Cloud Infrastructure

The Golden AMI Pattern: How We Provision Hardened WordPress Sites in 30 Seconds

Traditional server provisioning takes 10+ minutes and introduces drift. We bake everything — security, runtime, application — into a single immutable image. Here’s how.

Packer
AWS AMI
CIS Hardening
Nginx
WordPress
30–45s
Tenant Provisioning Time
CIS L1
Security Compliance Baked In
7 Layers
Of Automated Hardening

The Problem With Provisioning on the Fly

Most SaaS platforms provision tenant infrastructure the same way: spin up a bare EC2 instance, run a configuration management tool, install packages, download application code, harden the OS, and hope nothing drifts. For a single tenant, this works. For a platform that needs to launch hundreds of isolated WordPress instances, it doesn’t.

The problems compound quickly:

Speed. Installing Nginx, PHP, MariaDB, and WordPress from scratch takes 10–15 minutes per instance. That’s an eternity when a customer is waiting for their site.
Drift. Every package install pulls the latest version at build time. Instance #1 and instance #100 end up with different configurations, different patch levels, different behavior.
Security. Post-deploy hardening is an afterthought. CIS benchmarks, firewall rules, and audit logging get missed or applied inconsistently.
Reliability. Network-dependent provisioning fails. An apt mirror goes down, a CDN throttles you, a GitHub tarball times out — and your customer gets a broken deploy.

The golden AMI pattern eliminates all of this. You build once, validate once, and deploy the same proven image hundreds of times.

What’s in the Golden AMI

Our golden AMI is a pre-baked Ubuntu 24.04 LTS image running on AWS Graviton (ARM64) that contains everything a WordPress instance needs — already installed, configured, and hardened before a single tenant touches it.

The Build Pipeline

We use HashiCorp Packer to orchestrate seven provisioner scripts that run in sequence. Each script handles one concern, and the output is an encrypted EBS-backed AMI registered in AWS.

Phase Script What It Does
1 system-packages Installs Nginx, PHP 8.3-FPM, MariaDB 11.4 LTS, AWS CLI, CloudWatch Agent, SSM Agent, WP-CLI
2 mariadb-setup Secures MariaDB, removes anonymous users, tunes InnoDB for 2 GB RAM (t4g.small)
3 nginx-base Configures security headers, FastCGI page caching, PHP-FPM socket, disables XML-RPC
4 wordpress-cache Downloads WordPress core, Ollie theme, and plugins (CF7, Yoast, S3 Offload) to /opt cache
5 cis-harden Applies CIS Ubuntu 24.04 Level 1 benchmark — kernel hardening, SSH lockdown, UFW, auditd, Fail2ban
6 aide-init Initializes AIDE file integrity database, schedules daily integrity checks via CloudWatch
7 cleanup Removes build artifacts, SSH keys, logs, shell history — minimizes snapshot size

The result is a 20 GB encrypted AMI that contains a complete, production-ready WordPress stack. No downloads needed at deploy time. No apt-get. No pip install. Everything is already on disk.

CIS Level 1 Hardening — Baked In, Not Bolted On

Most teams treat security hardening as a post-deploy step — if they do it at all. We run the CIS Ubuntu 24.04 Level 1 benchmark as part of the AMI build. Every instance launched from this image is compliant from the moment it boots.

Here’s what the hardening layer covers:

Kernel & Network

  • IP forwarding disabled
  • ICMP redirects blocked
  • Source routing rejected
  • Unused filesystems disabled (USB, HFS, UDF)

SSH & Access

  • Root login disabled
  • Key-only authentication
  • Session timeouts enforced
  • SSM Session Manager for shell access

Firewall & Monitoring

  • UFW default-deny (allow 80, 443, 22)
  • Fail2ban on SSH and wp-login.php
  • Auditd for privilege escalation
  • AIDE file integrity monitoring

Additional hardening on the PHP side: dangerous functions are disabled, session cookies are secured, and direct file access is blocked. Nginx enforces security headers (X-Frame-Options, X-Content-Type-Options) and blocks access to sensitive files like wp-config.php and .env at the web server level.

Services that have no business running on a web server — snapd, CUPS, Avahi, Bluetooth — are masked. Unattended-upgrades handles security patches automatically. This isn’t a checklist we run after launch. It’s infrastructure that ships compliant by default.

From AMI to Live Site in 30 Seconds

The golden AMI handles the what — a hardened, pre-loaded server image. The tenant bootstrap handles the who — configuring that image for a specific customer. Here’s how the full provisioning flow works:

1
EC2 launches from golden AMI

Instance boots with the full stack pre-installed. Nginx, PHP-FPM, MariaDB, WordPress core — all on disk and ready.

2
SSM Run Command triggers bootstrap

Our ECS provisioner sends the tenant ID via SSM. The bootstrap script fetches the tenant config JSON from S3 — domain, credentials, branding, AI-generated content.

3
Database, vhost, and WordPress configured

MariaDB database and user created. Nginx vhost configured for the tenant’s domain. WordPress copied from the AMI cache and installed with wp core install — takes about 10 seconds.

4
AI content and theme injected

The bootstrap creates a child theme with tenant brand colors, downloads AI-generated pages (Home, Services, Contact) with Gutenberg blocks, and sets up Contact Form 7.

5
Monitoring and backups activated

CloudWatch Agent configured with tenant-specific metrics and log groups. Daily backup cron set. AIDE monitoring extended to the WordPress directory. Instance is live.

The entire bootstrap runs in a single script with 7 phases. No orchestration tool, no Ansible pull, no Chef converge. Just a shell script that reads a JSON config and applies it. Total wall clock time: 30–45 seconds from EC2 launch to a customer-facing WordPress site with AI-generated content, a custom theme, and full monitoring.

The CI/CD Pipeline

Golden AMIs are only useful if they stay current. Stale images mean unpatched vulnerabilities and outdated runtimes. Our build pipeline runs automatically and keeps the image fresh:

Automated Weekly Builds

GitHub Actions triggers a Packer build every Sunday at 00:00 UTC. The new AMI picks up the latest OS patches, PHP updates, and WordPress releases. Old AMIs are automatically cleaned up — we keep the last two for rollback.

Change-Triggered Builds

Any push to the Packer or bootstrap directories triggers a new build. Infrastructure changes are validated before they reach production — ShellCheck lints every script, PHP syntax is verified, and Nginx configs are tested.

Semantic Versioning

Production builds get major versions (X.0.0), staging gets minor versions (1.X.0). The current AMI version is stored in SSM Parameter Store so the provisioner always knows which image to launch.

Zero Long-Lived Credentials

The CI/CD pipeline authenticates to AWS using OIDC federation — no access keys stored in GitHub Secrets. The build instance uses IMDSv2 exclusively, preventing SSRF-based credential theft.

Why Not Containers?

It’s a fair question. Containers are the default choice for multi-tenant SaaS in 2026. We chose AMIs for WordPress specifically because of what WordPress is:

WordPress expects a full Linux environment. Cron jobs, file permissions, mail utilities, MariaDB on localhost. Containerizing all of this means running multiple processes in a single container (an anti-pattern) or orchestrating 3–4 containers per tenant (expensive and complex).
Tenant isolation is simpler at the VM level. Each tenant gets their own EC2 instance with their own kernel, their own firewall, their own file system. No shared container runtime, no noisy-neighbor risk, no container escape concerns.
Graviton instances are cheap. A t4g.small (2 vCPU, 2 GB RAM) runs WordPress comfortably and costs less than the orchestration overhead of running ECS or EKS per tenant.
CIS compliance is easier on bare metal. Container-level CIS benchmarks exist, but they add complexity. VM-level hardening is well-understood, well-documented, and maps directly to audit requirements.

The golden AMI pattern gives us container-like reproducibility with VM-level isolation. For WordPress multi-tenancy, that’s the right tradeoff.

Multi-Tenant Operations

Launching a site is only half the problem. Running hundreds of them requires operational tooling baked into the platform from day one.

Per-Tenant Monitoring

CloudWatch Agent ships Nginx access/error logs, MariaDB slow query logs, and custom metrics to tenant-specific log groups. Each tenant is observable independently.

Automated Backups

Daily cron at 02:00 UTC dumps the database and syncs the WordPress directory to a tenant-specific S3 bucket. No manual configuration per tenant — the bootstrap sets it all up.

File Integrity Detection

AIDE runs daily checks on the WordPress directory. If a file is modified outside of a deployment, CloudWatch alerts fire. This catches compromised plugins, injected backdoors, and unauthorized changes.

Dunning & Lockout

A must-use plugin handles payment delinquency. Day 3: admin notice with billing link. Day 7: wp-login.php returns 402 Payment Required. Password reset links are whitelisted through the lockout for account recovery.

The Tech Stack at a Glance

Layer Technology Why
OS Ubuntu 24.04 LTS (ARM64) Long-term support, Graviton-native
Compute AWS Graviton (t4g.small) 40% better price-performance than x86
Web Server Nginx + FastCGI Cache High concurrency, low memory footprint
Runtime PHP 8.3-FPM JIT compilation, hardened php.ini
Database MariaDB 11.4 LTS MySQL-compatible, InnoDB tuned for 2 GB
Application WordPress 6.9+ / Ollie FSE Theme Full Site Editing, AI-ready child themes
Image Build HashiCorp Packer Declarative, CI/CD-native, multi-provider
Security CIS L1 / AIDE / Fail2ban / Auditd Defense in depth, compliance-ready
Observability CloudWatch Agent Native AWS, per-tenant log isolation
CDN / TLS CloudFront Edge termination, global distribution

Build Once, Deploy Hundreds

The golden AMI pattern isn’t new — it’s an AWS best practice that most teams skip because the upfront investment feels heavy. For a multi-tenant SaaS platform, that upfront cost pays for itself on the second deployment.

Here’s what we gained:

Before
10–15 min
Provisioning with Terraform + Ansible
After
30–45 sec
Golden AMI + bootstrap script

Every instance is identical. Every instance is compliant. Every instance is monitored from boot. And when we need to update the base image — new PHP version, new security patch, new WordPress release — we rebuild the AMI, test it, and let the next launch pick it up automatically.

That’s the power of immutable infrastructure: you stop fixing servers and start replacing them.

This Is the Engine Behind the AI Site Launcher

Golden AMIs, CIS hardening, AI-generated content, and 30-second provisioning — this is the infrastructure that powers the 45Squared AI Site Launcher. Get a production-ready WordPress site built and deployed automatically.

Explore the AI Site Launcher

Need custom infrastructure? Book an Implementation Sprint — 2 weeks, fixed scope, production-ready.