Observability:
- CloudWatch Metrics: System and custom metrics
- CloudWatch Logs: Centralized log aggregation
- CloudWatch Alarms: Alert on thresholds
- X-Ray: Distributed tracing
Security:
- IAM: Users, roles, policies; apply the least-privilege principle
- Security Groups: Instance-level firewall (stateful)
- NACLs: Subnet-level firewall (stateless)
- Secrets Manager: Secrets storage
- KMS: Encryption key management
Interview question: "How do you grant EC2 access to S3?"
Create an IAM role with the required S3 permissions and attach it to the instance through an instance profile. The instance then retrieves temporary credentials for that role from the instance metadata service.