Sold by: Lynxroute
Deployed on AWS
Free Trial
This product has charges associated with it for hardening, security configuration, and support.
Twenty is a self-hosted open-source CRM with kanban pipelines, custom objects, GraphQL API, multi-workspace support, and OAuth (Google, Microsoft) - a modern Salesforce and HubSpot alternative that runs as a Node and Postgres docker-compose stack with a bundled React front. Unlike bare Twenty AMIs that ship on 0.0.0.0:3000 with no TLS, default credentials, open signup, and a trivially-guessable APP_SECRET, this Lynxroute build is ready out of the box: first owner seeded at first boot, signup auto-locked to single-tenant, 64-char APP_SECRET randomized per launch, web UI bound to loopback and reachable only through Nginx with TLS and WebSocket support, Postgres and Redis on the docker bridge only, UFW pre-configured, and a CIS Level 1 hardened Ubuntu 24.04 LTS base.
AGPL-3.0 license - fully auditable, no vendor lock-in.
Overview
This is a repackaged software product wherein additional charges apply for hardening, security configuration, and support.
WHAT IS TWENTY
Twenty is an open-source self-hosted CRM - a modern, opinionated alternative to Salesforce and HubSpot. The stack runs as four docker containers: a NestJS server that exposes the REST and GraphQL APIs and serves the bundled React front on TCP 3000, a NestJS worker that processes BullMQ background jobs (record imports, calendar sync, email notifications), a PostgreSQL 16 database, and a Redis 7 cache and queue backend. The web UI gives sales and operations teams kanban pipelines for opportunities and deals, contact and company records, custom objects with arbitrary fields and relations, multi-step workflows, public-share views, and a GraphQL API for integrations. Built-in connectors (Google, Microsoft) sync calendars and inbox events into the CRM. Multi-workspace mode lets one server back several teams or customers. AGPL-3.0 license, no vendor lock-in. The core differentiator vs. SaaS alternatives is sovereignty: customer records, deals, custom objects, and OAuth tokens stay on your own AWS account - none of it transits a third-party CRM cloud.
WHAT THIS AMI ADDS
Security hardening:
- First owner seeded at first boot via the GraphQL signUpInWorkspace mutation - email admin@lynxroute.local , password set to the EC2 Instance ID, change from Settings on first login
- Signup auto-locked after the owner is created - IS_MULTIWORKSPACE_ENABLED=false makes the GraphQL mutation reject every subsequent signup with SIGNUP_DISABLED, so a public AMI cannot be hijacked by a stranger registering before you log in
- APP_SECRET (64 chars, base64) randomized at first boot - the master key for JWT access, refresh, login, and file tokens is unique per AMI launch, never baked
- Postgres password (32 chars, A-Za-z0-9) and Redis password (32 chars) generated at first boot and written into /opt/twenty/.env - never baked into the AMI
- All four containers reachable only via the docker bridge - the host port 3000 is bound to 127.0.0.1 only, the only public-facing endpoint is Nginx on TCP 443
- Nginx reverse proxy with self-signed TLS, HTTP-to-HTTPS redirect, WebSocket upgrade for graphql-ws subscriptions, and security headers
- Redis password-protected with AOF persistence enabled
- All four container images pre-pulled at build time so first launch is fast and not dependent on Docker Hub availability
- Docker daemon log rotation pre-configured to prevent json-file logs from filling the root volume
- UFW firewall pre-configured - only TCP 22, 80, 443 are exposed
- fail2ban, AppArmor
- CVE scan - every image is scanned for vulnerabilities before release
OS hardening (CIS Level 1):
- CIS Ubuntu 24.04 LTS Level 1 benchmark applied via ansible-lockdown
- auditd, SSH hardening, kernel hardening, IMDSv2 enforced
Compliance artifacts:
- SBOM - CycloneDX 1.6 at /etc/lynxroute/sbom.json
- CIS Conformance Report at /etc/lynxroute/cis-report.html
- CIS Tailored Profile at /usr/share/doc/lynxroute/CIS_TAILORED_PROFILE.md
Highlights
- Twenty CRM security baked in: first admin seeded at first boot, sign-up auto-locks to single-tenant after the owner is created, session and database secrets randomized per instance, the CRM reachable only through Nginx with TLS, and the database kept on the internal container network - unlike bare Twenty AMIs that expose the CRM with no TLS, hard-code the session signing secret, ship the default database password, and leave sign-up open so a stranger can claim your CRM before you log in.
- CIS Level 1 hardened Ubuntu 24.04 LTS: auditd, fail2ban, AppArmor, SSH key-only, IMDSv2 enforced. CVE-scanned before every release. SBOM (CycloneDX) and CIS Conformance Report included.
- Full CRM stack on by default: NestJS server with bundled React front, BullMQ worker for background jobs, Postgres 16, Redis 7 - all four container images pre-pulled into the AMI so first launch is fast and self-contained. Schema migrations run automatically on first boot. AGPL-3.0 license, no vendor lock-in.
Details
Sold by
Categories
Delivery method
Delivery option
64-bit (x86) Amazon Machine Image (AMI)
Latest version
Operating system
Ubuntu 24.04
Deployed on AWS
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Free trial
Try this product free for 5 days according to the free trial terms set by the vendor. Usage-based pricing is in effect for usage beyond the free trial terms. Your free trial gets automatically converted to a paid subscription when the trial ends, but may be canceled any time before that.
Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Cost/hour |
|---|---|
t3.large Recommended | $0.03 |
t3.medium | $0.02 |
m6i.xlarge | $0.05 |
m6i.large | $0.03 |
Vendor refund policy
We do not offer refunds for this product. AWS infrastructure charges (EC2, EBS, data transfer) are billed separately by AWS and are not refundable by us.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
Version 2.2.0 - Initial release (May 2026)
- Twenty 2.2.0 (full docker-compose stack: server, worker, postgres 16, redis 7) on Ubuntu 24.04 LTS
- CIS Level 1 hardening applied (ansible-lockdown/UBUNTU24-CIS)
- CVE-scanned before every release
- IS_MULTIWORKSPACE_ENABLED=false - signup auto-locked once the first workspace exists; subsequent signups return SIGNUP_DISABLED with no flag flip needed
- APP_SECRET (64 chars base64) generated at first boot - master key for JWT tokens
- Postgres password (32 chars random) and Redis password (32 chars random) generated at first boot
- Web UI, Postgres, and Redis reachable only through Nginx on TCP 443 (TLS) - host port 3000 bound to 127.0.0.1 only
- Nginx WebSocket upgrade configured for graphql-ws subscriptions
- All four container images pre-pulled into the AMI for fast first launch
- Docker daemon log rotation pre-configured
- UFW firewall pre-configured (TCP 22, 80, 443 only)
- fail2ban, auditd, AppArmor pre-configured
- SBOM (CycloneDX 1.6) at /etc/lynxroute/sbom.json
- CIS Conformance Report (OpenSCAP) at /etc/lynxroute/cis-report.html
- IMDSv2 enforced
Additional details
Usage instructions
- Launch instance (t3.large recommended for typical team use, t3.medium minimum)
- Open Security Group - allow TCP 443 from your IP only (very important - the first browser to reach the URL can claim the admin role), allow TCP 80 if you want Let's Encrypt
- SSH: ssh -i key.pem ubuntu@<PUBLIC_IP>
- Read connection details: sudo cat /root/twenty-credentials.txt
- Open https://<PUBLIC_IP>/ in your browser - accept the self-signed certificate warning
- Click "Sign up" on the Twenty welcome screen and register with YOUR real email - the first registered user becomes the workspace owner and admin
- After your registration, signup auto-locks (subsequent attempts return SIGNUP_DISABLED). Verify in sudo systemctl status twenty-register-watch that the first workspace was detected.
- Invite teammates from Settings -> Members -> Invite (only invited members can join from now on)
- (Recommended) Once registered, widen the Security Group on TCP 443 back to the audience you want.
Resources
Vendor resources
Support
Vendor support
Visit us online: https://lynxroute.com
For Twenty documentation: https://docs.twenty.com/user-guide/introduction For Twenty upstream issues: https://github.com/twentyhq/twenty/issues For AWS infrastructure issues:
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Similar products
7twenty AI Agents Platform is a platform for deploying, managing, and operating AI voice agents for inbound and outbound phone calls.
The platform enables organizations to automate voice interactions such as customer support, information delivery, appointment handling, and call routing, while maintaining control over data, security, and operational behavior.
The solution is designed for enterprise and public-sector use, supporting scalable telephony integration, real-time speech processing, and configurable conversational logic.
Streamline Appointments with Smart Automation:
Transform your appointment management with 7twenty omnichannel scheduling solution, designed for seamless user experiences across a landing page, bot, mini-site, and WhatsApp. 7twenty automates scheduling, confirmations, and updates, significantly reducing manual efforts and enhancing customer satisfaction and organizational efficiency.
IVCISA Enterprise Support Plan: comprehensive and priority cloud support for up to twenty AWS or Snowflake accounts, enabling innovation, availability, and compliance.
vMeet is a flexible, enterprise-grade video meeting platform that enables organizations to deliver their services to customers online - via computer or smartphone - without requiring any application installation. Customers join meetings directly through a secure browser link on Windows, macOS, iOS, or Android.
Customer reviews
No customer reviews yet
Be the first to review this product . We've partnered with PeerSpot to gather customer feedback. You can share your experience by writing or recording a review, or scheduling a call with a PeerSpot analyst.