Theme 3: Manage mutable infrastructure with automation
Essential Eight strategies covered: Application control, patch applications, patch operating systems
Similar to immutable infrastructure, you manage mutable infrastructure as IaC, and you modify or update this infrastructure through automated processes. Many of the implementation steps for immutable infrastructure also apply to mutable infrastructure. However, for mutable infrastructure, you must also implement manual controls to make sure that modified workloads still follow best practices.
For mutable infrastructure, you can automate patch management by using Patch Manager, a capability of AWS Systems Manager. Enable Patch Manager in all accounts in your AWS organization.
Prevent direct SSH and RDP access and require users to use Session Manager or Run Command, which are also capabilities of Systems Manager. Unlike SSH and RDP, these capabilities can log system access and changes.
To monitor and report on compliance, you must perform ongoing reviews of patch compliance. You can use AWS Config rules to make sure that all Amazon EC2 instances are managed by Systems Manager, have the required permissions and installed applications, and are in patch compliance.
Related best practices in the AWS Well-Architected Framework
Implementing this theme
Automate patching
Implement the steps in Enable Patch Manager in all accounts in your AWS organization
For all EC2 instances, include the
CloudWatchAgentServerPolicyandAmazonSSMManagedInstanceCorein the instance profile or IAM role that Systems Manager uses to access your instance
Use automation rather than manual processes
Implement the guidance in Implement AMI and container build pipelines in Theme 2: Manage immutable infrastructure through secure pipelines
Use Session Manager or Run Command instead of direct SSH or RDP access
Use automation to install the following on EC2 instances
AWS Systems Manager Agent (SSM Agent), which is used for instance discovery and management
Security tools for application control, such as Security Enhanced Linux (SELinux)
(GitHub), File Access Policy Daemon (fapolicyd) (GitHub), or OpenSCAP Amazon CloudWatch Agent, which is used for logging
Use peer review before any release to ensure that changes are meeting best practices
IAM policies that are too permissive, such as those that use wildcards
Security group rules that are too permissive, such as those that use wildcards or allow SSH access
Access logs that aren't enabled
Encryption that isn't enabled
Password literals
Secure IAM policies
Use identity-level controls
To require that users modify resources through automated processes and prevent manual configuration, allow read-only permissions for roles that users can assume
Grant permissions to modify resources only to service roles, such as the role used by Systems Manager
Implement vulnerability scanning
Implement the guidance in Implement vulnerability scanning in Theme 2: Manage immutable infrastructure through secure pipelines
Scan your EC2 instances by using Amazon Inspector
Monitoring this theme
Monitor patch compliance on an ongoing basis
Report on patch compliance by using automation and dashboards
Implement a mechanism to review dashboards for patch compliance
Monitor IAM and logs on an ongoing basis
Periodically review your IAM policies to make sure that:
Only deployment pipelines have direct access to resources
Only approved services have direct access to data
Users don't have direct access to resources or data
Monitor AWS CloudTrail logs to make sure that users are modifying resources through pipelines and aren't directly modifying resources or accessing data
Periodically review AWS Identity and Access Management Access Analyzer findings
Set up an alert to notify you if the root user credentials for an AWS account are used
Implement the following AWS Config rules
EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECKEC2_INSTANCE_MANAGED_BY_SSMEC2_MANAGEDINSTANCE_APPLICATIONS_REQUIRED - SELinux/fapolicyd/OpenSCAP, CW AgentEC2_MANAGEDINSTANCE_APPLICATIONS_BLACKLISTED - any unsupported appsIAM_ROLE_MANAGED_POLICY_CHECK - CW Logs, SSMEC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECKREQUIRED_TAGSRESTRICTED_INCOMING_TRAFFIC - 22, 3389