I don’t think we have that.
Darius created Playing around with OpenMRS in the cloud , but it was Google Cloud.
OpenMRS is a pretty standard java application, it’s not particularly special from the OPS point of view (as far as I can see it). What makes is very special is the type of data it’s holding - it’s health data, which is probably the most dangerous type of data we can handle.
But security is done in the very same way as any other sensitive application in AWS.
We are talking here about encryption at rest everywhere (encryption - via KMS - to EBS, databases, S3 buckets, EFS) and encryption in transit (TLS in all places). Security groups need to be pretty restrict (only allow 443, for example), and you can apply security on the network level too (NACL rules), and enable logs for network (flowlog). You can enable Guardduty to try to find any weird behaviour. Your S3 bucket policies should be very strict, also your AWS console should be strict and with MFA.
Ideally your operational system is hardened (let’s say, with CIS benchmark or SELinux) and regularly patched. You should have audit logs and centralised logs. Access to machines should be controlled, secure and auditable.
If you want to protect your system from DDoS attacks and other threats (like SQL injection), you can add a Cloudfront + WAF in front of your application. It’s nice as well to do IP whitelist here if desired. Other possibility is setting up a VPN tunnel between the place which should access the application and the AWS VPC; so the application is not publicly accessible.
But sure, everything has a cost.