Ridgeline · Architecture Briefing · 2026 v1.0

Ridgeline.
AWS cost and cloud maturity intelligence.

AI agent built on Amazon Bedrock with Claude Sonnet, cross-account IAM read access, and a practitioner-grounded knowledge base. This briefing covers components, request lifecycle, security posture, deployment models, and integration surfaces.

What Ridgeline does.

Ridgeline answers natural-language questions about AWS environments: cost drivers, forecasts, anomalies, budget pacing, EC2 rightsizing, Trusted Advisor findings, and six-pillar cloud maturity assessments. It runs in Microsoft 365 Copilot (Teams), through a web frontend, or against the API directly. Customer data stays in the customer's AWS account. Ridgeline reads on demand using temporary cross-account credentials and stores no AWS billing or usage data at rest.

The whole stack in one diagram.

[Architecture diagram: Microsoft 365 Copilot, Cognito OAuth, Lambda adapter, Bedrock agent with Claude Sonnet, S3 Vectors knowledge base, DynamoDB state, and cross-account IAM read access to customer AWS accounts.]

Nine pieces doing one job.

Bedrock Agent (Claude Sonnet 4.6)
Orchestrates retrieval, action-group invocation, and the natural-language response. Practitioner voice and framework instructions are baked into the agent instruction. Runs behind a cross-region inference profile.

Knowledge Base (S3 Vectors)
Skyform's six-pillar maturity framework plus a governance baseline; customer-specific KB sections are optional. Embeddings are indexed for semantic retrieval at query time.

Action Groups (Lambda + boto3)
Cost Explorer, Compute Optimizer, Trusted Advisor, Budgets, and Anomaly Detection. Each Lambda assumes the customer's cross-account role and works with temporary credentials obtained for that one request.

Copilot Adapter (Lambda Function URL)
Microsoft 365 Copilot entry point. Validates the Cognito JWT or X-API-Key, enforces per-tenant rate limits and monthly quotas, and maps Copilot conversations to Bedrock sessions.

Identity (Cognito + OAuth 2.0)
Authorization code flow with PKCE. Per-tenant client credentials registered with the Microsoft Developer Portal as OAuthPluginVault. JWT validated against the Cognito JWKS on every request.

State + Quotas (DynamoDB)
Per-tenant session mapping (Copilot conversation to Bedrock session, with TTL), per-minute and per-month quota counters updated with atomic increments, and customer tier metadata.

Guardrails (Bedrock Guardrails)
Denied topics, PII detection and masking, prompt-injection (prompt-attack) filter. Applied to every Bedrock invocation. Policy versioned in Terraform.

Cross-Account IAM (STS AssumeRole + ExternalId)
Customer deploys a read-only IAM role via CloudFormation StackSet. Trust policy scoped to Skyform's AWS account plus a per-tenant external_id. Ridgeline never holds long-lived customer credentials.

Observability (CloudWatch + structured JSON)
Per-request structured logs (auth, latency, tier, quota), Bedrock invocation metrics, action-group error tracking. Cost-allocation tagged for per-tenant cost attribution.

Microsoft 365 Copilot to AWS data, in eight steps.

01. User asks Ridgeline a question in Microsoft 365 Copilot. Copilot invokes the declarative agent and dispatches to the registered API plugin.
02. Copilot calls the Lambda Function URL with the user's text and a Cognito-issued JWT (acquired via the OAuth authorization code flow).
03. Adapter Lambda validates the JWT against the Cognito JWKS (signature, issuer, scope, expiration), checks the per-minute and per-month quotas, and resolves the Copilot conversation_id to a persistent Bedrock session_id.
04. Adapter invokes the Bedrock agent with the user's text and session attributes (current_date, tenant_id, role_arn).
05. Bedrock agent retrieves relevant KB chunks and optionally calls action-group Lambdas to fetch live AWS data.
06. Action-group Lambda assumes the customer's cross-account role via STS (with the tenant's ExternalId), receives temporary credentials, and calls Cost Explorer or Compute Optimizer in the customer's account.
07. Bedrock agent synthesizes the response (markdown tables, citations, follow-up suggestions). Adapter extracts the follow-up chips and source citations and returns structured JSON to Copilot.
08. Copilot renders the response in the user's Teams chat with follow-up suggestion chips.

Read-only, scoped, no data at rest.

Authentication and authorization

OAuth 2.0 authorization code flow via Cognito, with per-tenant client credentials. The JWT signature is verified against the Cognito JWKS on every request. An X-API-Key path is retained as a fallback for non-OAuth integrations; keys are validated with a constant-time comparison.
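What the adapter's per-request check amounts to, as an added example for this briefing rather than Ridgeline's own code. Signature verification against the Cognito JWKS is delegated to a caller-supplied verify_signature function (with PyJWT that is jwt.decode(token, key, algorithms=["RS256"]) using the key the header kid selects from the JWKS); the block enforces the claim policy on what that returns and adds two checks the list above does not name: token_use must be "access", and client_id must map to a registered tenant, since Cognito access tokens carry client_id rather than aud. The issuer, client ID, scope, JWKS kid and API key are constructed placeholders.

```python
"""Adapter-side authentication for the Lambda Function URL.

Added example for this briefing, not Ridgeline's code. Pool, client ID, scope, JWKS kid
and API key are constructed placeholders. verify_signature is supplied by the caller and
must check the RS256 signature against the Cognito JWKS, e.g. with PyJWT:
    header = jwt.get_unverified_header(token)
    claims = jwt.decode(token, jwks_key_for(header["kid"]), algorithms=["RS256"])
"""
import hashlib
import hmac
import time

ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # placeholder user pool
REQUIRED_SCOPE = "ridgeline/query"                                          # placeholder custom scope
JWKS_KIDS = {"kid-2026-01"}                                                 # kids in the cached JWKS
TENANT_BY_CLIENT_ID = {"1example23456789": "acme"}                          # Cognito app client -> tenant
# API keys are stored as SHA-256 digests; the plaintext here exists only to build the placeholder.
API_KEY_DIGEST_BY_TENANT = {"acme": hashlib.sha256(b"rk_constructed_example_key").digest()}


class AuthError(Exception):
    pass


def check_jwt_claims(header, claims, now):
    """Claim policy applied after the signature has been verified. Returns the tenant."""
    if header.get("alg") != "RS256":          # Cognito signs RS256; refuse none/HS256 outright
        raise AuthError("unexpected alg")
    if header.get("kid") not in JWKS_KIDS:    # unknown kid: do not refetch on demand, do not guess
        raise AuthError("kid not in JWKS")
    if claims.get("iss") != ISSUER:
        raise AuthError("wrong issuer")
    if claims.get("token_use") != "access":   # ID tokens carry no scope and are not API credentials
        raise AuthError("not an access token")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AuthError("token expired")
    tenant = TENANT_BY_CLIENT_ID.get(claims.get("client_id"))  # the audience check for access tokens
    if tenant is None:
        raise AuthError("client_id not registered to a tenant")
    if REQUIRED_SCOPE not in str(claims.get("scope", "")).split():
        raise AuthError("missing scope")
    return tenant


def check_api_key(presented):
    """Constant-time match against every tenant's digest; no early exit on the first mismatch."""
    digest = hashlib.sha256(presented.encode()).digest()
    matched = None
    for tenant, stored in API_KEY_DIGEST_BY_TENANT.items():
        if hmac.compare_digest(stored, digest):
            matched = tenant
    if matched is None:
        raise AuthError("invalid API key")
    return matched


def authenticate(headers, verify_signature, now=None):
    """Returns a dict shaped for the structured auth log entry.
    A bearer token, if present, is decisive: a bad bearer is never downgraded to the API-key path."""
    now = time.time() if now is None else now
    h = {k.lower(): v for k, v in headers.items()}
    try:
        auth = h.get("authorization", "")
        if auth.lower().startswith("bearer "):
            try:
                header, claims = verify_signature(auth[7:].strip())
            except Exception:
                raise AuthError("signature verification failed")
            return {"ok": True, "method": "jwt", "tenant": check_jwt_claims(header, claims, now)}
        if "x-api-key" in h:
            return {"ok": True, "method": "api_key", "tenant": check_api_key(h["x-api-key"])}
        raise AuthError("no credentials")
    except AuthError as err:
        return {"ok": False, "reason": str(err)}
```

Two design choices worth keeping: the bearer path is tried first and its failure is final, so a caller cannot sidestep a tenant's OAuth configuration by attaching an API key alongside a forged token; and the API-key loop compares against every stored digest rather than returning on the first hit, so timing does not reveal which tenant a guessed key was closest to.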

Data residency

Ridgeline stores no AWS billing or usage data at rest. Customer data is read on demand via cross-account IAM and returned to the agent in-memory. Conversation transcripts stored only for the active Bedrock session window.

Cross-account access

Customer deploys a read-only IAM role whose trust policy is scoped to Skyform's account plus a per-customer ExternalId. Permissions are limited to the FinOps APIs (ce, compute-optimizer, support for Trusted Advisor, budgets, tag). No write or delete permissions are ever requested.
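A check Skyform's side can run on the role a tenant deployed before the first AssumeRole, as an added example for this briefing rather than Ridgeline's or the StackSet's own code. It lints both the trust policy (principal restricted to Skyform's account, sts:ExternalId condition present and matching, nothing but AssumeRole allowed) and the permissions policy (only the five services named above, only Get/List/Describe/View verbs, no wildcards, no NotAction). The account ID, ExternalId and the four policy documents are constructed placeholders; the action names are real IAM actions for those services, picked here as a plausible read-only set rather than Ridgeline's actual list.

```python
"""Lint a tenant's cross-account role (trust policy and permissions) before trusting it.

Added example for this briefing, not Ridgeline's code. Account ID, ExternalId and the
policy documents are constructed placeholders.
"""
import re

SKYFORM_ACCOUNT = "111122223333"        # placeholder for Skyform's AWS account ID
EXTERNAL_ID = "tenant-0f3a9c-example"   # placeholder per-tenant ExternalId

ALLOWED_SERVICES = {"ce", "compute-optimizer", "support", "budgets", "tag"}  # the briefing's FinOps scope
READ_VERB = re.compile(r"^(Get|List|Describe|View)[A-Za-z0-9]*$")
PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(root|role/[\w+=,.@/-]+)$")

GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{SKYFORM_ACCOUNT}:root"},
    "Action": "sts:AssumeRole",
    # Without this condition anyone who knows Skyform's account ID could point Skyform's
    # Lambdas at a role of their choosing (confused deputy); the ExternalId binds role to tenant.
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
}]}

GOOD_PERMISSIONS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ce:GetCostAndUsage", "ce:GetCostForecast", "ce:GetAnomalies",
               "compute-optimizer:GetEC2InstanceRecommendations",
               "support:DescribeTrustedAdvisorChecks", "support:DescribeTrustedAdvisorCheckResult",
               "budgets:ViewBudget", "tag:GetResources"],
    "Resource": "*",   # Cost Explorer and most of these APIs have no resource-level permissions
}]}

# Constructed counter-examples: a role anyone can assume, and one that can write.
BAD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
BAD_PERMISSIONS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ce:*", "ec2:TerminateInstances", "budgets:ModifyBudget"],
    "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_trust_policy(doc, expected_account=SKYFORM_ACCOUNT, expected_external_id=EXTERNAL_ID):
    """Return findings; an empty list means the trust policy is scoped as the briefing describes."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action not in ("sts:AssumeRole", "sts:TagSession"):
                findings.append(f"stmt {i}: unexpected action {action!r}")
        principal = st.get("Principal", {})
        arns = _as_list(principal.get("AWS", ["<none>"])) if isinstance(principal, dict) else [principal]
        for arn in arns:
            m = PRINCIPAL_ARN.match(str(arn))
            if not m or m.group(1) != expected_account:
                findings.append(f"stmt {i}: principal {arn!r} is not scoped to account {expected_account}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != expected_external_id:
            findings.append(f"stmt {i}: sts:ExternalId condition missing or does not match")
    return findings


def lint_permissions_policy(doc, allowed_services=ALLOWED_SERVICES):
    """Return findings for anything beyond read-only access to the FinOps services."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"stmt {i}: NotAction/NotResource grants everything it does not name")
        for action in _as_list(st.get("Action", [])):
            service, _, verb = action.partition(":")
            if "*" in action:
                findings.append(f"stmt {i}: wildcard action {action!r}")
            elif service not in allowed_services:
                findings.append(f"stmt {i}: {action!r} is outside the FinOps read scope")
            elif not READ_VERB.match(verb):
                findings.append(f"stmt {i}: {action!r} is not a read-only verb")
    return findings
```

Run both linters against the documents iam:GetRole and iam:GetRolePolicy return for the tenant's role and refuse to onboard on any finding; the trust-policy check is the one that matters most, because a role that trusts Skyform's whole account without an ExternalId is exactly the setup a third party needs to route Skyform's credentials at an account that is not theirs.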

Rate limiting and abuse protection

Per-tenant per-minute and per-month quota counters are maintained with atomic DynamoDB increments. Reserved Lambda concurrency caps the blast radius. Bedrock Guardrails filter prompt injection and PII.
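The atomic increment described above, as an added example for this briefing rather than Ridgeline's code. quota_update() builds the UpdateItem call whose ConditionExpression DynamoDB evaluates in the same operation as the ADD, and consume() charges a request against the minute and month windows in turn. The key layout, window sizes, TTL grace and limits are assumptions, and FakeTable is an in-memory stand-in for the one UpdateItem pattern used here so the block runs offline; with boto3 the same kwargs go to Table.update_item() and the rejection arrives as a botocore ClientError whose error code is ConditionalCheckFailedException.

```python
"""Per-tenant quota enforcement as an atomic DynamoDB conditional increment.

Added example for this briefing, not Ridgeline's code. Table layout, window sizes and
limits are assumptions. FakeTable models only the UpdateItem pattern built below.
"""
import time

WINDOW_SECONDS = {"MIN": 60, "MON": 31 * 86400}
CONDITION = "attribute_not_exists(#n) OR #n < :limit"


def window_key(tenant, kind, now):
    # Fixed windows: a per-minute bucket keyed by its start epoch, a month bucket keyed by YYYY-MM (UTC).
    start = int(now) // 60 * 60 if kind == "MIN" else time.strftime("%Y-%m", time.gmtime(now))
    return {"pk": f"TENANT#{tenant}", "sk": f"QUOTA#{kind}#{start}"}


def quota_update(tenant, kind, limit, now):
    """UpdateItem kwargs. DynamoDB evaluates the condition and applies the ADD as one operation,
    so N concurrent requests arriving at count == limit-1 admit exactly one; a GetItem-then-PutItem
    check would admit all N. 'count' and 'ttl' are reserved words, hence the #n/#ttl aliases."""
    return {
        "Key": window_key(tenant, kind, now),
        "UpdateExpression": "ADD #n :one SET #ttl = if_not_exists(#ttl, :ttl)",
        "ConditionExpression": CONDITION,
        "ExpressionAttributeNames": {"#n": "count", "#ttl": "ttl"},
        "ExpressionAttributeValues": {
            ":one": 1,
            ":limit": limit,
            ":ttl": int(now) + WINDOW_SECONDS[kind] + 300,  # item expiry: window length plus grace
        },
    }


class ConditionalCheckFailed(Exception):
    """Stands in for botocore ClientError with code ConditionalCheckFailedException."""


class FakeTable:
    """In-memory stand-in (constructed for this example) honouring quota_update()'s pattern."""

    def __init__(self):
        self.items = {}

    def update_item(self, Key, UpdateExpression, ConditionExpression,
                    ExpressionAttributeNames, ExpressionAttributeValues):
        assert ConditionExpression == CONDITION, "fake models only the quota pattern"
        item = self.items.setdefault((Key["pk"], Key["sk"]), {})
        vals = ExpressionAttributeValues
        if "count" in item and not item["count"] < vals[":limit"]:
            raise ConditionalCheckFailed(Key)
        item["count"] = item.get("count", 0) + vals[":one"]
        item.setdefault("ttl", vals[":ttl"])
        return item


def consume(table, tenant, limits, now=None):
    """Charge one request against every window; returns (allowed, detail).
    Minute window first: it is the one most likely to reject, and a minute token spent on a
    request the month window then rejects corrects itself within 60 seconds."""
    now = time.time() if now is None else now
    for kind in ("MIN", "MON"):
        try:
            table.update_item(**quota_update(tenant, kind, limits[kind], now))
        except ConditionalCheckFailed:
            return False, f"{kind} quota exceeded"
    return True, "ok"
```

Because the counter lives under the tenant's partition key and the limit is passed in from the tenant's tier record, two tenants never share a bucket and a tier change takes effect on the next request without touching existing items; the TTL attribute lets DynamoDB expire finished windows so the table does not grow with traffic.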

Read-only IAM
No data at rest
JWT + JWKS validation
Cross-account ExternalId
Bedrock Guardrails (PII + prompt-attack)
Per-tenant rate limit
Reserved concurrency
CloudWatch structured logs

Hosted SaaS or self-hosted. Pick what fits.

Hosted SaaS ($99/mo to $1,500/mo)
  Where it runs: Skyform's AWS account.
  Customer effort: Deploy IAM role via CloudFormation (5 min). Add Teams plugin.
  Best for: SMB and mid-market. Fastest time-to-value.

Self-Hosted Standard ($60K to $100K / yr)
  Where it runs: Customer's AWS account (Shared Services).
  Customer effort: Deploy Terraform module. StackSet propagates IAM roles to workload accounts.
  Best for: Platform teams with a multi-account AWS Org. Data sovereignty.

Self-Hosted Premium ($150K to $300K / yr)
  Where it runs: Customer's Landing Zone (Skyform-led deploy).
  Customer effort: Skyform deploys, customizes the KB, integrates with existing observability.
  Best for: Enterprise CIO. Compliance-heavy industries.

Three ways to talk to Ridgeline.

Microsoft 365 Copilot (declarative agent + API plugin)
Primary frontend. Teams chat experience. OAuth via Cognito. Where most users live.

Streamlit Web UI (EC2 or local)
Calls Bedrock InvokeAgent directly for demos and admin tasks. Useful for sales and onboarding. Because it goes to Bedrock rather than through the adapter, this path is authorized by AWS IAM credentials (bedrock:InvokeAgent) and does not pass the adapter's JWT validation or per-tenant quota counters; treat access to it as admin access.

REST API (Lambda Function URL)
Direct integration via JWT or API key. Same endpoint Copilot uses. For custom frontends.

Built by practitioners. Ridgeline is the platform Skyform uses to deliver outcomes for our own consulting clients. We dogfood it, build features as we hit gaps, and ship updates publicly. The architecture above is what runs in production today.

Want to see Ridgeline in action?

Book a 30-minute demo and we'll show Ridgeline against a real AWS environment (yours or ours). You'll see the architecture working end-to-end and we'll scope a deployment that fits your team.