April 4, 2026 · Tim Fraser, Cloud Operations Lead
Running Client Sites on AWS Without an Ops Team
Digital agencies build websites. Clients expect those sites to stay online, load quickly, and not get hacked. But agencies aren't infrastructure companies — there's no ops team, no on-call rotation, no one whose job is watching servers.
The result is predictable: the site launches, everything works, and six months later something breaks — an SSL certificate expires, a disk fills up, a security patch doesn't get applied — and the client calls asking why their site is down.
This is fixable. Not by hiring an ops team, but by setting up the right things once and automating the regular checks.
What to set up once
Configure these at launch, then mostly forget about them.
Automated backups. For RDS, enable automated backups with at least 7 days retention. For EC2, set up AWS Backup with a daily schedule. For S3, enable versioning. Test a restore once — backups that have never been tested aren't backups. SSL auto-renewal. ACM certificates renew automatically via DNS validation. Make sure the CNAME validation records exist. If the client manages their own DNS, document which records must stay in place — clients deleting "unused" DNS records is the most common cause of renewal failures. CloudWatch alarms. CPU above 80%, disk above 80%, HTTP 5xx errors above 10 in 5 minutes. Point notifications at an SNS topic that emails your team. This takes 15 minutes per site and is the difference between finding problems from monitoring versus finding them from client phone calls. Security group lockdown. SSH restricted to your office IP, or removed entirely in favour of Systems Manager Session Manager. No security groups allowing 0.0.0.0/0 on anything other than ports 80 and 443.What to check regularly
Disk usage. Log files, uploads, and database logs grow. A site using 20GB at launch might use 60GB a year later. Set a CloudWatch alarm or check monthly. Costs. Data transfer increases with traffic. Instances that were right-sized at launch may be over or undersized a year later. Check per-client costs quarterly. Security patches. OS packages, CMS versions, and language runtimes need updates. Check monthly for critical updates. For managed services (RDS, ElastiCache), enable auto minor version upgrades. Unused resources. After migrations or redesigns, resources get left behind: old load balancers, detached EBS volumes, unused Elastic IPs ($3.65/month each), orphaned snapshots. These cost money and add clutter.The agency hosting trap
Many agencies offer hosting as part of a retainer but don't price it to cover the operational overhead. Building the site is a one-time project. Keeping it running is an ongoing commitment. If you charge $200/month for hosting and spend an hour per client on manual checks, troubleshooting, and patching, you're losing money.
The fix is to price hosting to cover the ops time, reduce ops time through automation, or both.
How plainfra handles the regular checks
plainfra connects to your AWS account with read-only access and runs weekly health checks across all resources. For an agency managing multiple client sites, this replaces the manual monthly review.
The weekly report covers disk usage trends, SSL certificate expiry, cost changes, security group configurations, unused resources, and backup status. If everything is fine, the report is a quick scan. If a client's database disk is at 75% and growing, or an SSL cert hasn't renewed with 21 days left, it's flagged.
For agencies, the value is straightforward: a 5-minute weekly report review replaces an hour of console clicking per client per month, and catches things the manual review would miss.
Try plainfra free → 50K tokens, 7 days, no charge. Or see the interactive demo →.