	API Dashboard
	LLM Inference Latency (P95)	< 3s	> 5s = P2	Bedrock Metrics	AI Dashboard
	Vector Search Latency (P95)	< 500ms	> 1s = P3	OpenSearch Metrics	Search Dashboard
	Throughput (req/sec)	> 100	< 50 = P2	ALB Metrics	Traffic Dashboard
Security	WAF Block Rate	Monitor	> 1000/hr = P2	WAF Logs	Security Dashboard
	GuardDuty Findings	0 High	Any High = P1	GuardDuty	Security Dashboard
	Failed Auth Attempts	< 100/hr	> 500/hr = P2	Cognito Logs	Auth Dashboard
AI Quality	Citation Accuracy	> 95%	< 90% = P3	Custom Metric	AI Quality Dashboard
	Guardrail Intervention Rate	< 5%	> 10% = P3	Bedrock Guardrails	AI Quality Dashboard
	User Satisfaction (CSAT)	> 4.0/5	< 3.5 = P3	Feedback System	User Dashboard
Cost	Daily Token Spend	< $50/day	> $100/day = P3	Cost Explorer	Cost Dashboard
Cost	Monthly Cloud Spend	Budget	> 80% budget = P3	AWS Budgets	Cost Dashboard

Alert Escalation Matrix

P1 - Critical

15 min response

Phone + SMS + Email

P2 - High

1 hour response

SMS + Email

P3 - Medium

4 hour response

Email + Slack

P4 - Low

24 hour response

Email + Ticket

Log Sources

CloudTrail API logs
VPC Flow Logs
ALB Access Logs
Application Logs
Bedrock Invocation Logs

Retention Policy

Security Logs: 7 years
Audit Logs: 7 years
Application Logs: 1 year
Performance Metrics: 15 months
Cost Data: 12 months

SIEM Integration

Security Hub aggregation
EventBridge rules
SNS notifications
S3 export to SIEM
OpenSearch dashboards

Tech Stack

Perkhidmatan AWS yang digunakan dalam platform KDN GenAI dengan penerangan lengkap untuk setiap komponen.

Tech Stack

AI AI & Machine Learning

Amazon Bedrock

Platform fully managed untuk akses model AI seperti Claude. Menyediakan API bersatu untuk pelbagai model dengan keselamatan enterprise.

Claude 3.5 Sonnet

Model LLM utama oleh Anthropic. Cemerlang untuk penaakulan kompleks, penulisan, dan pemahaman konteks BM/EN.

Titan Embeddings

Model embedding untuk tukar teks ke vektor. Digunakan dalam RAG untuk carian semantik dokumen.

OpenSearch

Vector database untuk simpan embeddings. Membolehkan carian semantik pantas untuk RAG pipeline.

TOK Token Metering & Usage Control

SOC Ref: 2.4.7 - Kawalan dan pemantauan penggunaan FM

Control	Parlimen AI	JPN	PDRM	Admin
Model	Sonnet	Haiku	Haiku	Sonnet
Max Input	6,000	2,000	2,000	4,000
Rate Limit	100/min	500/min	300/min	50/min
Daily Budget	500K tok	5M tok	3M tok	200K tok

CloudWatch

Token metrics

Cost Explorer

Daily spend

Budgets

80% alert

X-Ray

Latency trace

AI ASR, TTS & Translation Services

SOC Ref: 2.4.2, 2.4.3, 2.4.4 - Speech dan language services

Service	AWS	Capacity	Languages	Latency
Speech-to-Text	Transcribe	9,600 min/mo	BM, EN, Mandarin	<1s streaming
Text-to-Speech	Polly	5,000 min/mo	BM Neural, EN	<500ms
Translation	Translate	1M chars/mo	BM - EN	<200ms
OCR	Textract	10,000 pages/mo	BM, EN	<3s/page

Voice-Enabled Chatbot Flow

User speaks + Transcribe + Translate + RAG + LLM + Translate + Polly + Audio

Compute & Networking

Perkhidmatan pengkomputeran serverless yang membolehkan platform berjalan tanpa pengurusan server, dengan auto-scaling mengikut beban kerja dan model bayar-per-guna untuk pengoptimuman kos.

ECS Fargate

Perkhidmatan kontena serverless yang menjalankan aplikasi utama platform. Fargate menguruskan infrastruktur secara automatik, menghapuskan keperluan untuk provision atau urus EC2 instances.

Kelebihan Utama:

Auto-scale dari 0 hingga ribuan kontena dalam saat
Tiada kos idle - bayar hanya bila kod berjalan
Integrasi penuh dengan ALB untuk load balancing
Patch keselamatan automatik oleh AWS

AWS Lambda

Fungsi serverless untuk tugas event-driven seperti pemprosesan dokumen, trigger S3, dan integrasi dengan perkhidmatan lain. Lambda membolehkan kod berjalan tanpa sebarang pengurusan server.

Penggunaan dalam Platform:

Trigger pemprosesan dokumen bila fail diupload ke S3
Authorizer untuk API Gateway (token validation)
Scheduled tasks untuk maintenance dan cleanup
Real-time data transformation untuk RAG pipeline

API Gateway

Pintu masuk tunggal untuk semua API platform. Menyediakan lapisan keselamatan, rate limiting, caching, dan monitoring untuk setiap request yang masuk ke sistem.

Ciri-ciri Keselamatan:

WAF integration untuk perlindungan OWASP Top 10
Throttling per-user untuk elak abuse
Request/response validation automatik
CloudWatch logging untuk audit trail

Data & Storage

Perkhidmatan penyimpanan data yang menyokong kedaulatan data Malaysia dengan enkripsi end-to-end, backup automatik, dan disaster recovery untuk memastikan kesinambungan operasi.

RDS MySQL

Database relational utama untuk menyimpan data aplikasi, metadata pengguna, dan log audit. Dikonfigurasi dengan Multi-AZ deployment untuk failover automatik dan high availability 99.95%.

Spesifikasi:

Instance: db.r6g.large (2 vCPU, 16GB RAM)
Storage: 500GB gp3 dengan auto-scaling
Backup: Daily automated + 7 hari retention
Encryption: AES-256 at-rest, TLS 1.3 in-transit

Amazon S3

Object storage untuk dokumen asal (Hansard, PDF, laporan), fail yang diproses, dan model embeddings. S3 menawarkan durability 11 9s (99.999999999%) yang bermaksud hampir mustahil data hilang.

Bucket Structure:

raw-documents/ - Dokumen asal sebelum proses
processed/ - Chunks dan metadata
embeddings/ - Vector embeddings untuk RAG
logs/ - Audit logs dengan 7-year retention

Redshift Serverless

Data warehouse untuk analytics dan BI dashboard. Redshift Serverless auto-scale mengikut query load tanpa perlu provision capacity, sesuai untuk beban kerja analytics yang tidak konsisten.

Analytics Use Cases:

Dashboard penggunaan AI per agensi/bulan
Trend soalan parlimen mengikut topik
Performance metrics dan latency analysis
Cost allocation per use case

Lake Formation

Data lake untuk menyimpan data mentah dari pelbagai sumber sebelum transformasi. Lake Formation menyediakan governance, security, dan cataloging untuk semua data assets.

Data Governance Features:

Fine-grained access control per column/row
Data catalog dengan metadata automatik
ETL jobs dengan AWS Glue integration
Cross-account data sharing untuk agensi

Security & Compliance

Perkhidmatan keselamatan AWS yang menyediakan perlindungan berlapis (defense-in-depth) untuk memenuhi keperluan CGSO, PDPA, dan ISMS. Semua perkhidmatan beroperasi 24/7 dengan pengesanan dan respons automatik.

AWS WAF (Web Application Firewall)

Lapisan pertahanan pertama yang melindungi aplikasi web dari serangan OWASP Top 10. WAF menapis trafik masuk dan menyekat request berbahaya sebelum sampai ke aplikasi.

Perlindungan Aktif:

SQL Injection - Block malicious queries
XSS (Cross-Site Scripting) - Sanitize input
Rate Limiting - 1000 req/min per IP
Geo-blocking - Allow Malaysia + Singapore only

Amazon GuardDuty

Perkhidmatan pengesanan ancaman menggunakan machine learning yang menganalisis log AWS (CloudTrail, VPC Flow Logs, DNS) untuk mengesan aktiviti mencurigakan secara real-time.

Jenis Ancaman Dikesan:

Cryptocurrency mining attempts
Unauthorized API calls dari IP mencurigakan
Data exfiltration patterns
Compromised EC2 instances atau credentials

AWS KMS (Key Management Service)

Pengurusan kunci enkripsi berpusat dengan penyimpanan HSM (Hardware Security Module) yang memenuhi FIPS 140-2 Level 3. Semua data disulitkan dengan kunci yang diuruskan di sini.

Strategi Enkripsi:

Data at Rest: AES-256 untuk S3, RDS, EBS
Data in Transit: TLS 1.3 minimum
Key Rotation: Automatik setiap 365 hari
Audit: Setiap penggunaan kunci dilog

AWS Security Hub

Dashboard keselamatan berpusat yang mengumpul findings dari semua perkhidmatan keselamatan AWS. Menyediakan compliance checks automatik terhadap standard industri.

Compliance Standards Enabled:

AWS Foundational Security - Best practices
CIS AWS Benchmark - Hardening guidelines
PCI DSS - Payment security (future)
Auto-remediation via EventBridge + Lambda

DSO DevSecOps & Automation

SOC Ref: 2.5.1, 2.5.2, 2.5.3 - CI/CD pipeline dengan security scanning di setiap stage

CI/CD PIPELINE WITH SECURITY GATES

CODE

GitLab

Pre-commit hooks
Secrets scan

BUILD

CodeBuild

SAST scan
Dependency check

TEST

Unit + Integration

80% coverage
Contract tests

SECURITY

Security Gate

DAST scan
Container scan

DEPLOY

ECS Fargate

Blue/Green
Canary release

MONITOR

CloudWatch

Runtime scan
Anomaly detect

<-- Feedback: Security findings auto-create GitLab issues --

SAST

Static Application Security Testing

- SonarQube
- Semgrep
- CodeQL

DAST

Dynamic Application Security Testing

- OWASP ZAP
- Burp Suite
- Nuclei

SCA

Software Composition Analysis

- Snyk
- Dependabot
- OWASP Dep-Check

Container

Container Image Scanning

- ECR Scan
- Trivy
- Anchore

Infrastructure as Code (IaC)

Terraform

- AWS provider
- State in S3 + DynamoDB lock
- Modules for reusability
- tfsec security scan

CloudFormation

- Native AWS IaC
- StackSets for multi-account
- Drift detection
- cfn-lint validation

CDK

- TypeScript/Python
- High-level constructs
- cdk-nag security
- Unit testable

GitOps Environment Promotion

DEV

feature/*

--PR-->

STAGING

develop

--Approval-->

UAT

release/*

--Sign-off-->

PROD

main

Auto deploy

1 approval

2 approvals

Change Advisory Board

Blue/Green Deployment

- Zero-downtime deployment
- Instant rollback capability
- ALB target group switching
- Full environment validation

Canary Release

- 5% -> 25% -> 50% -> 100%
- CloudWatch alarm gates
- Automatic rollback on errors
- A/B testing capability

Keselamatan & Pematuhan

Seni bina keselamatan komprehensif, kawalan akses identiti, dan langkah pencegahan kebocoran data untuk platform KDN GenAI.

Navigasi

SOC Requirements Coverage

1.1.8 - Security Architecture 1.3.15 - Data Leakage Prevention 2.1.1 - Security Controls 2.3.7 - IAM/WebAuthn

SEC Seni Bina Keselamatan - Defense in Depth

7 lapisan pertahanan untuk perlindungan menyeluruh

Layer 1: Edge Security

WAF, Shield Advanced, CloudFront

DDoS Protection | Bot Detection | Geo Blocking

Layer 2: Network Security

VPC, Security Groups, NACLs, PrivateLink

Network Isolation | Micro-segmentation | No Public IPs

Layer 3: Identity & Access

IAM, Cognito, SSO, MFA

Zero Trust | Role-Based Access | Session Management

Layer 4: Application Security

API Gateway, Lambda Authorizer, Input Validation

Request Validation | Rate Limiting | Schema Enforcement

Layer 5: Data Security

KMS, Macie, Secrets Manager

AES-256 Encryption | Key Rotation | PII Detection

Layer 6: AI Security

Bedrock Guardrails, Content Filters, Audit

Prompt Injection Block | Output Filtering | Model Invocation Logs

Layer 7: Detection & Response

GuardDuty, Security Hub, CloudTrail, SIEM

Threat Detection | Compliance Checks | Incident Response

Encryption at Rest

Algorithm: AES-256-GCM
Key Management: AWS KMS (CMK)
Key Type: Customer Managed Keys
Rotation: Automatic yearly
Scope: S3, RDS, EBS, OpenSearch, DynamoDB

Encryption in Transit

Protocol: TLS 1.3 (minimum TLS 1.2)
Certificates: AWS Certificate Manager
Internal: mTLS between services
HSTS: Enabled, max-age=31536000
Cipher Suites: ECDHE-RSA-AES256-GCM

SOC Requirements Coverage

2.1.3 - Landing Zone Design 2.1.4 - Network Architecture 2.1.5 - High Availability

LZ AWS Landing Zone Architecture

Multi-account structure dengan Control Tower untuk governance

AWS Organizations - Account Structure

ROOT: AWS Organizations

Management

SCPs, Billing
Control Tower

Security

GuardDuty, KMS
Security Hub

Log Archive

CloudTrail, VPC Flow
7-year retention

Shared Services

Transit GW, DNS
ECR, Artifacts

Workload Accounts (Isolated)

Parlimen AI

Dedicated VPC
Own KMS Keys

JPN Chatbot

Dedicated VPC
Own KMS Keys

PDRM Chatbot

Dedicated VPC
Own KMS Keys

VPC Architecture per Workload Account

Availability Zone 1a

Public Subnet

ALB, NAT Gateway

Private App Subnet

ECS Fargate, Lambda

Private Data Subnet

RDS Primary, OpenSearch

Availability Zone 1b

Public Subnet

ALB, NAT Gateway

Private App Subnet

ECS Fargate, Lambda

Private Data Subnet

RDS Standby, OpenSearch

Availability Zone 1c

Public Subnet

ALB, NAT Gateway

Private App Subnet

ECS Fargate, Lambda

Private Data Subnet

RDS Read Replica

Network Isolation Controls

• NACLs: Stateless firewall at subnet level
• Security Groups: Stateful firewall per resource
• No Public IPs: All resources in private subnets
• VPC Endpoints: AWS services via PrivateLink

Traffic Flow

• Inbound: CloudFront → WAF → ALB only
• Outbound: NAT Gateway with allow-list
• Inter-subnet: Via Security Groups only
• Cross-account: Transit Gateway with SCP

IP Address Allocation (per Account)

Subnet Type	CIDR Block	Usable IPs	Resources
Public (per AZ)	/24	251	ALB, NAT GW
Private App (per AZ)	/22	1019	ECS, Lambda ENIs
Private Data (per AZ)	/23	507	RDS, OpenSearch
VPC Endpoints	/26	59	S3, Bedrock, ECR

VPC Traffic Flow: Internet → Subnet → Gateway → Workloads

INBOUND (User Request)

Internet

User Request

→

CloudFront

CDN + Cache

→

WAF

Filter + Block

→

VPC Boundary

10.0.0.0/16

→

Public Subnet

IGW + ALB

→

Private App

ECS Fargate

→

Private Data

RDS + OpenSearch

AWS SERVICES (VPC Endpoints - No Internet)

ECS Fargate

App Container

→

VPC Endpoint

PrivateLink

→

Bedrock

ECR

KMS

Secrets

OUTBOUND (Restricted - Allow-list Only)

Private Subnet

Workload

→

NAT Gateway

Public Subnet

→

IGW

Filtered

→

Allow-list

pypi, npm, github

SOC Requirements Coverage

1.3.15 - Data Protection 2.2.1 - Encryption Standards 2.2.3 - Key Management

KMS Encryption & Key Management

End-to-end encryption dengan AWS KMS managed keys

Data at Rest

Algorithm: AES-256-GCM

KMS Key Type: CMK (Customer Managed)

Key Rotation: Automatic (365 days)

Services: S3, RDS, OpenSearch, DynamoDB

Data in Transit

Protocol: TLS 1.3 (minimum)

Certificates: ACM-managed, auto-renew

Internal: mTLS between services

Ciphers: ECDHE-RSA-AES256-GCM-SHA384

KMS Key Hierarchy (per Account)

Root Key

AWS HSM

→

Account CMK

Master Key

→

S3 DEK

RDS DEK

OpenSearch DEK

SOC Requirements Coverage

2.3.2 - RAG Security 2.3.3 - Access Control 1.3.15 - PII Protection

RAG Retrieval Isolation & Access Control

Data boundary enforcement dalam RAG pipeline

User Query

+ Session Context

→

Access Check

RBAC + Tenant ID

→

Filtered Search

Tenant-scoped

→

PII Redaction

Comprehend

→

LLM Context

Sanitized

Control Layer	Implementation	Enforcement Point
Retrieval Isolation	Tenant ID filter on all vector queries	OpenSearch k-NN query
Document-level ACL	Metadata tag with classification level	Pre-retrieval filter
PII Redaction	AWS Comprehend PII detection + mask	Pre-LLM context injection
Session Boundary	JWT + session ID in all requests	API Gateway authorizer
Output Filtering	Bedrock Guardrails content filter	Post-LLM response
Cross-tenant Block	Separate index per application	OpenSearch index isolation

SOC Requirements Coverage

Arahan Keselamatan (Semakan 2017) OSA 1972 CGSO Compliance

KLS Klasifikasi Data Kerajaan Malaysia

Peringkat keselamatan dokumen mengikut Arahan Keselamatan (Semakan 2017)

RAHSIA BESAR

Top Secret

Keselamatan negara

RAHSIA

Secret

Kemudaratan besar

SULIT

Confidential

Kemudaratan sederhana

TERHAD

Restricted

Kegunaan rasmi sahaja

TERBUKA

Open

Maklumat awam

Klasifikasi	Akses RAG	Kawalan Teknikal	Audit
RAHSIA BESAR	TIDAK DIBENARKAN	Tidak di-ingest ke vector store	N/A
RAHSIA	TIDAK DIBENARKAN	Tidak di-ingest ke vector store	N/A
SULIT	TERHAD - SPA Only	IAM role + MFA + SPA clearance + dedicated index	Full audit trail, 7-year retention
TERHAD	DIBENARKAN	IAM role + session token + tenant isolation	Query logging, access audit
TERBUKA	DIBENARKAN	Standard authentication	Basic logging

Document Classification Tagging

Ingestion Process:

1. Document upload dengan classification header
2. Auto-scan untuk sensitive content
3. Metadata tagging (classification level)
4. Route ke appropriate index

Query-time Enforcement:

1. User clearance level check
2. Filter by classification ≤ user level
3. Result redaction if needed
4. Audit log dengan user + classification

SOC Requirements Coverage

Data Sovereignty PDPA 2010 CGSO Compliance

MY Data Boundary & Sovereignty

Semua data kekal dalam sempadan Malaysia dengan jaminan teknikal dan kontrak

🇲🇾

AWS Malaysia Region (ap-southeast-5)

Kuala Lumpur | Dilancarkan 2024 | 3 Availability Zones

📍 Lokasi Fizikal

Data center di Kuala Lumpur, Malaysia. Data TIDAK keluar dari sempadan negara.

📜 Jaminan Kontrak

AWS Enterprise Agreement dengan klausa data residency Malaysia. Boleh audit bila-bila masa.

🔒 Enforced by SCP

Service Control Policies menghalang sebarang operasi di region lain secara teknikal.

Malaysia Region

ap-southeast-5
Kuala Lumpur

No Cross-Region

SCP blocks all
cross-region transfers

CGSO Compliant

OSA 1972
PDPA 2010

Data Residency Controls

Service Control Policies (SCP):

- Deny all non-ap-southeast regions
- Block S3 cross-region replication
- Restrict EC2 AMI copy
- Prevent RDS snapshot export

Network Controls:

- VPC endpoints for all AWS services
- No internet gateway for data subnets
- NAT gateway with allow-list only
- PrivateLink for Bedrock API

DLP Kaedah Keselamatan untuk Elak Kebocoran Data

10 kawalan teknikal untuk mencegah kebocoran dan penyalahgunaan data

Risiko	Kawalan Teknikal	AWS Service	Pengesanan
Data at Rest	AES-256-GCM Encryption	KMS (CMK)	CloudTrail decrypt events
Data in Transit	TLS 1.3, mTLS internal	ACM, ALB	VPC Flow Logs
Data Exfiltration	VPC Endpoints, no IGW	PrivateLink	GuardDuty anomaly
SQL Injection	WAF Rules, Parameterized	WAF, RDS	WAF blocked log
Prompt Injection	Guardrails, Input sanitization	Bedrock Guardrails	Intervention logs
PII Leakage	Auto-redaction, masking	Comprehend, Macie	Macie PII findings
Unauthorized Access	RBAC, least privilege	IAM, Cognito	CloudTrail unauthorized
Cross-Tenant Access	Account isolation, SCPs	Organizations	Cross-account log
Model Output Leakage	Output filtering, audit	Bedrock, Lambda	Response audit S3
S3 Bucket Exposure	Block public, bucket policy	S3, Macie	Security Hub findings

🛡️

JAMINAN KESELAMATAN DATA KDN

"Data KDN TIDAK PERNAH digunakan untuk melatih model.
Semua pemprosesan berlaku dalam boundary yang dikawal dan disahkan."

✓ Zero Model Training ✓ Zero Fine-Tuning ✓ Zero Data Export ✓ 100% Malaysia Boundary

KRITIKAL Jaminan Zero Data Training

🚫 Model TIDAK Belajar dari Data KDN

Amazon Bedrock dan Claude 3.5 Sonnet beroperasi dalam mod inference-only. Data yang dihantar ke model TIDAK digunakan untuk training, fine-tuning, atau penambahbaikan model. Ini dijamin secara kontrak oleh AWS dan Anthropic.

🚫 Tiada Fine-Tuning Model

Platform ini menggunakan model foundation as-is tanpa sebarang fine-tuning dengan data kerajaan. Ini mengelakkan risiko data sensitif tertanam dalam parameter model yang boleh diekstrak kemudian.

🔒 Tiada Pendedahan FM Luaran

Semua panggilan ke Bedrock melalui VPC Endpoints (PrivateLink). Data tidak pernah melintasi internet awam. Tiada integrasi dengan model luaran seperti OpenAI, Google, atau Hugging Face.

🛡️ Prompt Filtering Ketat

Setiap input pengguna melalui Bedrock Guardrails untuk menapis percubaan prompt injection, jailbreaking, dan ekstraksi data. Output juga ditapis untuk redact PII dan maklumat sensitif sebelum dikembalikan.

Rujukan Kontrak AWS: AWS Bedrock Service Terms Section 50.5 menyatakan: "AWS will not use Customer Content to train or improve the models." Anthropic's Usage Policy juga menjamin tiada training dari API requests.

256-bit

AES Encryption

TLS 1.3

Transit Security

10+

DLP Controls

24/7

Real-time Monitor

SOC Requirements Coverage - AI/ML SaaS

2.4.2 - AI Foundation Model 2.4.3 - RAG Implementation 2.4.4 - Guardrails & Filters 2.4.7 - Model Invocation Logging

SaaS Complete AWS SaaS Mapping to SOC Requirements

Explicit mapping of all AWS services to SOC 2.0 requirements with security controls

Category	AWS Service	SOC Ref	Function	Security Control
AI/ML Services	Amazon Bedrock	2.4.2	Foundation Model - Claude 3.5 Sonnet	VPC endpoint, invocation logging, IAM policy
	Titan Embeddings	2.4.3	Text vectorization (1536 dimensions)	Input validation, dimension check
	Bedrock Guardrails	2.4.4	Content filter, topic blocking	Prompt injection, PII masking
	Amazon Comprehend	1.3.15	PII detection & redaction	Pre-ingestion scan, real-time redact
RAG Pipeline	OpenSearch Serverless	2.4.3	Vector store (k-NN HNSW index)	Tenant isolation, encryption at rest
	Amazon S3	2.2.1	Document storage (source docs)	SSE-KMS, bucket policy, versioning
	Lambda	2.3.1	Chunking, embedding, orchestration	VPC, IAM role, env encryption
	Step Functions	2.3.1	Ingestion workflow orchestration	Execution logging, IAM
Security Services	AWS KMS	2.2.3	Key management (CMK)	HSM-backed, auto rotation 365d
	Secrets Manager	2.2.3	Credential storage	Auto rotation, IAM access
	WAF	1.2.4	Web application firewall	OWASP rules, rate limit, geo block
	GuardDuty	2.3.7	Threat detection	ML-based anomaly, threat intel
	Amazon Macie	1.3.15	Sensitive data discovery	S3 scan, PII classification
Compute & Network	ECS Fargate	2.1.4	Container runtime (API, UI)	Private subnet, task IAM, no SSH
	ALB	2.1.4	Load balancer	TLS 1.3, access logs, WAF integrated
	CloudFront	2.1.4	CDN, edge caching	OAI, signed URLs, geo restrict
	API Gateway	1.2.3	API management	Throttling, JWT auth, schema validation
Observability	CloudWatch Logs	2.4.7	Centralized logging	7-year retention, KMS encryption
	CloudWatch Metrics	2.3.5	Performance metrics	Custom metrics, 50+ dashboards
	X-Ray	2.3.5	Distributed tracing	Service map, latency analysis
	CloudTrail	2.3.6	API audit trail	All regions, S3 + CloudWatch
Identity	Cognito	2.3.7	User authentication	MFA, WebAuthn, password policy
Identity	IAM	2.3.7	Service authorization	Least privilege, SCP, permission boundary

RAG RAG Pipeline - Explicit SaaS Service Flow

Each step in RAG pipeline mapped to specific AWS SaaS service

DOCUMENT INGESTION FLOW

S3 Upload

Source Docs

SOC 2.2.1

→

Macie Scan

PII Discovery

SOC 1.3.15

→

Comprehend

PII Redaction

SOC 1.3.15

→

Lambda

Chunking

SOC 2.3.1

→

Titan Embed

Vectorization

SOC 2.4.3

→

OpenSearch

Vector Store

SOC 2.4.3

QUERY PROCESSING FLOW

User Query

Input

→

API Gateway

Auth + Throttle

SOC 1.2.3

→

Guardrails

Input Filter

SOC 2.4.4

→

Titan Embed

Query Vector

SOC 2.4.3

→

OpenSearch

k-NN Search

SOC 2.4.3

→

Bedrock

Claude 3.5

SOC 2.4.2

→

Guardrails

Output Filter

SOC 2.4.4

→

Response

+ Citation

AI/ML SaaS

Security SaaS

Observability

SOC Items Covered

Bedrock Security Architecture

Multi-layer security controls for AI model access

User Input

→

Input Guardrail

Prompt injection check

→

Bedrock API

VPC Endpoint

→

Claude 3.5

Model Inference

→

Output Guardrail

Content filter

→

Response

Input Guardrails

Prompt Injection Detection ✓ Enabled

Jailbreak Prevention ✓ Enabled

Topic Blocking (politics) ✓ Enabled

PII Input Masking ✓ Enabled

Output Guardrails

Harmful Content Block ✓ Enabled

Hallucination Grounding ✓ Enabled

Citation Enforcement ✓ Enabled

Response Length Limit ✓ 4096 tokens

LOG Model Invocation Logging (SOC 2.4.7)

Complete audit trail untuk semua AI model interactions - siapa, bila, apa, hasil

100%

Prompts Logged

100%

Responses Logged

7 yrs

Log Retention

S3+CW

Storage Destination

🔗 Audit Chain - Apa Yang Direkod

📋 Metadata Setiap Request

Timestamp:	ISO 8601 UTC (2024-01-15T10:30:45.123Z)
User ID:	Cognito sub (UUID) + nama pegawai
Session ID:	Unique session identifier
IP Address:	Source IP (internal VPC)
User Agent:	Browser/client identifier
Agency:	JPN/PDRM/Admin (dari IAM role)

📝 Content Yang Dilog

Input Prompt:	Full text (encrypted at rest)
RAG Context:	Document IDs yang digunakan
Model Output:	Full response (encrypted)
Latency:	Response time in ms
Token Count:	Input + output tokens
Guardrail Events:	Any intervention/blocking

📍 Log Destination

Primary: S3 (kdn-audit-logs bucket)
Secondary: CloudWatch Logs
Archive: S3 Glacier (after 90 days)

⏰ Retention Policy

Hot: 30 days (instant access)
Warm: 1 year (S3 Standard-IA)
Cold: 7 years (Glacier Deep Archive)

🔐 Integrity Protection

Encryption: KMS CMK (AES-256)
Immutability: S3 Object Lock
Hash: SHA-256 per log entry

SOC Requirements Coverage

2.3.5 - Monitoring & Observability 2.3.6 - Logging Pipeline 2.3.7 - SIEM Integration

CW CloudWatch Monitoring Stack

Comprehensive observability dengan 4 pillars

Metrics

CloudWatch Metrics

Custom Metrics

50+ Dashboards

Logs

Log Insights

200GB/month

Query Analytics

Traces

X-Ray Tracing

Service Map

Latency Analysis

Anomaly

ML Detection

Auto-baseline

Smart Alerts

Category	Metric	Target	Alert Threshold
Availability	System Uptime	99.80%	< 99.50%
Availability	Health Check	100%	Any failure
Performance	API Response Time	< 5s	> 8s (P95)
Performance	LLM Token Generation	< 3s	> 5s
Security	Failed Auth Rate	< 0.1%	> 1%
Security	DLP Violations	0	Any violation

LOG Centralized Logging Pipeline

End-to-end log collection, processing, and retention

App Logs

ECS, Lambda

CloudTrail

API Calls

VPC Flow

Network

→

Kinesis Firehose

Stream

→

CloudWatch Logs

Real-time

→

S3 Archive

Long-term

Log Sources

• CloudTrail (API audit)
• VPC Flow Logs (network)
• ALB Access Logs
• ECS Container Logs
• Lambda Execution Logs
• Bedrock Invocation Logs
• WAF Logs

Retention Policy

• Security Logs: 7 years
• Audit Logs: 7 years
• Application Logs: 1 year
• Metrics: 15 months
• Traces: 30 days

Alert Response

• P1 Critical: 15 min
• P2 High: 1 hour
• P3 Medium: 4 hours
• P4 Low: 24 hours
• Channel: SNS → SOC Team

SIEM SIEM & Threat Detection

Security event aggregation and threat intelligence

GuardDuty

Threat Intel

Security Hub

Aggregation

EventBridge

Rules

→

SOC Alert

24x7x365

API API Security Architecture

SOC Ref: 1.2.3, 1.2.4 - API Gateway, Auth, Schema

Request Flow Architecture

Client

HTTPS

WAF

ALB

API GW

Cognito

Backend

Endpoint	Method	Auth	Rate Limit
/api/v1/parlimen/query	POST	JWT + IAM Role	100 req/min/user
/api/v1/jpn/chat	POST	API Key + Session	500 req/min/IP
/api/v1/pdrm/chat	POST	API Key + Captcha	300 req/min/IP
/api/v1/analytics/query	POST	JWT + MFA + Role	50 req/min/user

Use Case

Empat aplikasi utama platform KDN GenAI dengan aliran kerja terperinci untuk setiap sistem.

Use Case

Parlimen AI

Sistem soal jawab berkuasa AI untuk membantu pegawai KDN menyediakan jawapan parlimen dengan mencari maklumat dari arkib Hansard, dokumen dasar, dan pekeliling secara automatik menggunakan teknologi RAG (Retrieval-Augmented Generation).

50K+ Hansard Pages BM/EN Bilingual 95% Citation Accuracy Response <5s

Aliran Proses Sistem

Terima Soalan

Soalan parlimen diterima

→

Cari Dokumen

RAG cari context relevan

→

AI Jana Draf

Claude 3.5 bina jawapan

→

Semak & Edit

Pegawai review jawapan

→

Submit

Hantar jawapan rasmi

Data Sources & Ingestion

Pengumpulan data dari sistem kerajaan

HAN

Hansard Archive

10+ tahun rekod perbahasan parlimen

50K+ Pages PDF/HTML

POL

Policy Documents

Dasar kerajaan dan pekeliling

Policies Circulars

LEG

Legislative Docs

Bills, acts, amendments

Bills Acts

ETL

ETL Pipeline

AWS Glue daily ingestion

Glue EventBridge

↓

Document Processing

OCR, text extraction, metadata enrichment

OCR

OCR Textract

High accuracy BM/EN extraction

Textract 10K/mo

Vector Indexing

Creating searchable semantic representations

EMB

Titan Embeddings

1536-dim multilingual vectors

Titan 1536-dim

OpenSearch Index

k-NN plugin with HNSW

k-NN HNSW

HYB

Hybrid Search

Semantic + keyword filters

Hybrid Facets

INC

Incremental Updates

Delta processing via Step Fn

Step Fn Delta

↓

Query Processing & Generation

Real-time RAG question answering

QRY

Query Analysis

Intent, entity, context

NLU Intent

RAG

RAG Retrieval

Top-K context retrieval

Top-10 Rerank

LLM

Claude Generation

Contextual answer synthesis

Claude 3.5 Bedrock

CIT

Citation Engine

Source attribution & links

Sources Links

Contoh Soalan & Jawapan

SOALAN PENGGUNA

"Apakah pendirian kerajaan mengenai rang undang-undang perlindungan data peribadi yang dibentangkan pada tahun 2023?"

JAWAPAN AI

Berdasarkan perbahasan Parlimen pada 3 Oktober 2023, Menteri Komunikasi dan Digital telah menyatakan bahawa Rang Undang-undang Perlindungan Data Peribadi (Pindaan) 2023 bertujuan untuk mengukuhkan perlindungan privasi rakyat Malaysia...

Sources:

Hansard DR 3 Okt 2023, ms. 45-48 Jawapan Bertulis PD-2023-1847

<5s

Query Response

50K+

Hansard Pages

95%

Citation Accuracy

BM/EN

Bilingual

RM Token & Cost Estimate (Per Query)

~6,000

Input Tokens

Query + RAG Context

~1,500

Output Tokens

AI Response + Citation

~500

Embedding Tokens

Titan Embed

$0.05

Est. Cost/Query

Claude 3.5 Sonnet

Model: Claude 3.5 Sonnet

Est. Queries/Month: ~500

Est. Monthly Cost: ~$25

JPN AI Chatbot

AI-powered citizen services chatbot untuk Jabatan Pendaftaran Negara (National Registration Department) menyediakan bantuan segera untuk MyKad, sijil lahir, pendaftaran perkahwinan, dan perkhidmatan dokumen identiti melalui pelbagai saluran.

Multi-Channel Access WhatsApp Integration BM/EN Bilingual 24/7 Availability

WEB

Web Portal

Responsive web interface integrated with JPN website

APP

Mobile App

Native iOS & Android via MyGov app integration

WhatsApp Business API for conversational access

KSK

Self-Service Kiosk

Touch-screen kiosks at JPN offices

Aliran Proses Sistem

Choose Channel

Web, Mobile, WhatsApp, Kiosk

→

Select Language

BM or English

→

Ask Question

Natural language or menu

→

AI Processing

Intent recognition & RAG

→

Get Help

Answer or escalation

SVC

JPN Services Supported

MyKad Application & Renewal

Birth Certificate Registration

Marriage Registration

Death Certificate

Name Change Application

Address Update

Appointment Booking

Application Status Check

LOC

Branch Locator

DOC

Document Requirements

FEE

Fee Information

HRS

Operating Hours

Channel Integration Layer

Multi-channel ingestion and unified message handling

WEB

Web Widget

Embeddable React widget for JPN portal

WhatsApp API

Business API with message templates

MSG

Message Broker

Unified queue with SQS/SNS

SES

Session Management

DynamoDB for conversation state

↓

NLU & Intent Processing

Understanding citizen requests and routing

LEX

Amazon Lex V2

50+ JPN service intents

ENT

Entity Extraction

IC numbers, dates, locations

TRN

Translation

Real-time BM/EN translation

CTX

Context Tracking

Multi-turn conversation

↓

Knowledge Base & RAG

JPN procedures, FAQs, and document retrieval

JPN Knowledge Base

SOPs, circulars, FAQs, fees

VEC

Vector Store

OpenSearch multilingual

RAG

RAG Pipeline

Retrieve context for LLM

FRM

Form Templates

Pre-filled forms & checklists

↓

Response Generation

LLM-powered natural language responses

LLM

Claude Generation

Natural, empathetic responses

TMP

Response Templates

Standardized common answers

RCH

Rich Media

Images, buttons, carousels

ESC

Escalation

Human handoff when needed

Contoh Perbualan

Rakyat

"Saya nak tahu dokumen apa perlu bawa untuk renew IC?"

JPN AI

"Untuk pembaharuan MyKad, anda perlu bawa:

1. MyKad lama
2. Borang permohonan (boleh isi di kaunter)
3. Bayaran RM10

Nak saya cari pejabat JPN terdekat?"

Ya, cari pejabat Waktu operasi

24/7

Ketersediaan

Channels

50+

Service Intents

<3s

Response Time

RM Token & Cost Estimate (Per Query)

~1,200

Input Tokens

Query + FAQ Context

~400

Output Tokens

AI Response

~300

Embedding Tokens

Titan Embed

$0.008

Est. Cost/Query

Claude 3.5 Haiku

Model: Claude 3.5 Haiku

Est. Queries/Month: ~50,000

Est. Monthly Cost: ~$400

PDRM AI Chatbot

AI-powered citizen services chatbot untuk Polis Diraja Malaysia (Royal Malaysia Police) menyediakan bantuan segera untuk laporan polis, saman trafik, semakan kenderaan, dan pertanyaan keselamatan awam melalui saluran digital yang selamat.

Secure Authentication Report Filing Summons Payment 24/7 Support

WEB

PDRM Portal

Integrated with official PDRM website and ePolis

APP

MyPolis App

Native mobile app for iOS and Android

SMS

SMS Gateway

Text-based queries for basic information

IVR

Voice IVR

Phone-based assistance via call center

Aliran Proses Sistem

Authenticate

MyKad verification

→

Select Service

Report, summons, inquiry

→

Provide Details

Guided form filling

→

AI Processing

Validation & routing

→

Confirmation

Reference & next steps

SVC

PDRM Services Supported

RPT

Police Report Filing

SUM

Traffic Summons Check & Pay

VHC

Vehicle Status Check

STS

Case Status Inquiry

LOC

Police Station Locator

999

Emergency Contact Info

LIC

License Verification

TIP

Crime Tip Submission

PRM

Permit Applications

CLR

Police Clearance Letter

Security & Authentication

Secure identity verification and access control

AUTH

IC Authentication

MyKad verification with JPN API

MFA

Multi-Factor Auth

SMS OTP and authenticator app

SES

Session Security

JWT tokens with short expiry

AUD

Audit Logging

Complete access trail

↓

Intent Processing

Understanding citizen requests and routing

CLS

Intent Classification

40+ police service intents

ENT

Entity Extraction

Vehicle plates, IC, locations

URG

Urgency Detection

Flag emergency requests

CTX

Context Tracking

Multi-turn conversation

↓

Knowledge Base

Police procedures, FAQs, and legal information

SOP

Police SOPs

Standard procedures & guidelines

S3 200+ Docs

LAW

Legal Database

Criminal code, traffic laws

OpenSearch Laws

FAQ

FAQ Repository

Common questions & answers

RAG 500+ FAQs

FRM

Form Templates

Pre-filled report forms

PDF Gen Templates

↓

PDRM System Integration

Core police systems and databases

RPT

Report System

ePolis integration for filing

ePolis API mTLS

SUM

Summons System

MyBayar PDRM payments

MyBayar FPX

VHC

Vehicle Database

JPJ integration for checks

JPJ API Real-time

CMS

Case Management

Status tracking & updates

CMS API Status

↓

Response & Escalation

Delivering answers and human handoff

RSP

AI Response

Claude-generated responses

Claude 3 Bedrock

REF

Reference Numbers

Auto-generated case IDs

UUID Tracking

ESC

Human Escalation

Transfer to police officers

Connect Queue

NTF

Notifications

SMS/Email status updates

SNS SES

Contoh Perbualan

Rakyat

"Macam mana nak check saman saya?"

PDRM AI

"Untuk semak saman, sila masukkan nombor IC atau nombor pendaftaran kenderaan anda. Saya akan tunjukkan semua saman aktif dan cara bayaran."

Guna nombor IC Guna nombor kenderaan

24/7

Availability

40+

Service Intents

<3s

Response Time

Secure

MyKad Auth

RM Token & Cost Estimate (Per Query)

~1,500

Input Tokens

Query + SOP Context

~500

Output Tokens

AI Response

~300

Embedding Tokens

Titan Embed

$0.01

Est. Cost/Query

Claude 3.5 Haiku

Model: Claude 3.5 Haiku

Est. Queries/Month: ~30,000

Est. Monthly Cost: ~$300

KDN Admin Portal

Centralized administration dashboard untuk mengurus ketiga-tiga sistem AI chatbot - Parlimen AI, JPN Chatbot, dan PDRM Chatbot - dengan analytics komprehensif, knowledge management, dan sistem monitoring capabilities.

Unified Dashboard Real-time Analytics Knowledge Management Role-Based Access

Total Conversations Today

12,847

+15.3% from yesterday

Average Response Time

2.3s

-0.4s improvement

Resolution Rate

87.2%

+2.1% this week

User Satisfaction

4.6/5

+0.2 this month

Active Users

3,421

Currently online

System Health

99.9%

All systems operational

ANA Analytics Dashboard

- Real-time conversation metrics across all chatbots
- Intent distribution and trending topics analysis
- User satisfaction scores and feedback trends
- Response time and resolution rate tracking
- Peak usage patterns and capacity planning

KB Knowledge Management

- Document upload and processing pipeline
- FAQ creation and editing interface
- Response template management
- Version control for knowledge articles
- Content approval workflow

USR User Management

- Role-based access control (RBAC)
- Admin user creation and permissions
- Department-level access restrictions
- Single sign-on (SSO) integration
- Multi-factor authentication enforcement

MON System Monitoring

- Real-time service health dashboard
- API latency and error rate monitoring
- Infrastructure resource utilization
- Automated alerting and notifications
- Incident management and escalation

Analytics & Reporting

Comprehensive insights powered by QuickSight GenAI

QuickSight Dashboards

Interactive BI with drill-down

QuickSight GenAI Q

NLP

Natural Language Query

Ask questions in plain BM/EN

QuickSight Q AI

RPT

Scheduled Reports

Automated daily/weekly/monthly

PDF Email

EXP

Data Export

Export to CSV, Excel, DW

CSV XLSX

↓

Knowledge Management

Maintain and update AI knowledge bases

DOC

Document Manager

Upload, process, and index

S3 Textract

FAQ

FAQ Editor

Create and manage Q&A pairs

WYSIWYG Preview

TMP

Response Templates

Standardized responses

Templates Variables

VER

Version Control

Track changes & rollback

History Diff

↓

Quality Assurance

Monitor and improve AI response quality

REV

Conversation Review

Sample and review AI conversations

Sampling Rating

FBK

Feedback Analysis

Analyze user ratings & comments

Sentiment Trends

ACC

Accuracy Metrics

RAGAS evaluation scores

RAGAS F1 Score

ABT

A/B Testing

Test prompt & model variations

Experiments Stats

↓

System Administration

Infrastructure and configuration management

CFG

Configuration

System settings & parameters

SSM Secrets

USR

User Management

Admin accounts and RBAC

Cognito IAM

LOG

Audit Logs

Complete activity trail

CloudTrail Search

BCK

Backup & Recovery

Automated backups and DR

Backup Multi-AZ

↓

Monitoring & Alerting

Real-time system health and incident management

HLT

Health Dashboard

Service status & availability

CloudWatch Status

ALR

Alert Management

Threshold-based notifications

SNS PagerDuty

TRC

Distributed Tracing

End-to-end request tracking

X-Ray Traces

INC

Incident Response

Runbooks and escalation

Runbooks On-call

Chatbot Systems

50+

Dashboard Metrics

RBAC

Access Control

GenAI

BI Analytics

RM Token & Cost Estimate (GenAI BI Analytics)

~2,000

Input Tokens

Query + Data Context

~800

Output Tokens

AI Insights

N/A

Embedding

Structured Data

$0.02

Est. Cost/Query

Claude 3.5 Sonnet

Model: Claude 3.5 Sonnet

Est. Queries/Month: ~2,000

Est. Monthly Cost: ~$40

BOT Chatbot Decision Logic

SOC Ref: 1.2.1 - Fallback, Escalation, dan Rule-Based Hybrid Logic

PT/Berfikiran Decision Flow

Input Validation Language, length, profanity, injection check

Intent Classification Rule-based + LLM: FAQ, Query, Complaint, Other

Knowledge Retrieval RAG pipeline, threshold score > 0.7

Confidence Check

HIGH >0.85: Direct MED 0.7-0.85: +Disclaimer LOW <0.7: Escalate

Escalation/Fallback Human agent, Hotline, atau Form

Trigger	Action	Response
Confidence < 0.7	Soft fallback	"Maaf, saya tidak pasti. Sila hubungi..."
No relevant docs	Hard fallback	"Tiada maklumat berkaitan..."
Sensitive topic	Immediate escalation	"Memerlukan pegawai..."
3x low confidence	Auto-escalation	"Sambung dengan pegawai..."

BI BI/Analytics Module Architecture

SOC Ref: 1.2.1(c) - Analytics dan data visualization

Analytics Data Pipeline

Sources (RDS, DynamoDB) + ETL (Glue) + Redshift + SPICE Cache + QuickSight + QuickSight Q (GenAI)

Dashboard Features

Interactive charts | Drill-down | Scheduled reports | Export PDF/Excel

QuickSight Q (GenAI)

Natural language queries | Auto-generate visuals | BM/EN support

Access Control

100 Authors | 100 Readers | Row-level security | Agency isolation

Satu Platform AI Untuk Tiga Perkhidmatan KDN

Ringkasan Eksekutif

Cabaran Semasa

Penyelesaian Platform

USR Sasaran Pengguna

APP Tiga Aplikasi Utama

Parlimen AI

Chatbot JPN

Chatbot PDRM

Portal Pentadbiran Berpusat

HOW Bagaimana Platform Berfungsi

SEC Pematuhan & Keselamatan

KDN Secure Landing Zone untuk AI

LZ Cloud Landing Zone Architecture

RAG Security: Isolation + Redaction + Access Control

ZON Pemencilan Data Tiga Agensi

10 10 Lapisan Keselamatan KDN

TECH Tindanan Teknologi

ROI Nilai Bisnes untuk KDN

24M Timeline Projek (24 Bulan)

Pendekatan Yang Betul Untuk KDN

Apa Itu RAG? (Retrieval-Augmented Generation)

Kurang Risiko Projek

Patuh Undang-undang

Boleh Dikembangkan

Kenapa Platform Enterprise Tidak Sesuai Untuk KDN?

Pematuhan & Standard

Strategi Teknikal Yang Sesuai Untuk KDN

Komponen Kurang = Risiko & Kos Turun

Ketepatan & Keselamatan Terjamin

💰 Justifikasi Kos: Kenapa Pendekatan Kami Lebih Murah

Observability & Monitoring

AWS Malaysia

Claude 3.5

RAG Pipeline

Multi Tenant

Arkitektur 7 Lapisan

Kenapa 7 Lapisan?

7 Lapisan Arkitektur

DFD Data Flow Diagram

RAG RAG Pipeline Architecture

Infrastruktur Cloud

LZ Landing Zone Design - IaaS / PaaS / SaaS Mapping

Landing Zone Account Structure

API API Architecture - REST Gateway & Authentication

Request Flow Architecture

Authentication Flow (OAuth 2.0 + OIDC)

DLP Kaedah Keselamatan untuk Elak Kebocoran Data

MON Monitoring Instrumentation - Measurable Metrics

Alert Escalation Matrix

LZ Landing Zone Architecture

AWS Organizations - Account Structure

VPC & Subnet Architecture (Per Account)

HA High Availability & Resilience

MON Monitoring & Observability

Observability Flow

Tech Stack

AI AI & Machine Learning

TOK Token Metering & Usage Control

AI ASR, TTS & Translation Services

Voice-Enabled Chatbot Flow

Compute & Networking

Data & Storage

Security & Compliance

DSO DevSecOps & Automation

Keselamatan & Pematuhan

SEC Seni Bina Keselamatan - Defense in Depth

Encryption at Rest

Encryption in Transit

LZ AWS Landing Zone Architecture

AWS Organizations - Account Structure

VPC Architecture per Workload Account

IP Address Allocation (per Account)

VPC Traffic Flow: Internet → Subnet → Gateway → Workloads

KMS Encryption & Key Management

Data at Rest

Data in Transit

KMS Key Hierarchy (per Account)

RAG Retrieval Isolation & Access Control

KLS Klasifikasi Data Kerajaan Malaysia