It's about time I started planning for OCAU's next hosting setup. Our current setup has served us very well for over 5 years but needs a hardware and software refresh. Also it seems likely we will be leaving Internode at the end of January as their sponsorship setup has changed under iiNet - no hard feelings there, they've been very kind to us for a long time. So, one of the main goals is to get us away from dedicated hardware. I've looked at a few options (Rackspace, Linode etc) and I keep finding myself coming back to Amazon's AWS. It's not the cheapest option but I think it should be affordable. I've already moved some simple parts of OCAU over to them, with our DNS handled by their Route 53, and the Misc Pics images served from S3. So the obvious next step is to move the databases over to an RDS instance presenting a MySQL interface and the PHP/files to an EC2 instance (and in the future look at loadbalancing multiple instances etc). But actually the main concern I have is not really an AWS issue, rather a general Linux issue. Once EC2 spins up a virtual server, AWS are hands off. So the security and updates etc are our problem. I can "apt-get update" like anyone but the security config is much more of a big deal nowadays than when I last did it. When the current servers were rebuilt in 2009 (in response to a security issue) we had the assistance of a vendor, but I'm not sure what they're up to nowadays or who else's niche it would fall into, or if we can get to where we need to be by installing a few what-the-cool-kids-use packages and following some online guides. What I don't want to do is move from our current setup onto nice shiny AWS and then find some old hole in our code is now exposed and we get pwned. I'm quite out of the loop on this stuff so I don't even really know if this is something I should particularly be worried about or, or if following a few online guides will get us where we need to be, or if I should be bringing a vendor in, or even if we should ditch the AWS idea and go to something more managed, where we only worry about the application side of things.. really I'd like to be as hands-off as possible as that will let me focus on content and community stuff (and other aspects of my life) rather than lying awake waiting for a PSU to blow or some new security issue. I may be a bit brain-fried by the options and over-thinking all this. Surely "hosting a PHP+mysql website" is something that happens a zillion times a day.. anyway, any info you have would be appreciated.