ClaudeWave
Skill, 171 repo stars, updated 1mo ago

AWS Cloud Infrastructure

Deploy Node.js applications on AWS using EC2, RDS, and managed services with security best practices. Apply when setting up AWS infrastructure, configuring databases, managing security, or optimizing costs.

Install in Claude Code

```bash
git clone --depth 1 https://github.com/ThamJiaHe/claude-code-handbook /tmp/aws-cloud-infrastructure && cp -r /tmp/aws-cloud-infrastructure/skills/examples/aws-cloud-infrastructure- ~/.claude/skills/aws-cloud-infrastructure
```

Then open a new Claude Code session; the skill loads automatically.

aws-cloud-infrastructure-skill.md

# AWS Cloud Infrastructure

Systematic AWS deployment for Node.js applications ensuring scalability, security, and cost efficiency.

## Overview

This Skill enforces:
- EC2 instance configuration and security
- RDS (Relational Database Service) setup
- IAM roles and least-privilege access
- Environment variable and secrets management
- Auto-scaling and load balancing
- Security group and network configuration
- CloudWatch monitoring

Apply when deploying to AWS, configuring databases, or managing cloud infrastructure.

## Deployment Workflow

**Every AWS deployment follows this process**:

```
Step 1: Create EC2 Instance
  ↓
Step 2: Configure Security Groups
  ↓
Step 3: Install Node.js and dependencies
  ↓
Step 4: Deploy application with PM2
  ↓
Step 5: Set up RDS database
  ↓
Step 6: Configure environment variables
  ↓
Step 7: Set up monitoring and scaling
```

## Step 1: EC2 Instance Setup

### Launch EC2 Instance

```bash
# Using AWS CLI. --security-groups takes group *names* (default VPC only);
# for a group in a non-default VPC use --security-group-ids sg-xxxxx.
# HttpTokens=required enforces IMDSv2, so a plain GET issued through a
# request-forgery bug in the app cannot fetch the instance role's credentials.
aws ec2 run-instances \
  --image-id ami-0c55b159cbfafe1f0 \
  --instance-type t3.micro \
  --key-name your-key-pair \
  --security-groups your-security-group \
  --metadata-options "HttpTokens=required,HttpEndpoint=enabled"
```

### Instance Types by Use Case

- **Development**: t3.micro (free tier eligible)
- **Production**: m5.large or c5.xlarge (more CPU/memory)
- **High-traffic**: c6i.2xlarge or m6i.2xlarge

### SSH into Instance

```bash
ssh -i "your-key.pem" ubuntu@<ec2-public-ip>
```

### Install Node.js and Dependencies

```bash
sudo apt update
# nginx, git and curl come from apt; Node itself comes from NVM below, because
# Ubuntu's packaged nodejs/npm are usually several major versions behind
sudo apt install nginx git curl -y

# Install NVM for Node version management
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash

# Load NVM into the current shell
export NVM_DIR="$HOME/.nvm"
source "$NVM_DIR/nvm.sh"

# Install Node 20 (LTS)
nvm install 20
nvm use 20
```

## Step 2: Security Groups Configuration

### Configure Security Group Rules

```
Inbound Rules:
- SSH (port 22): Only from your IP
- HTTP (port 80): From 0.0.0.0/0
- HTTPS (port 443): From 0.0.0.0/0
- Custom TCP (your app port): From Load Balancer

Outbound Rules:
- Allow all traffic
```

### Using AWS CLI

```bash
# Allow SSH from specific IP
aws ec2 authorize-security-group-ingress \
  --group-id sg-xxxxx \
  --protocol tcp \
  --port 22 \
  --cidr YOUR_IP/32

# Allow HTTP
aws ec2 authorize-security-group-ingress \
  --group-id sg-xxxxx \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

# Allow HTTPS
aws ec2 authorize-security-group-ingress \
  --group-id sg-xxxxx \
  --protocol tcp \
  --port 443 \
  --cidr 0.0.0.0/0
```
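A check worth running after those rules are applied, added here as an example and not part of the skill file: feed the JSON from `aws ec2 describe-security-groups --group-ids sg-xxxxx --output json` to this auditor and it reports every inbound rule that departs from the policy above (SSH only from one address, only 80 and 443 public, the app port only from the load balancer). The two sample groups, the app port 3000 and the load-balancer group id `sg-lb-xxxxx` are constructed placeholders.

```javascript
// Added example (not from the skill file): audit one security group's inbound
// rules against the inbound policy stated in Step 2. Input shape matches
// `aws ec2 describe-security-groups --output json`; the sample groups below are
// constructed, and the app port and load-balancer group id are assumptions.

const POLICY = {
  sshPort: 22,
  appPort: 3000,                   // assumption: the PORT used in the .env example
  publicPorts: new Set([80, 443]), // the only ports allowed open to the world
  loadBalancerSgId: "sg-lb-xxxxx", // assumption: placeholder for the load balancer's group
};
const ANYWHERE = new Set(["0.0.0.0/0", "::/0"]);

// Port range of a permission; IpProtocol "-1" means every protocol and port.
function portRange(perm) {
  return perm.IpProtocol === "-1" ? { from: 0, to: 65535 } : { from: perm.FromPort, to: perm.ToPort };
}
function covers(perm, port) {
  const r = portRange(perm);
  return r.from <= port && port <= r.to;
}

// Returns human-readable findings; an empty list means the group is compliant.
function auditSecurityGroup(group) {
  const findings = [];
  for (const perm of group.IpPermissions || []) {
    const cidrs = [
      ...(perm.IpRanges || []).map((r) => r.CidrIp),
      ...(perm.Ipv6Ranges || []).map((r) => r.CidrIpv6),
    ];
    const sourceGroups = (perm.UserIdGroupPairs || []).map((p) => p.GroupId);
    const worldOpen = cidrs.filter((c) => ANYWHERE.has(c));
    const { from, to } = portRange(perm);

    if (perm.IpProtocol === "-1") {
      findings.push(`rule allows all protocols and ports from ${[...cidrs, ...sourceGroups].join(", ")}; scope it to specific ports`);
      continue;
    }
    if (covers(perm, POLICY.sshPort) && worldOpen.length) {
      findings.push(`SSH (22) reachable from ${worldOpen.join(", ")}; restrict it to your IP/32`);
    } else if (covers(perm, POLICY.appPort)) {
      if (cidrs.length) findings.push(`app port ${POLICY.appPort} open to ${cidrs.join(", ")}; allow only the load balancer security group`);
      for (const sg of sourceGroups) {
        if (sg !== POLICY.loadBalancerSgId) findings.push(`app port ${POLICY.appPort} reachable from unexpected group ${sg}`);
      }
    } else if (worldOpen.length && !(from === to && POLICY.publicPorts.has(from))) {
      findings.push(`ports ${from}-${to} open to ${worldOpen.join(", ")}; only 80 and 443 may be public`);
    }
  }
  return findings;
}

// Constructed sample: a group after "open everything to get it working".
const RISKY_GROUP = {
  GroupId: "sg-ec2-xxxxx",
  IpPermissions: [
    { IpProtocol: "tcp", FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: "0.0.0.0/0" }], Ipv6Ranges: [], UserIdGroupPairs: [] },
    { IpProtocol: "tcp", FromPort: 80, ToPort: 80, IpRanges: [{ CidrIp: "0.0.0.0/0" }], Ipv6Ranges: [{ CidrIpv6: "::/0" }], UserIdGroupPairs: [] },
    { IpProtocol: "tcp", FromPort: 443, ToPort: 443, IpRanges: [{ CidrIp: "0.0.0.0/0" }], Ipv6Ranges: [{ CidrIpv6: "::/0" }], UserIdGroupPairs: [] },
    { IpProtocol: "tcp", FromPort: 3000, ToPort: 3000, IpRanges: [{ CidrIp: "0.0.0.0/0" }], Ipv6Ranges: [], UserIdGroupPairs: [{ GroupId: "sg-lb-xxxxx" }] },
    { IpProtocol: "tcp", FromPort: 5432, ToPort: 5432, IpRanges: [{ CidrIp: "0.0.0.0/0" }], Ipv6Ranges: [], UserIdGroupPairs: [] },
  ],
};
// Constructed sample: the same group after applying the Step 2 rules
// (203.0.113.10 is a documentation address standing in for "your IP").
const HARDENED_GROUP = {
  GroupId: "sg-ec2-xxxxx",
  IpPermissions: [
    { IpProtocol: "tcp", FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: "203.0.113.10/32" }], Ipv6Ranges: [], UserIdGroupPairs: [] },
    { IpProtocol: "tcp", FromPort: 80, ToPort: 80, IpRanges: [{ CidrIp: "0.0.0.0/0" }], Ipv6Ranges: [{ CidrIpv6: "::/0" }], UserIdGroupPairs: [] },
    { IpProtocol: "tcp", FromPort: 443, ToPort: 443, IpRanges: [{ CidrIp: "0.0.0.0/0" }], Ipv6Ranges: [{ CidrIpv6: "::/0" }], UserIdGroupPairs: [] },
    { IpProtocol: "tcp", FromPort: 3000, ToPort: 3000, IpRanges: [], Ipv6Ranges: [], UserIdGroupPairs: [{ GroupId: "sg-lb-xxxxx" }] },
  ],
};

console.log("risky:", auditSecurityGroup(RISKY_GROUP));       // three findings
console.log("hardened:", auditSecurityGroup(HARDENED_GROUP)); // []
```

In a deploy pipeline, pipe the CLI output through `JSON.parse(stdout).SecurityGroups[0]` into `auditSecurityGroup` and fail the job on a non-empty findings list; that catches the "temporarily open port 22" change that never gets reverted.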

## Step 3: Deploy Application

### Clone Repository and Install Dependencies

```bash
git clone https://github.com/your-repo/project.git
cd project

npm ci  # Install exact versions from package-lock.json
```

### Setup Environment Variables

```bash
# Create .env file. The password here is a placeholder; Step 6 replaces it with
# a value fetched from Secrets Manager so nothing secret is stored on disk.
cat > .env << EOF
NODE_ENV=production
DATABASE_URL=postgresql://user:password@your-rds-endpoint:5432/dbname
PORT=3000
EOF
chmod 600 .env  # readable only by the deploy user

# Verify .env is ignored by git: match the whole line, since a bare ".env"
# pattern is a regex that also matches "aenv" and "openvpn"
grep -qx '.env' .gitignore || echo "WARNING: add .env to .gitignore"
git check-ignore -q .env && echo ".env will not be committed"
```

### Install PM2 Process Manager

```bash
npm install -g pm2

# Start application
pm2 start npm --name "myapp" -- start

# Register PM2 as a boot service: `pm2 startup` prints a sudo command tailored
# to this user and shell; run that command, then save the process list
pm2 startup
pm2 save
```

### Verify Application Running

```bash
curl http://localhost:3000
```

## Step 4: Set Up Nginx Reverse Proxy

### Configure Nginx

```nginx
# /etc/nginx/sites-available/default
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

### Enable and Test Nginx

```bash
sudo nginx -t                      # Test configuration before (re)starting
sudo systemctl enable --now nginx  # Start now and on every boot
sudo systemctl reload nginx        # Pick up the new site config without dropping connections
```

## Step 5: RDS Database Setup

### Create RDS Instance

```bash
# A master password given on the command line ends up in shell history; prefer
# --manage-master-user-password, which has RDS generate it and store it in
# Secrets Manager. "admin" is a reserved master username for PostgreSQL on RDS,
# so use another name. Boolean flags take no value: "--publicly-accessible
# false" is rejected, the negative form is --no-publicly-accessible.
aws rds create-db-instance \
  --db-instance-identifier mydb \
  --db-instance-class db.t3.micro \
  --engine postgres \
  --master-username dbadmin \
  --master-user-password YourPasswordHere \
  --allocated-storage 20 \
  --storage-encrypted \
  --vpc-security-group-ids sg-rds-xxxxx \
  --no-publicly-accessible
```

### Configure RDS Security Group

```bash
# Allow EC2 to access RDS: the source is the EC2 security group, not a CIDR,
# so only instances in that group can reach port 5432
aws ec2 authorize-security-group-ingress \
  --group-id sg-rds-xxxxx \
  --protocol tcp \
  --port 5432 \
  --source-security-group-id sg-ec2-xxxxx
```

### Get RDS Endpoint

```bash
aws rds describe-db-instances \
  --db-instance-identifier mydb \
  --query 'DBInstances[0].Endpoint.Address' \
  --output text   # unquoted hostname, ready to paste into DATABASE_URL
```

### Connect to RDS

```bash
# The instance is not publicly accessible, so run this from the EC2 host.
# PGSSLMODE=require makes psql refuse a plaintext connection.
PGSSLMODE=require psql -h mydb.xxxxxx.us-east-1.rds.amazonaws.com \
     -U dbadmin \
     -d postgres
```

## Step 6: Secrets Management

### MUST NOT: Hardcode Secrets

Use AWS Secrets Manager or Parameter Store:

```bash
# Store in Secrets Manager
aws secretsmanager create-secret \
  --name prod/database/password \
  --secret-string YourSecurePassword

# Retrieve secret
aws secretsmanager get-secret-value \
  --secret-id prod/database/password
```

### Environment Variable Best Practices

```ts
// ✅ GOOD: Use environment variables
const dbPassword = process.env.DATABASE_PASSWORD;
const apiKey = process.env.API_KEY;

// ❌ BAD: Hardcoded secrets
const dbPassword = 'MyPassword123';
const apiKey = 'sk-1234567890';
```
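Reading `process.env.DATABASE_PASSWORD` only moves the problem to whoever populates the environment. The block below, an added example that is not part of the skill file, closes the loop with the Secrets Manager entry created above: the application fetches the credential at startup and assembles `DATABASE_URL` itself, so the password never sits in `.env` or in shell history. The secret name `prod/database/password` is the page's; the JSON field names inside the secret are an assumption (`username`/`password` follow the format RDS writes when it manages the master password, and `host`, `port`, `dbname` are added for this example). The Secrets Manager client is injected so the logic can be exercised offline against the constructed fake at the bottom.

```javascript
// Added example (not from the skill file): fetch database credentials from
// AWS Secrets Manager at startup and build DATABASE_URL from them. In
// production pass  new SecretsManagerClient({ region })  and
// (input) => new GetSecretValueCommand(input)  from @aws-sdk/client-secrets-manager;
// here a constructed fake stands in so the code runs offline.

const REQUIRED_FIELDS = ["username", "password", "host", "port", "dbname"];

// Validate a GetSecretValue response before anything uses it: a missing field
// should fail the deploy loudly, not produce a half-built connection string.
function parseDbSecret(response) {
  if (typeof response.SecretString !== "string") {
    throw new Error("secret has no SecretString (binary secrets are not handled here)");
  }
  let secret;
  try {
    secret = JSON.parse(response.SecretString);
  } catch (err) {
    throw new Error("secret is not valid JSON");
  }
  for (const field of REQUIRED_FIELDS) {
    if (secret[field] === undefined || secret[field] === "") {
      throw new Error(`secret is missing required field "${field}"`);
    }
  }
  return secret;
}

// Build a libpq-style URL. Generated passwords routinely contain '@', '/', ':'
// or '#', which the URL parser treats as delimiters unless percent-encoded.
function buildDatabaseUrl(secret) {
  const user = encodeURIComponent(secret.username);
  const pass = encodeURIComponent(secret.password);
  return `postgresql://${user}:${pass}@${secret.host}:${secret.port}/${secret.dbname}?sslmode=require`;
}

// client: anything with send(command) -> Promise<response>
// makeCommand: builds the GetSecretValue command for that client
async function loadDatabaseUrl(client, makeCommand, secretId = "prod/database/password") {
  const response = await client.send(makeCommand({ SecretId: secretId }));
  return buildDatabaseUrl(parseDbSecret(response));
}

// --- Constructed fake standing in for Secrets Manager (offline demo only) ---
const FAKE_SECRET_STORE = {
  "prod/database/password": JSON.stringify({
    username: "dbadmin",
    password: "p@ss/w:rd#1", // deliberately full of URL delimiters
    host: "mydb.xxxxxx.us-east-1.rds.amazonaws.com",
    port: 5432,
    dbname: "appdb",
  }),
};
const fakeClient = {
  async send(command) {
    const value = FAKE_SECRET_STORE[command.input.SecretId];
    if (value === undefined) throw new Error("ResourceNotFoundException");
    return { SecretString: value };
  },
};
const fakeCommand = (input) => ({ input });

loadDatabaseUrl(fakeClient, fakeCommand).then((url) => {
  process.env.DATABASE_URL = url; // hand it to the pg client from here, never log it
  console.log("DATABASE_URL assembled for host", new URL(url).hostname);
});
```

Because the value is fetched with the instance role's credentials (Step 6, IAM Role for EC2), rotating the secret in Secrets Manager and restarting the PM2 process is the whole rotation procedure; no file on the host changes.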

### IAM Role for EC2

```bash
# Create IAM role with least privilege; trust-policy.json is the standard EC2
# service trust document (Principal ec2.amazonaws.com, Action sts:AssumeRole)
aws iam create-role \
  --role-name EC2-App-Role \
  --assume-role-policy-document file://trust-policy.json

# Attach permissions. AmazonRDSReadOnlyAccess only covers RDS control-plane
# calls (describe instances, snapshots); database logins still use the DB
# credentials, and reading those from Secrets Manager needs its own policy
# scoped to that one secret ARN rather than a broad managed policy.
aws iam attach-role-policy \
  --role-name EC2-App-Role \
  --policy-arn arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess

# EC2 cannot use a role directly: wrap it in an instance profile and
# associate that profile with the instance
aws iam create-instance-profile --instance-profile-name EC2-App-Profile
aws iam add-role-to-instance-profile \
  --instance-profile-name EC2-App-Profile --role-name EC2-App-Role
aws ec2 associate-iam-instance-profile \
  --instance-id i-xxxxx --iam-instance-profile Name=EC2-App-Profile
```
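The managed policy attached above says nothing about Secrets Manager, so the role still cannot read `prod/database/password`. Here, as an added example that is not part of the skill file, is a permissions policy scoped to exactly what the application on the instance needs: read that one secret, and write its own log group. The account id `123456789012` is the standard documentation placeholder, `/myapp` is an assumed log group name, and the `-*` suffix on the secret ARN is required because Secrets Manager appends six random characters to every secret's ARN.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyTheAppDatabaseSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/database/password-*"
    },
    {
      "Sid": "ShipApplicationLogsToCloudWatch",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/myapp/*"
    }
  ]
}
```

Save it as `app-policy.json` (assumed file name) and attach it inline with `aws iam put-role-policy --role-name EC2-App-Role --policy-name app-least-privilege --policy-document file://app-policy.json`. Anything the role is later found to need gets added as a further statement with a specific `Resource`; a `"Resource": "*"` on `secretsmanager:GetSecretValue` would let a compromised instance read every secret in the account.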

## Step 7: Monitoring and Logging

### CloudWatch Configuration

```bash
# View application logs
pm2 logs myapp

# Ship logs to CloudWatch with the unified CloudWatch agent. The legacy
# "awslogs" package is not in Ubuntu's apt repositories; install the agent
# .deb published by Amazon instead (the instance role needs logs:PutLogEvents
# and the related logs:* permissions for the app's log group)
curl -O https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
sudo dpkg -i amazon-cloudwatch-agent.deb

# Check CloudWatch metrics
aws cloudwatch get-metric-statistics \
  --namespa
```