Happy with my optimizations and security

Submitted by loonyadmin on Sat, 08/19/2017 - 20:14
moodboard / Fotolia.com

I'm so happy with my architecture on AWS!!

Not only has AWS now enabled encryption at rest for EFS, the NFS option on AWS, but on top of that I have also enabled SSL for the data in transit to and from my Aurora cluster. So now everything should be encrypted at rest and in transit. The best part is that encryption at AWS costs you nothing extra.

But I also found a way to save some money. Until a few days ago, I had a server which only served the email functions of Drupal and a separate server which was spun up by autoscaling. Now I don't need two separate servers for autoscaling and email anymore, because I found out that I can also associate the Elastic IP for the email service with a server launched by autoscaling, and I can prevent autoscaling from terminating the email server when scaling down by setting a flag. This way I always have an email server with an Elastic IP, and the same server is able to serve all the rest of the traffic when the traffic on this website is low. As a result of that optimization, I'm able to run the whole architecture for under 100 EUR/month, and there is enough room for the additional helper instances which I have to spin up when I need to update Drupal.

The helper instances are necessary because I decided to use immutable webservers without SSH keys in production. These immutable webservers update themselves with a script that runs as a cron job every day. And I don't need to do any maintenance on them, because the Drupal code is stored on EFS and not on those servers themselves. This way there is no way for anyone to get SSH access to my webservers, because they have no SSH key on them and the SSH port is also closed on the security group.

For any updates to Drupal or to the scripts I use, I have configured a kind of Bastion host that has access to EFS and gets an SSH key for the time I need to update Drupal. After the update the Bastion host is terminated and any SSH access to my architecture is denied, because outside maintenance hours no security group in my architecture has an SSH port entry and no server has an SSH key on it.

As an additional security layer I also hide my whole architecture behind the ELB (Elastic Load Balancer). This way there is no way to get direct HTTP or HTTPS access to a server of my architecture. Even if someone gets to know the IP of the email server for Drupal, there is no direct access to that IP. All traffic has to flow through the ELB. This way I want to make it very hard to implement any kind of unwanted shell on my website, because the ELB and CloudFront, which sits before the ELB in my architecture, do not store the Drupal code on them. They only cache the results and deliver them when requested.
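A check for the two properties described above (no SSH ingress in any security group outside maintenance hours, and no HTTP/HTTPS path to an instance except through the ELB), as an added example that is not the author's own script. It runs over constructed data in the shape of `aws ec2 describe-security-groups` output; the group IDs, `ELB_SG` and the function names are assumptions.

```python
# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and CIDRs are made up for illustration.
ELB_SG = "sg-elb00000"  # assumed: the load balancer's security group

SAMPLE_GROUPS = [
    {"GroupId": "sg-elb00000", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web00000", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-elb00000"}]}]},
    {"GroupId": "sg-bastion0", "IpPermissions": [   # left over after maintenance
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-mail0000", "IpPermissions": [   # wide port range open to a CIDR
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]

def covers(perm, port):
    """True if the rule's protocol and port range include the TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit(groups, elb_sg):
    """Return sorted (group_id, finding) pairs that violate the design."""
    findings = set()
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if covers(perm, 22):
                findings.add((g["GroupId"], "ssh-ingress"))
            if g["GroupId"] == elb_sg:
                continue                   # the ELB is the intended entry point
            web = covers(perm, 80) or covers(perm, 443)
            cidrs = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
            other_sgs = [p for p in perm.get("UserIdGroupPairs", [])
                         if p.get("GroupId") != elb_sg]
            if web and (cidrs or other_sgs):
                findings.add((g["GroupId"], "web-ingress-bypasses-elb"))
    return sorted(findings)

if __name__ == "__main__":
    for group_id, finding in audit(SAMPLE_GROUPS, ELB_SG):
        print(group_id, finding)
```

A rule that names a port range (as in the constructed `sg-mail0000` entry) is matched by range, so SSH or web access hidden inside a wide range is reported as well.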

Next month I won't have the AWS free tier benefits anymore, which AWS gives any new customer within the first 12 months. I'm pretty curious how much my architecture as it stands now will cost.