diff --git a/plugins/deploy-on-aws/skills/deploy/references/cost-estimation.md b/plugins/deploy-on-aws/skills/deploy/references/cost-estimation.md index ebaefd3..459ba0d 100644 --- a/plugins/deploy-on-aws/skills/deploy/references/cost-estimation.md +++ b/plugins/deploy-on-aws/skills/deploy/references/cost-estimation.md @@ -17,6 +17,7 @@ Use the **awspricing** MCP server to get accurate cost estimates before generati | Aurora PostgreSQL | `AmazonRDS` | Filter: `databaseEngine` = "Aurora PostgreSQL" | | Aurora MySQL | `AmazonRDS` | Filter: `databaseEngine` = "Aurora MySQL" | | RDS PostgreSQL | `AmazonRDS` | Filter: `databaseEngine` = "PostgreSQL" | +| DocumentDB | `AmazonDocDB` | MongoDB-compatible managed database | | ALB | `AWSELB` | Application Load Balancer | | S3 | `AmazonS3` | Storage and requests | | CloudFront | `AmazonCloudFront` | CDN distribution | @@ -53,6 +54,23 @@ Aurora Serverless v2 charges per ACU-hour (Aurora Capacity Unit). - ~$180-360/month depending on load +## DocumentDB Serverless Pricing + +DocumentDB Serverless charges per DCU-hour (DocumentDB Capacity Unit), +storage (GB-month), and I/O (standard config only). + +- Minimum: 0.5 DCU, scales in 0.5 DCU increments +- 1 DCU ≈ 2 GiB memory with corresponding CPU and networking +- Standard: $0.0822/DCU-hour, I/O-Optimized: $0.0905/DCU-hour (us-east-1) + +**Dev estimate (0.5-2 DCU range, 10GB storage):** + +- ~$35-120/month depending on usage patterns (scales to 0.5 DCU when idle) + +**Production estimate (2-8 DCU range, 100GB storage, multi-AZ):** + +- ~$130-400/month depending on load + ## Quick Reference Estimates **Small web app (Fargate + Aurora Serverless v2 + ALB):** 
@@ -60,6 +78,11 @@ Aurora Serverless v2 charges per ACU-hour (Aurora Capacity Unit). - Dev: ~$70-100/month - Production: ~$200-400/month +**Small web app (Fargate + DocumentDB Serverless + ALB):** + +- Dev: ~$70-155/month +- Production: ~$200-450/month + **Static site / SPA (Amplify Hosting):** - Low traffic: ~$0-5/month (free tier covers most small sites) diff --git a/plugins/deploy-on-aws/skills/deploy/references/defaults.md b/plugins/deploy-on-aws/skills/deploy/references/defaults.md index 6779d27..f1cba46 100644 --- a/plugins/deploy-on-aws/skills/deploy/references/defaults.md +++ b/plugins/deploy-on-aws/skills/deploy/references/defaults.md @@ -34,6 +34,7 @@ Use `amplify_docs` topic in awsknowledge MCP for framework-specific guidance | ----------------- | ---------------------- | ---------------------- | ------------------ | | PostgreSQL | Aurora Serverless v2 | Aurora Serverless v2 | "simple RDS" → RDS | | MySQL | Aurora Serverless v2 | Aurora Serverless v2 | "simple RDS" → RDS | +| DocumentDB / MongoDB | DocumentDB Serverless | DocumentDB Serverless | "provisioned" → DocumentDB provisioned | | NoSQL / Key-Value | DynamoDB | DynamoDB | - | | Redis / Caching | ElastiCache Serverless | ElastiCache Serverless | - | | Full-text search | OpenSearch Serverless | OpenSearch Serverless | - | 
@@ -44,6 +45,15 @@ Scales to near-zero in dev (0.5 ACU minimum), scales up automatically for produc Single choice works for both environments. Only use provisioned RDS if user has specific cost constraints or compliance requirements. +### Why DocumentDB Serverless for MongoDB + +DocumentDB Serverless is the on-demand, auto-scaling configuration of Amazon DocumentDB. +It dynamically adjusts capacity based on application demand so you only pay for what you +use. Ideal for dev/test, variable workloads, and new applications where capacity needs +are unknown. Compatible with MongoDB 3.6, 4.0, 5.0 and 8.0 APIs. +Use provisioned DocumentDB only when you have predictable, steady-state workloads +or specific compliance requirements that need fixed instance sizing. + ## Storage | Pattern | Default | diff --git a/plugins/deploy-on-aws/skills/deploy/references/security.md b/plugins/deploy-on-aws/skills/deploy/references/security.md index 11f757e..d76dfe2 100644 --- a/plugins/deploy-on-aws/skills/deploy/references/security.md +++ b/plugins/deploy-on-aws/skills/deploy/references/security.md @@ -25,6 +25,7 @@ Apply these patterns automatically when generating IaC: | --------------- | --------------------------- | -------------------------- | ---------------- | | S3 buckets | SSE-S3 (AES-256) | SSE-KMS (customer-managed) | "no encryption" | | RDS/Aurora | Encrypted (AWS-managed key) | Encrypted (CMK) | - | +| DocumentDB | Encrypted (AWS-managed key) | Encrypted (CMK) | - | | EBS volumes | Encrypted | Encrypted | - | | ALB | TLS 1.2+ only | TLS 1.2+ only | - | | Secrets Manager | AWS-managed key | CMK | - | 
@@ -60,6 +61,7 @@ When serving static content via CloudFront: | Fargate tasks | Private subnet + NAT Gateway | Private subnet + NAT Gateway | | ALB | Public subnet | Public subnet | | RDS/Aurora | Private subnet (no public IP) | Private subnet (no public IP) | +| DocumentDB | Private subnet (no public IP) | Private subnet (no public IP) | | Lambda | VPC-attached if DB access needed | VPC-attached if DB access needed | ### Why private subnets for compute @@ -96,6 +98,7 @@ Consult `awsiac` MCP for IAM policy patterns by service. | ALB | 443 from 0.0.0.0/0 | Fargate SG only | | Fargate | ALB SG only (on app port) | 443 (HTTPS), DB SG | | RDS/Aurora | Fargate SG only (on DB port) | None | +| DocumentDB | Fargate SG only (port 27017) | None | | Lambda (VPC) | None | 443, DB SG | ### Why deny-by-default @@ -160,6 +163,7 @@ Before deployment, run available checks: | ALB Access Logs | Disabled | Enabled (S3 destination) | | Container logs | CloudWatch Logs | CloudWatch Logs | | RDS/Aurora logs | Error log only | Error + slow query + audit | +| DocumentDB logs | Profiler (slow ops) | Profiler + audit | | S3 Access Logs | Disabled | Enabled | ### Why minimal logging in dev @@ -176,6 +180,7 @@ When user requests "production" or "prod", additionally enable: - [ ] ALB Access Logs - [ ] S3 Access Logs - [ ] RDS Performance Insights +- [ ] DocumentDB profiler + audit logs exported to CloudWatch Logs - [ ] AWS WAF on ALB (if public-facing web app) - [ ] GuardDuty (recommend, don't auto-enable) - [ ] Run `checkov` or `cfn-nag` before deployment
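Review bot: the new `DocumentDB` row in the service-code table (cost-estimation.md, hunk @@ -17,6 +17,7) breaks the column's convention: the neighbouring RDS rows tell the reader which pricing filter to apply (`databaseEngine` = "PostgreSQL"), while this row only carries a description. Since the pricing section added further down quotes DCU-hour rates, state which filter isolates the serverless SKUs under `AmazonDocDB`, otherwise the awspricing lookup the file opens with may return instance-based rates that do not match the estimates.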
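Review bot: the production figure in the new "DocumentDB Serverless Pricing" section (cost-estimation.md, hunk @@ -53,6 +54,23) does not follow from the rate quoted three lines above it. At the stated $0.0822/DCU-hour, 8 DCU for a 730-hour month is roughly $480 for compute alone, before the 100GB of storage, I/O and the second AZ the estimate says it includes, so "~$130-400/month" understates the top of the 2-8 DCU range; either recompute the bound or narrow the DCU range to match it. The dev figure is consistent (0.5 DCU ≈ $30, 2 DCU ≈ $120 plus storage). Separately, these are hard-coded us-east-1 rates in a file whose context line says to use the awspricing MCP server for accurate estimates; label them as an illustrative snapshot (with the date they were taken) so they are not treated as authoritative once they drift.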
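Review bot: the MongoDB API compatibility claim in "Why DocumentDB Serverless for MongoDB" (defaults.md, hunk @@ -44,6 +45,15) lists 3.6, 4.0, 5.0 and 8.0 without a source, and this file drives what the generator emits. Cite where the list comes from (the surrounding text already points readers at the awsknowledge MCP for framework guidance) and say which engine version the generated template should pin by default, since the driver compatibility a user ends up with depends on that choice rather than on the list as a whole. The same paragraph says to use provisioned DocumentDB for "specific compliance requirements that need fixed instance sizing"; a one-line pointer to the override wording in the table above ("provisioned" → DocumentDB provisioned) would tie the two hunks together.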
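Review bot: the new `DocumentDB` row in the encryption table (security.md, hunk @@ -25,6 +25,7) covers encryption at rest only, while the same table's `ALB` row also pins the in-transit requirement ("TLS 1.2+ only"). Add the in-transit side for DocumentDB as well, so the generator does not emit a cluster that accepts plaintext client connections: DocumentDB enforces TLS through the cluster parameter group's `tls` setting, and that is what the IaC should set and the pre-deployment checks should assert on, in dev as well as production. Encryption at rest with an AWS-managed key does nothing for the connection between the Fargate task and port 27017.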
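Review bot: the `DocumentDB logs` row in the logging table (security.md, hunk @@ -160,6 +163,7) says "Profiler (slow ops)" for dev, but turning the profiler on does not by itself get those records anywhere a responder can read them; the profiler and audit streams only reach CloudWatch Logs if the cluster's log exports are enabled, which is exactly the wording the production checklist uses ("exported to CloudWatch Logs"). State in the dev cell whether export is on, and what threshold the profiler uses for "slow", so the two environments differ by what is logged rather than by whether anything is retained at all. It would also help to say where the audit records land, since the ALB and S3 rows name their destinations.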
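Review bot: the production checklist item "DocumentDB profiler + audit logs exported to CloudWatch Logs" (security.md, hunk @@ -176,6 +180,7) bundles two settings that have to be enabled separately: the cluster parameter that turns audit logging on and the cluster-level log export that ships it. The neighbouring items are single toggles, so a generator working from this list could set one and not the other and leave the export pointing at an empty stream; split the item in two, or spell out both halves in it, and have the `checkov` / `cfn-nag` step at the end of the list verify both are present in the generated template.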