Keycloak on Amazon Web Services

This solution runs Amazon ECS clusters using Amazon Fargate, which is a serverless computing service for containers. With Amazon Fargate, you don't need to manage servers, and you can assign and pay for resources for each application and improve security by designing isolate applications. To ensure high system availability, two tasks are defined in the Amazon ECS service so that if one task fails to provide service, the other task continues to provide service. Amazon ECS supports Docker and enables you to run and manage Docker containers. Keycloak's container images are deployed and run on Amazon ECS without any configuration changes.

Amazon ECR is used to store Keycloak's Docker image files.

Amazon Certificate Manager (ACM) manages SSL Certificate in HTTPS listener (TLS: 443) for ALB.

Amazon Identity and Access Management (IAM) is used for managing Roles for Cognito Identity Pool for user authentication in conjunction with Keycloak. There can be two Roles: one owned by users who are not logged in and the other one owned by users who are logged in. Depending on the Policy owned by the Role, users can access different Amazon Web Services services.

Amazon Secrets Manager(ASM) automatically generates and stores the initial username and password for the Keycloak administrator account. It also automatically generates and stores initial administrator account username, password, and connection domain and port information for the database

This solution uses Amazon RDS as default database. You can also choose Amazon Aurora Serverless or single Amazon RDS instance. The default settings are as below, you can modify the settings based on your need:

- Database type is Amazon RDS for MySQL.

- Database instance type is db.r5.large.

- Amazon RDS Multi-Available Zone deployment.

- Automatic backup is 7 days.

- KMS encryption is enabled.