- Use the Ubuntu 20 AMIs built by EC2 Image Builder in your account. Both Dokku and non-Dokku variants are published. To identify the AMI ID, go to the EC2 service console > Images > AMIs and change the selection filter to "Owned by me."
- AMIs are built with a 50 GB root volume. If you need additional storage, either specify a larger size for this volume during instance provisioning, or add a secondary data volume. AWS EBS volumes are encrypted by default per a global policy.
- To have the instance automatically report metrics to CloudWatch, set the following snippet in the instance userData section during provisioning:
  ```sh
  /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:AmazonCloudWatch-agent-config
  /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a start
  ```
- To enable nightly file integrity scanning by AIDE, set the following tag in your instance:
- To enable nightly malware scanning by ClamAV, set the following tag in your instance:
- Avoid using the "default" VPC when selecting your networking configuration; instead, use the "vpc-x" option (or request an additional VPC if you'd like further segmentation of resources).
- For the IAM instance role, either select EC2InstanceDefaultRole or create a new role that has, at a minimum, the same policies.
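
The following is an added example, not part of the original guidelines: a post-provisioning check that audits one instance against the items above that can be verified from EC2 metadata (non-default VPC, an attached instance profile, encrypted EBS volumes). It assumes input dicts shaped like the EC2 DescribeInstances, DescribeVolumes and DescribeVpcs responses; the function name `audit_instance` and all sample IDs are constructed for illustration.

```python
# Added example: audit one instance against the provisioning checklist.
# Inputs mirror the EC2 DescribeInstances / DescribeVolumes / DescribeVpcs
# response shapes; the sample data at the bottom is constructed.


def audit_instance(instance, volumes, vpcs):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    vol_by_id = {v["VolumeId"]: v for v in volumes}
    default_vpcs = {v["VpcId"] for v in vpcs if v.get("IsDefault")}

    # Networking: the instance must not sit in the account's default VPC.
    if instance.get("VpcId") in default_vpcs:
        findings.append("instance is in the default VPC")

    # IAM: an instance profile must be attached. Comparing the role's policies
    # with EC2InstanceDefaultRole is a separate IAM lookup, not done here.
    if not instance.get("IamInstanceProfile", {}).get("Arn"):
        findings.append("no IAM instance profile attached")

    # Storage: confirm the encrypt-by-default policy actually took effect
    # on every EBS volume attached to the instance.
    for mapping in instance.get("BlockDeviceMappings", []):
        device = mapping.get("DeviceName")
        vol_id = mapping.get("Ebs", {}).get("VolumeId")
        vol = vol_by_id.get(vol_id)
        if vol is None:
            findings.append(f"{device}: volume {vol_id} missing from volume list")
        elif not vol.get("Encrypted"):
            findings.append(f"{device}: volume {vol_id} is not encrypted")
    return findings


# Constructed sample data (placeholder IDs, not real resources).
SAMPLE_VPCS = [{"VpcId": "vpc-default-example", "IsDefault": True},
               {"VpcId": "vpc-x", "IsDefault": False}]
SAMPLE_VOLUMES = [{"VolumeId": "vol-root-example", "Size": 50, "Encrypted": True},
                  {"VolumeId": "vol-data-example", "Size": 200, "Encrypted": False}]
GOOD = {"VpcId": "vpc-x",
        "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/EC2InstanceDefaultRole"},
        "BlockDeviceMappings": [{"DeviceName": "/dev/sda1", "Ebs": {"VolumeId": "vol-root-example"}}]}
BAD = {"VpcId": "vpc-default-example",
       "BlockDeviceMappings": [{"DeviceName": "/dev/sda1", "Ebs": {"VolumeId": "vol-root-example"}},
                               {"DeviceName": "/dev/sdf", "Ebs": {"VolumeId": "vol-data-example"}}]}

if __name__ == "__main__":
    for name, inst in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_instance(inst, SAMPLE_VOLUMES, SAMPLE_VPCS) or "ok")
```

The AIDE and ClamAV tags are not checked because their key names are not given above.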