Theme 2: Manage immutable infrastructure through secure pipelines
Essential Eight strategies covered: Application control, patch applications, patch operating systems
For immutable infrastructure, you must secure deployment pipelines for system changes. AWS Distinguished Engineer, Colm MacCárthaigh, explained this principle in the Zero-Privilege Operations: Running Services Without Access to Data
By restricting direct access to configure AWS resources, you can require that all resources are deployed or changed through approved, secured, and automated pipelines. Usually, you create AWS Identity and Access Management (IAM) policies that allow users to access only the account that hosts the deployment pipeline. You also configure IAM policies that allow break-glass access for a limited number of users. To prevent manual changes, you can use security groups to block SSH and Windows remote desktop protocol (RDP) access to servers. Session Manager, a capability of AWS Systems Manager, can provide access to instances without the need to open inbound ports or maintain bastion hosts.
Amazon Machine Images (AMIs) and container images must be built securely and repeatably. For Amazon EC2 instances, you can use EC2 Image Builder to build AMIs that have built-in security features, such as instance discovery, application control, and logging. For more information about application control, see Implementing Application Control
Applications must be defined in infrastructure as code (IaC), by using services such as AWS CloudFormation or AWS Cloud Development Kit (AWS CDK). Code analysis tools, such as AWS CloudFormation Guard, cfn-nag, or cdk-nag, can automatically test code against security best practices in your approved pipeline.
As with Theme 1: Use managed services, Amazon Inspector can report vulnerabilities across your AWS accounts. Centralised cloud and security teams can use this information to verify that the application team is meeting security and compliance requirements.
To monitor and report on compliance, perform ongoing reviews of IAM resources and logs. Use AWS Config rules to make sure that only approved AMIs are used, and make sure that Amazon Inspector is configured to scan Amazon ECR resources for vulnerabilities.
Related best practices in the AWS Well-Architected Framework
Implementing this theme
Implement AMI and container build pipelines
Use EC2 Image Builder and build the following into your AMIs:
AWS Systems Manager Agent (SSM Agent), which is used for instance discovery and management
Security tools for application control, such as Security Enhanced Linux (SELinux)
(GitHub), File Access Policy Daemon (fapolicyd) (GitHub), or OpenSCAP Amazon CloudWatch Agent, which is used for logging
For all EC2 instances, include the
CloudWatchAgentServerPolicyandAmazonSSMManagedInstanceCorepolicies in the instance profile or IAM role that Systems Manager uses to access your instanceMake sure that application teams are referencing the latest AMIs
Implement container build pipelines:
Implement secure application build pipelines
Implement build pipelines for IaC, such as by using EC2 Image Builder and AWS CodePipeline
(AWS blog post) Use code analysis tools, such as AWS CloudFormation Guard, cfn-nag
(GitHub), or cdk-nag (GitHub), in CI/CD pipelines to help detect violations of best practices, such as: IAM policies that are too permissive, such as those that use wildcards
Security group rules that are too permissive, such as those that use wildcards or allow SSH access
Access logs that are not enabled
Encryption that is not enabled
Password literals
Implement scanning tools in pipelines
(AWS blog post) Use AWS Identity and Access Management Access Analyzer in pipelines
(AWS blog post) to validate IAM policies that are defined in CloudFormation templates Configure IAM policies and service control policies for least-privilege access to use the pipeline or make any modifications to it
Implement vulnerability scanning
Enable Amazon Inspector in all accounts in your organization
Use Amazon Inspector to scan AMIs in your AMI build pipeline:
Configure enhanced scanning for Amazon ECR repositories by using Amazon Inspector
Build a vulnerability management program to triage and remediate security findings
Monitoring this theme
Monitor IAM and logs on an ongoing basis
Periodically review your IAM policies to make sure that:
Only deployment pipelines have direct access to resources
Only approved services have direct access to data
Users don't have direct access to resources or data
Monitor AWS CloudTrail logs to confirm that users are modifying resources through pipelines and aren't directly modifying resources or accessing data
Periodically review IAM Access Analyzer findings
Set up an alert to notify you if the root user credentials for an AWS account are used
Implement the following AWS Config rules
APPROVED_AMIS_BY_IDAPPROVED_AMIS_BY_TAGECR_PRIVATE_IMAGE_SCANNING_ENABLED