I have a single, small AWS Lightsail instance ($5/mo) running all of my Ghost websites, with Nginx acting as a reverse proxy to route each website's URL to the appropriate local Ghost instance.
Each Ghost instance is running in its own Docker container, as is Nginx. Using Docker makes it trivial not only to install and upgrade the applications, but to also run them locally for troubleshooting or development.
SSL uses certificates from Let's Encrypt and is terminated by Nginx.
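A minimal Nginx configuration for this layout, as an added example rather than the author's actual setup. The hostnames, container name, and ACME webroot path are assumptions; 2368 is Ghost's default port.

```nginx
# Added example: blog-a.example, ghost-blog-a and /var/www/certbot are assumed names.

# Plain HTTP: serve ACME HTTP-01 challenges, redirect everything else to HTTPS.
server {
    listen 80;
    server_name blog-a.example;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;   # assumed webroot shared with the ACME client
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# One block like this per site. TLS ends at Nginx; traffic to the Ghost
# container is plain HTTP on the Docker network.
server {
    listen 443 ssl;
    server_name blog-a.example;

    ssl_certificate     /etc/letsencrypt/live/blog-a.example/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog-a.example/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://ghost-blog-a:2368;   # container name resolved by Docker DNS
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tells Ghost the original request was HTTPS; without it, a Ghost
        # instance configured with an https:// URL redirects in a loop.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Catch-all: refuse TLS handshakes for hostnames with no site block, so an
# unknown name never gets another site's certificate or content.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # requires nginx 1.19.4 or later
}
```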
AWS SES is used for transactional (SMTP) email sending, Forward Email is used for domain email forwarding, and Mailgun is used for bulk email sending (newsletters to subscribers). Each email solution is chosen for what it does best: SES doesn't support domain email forwarding, so Forward Email does that, while Ghost only supports Mailgun for bulk email. This separation is good because it helps prevent bad reputation scores for bulk email from Mailgun from impacting the transactional emails from SES.
Lightsail manages the DNS records for all my domains, but I use Pair Domains as an external domain registrar, which points to the Lightsail nameservers. By using an external domain registrar, I avoid having all my eggs in one basket and can easily redirect my domains to another host. This is mostly insurance against having my AWS account hacked or suspended.
I'll go into the detailed setup of each component in later blog posts.