Using Your Own AWS Hosting with Private LLM

Deploy Sasha on your own AWS infrastructure for complete data sovereignty, with the AI powered by Amazon Bedrock — a private LLM that keeps all your data within your environment.


Why Host on Your Own AWS?

Your data never leaves your environment. When Sasha runs on your AWS account, all processing — your documents, conversations, and AI interactions — stays within infrastructure you own and control. Amazon Bedrock provides the AI capability as a fully managed service inside AWS, so there is no data transfer to third-party AI providers.

This is the gold standard for organizations with strict compliance requirements: HIPAA, SOX, FedRAMP, or simply a security-first culture. You get the full power of Sasha's knowledge management with complete auditability and control.


Hosting Models — Choose What Works for You

Every organization is different. Sasha supports multiple hosting models so you can pick the right balance of control, convenience, and cost.

🟢 Our Infrastructure, Our Management (Fastest Start)

Sasha runs entirely on our managed hosting. You're up and running in minutes with zero infrastructure work on your side. AI is provided via our Anthropic API integration. Ideal for teams that want to get started immediately and don't have compliance requirements mandating self-hosting.

You provide: Nothing — just sign up and go.
We handle: Hosting, updates, scaling, backups, AI access.

Your AWS, Our Management (Recommended for Compliance)

Sasha runs on your AWS account, but we manage the deployment, updates, and operations for you. You create a dedicated IAM user with the right permissions and hand us the credentials. From there, we automate everything — deploying Sasha as an ECS Fargate service with persistent storage, HTTPS routing, and Amazon Bedrock for private AI.

You provide: AWS credentials (IAM user with specific permissions), an SSL certificate, and DNS configuration.
We handle: Deployment, updates, scaling, monitoring, troubleshooting.

This is what most compliance-focused organizations choose. Your data lives entirely in your AWS account while we handle the operational complexity.

🟣 Your AWS, Your Management, Our Support

For organizations with dedicated DevOps teams who want full control. We provide the container images, documentation, and architecture guidance. Your team deploys and manages Sasha in your own AWS environment. We're available for support, upgrades, and troubleshooting.

You provide: Full AWS environment management and operations.
We provide: Container images, documentation, architecture support, and an escalation path.


Key Benefits of AWS Self-Hosting

Complete Data Privacy

Your documents, conversations, and AI processing all stay within your AWS account. Bedrock runs inside AWS — there's no data transfer to any external AI provider. Meets HIPAA, SOX, FedRAMP, and GDPR requirements.

Transparent, Direct Billing

All AWS costs go directly to your account — compute, storage, networking, and Bedrock AI usage. No middleman, no markup. Use AWS Cost Explorer and budgets to track and control spending.

Full Visibility and Auditability

CloudWatch logs, CloudTrail audit trails, and AWS billing dashboards give you complete visibility into what Sasha is doing, when, and how much it costs. Every API call, every container event — all in your AWS account.

Pause and Save

When a Sasha instance isn't needed (e.g. a client project wraps up), you can pause it with one click. Paused instances cost $0 in compute — you only pay for persistent storage (pennies per month). Unpause anytime to bring it right back.


How the Setup Works

The setup is a straightforward recipe. You handle a few one-time steps in your AWS Console, give us the credentials, and we automate everything from there.

Step 1

Create an IAM User
In your AWS Console, create a dedicated user (e.g. sasha-deployer) with programmatic access and the required permissions policy. This takes about 10 minutes.

Step 2

Request an SSL Certificate
In AWS Certificate Manager, request a wildcard certificate for your domain. AWS validates it via DNS and it auto-renews forever. Free of charge.

Step 3

Give Us the Credentials
Share the IAM Access Key ID, Secret Access Key, and Certificate ARN with us. We encrypt them with AES-256 immediately — we only ever see the last 4 characters after that.

Step 4

We Set Up Everything Else
We run an automated setup that creates all the infrastructure in your account in about 5 minutes: container registry, load balancer, file system, cluster, security groups, IAM roles, and logging.


What You Need to Do (The Recipe)

1. Create a Dedicated IAM User

Go to IAM → Users → Create user in your AWS Console. Name it something like sasha-deployer. Choose programmatic access (access keys, not console login).

Attach a custom IAM policy that grants permissions for: ECS, ECR, ELB, EFS, EC2 (VPC/subnets/security groups), IAM role creation, CloudWatch Logs, and STS. We provide the exact JSON policy — you just paste it in.

After creating the user, go to Security credentials → Create access key. Copy both the Access Key ID and the Secret Access Key. The secret is only shown once.

2. Request an SSL Certificate

Go to AWS Certificate Manager (in the same region you'll use for hosting). Request a public certificate for your wildcard domain, e.g. *.app.yourdomain.com.

Choose DNS validation. ACM gives you a CNAME record to add to your DNS. Once it is added, the certificate validates automatically (usually within 30 minutes), and ACM renews it automatically for as long as that CNAME record stays in place and the certificate is in use. ACM certificates are free.

Copy the Certificate ARN from the certificate details page once it shows "Issued".

3. Share the Credentials with Us

Provide us with three things:

  • IAM Access Key ID (starts with AKIA...)
  • IAM Secret Access Key (the secret string)
  • ACM Certificate ARN (starts with arn:aws:acm:...)

We encrypt your credentials immediately with AES-256-GCM. After that, we can only see the last 4 characters. The credentials are used exclusively by our deployment automation — no human access.
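
Before pasting the provided policy in step 1 and handing over keys in step 3, it is worth reading the policy for scope. The sketch below is an added example, not the vendor's tooling or policy: it flags Allow statements that reach outside the services listed in step 1 or leave IAM role actions unscoped. The sample policy, the account ID and the `sasha-*` role prefix are constructed for illustration.

```python
import json

# Service prefixes for what the page lists: ECS, ECR, ELB, EFS, EC2, IAM,
# CloudWatch Logs, STS.
EXPECTED = {"ecs", "ecr", "elasticloadbalancing", "elasticfilesystem",
            "ec2", "iam", "logs", "sts"}
# IAM write actions that enable privilege escalation when left unscoped.
IAM_SENSITIVE = {"iam:createrole", "iam:attachrolepolicy",
                 "iam:putrolepolicy", "iam:passrole", "iam:*", "*"}

def as_list(value):
    """IAM accepts a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def review_policy(policy_json):
    """Return (sid, finding) pairs for Allow statements worth questioning."""
    findings = []
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement[{i}]")
        # Resource "*" with no Condition means no scoping at all.
        unscoped = "*" in as_list(st.get("Resource")) and not st.get("Condition")
        for action in (a.lower() for a in as_list(st.get("Action"))):
            service, _, name = action.partition(":")
            if service not in EXPECTED:
                findings.append((sid, f"outside documented services: {action}"))
            elif name == "*":
                findings.append((sid, f"service-wide wildcard: {action}"))
            if unscoped and action in IAM_SENSITIVE:
                findings.append((sid, f"unscoped IAM write: {action}"))
    return findings

# Constructed sample policy (NOT the vendor's); account ID and role prefix are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Deploy", "Effect": "Allow", "Resource": "*",
     "Action": ["ecs:RunTask", "ecr:PutImage", "logs:CreateLogGroup"]},
    {"Sid": "Roles", "Effect": "Allow", "Resource": "*",
     "Action": ["iam:CreateRole", "iam:PassRole"]},
    {"Sid": "ScopedRoles", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/sasha-*"},
    {"Sid": "Extra", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]})

if __name__ == "__main__":
    for sid, finding in review_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

The check does not evaluate `NotAction` or `Deny` statements; treat each finding as a question to raise before attaching the policy.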


What We Automatically Create in Your Account

Once you give us the credentials, our automated setup creates the following shared infrastructure in about 5 minutes:

ECR Container Registry — A private repository in your account where we store the Sasha container images. Images are automatically copied from our source registry to yours during each deployment.
Application Load Balancer (ALB) — Routes HTTPS traffic to the right Sasha instance based on subdomain. Shared across all instances in the region, so you only pay for one ALB regardless of how many Sasha instances you run.
ECS Fargate Cluster — Runs Sasha as serverless containers. No servers to manage or patch. Each instance runs as an isolated task with dedicated CPU and memory.
EFS Persistent Storage — Elastic file system that survives container restarts and redeployments. Each instance gets isolated access points for its data. Your documents and conversation history persist safely.
Security Groups + IAM Roles — Firewall rules that only allow HTTPS traffic in and restrict internal communication. IAM roles follow the principle of least privilege — each role only has the permissions it needs.

After setup, each time we deploy a new Sasha instance, we automatically create per-instance resources: dedicated storage access points, a load balancer routing rule, and a Fargate task definition.


How Your Team Uses the Private AI

Simple Chat Interface — Same Sasha, Your Infrastructure

Your team accesses Sasha through the same familiar chat interface. The only difference is what's happening behind the scenes: all AI processing is handled by Amazon Bedrock inside your AWS account, and all data is stored on your EFS filesystem.

Example Conversations:

  • "What was our approach to the Johnson project last year?"
  • "Find all contracts mentioning data security requirements"
  • "Summarize our compliance procedures for new team members"

Cost Transparency

What You'll Pay (Directly to AWS)

  • Fargate (1 vCPU, 2GB per instance): ~$30-35/month when running
  • Application Load Balancer (shared): ~$16-22/month
  • EFS Storage: ~$0.30/GB/month
  • Bedrock AI Usage: Pay-per-token (varies by model)
  • Paused instance: $0 compute — only storage

All costs go directly to your AWS bill. No markup from us. Use AWS Cost Explorer and budget alerts to track spending.


Perfect For

Healthcare Organizations — HIPAA compliant AI for patient data analysis
Government Agencies — Secure AI for classified information handling
Financial Services — SOX compliant AI for sensitive financial data
Legal Firms — Attorney-client privileged information stays secure
Any Organization with Compliance Requirements — When "our servers only" is a non-negotiable policy

📞 Getting Started

Ready to Deploy Sasha on Your AWS?

The setup takes less than an hour. You handle 3 simple steps in your AWS Console, and we automate everything else.

Most organizations are fully deployed and running within a single business day.

support@context-is-everything.com

Sasha AI Knowledge Management — Your knowledge, your infrastructure, your control