Shreya Kale
6 min readMar 5, 2024

For S3 buckets, CloudFront distributions, an EC2 instance, Route 53 record sets, and associated EBS volumes

Creating a CloudFormation template for the setup

1) S3 bucket setup steps

For the Files and Frontend (UI) buckets

  1. Bucket name as per the requirement
  2. Region should always be Mumbai (ap-south-1)
  3. Object ownership: ACLs enabled
  4. Bucket owner preferred
  5. Block all public access
  6. Bucket versioning should be disabled
  7. Default encryption as usual
  8. Create bucket

2) CloudFront setup steps for the Frontend (UI) bucket

  1. Create distribution
  2. Select the S3 frontend bucket as the origin domain
  3. Origin access: Origin access control settings (recommended)
  4. Select an existing origin access control or create a new OAC
  5. Copy the generated S3 bucket policy and add it under the S3 bucket's permissions
  6. Default cache behavior
  7. Viewer protocol policy: Redirect HTTP to HTTPS
  8. Allowed HTTP methods for S3: GET, HEAD, OPTIONS
  9. Cache key and origin requests: caching disabled
  10. Origin request policy: CORS-S3Origin
  11. WAF enabled
  12. CNAME as per requirement
  13. Select the custom SSL certificate
  14. Don't forget to tag them
  15. Default root object: index.html
  16. For the frontend distribution, standard logging and cookie logging ON
  17. In standard logging, select the Files S3 bucket as the log destination and set the log prefix mm-00*/ui/

3) CloudFront setup steps for the ALB (Application Load Balancer)

  1. Create distribution
  2. Select the ALB as the origin domain
  3. Origin access: Origin access control settings (recommended)
  4. Select an existing origin access control or create a new OAC
  5. Default cache behavior

After choosing the ALB as the origin domain

  1. Protocol: HTTP only
  2. Viewer protocol policy: Redirect HTTP to HTTPS
  3. Allowed HTTP methods for the ALB: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE
  4. Cache policy: CachingDisabled
  5. Origin request policy: AllViewerAndCloudFrontHeaders-2***–0*
  6. WAF enabled
  7. Create
  8. In the ALB CDN, standard logging and cookie logging should be ON
  9. In standard logging, select the Files S3 bucket as the log destination and set the log prefix mm-00*/api/

4) CloudFront setup steps for Files

  1. Create distribution
  2. Select the S3 Files bucket as the origin domain
  3. Origin access: Origin access control settings (recommended)
  4. Select an existing origin access control or create a new OAC
  5. Default cache behavior
  6. Viewer protocol policy: Redirect HTTP to HTTPS
  7. Allowed HTTP methods for S3: GET, HEAD, OPTIONS
  8. Cache key and origin requests: create a new cache policy or use an existing one
  9. Origin request policy: CORS-S3Origin
  10. WAF disabled
  11. CNAME as per requirement
  12. Select the custom SSL certificate
  13. Don't forget to tag them
  14. In the Files CDN, standard logging and cookie logging should be OFF

5) EC2 instance setup

  1. Go to AMIs
  2. Select AMI ******(name)
  3. Choose the t4g.small instance type
  4. Click Launch instance from AMI
  5. Name the instance
  6. Select the size
  7. Edit network settings: Auto-assign public IP: Disable (so the instance gets no public IP)
  8. Use the existing VPC, subnet, and security group
  9. Don't forget to add the IAM role

6) Elastic IP

  1. Allocate a new Elastic IP address
  2. Add tags and create
  3. Go to Actions
  4. Associate Elastic IP address
  5. Select the public IP
  6. Leave reassociation disallowed and click Associate

7) Application load balancer

  1. Create a target group
  2. Associate that target group with the load balancer
  3. When registering the listener, use port 8080
  4. Add a rule
  5. Condition: HTTP host header equals the ALB API domain name
  6. Priority: any number from 1 to 60000
  7. Tag them
  8. In the target group, register the newly launched EC2 instance

8) Add DNS records in the template

9) Add a lifecycle policy with 7-day snapshots

The complete CloudFormation template:

AWSTemplateFormatVersion: '2010-09-09'
Description: >
  AWS CloudFormation Template for S3 Buckets, CloudFront Distributions, EC2 Instances,
  Route 53 Record Sets, EC2 Instance, and associated EBS Volumes

Parameters:
  EnableAutomatedSnapshots:
    Type: String
    AllowedValues: ['true', 'false']
    Default: 'true'
    Description: Flag to enable/disable automated snapshots for EC2 instance

  FrontendBucketName:
    Type: String
    Description: Name for the frontend S3 bucket

  ArtifactsBucketName:
    Type: String
    Description: Name for the artifacts S3 bucket

  InstanceTagName:
    Type: String
    Default: YourInstanceTagName
    Description: The tag name to apply to the EC2 instance and associated EBS volumes.

Resources:
  MyIAMRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: MyEC2RolePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                # ec2:* on every resource is far more than an application
                # instance needs; scope Action and Resource down before production use.
                Action: 'ec2:*'
                Resource: '*'

  MyEC2InstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Roles:
        # Reference the role defined above instead of a hard-coded role name,
        # otherwise MyIAMRole is never attached to the instance.
        - !Ref MyIAMRole

  MyEC2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      InstanceType: 't4g.small'
      # AMI ID redacted in the original; t4g is Graviton, so the AMI must be arm64.
      ImageId: 'ami-0*******7779'
      KeyName: 'ec2key*'
      SubnetId: 'subnet-0e502*****c9ad51'
      SecurityGroupIds:
        - 'sg-04774****6023d96e'
      IamInstanceProfile: !Ref MyEC2InstanceProfile
      Tags:
        - Key: CreatedBy
          Value: giveyourname
        - Key: Name
          Value: !Ref InstanceTagName
        - Key: EnableAutomatedSnapshots
          Value: !Ref EnableAutomatedSnapshots

  EC2Volume:
    Type: 'AWS::EC2::Volume'
    Properties:
      AvailabilityZone: !GetAtt MyEC2Instance.AvailabilityZone
      Size: 8
      # EBS volumes are unencrypted unless account-level default encryption is on;
      # add Encrypted: true here if that is not the case.
      Tags:
        - Key: Name
          Value: !Ref InstanceTagName

  EC2VolumeAttachment:
    Type: 'AWS::EC2::VolumeAttachment'
    Properties:
      InstanceId: !Ref MyEC2Instance
      VolumeId: !Ref EC2Volume
      Device: /dev/sdf

  MyElasticIP:
    Type: 'AWS::EC2::EIP'
    Properties:
      InstanceId: !Ref MyEC2Instance

  MyTargetGroup:
    Type: 'AWS::ElasticLoadBalancingV2::TargetGroup'
    Properties:
      HealthCheckPath: "/health"
      HealthCheckProtocol: "HTTP"
      HealthCheckIntervalSeconds: 30
      HealthCheckTimeoutSeconds: 10
      HealthyThresholdCount: 5
      UnhealthyThresholdCount: 2
      Port: 8080
      Protocol: "HTTP"
      VpcId: "vpc-035a***b2a**004bb"
      Targets:
        - Id: !Ref MyEC2Instance
      Tags:
        - Key: CreatedBy
          Value: giveyourname

  MyListenerRule:
    Type: 'AWS::ElasticLoadBalancingV2::ListenerRule'
    Properties:
      Actions:
        - Type: "forward"
          TargetGroupArn: !Ref MyTargetGroup
      Conditions:
        - Field: "host-header"
          HostHeaderConfig:
            Values:
              - "mn-data-api.test1.*****s.in"
      ListenerArn: "arn:aws:elasticloadbalancing:ap-south-1:58174**5630:listener/app/dearmeraneta/e5ea40294a91c9a9/a709c6a09b5bc26a"
      Priority: 39

  FrontendBucket:
    Type: AWS::S3::Bucket
    Properties:
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred
      BucketName: !Ref FrontendBucketName
      AccessControl: Private
      VersioningConfiguration:
        Status: Suspended
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        - Key: CreatedBy
          Value: putyourname

  ArtifactsBucket:
    Type: AWS::S3::Bucket
    Properties:
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred
      BucketName: !Ref ArtifactsBucketName
      AccessControl: Private
      VersioningConfiguration:
        Status: Suspended
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        - Key: CreatedBy
          Value: putyourname

  FrontendDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
          - Id: FrontendBucketOrigin
            DomainName: !GetAtt FrontendBucket.DomainName
            S3OriginConfig:
              # Reference the identity defined in this template rather than a
              # hard-coded ID. The bucket policy from setup step 5 must grant this
              # identity s3:GetObject, or the distribution returns 403.
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${OriginAccessIdentityforFrontend}'
        DefaultCacheBehavior:
          TargetOriginId: FrontendBucketOrigin
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          ForwardedValues:
            QueryString: false
        DefaultRootObject: index.html
        Logging:
          # Setup step 2.17: logs go to the Files (artifacts) bucket under a prefix.
          # Logging into the origin bucket itself would make the access logs
          # downloadable through the distribution. Prefix is redacted in the original.
          Bucket: !GetAtt ArtifactsBucket.DomainName
          Prefix: mm-00*/ui/
          IncludeCookies: true
        Enabled: true

  ArtifactsDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
          - Id: ArtifactsBucketOrigin
            DomainName: !GetAtt ArtifactsBucket.DomainName
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${OriginAccessIdentityforArtifacts}'
        DefaultCacheBehavior:
          TargetOriginId: ArtifactsBucketOrigin
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          ForwardedValues:
            QueryString: true
        Enabled: true

  ALBDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
          - Id: MyOrigin
            DomainName: dearmeraneta-72**83514.ap-south-1.elb.amazonaws.com
            CustomOriginConfig:
              HTTPPort: 80
              # CloudFront-to-ALB traffic is plain HTTP here; the ALB security group
              # should only admit the CloudFront origin-facing managed prefix list so
              # the ALB cannot be reached directly, bypassing WAF.
              OriginProtocolPolicy: http-only
        DefaultCacheBehavior:
          TargetOriginId: MyOrigin
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
            - PUT
            - POST
            - PATCH
            - DELETE
          ForwardedValues:
            QueryString: true
        Enabled: true

  OriginAccessIdentityforFrontend:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: Identity for frontend S3 bucket

  OriginAccessIdentityforArtifacts:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: Identity for artifacts S3 bucket

  myDNSRecordFrontend:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: Z0653697223**85Y96A
      Name: "frontend.w***tes.in"
      Type: CNAME
      TTL: "900"
      ResourceRecords:
        - !GetAtt FrontendDistribution.DomainName

  myDNSRecordArtifacts:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: Z06536****LTTI5Y96A
      Name: "artifacts.***tes.in"
      Type: CNAME
      TTL: "900"
      ResourceRecords:
        - !GetAtt ArtifactsDistribution.DomainName

  myDNSRecordALB:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: Z065369***3LTTI5Y96A
      Name: "alb.****es.in"
      Type: CNAME
      TTL: "900"
      ResourceRecords:
        - !GetAtt ALBDistribution.DomainName

  EC2VolumeLifecyclePolicy:
    # Scheduled EBS snapshots are created with Data Lifecycle Manager;
    # AWS::EC2::VolumeLifecyclePolicy is not a CloudFormation resource type.
    Type: AWS::DLM::LifecyclePolicy
    Properties:
      Description: Daily snapshot of the instance volume, retained for 7 days
      State: ENABLED
      # Assumes the DLM default service role exists in the account
      # (created once with `aws dlm create-default-role`).
      ExecutionRoleArn: !Sub 'arn:aws:iam::${AWS::AccountId}:role/service-role/AWSDataLifecycleManagerDefaultRole'
      PolicyDetails:
        PolicyType: EBS_SNAPSHOT_MANAGEMENT
        ResourceTypes:
          - VOLUME
        # DLM selects volumes by tag; EC2Volume carries this Name tag.
        TargetTags:
          - Key: Name
            Value: !Ref InstanceTagName
        Schedules:
          - Name: DailySnapshot
            TagsToAdd:
              - Key: CreatedBy
                Value: putyourname
              - Key: Name
                Value: !Ref InstanceTagName
            CreateRule:
              Interval: 24
              IntervalUnit: HOURS
              Times:
                - '09:00'
            RetainRule:
              Count: 7

Outputs:
  FrontendDistributionURL:
    Description: URL of the CloudFront distribution for the frontend bucket
    Value: !GetAtt FrontendDistribution.DomainName

  ArtifactsDistributionURL:
    Description: URL of the CloudFront distribution for the artifacts bucket
    Value: !GetAtt ArtifactsDistribution.DomainName

  ALBDistributionURL:
    Description: URL of the CloudFront distribution for the ALB
    Value: !GetAtt ALBDistribution.DomainName

  InstanceId:
    Value: !Ref MyEC2Instance
  VolumeId:
    Value: !Ref EC2Volume
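The setup steps call for origin access control (OAC), the recommended option, while the template uses the legacy origin access identity, and step 5 of each CloudFront section is the bucket policy CloudFront generates for it. The fragment below is an added example, not code from the original post, showing the OAC resource, the origin wiring, and a bucket policy that grants only this account's frontend distribution s3:GetObject; the resource names FrontendOAC and FrontendBucketPolicy are assumed, and FrontendBucket and FrontendDistribution refer to the template's resources.

```yaml
Resources:
  # Added example: OAC for the frontend S3 origin (resource name assumed)
  FrontendOAC:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: frontend-ui-oac
        OriginAccessControlOriginType: s3
        SigningBehavior: always      # sign every request to the origin
        SigningProtocol: sigv4

  # In FrontendDistribution, the S3 origin entry then becomes:
  #   Origins:
  #     - Id: FrontendBucketOrigin
  #       DomainName: !GetAtt FrontendBucket.DomainName
  #       OriginAccessControlId: !GetAtt FrontendOAC.Id
  #       S3OriginConfig:
  #         OriginAccessIdentity: ''   # empty string: OAC replaces the OAI

  # The bucket policy from setup step 5 (resource name assumed). With
  # PublicAccessBlock on, this is the only read path into the bucket, and
  # the SourceArn condition limits it to one distribution in this account.
  FrontendBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref FrontendBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowCloudFrontServicePrincipalReadOnly
            Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:GetObject
            Resource: !Sub '${FrontendBucket.Arn}/*'
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/${FrontendDistribution}'
```

The same pair, pointed at ArtifactsBucket and ArtifactsDistribution, covers the Files distribution from section 4.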

Written by Shreya Kale

AWS Cloud DevOps Engineer AWS Cloud, Azure Cloud, GCP Cloud, Alibaba Cloud
