About This Architecture
This multi-tier digital identity enrollment system on AWS issues PKI certificates through Active Directory Certificate Services (AD CS). Citizens submit enrollment requests through a WAF-protected Application Load Balancer to EC2-hosted web portals spread across two Availability Zones. The Web Enrollment Portal validates each request against a civil registry held in a SQL Server RDS database, then hands the certificate request to a Certificate Processing Service, which submits it to a Root CA running AD CS on EC2. RDS Multi-AZ replication from the primary instance to a standby in the other zone keeps enrollment data available if an Availability Zone fails. Two design caveats apply to the CA tier as drawn: issuing end-entity certificates directly from the root CA is not standard PKI practice (a production deployment normally keeps the root offline and has the Certificate Processing Service enroll against an online subordinate issuing CA), and the CA's private key should be held in an HSM rather than on the instance's disk. Fork this architecture on Diagrams.so to customize instance types, add HSM integration for CA key storage, or extend it with biometric verification services.
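As an added example, not part of the Diagrams.so page or its diagram, the following Terraform sketch implements the edge and data tiers of this architecture with the network boundaries the description implies: a WAF web ACL attached to the Application Load Balancer, a Multi-AZ SQL Server RDS instance for the civil registry, and security groups that let each tier talk only to the tier in front of it, so the CA accepts enrollment traffic only from the Certificate Processing Service. The VPC and subnet IDs, the resource names, and the internal service ports are assumptions; EC2 instances, listeners and target groups are omitted.

```hcl
# Added illustration, not the Diagrams.so page's own code. Variables, names and
# internal ports are assumptions; EC2 hosts, listeners and target groups are omitted.
variable "vpc_id"          { type = string }
variable "public_subnets"  { type = list(string) } # one per AZ, for the ALB
variable "private_subnets" { type = list(string) } # one per AZ, for RDS

# One security group per tier. SG ingress is deny-by-default, so only the
# hops listed in local.hops are reachable; everything else is dropped.
resource "aws_security_group" "tier" {
  for_each = toset(["alb", "portal", "processing", "ca", "registry"])
  name     = "enrollment-${each.key}"
  vpc_id   = var.vpc_id
}

locals {
  hops = {
    # internet -> ALB over HTTPS only; WAF inspects before the portal sees it
    internet_alb = { dst = "alb", src_sg = "", cidr = "0.0.0.0/0", from_port = 443, to_port = 443 }
    alb_portal   = { dst = "portal", src_sg = "alb", cidr = "", from_port = 443, to_port = 443 }
    portal_proc  = { dst = "processing", src_sg = "portal", cidr = "", from_port = 443, to_port = 443 }
    portal_db    = { dst = "registry", src_sg = "portal", cidr = "", from_port = 1433, to_port = 1433 }
    # AD CS enrollment over DCOM needs the RPC endpoint mapper (135) plus the
    # dynamic RPC range, and only the Certificate Processing Service may use it
    proc_ca_epm  = { dst = "ca", src_sg = "processing", cidr = "", from_port = 135, to_port = 135 }
    proc_ca_rpc  = { dst = "ca", src_sg = "processing", cidr = "", from_port = 49152, to_port = 65535 }
  }
}

resource "aws_security_group_rule" "hop" {
  for_each                 = local.hops
  type                     = "ingress"
  protocol                 = "tcp"
  security_group_id        = aws_security_group.tier[each.value.dst].id
  from_port                = each.value.from_port
  to_port                  = each.value.to_port
  source_security_group_id = each.value.src_sg == "" ? null : aws_security_group.tier[each.value.src_sg].id
  cidr_blocks              = each.value.cidr == "" ? null : [each.value.cidr]
}

# Regional WAF with the AWS managed common rule set, associated with the ALB.
resource "aws_wafv2_web_acl" "portal" {
  name  = "enrollment-portal"
  scope = "REGIONAL"
  default_action {
    allow {}
  }
  rule {
    name     = "aws-common"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "enrollment-portal"
    sampled_requests_enabled   = true
  }
}

resource "aws_lb" "portal" {
  name               = "enrollment-portal"
  load_balancer_type = "application"
  subnets            = var.public_subnets # spans both AZs
  security_groups    = [aws_security_group.tier["alb"].id]
}

resource "aws_wafv2_web_acl_association" "portal" {
  resource_arn = aws_lb.portal.arn
  web_acl_arn  = aws_wafv2_web_acl.portal.arn
}

# Civil registry: SQL Server on RDS with a synchronous standby in the other AZ.
resource "aws_db_subnet_group" "registry" {
  name       = "civil-registry"
  subnet_ids = var.private_subnets
}

resource "aws_db_instance" "registry" {
  identifier                  = "civil-registry"
  engine                      = "sqlserver-se"
  license_model               = "license-included"
  instance_class              = "db.m5.large"
  allocated_storage           = 100
  multi_az                    = true # standby in the second AZ, failover on AZ loss
  storage_encrypted           = true
  publicly_accessible         = false
  username                    = "registry_admin"
  manage_master_user_password = true # master secret in Secrets Manager, not in state
  db_subnet_group_name        = aws_db_subnet_group.registry.name
  vpc_security_group_ids      = [aws_security_group.tier["registry"].id]
  deletion_protection         = true
}
```

The control that matters most here is the `ca` security group admitting only the `processing` group on the RPC ports: the CA is never reachable from the portal tier or the internet even if the WAF is bypassed. Moving to an offline root with an online issuing CA would add a second CA security group with no ingress rules at all, and HSM-backed key storage (for example AWS CloudHSM) would be attached to the issuing CA instance rather than to this sketch's single root.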