Configure ECS Respository and Deploy The Application Stack

2.0. Introduction.

In this section, we are going to prepare our sample application. We will package this as a docker image and push to a repository.

As we mentioned in our introduction, our sample application will be running in a docker container which we will deploy using Amazon ECS .

In preparation for the deployment, we will need to package our application as a docker image and push it into ECR . When this is completed, we will use the image which we placed in ECR to build our application cluster.

For more information on how ECS works, please refer to this guide .

When our application stack is completed, our architecture will look like this:

Section2 App Arch

Move through the sections below to complete the repository configuration and application stack deployment:

2.1. Configure the ECS Container Repository.

Our initial sample application preparation will require running several docker commands to create a local image in your computer which we will push into Amazon ECR. The following diagram shows the image creation process:

Section2 ECR Arch

To make this process simple for you, we have created a basic application and script to build the container for you.

Complete the instructions as follows to download the :


Our environment used to push the container to the repository will need to be running Docker version 18.09.9 or above. To achieve this on a laptop such as a mac involves installing not only Docker itself, but also the Docker Machine and VirtualBox. Because of this, we will use AWS Cloud9 IDE in the console which has all of the dependencies pre-configured for you.


From the main console, launch the Cloud9 service.

When you get to the welcome screen, select Create Environment as shown here:

Section 2 Cloud9 IDE Welcome Screen


Now we will enter naming details for the environment. To do this enter the following into the name environment dialog box:

Name: pattern1-environment Description: re:Invent 2020 pattern1 environment!

When you are ready, click on Next Step to continue as shown:

Section 2 Cloud9 IDE Welcome Screen


On the Configure Settings dialog box, leave defaults and click Next Step


On the Review dialog box, click Create Environment

The Cloud9 IDE environment will now build, integrating the AWS command line and all docker components that we require to build out our lab.

This step can take a few minutes, so please be patient.


Once our environment is built, you will be greeted with a command prompt to your environment.

We will use this to build our application for upload to the repository.

Firstly we will need to download the files which contain all of the application dependencies. To do this, run the following command within the Cloud9 IDE:

curl -o

The command should show the file download as follows:

Section 2 Cloud9 IDE Welcome Screen


When you have downloaded the application, unzip it as follows:



Now we will build our application and upload to the repository. We have built a script to help you with this process, which will query the previous CloudFormation stack which you created for the necessary repository information, build an image and then upload to the new repository.

Execute the script with the argument of pattern1-base as follows:

cd app/
./ pattern1-base

Once your command runs successfully, you should be seeing the image being pushed to ECR and URI marked as shown here:

Section 2 Cloud9 IDE Application Build

Take note of the ECS Image URI produced at the end of the script as we will require it later. This is highlighted in the screenshot above.


Confirm that the ECR repository exists in the ECR console. To do this, launch ECR in your AWS Console.

You can then follow this guide to check to your repository as shown:

Section2 Script Output

2.2. Deploy The Application Stack

Now that we have pushed the docker image into our Amazon ECR repository, we will now deploy it within Amazon ECS .

Our sample application is configured as follows:

  • Our application is built using nodejs express ( You can find the source code under app/app.js file of the github repository )
  • The service will expose a REST API wth /encrypt and /decrypt action.
  • The /encrypt will take an input of a JSON payload with key and value as below '{"Name":"Andy Jassey","Text":"Welcome To ReInvent 2020!"}'
  • The Name Key will be the identifier that we will use to store the encrypted value of Text Value.
  • The application will then call the KMS Encrypt API and encrypt it again using a KMS key that we designate. (For simplicity, in this mock app we will be using the same KMS key for every Name you put in, ideally you want to use individual key for each name)
  • The encrypted value of Text key will then be stored in an RDS database, and the app will return a Encryption Key value that the user will have to pass on to decrypt the Text later
  • The decrypt API will do the reverse, taking the Encryption Key you pass to decrypt the text {"Text":"Welcome To ReInvent 2020!"}

Note: In this section we will be deploying a CloudFormation Stack which will launch an ECS cluster. If this is the first time you are working with the ECS service, you will need to deploy a service linked role which will be able to assume the IAM role to perform the required activities within your account. To do this, run the following from the command line using appropriate profile flags: aws iam create-service-linked-role --aws-service-name

Download the application template from here and deploy according to your preference below.

Click here for CloudFormation command-line deployment steps
Click here for CloudFormation console deployment steps

2.3. Confirm Stack Status.


Once the command deployed successfully, go to your Cloudformation console to locate the stack named pattern1-app.


Confirm that the stack is in a ‘CREATE_COMPLETE’ state.


Record the following output details as they will be required later:

  • Take note of this stack name
  • Take note of the DNS value specified under OutputPattern1ApplicationEndpoint of the Outputs.
  • Take note of the ECS Task Role Arn value specified under OutputPattern1ECSTaskRole of the Outputs.
  • Take note of the OutputPattern1ECSTaskRole.

The following diagram shows the output from the cloudformation stack:

Section2 DNS Output

2.4. Test the Application launched.

In this part of the Lab, we will be testing the encrypt API of the sample application we just deployed. Our application will basically take a JSON payload with Name and Text key, and it will encrypt the value under text key with a designated KMS key. Once the text is encrypted, it will store the encrypted text in the RDS database with the Name as the primary key.

Note: For simplicity our sample application is not generating individual KMS keys for each record generated. Should you wish to deploy this pattern to production, we recommend that you use a separate KMS key for each record.

From your Cloud9 terminal, replace the < Application Endpoint URL > with the OutputPattern1ApplicationEndpoint from previous step.

ALBURL="< Application Endpoint URL >"

curl --header "Content-Type: application/json" --request POST --data '{"Name":"Andy Jassey","Text":"Welcome to ReInvent 2020!"}' $ALBURL/encrypt

Once you’ve executed this you should see an output similar to this:

{"Message":"Data encrypted and stored, keep your key save","Key":"<encrypt key (take note) >"}

Take note of the encrypt key value under Key from your output as we will need it for decryption later in the lab.

This completes section 2 of the lab. Proceed to section 3 where we will be configuring CloudTrail.