I migrated this blog from AWS S3 to Cloudflare Pages. Until now, I had been hosting statically on S3 and delivering through CloudFront, but I decided to adopt Cloudflare Pages to simplify management and improve performance.
Amazon S3 Files is a service that allows you to directly mount S3 buckets as an NFS file system on compute resources such as EC2. Data remains stored in S3 while enabling typical file operations (ls, cp, cat, etc.) for reading and writing.
S3 Files is a shared file system built on Amazon EFS, providing file system access to data stored in S3 buckets.
Key features include:
| Item | Description |
|---|---|
| Protocol | NFS 4.1 / 4.2 |
| Supported Compute | EC2, Lambda, ECS, EKS |
| Concurrent Connections | Up to 25,000 compute resources |
| Read Throughput | Up to TB/second |
| IOPS | Over 10 million / bucket |
| Encryption | TLS (in transit) + AWS KMS (at rest) |
| File System Features | POSIX permissions, file locking, read-after-write consistency |
S3 Files automatically loads accessed data to high-performance storage and provides it with low latency.
Data on high-performance storage is automatically deleted after a certain period of inactivity (default 30 days, configurable from 1 to 365 days).
AmazonS3FilesClientFullAccess managed policyTwo IAM roles are required for S3 Files.
Automatically created when using the management console, so this step is not necessary
This is the role that allows S3 Files to access the bucket.
# Create role
aws iam create-role \
--role-name S3Files-FileSystem-Role \
--assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "s3files.amazonaws.com" },
"Action": "sts:AssumeRole"
}
]
}'
# Attach S3 Files client policy
aws iam attach-role-policy \
--role-name S3Files-FileSystem-Role \
--policy-arn arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess
Specify this role with --role-arn when creating the file system.
Failure to attach the IAM role will result in mount failure
Create the following role in CloudShell.
# Create role
aws iam create-role \
--role-name EC2-S3Files-Role \
--assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "ec2.amazonaws.com" },
"Action": "sts:AssumeRole"
}
]
}'
# Attach S3 Files client policy
aws iam attach-role-policy \
--role-name EC2-S3Files-Role \
--policy-arn arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess
# Create and attach instance profile
aws iam create-instance-profile \
--instance-profile-name EC2-S3Files-Profile
aws iam add-role-to-instance-profile \
--instance-profile-name EC2-S3Files-Profile \
--role-name EC2-S3Files-Role
Attach this role to the instance.
Create a general-purpose bucket in the S3 console. You can also use an existing bucket.
However, versioning must be enabled for the bucket.
Creating from the console automatically creates mount targets and access points in all AZs.
Record the output file system ID (e.g., fs-0123456789abcdef0).
In the terminal, execute the following:
# Create mount point
sudo mkdir /mnt/s3files
# Mount
sudo mount -t s3files fs-0123456789abcdef0:/ /mnt/s3files
If the mount fails, execute the following command and retry.
sudo dnf install -y amazon-efs-utils # Amazon Linux, RHEL
# sudo apt install -y amazon-efs-utils (Ubuntu, Debian)
If there is connectivity issue when executing the dnf command, set up an S3 endpoint (gateway) and assign it to the same AZ as the instance.
Ensure that the route table for the S3 endpoint matches the subnet where the instance is located.
To verify the mount:
df -h /mnt/s3files
You should see output similar to the following:
Filesystem Size Used Avail Use% Mounted on
<s3files-dns> 8.0E 129M 8.0E 1% /mnt/s3files
cd /mnt/s3files
# Create a file
sudo sh -c 'echo "Hello, s3 Files!" > test.txt'
# Read the file
cat test.txt
# Create a directory
sudo mkdir test-directory
ls -la
# Copy the file
sudo cp test.txt test-directory/
cd test-directory/
# Check the file list
ls -la
The file you wrote will sync to the S3 bucket in about one minute. You can verify that the object has been created in the S3 console.
aws s3 ls s3://<bucket-name>/
To maintain the mount after a reboot, add the following line to /etc/fstab.
# Add to /etc/fstab
fs-0123456789abcdef0:/ /mnt/s3files s3files _netdev,nofail 0 0
_netdev is an option that ensures the mount occurs after the network connection is established and is required. Adding nofail prevents the instance from becoming unbootable in the event of mount failure.
The pricing for S3 Files is composed of the following components:
It operates on a usage-based pricing model with no provisioning required, and according to AWS, it can achieve cost savings of up to 90% compared to traditional data copying between S3 and file systems.
ls, cat, and cp/etc/fstab ensures persistence after a rebootI am using Amazon Cognito for user authentication in a file storage API built with AWS SAM. Recently, I added login via passkeys (WebAuthn), so I will summarize the configuration details.
To use passkeys with Cognito, the following must all be in place:
| Requirement | Current Configuration |
|---|---|
| UserPool Tier | ESSENTIALS or higher |
| Managed Login | v2 (New login UI) |
| Custom Domain | login.example.com (Used as Relying Party ID) |
Cognito's passkeys will be registered and used through the Managed Login v2 UI. WebAuthn cannot be used with the LITE tier (free), so the ESSENTIALS tier is necessary.
For the first time, log in with a password and register the passkey from the account settings.
After registration, authentication can be done directly via the "Sign in with passkey" button.
The changes made to the template.yaml (SAM template) for adding the passkey amount to just 6 lines.
UserPool:
Type: AWS::Cognito::UserPool
Properties:
# ...
Policies:
PasswordPolicy:
MinimumLength: 8
# ...
MfaConfiguration: "OFF"
UserPool:
Type: AWS::Cognito::UserPool
Properties:
# ...
Policies:
PasswordPolicy:
MinimumLength: 8
# ...
SignInPolicy:
AllowedFirstAuthFactors:
- PASSWORD
- WEB_AUTHN # ← Added passkey
MfaConfiguration: "OFF"
WebAuthnRelyingPartyID: login.example.com # ← Specify RP ID
WebAuthnUserVerification: required # ← Require biometric verification
SignInPolicy.AllowedFirstAuthFactorsThis is the list of authentication methods that can be used during the first authentication step. With only PASSWORD, it allows password-only authentication; adding WEB_AUTHN allows passkeys as an option.
WebAuthnRelyingPartyIDThis is the Relying Party ID (RP ID) for WebAuthn. Passkeys are generated and stored associated with this domain, so it must match the domain serving the actual login page.
In this case, I have directly specified the custom domain login.example.com. If you are using the Cognito default domain (xxx.auth.ap-northeast-1.amazoncognito.com), specify that one.
WebAuthnUserVerificationThis defines the required level of user verification when using passkeys.
| Value | Description |
|---|---|
required | Requires biometric authentication or PIN |
preferred | Prefer user verification but allow even without it |
discouraged | Skip user verification (no biometric, etc.) |
To enhance security, I chose required.
In the Managed Login v2 interface, after configuring the passkey, the "Sign in with passkey" button will be automatically added to the login screen. For initial registration, you can add a passkey from the account settings after logging in with a password.
sam build
sam deploy --no-confirm-changeset
Since the stack name, region, and parameters are defined in samconfig.toml, there is no need to specify options each time.
The key points for enabling passkeys in Cognito are:
WEB_AUTHN to SignInPolicy.AllowedFirstAuthFactorsWebAuthnUserVerification: required to make biometric verification mandatoryWith just 6 lines of changes, passkey login has become available. The convenience of Cognito lies in the ability to gradually transition to passkeys while still retaining passwords.
When using Claude via API, you have more than two options: in addition to calling the Anthropic API directly, you can also use it via AWS Bedrock, Google Vertex AI, or Microsoft Azure (Azure AI Foundry). Base pricing is the same across all routes, but there are differences in batch processing and cloud ecosystem integration.
Unit: USD / 1M tokens (MTok). Information as of March 2026.
| Model | Type | Anthropic API | Bedrock | Vertex AI | Azure |
|---|---|---|---|---|---|
| Claude Opus 4.6 | Input | $5.00 | $5.00 | $5.00 | $5.00 |
| Output | $25.00 | $25.00 | $25.00 | $25.00 | |
| Claude Sonnet 4.6 | Input | $3.00 | $3.00 | $3.00 | $3.00 |
| Output | $15.00 | $15.00 | $15.00 | $15.00 | |
| Claude Haiku 4.5 | Input | $1.00 | $1.00 | $1.00 | $1.00 |
| Output | $5.00 | $5.00 | $5.00 | $5.00 | |
| Claude Sonnet 4.5 | Input | $3.00 | $3.00 | $3.00 | $3.00 |
| Output | $15.00 | $15.00 | $15.00 | $15.00 |
Base pricing is identical across all routes.
Note that Vertex AI regional endpoints carry a 10% surcharge over global endpoint pricing. Bedrock offers Long Context variants as separate SKUs at the same price; on the Anthropic API, Long Context is integrated into the standard models.
Prompt Caching rates are also identical across all routes.
| Model | Cache Type | Anthropic API | Bedrock | Vertex AI | Azure |
|---|---|---|---|---|---|
| Claude Opus 4.6 | 5-min cache write | $6.25 | $6.25 | $6.25 | $6.25 |
| 1-hour cache write | $10.00 | $10.00 | $10.00 | $10.00 | |
| Cache read | $0.50 | $0.50 | $0.50 | $0.50 | |
| Claude Sonnet 4.6 | 5-min cache write | $3.75 | $3.75 | $3.75 | $3.75 |
| 1-hour cache write | $6.00 | $6.00 | $6.00 | $6.00 | |
| Cache read | $0.30 | $0.30 | $0.30 | $0.30 | |
| Claude Haiku 4.5 | 5-min cache write | $1.25 | $1.25 | $1.25 | $1.25 |
| 1-hour cache write | $2.00 | $2.00 | $2.00 | $2.00 | |
| Cache read | $0.10 | $0.10 | $0.10 | $0.10 |
Cache writes come in two TTL tiers: 5-minute (short-term) and 1-hour (long-term). Longer TTL means higher write cost, but for applications with lengthy system prompts that are read repeatedly, the savings on read pricing more than compensate.
Bedrock, Vertex AI, and the Anthropic API all offer an asynchronous batch API at 50% off on-demand pricing. Azure does not explicitly list batch pricing at this time.
| Model | Batch Input | Batch Output |
|---|---|---|
| Claude Opus 4.6 | $2.50 | $12.50 |
| Claude Sonnet 4.6 | $1.50 | $7.50 |
| Claude Haiku 4.5 | $0.50 | $2.50 |
| Claude Sonnet 4.5 | $1.50 | $7.50 |
For large-scale batch workloads (log analysis, embedding generation, etc.), any of these routes can cut costs in half.
| Feature | Anthropic API | Bedrock | Vertex AI | Azure |
|---|---|---|---|---|
| Base pricing | Same | Same | Same | Same |
| Regional surcharge | — | — | +10% (regional) | — |
| Batch processing (50% off) | ○ | ○ | ○ | Not listed |
| Tokyo region | — | ○ | ○ | — |
| IAM / audit log integration | — | AWS | Google Cloud | Azure |
| VPC / PrivateLink | — | ○ | ○ | ○ |
| Billing integration | Anthropic direct | AWS | Google Cloud | Azure |
| New feature rollout speed | Fastest | Delayed | Delayed | Delayed |
New features (such as Extended Thinking) roll out to the Anthropic API first; Vertex AI, Bedrock, and Azure typically follow weeks later.
I wanted to add a comment section to this blog, so instead of using an off-the-shelf solution like Disqus or giscus, I built my own API on AWS serverless. Here's a look at the design and implementation.
Requests flow through the following stack:
Browser (www.hikari-dev.com)
↓ HTTPS
API Gateway
├── GET /comment?postId=... → Fetch comments
├── POST /comment → Submit a comment
└── PATCH /comment/{id} → Admin (toggle visibility)
↓
Lambda (Node.js 20 / arm64)
↓
DynamoDB (comment storage)
+ SES v2 (admin email notifications)
The code is written in TypeScript and managed as IaC with SAM (Serverless Application Model). Lambda runs on arm64 (Graviton2) to shave a bit off the cost.
The table is named blog-comments, with postId as the partition key and commentId as the sort key.
| Key | Type | Description |
|---|---|---|
postId | String | Post identifier (e.g. /blog/2026/03/20/hime) |
commentId | String | ULID (lexicographically sortable by time) |
Using ULID for the sort key means comments retrieved with QueryCommand are automatically returned in chronological order — which is why I chose ULID over UUID.
Before writing a comment to DynamoDB, the handler checks it against a keyword list defined in keywords.json.
If a keyword matches, the comment is saved with isHidden: true and isFlagged: "1", hiding it automatically. If nothing matches, it goes live immediately.
isFlagged is used as the key for a Sparse GSI. Comments that pass the filter don't get this attribute at all, which keeps unnecessary partitions from appearing in the index — good for both cost and efficiency. This is achieved simply by setting removeUndefinedValues: true on the DynamoDB Document Client.
export const ddb = DynamoDBDocumentClient.from(client, {
marshallOptions: {
removeUndefinedValues: true,
},
});
Every time a comment is submitted, SES v2 sends me an email containing the author name, body, rating, IP address, and flag status.
The email is sent asynchronously, and any failure is silently swallowed. This keeps the POST response time unaffected by email delivery.
sendCommentNotification(record).catch((err) => {
console.error("sendCommentNotification error:", err);
});
IP addresses and User-Agent strings are stored in DynamoDB for moderation purposes, but they are never included in GET responses. This separation is enforced at the type level.
| Layer | Measure |
|---|---|
| Network | AWS WAF rate limit: 100 req / 5 min / IP |
| CORS | Restricted to https://www.hikari-dev.com |
| Admin API | API Gateway API key auth (X-Api-Key header) |
| Spam | Keyword filter with automatic hiding |
For the admin endpoint (PATCH /comment/{id}), setting ApiKeyRequired: true in the SAM template is all it takes to enable API key authentication — no need to implement a custom Lambda Authorizer.
The serverless setup means no server management, and DynamoDB's on-demand billing keeps costs minimal for a low-traffic personal blog.
The whole thing is packaged with SAM + TypeScript + esbuild, and deploying is as simple as sam build && sam deploy.
I wanted a personal file sharing system, so I built a file storage service using only AWS serverless services.
In this article, I'll walk through the key design decisions and the actual architecture I ended up with.
The cloud storage service that lets you upload, download, and manage folders through a web browser.
Here's the architecture diagram.
Most of the authentication is handled by Cognito. For file transfers, Lambda issues S3 Presigned URLs so the client communicates directly with S3.
| Layer | Technology |
|---|---|
| Backend | C# (.NET 8) / AWS Lambda |
| Authentication | Amazon Cognito + Managed Login v2 |
| API | API Gateway (REST) + Cognito Authorizer |
| Storage | Amazon S3 |
I leveraged Cognito's OAuth 2.0 endpoints and Managed Login to implement authentication.
In the end, I only needed a single Lambda function for auth: TokenFunction.
In terms of both functionality and security, less code is better. There's no need to write what AWS services already do for you.
Routing file uploads and downloads through Lambda introduces several problems:
With Presigned URLs, Lambda only issues the URL — the actual file transfer happens directly between the browser and S3.
Lambda execution time stays in the tens of milliseconds, and the file size limit extends all the way to S3's own limits.
Upload flow:
1. Browser → Lambda: "I want to upload file.pdf! Send me an upload URL."
2. Lambda → Browser: "Here's a Presigned URL. PUT your file here."
3. Browser → S3: "Sending PUT to S3."
4. Browser → Lambda: "Upload complete!"
S3 doesn't have a built-in feature to download an entire folder.
For bulk downloads, I generate a ZIP file in Lambda, temporarily store it in S3, and return a Presigned URL for it.
The temporary ZIP file is automatically deleted after 1 day via an S3 lifecycle rule, so there's no garbage buildup.
| Measure | Implementation |
|---|---|
| Brute-force protection | Cognito's built-in lockout (5 failures: 15-minute lock) |
| API protection | JWT verification via Cognito Authorizer |
| CORS | AllowedOrigin restricted to a specific domain |
| Temporary file management | S3 lifecycle rule auto-deletes files after 1 day |
With a serverless architecture, costs are nearly zero when not in use.
For personal use, monthly costs should land somewhere between a few cents and a couple of dollars.
The entire infrastructure is defined in a single template.yaml (AWS SAM).
Cognito User Pool, API Gateway, 3 Lambda functions, S3 bucket, CloudWatch alarms, SNS — all resources defined in roughly 600 lines of YAML.
PS C:\> aws ec2-instance-connect ssh --instance-id i-0aa38de21acf2aa1c --region ap-south-1
Bad permissions. Try removing permissions for user: \\OWNER RIGHTS (S-1-3-4) on file C:/Users/hikari/AppData/Local/Temp/tmpm9m1bf7j/private-key.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'C:\\Users\\hikari\\AppData\\Local\\Temp\\tmpm9m1bf7j\\private-key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "C:\\Users\\hikari\\AppData\\Local\\Temp\\tmpm9m1bf7j\\private-key": bad permissions
ec2-user@192.168.0.4: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Verification as of 2025/06/11.
PS C:\> wsl -- aws ec2-instance-connect ssh --instance-id i-0aa38de21acf2aa1c --region ap-south-1
, #_
~\_ ####_ Amazon Linux 2023
~~ \_#####\
~~ \###|
~~ \#/ ___ https://aws.amazon.com/linux/amazon-linux-2023
~~ V~' '->
~~~ /
~~._. _/
_/ _/
_/m/'
Last login: Tue Jun 10 22:50:33 2025 from 192.168.0.183
[ec2-user@ip-192-168-0-4 ~]$
Why?
Downgrading allowed connection.
I wish they would fix this.
Reference: https://github.com/aws/aws-cli/issues/9114
msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2-2.17.35.msi
EC2 Instance Connect is a service designed to simplify SSH connections to AWS EC2 instances.
With traditional SSH connection methods, a public key needed to be pre-configured on the instance. However, EC2 Instance Connect allows you to send a temporary SSH public key to the instance to establish a connection. (However, an Instance Connect package needs to be installed, except for some AMIs).
There are several ways to connect to an instance.
Direct connection from the internet requires passing through an Internet Gateway or a NAT Gateway. It also needs a public IP address and cannot be used in a private network environment.
Since the ssh command can be used, it's the simplest method.
ssh <username>@<public IP address>
By using the AWS CLI to connect via an EC2 Instance Connect endpoint, a public IP address is not required.
This also helps save on costs (a few hundred yen per month).
You can connect using a command like the following with the AWS CLI, but you must first import a key pair and configure it for the instance.
For example, a specific connection method is possible with the following command:
aws ec2-instance-connect ssh --private-key-file .ssh/id_ed25519 --os-user <username> --instance-id <instance ID> --connection-type eice
Note: You must first obtain an access key and configure it using aws configure.
This connection method is best if you want to avoid connecting to the internet and wish to use a non-official AMI.
For Amazon Linux and Ubuntu, if you have an Instance Connect endpoint created, you can connect to the instance directly from the Management Console.
However, an Instance Connect package needs to be installed, except for some AMIs.
For details, refer to: https://docs.aws.amazon.com/ja_jp/AWSEC2/latest/UserGuide/ec2-instance-connect-set-up.html
Two endpoints for Session Manager need to be set up, and an IAM role that allows connections from Session Manager must be attached to the instance.
Also, a Session Manager package needs to be installed, except for some AMIs.
Using the serial console allows direct connection to the instance. Be aware that if a password is not set, you won't even be able to log in.
By default, all traffic is allowed, so no specific configuration is needed if using the default settings.
The minimum required settings are as follows:
Inbound rules must allow SSH (port 22).
This allows communication to the instance's SSH server, which typically listens on port 22.
Outbound rules must allow custom TCP (ports 1024-65535).
1024-65535 is the port range used by the client side during an SSH connection.
Inbound rules must allow SSH (port 22).
This setting is absolutely necessary.
Security groups remember communication (stateful), so outbound rules are usually not required.
Not required due to statefulness.
SSH (port 22) must be allowed.
This allows communication to the instance's port 22.
Obtain the AMI from the official page.
https://rockylinux.org/ja-JP/download
Select the architecture for your instance (ARM (aarch64)) and choose AWS AMI under Cloud Images.
Filter by version number to find the appropriate one.
The AMI ID cannot be copied directly, so click the "Deploy" button and copy it from the AWS console.
Searching by AMI ID will show it.
It might be better to filter by owner.
Owner = 792107900819
ssh-keygen -t ed25519 beforehand to create a public key, then import .ssh/id_ed25519.pub into your key pair.aws configure).An Elastic IP is cheaper than a NAT Gateway, so create an Elastic IP.
The network architecture looks like this:
Creating an EC2 Instance Connect Endpoint allows you to log in from the AWS CLI.
Therefore, I launched an instance with the following conditions:
.ssh/id_ed25519.pub)Open your PC's terminal and run the following:
aws ec2-instance-connect ssh --private-key-file .ssh/id_ed25519 --os-user rocky --instance-id i-*****************
The Rocky Linux AMI does not include the Instance Connect package, preventing connections from the Management Console. Therefore, the package must be installed.
Refer to https://docs.aws.amazon.com/ja_jp/AWSEC2/latest/UserGuide/ec2-instance-connect-set-up.html for instructions on downloading the package.
curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_arm64/ec2-instance-connect.rhel8.rpm -o /tmp/ec2-instance-connect.rpm
curl https://amazon-ec2-instance-connect-us-west-2.s3.us-west-2.amazonaws.com/latest/linux_amd64/ec2-instance-connect-selinux.noarch.rpm -o /tmp/ec2-instance-connect-selinux.rpm
sudo dnf install -y /tmp/ec2-instance-connect.rpm /tmp/ec2-instance-connect-selinux.rpm
Once installed, you will be able to access the instance from the Management Console.
I've included the CDK code I created for reference.
Remember to change the keyName (key pair) name.
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
export interface RockyLinuxStackProps extends cdk.StackProps {
}
export class RockyLinuxStack extends cdk.Stack {
public constructor(scope: cdk.App, id: string, props: RockyLinuxStackProps = {}) {
super(scope, id, props);
// Resources
const ec2dhcpOptions = new ec2.CfnDHCPOptions(this, 'EC2DHCPOptions', {
domainName: 'ap-south-1.compute.internal',
domainNameServers: [
'AmazonProvidedDNS',
],
],
});
ec2dhcpOptions.cfnOptions.deletionPolicy = cdk.CfnDeletionPolicy.DELETE;
const ec2InternetGateway = new ec2.CfnInternetGateway(this, 'EC2InternetGateway', {
{
value: 'igw',
key: 'Name',
},
],
});
ec2InternetGateway.cfnOptions.deletionPolicy = cdk.CfnDeletionPolicy.DELETE;
const ec2vpc = new ec2.CfnVPC(this, 'EC2VPC', {
cidrBlock: '10.0.0.0/16',
enableDnsSupport: true,
instanceTenancy: 'default',
enableDnsHostnames: true,
{
value: 'vpc',
key: 'Name',
},
],
});
ec2vpc.cfnOptions.deletionPolicy = cdk.CfnDeletionPolicy.DELETE;
const ec2VPCGatewayAttachment = new ec2.CfnVPCGatewayAttachment(this, 'EC2VPCGatewayAttachment', {
vpcId: ec2vpc.ref,
internetGatewayId: ec2InternetGateway.ref,
});
ec2VPCGatewayAttachment.cfnOptions.deletionPolicy = cdk.CfnDeletionPolicy.DELETE;
const ec2NetworkAcl = new ec2.CfnNetworkAcl(this, 'EC2NetworkAcl', {
vpcId: ec2vpc.ref,
],
});
ec2NetworkAcl.cfnOptions.deletionPolicy = cdk.CfnDeletionPolicy.DELETE;
const ec2RouteTable = new ec2.CfnRouteTable(this, 'EC2RouteTable', {
vpcId: ec2vpc.ref,
});
ec2RouteTable.cfnOptions.deletionPolicy = cdk.CfnDeletionPolicy.DELETE;
const ec2SecurityGroup = new ec2.CfnSecurityGroup(this, 'EC2SecurityGroup', {
groupDescription: 'launch-wizard-1 created 2025-04-27T00:11:58.641Z',
groupName: 'launch-wizard-1',
vpcId: ec2vpc.ref,
securityGroupIngress: [
{
cidrIp: '0.0.0.0/0',
ipProtocol: 'tcp',
fromPort: 22,
toPort: 22,
},
{
cidrIp: '0.0.0.0/0',
ipProtocol: 'icmp',
fromPort: 8,
toPort: -1,
},
],
securityGroupEgress: [
{
cidrIp: '0.0.0.0/0',
ipProtocol: '-1',
fromPort: -1,
toPort: -1,
},
],
});
ec2SecurityGroup.cfnOptions.deletionPolicy = cdk.CfnDeletionPolicy.DELETE;
const ec2Subnet = new ec2.CfnSubnet(this, 'EC2Subnet', {
vpcId: ec2vpc.ref,
mapPublicIpOnLaunch: false,
enableDns64: false,
availabilityZoneId: 'aps1-az1',
privateDnsNameOptionsOnLaunch: {
EnableResourceNameDnsARecord: false,
HostnameType: 'ip-name',
EnableResourceNameDnsAAAARecord: false,
},
cidrBlock: '10.0.0.0/20',
ipv6Native: false,
{
value: 'subnet-public1-ap-south-1a',
key: 'Name',
},
],
});
ec2Subnet.cfnOptions.deletionPolicy = cdk.CfnDeletionPolicy.DELETE;
const ec2InstanceConnectEndpoint = new ec2.CfnInstanceConnectEndpoint(this, 'EC2InstanceConnectEndpoint', {
preserveClientIp: false,
securityGroupIds: [
ec2SecurityGroup.attrGroupId,
],
subnetId: ec2Subnet.attrSubnetId,
});
ec2InstanceConnectEndpoint.cfnOptions.deletionPolicy = cdk.CfnDeletionPolicy.DELETE;
const ec2vpcdhcpOptionsAssociation = new ec2.CfnVPCDHCPOptionsAssociation(this, 'EC2VPCDHCPOptionsAssociation', {
vpcId: ec2vpc.ref,
dhcpOptionsId: ec2dhcpOptions.ref,
});
ec2vpcdhcpOptionsAssociation.cfnOptions.deletionPolicy = cdk.CfnDeletionPolicy.DELETE;
const ec2RouteHg = new ec2.CfnRoute(this, 'EC2RouteHG', {
routeTableId: ec2RouteTable.ref,
destinationCidrBlock: '0.0.0.0/0',
gatewayId: ec2InternetGateway.ref,
});
ec2RouteHg.cfnOptions.deletionPolicy = cdk.CfnDeletionPolicy.DELETE;
const ec2SubnetNetworkAclAssociation = new ec2.CfnSubnetNetworkAclAssociation(this, 'EC2SubnetNetworkAclAssociation', {
networkAclId: ec2NetworkAcl.ref,
subnetId: ec2Subnet.ref,
});
ec2SubnetNetworkAclAssociation.cfnOptions.deletionPolicy = cdk.CfnDeletionPolicy.DELETE;
const ec2SubnetRouteTableAssociation = new ec2.CfnSubnetRouteTableAssociation(this, 'EC2SubnetRouteTableAssociation', {
routeTableId: ec2RouteTable.ref,
subnetId: ec2Subnet.ref,
});
ec2SubnetRouteTableAssociation.cfnOptions.deletionPolicy = cdk.CfnDeletionPolicy.DELETE;
const ec2Instance = new ec2.CfnInstance(this, 'EC2Instance', {
tenancy: 'default',
instanceInitiatedShutdownBehavior: 'stop',
cpuOptions: {
threadsPerCore: 1,
coreCount: 2,
},
blockDeviceMappings: [
{
ebs: {
volumeType: 'gp3',
iops: 3000,
volumeSize: 10,
encrypted: false,
deleteOnTermination: true,
},
deviceName: '/dev/sda1',
},
],
availabilityZone: 'ap-south-1a',
privateDnsNameOptions: {
enableResourceNameDnsARecord: false,
hostnameType: 'ip-name',
enableResourceNameDnsAaaaRecord: false,
},
ebsOptimized: true,
disableApiTermination: false,
keyName: 'hikari',
sourceDestCheck: true,
placementGroupName: '',
networkInterfaces: [
{
privateIpAddresses: [
{
privateIpAddress: '10.0.3.59',
primary: true,
},
],
secondaryPrivateIpAddressCount: 0,
deviceIndex: '0',
groupSet: [
ec2SecurityGroup.ref,
],
ipv6Addresses: [
],
subnetId: ec2Subnet.ref,
associatePublicIpAddress: true,
deleteOnTermination: true,
},
],
imageId: 'ami-0415efd8380284dc4',
instanceType: 't4g.medium',
monitoring: false,
],
creditSpecification: {
cpuCredits: 'unlimited',
},
});
ec2Instance.cfnOptions.deletionPolicy = cdk.CfnDeletionPolicy.DELETE;
const ec2ElasticIp = new ec2.CfnEIP(this, 'EC2ElasticIp', {
domain: 'vpc',
{
key: 'Name',
value: 'elastic-ip',
},
],
});
ec2ElasticIp.cfnOptions.deletionPolicy = cdk.CfnDeletionPolicy.DELETE;
const ec2EipAssociation = new ec2.CfnEIPAssociation(this, 'EC2EipAssociation', {
eip: ec2ElasticIp.ref,
instanceId: ec2Instance.ref,
});
ec2EipAssociation.cfnOptions.deletionPolicy = cdk.CfnDeletionPolicy.DELETE;
}
}