aws-beanstalk-expert
SKILL.md
AWS Elastic Beanstalk Expert
You are an AWS Elastic Beanstalk expert with deep knowledge of production deployments, infrastructure as code (Pulumi), CI/CD pipelines, and troubleshooting. You help developers deploy robust, scalable applications on Elastic Beanstalk.
Core Competencies
1. Elastic Beanstalk Fundamentals
Architecture Understanding:
- Application → Environment → EC2 instances (with optional load balancer)
- Platform versions (Node.js, Python, Ruby, Go, Java, .NET, PHP, Docker)
- Configuration files (.ebextensions/ and .platform/)
- Environment tiers: Web server vs Worker
- Deployment policies: All at once, Rolling, Rolling with batch, Immutable, Traffic splitting
Key Components:
- Application: Container for environments
- Environment: Collection of AWS resources (EC2, ALB, Auto Scaling, etc.)
- Platform: OS, runtime, web server, app server
- Configuration: Settings for capacity, networking, monitoring, etc.
2. Production Deployment Patterns
Infrastructure as Code with Pulumi:
import * as aws from "@pulumi/aws";
import * as pulumi from "@pulumi/pulumi";
// Best Practice: Separate VPC for Beanstalk
const vpc = new aws.ec2.Vpc("app-vpc", {
cidrBlock: "10.0.0.0/16",
enableDnsHostnames: true,
enableDnsSupport: true,
});
// Best Practice: Security groups with minimal permissions
const ebSecurityGroup = new aws.ec2.SecurityGroup("eb-sg", {
vpcId: vpc.id,
ingress: [
{
protocol: "tcp",
fromPort: 8080,
toPort: 8080,
securityGroups: [albSecurityGroup.id], // Only from ALB
},
],
egress: [
{
protocol: "-1",
fromPort: 0,
toPort: 0,
cidrBlocks: ["0.0.0.0/0"],
},
],
});
// Best Practice: Application with versioning
const app = new aws.elasticbeanstalk.Application("app", {
description: "Production application",
appversionLifecycle: {
serviceRole: serviceRole.arn,
maxCount: 10, // Keep last 10 versions
deleteSourceFromS3: true,
},
});
// Best Practice: Environment with all production settings
const environment = new aws.elasticbeanstalk.Environment("app-env", {
application: app.name,
solutionStackName: "64bit Amazon Linux 2023 v6.6.6 running Node.js 20", // Always use latest available
settings: [
// Instance configuration
{
namespace: "aws:autoscaling:launchconfiguration",
name: "InstanceType",
value: "t3.micro",
},
{
namespace: "aws:autoscaling:launchconfiguration",
name: "IamInstanceProfile",
value: instanceProfile.name,
},
// Auto-scaling
{
namespace: "aws:autoscaling:asg",
name: "MinSize",
value: "1",
},
{
namespace: "aws:autoscaling:asg",
name: "MaxSize",
value: "4",
},
// Load balancer
{
namespace: "aws:elasticbeanstalk:environment",
name: "LoadBalancerType",
value: "application",
},
// Health checks
{
namespace: "aws:elasticbeanstalk:application",
name: "Application Healthcheck URL",
value: "/health",
},
// Environment variables (encrypted)
{
namespace: "aws:elasticbeanstalk:application:environment",
name: "NODE_ENV",
value: "production",
},
{
namespace: "aws:elasticbeanstalk:application:environment",
name: "DATABASE_URL",
value: databaseUrl,
},
// VPC settings
{
namespace: "aws:ec2:vpc",
name: "VPCId",
value: vpc.id,
},
{
namespace: "aws:ec2:vpc",
name: "Subnets",
value: pulumi.all(privateSubnets.map(s => s.id)).apply(ids => ids.join(",")),
},
],
});
3. CI/CD Best Practices
GitHub Actions Deployment with Edge Case Handling:
name: Deploy to Elastic Beanstalk
on:
push:
branches: [main]
workflow_dispatch:
env:
AWS_REGION: us-west-2
jobs:
deploy:
runs-on: ubuntu-latest
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true # Prevent concurrent deployments
steps:
- uses: actions/checkout@v4
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
# CRITICAL: Check environment health before deploying
- name: Check environment status
run: |
ENV_STATUS=$(aws elasticbeanstalk describe-environments \
--environment-names ${{ env.EB_ENVIRONMENT_NAME }} \
--query "Environments[0].Status" --output text)
if [ "$ENV_STATUS" != "Ready" ]; then
echo "Environment not ready. Status: $ENV_STATUS"
exit 1
fi
- name: Build application
run: |
npm ci
npm run build
npm prune --production # Remove dev dependencies
# Create deployment package
zip -r deploy.zip . \
-x "*.git*" \
-x "node_modules/.*" \
-x "*.md" \
-x ".github/*"
- name: Upload to S3
run: |
VERSION_LABEL="v${{ github.run_number }}-${{ github.sha }}"
aws s3 cp deploy.zip s3://${{ env.S3_BUCKET }}/deployments/${VERSION_LABEL}.zip
- name: Create application version
run: |
VERSION_LABEL="v${{ github.run_number }}-${{ github.sha }}"
aws elasticbeanstalk create-application-version \
--application-name ${{ env.EB_APP_NAME }} \
--version-label ${VERSION_LABEL} \
--source-bundle S3Bucket="${{ env.S3_BUCKET }}",S3Key="deployments/${VERSION_LABEL}.zip" \
--description "Deployed from GitHub Actions run ${{ github.run_number }}"
- name: Deploy to environment
run: |
VERSION_LABEL="v${{ github.run_number }}-${{ github.sha }}"
aws elasticbeanstalk update-environment \
--application-name ${{ env.EB_APP_NAME }} \
--environment-name ${{ env.EB_ENVIRONMENT_NAME }} \
--version-label ${VERSION_LABEL}
# CRITICAL: Wait for deployment to complete
- name: Wait for deployment
run: |
for i in {1..60}; do
STATUS=$(aws elasticbeanstalk describe-environments \
--environment-names ${{ env.EB_ENVIRONMENT_NAME }} \
--query "Environments[0].Status" --output text)
HEALTH=$(aws elasticbeanstalk describe-environments \
--environment-names ${{ env.EB_ENVIRONMENT_NAME }} \
--query "Environments[0].Health" --output text)
echo "Deployment status: $STATUS, Health: $HEALTH (attempt $i/60)"
if [ "$STATUS" = "Ready" ] && [ "$HEALTH" = "Green" ]; then
echo "✅ Deployment successful!"
exit 0
fi
if [ "$HEALTH" = "Red" ]; then
echo "❌ Deployment failed - environment unhealthy"
exit 1
fi
sleep 10
done
echo "❌ Deployment timed out after 10 minutes"
exit 1
# CRITICAL: Verify health endpoint
- name: Verify deployment
run: |
ENDPOINT=$(aws elasticbeanstalk describe-environments \
--environment-names ${{ env.EB_ENVIRONMENT_NAME }} \
--query "Environments[0].CNAME" --output text)
for i in {1..30}; do
if curl -f "http://${ENDPOINT}/health" >/dev/null 2>&1; then
echo "✅ Health check passed"
exit 0
fi
echo "⏳ Waiting for health check... ($i/30)"
sleep 10
done
echo "❌ Health check failed"
exit 1
4. Application Configuration
.ebextensions/ Configuration:
# .ebextensions/01-nginx.config
# Configure nginx settings
files:
"/etc/nginx/conf.d/proxy.conf":
mode: "000644"
owner: root
group: root
content: |
client_max_body_size 50M;
proxy_connect_timeout 600s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;
# .ebextensions/02-environment.config
# Set environment-specific configuration
option_settings:
aws:elasticbeanstalk:application:environment:
NODE_ENV: production
LOG_LEVEL: info
aws:elasticbeanstalk:cloudwatch:logs:
StreamLogs: true
DeleteOnTerminate: false
RetentionInDays: 7
aws:elasticbeanstalk:healthreporting:system:
SystemType: enhanced
# .ebextensions/03-cloudwatch.config
# Enhanced CloudWatch monitoring
Resources:
AWSEBCloudwatchAlarmHigh:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: "Trigger if CPU > 80%"
MetricName: CPUUtilization
Namespace: AWS/EC2
Statistic: Average
Period: 300
EvaluationPeriods: 2
Threshold: 80
ComparisonOperator: GreaterThanThreshold
.platform/ Configuration (Amazon Linux 2):
# .platform/nginx/conf.d/custom.conf
# Custom nginx configuration
client_max_body_size 50M;
# .platform/hooks/predeploy/01-install-dependencies.sh
#!/bin/bash
# Run before deployment
npm ci --production
# .platform/hooks/postdeploy/01-run-migrations.sh
#!/bin/bash
# Run after deployment
cd /var/app/current
npm run migrate
5. Troubleshooting Guide
Common Issues and Solutions:
Issue: Environment stuck in "Updating"
# Solution: Check events
aws elasticbeanstalk describe-events \
--environment-name your-env \
--max-records 50 \
--query 'Events[*].[EventDate,Severity,Message]' \
--output table
# If truly stuck, abort and rollback
aws elasticbeanstalk abort-environment-update \
--environment-name your-env
Issue: Application not receiving traffic
# Check health
aws elasticbeanstalk describe-environment-health \
--environment-name your-env \
--attribute-names All
# Check instance health
aws elasticbeanstalk describe-instances-health \
--environment-name your-env
Issue: High latency or errors
# Get enhanced health data
aws elasticbeanstalk describe-environment-health \
--environment-name your-env \
--attribute-names All
# Check CloudWatch logs
aws logs tail /aws/elasticbeanstalk/your-env/var/log/eb-engine.log --follow
# SSH into instance (if configured)
eb ssh your-env
# Check application logs
tail -f /var/app/current/logs/*.log
Issue: Deployment failed
# Get last 100 events
aws elasticbeanstalk describe-events \
--environment-name your-env \
--max-records 100 \
--severity ERROR
# Check deployment logs
aws logs tail /aws/elasticbeanstalk/your-env/var/log/eb-activity.log --follow
6. Cost Optimization
Strategies:
- Right-size instances: Start with t3.micro, scale based on metrics
- Use spot instances for non-critical environments (dev/staging)
- Enable auto-scaling: Scale down during off-hours
- Clean up old versions: Set application version lifecycle policy
- Use CloudFront for static assets
- Enable compression in nginx/ALB
- Optimize Docker images if using Docker platform
Example Auto-scaling Configuration:
// Scale based on CPU
{
namespace: "aws:autoscaling:trigger",
name: "MeasureName",
value: "CPUUtilization",
},
{
namespace: "aws:autoscaling:trigger",
name: "Statistic",
value: "Average",
},
{
namespace: "aws:autoscaling:trigger",
name: "Unit",
value: "Percent",
},
{
namespace: "aws:autoscaling:trigger",
name: "UpperThreshold",
value: "70", // Scale up at 70% CPU
},
{
namespace: "aws:autoscaling:trigger",
name: "LowerThreshold",
value: "20", // Scale down at 20% CPU
},
7. Security Best Practices
Checklist:
- Use IAM instance profiles (never embed credentials)
- Enable HTTPS with ACM certificates
- Configure security groups (minimal ingress)
- Use private subnets for instances
- Enable enhanced health reporting
- Rotate secrets regularly
- Enable CloudTrail for audit logs
- Use VPC endpoints for AWS services
- Enable AWS WAF for ALB (if needed)
- Regular security group audits
- Enable encryption at rest (EBS volumes)
- Use Secrets Manager for sensitive data
8. Monitoring & Alerting
CloudWatch Metrics to Monitor:
- CPUUtilization (> 80% = scale up)
- NetworkIn/NetworkOut (traffic patterns)
- HealthyHostCount (< minimum = alert)
- UnhealthyHostCount (> 0 = investigate)
- TargetResponseTime (latency SLA)
- HTTPCode_Target_4XX_Count (client errors)
- HTTPCode_Target_5XX_Count (server errors)
- RequestCount (traffic volume)
CloudWatch Alarms Example:
const highCpuAlarm = new aws.cloudwatch.MetricAlarm("high-cpu", {
comparisonOperator: "GreaterThanThreshold",
evaluationPeriods: 2,
metricName: "CPUUtilization",
namespace: "AWS/EC2",
period: 300,
statistic: "Average",
threshold: 80,
alarmDescription: "Alert if CPU > 80% for 10 minutes",
alarmActions: [snsTopicArn],
});
When to Use This Skill
Use this expertise when:
- Deploying Node.js/Python/Ruby/etc. applications to AWS
- Setting up CI/CD pipelines for Beanstalk
- Troubleshooting deployment or runtime issues
- Optimizing Beanstalk costs
- Implementing infrastructure as code with Pulumi
- Configuring auto-scaling and load balancing
- Setting up monitoring and alerting
- Handling production incidents
- Migrating from EC2/ECS to Beanstalk
- Implementing blue-green deployments
Key Principles to Always Follow
- Never assume environment is ready - Always check status before deploying
- Always implement health checks - Both infrastructure and application level
- Always use retry logic - Network calls, resource retrieval, state checks
- Always validate configuration - Before deploying, fail fast on issues
- Always monitor deployments - Don't deploy and walk away
- Always have rollback plan - Keep previous version for quick rollback
- Always encrypt secrets - Use Secrets Manager or Parameter Store
- Always tag resources - For cost tracking and organization
- Always test in staging - Production is not the place to experiment
- Always document runbooks - Future you will thank you
Production Deployment Checklist
Before deploying to production:
- Health endpoint implemented (/health returns 200)
- Environment variables configured (encrypted)
- Auto-scaling configured (min/max instances)
- CloudWatch alarms set up (CPU, latency, errors)
- Database connection pooling configured
- Log aggregation enabled (CloudWatch Logs)
- SSL certificate configured (ACM)
- Security groups reviewed (minimal permissions)
- Backup strategy defined (database, application state)
- Deployment rollback procedure documented
- On-call rotation established
- Monitoring dashboard created
- Load testing completed
- Disaster recovery plan documented
- Cost estimates reviewed and approved
Advanced Patterns
Blue-Green Deployments
# Create new environment (green)
aws elasticbeanstalk create-environment \
--application-name my-app \
--environment-name my-app-green \
--version-label new-version \
--cname-prefix my-app-green
# Wait for green to be healthy
# Test green environment
# Swap CNAMEs (blue <-> green)
aws elasticbeanstalk swap-environment-cnames \
--source-environment-name my-app-blue \
--destination-environment-name my-app-green
# Monitor, then terminate old environment
aws elasticbeanstalk terminate-environment \
--environment-name my-app-blue
Database Migrations
// Run migrations in platform hook
// .platform/hooks/postdeploy/01-migrate.sh
#!/bin/bash
cd /var/app/current
# Run migrations with lock to prevent concurrent runs
flock -n /tmp/migrate.lock npm run migrate || {
echo "Migration already running or failed to acquire lock"
exit 0
}
This skill provides battle-tested patterns for production Elastic Beanstalk deployments.
Critical Troubleshooting Scenarios (Updated Oct 2025)
Configuration Validation Errors
Error: "Invalid option specification - UpdateLevel required"
When enabling managed actions, you MUST also specify UpdateLevel:
// Managed updates - BOTH required
{
namespace: "aws:elasticbeanstalk:managedactions",
name: "ManagedActionsEnabled",
value: "true",
},
{
namespace: "aws:elasticbeanstalk:managedactions",
name: "PreferredStartTime",
value: "Sun:03:00",
},
{
namespace: "aws:elasticbeanstalk:managedactions:platformupdate",
name: "UpdateLevel",
value: "minor", // REQUIRED: "minor" or "patch"
},
Error: "No Solution Stack named 'X' found"
Solution stack names change frequently. Always verify the exact name:
# List available Node.js stacks
aws elasticbeanstalk list-available-solution-stacks \
--region us-west-2 \
--query 'SolutionStacks[?contains(@, `Node.js`) && contains(@, `Amazon Linux 2023`)]' \
--output text
# Current stacks (as of Oct 2025):
# - 64bit Amazon Linux 2023 v6.6.6 running Node.js 20
# - 64bit Amazon Linux 2023 v6.6.6 running Node.js 22
Error: "Unknown or duplicate parameter: NodeVersion" or "NodeCommand"
Amazon Linux 2023 platforms do NOT support the aws:elasticbeanstalk:container:nodejs namespace at all. Neither NodeVersion nor NodeCommand work:
// ❌ WRONG - aws:elasticbeanstalk:container:nodejs namespace not supported in AL2023
{
namespace: "aws:elasticbeanstalk:container:nodejs",
name: "NodeVersion",
value: "20.x",
}
{
namespace: "aws:elasticbeanstalk:container:nodejs",
name: "NodeCommand",
value: "npm start",
}
// ✅ CORRECT - version specified in solution stack, start command in package.json
solutionStackName: "64bit Amazon Linux 2023 v6.6.6 running Node.js 20"
// In your package.json:
{
"scripts": {
"start": "node server.js"
}
}
Why: Amazon Linux 2023 uses a different platform architecture. The app starts automatically using the start script from package.json. You don't need to configure NodeCommand.
RDS Parameter Group Issues
Error: "cannot use immediate apply method for static parameter"
Static parameters like shared_preload_libraries cannot be modified after creation.
Solutions:
- Remove static parameters from initial deployment
- Delete and recreate parameter group
- Apply static parameters manually after creation with DB reboot
const parameterGroup = new aws.rds.ParameterGroup(`${name}-db-params`, {
family: "postgres17",
parameters: [
// Only dynamic parameters
{ name: "log_connections", value: "1" },
{ name: "log_disconnections", value: "1" },
{ name: "log_duration", value: "1" },
// DON'T include: shared_preload_libraries (static, requires reboot)
],
});
Error: "DBParameterGroupFamily mismatch"
PostgreSQL engine version MUST match parameter group family:
postgres17→ engineVersion:17.xpostgres16→ engineVersion:16.xpostgres15→ engineVersion:15.x
Database Password Validation
Error: "MasterUserPassword is not a valid password"
RDS disallows these characters: /, @, ", space
# Generate valid password
openssl rand -base64 32 | tr -d '/@ "' | cut -c1-32
EC2 Key Pair Issues
Error: "The key pair 'X' does not exist"
Key pairs are region-specific:
# List keys
aws ec2 describe-key-pairs --region us-west-2
# Create new
aws ec2 create-key-pair --key-name prpm-prod-bastion --region us-west-2 \
--query 'KeyMaterial' --output text > ~/.ssh/prpm-prod-bastion.pem
chmod 400 ~/.ssh/prpm-prod-bastion.pem
DNS Configuration Issues
Error: "CNAME is not permitted at apex in zone"
You cannot create CNAME records at the domain apex (root domain). Use A record with ALIAS instead:
// Check if apex domain
const domainParts = domainName.split(".");
const baseDomain = domainParts.slice(-2).join(".");
const isApexDomain = domainName === baseDomain;
if (isApexDomain) {
// ✅ A record with ALIAS for apex (e.g., prpm.dev)
new aws.route53.Record(`dns`, {
name: domainName,
type: "A",
zoneId: hostedZone.zoneId,
aliases: [{
name: beanstalkEnv.cname,
zoneId: "Z1BKCTXD74EZPE", // ELB zone for us-west-2
evaluateTargetHealth: true,
}],
});
} else {
// ✅ CNAME for subdomain (e.g., api.prpm.dev)
new aws.route53.Record(`dns`, {
name: domainName,
type: "CNAME",
zoneId: hostedZone.zoneId,
records: [beanstalkEnv.cname],
ttl: 300,
});
}
Elastic Beanstalk Hosted Zone IDs by Region:
- us-east-1: Z117KPS5GTRQ2G
- us-west-1: Z1LQECGX5PH1X
- us-west-2: Z38NKT9BP95V3O
- eu-west-1: Z2NYPWQ7DFZAZH
Important: Use Elastic Beanstalk zone IDs (not generic ELB zone IDs) when creating Route53 aliases to Beanstalk environments.
HTTPS/SSL Configuration
ACM certificate MUST be created and validated BEFORE Beanstalk environment:
// 1. Create cert
const cert = new aws.acm.Certificate(`cert`, {
domainName: "prpm.dev",
validationMethod: "DNS",
});
// 2. Validate via Route53 (automatic)
const validation = new aws.route53.Record(`cert-validation`, {
name: cert.domainValidationOptions[0].resourceRecordName,
type: cert.domainValidationOptions[0].resourceRecordType,
zoneId: hostedZone.zoneId,
records: [cert.domainValidationOptions[0].resourceRecordValue],
});
// 3. Wait for validation
const validated = new aws.acm.CertificateValidation(`cert-complete`, {
certificateArn: cert.arn,
validationRecordFqdns: [validation.fqdn],
});
// 4. Configure HTTPS listener
{
namespace: "aws:elbv2:listener:443",
name: "Protocol",
value: "HTTPS",
},
{
namespace: "aws:elbv2:listener:443",
name: "SSLCertificateArns",
value: validated.certificateArn,
},
Common Pitfalls to Avoid
- DON'T create ApplicationVersion before S3 file exists
- DON'T use static RDS parameters in automated deployments
- DON'T skip engineVersion - must match parameter group family
- DON'T forget UpdateLevel when enabling managed actions
- DON'T use
/,@,", or space in database passwords - DON'T assume EC2 key pairs exist across regions
- DON'T hardcode solution stack versions - they change
- DON'T skip ACM validation before creating environment
- DON'T expose RDS to internet - use bastion pattern
- DON'T deploy without VPC for production
- DON'T use aws:elasticbeanstalk:container:nodejs namespace in Amazon Linux 2023 (use package.json instead)
- DON'T use CNAME records at domain apex - use A record with ALIAS instead