Executive Summary
This section of InfraHub provides guidance and reference material for IT administrators and developers on securing public-facing EC2 instances and containerized backends. It demonstrates how traffic can be routed through CDNs such as CloudFront and Fastly, how NGINX validation of a CDN-supplied origin header can limit exposure of the backend, and how TLS encryption and edge-level protections reduce risk. Operational strategies such as automated container refreshes, systemd management, and AMI snapshots are explained as best practices for maintaining security and consistency. All insights are intended as educational examples so readers can apply these concepts to their own AWS architectures; InfraHub does not provide a deployable system.
Security Goals & Challenges
- Protect publicly reachable EC2 instances from direct exposure.
- Serve only requests that arrive via the CDN, enforced by NGINX validation of a CDN-supplied origin header.
- Maintain TLS encryption from browser to CDN; the CDN terminates TLS, so the CDN-to-origin leg is a separate connection that must be configured for HTTPS if that hop is to be protected as well.
- Mitigate DoS attacks at the CDN edge, before traffic reaches the origin.
- Automate secure deployments and container updates using CI/CD.
- Maintain privacy: no user data is collected, logged, or tracked.
System Architecture & Security Controls
Route 53 resolves the site's domain to either CloudFront or Fastly, which forward requests to the EC2 backend. EC2 instances run a container stack: NGINX reverse proxy + Flask backend. A backup EC2 instance exists for manual failover.
- The CDNs terminate TLS, redirect HTTP to HTTPS, and absorb volumetric DoS traffic at the edge before it reaches the origin.
- NGINX serves a request only if it carries the secret origin header that CloudFront or Fastly adds when forwarding to the backend; any request without a valid header gets a 404. This holds only if the secret is high-entropy and the CDN overwrites a client-supplied header of the same name, which CloudFront does for custom origin headers.
- Containers isolate the application from the host filesystem and process namespaces (they still share the host kernel), limiting the attack surface.
- Systemd services automatically refresh containers and clear caches on reboot to prevent drift.
- AWS Systems Manager Session Manager is used for all interactive access, so no SSH port is opened in the security group.
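The origin-header check described above, written out as an added example in Python rather than as the project's own NGINX configuration: a stdlib-only WSGI middleware that the Flask backend (or any WSGI app) can be wrapped in, so the same rule can be enforced a second time behind NGINX and tested locally. The header names, the secret values, the support for two accepted values per header during rotation, and the names CdnOnly, health_app and call are assumptions for illustration; the page does not name them.

```python
"""Origin-header verification as a stdlib-only WSGI middleware.

Added example, not the project's NGINX configuration. Header names, secret
values and helper names are assumptions; the page does not specify them.
"""
from __future__ import annotations

import hmac
from typing import Callable, Iterable, Mapping

# Assumed header names. CloudFront would set the first as a custom origin
# header; Fastly would set the second on the backend request in VCL.
CLOUDFRONT_HEADER = "X-Origin-Verify"
FASTLY_HEADER = "X-Fastly-Verify"
MIN_SECRET_LEN = 32  # 32 random chars is far beyond any online guessing budget


def wsgi_header_name(name: str) -> str:
    """Map an HTTP header name to its WSGI environ key, e.g. HTTP_X_ORIGIN_VERIFY."""
    return "HTTP_" + name.upper().replace("-", "_")


def is_cdn_request(environ: Mapping[str, str],
                   secrets: Mapping[str, Iterable[str]]) -> bool:
    """True iff some CDN header carries one of its accepted secrets.

    Each header may accept several values so a secret can be rotated with no
    downtime: add the new value here, switch the CDN over, then drop the old.
    hmac.compare_digest keeps the comparison constant-time, so a client that
    hits the origin directly cannot recover the secret from response timing.
    """
    for header, accepted in secrets.items():
        supplied = environ.get(wsgi_header_name(header))
        if supplied is None:
            continue
        for secret in accepted:
            if hmac.compare_digest(supplied.encode("utf-8"), secret.encode("utf-8")):
                return True
    return False


class CdnOnly:
    """WSGI middleware: forward to the wrapped app only when a CDN header validates."""

    def __init__(self, app: Callable, secrets: Mapping[str, Iterable[str]]):
        self.secrets = {h: list(v) for h, v in secrets.items()}
        # Fail closed at startup rather than silently accepting weak or empty secrets.
        if not self.secrets or any(
            not vals or any(len(s) < MIN_SECRET_LEN for s in vals)
            for vals in self.secrets.values()
        ):
            raise ValueError("every origin secret must be set and at least "
                             f"{MIN_SECRET_LEN} characters long")
        self.app = app

    def __call__(self, environ, start_response):
        if not is_cdn_request(environ, self.secrets):
            # Same answer as the NGINX rule: a plain 404 that reveals nothing.
            body = b"Not Found"
            start_response("404 Not Found", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def health_app(environ, start_response):
    """Stand-in for the Flask app: a minimal health check page."""
    body = b"ok"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app: Callable, environ: Mapping[str, str]) -> tuple[str, bytes]:
    """Invoke a WSGI app on a constructed environ and return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(dict(environ), start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Constructed secrets and requests for the demo; real values come from the
    # environment or a secrets store, never from the image.
    demo_secrets = {CLOUDFRONT_HEADER: ["cf-" + "a" * 40],
                    FASTLY_HEADER: ["fy-" + "b" * 40]}
    app = CdnOnly(health_app, demo_secrets)
    print(call(app, {"PATH_INFO": "/health"}))                    # direct hit: 404
    print(call(app, {"HTTP_X_ORIGIN_VERIFY": "guess"}))           # spoof attempt: 404
    print(call(app, {"HTTP_X_ORIGIN_VERIFY": "cf-" + "a" * 40}))  # via CloudFront: 200
    print(call(app, {"HTTP_X_FASTLY_VERIFY": "fy-" + "b" * 40}))  # via Fastly: 200
```

In NGINX the same rule is typically a map over $http_x_origin_verify (and the Fastly header) that sets a flag, followed by return 404 in the server block when the flag is unset. Whichever layer enforces it, the check is only as strong as the guarantee that a viewer cannot get a header of that name through the CDN unchanged.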
Operational Security
Deployment and operations are designed to maintain consistency and security:
- AMI snapshots allow instant recovery of both production and backup EC2 instances.
- Containers are pulled fresh on reboot using systemd to prevent stale images.
- NGINX rejects at the origin any request that lacks a valid CDN origin header; the CDN, not NGINX, is the edge.
- Route 53 health checks and failover between CloudFront and Fastly keep the site reachable if one CDN path fails; failover to the backup EC2 instance itself is manual.
- GHCR tokens are stored as GitHub Actions secrets rather than in the repository, so they are never committed to source and are masked in workflow logs.
Privacy & Accessibility
- No personal data is collected or logged; only pre-rendered/static content is served. Holding to this requires that NGINX access logging be disabled or use a format without client IPs, since the default combined log format records them.
- Frontend is lightweight and readable on mobile and desktop devices.
- Health Check page uses simple HTML for clarity and accessibility, compatible with assistive technologies.
Limitations & Future Work
- EC2 remains publicly reachable, so the CDN origin header is the only control between the internet and the backend; future work could include PrivateLink or a private load balancer.
- Manual failover for backup EC2; future improvements could automate scaling and failover.
- IP-restricted security groups are currently impractical because the two CDNs' IP ranges rotate. For CloudFront alone, the AWS-managed prefix list of origin-facing addresses (com.amazonaws.global.cloudfront.origin-facing) can be referenced from a security group and tracks those changes; Fastly publishes its ranges through an API, so covering both CDNs would need automation.
- Deep observability is limited; structured logs, metrics, and error-budget tracking could be added.
- Potential migration to ECS for automated scaling, containerized backends, and independent S3 buckets for rapid recovery.