Level 200: Automated Deployment of EC2 Web Application
- Ben Potter, Security Lead, Well-Architected
- Rodney Lester, Reliability Lead, Well-Architected
Overview of WordPress stack architecture:
Please note a prerequisite to this lab is that you have deployed the CloudFormation VPC stack in the lab Automated Deployment of VPC with the default parameters and recommended stack name.
This step will create the web application and all components using the example CloudFormation template, inside the VPC you have created previously. An SSH key is not configured in this lab, instead AWS Systems Manager should be used to manage the EC2 instances as a more secure and scalable method.
- Choose the version of the CloudFormation template and download it to your computer, or clone this repository:
- wordpress.yaml to create a WordPress site, including an RDS database.
- staticwebapp.yaml to create a static web application that simply displays the instance ID for the instance it is running upon.
- Sign in to the AWS Management Console, select your preferred region, and open the CloudFormation console at https://console.aws.amazon.com/cloudformation/. Note if your CloudFormation console does not look the same, you can enable the redesigned console by clicking New Console in the CloudFormation menu.
- Click Create Stack, then With new resources (standard).
- Click Upload a template file and then click Choose file.
- Choose the CloudFormation template you downloaded in step 1, return to the CloudFormation console page and click Next.
- Enter the following details:
- Stack name: The name of this stack. For this lab, for the WordPress stack use WebApp1-WordPress or for the static web stack use WebApp1-Static and match the case.
- ALBSGSource: Your current IP address in CIDR notation; this is the only source allowed to connect to the application load balancer, which keeps your web application away from the public while you are configuring and testing it. The remaining parameters may be left at their defaults; the description of each parameter explains what it controls.
- At the bottom of the page click Next.
- In this lab, we won't add any tags, permissions or advanced options. Click Next. Tags, which are key-value pairs, can help you identify your stacks. For more information, see Adding Tags to Your AWS CloudFormation Stack.
- Review the information for the stack. When you're satisfied with the configuration, check I acknowledge that AWS CloudFormation might create IAM resources with custom names then click Create stack.
- After a number of minutes the final stack status should change from CREATE_IN_PROGRESS to CREATE_COMPLETE.
You have now created the WordPress stack (well actually CloudFormation did it for you).
- In the stack, click the Outputs tab and open the WebsiteURL value in your web browser; this is how you access what you just created.
- After you have explored your web application, don't forget to tear it down to save cost.
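The console steps above, and the tear-down at the end of the lab, as an AWS CLI script. This is an added example, not part of the lab or its templates; it assumes AWS CLI v2 with credentials for the target account and region, a template file (wordpress.yaml or staticwebapp.yaml) in the working directory, and that https://checkip.amazonaws.com is reachable for looking up your public address. The helper functions are pure shell and can be exercised offline; only deploy_webapp and teardown_webapp talk to AWS.

```shell
#!/bin/sh
# Added example, not part of the lab: the console steps as an AWS CLI script.
# Assumes AWS CLI v2 with credentials configured, and the lab's template file
# in the working directory. Helper functions are pure shell.

# The lab allows exactly two stack names; the match is case-sensitive.
validate_stack_name() {
  case "$1" in
    WebApp1-WordPress|WebApp1-Static) return 0 ;;
    *) return 1 ;;
  esac
}

# ALBSGSource must be a CIDR: turn one IPv4 address into a /32 and reject
# anything that is not four dotted decimal octets in the range 0-255.
to_cidr32() {
  ip="$1"
  oldifs="$IFS"; IFS=.
  set -f                 # no pathname expansion while splitting on '.'
  set -- $ip
  set +f
  IFS="$oldifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  printf '%s/32\n' "$ip"
}

# Public IPv4 address of this machine (assumed endpoint, AWS-hosted).
my_public_ip() {
  curl -fsS https://checkip.amazonaws.com
}

# Create the stack, wait for CREATE_COMPLETE, then print the WebsiteURL output.
# CAPABILITY_NAMED_IAM is the CLI form of the IAM acknowledgement box in the console.
deploy_webapp() {
  stack="$1"; template="$2"; source_cidr="$3"
  validate_stack_name "$stack" || { echo "use WebApp1-WordPress or WebApp1-Static" >&2; return 1; }
  aws cloudformation create-stack \
    --stack-name "$stack" \
    --template-body "file://$template" \
    --parameters "ParameterKey=ALBSGSource,ParameterValue=$source_cidr" \
    --capabilities CAPABILITY_NAMED_IAM
  aws cloudformation wait stack-create-complete --stack-name "$stack"
  aws cloudformation describe-stacks --stack-name "$stack" \
    --query "Stacks[0].Outputs[?OutputKey=='WebsiteURL'].OutputValue" --output text
}

# Delete the stack and block until it is gone (the tear-down step of the lab).
teardown_webapp() {
  validate_stack_name "$1" || return 1
  aws cloudformation delete-stack --stack-name "$1"
  aws cloudformation wait stack-delete-complete --stack-name "$1"
}

# Example invocation (not run automatically when the file is sourced):
#   deploy_webapp WebApp1-WordPress wordpress.yaml "$(to_cidr32 "$(my_public_ip)")"
#   teardown_webapp WebApp1-WordPress
```

The CIDR helper exists because the load balancer security group takes ALBSGSource verbatim: a typo there either locks you out or, worse, opens the listener wider than a single address, so the script refuses anything that is not a well-formed IPv4 address before it calls create-stack.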
- Grant access through roles or federation: A role is attached to the auto-scaled instances.
- Implement dynamic authentication: The role attached to the auto-scaled instances dynamically acquires credentials.
- Grant least privileges: The role attached to the auto-scaled instances uses minimum privileges to accomplish the task.
- Implement new security services and features: New features including Secrets Manager have been adopted.
- Limit exposure: Security groups restrict network traffic to a minimum.
- Automate configuration management: CloudFormation is being used to deploy the application automatically.
- Control traffic at all layers: Traffic is controlled in multiple tiers, using subnets with different route tables.
- Reduce attack surface: Instances do not allow for SSH, instead Systems Manager may be used for administration.
- Implement managed services: Managed services are utilized, including Secrets Manager and Aurora Serverless.
- Implement secure key management: AWS Key Management Service is used for key management of Aurora database.
- Provide mechanisms to keep people away from data: SSH to the instances is not allowed, Systems Manager may be used to control access and CloudFormation is used to deploy and update all infrastructure to reduce human error.
- Enable TLS (SSL) on application load balancer to encrypt communications, using Amazon Certificate Manager.
- The WordPress that is deployed stores the database password in clear text in a configuration file, and the password is not rotated. Best practice, where supported, would be to encrypt the password and rotate it automatically, preferably by having the application retrieve it through the Secrets Manager API.
- Encrypting the EC2 AMI for the web instances would automatically enable encrypted volumes.
- Implementing a Web Application Firewall such as AWS WAF, and a content delivery service such as Amazon CloudFront.
- Create an automated process for patching the AMIs and scanning for vulnerabilities before updating in production.
- Create a pipeline that verifies the CloudFormation template for misconfigurations before creating or updating the stack.
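A minimal pre-deployment gate of the kind the last improvement describes. This is an added example, not part of the lab or its templates; it assumes a YAML template on disk and runs cfn-lint only when that tool happens to be installed. The pattern checks are deliberately literal: they catch the two settings the lab design avoids (world-open ingress and SSH exposure via port 22 or a key pair), not every possible misconfiguration, and the two templates it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the lab: a template gate for a deployment pipeline.
# Assumes a YAML template on disk; cfn-lint is used only when installed.

# Return 0 if the template passes, 1 if any gate fails, 2 if it cannot be read.
gate_template() {
  tpl="$1"
  [ -r "$tpl" ] || { echo "cannot read $tpl" >&2; return 2; }
  rc=0
  # Gate 1: an ingress CIDR of 0.0.0.0/0 or ::/0 is reachable by anyone.
  if grep -nE '(CidrIp|CidrIpv6):[[:space:]]*(0\.0\.0\.0/0|::/0)' "$tpl"; then
    echo "FAIL: world-open CIDR in $tpl" >&2; rc=1
  fi
  # Gate 2: port 22 or a KeyName re-opens the SSH path the lab replaces with Systems Manager.
  if grep -nE '((FromPort|ToPort):[[:space:]]*22([^0-9]|$)|^[[:space:]]*KeyName:)' "$tpl"; then
    echo "FAIL: SSH exposure (port 22 or KeyName) in $tpl" >&2; rc=1
  fi
  # Gate 3: lint when available; cfn-lint exits non-zero on findings.
  if command -v cfn-lint >/dev/null 2>&1; then
    cfn-lint "$tpl" || rc=1
  fi
  return $rc
}

# Two constructed templates so the gate can be exercised offline; prints their directory.
make_sample_templates() {
  dir=$(mktemp -d)
  # Mirrors the lab's intent: ALB ingress limited to the ALBSGSource parameter.
  cat >"$dir/clean.yaml" <<'EOF'
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  ALBSGSource:
    Type: String
Resources:
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ALB ingress limited to ALBSGSource
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: !Ref ALBSGSource
EOF
  # What the gate must reject: SSH from the whole internet.
  cat >"$dir/open.yaml" <<'EOF'
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
Resources:
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: web tier, too open
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
EOF
  echo "$dir"
}

# Example invocation (not run automatically):
#   gate_template wordpress.yaml && aws cloudformation deploy ...
```

In a real pipeline the gate runs before create-stack or update-stack, and a non-zero exit stops the job; pattern matching on the YAML is a cheap first line, with cfn-lint (and a policy-as-code tool, if your team uses one) providing the semantic checks that a grep cannot.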
The following instructions will remove the resources that you have created in this lab.
Delete the WordPress or Static Web Application CloudFormation stack:
- Sign in to the AWS Management Console, select your preferred region, and open the CloudFormation console at https://console.aws.amazon.com/cloudformation/.
- Click the radio button on the left of the WebApp1-WordPress or WebApp1-Static stack.
- Click the Actions button then click Delete stack.
- Confirm the stack and then click the Delete button.
- Access the Key Management Service (KMS) console at https://console.aws.amazon.com/kms/
References & useful resources
Licensed under the Apache 2.0 and MITnoAttr License.
Copyright 2019-2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at
or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.