OpenSkillIndex← back to search
claude-code

Developer-kit aws-cloudformation-ec2

Provides AWS CloudFormation patterns for EC2 instances, Security Groups, IAM roles, and load balancers. Use when creating EC2 instances, SPOT instances, Security Groups, IAM roles for EC2, Application Load Balancers (ALB), Target Groups, and implementing template structure with Parameters, Outputs, Mappings, Conditions, and cross-stack references.

install
source · Clone the upstream repo
git clone https://github.com/giuseppe-trisciuoglio/developer-kit
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/giuseppe-trisciuoglio/developer-kit "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/developer-kit-aws/skills/aws-cloudformation/aws-cloudformation-ec2" ~/.claude/skills/giuseppe-trisciuoglio-developer-kit-aws-cloudformation-ec2 && rm -rf "$T"
manifest: plugins/developer-kit-aws/skills/aws-cloudformation/aws-cloudformation-ec2/SKILL.md
source content

AWS CloudFormation EC2 Infrastructure

Overview

Create production-ready EC2 infrastructure using AWS CloudFormation templates. Covers EC2 instances (On-Demand and SPOT), Security Groups, IAM roles, Application Load Balancers (ALB), template structure, parameters, outputs, and cross-stack references.

When to Use

  • Creating EC2 instances (On-Demand or SPOT) with Security Groups and IAM roles
  • Setting up Application Load Balancers with target groups
  • Implementing template Parameters, Mappings, Conditions, and cross-stack references

Instructions

Step 1 — Define Template Parameters

Use AWS-specific parameter types for validation and console dropdowns.

Parameters:
  LatestAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2

  InstanceType:
    Type: AWS::EC2::InstanceType
    Default: t3.micro
    AllowedValues: [t3.micro, t3.small, t3.medium]

  KeyName:
    Type: AWS::EC2::KeyPair::KeyName

See template-structure.md for advanced parameter patterns, mappings, conditions, and cross-stack references.

Step 2 — Create Security Group

Define ingress/egress rules for network access.

InstanceSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Security group for EC2 instance
    VpcId: !Ref VpcId
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 10.0.0.0/16

See security-iam.md for advanced security group patterns, self-references, and IAM roles.

Step 3 — Configure IAM Role

Define instance profile with least privilege permissions.

Ec2Role:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service: ec2.amazonaws.com
          Action: sts:AssumeRole
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

Ec2InstanceProfile:
  Type: AWS::IAM::InstanceProfile
  Properties:
    Roles: [!Ref Ec2Role]

See security-iam.md for least privilege policies, SSM roles, and trust policies.

Step 4 — Launch EC2 Instance

Configure instance with security group, IAM role, and user data.

Ec2Instance:
  Type: AWS::EC2::Instance
  Properties:
    ImageId: !Ref LatestAmiId
    InstanceType: !Ref InstanceType
    KeyName: !Ref KeyName
    SecurityGroupIds: [!Ref InstanceSecurityGroup]
    IamInstanceProfile: !Ref Ec2InstanceProfile
    SubnetId: !Ref SubnetId
    UserData:
      Fn::Base64: |
        #!/bin/bash
        yum update -y
        yum install -y httpd
        systemctl start httpd
    Tags:
      - Key: Name
        Value: !Sub ${AWS::StackName}-instance

See ec2-instances.md for multi-volume configurations, detailed monitoring, SPOT instances, and complete stack examples.

Validate template: 

aws cloudformation validate-template --template-body file://template.yaml

Step 5 — Add Application Load Balancer

Create ALB with target group and listener for traffic distribution.

ApplicationLoadBalancer:
  Type: AWS::ElasticLoadBalancingV2::LoadBalancer
  Properties:
    Name: !Sub ${AWS::StackName}-alb
    Scheme: internet-facing
    SecurityGroups: [!Ref AlbSecurityGroup]
    Subnets: [!Ref PublicSubnet1, !Ref PublicSubnet2]

ApplicationTargetGroup:
  Type: AWS::ElasticLoadBalancingV2::TargetGroup
  Properties:
    Port: 80
    Protocol: HTTP
    VpcId: !Ref VpcId
    HealthCheckPath: /health

ApplicationListener:
  Type: AWS::ElasticLoadBalancingV2::Listener
  Properties:
    DefaultActions:
      - Type: forward
        TargetGroupArn: !Ref ApplicationTargetGroup
    LoadBalancerArn: !Ref ApplicationLoadBalancer
    Port: 80
    Protocol: HTTP

See load-balancers.md for HTTPS configuration, path-based routing, host-based routing, listener rules, and ALB attributes.

Step 6 — Define Outputs

Export values for cross-stack references.

Outputs:
  InstanceId:
    Description: EC2 Instance ID
    Value: !Ref Ec2Instance
    Export:
      Name: !Sub ${AWS::StackName}-InstanceId

  SecurityGroupId:
    Description: Security Group ID
    Value: !Ref InstanceSecurityGroup
    Export:
      Name: !Sub ${AWS::StackName}-SecurityGroupId

  LoadBalancerDnsName:
    Description: ALB DNS Name
    Value: !GetAtt ApplicationLoadBalancer.DNSName

See template-structure.md for cross-stack reference patterns and import/export strategies.

Examples

Minimal EC2 with ALB Template

AWSTemplateFormatVersion: "2010-09-09"
Description: EC2 instance with ALB

Parameters:
  LatestAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
  InstanceType:
    Type: AWS::EC2::InstanceType
    Default: t3.micro

Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable HTTP and SSH
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0

  Ec2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: !Ref InstanceType
      SecurityGroupIds: [!Ref InstanceSecurityGroup]

  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      SecurityGroups: [!Ref InstanceSecurityGroup]
      Subnets: [subnet-12345678, subnet-87654321]

Outputs:
  InstanceId:
    Value: !Ref Ec2Instance
  LoadBalancerDns:
    Value: !GetAtt LoadBalancer.DNSName

Deploy with Change Set

# Create change set
aws cloudformation create-change-set \
  --stack-name my-ec2-stack \
  --template-body file://template.yaml \
  --change-set-type CREATE

# Execute after review
aws cloudformation execute-change-set \
  --change-set-name <change-set-name>

See examples.md for complete production-ready templates.

Best Practices

Template Structure

  • Use AWS-specific parameter types for validation (
    AWS::EC2::VPC::Id
    , 
    AWS::EC2::InstanceType
    )
  • Organize by lifecycle - separate network, security, and application stacks
  • Use meaningful names with 
    AWS::StackName
    prefix
  • Enable termination protection on production stacks

Security

  • Apply least privilege to IAM roles - grant minimum required permissions
  • Use security group references instead of IP addresses where possible
  • Enable IMDSv2 on all EC2 instances
  • Restrict security group rules to specific CIDR blocks

Cost & Availability

  • Use SPOT instances for fault-tolerant, interruptible workloads
  • Deploy across multiple AZs for high availability
  • Set up CloudWatch alarms for CPU and status checks
  • Use EBS gp3 volumes for cost-effective storage

Operations

  • Always use change sets for production stack updates
  • Enable drift detection to maintain template compliance
  • Apply stack policies to protect critical resources
  • Validate templates before deployment with 
    aws cloudformation validate-template

See best-practices.md for detailed guidance on stack policies, termination protection, drift detection, change set automation, and validation scripts.

References

Core Configuration

  • template-structure.md — Template sections, parameters, mappings, conditions, outputs, cross-stack references
  • ec2-instances.md — EC2 instances, SPOT fleets, multi-volume configurations, complete stack examples
  • security-iam.md — Security groups, IAM roles, instance profiles, least privilege policies
  • load-balancers.md — ALB configuration, target groups, listeners, path-based routing, HTTPS

Operational Guides

  • best-practices.md — Stack policies, termination protection, drift detection, change sets, validation
  • constraints.md — Resource limits, instance constraints, cost considerations, common issues, monitoring

Additional Resources

  • examples.md — Complete production-ready examples and use cases
  • reference.md — CloudFormation EC2 resource reference documentation

Constraints and Warnings

Resource Limits

  • Maximum 500 resources per CloudFormation stack
  • Maximum 500 security groups per VPC
  • Instance types vary by region/A availability

Cost Considerations

  • EC2 instances incur costs while running
  • EBS volumes charged per GB-month even when not attached
  • ALBs have hourly + LCU data processing costs
  • Unattached Elastic IPs incur hourly costs

Security Considerations

  • Key pairs cannot be recovered if lost
  • Instance profile roles cannot be changed after creation
  • IMDSv1 has security vulnerabilities - use IMDSv2
  • Spot instances can be terminated with 2-minute notice

See constraints.md for complete constraints, troubleshooting guides, and monitoring setup.