Security isn't an add-on.
It's the foundation.
Every 45SQUARED server is built on a CIS-hardened Golden AMI with automated patching, real-time threat detection, and a zero-SSH architecture. Security isn't something we bolt on after deployment — it's baked into every layer of the stack.
Defense in Depth
We apply security at every layer — from the AMI build pipeline to runtime threat detection. No single point of failure, no single control to bypass.
- Layer 1: Golden AMI
- Layer 2: VPC Isolation
- Layer 3: WAF + CDN
- Layer 4: SSM Access
- Layer 5: GuardDuty
CIS Level 1 Golden AMI
Every server starts from a hardened Amazon Machine Image built with Packer, validated against CIS Benchmark Level 1 for Amazon Linux 2023. This isn't a checklist — it's a fully automated pipeline that rebuilds the AMI weekly, runs CIS compliance scans, and only promotes images that pass.
- Automated weekly AMI builds via Packer pipeline
- CIS Benchmark Level 1 compliance validated with Inspector
- Immutable base — no manual server configuration
- AMI promotion requires passing all security checks
Zero-SSH Architecture
There are no SSH keys, no open ports for remote access, and no bastion hosts. All server management happens through AWS Systems Manager (SSM), which provides authenticated, audited, and encrypted access without ever opening a network port.
- No SSH keys to manage, rotate, or leak
- No port 22 open — reduced attack surface
- All access through IAM-authenticated SSM sessions
- Full audit trail of every command in CloudTrail
GuardDuty Threat Detection
Amazon GuardDuty continuously monitors your server for malicious activity, unauthorized access attempts, and anomalous behavior. It analyzes VPC flow logs, DNS queries, and CloudTrail events using machine learning to detect threats in real time.
- Continuous monitoring of network and API activity
- ML-powered anomaly detection for new threat patterns
- Automatic alerting to our ops team via Slack
- Covers cryptomining, credential theft, C2 communication
Automated Patching
Security patches are applied automatically on a weekly schedule using SSM Run Command — no downtime, no manual intervention. Critical vulnerabilities trigger immediate out-of-band patches. Your server is never left running outdated software.
- Weekly automated patch cycle via SSM fleet management
- Critical CVE patches applied within 24 hours
- Patch compliance tracked per-instance in DynamoDB
- Rollback capability if a patch causes issues
Tenant Isolation
Every customer gets their own dedicated EC2 instance — not a shared container, not a virtual host, not a multi-tenant database. Your data, your processes, your resources. A noisy neighbor on another server cannot affect your performance or security.
- Dedicated EC2 instance per customer — not shared
- Isolated VPC security groups — no cross-tenant traffic
- Per-site IAM roles scoped to only their resources
- Separate database instance per site (not shared)
Security Checklist
Every 45SQUARED deployment meets these security requirements — no exceptions, no optional toggles.
- IMDSv2 enforced (no v1 instance metadata)
- EBS volumes encrypted at rest with KMS
- All traffic encrypted in transit (TLS 1.2+)
- CloudTrail enabled across all accounts
- VPC flow logs captured for forensics
- S3 bucket policies deny public access by default
- IAM roles follow least-privilege principle
- Secrets managed via AWS Secrets Manager with rotation
- Daily automated EBS snapshots with 30-day retention
- AWS Backup for disaster recovery
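Three of the claims above (IMDSv2 enforced, EBS volumes encrypted, no port 22 open) can be checked mechanically against inventory data. The Python below is an added example, not 45SQUARED's own code: it audits dictionaries shaped like EC2 DescribeInstances, DescribeVolumes and DescribeSecurityGroups output. The function names, finding labels, the keying of volumes and groups by ID, and all sample IDs are assumptions made for illustration.

```python
# Added example: audits constructed records shaped like EC2 API responses.
ADMIN_PORT = 22  # "No port 22 open" in the zero-SSH section

def rule_covers_port(perm, port=ADMIN_PORT):
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]

def audit_instance(instance, volumes, groups):
    """Return findings for one instance; an empty list means every check passed."""
    findings = []
    meta = instance.get("MetadataOptions", {})
    # IMDSv1 answers unless tokens are required or the endpoint is disabled.
    if meta.get("HttpEndpoint") != "disabled" and meta.get("HttpTokens") != "required":
        findings.append("imdsv1-allowed")
    for mapping in instance.get("BlockDeviceMappings", []):
        vol_id = mapping["Ebs"]["VolumeId"]
        if not volumes.get(vol_id, {}).get("Encrypted"):  # unknown volume fails closed
            findings.append(f"unencrypted-volume:{vol_id}")
    for ref in instance.get("SecurityGroups", []):
        group = groups.get(ref["GroupId"])
        if group is None:  # cannot prove the port is closed, so report it
            findings.append(f"unknown-group:{ref['GroupId']}")
        elif any(rule_covers_port(p) for p in group.get("IpPermissions", [])):
            findings.append(f"port-22-reachable:{ref['GroupId']}")
    return findings

# Constructed sample data (IDs are made up, not taken from any real account).
VOLUMES = {"vol-0aaa": {"Encrypted": True}, "vol-0bbb": {"Encrypted": False}}
GROUPS = {
    "sg-web": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443}]},
    "sg-legacy": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024}]},
}
HARDENED = {
    "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"},
    "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0aaa"}}],
    "SecurityGroups": [{"GroupId": "sg-web"}],
}
DRIFTED = {
    "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"},
    "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0bbb"}}],
    "SecurityGroups": [{"GroupId": "sg-legacy"}],
}

if __name__ == "__main__":
    print(audit_instance(HARDENED, VOLUMES, GROUPS), audit_instance(DRIFTED, VOLUMES, GROUPS))
```

The port check flags a rule when 22 falls anywhere inside its range or when the protocol is `-1`, so a broad rule such as 0-1024 is caught even though it never names port 22.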
How we compare
| Security Feature | Shared Hosting | Managed WP | 45SQUARED |
|---|---|---|---|
| Dedicated instance | No | No | Yes |
| CIS-hardened base | No | Varies | Yes |
| Zero SSH access | No | No | Yes |
| Automated patching | Varies | Yes | Yes |
| Real-time threat detection | No | Add-on | Yes |
| Per-tenant IAM isolation | No | No | Yes |
| Full audit trail | No | Varies | Yes |
| Encrypted at rest + transit | Varies | Yes | Yes |
Ready for enterprise-grade security?
Every plan includes the full security stack. No add-ons, no premium tiers.