Maintaining security and compliance by using AWS Systems Manager, leveraging built-in features to seamlessly view, manage, and patch your infrastructure.
Our customer had an existing enterprise workload running in production on AWS. Some of the workloads consisted of various long-running EC2 instances and required sophisticated access and maintenance techniques to help the customer effectively manage their workloads at scale. Automation was key to ensuring adoption and creating a sustainable way to maintain the state of a growing solution. Because this enterprise consisted of many teams and disciplines, controlling access to the instances was paramount to the solution.
Due to the large footprint of instances, they also required a way to automate and schedule patches. The customer was also looking for a way to improve their CI/CD pipelines that they use across several teams for deploying infrastructure as code.
We leveraged the many features of AWS Systems Manager to greatly improve their existing infrastructure. By utilizing Session Manager, Patch Manager, and Parameter Store, we were able to alleviate the infrastructure management issues that the client was having. Session Manager was set up to give terminal access to employees in a secure and straightforward fashion.
By using Session Manager the client eliminated the need for SSH keys, established an audit trail for all host-level activity, and bound all access to the enterprise identity provider. This was implemented by creating tag-based IAM policies that only allowed certain user groups to open sessions on specific instances. As these IAM roles can only be assumed via the customer's centralized user directory and authentication mechanisms, this creates a single source of truth for who is allowed to access which resources.
Patch Manager was enabled to assess and maintain an inventory of the state of OS patches. With that in place, the client was able to use Resource Groups to patch subsets of EC2 instances in cycles. Parameter Store was used to drastically improve the client's CI/CD pipelines. With Parameter Store, abstract configuration variables could be set to make development and deployment across several teams much easier. It was also used to help develop patterns for integrating Session Manager as an IAM- and IdP-bound terminal access mechanism.
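The tag-bound access pattern described above, as an added illustration rather than the engagement's own policy: a small Python helper that emits an IAM policy allowing `ssm:StartSession` only where the instance's tag matches the same tag on the calling (IdP-federated) principal, and a local check that mirrors that condition so a tag scheme can be reviewed before rollout. The tag key `Team`, the ARN wildcards and the sample tag values are assumptions; the IAM condition keys used are standard ones.

```python
import json

# Assumed tag key; the engagement's real tag keys are not on the page.
TAG_KEY = "Team"


def tag_bound_session_policy(tag_key: str = TAG_KEY) -> dict:
    """IAM policy: Session Manager access is granted only to instances whose
    tag value equals the principal's own tag (set by the IdP on federation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartSessionOnMatchingTag",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringEquals": {
                        f"ssm:resourceTag/{tag_key}": f"${{aws:PrincipalTag/{tag_key}}}"
                    }
                },
            },
            {
                # Pin sessions to the default shell document and enforce the
                # document permission check, so users cannot pick another one.
                "Sid": "AllowDefaultShellDocumentOnly",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
                "Condition": {
                    "BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}
                },
            },
        ],
    }


def can_start_session(principal_tags: dict, instance_tags: dict,
                      tag_key: str = TAG_KEY) -> bool:
    """Local mirror of the StringEquals condition for reviewing a tag scheme:
    a missing tag on either side means the condition cannot match (deny)."""
    principal_value = principal_tags.get(tag_key)
    instance_value = instance_tags.get(tag_key)
    if principal_value is None or instance_value is None:
        return False
    return principal_value == instance_value


if __name__ == "__main__":
    print(json.dumps(tag_bound_session_policy(), indent=2))
```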
Focus on Strategy and Adoption – With security being front and center for this enterprise, this was a great opportunity to seed DevSecOps adoption from a centralized place. With dozens of teams being impacted by the same challenges, we structured our team to be the champion of the solution for these teams. We didn’t just make it about the technical solutions, but about breaking silos and coming up with a sustainable solution together.
Baked in Security – Moving security controls to the far left of the pipeline allowed a centralized control model for defining and enforcing security controls. Integrations with code analysis, CASB, and other toolchains gave consuming teams confidence that they are building responsible, secure cloud architectures.
Streamlined Operations – Having a single, flexible security pipeline definition created a single lens to track and maintain secured resources. Once we had created the initial set of security controls, we could shift our attention to self-healing and the ability to create mitigation plans for various scenarios.