Developer Tools AWS

Drupal CMS on AWS User Guide

| Product: Drupal CMS on AWS

Overview

This image runs Drupal behind nginx, with PHP FPM 8.3 and OPcache enabled. Site content and configuration are stored in MariaDB on the same instance, bound to the loopback interface only. The Composer dependency manager and the drush command line tool are preinstalled, and Drupal's scheduled tasks run hourly through a systemd timer so cache maintenance, search indexing, and other lifecycle jobs fire without manual intervention.

Drupal administrator and MariaDB credentials are generated on the first boot of every deployed instance. Two instances launched from the same Amazon Machine Image never share passwords. The initial administrator password and the MariaDB password are written to /root/drupal-credentials.txt with mode 0600 so that only the root user can read them.

Drupal is configured to accept requests on any host, so the site automatically works on whatever public DNS name or IP address visitors reach the instance on. There is no instance metadata lookup and no value to edit on first boot — deployments behind an Application Load Balancer, a private subnet, or a custom domain all work without changes.

Prerequisites

Before you deploy this image you need:

  • An Amazon Web Services account where you can launch EC2 instances
  • IAM permissions to launch instances, create security groups, and subscribe to AWS Marketplace products
  • An EC2 key pair in the target Region for SSH access to the instance
  • A VPC and subnet in the target Region, with a security group allowing inbound port 22 from your management network and inbound ports 80 and 443 from the networks your visitors will use
  • The AWS CLI (version 2) installed locally if you plan to deploy from the command line

Step 1: Launch the Instance from the AWS Marketplace

Sign in to the AWS Management Console, open the EC2 service, and select Launch instance. Under Application and OS Images choose AWS Marketplace AMIs and search for Drupal CMS. Select the cloudimg listing and choose Select, then Continue on the subscription summary.

Pick an instance type of m5.large or larger — the Drupal workload is PHP and MariaDB heavy. Choose your EC2 key pair under Key pair (login). Under Network settings select your VPC and subnet, and either create or select a security group that allows inbound port 22 from your management network and inbound ports 80 and 443 from the networks your visitors use. Leave the root volume at the default size or larger.

Select Launch instance. First boot initialisation takes approximately one minute after the instance state becomes Running and the status checks pass.

Step 2: Launch the Instance from the AWS CLI

The following block launches an instance from the cloudimg Drupal Marketplace AMI into an existing subnet and security group. Replace <ami-id> with the AMI ID shown on the Marketplace listing, <key-name> with your EC2 key pair name, <subnet-id> with your subnet ID, and <security-group-id> with a security group that opens ports 22, 80, and 443 as described above.

aws ec2 run-instances \
  --image-id <ami-id> \
  --instance-type m5.large \
  --key-name <key-name> \
  --subnet-id <subnet-id> \
  --security-group-ids <security-group-id> \
  --block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":30,"VolumeType":"gp3"}}]' \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=drupal-cms-01}]'

The command prints a JSON document on success. Note the instance ID, then retrieve its public address once it is running with aws ec2 describe-instances --instance-ids <instance-id> --query "Reservations[].Instances[].PublicIpAddress" --output text.

Step 3: Connect and Retrieve Initial Credentials

Connect over SSH with the key pair you selected and the public IP address from step 2. The SSH login user depends on the operating system of the AMI variant you launched:

AMI variant SSH login user
Drupal 11 on Ubuntu 24.04 ubuntu

The first boot service runs before the SSH daemon becomes ready, so the credentials file is always in place when you log in for the first time.

ssh <login-user>@<public-ip>
sudo cat /root/drupal-credentials.txt

You will see a plain text file containing the Drupal URL, the administrator username (admin), the administrator password, and the MariaDB database name, user, and password. Copy these values somewhere secure (a password manager or encrypted vault). Do not commit them to source control.

From the same SSH session you can confirm the deployment is healthy:

curl -fsS -o /dev/null -w 'login page HTTP %{http_code}\n' http://127.0.0.1/user/login

A login page HTTP 200 response confirms the full stack — nginx, PHP and MariaDB — is serving Drupal.

Step 4: First Login to the Drupal Web Interface

Open a web browser and navigate to http://<public-ip>/user/login. Drupal presents the sign-in form to visitors who do not yet have a session.

Drupal login page

Enter the administrator username admin and the administrator password from /root/drupal-credentials.txt. Select Log in. On the first successful sign in Drupal records your session and shows the administration toolbar across the top of every page.

Step 5: The Administration Interface

Once signed in, the dark administration toolbar gives you every management area: Content for pages and articles, Structure for content types, menus, blocks and taxonomy, Appearance for themes, Extend for modules, Configuration for site settings, People for user accounts and roles, and Reports for logs and status.

Drupal administration content overview

The content overview at /admin/content lists every page and article on the site with filters for type, status, and author. Reports then Status report is the first place to check the health of a deployment — it flags pending updates, cron status, and configuration warnings.

Step 6: Change the Administrator Password

For a production deployment rotate the administrator password that was generated on first boot. Select your account in the toolbar, choose Edit, enter a new password in the Password and Confirm password fields, and select Save.

From the command line the same thing can be done with the preinstalled drush tool:

sudo -u www-data /var/www/drupal/vendor/bin/drush --root=/var/www/drupal/web \
  user:password admin '<new-password>'

Step 7: Create Your First Content

Select Content in the toolbar, then Add content, then Basic page for a static page or Article for a dated, taggable post. Enter a title and body, set the Published checkbox under the right hand sidebar, and select Save.

Drupal content creation form

Use Structure then Content types to add fields to a content type or to create new content types of your own. Menus are managed under Structure then Menus, and the front page is set under Configuration then System then Basic site settings.

Step 8: Extend with Modules and Themes

Drupal's functionality is extended with contributed modules and themes from https://www.drupal.org/. The Extend page at /admin/modules lists every module installed on the site and lets you enable or disable each one.

Drupal Extend page for installing modules

Because this image installs Drupal with Composer, add a new module by requiring it with Composer and then enabling it with drush:

cd /var/www/drupal
sudo -u www-data composer require drupal/<module-name>
sudo -u www-data /var/www/drupal/vendor/bin/drush --root=/var/www/drupal/web \
  pm:install <module-name>

Themes are installed the same way and activated under Appearance at /admin/appearance.

Step 9: Configure Outbound Email

By default Drupal sends mail through the server's PHP mail function. For reliable delivery on a cloud instance route mail through an SMTP provider such as Amazon SES, SendGrid, or Mailgun by installing a mail module:

cd /var/www/drupal
sudo -u www-data composer require drupal/symfony_mailer
sudo -u www-data /var/www/drupal/vendor/bin/drush --root=/var/www/drupal/web \
  pm:install symfony_mailer

After the module is installed, open Configuration then System then Mailer to enter your provider's SMTP host, port, encryption, and credentials, then send a test message.

Step 10: Enable HTTPS with Let's Encrypt

For any production Drupal deployment serve the site over HTTPS so session cookies and authentication tokens cannot be intercepted. The image ships with nginx, which certbot can configure automatically.

The following assumes you have a DNS record pointing your fully qualified domain name at the instance's public IP address.

sudo apt-get update && sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d drupal.your-domain.example \
  --non-interactive --agree-tos -m you@your-domain.example \
  --redirect

After certbot finishes, rebuild Drupal's caches so it serves assets under the new HTTPS base URL with sudo -u www-data /var/www/drupal/vendor/bin/drush --root=/var/www/drupal/web cache:rebuild.

Step 11: Backups and Maintenance

Drupal has two data sources that must be backed up together: the MariaDB database and the site files in /var/www/drupal (the code tree, the Composer dependencies, and uploaded files under web/sites/default/files).

sudo mysqldump --single-transaction drupal > /var/backups/drupal-db-$(date +%F).sql
sudo tar --acls --xattrs -czf /var/backups/drupal-files-$(date +%F).tgz -C /var/www drupal

Ship both artifacts to an Amazon S3 bucket or another object store. The drush cron timer installed with the image runs Drupal's scheduled tasks hourly; review its status under Reports then Status report.

For kernel and package updates, Ubuntu's unattended-upgrades is enabled by default — security patches apply automatically. To update Drupal core and contributed modules, use Composer: sudo -u www-data composer update in /var/www/drupal, followed by drush updatedb and drush cache:rebuild.

Step 12: Scaling Beyond a Single Instance

For larger deployments decouple Drupal from the single instance pattern:

  • Move MariaDB to Amazon RDS for MariaDB and update the database connection in /var/www/drupal/web/sites/default/settings.php
  • Put the Drupal web tier behind an Application Load Balancer and scale horizontally with an Auto Scaling group, with web/sites/default/files on Amazon EFS shared storage
  • Offload caching to Amazon ElastiCache for Redis via the Drupal redis module
  • Push static assets and uploaded files to Amazon S3 via the Drupal s3fs module

Each of these is documented in the official Drupal documentation at https://www.drupal.org/docs under "Hosting, installing, and upgrading".

Support

cloudimg provides 24/7/365 expert technical support for this image. Guaranteed response within 24 hours, one hour average for critical issues. Contact support@cloudimg.co.uk.

For general Drupal administration questions consult the community at https://www.drupal.org/ and the documentation at https://www.drupal.org/docs.