Monitoring
CloudWatch Alarms
EC2 Auto-Recovery
All 4 EC2 instances have StatusCheckFailed_System alarms that trigger automatic recovery:

| Instance | Alarm | Action |
|---|---|---|
| prod-nhc-django | System status check | Auto-recover |
| prod-nhc-app | System status check | Auto-recover |
| prod-nhc-foursites | System status check | Auto-recover |
| prod-nhc-gitlab-runner | System status check | Auto-recover |

ALB Health Checks

| ALB | Health Check Path | Interval | Healthy Threshold |
|---|---|---|---|
| Django | /ping/ (API), /health (Portal) | 30s | 2 |
| WordPress | / | 30s | 2 |
| Foursites | / | 30s | 2 |

Logging
CloudTrail
- Trail: nhc-cloudtrail — logs all API calls to S3
- S3 Bucket: nhc-cloudtrail-* (encrypted with KMS)
- Multi-region: Enabled
WAF Logs

| Web ACL | Log Group | Retention |
|---|---|---|
| prod-nhc-django | aws-waf-logs-prod-nhc-django | 90 days |
| prod-nhc-foursites | aws-waf-logs-prod-nhc-foursites | 30 days |

Security Services

| Service | Status | Purpose |
|---|---|---|
| GuardDuty | ✅ Enabled | Threat detection |
| Security Hub | ✅ Enabled | Compliance posture |
| AWS Config | ✅ Enabled | Configuration compliance |
| CloudTrail | ✅ Enabled | API audit trail |