AWS Services in Loan Management Systems
Drawing on the client’s business goals, we delivered AWS-powered email marketing tools along with machine learning and database access solutions, while preserving security and seamless processing of loans.
Prediction-based Credit Scoring
AWS Machine Learning comprises a set of ML-enabled functionalities, including deep learning services, frameworks, computation resources, and analytical and learning tools. Users can build, deploy, and implement ML models across multiple industries, verticals, and use cases: personalizing experiences, building forecasting models, recognizing images, videos, and texts, interpreting audio, building conversational agents, and more. For this project, we implemented the AWS Machine Learning services that autonomously make credit forecasts through deep learning models. Based on the historical data, we built a model that accepted leads’ demographic information and underwriting results as input. Using the collected data, our AI-based model then estimated the probability of a default.
Access to the Loan Management System from Dynamic IPs
We developed a Loan Management System that the client could access only from the office, i.e., from the allowed set of IP addresses. Additionally, several privileged users must have access to the system from any IP. Previously, the problem was addressed through IP filtering at the application level, depending on a particular user’s granted permissions. However, that approach couldn’t guarantee protection against attacks. In this light, Armada Labs undertook the task of providing secure access to the system from custom IPs (in addition to the initially defined ones).
For the project, we implemented the AWS Lambda, AWS API Gateway (for API management), AWS S3-based static website (for web-enabled object storage), AWS Cognito (for user authentication upon login), and Amazon SNS (for SMS notifications) services in our Loan Management System (LMS). Our team thoroughly analyzed the server and application for standard vulnerabilities and decided to safeguard both with Security Groups, the virtual Amazon firewall. We use two security groups: the first holds the initially allowed IP addresses, and the second is created for addresses added dynamically.
When a user needs to access the LMS from outside the office, they can log into the separate system and either allow their current IP (determined dynamically) or enter the required IP manually (for example, at a client’s request) to add it to a whitelist. After this, the user receives an SMS notification, and the new IP is added to Security Groups together with information about the user and the date when it was added.
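The whitelisting step described above, sketched as the function a Lambda handler could call (an added example, not Armada Labs’ code). The names `build_rule`, `allow_ip` and `expired_rules`, port 443, the description format and the 12-hour expiry are assumptions made for illustration; `authorize_security_group_ingress` is the boto3 EC2 client call.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Ranges that must never enter the dynamic group: private, loopback, link-local, multicast.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
USER_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")  # subset of what a rule description accepts
STAMP = "%Y-%m-%dT%H:%MZ"                        # UTC timestamp stored in the description

def build_rule(user, ip, now, port=443):
    """Build the IpPermissions entry that admits exactly one public IPv4 address."""
    addr = ipaddress.IPv4Address(ip.strip())     # ValueError for CIDR ranges, IPv6, junk
    if any(addr in net for net in BLOCKED):
        raise ValueError(f"{addr} is not a public address")
    if not USER_RE.fullmatch(user):
        raise ValueError("user name is not safe to store in a rule description")
    desc = f"dynamic user={user} added={now.strftime(STAMP)}"
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": f"{addr}/32", "Description": desc}]}

def allow_ip(ec2, group_id, user, ip, now=None):
    """Add the address to the dynamic security group; ec2 is a boto3 EC2 client."""
    rule = build_rule(user, ip, now or datetime.now(timezone.utc))
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[rule])
    return rule

def expired_rules(permissions, now, max_age=timedelta(hours=12)):
    """Pick dynamic entries older than max_age (assumed policy) out of IpPermissions."""
    stale = []
    for perm in permissions:
        old = []
        for rng in perm.get("IpRanges", []):
            m = re.search(r"added=(\S+)", rng.get("Description", ""))
            if not m:
                continue                         # static office entry: never expires here
            added = datetime.strptime(m.group(1), STAMP).replace(tzinfo=timezone.utc)
            if now - added > max_age:
                old.append({"CidrIp": rng["CidrIp"]})
        if old:
            stale.append({"IpProtocol": perm["IpProtocol"], "FromPort": perm["FromPort"],
                          "ToPort": perm["ToPort"], "IpRanges": old})
    return stale
```

Storing the user and date in the rule description is what makes the dynamic group auditable and lets a scheduled job remove entries that have outlived their purpose.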
Mailout Compliant with Amazon Email Processing Requirements
Amazon Simple Email Service (Amazon SES) allows businesses to send various types of email content, including marketing messages, transactional emails, notifications, and other content without upfront fees. Among the distinctive features of Amazon SES are content filtering, reputation dashboards, IP whitelisting, custom rules for email sending, and more. Amazon requires customers who use its email sending services to process Bounce and Complaint issues in addition to regular emails. Otherwise, the system might block access to SES services for the associated account. We configured Amazon SES together with AWS Simple Queue Service (for message queueing) and Amazon Simple Notification Service (for notification management), which allowed us to deliver full-featured email sending functionality to the client, including Bounce and Complaint processing, email delivery tracking, and analysis of email open rates and click rates of links included in emails.
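Bounce and Complaint processing on the consumer side of that pipeline, as an added example that is not code from the project: it assumes SES publishes notifications to an SNS topic subscribed to an SQS queue, and uses the SES notification JSON fields (`notificationType`, `bounce.bouncedRecipients`, `complaint.complainedRecipients`). The function names `ses_notification` and `triage` are hypothetical.

```python
import json

def ses_notification(sqs_body):
    """Unwrap one SQS message body into the SES notification it carries."""
    outer = json.loads(sqs_body)
    # Without raw message delivery, SNS wraps the SES JSON in its own envelope.
    if outer.get("Type") == "Notification" and "Message" in outer:
        return json.loads(outer["Message"])
    return outer

def triage(sqs_bodies):
    """Return (suppress, retry, rejected): addresses to stop mailing with the reason,
    addresses that bounced transiently, and the number of unparseable bodies."""
    suppress, retry, rejected = {}, set(), 0
    for body in sqs_bodies:
        try:
            note = ses_notification(body)
            kind = note["notificationType"]
            if kind == "Complaint":
                detail, reason = note["complaint"]["complainedRecipients"], "complaint"
            elif kind == "Bounce":
                hard = note["bounce"]["bounceType"] == "Permanent"
                detail = note["bounce"]["bouncedRecipients"]
                reason = "hard-bounce" if hard else None
            else:
                continue                     # Delivery notifications need no action here
            addrs = [r["emailAddress"].lower() for r in detail]
        except (ValueError, TypeError, KeyError, AttributeError):
            rejected += 1                    # route to a dead-letter queue, never drop silently
            continue
        for addr in addrs:
            if reason == "complaint":
                suppress[addr] = reason      # a complaint always wins over a bounce
            elif reason:
                suppress.setdefault(addr, reason)
            else:
                retry.add(addr)              # Transient or Undetermined bounce
    return suppress, retry.difference(suppress), rejected
```

Feeding the `suppress` result into the mailing list before the next send is what keeps bounce and complaint rates down; the `rejected` count is worth alerting on, since a silent parser failure looks the same as a clean sending reputation.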
Fast and Safe Access to AWS EC2 Servers
Amazon Elastic Compute Cloud (Amazon EC2) is a cloud-based solution that allows users to run applications on virtual machines. EC2 provides a web service for configuring VMs, or instances, with custom software. Users can create, launch, or terminate server instances and manage the geographical location of each instance to optimize latency. The application server is isolated from the outside world, except for allowed IPs over the HTTPS protocol. The challenge was to establish a connection to EC2 servers from Armada Labs’ local IPs while maintaining security and reliability for users. We provided access to the server through the Remote Desktop Protocol (RDP) on a single-app bastion host. A user can connect to EC2 servers from Armada Labs’ local IPs. AWS databases can’t be accessed from outside the Virtual Private Cloud (VPC); they are available only to the EC2 Application Server in the same VPC. The replication server can be accessed only from our local IPs through port 1433. In the event of an intrusion, attackers would gain access only to the bastion host, without breaking into the AWS databases directly.
- Efficient email marketing campaigns, with campaigns’ real-time performance statistics
- Email sending in complete compliance with Amazon’s Bounce and Complaint processing requirements
- Safe access to the Loan Management System from dynamic IP addresses
- Seamless access to AWS EC2 servers safeguarded against outside intrusion
- Data-driven analysis of the efficiency of the client’s current decision/scoring models