Enable people to perform actions at a distance

PostedNovember 28, 2024

UpdatedMarch 21, 2025

ByKevin McCaffrey

In today’s dynamic cloud environment, protecting compute resources requires implementing multiple layers of defense. By minimizing direct access to resources, organizations can significantly reduce the risk of human errors and misconfigurations, thereby enhancing security and compliance.

Best Practices

Implement Infrastructure as Code (IaC)

Utilize tools like AWS CloudFormation, AWS CDK, or Terraform to define and deploy your infrastructure programmatically. This minimizes manual configuration errors and ensures consistency across environments.
Regularly review and update your IaC templates to incorporate best practices and security policies, which helps keep your environment secure and up to date.

Use AWS Systems Manager for Remote Management

Leverage AWS Systems Manager to perform maintenance tasks on your EC2 instances and other compute resources remotely without the need for SSH access. This significantly reduces the exposure to potential threats and human error associated with direct access.
Configure Systems Manager to use IAM roles for secure access and ensure that only authorized users can execute commands or scripts on your compute resources.

Enforce Least Privilege Access

Define strict IAM policies that grant the minimum permissions necessary for users and applications to perform their tasks effectively. This limits the potential impact of compromised credentials.
Regularly audit IAM roles and policies to ensure they align with the principle of least privilege, reducing the attack surface of your compute resources.

Implement Monitoring and Logging

Enable AWS CloudTrail and Amazon CloudWatch to continuously monitor API calls and resource usage. This allows you to detect unauthorized access or anomalous behavior in real-time.
Set up alerts for unusual activity and create dashboards to visualize access patterns, helping you to proactively address potential security incidents before they escalate.

Questions to ask your team

Do you use AWS Systems Manager or similar tools to manage your compute resources instead of direct access?
Have you documented your infrastructure-as-code practices and ensured they are followed consistently?
How do you manage permissions and access controls for those performing actions on your compute resources remotely?
What processes do you have in place to monitor and audit actions taken on your resources through remote access?
Are you using version control for your infrastructure code to track changes and facilitate rollbacks if necessary?

Who should be doing this?

Cloud Security Architect

Design and implement multi-layered security strategies for compute resources.
Develop and enforce policies for remote access to EC2 instances using infrastructure-as-code practices.
Collaborate with development teams to ensure security best practices are integrated into CI/CD pipelines.
Evaluate and recommend security tools and services that enhance protection for compute resources.

DevOps Engineer

Automate deployment processes using infrastructure-as-code techniques.
Utilize AWS Systems Manager for maintenance and operational tasks to minimize direct access to compute resources.
Monitor and manage compute resources to ensure compliance with security policies.
Conduct regular assessments of deployment scripts for security vulnerabilities.

Security Analyst

Analyze security incidents related to compute resources and recommend remediation strategies.
Perform security assessments on infrastructure-as-code deployments for vulnerabilities or misconfigurations.
Maintain documentation on security processes and configurations for compute resources.
Collaborate with incident response teams to mitigate risks associated with human error.

What evidence shows this is happening in your organization?

Remote Access Policy: A policy outlining the restrictions on direct interactive access to compute resources, specifying which tasks must be performed via infrastructure-as-code and AWS Systems Manager.
Infrastructure-as-Code Deployment Template: A CloudFormation template that automates the setup of compute resources, ensuring consistent and repeatable deployments without direct access to EC2 instances.
Maintenance Runbook: A runbook detailing the processes for maintaining compute resources through AWS Systems Manager, eliminating the need for manual configurations.
IAM Roles and Policies Matrix: A matrix that defines the roles and permissions for users and services, ensuring that only necessary access is granted for performing tasks remotely.
Compliance Check Checklist: A checklist to ensure that all compute resource tasks are performed according to the established policy for remote operations, enhancing security and compliance.

Cloud Services

AWS

AWS Systems Manager: Provides operational data from multiple AWS services allowing you to automate tasks across AWS resources without needing direct access.
AWS CloudFormation: Helps you model and set up your Amazon Web Services resources so that you can spend less time managing those resources and more time focusing on your applications.
AWS Config: Enables you to assess, audit, and evaluate the configurations of your AWS resources. This helps to ensure compliance and security best practices.

Azure

Azure Automation: Allows you to automate manual, repetitive tasks, which supports management of your Azure resources without the need for direct login.
Azure Resource Manager: Provides a management layer that enables you to create, update, and delete resources in your Azure account through a declarative template.
Azure Policy: Enables you to define policies for your Azure resources, ensuring compliance and governance, and automating the enforcement of those policies.

Google Cloud Platform

Google Cloud Deployment Manager: Infrastructure as code service that allows you to manage and automate the deployment of your resources in GCP.
Google Cloud Operations Suite: Provides monitoring, logging, and diagnostics to help you understand how your application is performing and identify issues early.
Google Cloud Identity and Access Management (IAM): Allows you to manage access to resources in a centralized way, ensuring users can perform tasks without direct interaction with compute resources.

Question: How do you protect your compute resources?
Pillar: Security (Code: SEC)

Operational Excellence

Determine what your priorities are

Structure your organization to support your business outcomes

Organizational culture to support your business outcomes

Implement observability in your workload

Reduce defects, ease remediation, and improve flow into production

Mitigate deployment risks

Be ready to support a workload

Uilize workload observability

Understand the health of your operations

Manage workload and operations events

Evolve your operations

Security

Securely operate your workload

Manage identities for people and machines

Manage permissions for people and machines

Detect and investigate security events

Protect your network resources

Protect your compute resources

Classify your data

Protect your data at rest

Protect your data in transit

Anticipate, respond to, and recover from incidents

Incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle

Reliability

Manage service quotas and constraints

Plan your network topology

Design your workload service architecture

Design interactions in a distributed system to prevent failures

Design interactions in a distributed system to mitigate or withstand failures

Monitor workload resources

Design your workload to adapt to changes in demand

Implement change

Back up data

Fault isolation to protect your workload

Design your workload to withstand component failures

Test reliability

Plan for disaster recovery (DR)

Cost Optimization

Implement cloud financial management

Govern usage

Monitor your cost and usage

Decommission resources

Evaluate cost when you select services

Meet cost targets when you select resource type, size and number

Use pricing models to reduce cost

Plan for data transfer charges

Manage demand, and supply resources

Evaluate new services

Evaluate the cost of effort

Performance

Select the appropriate cloud resources and architecture patterns for your workload

Select and use compute resources in your workload

Store, manage, and access data in your workload

Select and configure networking resources in your workload

Support more performance efficiency for your workload

Sustainability

Select Regions for your workload

Align cloud resources to your demand

Take advantage of software and architecture patterns to support your sustainability goals

Take advantage of data management policies and patterns to support your sustainability goals

Select and use cloud hardware and services in your architecture to support your sustainability goals

Implement organizational processes support your sustainability goals