Deploying 1C-Bitrix on AWS
AWS remains relevant for companies with an international presence or for those working with foreign clients who do not store Russian personal data. The eu-central-1 (Frankfurt) or eu-west-1 (Ireland) regions provide acceptable latency. For data without localisation restrictions, AWS offers mature infrastructure, a rich set of managed services, and predictable operation.
The main problem for such companies is paying for AWS itself: through foreign bank cards or via resellers. This is solvable but requires separate accounting.
Architecture on AWS
Recommended production scheme:
```text
Route 53 → CloudFront → ALB → EC2 (Auto Scaling Group)
                                 ↓
                        RDS MySQL (Multi-AZ)
                        ElastiCache Redis
                        S3 (uploads)
```
For smaller projects, the following is sufficient: EC2 + RDS + S3 + CloudFront.
EC2: Choosing the Instance Type
For Bitrix sites:
| Load | Instance type | RAM | CPU |
|---|---|---|---|
| Start / development | t3.medium | 4 GB | 2 vCPU |
| Medium traffic | c6i.xlarge | 8 GB | 4 vCPU |
| High traffic | c6i.2xlarge | 16 GB | 8 vCPU |
The c6i type (compute-optimized) is preferable to t3 for PHP — no CPU credits, stable performance.
```bash
# Create via AWS CLI
# AMI IDs are region-specific: look up the current image for your region before running this
aws ec2 run-instances \
  --image-id ami-0faab6bdbac9486fb \
  --instance-type c6i.xlarge \
  --key-name my-keypair \
  --security-group-ids sg-xxxxxxxx \
  --subnet-id subnet-xxxxxxxx \
  --block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":50,"VolumeType":"gp3","Iops":3000}}]' \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=bitrix-web}]'
```
Disk type — gp3 instead of gp2: cheaper and 3000 IOPS by default at no extra cost.
VPC and Security Groups
```bash
# Security Group for the web server
aws ec2 create-security-group \
  --group-name bitrix-web-sg \
  --description "Bitrix web server" \
  --vpc-id vpc-xxxxxxxx

# Allow HTTP, HTTPS, SSH (SSH only from your own address, YOUR_IP/32)
aws ec2 authorize-security-group-ingress \
  --group-id sg-xxxxxxxx \
  --ip-permissions \
    'IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges=[{CidrIp=0.0.0.0/0}]' \
    'IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges=[{CidrIp=0.0.0.0/0}]' \
    'IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges=[{CidrIp=YOUR_IP/32}]'
```
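A small audit of the rules above, as an added example (not code from the article): it parses the `--ip-permissions` shorthand used by the CLI and reports administrative ports (SSH, MySQL, Redis) that are reachable from the whole Internet. The sample rule sets are constructed here; `203.0.113.10/32` stands in for the article's `YOUR_IP/32` placeholder.

```python
"""Audit security-group ingress rules written in AWS CLI shorthand."""
import re
from ipaddress import ip_network

# Ports that must never be world-reachable on a Bitrix stack
ADMIN_PORTS = {22: "ssh", 3306: "mysql", 6379: "redis"}

# IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges=[{CidrIp=...},{CidrIp=...}]
SHORTHAND = re.compile(
    r"IpProtocol=(?P<proto>[^,]+)"
    r"(?:,FromPort=(?P<from>-?\d+),ToPort=(?P<to>-?\d+))?"
    r",IpRanges=\[(?P<ranges>.*)\]$"
)


def parse_permission(shorthand: str) -> dict:
    """Turn one shorthand entry into {proto, from, to, cidrs}."""
    m = SHORTHAND.match(shorthand.strip())
    if not m:
        raise ValueError(f"unrecognised ip-permissions shorthand: {shorthand!r}")
    cidrs = re.findall(r"CidrIp=([^,}\]]+)", m.group("ranges"))
    return {
        "proto": m.group("proto"),
        "from": int(m.group("from")) if m.group("from") is not None else None,
        "to": int(m.group("to")) if m.group("to") is not None else None,
        "cidrs": cidrs,
    }


def audit_permission(rule: dict) -> list:
    """Return one finding per admin port exposed to 0.0.0.0/0 or ::/0."""
    findings = []
    for cidr in rule["cidrs"]:
        net = ip_network(cidr, strict=False)  # also validates the CIDR syntax
        if net.prefixlen != 0:
            continue  # a real source range, not "the whole Internet"
        all_ports = rule["proto"] == "-1" or rule["from"] is None
        for port, name in ADMIN_PORTS.items():
            in_range = all_ports or (rule["from"] <= port <= rule["to"])
            if rule["proto"] in ("-1", "tcp") and in_range:
                findings.append(f"{name} ({port}/tcp) open to {cidr}")
    return findings


def audit_rules(shorthands: list) -> list:
    """Audit a whole --ip-permissions argument list."""
    findings = []
    for s in shorthands:
        findings.extend(audit_permission(parse_permission(s)))
    return findings


# Constructed input: the article's web-server rules with a concrete admin address
WEB_SG_RULES = [
    "IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges=[{CidrIp=0.0.0.0/0}]",
    "IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges=[{CidrIp=0.0.0.0/0}]",
    "IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges=[{CidrIp=203.0.113.10/32}]",
]

# Constructed counter-example: a catch-all rule that also exposes SSH, MySQL and Redis
OPEN_RULES = [
    "IpProtocol=tcp,FromPort=0,ToPort=65535,IpRanges=[{CidrIp=0.0.0.0/0},{CidrIp=::/0}]",
]

if __name__ == "__main__":
    print("web SG:", audit_rules(WEB_SG_RULES) or "clean")
    print("open SG:", audit_rules(OPEN_RULES))
```

The same check is worth running against the RDS and ElastiCache security groups: their inbound rules should reference the web server's security group id as the source rather than any CIDR, so port 3306 and 6379 never appear with an `IpRanges` entry at all.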
RDS MySQL
```bash
# Create RDS MySQL 8.0
# --db-name creates the "bitrix" schema that .settings.php connects to;
# for the HA scheme above add --multi-az. Instead of a literal password,
# --manage-master-user-password stores it in Secrets Manager.
aws rds create-db-instance \
  --db-instance-identifier bitrix-db \
  --db-instance-class db.t3.medium \
  --engine mysql \
  --engine-version 8.0.35 \
  --master-username bitrix_admin \
  --master-user-password 'STRONG_PASSWORD' \
  --db-name bitrix \
  --allocated-storage 50 \
  --storage-type gp3 \
  --vpc-security-group-ids sg-xxxxxxxx \
  --db-subnet-group-name bitrix-subnet-group \
  --no-publicly-accessible \
  --backup-retention-period 7 \
  --character-set-name utf8mb4
```
Connection in bitrix/.settings.php:
```php
// Fragment of bitrix/.settings.php
// MysqliConnection is the mysqli-based driver; the older MysqlConnection class
// depended on the ext/mysql extension that was removed in PHP 7.
'connections' => [
    'value' => [
        'default' => [
            'className' => '\\Bitrix\\Main\\DB\\MysqliConnection',
            'host' => 'bitrix-db.xxxx.eu-central-1.rds.amazonaws.com',
            'database' => 'bitrix',
            'login' => 'bitrix_admin',
            'password' => 'STRONG_PASSWORD',
            'options' => 2,
        ],
    ],
],
```
S3 for Uploads
```bash
# Create bucket
aws s3 mb s3://my-bitrix-uploads --region eu-central-1

# Enable versioning
aws s3api put-bucket-versioning \
  --bucket my-bitrix-uploads \
  --versioning-configuration Status=Enabled

# Access policy for public files (only for /upload/): the Resource is scoped to the
# upload/ prefix, not the whole bucket. New buckets have Block Public Access enabled,
# so a public policy is rejected until BlockPublicPolicy is relaxed for this bucket.
aws s3api put-bucket-policy \
  --bucket my-bitrix-uploads \
  --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bitrix-uploads/upload/*"}]}'
```
Integration with Bitrix via IAM role (not access keys — more secure):
```bash
# Create IAM role for EC2
aws iam create-role \
  --role-name BitrixS3Role \
  --assume-role-policy-document file://ec2-trust-policy.json

# Attach S3 access policy
aws iam attach-role-policy \
  --role-name BitrixS3Role \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess

# The role reaches the instance through an instance profile
# (create-instance-profile, add-role-to-instance-profile, associate-iam-instance-profile)
```
CloudFront for Static Assets and CDN
CloudFront is AWS's CDN with points of presence around the world. For Bitrix — cache static assets (/bitrix/cache/, /upload/, CSS, JS), do not cache dynamic content.
```bash
# Create CloudFront distribution (simplified)
aws cloudfront create-distribution \
  --distribution-config file://cloudfront-config.json
```
Key settings in cloudfront-config.json:
- Origins: EC2 (for PHP) + S3 (for /upload/).
- CacheBehaviors: path /upload/* → S3 origin, /*.php → EC2, default → EC2.
- ViewerProtocolPolicy: redirect-to-https.
- Compress: true — automatic compression of text resources.
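How the behaviour list above is evaluated, as an added example (not code from the article or from AWS): CloudFront walks CacheBehaviors in the order they are listed and the first PathPattern that matches wins, with `*` and `?` as the only wildcards and case-sensitive matching. The block models that with `fnmatchcase`, emits the CacheBehaviors fields the article names, and shows what goes wrong when a catch-all pattern is listed before `/upload/*`. Origin ids (`s3-uploads`, `ec2-bitrix`) and the `cache` flag are assumed names for illustration.

```python
"""Model CloudFront cache-behaviour ordering for the Bitrix layout."""
from fnmatch import fnmatchcase

# Behaviours in the order they should appear in cloudfront-config.json.
# "cache" marks whether responses for that path may be cached at the edge.
BEHAVIORS = [
    {"PathPattern": "/upload/*", "TargetOriginId": "s3-uploads", "cache": True},
    {"PathPattern": "/*.php",    "TargetOriginId": "ec2-bitrix", "cache": False},
]
# DefaultCacheBehavior: everything else (CSS, JS, /bitrix/cache/) from EC2, cacheable
DEFAULT = {"PathPattern": "*", "TargetOriginId": "ec2-bitrix", "cache": True}


def resolve(path: str, behaviors=BEHAVIORS, default=DEFAULT) -> dict:
    """First-match lookup, exactly as CloudFront orders its behaviours."""
    for b in behaviors:
        if fnmatchcase(path, b["PathPattern"]):
            return b
    return default


def cache_behaviors_config(behaviors=BEHAVIORS) -> dict:
    """Build the CacheBehaviors section with the settings the article lists."""
    items = [{
        "PathPattern": b["PathPattern"],
        "TargetOriginId": b["TargetOriginId"],
        "ViewerProtocolPolicy": "redirect-to-https",
        "Compress": True,
    } for b in behaviors]
    return {"Quantity": len(items), "Items": items}


# Constructed mistake: a catch-all behaviour listed first shadows the S3 rule
MISORDERED = [
    {"PathPattern": "/*",        "TargetOriginId": "ec2-bitrix", "cache": True},
    {"PathPattern": "/upload/*", "TargetOriginId": "s3-uploads", "cache": True},
]

if __name__ == "__main__":
    for p in ("/upload/iblock/a.jpg", "/bitrix/admin/index.php", "/bitrix/js/main.js"):
        print(p, "->", resolve(p)["TargetOriginId"])
    print("misordered:", resolve("/upload/iblock/a.jpg", MISORDERED)["TargetOriginId"])
```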
ElastiCache Redis
```bash
aws elasticache create-cache-cluster \
  --cache-cluster-id bitrix-redis \
  --cache-node-type cache.t3.medium \
  --engine redis \
  --engine-version 7.0 \
  --num-cache-nodes 1 \
  --cache-subnet-group-name bitrix-cache-subnet
```
ACM: SSL Certificate
AWS Certificate Manager issues free certificates for use with ALB and CloudFront:
```bash
aws acm request-certificate \
  --domain-name example.com \
  --validation-method DNS \
  --subject-alternative-names "*.example.com"
```
After creation, add the DNS validation record; the certificate ARN is then attached to the ALB listener or to the CloudFront distribution. CloudFront only accepts certificates issued in the us-east-1 region, so request a second certificate there if the distribution terminates TLS.
Least-Privilege IAM Policy for Bitrix
Principle of least privilege: instead of AmazonS3FullAccess — only what is needed:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::my-bitrix-uploads/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bitrix-uploads"
    }
  ]
}
```
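The IAM documents for the S3 integration (the `ec2-trust-policy.json` referenced in the IAM role step, the least-privilege policy above and the public-read bucket policy) together with a small linter, as an added example that is not code from the article or from Bitrix. The linter flags wildcard actions and resources, resources outside the uploads bucket, and anonymous (`Principal: "*"`) statements that reach beyond the intended `upload/` prefix. The `FULL_ACCESS` document is a constructed stand-in for a broad managed policy, not a copy of AmazonS3FullAccess.

```python
"""Build and audit the IAM policy documents used by the Bitrix S3 integration."""
import json

BUCKET = "my-bitrix-uploads"  # bucket name from the article


def ec2_trust_policy() -> dict:
    """Trust policy letting EC2 assume the role (contents of ec2-trust-policy.json)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def s3_least_privilege_policy(bucket: str) -> dict:
    """Object read/write/delete in one bucket plus listing it, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Effect": "Allow",
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }


def public_read_bucket_policy(bucket: str, prefix: str) -> dict:
    """Anonymous GetObject limited to one key prefix (e.g. "upload/")."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def audit_policy(policy: dict, bucket: str, public_prefix: str = "upload/") -> list:
    """Return findings for Allow statements broader than the Bitrix integration needs."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {a}")
        for r in resources:
            if r == "*":
                findings.append(f"statement {i}: wildcard resource")
            elif not r.startswith(bucket_arn):
                findings.append(f"statement {i}: resource outside {bucket}: {r}")
        if st.get("Principal") == "*":  # anonymous access: must stay inside the public prefix
            for r in resources:
                if not r.startswith(f"{bucket_arn}/{public_prefix}"):
                    findings.append(f"statement {i}: public access beyond {public_prefix}: {r}")
    return findings


# Constructed stand-in for an over-broad managed policy (s3:* on every resource)
FULL_ACCESS = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(ec2_trust_policy(), indent=2))
    for name, doc in [("least privilege", s3_least_privilege_policy(BUCKET)),
                      ("public upload/", public_read_bucket_policy(BUCKET, "upload/")),
                      ("whole-bucket public", public_read_bucket_policy(BUCKET, "")),
                      ("full access", FULL_ACCESS)]:
        print(f"{name}: {audit_policy(doc, BUCKET) or 'ok'}")
```

Save the trust policy output as `ec2-trust-policy.json` for the `create-role` step, and create the least-privilege document with `aws iam create-policy` so its ARN replaces `AmazonS3FullAccess` in `attach-role-policy`. The role still has to reach the instance through an instance profile (`create-instance-profile`, `add-role-to-instance-profile`, `associate-iam-instance-profile`); Bitrix then obtains temporary credentials from the instance metadata service without any stored access keys.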
Deployment Timelines
| Option | Composition | Duration |
|---|---|---|
| EC2 + RDS + S3 | Basic production infrastructure | 2–3 days |
| + CloudFront + ElastiCache | CDN, session cache | 1–2 additional days |
| HA with Auto Scaling | ALB, ASG, Multi-AZ RDS, full failover | 5–8 days |