Level 200: Automated Deployment of EC2 Web Application

Authors

  • Ben Potter, Security Lead, Well-Architected
  • Rodney Lester, Manager, Well-Architected

Introduction

This hands-on lab will guide you through the steps to configure a web application in Amazon EC2 with a defense-in-depth approach that incorporates a number of AWS security best practices. The skills you learn will help you secure your workloads in alignment with the AWS Well-Architected Framework. The WordPress example CloudFormation template deploys a basic WordPress content management system. This example is not intended to be a comprehensive WordPress system; please consult Build a WordPress Website for more information.

This lab will create the web application and all of its components using the example CloudFormation template, inside the VPC you created previously. The components created include:

  • Auto scaling group of web instances
  • Application load balancer
  • Security groups for load balancer and web instances
  • Custom CloudWatch metrics and logs for web instances
  • IAM role for web instances that grants permission to Systems Manager and CloudWatch
  • Instances are configured from the latest Amazon Linux 2 Amazon Machine Image at boot time using user data to install agents and configure services

Overview of the WordPress stack architecture (architecture diagram).

An SSH key is not configured in this lab; instead, AWS Systems Manager should be used to manage the EC2 instances, as it is a more secure and scalable method.
The Application Load Balancer will listen on unencrypted HTTP (port 80). It is a best practice to encrypt data in transit, so you can configure an HTTPS listener after completing this lab.
An example amazon-cloudwatch-agent.json file is provided and is automatically downloaded by the instances to configure CloudWatch metrics and logs; this requires that you follow the example naming prefix of WebApp1.

Goals

  • Get temporary security credentials securely by using a role attached to the auto-scaled instances.
  • Restrict network traffic allowed through security groups.
  • Use CloudFormation to automate configuration management.
  • Instances do not allow SSH; Systems Manager is used for administration and management instead.
  • AWS Key Management Service is used for key management of the Aurora database.
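
The following CloudFormation fragment is an added illustration of the network and credential controls listed above, not the lab's own template: the load balancer security group accepts HTTP (port 80) from the internet, the web instance security group accepts HTTP only from the load balancer's security group and has no SSH rule, and the instance role grants only the AWS managed policies the Systems Manager agent and CloudWatch agent need. The VpcId parameter and the WebApp1-prefixed resource names are assumptions; the managed policy ARNs are AWS-provided.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Illustrative fragment (not the lab template) - WebApp1 security groups and instance role
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id   # assumed: the VPC deployed in the previous lab
Resources:
  # Load balancer: HTTP from anywhere; an HTTPS listener can be added after the lab
  WebApp1LoadBalancerSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: WebApp1 load balancer - HTTP from the internet
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
  # Web instances: HTTP only, and only from the load balancer's security group.
  # No port 22 rule exists; administration goes through Systems Manager.
  WebApp1InstanceSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: WebApp1 web instances - HTTP from load balancer only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref WebApp1LoadBalancerSG
  # Instance role: temporary credentials are delivered through the instance profile,
  # scoped to what the Systems Manager agent and CloudWatch agent require.
  WebApp1InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
        - arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
  WebApp1InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref WebApp1InstanceRole
```

Attach WebApp1InstanceProfile to the Auto Scaling launch configuration and WebApp1InstanceSG to the web instances; a review of the resulting security groups should show no inbound rule on port 22.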

Prerequisites

  • An AWS account that you can use for testing and that is not used for production or other purposes.
  • An IAM user or role in your AWS account with full access to CloudFormation, EC2, VPC, IAM, and Elastic Load Balancing. NOTE: You will be billed for any applicable AWS resources used in this lab that are not covered by the AWS Free Tier.
  • Basic understanding of AWS CloudFormation; see the Getting Started section of the user guide.
  • The CloudFormation VPC stack deployed in the lab Automated Deployment of VPC.

Steps: