diff --git a/lib/barcelona/network/nat_builder.rb b/lib/barcelona/network/nat_builder.rb index 48ebb289..1a2178c0 100644 --- a/lib/barcelona/network/nat_builder.rb +++ b/lib/barcelona/network/nat_builder.rb @@ -40,6 +40,15 @@ def build_resources ] end + add_resource("AWS::EC2::LaunchTemplate", nat_launch_template_name) do |j| + j.LaunchTemplateName nat_launch_template_name + j.LaunchTemplateData do |d| + d.MetadataOptions do |m| + m.HttpTokens 'required' + end + end + end + add_resource("AWS::EC2::Instance", nat_name, depends_on: ["VPCGatewayAttachment"]) do |j| j.InstanceType options[:instance_type] || 't3.nano' @@ -53,8 +62,9 @@ def build_resources "GroupSet" => [ref("SecurityGroupNAT")] } ] - j.MetadataOptions do |m| - m.HttpTokens 'required' + j.LaunchTemplate do |t| + t.LaunchTemplateName nat_launch_template_name + t.Version get_attr(nat_launch_template_name, "LatestVersionNumber") end j.Tags [ tag("barcelona", stack.district.name), @@ -98,6 +108,10 @@ def eip_name def nat_name "NAT#{options[:type].to_s.classify}#{options[:nat_id]}" end + + def nat_launch_template_name + "NAT#{options[:type].to_s.classify}#{options[:nat_id]}LaunchTemplate" + end end end end diff --git a/lib/tasks/bootstrap.rake b/lib/tasks/bootstrap.rake index 7cc86427..61494fcb 100644 --- a/lib/tasks/bootstrap.rake +++ b/lib/tasks/bootstrap.rake @@ -14,6 +14,10 @@ namespace :bcn do end end + def secret_key_base + ENV["SECRET_KEY_BASE"] || SecureRandom.hex(64) + end + desc "Deploy Barcelona to the specified ECS cluster(local)" task :bootstrap => ["db:setup", :environment] do access_key_id = ENV["AWS_ACCESS_KEY_ID"] 
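Review bot: The `j.LaunchTemplateName nat_launch_template_name` line gives the template a fixed physical name built only from the NAT type and id, and launch template names must be unique within an account and region. If a second district's network stack is created in the same account and region with the same type and id, its stack creation would presumably fail on the name clash. I would drop the explicit name and let CloudFormation generate one, then reference the template from the instance in the next hunk with `t.LaunchTemplateId ref(nat_launch_template_name)` instead of `t.LaunchTemplateName nat_launch_template_name`. The enclosing build_resources body starts and ends outside the hunk.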
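Review bot: With `j.MetadataOptions` removed, nothing on the instance resource shows that IMDSv2 is still enforced; that now depends entirely on the launch template defined earlier in build_resources. A short comment above `j.LaunchTemplate` would keep this visible to anyone auditing the instance definition, for example `# IMDSv2 (HttpTokens 'required') is enforced by the launch template referenced here`. It is also worth confirming how CloudFormation applies this property change to NAT instances that are already running, since the hunk does not show whether they are replaced or updated in place. The add_resource block for the instance starts and ends outside the hunk.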
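Review bot: `nat_launch_template_name` repeats the whole interpolation from `nat_name` directly above it, so the two can drift apart if the naming scheme ever changes. Deriving one from the other keeps the logical IDs in step: `"#{nat_name}LaunchTemplate"`.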
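Review bot: `secret_key_base` accepts an empty `SECRET_KEY_BASE` as a valid key, because an empty string is truthy in Ruby and `||` never reaches the random fallback. Each call also draws a fresh random value when the variable is unset, so the two call sites in the later hunks of this file (the bootstrap heritage env var and the `SECRET_KEY_BASE` entry in the env var list) would get different keys; if they are meant to match, the result should be memoized. Something like `@secret_key_base ||= ENV["SECRET_KEY_BASE"].presence || SecureRandom.hex(64)` covers both, assuming ActiveSupport is loaded by the time the task body runs. A supplied value is used as-is with no length check, so a short operator-provided key would be stored without complaint.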
@@ -64,6 +68,7 @@ namespace :bcn do image_tag: "master" ) heritage.env_vars.build(key: "DATABASE_URL", value: ENV["BOOTSTRAP_DATABASE_URL"], secret: true) + heritage.env_vars.build(key: "SECRET_KEY_BASE", value: secret_key_base, secret: true) heritage.env_vars.build(key: "DISABLE_DATABASE_ENVIRONMENT_CHECK", value: "1", secret: false) heritage.env_vars.build(key: "AWS_REGION", value: region, secret: false) heritage.env_vars.build(key: "AWS_ACCESS_KEY_ID", value: access_key_id, secret: false) @@ -142,7 +147,7 @@ EOS {key: "RAILS_LOG_TO_STDOUT", value: "true", secret: false}, {key: "GITHUB_ORGANIZATION", value: ENV['GITHUB_ORGANIZATION'], secret: false}, {key: "DATABASE_URL", value: ENV["DATABASE_URL"], secret: true}, - {key: "SECRET_KEY_BASE", value: SecureRandom.hex(64), secret: true}, + {key: "SECRET_KEY_BASE", value: secret_key_base, secret: true}, {key: "ENCRYPTION_KEY", value: ENV["ENCRYPTION_KEY"], secret: true} ], services_attributes: [