
This skill helps you design and deploy AWS infrastructure including VPCs, EC2, ALB, Route53, and ACM with best practices.

npx playbooks add skill shipshitdev/library --skill aws-infrastructure


SKILL.md (3.8 KB)
---
name: aws-infrastructure
description: Expert in AWS infrastructure setup including EC2, VPC, security groups, Application Load Balancers, Route53 DNS, and SSL/TLS certificates. Use this skill for AWS infrastructure configuration and deployment.
---

# AWS Infrastructure Expert

## Overview

This skill enables AI assistants to help set up and configure AWS infrastructure for micro startups, including EC2 instances, VPCs, security groups, load balancers, DNS, and SSL certificates.

## When to Use This Skill

This skill activates when users need:

- EC2 instance setup and configuration
- VPC and networking setup
- Security group configuration
- Application Load Balancer setup
- Route53 DNS configuration
- SSL/TLS certificate management (ACM)
- Auto-scaling groups
- CloudWatch monitoring

## EC2 Setup

### Instance Types

- **Development:** t3.medium (2 vCPU, 4GB RAM)
- **Production (small):** t3.large (2 vCPU, 8GB RAM)
- **Production (medium):** m5.large (2 vCPU, 8GB RAM)

### Storage

- Use gp3 SSD volumes
- Development: 20GB minimum
- Production: 100GB+ based on needs
- Enable EBS snapshots for backups

### Key Pairs

- Generate or import SSH key pairs
- Store private keys securely
- Use IAM roles instead of access keys when possible
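The three EC2 subsections above as Terraform, showing how the key-pair and IAM-role advice looks in practice: the instance gets its AWS permissions from an instance profile rather than access keys on disk, IMDSv2 is required so that instance credentials cannot be fetched with a plain GET, and the gp3 root volume is encrypted. This is an added example, not a file from the skill; the variable names, the role/policy names, the `/app/` SSM parameter path and the Amazon Linux 2023 AMI filter are assumptions.

```hcl
variable "private_subnet_id" { type = string } # assumption: a private subnet from the VPC section
variable "app_sg_id" { type = string }         # assumption: the application security group
variable "key_name" { type = string }          # assumption: an existing EC2 key pair (imported or generated)

# Instance role: the workload gets short-lived credentials via the instance profile,
# so no long-lived access keys need to exist on the instance.
resource "aws_iam_role" "app" {
  name = "app-instance-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Least privilege: only what this workload needs (read its own SSM parameters, write logs).
resource "aws_iam_role_policy" "app" {
  name = "app-runtime"
  role = aws_iam_role.app.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["ssm:GetParameter", "ssm:GetParametersByPath"]
        Resource = "arn:aws:ssm:*:*:parameter/app/*" # assumption: app config lives under /app/
      },
      {
        Effect   = "Allow"
        Action   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
        Resource = "*"
      }
    ]
  })
}

resource "aws_iam_instance_profile" "app" {
  name = "app-instance-profile"
  role = aws_iam_role.app.name
}

# Latest Amazon Linux 2023 image (assumption: x86_64 is what the app is built for).
data "aws_ami" "al2023" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["al2023-ami-*-x86_64"]
  }
}

resource "aws_instance" "app" {
  ami                    = data.aws_ami.al2023.id
  instance_type          = "t3.large" # "Production (small)" from the Instance Types list
  subnet_id              = var.private_subnet_id
  vpc_security_group_ids = [var.app_sg_id]
  key_name               = var.key_name
  iam_instance_profile   = aws_iam_instance_profile.app.name

  # IMDSv2 only: credential retrieval needs a session token obtained with a PUT,
  # and hop limit 1 keeps the token from leaving the instance.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # gp3, 100 GB (production minimum above), encrypted at rest.
  root_block_device {
    volume_type = "gp3"
    volume_size = 100
    encrypted   = true
  }

  tags = { Name = "app-prod-1" }
}
```

The private key for `key_name` never enters Terraform state here; it stays on the operator's workstation (or in a secrets manager), which is what "store private keys securely" amounts to in practice.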

## VPC Configuration

### Basic Setup

- Create VPC with CIDR block (e.g., 10.0.0.0/16)
- Create public and private subnets
- Set up Internet Gateway
- Configure route tables
- Set up NAT Gateway for private subnets (if needed)

### Subnets

- Public subnets: For load balancers, bastion hosts
- Private subnets: For application servers, databases
- Multi-AZ for high availability

## Security Groups

### Application Security Group

```
Inbound:
- HTTP (80) from ALB security group
- HTTPS (443) from ALB security group
- SSH (22) from bastion/your IP only

Outbound:
- All traffic (0.0.0.0/0)
```

### Database Security Group

```
Inbound:
- MongoDB (27017) from application security group only
- Redis (6379) from application security group only
- SSH (22) from bastion/your IP only

Outbound:
- All traffic (0.0.0.0/0)
```

### Load Balancer Security Group

```
Inbound:
- HTTP (80) from 0.0.0.0/0
- HTTPS (443) from 0.0.0.0/0

Outbound:
- HTTP (80) to application security group
- HTTPS (443) to application security group
```
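The three security groups above as Terraform, added here as an example rather than taken from the skill. Two points the rule sketches do not show: the tiers reference each other by security group id, not by CIDR, so the chain ALB → app → database holds even as instances are replaced, and the rules are defined as standalone rule resources because inline rules that reference one another (ALB egress → app SG, app ingress ← ALB SG) would form a dependency cycle. One caveat is carried into the code: the Health Checks section has the target group forwarding to port 3000 or 3001, so the app SG must admit that port from the ALB SG; opening only 80/443 as sketched above would leave the targets unhealthy unless the app really listens there. `app_port`, `admin_cidr`, `vpc_id` and the resource names are assumptions.

```hcl
variable "vpc_id" { type = string }     # assumption: VPC created elsewhere
variable "admin_cidr" { type = string } # assumption: bastion or operator IP, e.g. "203.0.113.10/32"
variable "app_port" {
  type    = number
  default = 3001 # assumption: the port the target group forwards to (3001 backend / 3000 frontend)
}

resource "aws_security_group" "alb" {
  name        = "alb-sg"
  description = "Internet-facing ALB"
  vpc_id      = var.vpc_id
}

resource "aws_security_group" "app" {
  name        = "app-sg"
  description = "Application instances"
  vpc_id      = var.vpc_id
}

resource "aws_security_group" "db" {
  name        = "db-sg"
  description = "MongoDB and Redis"
  vpc_id      = var.vpc_id
}

# --- Load balancer: the only tier that accepts traffic from the internet ---
resource "aws_vpc_security_group_ingress_rule" "alb_public" {
  for_each          = { http = 80, https = 443 }
  security_group_id = aws_security_group.alb.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = each.value
  to_port           = each.value
  ip_protocol       = "tcp"
}

# ALB egress goes only to the app tier on the target port, never 0.0.0.0/0.
resource "aws_vpc_security_group_egress_rule" "alb_to_app" {
  security_group_id            = aws_security_group.alb.id
  referenced_security_group_id = aws_security_group.app.id
  from_port                    = var.app_port
  to_port                      = var.app_port
  ip_protocol                  = "tcp"
}

# --- Application: reachable from the ALB on the target port, SSH only from admin_cidr ---
resource "aws_vpc_security_group_ingress_rule" "app_from_alb" {
  security_group_id            = aws_security_group.app.id
  referenced_security_group_id = aws_security_group.alb.id
  from_port                    = var.app_port
  to_port                      = var.app_port
  ip_protocol                  = "tcp"
}

resource "aws_vpc_security_group_ingress_rule" "app_ssh" {
  security_group_id = aws_security_group.app.id
  cidr_ipv4         = var.admin_cidr
  from_port         = 22
  to_port           = 22
  ip_protocol       = "tcp"
}

resource "aws_vpc_security_group_egress_rule" "app_all" {
  security_group_id = aws_security_group.app.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1" # all traffic, as in the sketch above
}

# --- Database: MongoDB and Redis only from the app SG, SSH only from admin_cidr ---
resource "aws_vpc_security_group_ingress_rule" "db_from_app" {
  for_each                     = { mongodb = 27017, redis = 6379 }
  security_group_id            = aws_security_group.db.id
  referenced_security_group_id = aws_security_group.app.id
  from_port                    = each.value
  to_port                      = each.value
  ip_protocol                  = "tcp"
  description                  = "${each.key} from application tier"
}

resource "aws_vpc_security_group_ingress_rule" "db_ssh" {
  security_group_id = aws_security_group.db.id
  cidr_ipv4         = var.admin_cidr
  from_port         = 22
  to_port           = 22
  ip_protocol       = "tcp"
}

resource "aws_vpc_security_group_egress_rule" "db_all" {
  security_group_id = aws_security_group.db.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}
```

The AWS provider strips the default allow-all egress rule from an `aws_security_group` it creates, so the ALB's outbound reach really is limited to the `alb_to_app` rule; nothing else is implied.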

## Application Load Balancer

### Setup

1. Create ALB in public subnets
2. Configure target groups (EC2 instances)
3. Set up health checks
4. Configure listeners (HTTP → HTTPS redirect)
5. Attach SSL certificate from ACM

### Health Checks

- Path: `/health` or `/api/health`
- Protocol: HTTP
- Port: 3001 (backend) or 3000 (frontend)
- Healthy threshold: 2
- Unhealthy threshold: 2
- Timeout: 5 seconds
- Interval: 30 seconds
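Steps 1 to 5 of the ALB setup plus the health-check values above, as Terraform. This is an added example, not code from the skill; the variables (`vpc_id`, `public_subnet_ids`, `alb_sg_id`, `certificate_arn`, `app_port`), the resource names and the TLS policy choice are assumptions. The HTTP listener does nothing but redirect, so no request is ever served over plaintext, and the health check uses the backend port and `/health` path listed above.

```hcl
variable "vpc_id" { type = string }                  # assumption
variable "public_subnet_ids" { type = list(string) } # assumption: public subnets in two AZs
variable "alb_sg_id" { type = string }               # assumption: the load balancer security group
variable "certificate_arn" { type = string }         # assumption: a validated ACM certificate in this region
variable "app_port" {
  type    = number
  default = 3001 # backend port from the Health Checks list (3000 for the frontend)
}

resource "aws_lb" "app" {
  name                       = "app-alb"
  load_balancer_type         = "application"
  internal                   = false
  subnets                    = var.public_subnet_ids
  security_groups            = [var.alb_sg_id]
  drop_invalid_header_fields = true # reject malformed headers at the edge
}

# Target group; instances are attached elsewhere (aws_lb_target_group_attachment or an ASG).
resource "aws_lb_target_group" "app" {
  name     = "app-tg"
  port     = var.app_port
  protocol = "HTTP"
  vpc_id   = var.vpc_id

  health_check {
    path                = "/health"
    protocol            = "HTTP"
    healthy_threshold   = 2
    unhealthy_threshold = 2
    timeout             = 5
    interval            = 30
    matcher             = "200"
  }
}

# Port 80: permanent redirect to HTTPS, nothing is forwarded.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.app.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# Port 443: terminate TLS with the ACM certificate and forward to the target group.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06" # assumption: TLS 1.2+ only
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

# Exposed for the Route53 alias record.
output "alb_dns_name" { value = aws_lb.app.dns_name }
output "alb_zone_id" { value = aws_lb.app.zone_id }
```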

## Route53 DNS

### Domain Setup

1. Create hosted zone for domain
2. Create A record (alias) pointing to ALB
3. Create CNAME for www subdomain
4. Update nameservers at domain registrar

### SSL/TLS (ACM)

1. Request certificate in ACM in the same region as the ALB (us-east-1 only for CloudFront distributions)
2. Validate via DNS (add CNAME records)
3. Attach certificate to ALB listener
4. Certificate auto-renews
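The Domain Setup and SSL/TLS steps above as Terraform, added here as an example (not one of the skill's files). It requests the certificate with DNS validation, creates the validation CNAMEs in Route53, waits for issuance, then publishes the apex alias and the www record. Two practical points it encodes: the certificate is created in the same provider region as the ALB, and the validation CNAMEs are kept rather than deleted after issuance, because ACM's automatic renewal re-checks them. `domain_name`, `zone_id`, `alb_dns_name` and `alb_zone_id` are assumed inputs; the hosted zone itself (step 1) and the registrar nameserver change (step 4) are done outside this code.

```hcl
variable "domain_name" { type = string }  # assumption, e.g. "example.com"
variable "zone_id" { type = string }      # assumption: Route53 hosted zone id for domain_name
variable "alb_dns_name" { type = string } # assumption: aws_lb.app.dns_name
variable "alb_zone_id" { type = string }  # assumption: aws_lb.app.zone_id

# Certificate covers the apex and www; issued in the provider's region (same as the ALB).
resource "aws_acm_certificate" "site" {
  domain_name               = var.domain_name
  subject_alternative_names = ["www.${var.domain_name}"]
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# One validation CNAME per name on the certificate. Leave these in place: ACM renews
# DNS-validated certificates automatically only while it can still see them.
resource "aws_route53_record" "acm_validation" {
  for_each = {
    for dvo in aws_acm_certificate.site.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  zone_id         = var.zone_id
  name            = each.value.name
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60
  allow_overwrite = true
}

# Blocks until ACM has issued the certificate, so dependants get a usable ARN.
resource "aws_acm_certificate_validation" "site" {
  certificate_arn         = aws_acm_certificate.site.arn
  validation_record_fqdns = [for r in aws_route53_record.acm_validation : r.fqdn]
}

# Step 2: apex A record as an alias to the ALB (no IP to maintain, health-aware).
resource "aws_route53_record" "apex" {
  zone_id = var.zone_id
  name    = var.domain_name
  type    = "A"

  alias {
    name                   = var.alb_dns_name
    zone_id                = var.alb_zone_id
    evaluate_target_health = true
  }
}

# Step 3: www as a CNAME to the apex.
resource "aws_route53_record" "www" {
  zone_id = var.zone_id
  name    = "www.${var.domain_name}"
  type    = "CNAME"
  ttl     = 300
  records = [var.domain_name]
}

# Feed this to the HTTPS listener; it is only set once validation has succeeded.
output "certificate_arn" { value = aws_acm_certificate_validation.site.certificate_arn }
```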

## CloudWatch Monitoring

### Metrics

- EC2: CPU, Memory, Disk, Network
- ALB: Request count, Target response time, HTTP errors
- Custom metrics for application-specific data

### Alarms

- High CPU utilization
- Low disk space
- Application errors (via CloudWatch Logs)
- Unhealthy target instances
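Two of the alarms listed above (unhealthy targets and application errors at the ALB) plus high CPU, as Terraform. This is an added example, not from the skill; the ARN suffixes, the instance id, the SNS topic and the thresholds are assumptions to tune per service. Note that of the EC2 metrics named above only CPU and network come from the `AWS/EC2` namespace by default; memory and disk usage require the CloudWatch agent on the instance, so a low-disk alarm is not shown here.

```hcl
variable "alb_arn_suffix" { type = string }  # assumption: aws_lb.app.arn_suffix, e.g. "app/app-alb/0123..."
variable "tg_arn_suffix" { type = string }   # assumption: aws_lb_target_group.app.arn_suffix
variable "instance_id" { type = string }     # assumption: the application instance
variable "alarm_topic_arn" { type = string } # assumption: SNS topic that notifies the on-call

# Any target failing its health check for two consecutive minutes pages; recovery clears it.
resource "aws_cloudwatch_metric_alarm" "unhealthy_targets" {
  alarm_name          = "alb-unhealthy-targets"
  namespace           = "AWS/ApplicationELB"
  metric_name         = "UnHealthyHostCount"
  statistic           = "Maximum"
  period              = 60
  evaluation_periods  = 2
  threshold           = 0
  comparison_operator = "GreaterThanThreshold"
  treat_missing_data  = "notBreaching"
  dimensions = {
    LoadBalancer = var.alb_arn_suffix
    TargetGroup  = var.tg_arn_suffix
  }
  alarm_actions = [var.alarm_topic_arn]
  ok_actions    = [var.alarm_topic_arn]
}

# Target 5xx is the application failing; ELB 5xx (HTTPCode_ELB_5XX_Count) would be the ALB itself.
resource "aws_cloudwatch_metric_alarm" "target_5xx" {
  alarm_name          = "alb-target-5xx"
  namespace           = "AWS/ApplicationELB"
  metric_name         = "HTTPCode_Target_5XX_Count"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 10 # assumption: more than 10 errors in 5 minutes
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  dimensions          = { LoadBalancer = var.alb_arn_suffix }
  alarm_actions       = [var.alarm_topic_arn]
}

# Sustained CPU above 80% for ten minutes.
resource "aws_cloudwatch_metric_alarm" "high_cpu" {
  alarm_name          = "ec2-high-cpu"
  namespace           = "AWS/EC2"
  metric_name         = "CPUUtilization"
  statistic           = "Average"
  period              = 300
  evaluation_periods  = 2
  threshold           = 80
  comparison_operator = "GreaterThanOrEqualToThreshold"
  dimensions          = { InstanceId = var.instance_id }
  alarm_actions       = [var.alarm_topic_arn]
}
```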

## Best Practices

- Use IAM roles instead of access keys
- Enable CloudTrail for audit logging
- Use VPC endpoints for AWS service access
- Implement least privilege security groups
- Use private subnets for databases
- Enable encryption at rest for EBS volumes
- Set up automated backups (EBS snapshots)
- Monitor costs with AWS Cost Explorer

## Integration

This skill integrates with `/db-setup` for MongoDB on EC2 and `/deploy` for deployment workflows.

Overview

This skill helps configure and deploy AWS infrastructure for small teams and micro-startups. It focuses on EC2 instances, VPC networking, security groups, Application Load Balancers, Route53 DNS, and ACM SSL/TLS certificates. Use it to build resilient, secure, and scalable environments with sensible defaults and AWS best practices.

How this skill works

The skill provides guided configuration patterns and recommended defaults for EC2 sizing, storage, and key management, then lays out network topology with public and private subnets, NAT gateways, and route tables. It defines security group rules for application, database, and load balancer tiers, configures ALB listeners and health checks, and automates DNS and certificate setup in Route53 and ACM. It also covers CloudWatch metrics and alarms and recommends IAM and backup practices.

When to use it

  • Deploying a web application with EC2 instances behind an Application Load Balancer
  • Designing VPCs with public and private subnets, NAT, and multi-AZ availability
  • Configuring security groups for application and database tiers with least privilege
  • Setting up Route53 DNS and attaching ACM certificates to an ALB
  • Enabling monitoring and alarms for EC2, ALB, and custom application metrics

Best practices

  • Prefer IAM roles over long-lived access keys for EC2 and automation
  • Keep databases in private subnets and restrict access via security groups
  • Use gp3 EBS volumes and enable regular snapshots for backups
  • Request ACM certificates and validate via DNS; attach to ALB listeners
  • Enable CloudTrail, CloudWatch alarms, and VPC endpoints for security and observability

Example use cases

  • Launch a production web tier: ALB in public subnets, EC2 auto-scaling in private subnets, and Route53 alias records
  • Create a development environment with smaller EC2 types and 20GB gp3 volumes
  • Configure secure database access: DB SG allowing only app SG traffic on MongoDB/Redis ports
  • Add HTTPS: request ACM certificate, validate DNS, and configure ALB HTTPS listener with HTTP→HTTPS redirect
  • Implement monitoring: CloudWatch dashboards for EC2 CPU, ALB error rates, and alarms for unhealthy targets

FAQ

Which region should I request ACM certificates in?

Request certificates in the region where your load balancer or CloudFront distribution requires them; for CloudFront use us-east-1.

How should I secure SSH access to instances?

Use a bastion host in a public subnet, restrict SSH to your IP via the bastion SG, and prefer SSH key pairs and IAM roles instead of embedding credentials.