| Ella | AI · Bedrock | Twice-daily Claude Sonnet narrative per subject via Bedrock — de-identified summaries stored in DynamoDB for clinical staff. | 11 | ✓ | |
| Nurse/Admin API | REST API | FastAPI + Cognito JWT with row-level facility scoping. Twelve endpoints serving staff web and mobile clients. | 19 | ✓ | |
| Telemetry | Streaming | Fall-alert Lambda → SNS for sub-2s staff notification; per-minute aggregates → Firehose → Parquet on S3. | 15 | ✓ | |
| Admin CLI | CLI | Operator CLI for device provisioning — mints tenant X.509 certs and registers rooms in DynamoDB. | 28 | — | |
| URL Minter | Upload | Presigned S3 upload URLs for device Parquet batches — eliminates MQTT overhead for analytic cold-path data. | — | ✓ | |
| Athena | Analytics | Glue table and partition projection for raw radar frames on the cold path — queryable without ETL. | — | ✓ | |
| CloudTrail | Audit | Data-event audit logging on all sensitive DynamoDB tables — every read/write attributed for HIPAA compliance. | — | ✓ | |
| IoT Core | IoT | Role alias (temp AWS creds for devices via mTLS), Device Shadow, and IoT Rules for fall-enricher and legacy Firehose paths. | — | ✓ | |
| KMS | Security | Tenant CMK with 30-day deletion window, automatic annual rotation, and scoped key policy for DynamoDB, S3, SNS, and SQS. | — | ✓ | |
| Observability | Monitoring | CloudWatch Metric Streams to central account — scalar metrics only (Lambda, DynamoDB, Ambient/* namespace). No PHI crosses the boundary. | — | ✓ | |