From a security perspective, start from inside the ec2 instance and work back from there (don't just assume AWS platform configurations such as security groups and NACLs are the answer - although they definately are part of it).

So making sure your OS is patched and under some sort of configuraiton management and reporting, then:

• Ensure that any un-used services are off, strip it right down.
• Design your hosting VPC accordingly with public/private subnets, internet gateways and NAT instances where required, don't just drop an ec2 instance into a public subnet.
• Use AWS session manager for any remote connectivity
• Use AWS back up
• Ensure you are checking the access logs and have them setup through CloudTrail and CloudWatch
• Encrypt the EBS volume
• Ensure that you have IAM setup properly, only use IAM roles for ec2 privilages to other AWS services with the principle of least privilege (again with logging). You can use IAM Access Analyzer here to understand more about what is required.
• Use a load balancer if needed
• Configure your ec2 security groups to only allow certain ports from specific ip ranges, take it a step further with NACLS if needed
• Consider using AWS firewall and other services such as WAF and Shield if public facing.
• Consider offloading content to Cloudfront if public facing.

That should keep you busy for a while 😂

this will be helpful. Also, I would like to understand and learn more about related guidelines.