awslabs · azpaulp · May 14, 2026 · May 19, 2026 · May 19, 2026 · May 19, 2026
@@ -57,9 +57,11 @@ to ensure patterns follow AWS recommendations.
 - Don't ask "Lambda or Fargate?" - just pick the obvious one
 - If genuinely ambiguous, then ask
 - **Never recommend AWS App Runner** — it is in maintenance mode. Use ECS Express Mode instead.
+- When user explicitly requests a managed application platform or signals low infrastructure involvement, route to Elastic Beanstalk
 
 ## References
 
 - [Service defaults](references/defaults.md)
 - [Security defaults](references/security.md)
 - [Cost estimation patterns](references/cost-estimation.md)
+- [Elastic Beanstalk skill](../elastic-beanstalk/SKILL.md)
@@ -11,20 +11,21 @@ Use the **awspricing** MCP server to get accurate cost estimates before generati
 
 ## Service Codes
 
-| Service           | Code                | Notes                                          |
-| ----------------- | ------------------- | ---------------------------------------------- |
-| Fargate           | `AmazonECS`         | Filter by `usagetype` containing "Fargate"     |
-| Aurora PostgreSQL | `AmazonRDS`         | Filter: `databaseEngine` = "Aurora PostgreSQL" |
-| Aurora MySQL      | `AmazonRDS`         | Filter: `databaseEngine` = "Aurora MySQL"      |
-| RDS PostgreSQL    | `AmazonRDS`         | Filter: `databaseEngine` = "PostgreSQL"        |
-| Amazon DocumentDB | `AmazonDocDB`       | MongoDB-compatible managed database            |
-| ALB               | `AWSELB`            | Application Load Balancer                      |
-| S3                | `AmazonS3`          | Storage and requests                           |
-| CloudFront        | `AmazonCloudFront`  | CDN distribution                               |
-| Amplify           | `AWSAmplify`        | Hosting, build minutes                         |
-| Lambda            | `AWSLambda`         | Requests and duration                          |
-| DynamoDB          | `AmazonDynamoDB`    | On-demand or provisioned                       |
-| Secrets Manager   | `AWSSecretsManager` | Per secret per month                           |
+| Service           | Code                | Notes                                            |
+| ----------------- | ------------------- | ------------------------------------------------ |
+| Fargate           | `AmazonECS`         | Filter by `usagetype` containing "Fargate"       |
+| Aurora PostgreSQL | `AmazonRDS`         | Filter: `databaseEngine` = "Aurora PostgreSQL"   |
+| Aurora MySQL      | `AmazonRDS`         | Filter: `databaseEngine` = "Aurora MySQL"        |
+| RDS PostgreSQL    | `AmazonRDS`         | Filter: `databaseEngine` = "PostgreSQL"          |
+| Amazon DocumentDB | `AmazonDocDB`       | MongoDB-compatible managed database              |
+| ALB               | `AWSELB`            | Application Load Balancer                        |
+| S3                | `AmazonS3`          | Storage and requests                             |
+| CloudFront        | `AmazonCloudFront`  | CDN distribution                                 |
+| Amplify           | `AWSAmplify`        | Hosting, build minutes                           |
+| Lambda            | `AWSLambda`         | Requests and duration                            |
+| DynamoDB          | `AmazonDynamoDB`    | On-demand or provisioned                         |
+| Secrets Manager   | `AWSSecretsManager` | Per secret per month                             |
+| Elastic Beanstalk | N/A (free service)  | No EB charge; query EC2, AWSELB for actual costs |
 
 ## Fargate Pricing
 
@@ -70,6 +71,19 @@ storage (GB-month), and I/O (standard config only).
 
 - ~$130-400/month depending on load
 
+## Elastic Beanstalk Pricing
+
+Elastic Beanstalk itself has no service fee. Cost equals the underlying AWS
+resources provisioned for the environment (EC2, ELB, EBS, CloudWatch).
+Query awspricing MCP server for region-accurate estimates. Approximate
+us-east-1 pricing:
+
+**Dev web (1x t3.small + ALB):** ~$35-40/month
+**Dev worker (1x t3.small, no ALB):** ~$15-20/month
+**Production web (4x t3.medium + ALB, Multi-AZ):** ~$150-200/month
+
+Include EBS volume costs (8GB gp3 default: ~$1/month per instance).
+
 ## Quick Reference Estimates
 
 **Small web app (Fargate + Aurora Serverless v2 + ALB):**
@@ -97,6 +111,16 @@ storage (GB-month), and I/O (standard config only).
 - Low traffic: ~$5-20/month
 - High traffic: scales with requests
 
+**Web app on Elastic Beanstalk:**
+
+- Dev (1 instance + ALB): ~$35-40/month
+- Production (load-balanced, Multi-AZ): ~$80-200/month
+
+**Web app on EB + Aurora Serverless v2:**
+
+- Dev: ~$80-130/month
+- Production: ~$200-400/month
+
 ## Presenting Estimates
 
 Always show:

@@ -4,13 +4,14 @@ Default AWS service selections. Override only when user explicitly requests alte
 
 ## Compute
 
-| App Pattern                                           | Default              | Override Trigger                         |
-| ----------------------------------------------------- | -------------------- | ---------------------------------------- |
-| Web framework (Django, Rails, Express, FastAPI, etc.) | Fargate + ALB        | "serverless" → Lambda + API Gateway      |
-| Static site / SPA                                     | Amplify Hosting      | "S3" or "more control" → S3 + CloudFront |
-| Background workers                                    | Fargate              | Short tasks (<15min) → Lambda            |
-| Scheduled jobs                                        | EventBridge + Lambda | Long-running → EventBridge + Fargate     |
-| API-only (no web UI)                                  | Fargate + ALB        | "serverless" → API Gateway + Lambda      |
+| App Pattern                                           | Default              | Override Trigger                                                                                      |
+| ----------------------------------------------------- | -------------------- | ----------------------------------------------------------------------------------------------------- |
+| Web framework (Django, Rails, Express, FastAPI, etc.) | Fargate + ALB        | "serverless" → Lambda + API Gateway; "managed platform" or "Elastic Beanstalk" → Elastic Beanstalk    |
+| Static site / SPA                                     | Amplify Hosting      | "S3" or "more control" → S3 + CloudFront                                                              |
+| Background workers                                    | Fargate              | Short tasks (<15min) → Lambda; "managed platform" or "Elastic Beanstalk" → Elastic Beanstalk (Worker) |
+| Scheduled jobs                                        | EventBridge + Lambda | Long-running → EventBridge + Fargate                                                                  |
+| API-only (no web UI)                                  | Fargate + ALB        | "serverless" → API Gateway + Lambda; "managed platform" or "Elastic Beanstalk" → Elastic Beanstalk    |
+| Existing Heroku/Render/Railway app migrating to AWS   | Elastic Beanstalk    | "container orchestration" or "ECS" → Fargate + ALB; "serverless" → Lambda                             |
 
 > **⚠️ App Runner is in maintenance mode** — AWS has moved App Runner to maintenance mode. Do **not** recommend App Runner for new workloads. Use **ECS Express Mode** instead.
 
@@ -30,6 +31,13 @@ or has existing CloudFront infrastructure.
 Use `amplify_docs` topic in awsknowledge MCP for framework-specific guidance
 (React, Next.js, Vue, Angular, etc.).
 
+### Why Elastic Beanstalk for managed platform deployments
+
+Elastic Beanstalk is an application management service: the user provides code,
+AWS manages deployments, scaling, patching, monitoring, and health response.
+Choose when the user wants production-grade reliability with the lowest ongoing
+maintenance cost. Choose Fargate when the user wants direct container control.
+
 ## Database
 
 | Data Pattern       | Default (Dev)                | Default (Prod)               | Override Trigger                              |
@@ -81,11 +89,13 @@ type safety without requiring Python/Java knowledge. If user's repo already has
 
 ## Sizing (Dev vs Production)
 
-| Component         | Dev           | Production     |
-| ----------------- | ------------- | -------------- |
-| Fargate           | 0.5 vCPU, 1GB | 1+ vCPU, 2+ GB |
-| Aurora Serverless | 0.5-2 ACU     | 2-16+ ACU      |
-| ALB               | Single AZ OK  | Multi-AZ       |
+| Component                  | Dev               | Production                     |
+| -------------------------- | ----------------- | ------------------------------ |
+| Fargate                    | 0.5 vCPU, 1GB     | 1+ vCPU, 2+ GB                 |
+| Aurora Serverless          | 0.5-2 ACU         | 2-16+ ACU                      |
+| ALB                        | Single AZ OK      | Multi-AZ                       |
+| Elastic Beanstalk (web)    | 1x t3.small + ALB | 2-4x t3.medium + ALB, Multi-AZ |
+| Elastic Beanstalk (worker) | 1x t3.small       | 2-4x t3.medium                 |
 
 Default to **dev sizing** unless user says "production", "prod", or "production-ready".
 

@@ -56,13 +56,15 @@ When serving static content via CloudFront:
 
 ## VPC Placement
 
-| Component         | Default (Dev)                    | Default (Prod)                   |
-| ----------------- | -------------------------------- | -------------------------------- |
-| Fargate tasks     | Private subnet + NAT Gateway     | Private subnet + NAT Gateway     |
-| ALB               | Public subnet                    | Public subnet                    |
-| RDS/Aurora        | Private subnet (no public IP)    | Private subnet (no public IP)    |
-| Amazon DocumentDB | Private subnet (no public IP)    | Private subnet (no public IP)    |
-| Lambda            | VPC-attached if DB access needed | VPC-attached if DB access needed |
+| Component           | Default (Dev)                    | Default (Prod)                   |
+| ------------------- | -------------------------------- | -------------------------------- |
+| Fargate tasks       | Private subnet + NAT Gateway     | Private subnet + NAT Gateway     |
+| ALB                 | Public subnet                    | Public subnet                    |
+| RDS/Aurora          | Private subnet (no public IP)    | Private subnet (no public IP)    |
+| Amazon DocumentDB   | Private subnet (no public IP)    | Private subnet (no public IP)    |
+| Lambda              | VPC-attached if DB access needed | VPC-attached if DB access needed |
+| EB web instances    | Private subnet + ALB in public   | Private subnet + ALB in public   |
+| EB worker instances | Private subnet + NAT Gateway     | Private subnet + NAT Gateway     |
 
 ### Why private subnets for compute
 
@@ -76,12 +78,14 @@ Use `awsknowledge` topic `vpc_patterns` for multi-AZ production layouts.
 
 ## IAM
 
-| Pattern              | Default                                          |
-| -------------------- | ------------------------------------------------ |
-| Task/function roles  | Least privilege (only resources explicitly used) |
-| Service-linked roles | Use AWS-managed where available                  |
-| Cross-service access | Via IAM roles, never access keys                 |
-| Admin access         | Not created (user manages separately)            |
+| Pattern              | Default                                                     |
+| -------------------- | ----------------------------------------------------------- |
+| Task/function roles  | Least privilege (only resources explicitly used)            |
+| Service-linked roles | Use AWS-managed where available                             |
+| Cross-service access | Via IAM roles, never access keys                            |
+| Admin access         | Not created (user manages separately)                       |
+| EB instance profile  | Least privilege (S3 for deploys, CloudWatch, ECR if Docker) |
+| EB service role      | AWS-managed (aws-elasticbeanstalk-service-role)             |
 
 ### Principle: Explicit grants only
 
@@ -93,13 +97,16 @@ Consult `awsiac` MCP for IAM policy patterns by service.
 
 ## Security Groups
 
-| Component         | Default Inbound              | Default Outbound   |
-| ----------------- | ---------------------------- | ------------------ |
-| ALB               | 443 from 0.0.0.0/0           | Fargate SG only    |
-| Fargate           | ALB SG only (on app port)    | 443 (HTTPS), DB SG |
-| RDS/Aurora        | Fargate SG only (on DB port) | None               |
-| Amazon DocumentDB | Fargate SG only (port 27017) | None               |
-| Lambda (VPC)      | None                         | 443, DB SG         |
+| Component           | Default Inbound                 | Default Outbound     |
+| ------------------- | ------------------------------- | -------------------- |
+| ALB                 | 443 from 0.0.0.0/0              | Fargate SG only      |
+| Fargate             | ALB SG only (on app port)       | 443 (HTTPS), DB SG   |
+| RDS/Aurora          | Fargate SG only (on DB port)    | None                 |
+| Amazon DocumentDB   | Fargate SG only (port 27017)    | None                 |
+| Lambda (VPC)        | None                            | 443, DB SG           |
+| EB ALB              | 443 from 0.0.0.0/0              | EB instances SG only |
+| EB web instances    | EB ALB SG only (on app port)    | 443 (HTTPS), DB SG   |
+| EB worker instances | None (EB health agent is local) | 443 (HTTPS), DB SG   |
 
 ### Why deny-by-default
 
@@ -156,15 +163,17 @@ Before deployment, run available checks:
 
 ## Logging & Monitoring
 
-| Component              | Default (Dev)          | Default (Prod)             |
-| ---------------------- | ---------------------- | -------------------------- |
-| CloudTrail             | Account-level (shared) | Account-level (shared)     |
-| VPC Flow Logs          | Disabled               | Enabled (S3 destination)   |
-| ALB Access Logs        | Disabled               | Enabled (S3 destination)   |
-| Container logs         | CloudWatch Logs        | CloudWatch Logs            |
-| RDS/Aurora logs        | Error log only         | Error + slow query + audit |
-| Amazon DocumentDB logs | Profiler (slow ops)    | Profiler + audit           |
-| S3 Access Logs         | Disabled               | Enabled                    |
+| Component              | Default (Dev)          | Default (Prod)                    |
+| ---------------------- | ---------------------- | --------------------------------- |
+| CloudTrail             | Account-level (shared) | Account-level (shared)            |
+| VPC Flow Logs          | Disabled               | Enabled (S3 destination)          |
+| ALB Access Logs        | Disabled               | Enabled (S3 destination)          |
+| Container logs         | CloudWatch Logs        | CloudWatch Logs                   |
+| RDS/Aurora logs        | Error log only         | Error + slow query + audit        |
+| Amazon DocumentDB logs | Profiler (slow ops)    | Profiler + audit                  |
+| S3 Access Logs         | Disabled               | Enabled                           |
+| EB application logs    | CloudWatch Logs agent  | CloudWatch Logs + enhanced health |
+| EB platform logs       | Disabled               | Enabled (CloudWatch Logs)         |
 
 ### Why minimal logging in dev