Compute
EC2 Instances
All EC2 instances run Debian with Docker, managed via SSM (no SSH access). Each instance has a 4GB swap file and the IMDS host route fix for IMDSv2 compatibility.
Instance Summary
| Instance | Type | Subnet | Volume | Apps | HIPAA |
|---|---|---|---|---|---|
| `prod-nhc-django` | t3.small | private-1 (AZ b) | 30 GB (KMS encrypted) | Django API, Portal | ✅ |
| `prod-nhc-app` | t3.small | private-0 (AZ a) | 40 GB (KMS encrypted) | WP CMS, Gatsby | ❌ |
| `prod-nhc-foursites` | t3.small | private-0 (AZ a) | 30 GB (KMS encrypted) | 4× Astro sites | ❌ |
| `prod-nhc-gitlab-runner` | t3.small | private-0 (AZ a) | 50 GB (KMS encrypted) | GitLab Runner | ❌ |
Common Userdata
All instances bootstrap with:
- SSM Agent — installed from official Debian package (not pre-installed on Debian AMIs)
- IMDS Host Route — `ip route add 169.254.0.0/16 dev eth0` for IMDSv2 compatibility
- Swap — 4GB swapfile at `/swapfile`
- Docker — official Docker CE repository for Debian
No SSH Access
Instances have no SSH key pairs and no inbound port 22. All access is via AWS SSM Session Manager, which provides audit logging and IAM-based access control.
Auto-Recovery Alarms
Every EC2 instance has a CloudWatch alarm that triggers automatic recovery if the underlying hardware fails:
- Metric: `StatusCheckFailed_System`
- Alarm action: `arn:aws:automate:us-east-2:ec2:recover`
- Evaluation: 2 consecutive failures over 2 minutes
IAM Instance Profile
All instances share the `ec2_ssm` instance profile, which grants:
- SSM Session Manager access
- CloudWatch Logs publishing
- ECR image pulling
- S3 access for application assets
- SSM Parameter Store read (for secrets)
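
The "No SSH Access" and shared instance profile statements above can be checked against AWS CLI output. The following is an added example, not part of the original page or this project's tooling: it audits parsed `aws ec2 describe-instances` and `aws ec2 describe-security-groups` JSON for attached key pairs, ingress rules that cover port 22, and a missing `ec2_ssm` profile. It assumes the profile's name in IAM is literally `ec2_ssm`; the sample data and all IDs are constructed.

```python
def port_22_open(permission):
    """True if one ingress rule (an IpPermissions entry) admits TCP port 22."""
    proto = permission.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    # A range such as 0-1024 opens SSH without ever naming port 22.
    return permission.get("FromPort", 0) <= 22 <= permission.get("ToPort", 65535)

def audit(instances_doc, groups_doc, expected_profile="ec2_ssm"):
    """Return sorted (instance_id, finding) tuples for every violation."""
    ssh_groups = {
        g["GroupId"] for g in groups_doc["SecurityGroups"]
        if any(port_22_open(p) for p in g.get("IpPermissions", []))
    }
    findings = []
    for reservation in instances_doc["Reservations"]:
        for inst in reservation["Instances"]:
            iid = inst["InstanceId"]
            if inst.get("KeyName"):  # field is absent when no key pair is set
                findings.append((iid, "key pair attached: " + inst["KeyName"]))
            for sg in inst.get("SecurityGroups", []):
                if sg["GroupId"] in ssh_groups:
                    findings.append((iid, "inbound port 22 via " + sg["GroupId"]))
            arn = inst.get("IamInstanceProfile", {}).get("Arn", "")
            if arn.rsplit("/", 1)[-1] != expected_profile:
                findings.append((iid, "instance profile is not " + expected_profile))
    return sorted(findings)

# Constructed sample data in the shape of the AWS CLI output; IDs are placeholders.
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "SecurityGroups": [{"GroupId": "sg-web"}],
     "IamInstanceProfile":
         {"Arn": "arn:aws:iam::111122223333:instance-profile/ec2_ssm"}},
    {"InstanceId": "i-0bbb", "KeyName": "legacy-key",
     "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-admin"}]},
]}]}
SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443}]},
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024}]},
]}

if __name__ == "__main__":
    for instance_id, finding in audit(SAMPLE_INSTANCES, SAMPLE_GROUPS):
        print(instance_id, finding)
```

To run it against a real account, pass the results of `json.load` on the saved output of the two CLI commands in place of the sample dictionaries.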