Automated Deployment of EC2 Web Application

Last Updated: September 2020

Authors: Ben Potter, Security Lead, Well-Architected & Rodney Lester, Manager, Well-Architected


This hands-on lab will guide you through the steps to configure a web application in Amazon EC2 with a defense in depth approach incorporating a number of AWS security best practices. The skills you learn will help you secure your workloads in alignment with the AWS Well-Architected Framework. The WordPress example CloudFormation template will deploy a basic WordPress content management system, This example is not intended to be a comprehensive WordPress system, please consult Build a WordPress Website for more information.

This lab will create the web application and all components using the example CloudFormation template, inside the VPC you have created previously. The components created include:

  • Application load balancer
  • Auto scaling group of web instances
  • A role attached to the auto-scaled instances allows temporary security credentials to be used
  • Instances use Systems Manager instead of SSH for administration
  • Amazon Aurora serverless database cluster
  • Secrets manager secret for database cluster
  • AWS Key Management Service is used for key management of Aurora database
  • Security groups for load balancer and web instances to restrict network traffic
  • Custom CloudWatch metrics and logs for web instances
  • IAM role for web instances that grants permission to Systems Manager and CloudWatch
  • Instances are configured from the latest Amazon Linux 2 Amazon Machine Image at boot time using user data to install agents and configure services

Overview of wordpress stack architecture: architecture

An SSH key is not configured in this lab, instead AWS Systems Manager should be used to manage the EC2 instances as a more secure and scalable method.
The Application Load Balancer will listen on unencrypted HTTP (port 80), it is a best practice to encrypt data in transit, you can configure a HTTPS listener after completion of this lab.
An example amazon-cloudwatch-agent.json file is provided and automatically downloaded by the instances to configure CloudWatch metrics and logs, this requires that you follow the example naming prefix of WebApp1.


  • An AWS account that you are able to use for testing.
  • Permissions to create resources in CloudFormation, EC2, VPC, IAM, Elastic Load Balancing, CloudWatch, Aurora RDS, KMS, Secrets Manager, Systems Manager.
  • Basic understanding of AWS CloudFormation, visit the Getting Started section of the user guide.
  • Deployed the CloudFormation VPC stack in the lab Automated Deployment of VPC.


Typically less than $20 per month if the account is only used for personal testing or training, and the tear down is not performed: