Tips for Deploying EC2 Instances

  1. Use the Ubuntu 20 AMIs built by EC2 Image Builder in your account. Both Dokku and non-Dokku variants are published. To identify the AMI ID, go to the EC2 service console > Images > AMIs and change the selection filter to "Owned by me."
  2. AMIs are built with a 50 GB root volume. If you need additional storage, either specify a larger size for this volume during instance provisioning, or add a secondary data volume. AWS EBS volumes are encrypted by default per a global policy.
  3. To have the instance automatically report metrics to CloudWatch, set the following snippet in the instance userData section during provisioning:
    /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:AmazonCloudWatch-agent-config
    /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a start
  4. To enable nightly file integrity scanning by AIDE, set the following tag in your instance:
    key="aide", value="enabled"
  5. To enable nightly malware scanning by ClamAV, set the following tag in your instance:
    key="clamscan", value="enabled"
  6. Avoid using the "default" VPC when selecting your networking configuration; instead, use the "vpc-x" option (or request an additional VPC if you'd like further segmentation of resources).
  7. For the IAM instance role, either select EC2InstanceDefaultRole or create a new role that includes at least the same policies.
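The tips above assembled into one launch request, plus a small check that flags a request which drifts from them. This is an added example, not part of the original page: the AMI, subnet and VPC IDs are constructed placeholders, the instance type is an assumption, and the request shape follows boto3's ec2.run_instances() keyword arguments.

```python
import base64

# Constructed example; cloud-init runs userData as a script only when it starts
# with a shebang, so the two agent commands from tip 3 are wrapped in one.
CLOUDWATCH_USER_DATA = """#!/bin/bash
/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:AmazonCloudWatch-agent-config
/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a start
"""


def build_launch_request(ami_id, subnet_id, root_gb=50, iam_role="EC2InstanceDefaultRole"):
    """Return keyword arguments in the shape boto3's ec2.run_instances() accepts.
    ami_id is the image found under "Owned by me"; subnet_id must belong to vpc-x."""
    return {
        "ImageId": ami_id,
        "InstanceType": "t3.small",            # assumption; pick what the workload needs
        "SubnetId": subnet_id,
        "MinCount": 1, "MaxCount": 1,
        "IamInstanceProfile": {"Name": iam_role},
        "UserData": CLOUDWATCH_USER_DATA,      # botocore base64-encodes this for RunInstances
        "BlockDeviceMappings": [{"DeviceName": "/dev/sda1",
                                 "Ebs": {"VolumeSize": root_gb, "VolumeType": "gp3", "Encrypted": True}}],
        # Tags from tips 4 and 5 turn on the nightly AIDE and ClamAV scans.
        "TagSpecifications": [{"ResourceType": "instance",
                               "Tags": [{"Key": "aide", "Value": "enabled"},
                                        {"Key": "clamscan", "Value": "enabled"}]}],
    }


def lint_launch_request(req, subnet_vpc_id, default_vpc_id):
    """Return a list of findings where req deviates from the tips; empty means compliant.
    subnet_vpc_id is the VPC that req["SubnetId"] belongs to (looked up separately)."""
    findings = []
    tags = {t["Key"]: t["Value"] for spec in req.get("TagSpecifications", [])
            if spec["ResourceType"] == "instance" for t in spec["Tags"]}
    for scanner in ("aide", "clamscan"):
        if tags.get(scanner) != "enabled":
            findings.append(f"nightly {scanner} scan not enabled (tag {scanner}=enabled missing)")
    root = req["BlockDeviceMappings"][0]["Ebs"]
    if root.get("VolumeSize", 0) < 50:
        findings.append("root volume smaller than the 50 GB the AMI was built with")
    if not root.get("Encrypted", False):
        findings.append("root volume not marked encrypted")
    if "amazon-cloudwatch-agent-ctl -a start" not in req.get("UserData", ""):
        findings.append("userData does not start the CloudWatch agent")
    if subnet_vpc_id == default_vpc_id:
        findings.append("subnet is in the default VPC; use vpc-x instead")
    if not req.get("IamInstanceProfile", {}).get("Name"):
        findings.append("no IAM instance profile (EC2InstanceDefaultRole or equivalent) set")
    return findings
```

Run the lint before calling ec2.run_instances(**req) so a non-compliant request never reaches AWS.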