AWS setup

These notes sit around your Terraform modules: organization, IAM, DNS, quotas, and observability. Exact resource names belong in the Rendorix infrastructure repository.

  • Prefer separate prod and non-prod accounts so test workloads cannot read production buckets or secrets by mistake.
  • Use AWS Organizations SCPs if you need org-wide rules (e.g. block public S3 ACLs, require TLS to S3 APIs).
  • Apply a tagging standard (Environment, Service, Owner) on billable resources for cost allocation.
  • Lambda (image worker): grant s3:GetObject only on the originals prefix; add s3:ListBucket only if the code truly needs listing (often it does not for key-based GET).
  • Edge (CloudFront Function, Lambda@Edge): follow AWS docs for minimal permissions to write logs and invoke targets.
  • CI for Terraform: scoped role for planned resources; avoid blanket AdministratorAccess in production if you can.
  • Human access: SSO with MFA; no shared root credentials; break-glass admin only when required.

Prefer OIDC federation from CI to AWS over long-lived access keys on runners, so that static keys need rotating rarely or not at all.
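A least-privilege check for the image worker's S3 policy (the `s3:GetObject` on the originals prefix rule above), added here as an example and not code from the Rendorix repository. It assumes a placeholder bucket name `example-originals` and an `originals/` prefix, and flags statements that exceed key-based GET on that prefix, including `s3:ListBucket`, which should only survive review if the code actually lists keys.

```python
"""Check an IAM policy document against the image-worker least-privilege shape."""

BUCKET = "example-originals"   # placeholder, not the real bucket name
PREFIX = "originals/"          # prefix the worker reads originals from
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"{BUCKET_ARN}/{PREFIX}*"

# Reference policy (constructed): object GET on the originals prefix only.
WORKER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": OBJECT_ARN}
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_worker_policy(policy: dict) -> list:
    """Return findings; an empty list means the policy matches the expected shape."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith("*"):
                findings.append(f"statement {i}: wildcard action {action}")
            elif action == "s3:ListBucket":
                # Key-based GET does not need listing; require justification.
                findings.append(f"statement {i}: s3:ListBucket granted, confirm the code lists keys")
            elif action != "s3:GetObject":
                findings.append(f"statement {i}: unexpected action {action}")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {i}: wildcard resource")
            elif res == BUCKET_ARN or res == OBJECT_ARN:
                continue  # bucket ARN (for ListBucket) or the originals prefix
            elif res.startswith(BUCKET_ARN + "/"):
                findings.append(f"statement {i}: object ARN {res} is not limited to {PREFIX}")
            else:
                findings.append(f"statement {i}: resource {res} is outside {BUCKET}")
    return findings
```

Run it over the policy document your Terraform module renders (for example from `terraform show -json`) before applying, and treat any finding as a review item.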

  • CloudFront is the public entry point. Origins are typically S3 with OAC and/or a Lambda URL or API Gateway origin, depending on design. Originals buckets stay private behind OAC; S3 is not a VPC resource, so no public subnets are involved.
  • Route 53: alias A/AAAA records to the distribution; ACM certificates for CloudFront must be in us-east-1 in standard setups.
  • IPv6: enable dual-stack on the distribution if you want AAAA records for clients that prefer IPv6.

Request quota increases before high-traffic launches. Commonly reviewed:

  • Regional Lambda concurrent execution account limit
  • S3 request rate patterns (hot prefixes—see AWS guidance on key naming)
  • CloudFront invalidation monthly path limits and batch sizes

Use the Service Quotas console or API to inspect limits and open increase cases early.

Minimum useful signals (tune thresholds to your baseline):

Signal                                              Why it matters
CloudFront 4xx / 5xx rate                           Client errors vs origin problems
Lambda errors, throttles, duration                  Transform health and capacity
S3 request errors (where metrics exist)             Origin read failures
Spikes in edge 403 (e.g. from log metric filters)   Signing misconfiguration or abuse

Page on-call only for SLO-impacting conditions; route informational alerts to chat or email.

Note: This rendorix-web repo deploys the marketing site and docs to Cloudflare Pages; that hosting is separate from the AWS image-delivery stack described in these deployment docs.