Version: v1.1

Required AWS Services

This page catalogs every AWS service required for an AosCloud deployment. Use it to prepare your AWS account, request service quota increases, and understand which services are mandatory versus optional before beginning infrastructure provisioning.

Service Catalog

The following table lists every AWS service required for an AosCloud deployment. Services are grouped by function and marked as mandatory or optional.

| Service | Purpose | Status | Category |
| --- | --- | --- | --- |
| Amazon EKS | Managed Kubernetes cluster with node groups | Mandatory | Compute |
| EC2 (Node Groups) | EKS worker nodes (managed via EKS launch templates) | Mandatory | Compute |
| Amazon VPC | Single-VPC network isolation for all resources | Mandatory | Networking |
| VPC Subnets | Subnet layout across availability zones | Mandatory | Networking |
| VPC Endpoints | Private connectivity to AWS services (12 endpoints) | Mandatory | Networking |
| Security Groups | Network access control between resource tiers | Mandatory | Networking |
| Subnet Groups | Grouped subnets for managed database services | Mandatory | Networking |
| Amazon CloudFront | CDN for S3-hosted Deployable Items and static assets | Mandatory | Networking |
| AWS WAFv2 | Web application firewall for CloudFront (IP reputation, common rules, bad inputs) | Mandatory | Networking |
| Application Load Balancer | Public ingress to EKS via AWS Load Balancer Controller | Mandatory | Networking |
| Aurora PostgreSQL | Primary relational data store (cluster mode) | Mandatory | Database |
| Amazon DocumentDB | MongoDB-compatible alert data storage | Mandatory | Database |
| Amazon ElastiCache (Redis) | Caching, session management, and pub/sub messaging | Mandatory | Database |
| Amazon S3 | Aos artifact storage, logs, backups, Helm charts | Mandatory | Storage |
| Amazon EFS | Persistent storage for InfluxDB metrics (mounted into EKS pods) | Mandatory | Storage |
| Amazon ECR | Container registry for all microservice images and external dependencies | Mandatory | Storage |
| AWS KMS | Customer-managed encryption keys for data at rest | Mandatory | Security |
| AWS Secrets Manager | Application credentials, certificates, and configuration | Mandatory | Security |
| IAM Roles | EKS Pod Identity or IRSA service accounts, admin roles | Mandatory | Security |
| AWS Backup | Daily backup vault for S3, DocumentDB, PostgreSQL, EBS volumes | Mandatory | Security |
| Amazon SES | Transactional email (registration, sign-in links, notifications) | Mandatory | Messaging |
| Amazon CloudWatch Logs | EKS container insights, FluentBit log forwarding | Mandatory | Monitoring |
| AWS CloudTrail | API audit logging for S3 and ECR calls | Optional | Monitoring |
| AWS Resource Groups | Logical grouping of tagged resources for management | Mandatory | Management |

Compute

Amazon EKS

The core compute platform. A managed Kubernetes cluster runs all AosCloud microservices as containerized workloads.

  • Node groups: Managed node groups with configurable instance types and auto-scaling
  • Addons: EBS CSI driver, CoreDNS, kube-proxy, VPC CNI (deployed as EKS-managed addons)
  • Pod Identity / IRSA: EKS Pod Identity (modern) or IRSA via OIDC provider (legacy) grants pods access to AWS services through IAM role associations
  • Launch template: Custom launch template with 50 GB EBS volumes

Networking

VPC Architecture

AosCloud deploys into a single VPC with a default CIDR of 10.231.0.0/16. The VPC hosts all compute, database, and storage resources.

  • Key resources: Internet gateway, default route table, default security group, default network ACL

Twelve VPC endpoints provide private connectivity to AWS services without traversing the public internet:

| Endpoint | Service |
| --- | --- |
| EC2 | Instance metadata and management |
| ECR API | Container registry API calls |
| ECR DKR | Container image pull (Docker) |
| CloudWatch Logs | Log forwarding |
| STS | Security token service (IRSA) |
| Elastic Load Balancing | Load balancer management |
| Auto Scaling | Node group scaling |
| Secrets Manager | Secret retrieval |
| RDS | Database management |
| S3 | Object storage (gateway endpoint) |
| ElastiCache | Redis cluster management |
| SES SMTP | Email sending |
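Before provisioning, it is worth confirming that all twelve endpoints exist in the right VPC, with the right type, and are in the `available` state. The following is an added example (not part of the AosCloud documentation or tooling) that consumes the response dict of boto3's `ec2.describe_vpc_endpoints()` and reports deviations from the table above. The region, VPC id and the sample response are constructed; the service names follow AWS's `com.amazonaws.<region>.<service>` convention.

```python
"""Inventory check for the twelve VPC endpoints listed above.

Added example, not AosCloud code. Consumes the response shape of boto3's
ec2.describe_vpc_endpoints(); the sample response is constructed and shows a
partially provisioned VPC.
"""

REGION = "eu-central-1"            # assumed primary region
VPC_ID = "vpc-0123456789abcdef0"   # constructed VPC id

# Documented endpoint -> (service name suffix, expected endpoint type).
REQUIRED_ENDPOINTS = {
    "EC2": ("ec2", "Interface"),
    "ECR API": ("ecr.api", "Interface"),
    "ECR DKR": ("ecr.dkr", "Interface"),
    "CloudWatch Logs": ("logs", "Interface"),
    "STS": ("sts", "Interface"),
    "Elastic Load Balancing": ("elasticloadbalancing", "Interface"),
    "Auto Scaling": ("autoscaling", "Interface"),
    "Secrets Manager": ("secretsmanager", "Interface"),
    "RDS": ("rds", "Interface"),
    "S3": ("s3", "Gateway"),       # the page specifies a gateway endpoint
    "ElastiCache": ("elasticache", "Interface"),
    "SES SMTP": ("email-smtp", "Interface"),
}


def service_name(suffix, region=REGION):
    return f"com.amazonaws.{region}.{suffix}"


def audit_vpc_endpoints(response, vpc_id=VPC_ID, region=REGION):
    """Return (missing, wrong_type, not_available) lists of endpoint labels."""
    present = {}
    for ep in response.get("VpcEndpoints", []):
        if ep.get("VpcId") == vpc_id:          # ignore endpoints of other VPCs
            present[ep["ServiceName"]] = ep
    missing, wrong_type, not_available = [], [], []
    for label, (suffix, expected_type) in REQUIRED_ENDPOINTS.items():
        ep = present.get(service_name(suffix, region))
        if ep is None:
            missing.append(label)
            continue
        if ep.get("VpcEndpointType") != expected_type:
            wrong_type.append(label)
        if ep.get("State") != "available":
            not_available.append(label)
    return missing, wrong_type, not_available


def _endpoint(suffix, ep_type="Interface", state="available", vpc_id=VPC_ID):
    """Build one constructed describe_vpc_endpoints() entry."""
    return {
        "VpcEndpointId": "vpce-" + suffix.replace(".", ""),
        "VpcId": vpc_id,
        "ServiceName": service_name(suffix),
        "VpcEndpointType": ep_type,
        "State": state,
    }


# Constructed sample: RDS was created in another VPC, S3 was created as an
# interface endpoint instead of a gateway, and SES SMTP is still pending.
SAMPLE_RESPONSE = {"VpcEndpoints": [
    _endpoint("ec2"), _endpoint("ecr.api"), _endpoint("ecr.dkr"),
    _endpoint("logs"), _endpoint("sts"), _endpoint("elasticloadbalancing"),
    _endpoint("autoscaling"), _endpoint("secretsmanager"),
    _endpoint("rds", vpc_id="vpc-0fedcba9876543210"),
    _endpoint("s3", ep_type="Interface"),
    _endpoint("elasticache"),
    _endpoint("email-smtp", state="pending"),
]}


if __name__ == "__main__":
    # With a real client:
    # response = boto3.client("ec2", region_name=REGION).describe_vpc_endpoints(
    #     Filters=[{"Name": "vpc-id", "Values": [VPC_ID]}])
    missing, wrong_type, pending = audit_vpc_endpoints(SAMPLE_RESPONSE)
    print("missing:", missing)
    print("wrong type:", wrong_type)
    print("not available:", pending)
```

Run against the sample it reports RDS missing, S3 with the wrong type and SES SMTP not yet available; an empty VPC reports all twelve as missing. An interface endpoint for S3 would still work, but it is not the layout the page describes and is billed differently, so the check flags it.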

CloudFront + WAFv2

A CloudFront distribution serves S3-hosted Deployable Items (services, layers, components) and static assets with WAFv2 protection:

  • WAF rules: IP Reputation List, Common Rule Set, Known Bad Inputs Rule Set (all AWS-managed)
  • Origin: S3 backend bucket with OAC (Origin Access Control)
  • Logging: Access logs written to infrastructure S3 bucket

Database

Aurora PostgreSQL (Cluster Mode)

The primary relational data store for AosCloud. Provisioned as an Aurora PostgreSQL cluster (not standalone RDS) with the following characteristics:

  • Cluster mode: Multi-AZ writer with read replicas (Aurora cluster, not single-instance RDS)
  • Encryption: KMS customer-managed key for encryption at rest
  • Subnet group: Distributed across 3 availability zones
  • Backup: 7-day automated snapshots plus AWS Backup daily continuous backup

Important

AosCloud requires Aurora PostgreSQL in cluster mode, not standalone Amazon RDS for PostgreSQL. Using a standalone RDS instance is not supported.

Amazon DocumentDB

MongoDB-compatible document database used for alert data storage. DocumentDB provides MongoDB wire-protocol compatibility while running as a fully managed AWS service.

  • Port: 27017
  • Encryption: KMS customer-managed key
  • Authentication: SCRAM-SHA-256 with TLS enabled
  • Replica set: rs0 with secondary-preferred read preference
  • Subnet group: Distributed across 3 availability zones
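The settings above translate directly into client connection options. The following is an added example, not AosCloud code: it builds a DocumentDB connection URI in standard MongoDB URI syntax with the documented port, TLS, SCRAM-SHA-256, replica set and read preference, and validates an arbitrary URI against those settings. Hostnames, credentials and the CA bundle path are placeholders. `retryWrites=false` is a DocumentDB requirement the page does not mention (the service does not support retryable writes).

```python
"""Build and validate a DocumentDB connection URI with the documented settings.

Added example, not AosCloud code. Hostnames, credentials and the CA bundle
path are placeholders.
"""
from urllib.parse import parse_qs, quote, urlsplit

DOCDB_PORT = 27017

# Options every client connection must carry, per the list above.
REQUIRED_OPTIONS = {
    "tls": "true",
    "replicaSet": "rs0",
    "readPreference": "secondaryPreferred",
    "authMechanism": "SCRAM-SHA-256",
    "retryWrites": "false",   # DocumentDB does not support retryable writes
}


def build_docdb_uri(user, password, host, port=DOCDB_PORT,
                    ca_file="/etc/ssl/certs/global-bundle.pem"):
    """Return a URI; user and password are percent-encoded so that ':', '@'
    or '/' in a generated password cannot break the URI grammar."""
    creds = f"{quote(user, safe='')}:{quote(password, safe='')}"
    options = dict(REQUIRED_OPTIONS, tlsCAFile=ca_file)
    query = "&".join(f"{key}={value}" for key, value in options.items())
    return f"mongodb://{creds}@{host}:{port}/?{query}"


def check_docdb_uri(uri):
    """Return a list of deviations from the documented connection settings."""
    parts = urlsplit(uri)
    problems = []
    if parts.scheme != "mongodb":
        problems.append(f"unexpected scheme {parts.scheme!r}")
    if parts.port != DOCDB_PORT:
        problems.append(f"port should be {DOCDB_PORT}, got {parts.port}")
    if not parts.username or not parts.password:
        problems.append("username and password are required (SCRAM auth)")
    query = {key: values[0] for key, values in parse_qs(parts.query).items()}
    for key, expected in REQUIRED_OPTIONS.items():
        if query.get(key) != expected:
            problems.append(f"{key} should be {expected!r}, got {query.get(key)!r}")
    if "tlsCAFile" not in query:
        problems.append("tlsCAFile is missing; the DocumentDB CA bundle is "
                        "needed to verify the server certificate")
    return problems


if __name__ == "__main__":
    uri = build_docdb_uri("aos", "p@ss:w0rd/1", "docdb.cluster.example.internal")
    print(uri)
    print("problems:", check_docdb_uri(uri))
```

The validator is useful as a startup assertion in services that read their connection string from the `dbsec` secret: a URI that silently dropped `tls=true` or switched the read preference would otherwise only show up as a connection error or unexpected load on the writer.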

Amazon ElastiCache (Redis)

An in-transit-encrypted Redis 6.x or later cluster providing:

  • Caching: Application-level caching for API and backend services
  • Session management: Distributed session storage for WebSocket and API services
  • Pub/sub: Inter-service messaging for real-time events
  • RabbitMQ metrics: Dedicated Redis database (DB 5) for queue metrics

Single-AZ deployment with password authentication (AUTH token).

Storage

Amazon S3

Two primary S3 buckets serve different roles:

| Bucket | Purpose | KMS Key | Lifecycle Rules |
| --- | --- | --- | --- |
| {name}-backend | Deployable Items, application artifacts, media files | Primary KMS key | None (CloudFront origin) |
| {name}-infra | Helm charts, InfluxDB backups, logs | Infrastructure KMS key | 7-day backup cleanup, 14-day Helm chart versioning |

Both buckets enforce SSE-KMS encryption, versioning, and restricted access policies.
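Encryption, versioning and lifecycle are the three properties a reviewer checks on these buckets, and drift on any of them is easy to miss. The following is an added example, not AosCloud code: an audit over the response dicts of boto3's `s3.get_bucket_encryption()`, `get_bucket_versioning()` and `get_bucket_lifecycle_configuration()`. Bucket names, key ARNs and the object prefixes assumed for the lifecycle rules (`backups/`, `helm/`) are placeholders, and the sample responses are constructed.

```python
"""Posture check for the two AosCloud S3 buckets described above.

Added example, not AosCloud code. Bucket names, key ARNs and lifecycle
prefixes are assumptions; sample responses are constructed.
"""

PRIMARY_KEY_ARN = "arn:aws:kms:eu-central-1:111122223333:key/PRIMARY-KEY-ID-PLACEHOLDER"
INFRA_KEY_ARN = "arn:aws:kms:eu-central-1:111122223333:key/INFRA-KEY-ID-PLACEHOLDER"

# Per bucket: expected key, and prefix -> (lifecycle action, day field, days).
EXPECTED = {
    "aos-backend": {"key": PRIMARY_KEY_ARN, "rules": {}},   # CloudFront origin: no rules
    "aos-infra": {"key": INFRA_KEY_ARN, "rules": {
        "backups/": ("Expiration", "Days", 7),
        "helm/": ("NoncurrentVersionExpiration", "NoncurrentDays", 14),
    }},
}


def audit_bucket(name, encryption, versioning, lifecycle):
    """Return a list of findings; an empty list means the bucket matches the page."""
    expected = EXPECTED[name]
    findings = []

    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    if default.get("SSEAlgorithm") != "aws:kms":
        findings.append("default encryption is not SSE-KMS")
    elif default.get("KMSMasterKeyID") != expected["key"]:
        findings.append("default encryption does not use the expected customer-managed key")

    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled")

    # Index lifecycle rules by prefix (newer rules use Filter.Prefix, older ones Prefix).
    by_prefix = {}
    for rule in lifecycle.get("Rules", []):
        prefix = rule.get("Filter", {}).get("Prefix", rule.get("Prefix", ""))
        by_prefix[prefix] = rule
    for prefix, (action, field, days) in expected["rules"].items():
        rule = by_prefix.get(prefix)
        if rule is None:
            findings.append(f"no lifecycle rule for prefix {prefix!r}")
        elif rule.get("Status") != "Enabled":
            findings.append(f"lifecycle rule for {prefix!r} is disabled")
        elif rule.get(action, {}).get(field) != days:
            findings.append(f"lifecycle rule for {prefix!r} should use {action}.{field} = {days}")
    unexpected = sorted(set(by_prefix) - set(expected["rules"]))
    if unexpected:
        findings.append(f"unexpected lifecycle rules for prefixes {unexpected}")
    return findings


def _sse(key_arn):
    """Constructed get_bucket_encryption() response for an SSE-KMS bucket."""
    return {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                              "KMSMasterKeyID": key_arn},
        "BucketKeyEnabled": True}]}}


# Constructed samples: backend matches; infra has versioning suspended and a
# Helm rule that keeps old chart versions for 30 days instead of 14.
SAMPLES = {
    "aos-backend": (_sse(PRIMARY_KEY_ARN), {"Status": "Enabled"}, {}),
    "aos-infra": (_sse(INFRA_KEY_ARN), {"Status": "Suspended"}, {"Rules": [
        {"ID": "backup-cleanup", "Filter": {"Prefix": "backups/"},
         "Status": "Enabled", "Expiration": {"Days": 7}},
        {"ID": "helm-versions", "Filter": {"Prefix": "helm/"},
         "Status": "Enabled", "NoncurrentVersionExpiration": {"NoncurrentDays": 30}},
    ]}),
}


def audit_all(samples=SAMPLES):
    return {name: audit_bucket(name, *responses) for name, responses in samples.items()}


if __name__ == "__main__":
    for bucket, findings in audit_all().items():
        print(bucket, findings or "OK")
```

With a real client, `get_bucket_lifecycle_configuration()` raises `NoSuchLifecycleConfiguration` for a bucket without rules; catch it and pass `{}` so the backend bucket audits as "no rules expected, none found".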

Amazon EFS

Elastic File System provides persistent storage for InfluxDB time-series metrics data. Mounted into EKS pods via the EFS CSI driver:

  • Access point: /influxdb2 with UID/GID 1000 and 775 permissions
  • Mount targets: Deployed to all EKS pod subnets
  • Encryption: KMS infrastructure key
  • Security group: EKS default security group

Amazon ECR

Elastic Container Registry hosts all container images:

  • AOS service repos (12): alert-handler, api, auth, data-migration, message-handler, management, nginx, service-discovery, unit-monitoring, units-queues-management, websocket-api, unit-message-handler
  • External dependency repos (20+): Istio components, cert-manager, Prometheus, Fluent Bit, CSI drivers, metrics-server, AWS Load Balancer Controller, InfluxDB, etc.
  • Helm chart OCI repo: OCI-format Helm chart storage

All repos enforce VPC-subnet pull restrictions and IAM-based access policies.

Security

AWS KMS

Two customer-managed KMS keys provide encryption at rest:

| Key | Purpose | Encrypted Resources |
| --- | --- | --- |
| Primary ({name}) | Application data encryption | S3 backend, Aurora PostgreSQL, DocumentDB, Secrets Manager |
| Infrastructure ({name}-infra) | Infrastructure data encryption | S3 infrastructure bucket, EFS |

Both keys use custom key policies granting access to admin ARNs, IRSA service account roles, and the backup service.
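A custom key policy is the one place where a typo can lock an account out of its own data, so it is worth generating it from a template and checking it before creation. The following is an added example, not the AosCloud key policy itself: it follows the structure of AWS's default key policy (account root, key administrators, key users, grants for AWS services) with the principals the page names, and a reviewer check that refuses policies missing the root statement, allowing any principal, or naming principals from another account. All account ids and ARNs are placeholders.

```python
"""Key policy generator and lockout check for the customer-managed keys.

Added example, not AosCloud code. Account ids and ARNs are placeholders.
"""
import json

USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                 "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                 "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource",
                 "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]


def build_key_policy(account_id, admin_arns, irsa_role_arns, backup_role_arn):
    users = list(irsa_role_arns) + [backup_role_arn]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Keeps the account able to manage the key through IAM policies;
                # without it the key can become unmanageable.
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowKeyAdministrators",
                "Effect": "Allow",
                "Principal": {"AWS": list(admin_arns)},
                "Action": ADMIN_ACTIONS,
                "Resource": "*",
            },
            {   # IRSA service account roles and the backup role use the key.
                "Sid": "AllowKeyUsers",
                "Effect": "Allow",
                "Principal": {"AWS": users},
                "Action": USE_ACTIONS,
                "Resource": "*",
            },
            {   # Grants may only be created on behalf of AWS services
                # (Aurora, DocumentDB, Backup), not for arbitrary grantees.
                "Sid": "AllowGrantsForAWSResources",
                "Effect": "Allow",
                "Principal": {"AWS": users},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def _principals(statement):
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def check_key_policy(policy, account_id):
    """Return problems a reviewer should block on before the key is created."""
    problems = []
    root = f"arn:aws:iam::{account_id}:root"
    root_ok = any(
        s.get("Effect") == "Allow" and root in _principals(s)
        and (s.get("Action") == "kms:*" or "kms:*" in s.get("Action", []))
        for s in policy.get("Statement", []))
    if not root_ok:
        problems.append("no Allow kms:* statement for the account root: lockout risk")
    for s in policy.get("Statement", []):
        if s.get("Effect") == "Allow" and "*" in _principals(s):
            problems.append(f"statement {s.get('Sid')!r} allows any principal")
        for arn in _principals(s):
            if arn != "*" and f"::{account_id}:" not in arn:
                problems.append(f"statement {s.get('Sid')!r} names foreign principal {arn}")
    return problems


if __name__ == "__main__":
    acct = "111122223333"   # placeholder account id
    policy = build_key_policy(
        acct,
        admin_arns=[f"arn:aws:iam::{acct}:role/AosAdmin"],
        irsa_role_arns=[f"arn:aws:iam::{acct}:role/aos-prod-api-irsa"],
        backup_role_arn=f"arn:aws:iam::{acct}:role/service-role/AWSBackupDefaultServiceRole")
    print(json.dumps(policy, indent=2))
    print("problems:", check_key_policy(policy, acct))
```

The same policy body serves both keys; only the key-user list differs (the infrastructure key needs the EFS CSI and backup principals, the primary key the application and database principals).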

AWS Secrets Manager

All application credentials, certificates, and configuration are stored in Secrets Manager. Multiple secret paths organize credentials by function:

| Secret Path | Contents |
| --- | --- |
| {project}-{env}-appcfg | Application configuration (endpoints, regions, feature flags) |
| {project}-{env}-appsec | Application secrets (Redis passwords, Django keys, certificates) |
| {project}-{env}-dbcfg | Database configuration (host, port, database name) |
| {project}-{env}-dbsec | Database secrets (credentials, connection strings) |
| {project}-{env}-taskcfg | Task service configuration |
| {project}-{env}-tasksec | Task service secrets |
| {project}-{env}-mhcfg | Message handler configuration |
| {project}-{env}-mhsec | Message handler secrets |
| {project}-{env}-sdcfg | Service discovery configuration |
| {project}-{env}-sdsec | Service discovery secrets |
| {project}-{env}-base | Shared infrastructure secrets (all service endpoints, admin credentials) |
| {project}-{env}-ingress | TLS certificates for Istio ingress gateway |
| {project}-{env}-landing | Landing page configuration |
| {project}-{env}-data-services | Alert handler and InfluxDB configuration |
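The naming convention makes it straightforward to verify that an environment has all fourteen secrets and that each is encrypted with the primary customer-managed key (as the AWS KMS section states). The following is an added example, not AosCloud tooling: it derives the expected names from `{project}-{env}-<suffix>` and compares them with the `SecretList` of boto3's `secretsmanager.list_secrets()`. The sample response and key ARN are constructed.

```python
"""Readiness check for the Secrets Manager paths listed above.

Added example, not AosCloud code. Sample response and key ARN are constructed.
"""

SECRET_SUFFIXES = ["appcfg", "appsec", "dbcfg", "dbsec", "taskcfg", "tasksec",
                   "mhcfg", "mhsec", "sdcfg", "sdsec", "base", "ingress",
                   "landing", "data-services"]

PRIMARY_KEY_ARN = "arn:aws:kms:eu-central-1:111122223333:key/PRIMARY-KEY-ID-PLACEHOLDER"


def expected_secret_names(project, env):
    return [f"{project}-{env}-{suffix}" for suffix in SECRET_SUFFIXES]


def _uses_key(secret, key_arn):
    """list_secrets() omits KmsKeyId for secrets under the AWS-managed key;
    accept either the full ARN or the bare key id."""
    key_id = secret.get("KmsKeyId", "")
    return key_id in (key_arn, key_arn.rsplit("/", 1)[-1])


def audit_secrets(response, project, env, primary_key_arn=PRIMARY_KEY_ARN):
    """Return missing, unexpected and wrongly encrypted secret names."""
    prefix = f"{project}-{env}-"
    expected = set(expected_secret_names(project, env))
    found = {s["Name"]: s for s in response.get("SecretList", [])
             if s.get("Name", "").startswith(prefix)}
    return {
        "missing": sorted(expected - set(found)),
        "unexpected": sorted(set(found) - expected),
        "wrong_key": sorted(name for name, s in found.items()
                            if not _uses_key(s, primary_key_arn)),
    }


def _entry(name, key_arn=PRIMARY_KEY_ARN):
    """Constructed SecretList entry; key_arn=None mimics the AWS-managed key."""
    entry = {"Name": name,
             "ARN": f"arn:aws:secretsmanager:eu-central-1:111122223333:secret:{name}-AbCdEf"}
    if key_arn:
        entry["KmsKeyId"] = key_arn
    return entry


# Constructed sample: ingress and tasksec are missing, mhsec uses the
# AWS-managed key, a stray "legacy" secret exists, another project is ignored.
SAMPLE_RESPONSE = {"SecretList": [
    _entry(name) for name in expected_secret_names("aos", "prod")
    if name not in ("aos-prod-ingress", "aos-prod-tasksec", "aos-prod-mhsec")
] + [_entry("aos-prod-mhsec", key_arn=None),
     _entry("aos-prod-legacy"),
     _entry("other-prod-appcfg")]}


if __name__ == "__main__":
    # With a real client, page through
    # secretsmanager.list_secrets(Filters=[{"Key": "name", "Values": ["aos-prod-"]}]).
    print(audit_secrets(SAMPLE_RESPONSE, "aos", "prod"))
```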

AWS Backup

A centralized backup vault with daily backup rules protects stateful resources:

  • Schedule: Daily at 12:00 UTC
  • Retention: 14 days with continuous backup enabled
  • Protected resources: S3 backend bucket, DocumentDB cluster, Aurora PostgreSQL cluster, EKS EBS volumes (tagged)
  • Encryption: KMS-encrypted vault

Messaging

Amazon SES

Amazon Simple Email Service provides transactional email for:

  • User registration: Sign-up confirmation emails with sign-in tokens and related information
  • Notifications: System alerts and administrative notifications
  • Certificate reissuing: Secure certificate recovery and renewal flows

Configured via the SMTP interface (email-smtp.<region>.amazonaws.com). The SES SMTP VPC endpoint ensures email sending remains within the AWS network.

Monitoring

Amazon CloudWatch Logs

Log groups provisioned for:

  • EKS Container Insights: Four log groups (performance, application, host, dataplane)
  • Fluent Bit: Application log forwarding from EKS pods

Log retention is configurable (default: 90 days).

AWS CloudTrail (Optional)

Audit logging for API calls against S3 and ECR resources. Currently disabled, but the configuration remains available.

Management

AWS Resource Groups organize all provisioned resources by tagging convention:

  • Base group: All core infrastructure (group-name: base)

Tags include environment, project, and group-name for filtering in the AWS Console.

Multi-Region Considerations

AosCloud requires resources in two AWS regions for a complete deployment:

| Region | Resources | Reason |
| --- | --- | --- |
| Primary (e.g., eu-central-1) | All infrastructure (VPC, EKS, databases, S3, etc.) | Main deployment region |
| us-east-1 | WAFv2 Web ACL, ACM certificate (if used) | CloudFront global resources must reside in us-east-1 |

The WAFv2 Web ACL requires scope = "CLOUDFRONT", and a Web ACL with that scope must be created in us-east-1 regardless of the primary deployment region.

Note

If you use ACM certificates for CloudFront custom domains, those certificates must also be provisioned in us-east-1.

Service Quotas

The following service quotas may need increases for production deployments:

| Service | Quota | Default | Recommended |
| --- | --- | --- | --- |
| VPC | VPC endpoints per VPC | 20 | 20 (12 used) |
| EKS | Clusters per region | 100 | Sufficient |
| EKS | Managed node groups per cluster | 30 | Sufficient |
| EC2 | Running on-demand instances | Varies by type | Review based on EKS instance type |
| ECR | Repositories per region | 10,000 | Sufficient (35+ repos created) |
| S3 | Buckets per account | 100 | Sufficient |
| Secrets Manager | Secrets per region | 500,000 | Sufficient (15+ secrets) |
| EFS | File systems per account | 1,000 | Sufficient |
| ElastiCache | Nodes per region | 300 | Sufficient |
| DocumentDB | Clusters per region | 40 | Sufficient |
| Aurora | DB clusters per region | 40 | Sufficient |
| CloudFront | Distributions per account | 200 | Sufficient |
| WAFv2 | Web ACLs per region | 100 | Sufficient |
| KMS | CMKs per region | 100 | Sufficient (2 keys) |
| SES | Sending rate | Varies | Review based on expected user registrations |

Tip

Request quota increases before provisioning infrastructure. A failed provisioning mid-way due to quota limits requires manual cleanup. Pay particular attention to EC2 instance limits matching your chosen EKS instance type and scaling configuration.
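The EC2 row is the one most often underestimated because the on-demand quota is counted in vCPUs and must cover every node group at its maximum size. The following is an added example, not AosCloud tooling: it derives the vCPU need from a node group plan, compares planned usage against current quota values, and suggests a request value that keeps a fixed headroom free. The node group plan and current quota values are constructed (in practice the latter come from the Service Quotas API); the vCPU counts per instance type are AWS's published sizes.

```python
"""Pre-provisioning quota review for the table above.

Added example, not AosCloud code. The node group plan and quota values are
constructed; vCPU counts are the published sizes for those instance types.
"""
import math

# vCPUs per instance type (subset of AWS's published sizes).
VCPUS = {"m5.large": 2, "m5.xlarge": 4, "m5.2xlarge": 8,
         "c5.2xlarge": 8, "r5.xlarge": 4}

NODE_GROUPS = [   # constructed plan
    {"name": "system", "instance_type": "m5.xlarge", "max_size": 3},
    {"name": "apps", "instance_type": "m5.2xlarge", "max_size": 6},
]

CURRENT_QUOTAS = {   # constructed; read from Service Quotas in practice
    "VPC endpoints per VPC": 20,
    "EC2 on-demand standard vCPUs": 64,
    "ECR repositories per region": 10000,
    "Secrets Manager secrets per region": 500000,
    "KMS CMKs per region": 100,
}

HEADROOM_PCT = 20   # keep at least 20% of each quota free for scaling events


def planned_vcpus(node_groups):
    """The on-demand quota is counted in vCPUs at maximum scale."""
    return sum(VCPUS[ng["instance_type"]] * ng["max_size"] for ng in node_groups)


def planned_usage(node_groups):
    """Usage implied by the page's counts plus the node group plan."""
    return {
        "VPC endpoints per VPC": 12,
        "EC2 on-demand standard vCPUs": planned_vcpus(node_groups),
        "ECR repositories per region": 35,
        "Secrets Manager secrets per region": 15,
        "KMS CMKs per region": 2,
    }


def quota_review(current, planned, headroom_pct=HEADROOM_PCT):
    """Flag quotas whose planned usage leaves less than headroom_pct free and
    suggest the value that restores that headroom (integer arithmetic only)."""
    requests = []
    for quota, need in planned.items():
        have = current[quota]
        if need * 100 > have * (100 - headroom_pct):
            requests.append({
                "quota": quota,
                "current": have,
                "planned": need,
                "recommended": math.ceil(need * 100 / (100 - headroom_pct)),
            })
    return requests


if __name__ == "__main__":
    for req in quota_review(CURRENT_QUOTAS, planned_usage(NODE_GROUPS)):
        print(f"{req['quota']}: have {req['current']}, plan {req['planned']}, "
              f"request {req['recommended']}")
```

For the constructed plan (3 x m5.xlarge + 6 x m5.2xlarge = 60 vCPUs against a quota of 64) only the EC2 vCPU quota needs a request; every other row in the table has ample margin at the default value.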