Search for Well Architected Advice
< All Topics
Print

Enable people to perform actions at a distance

PostedNovember 28, 2024
UpdatedNovember 28, 2024
ByKevin McCaffrey

Enabling people to perform actions at a distance by removing direct access to your infrastructure reduces the risk of human error and security vulnerabilities. By using automation tools and infrastructure-as-code (IaC) principles, you can eliminate the need for manual configuration or management. This approach minimizes the potential for mistakes or unauthorized changes while increasing the consistency, security, and efficiency of managing your infrastructure.

  1. Use infrastructure-as-code (IaC) for deployments: Instead of granting interactive access to deploy and manage resources like EC2 instances, use tools such as AWS CloudFormation to define your infrastructure as code. By treating infrastructure as code, changes are automatically documented, controlled, and can be deployed consistently via pipelines. AWS CloudFormation stacks can be triggered from CI/CD pipelines to deploy infrastructure without requiring direct access to the AWS Management Console or APIs.
  2. Manage EC2 instances remotely with AWS Systems Manager: Eliminate the need for direct SSH or RDP access to EC2 instances by using AWS Systems Manager. Systems Manager enables you to execute commands, run scripts, and automate maintenance tasks through the Systems Manager Run Command and Automation features. This helps reduce the need for bastion hosts or interactive logins, improving security by limiting access points.
  3. Automate infrastructure changes: Implement change management workflows that automate the deployment, scaling, and management of your infrastructure. AWS Systems Manager Automation can execute predefined workflows to handle routine tasks, such as patch management or software installation, without requiring interactive access. Automation workflows reduce the chance of human error and provide consistent results.
  4. Reduce or eliminate manual configurations: Use AWS Systems Manager documents (SSM Documents) and playbooks to automate common administrative tasks and deployments. By defining repeatable actions in playbooks, you ensure that tasks are performed consistently and can be executed remotely, without requiring direct access to the underlying resources.
  5. Implement version control and pipelines for infrastructure updates: Use version control for infrastructure definitions and CI/CD pipelines to deploy infrastructure changes. AWS CloudFormation templates stored in version control repositories, combined with automated deployment pipelines, allow you to manage infrastructure updates without manually interacting with the AWS console or APIs.
  6. Increase security by removing interactive access: By removing the ability for interactive access, you reduce the risk of unauthorized access, misconfigurations, or unintentional security vulnerabilities. Remote management through tools like AWS Systems Manager reduces the need for direct access and enables centralized management and logging of all actions taken.

Supporting Questions:

  • How do you manage EC2 instances and other resources without requiring direct interactive access?
  • What tools and processes are in place to automate infrastructure management and deployment tasks?
  • How do you use infrastructure-as-code and automation to reduce the need for manual configuration or management?

Roles and Responsibilities:

Cloud Architect:

  • Responsibilities:
    • Design infrastructure management workflows that eliminate the need for interactive access by leveraging AWS Systems Manager, CloudFormation, and CI/CD pipelines.
    • Implement infrastructure-as-code solutions to automate the deployment and configuration of resources.

Cloud Administrator:

  • Responsibilities:
    • Use AWS Systems Manager to remotely manage EC2 instances and perform administrative tasks without direct access.
    • Implement automation workflows and version-controlled infrastructure templates to deploy and manage resources securely and consistently.

Artefacts:

  • Infrastructure-as-Code Templates: AWS CloudFormation templates or other IaC scripts stored in version control, defining how infrastructure is deployed and managed automatically without interactive access.
  • Automation Playbooks: AWS Systems Manager documents (SSM Documents) outlining repeatable actions for remote management and maintenance of resources.
  • Automation Logs and Audit Trails: Logs from AWS Systems Manager Automation and CloudFormation deployments tracking changes made to infrastructure and documenting tasks performed without interactive access.

Relevant AWS Services:

AWS Automation and Management Tools:

  • AWS Systems Manager: Enables remote management of EC2 instances and other resources without requiring direct access. Systems Manager includes tools like Run Command, Automation, and Patch Manager to execute administrative tasks at a distance.
  • AWS CloudFormation: Automates the deployment and management of infrastructure using infrastructure-as-code, allowing you to build and update resources via CI/CD pipelines without manual access to the AWS console or APIs.
  • AWS Systems Manager Documents (SSM Documents): Automates maintenance tasks and deployment workflows using predefined scripts and playbooks, reducing the need for manual configuration or interactive access.
  • AWS CodePipeline: Automates the deployment of infrastructure using AWS CloudFormation templates and version-controlled infrastructure definitions, ensuring consistent deployments without manual intervention.

Security and Monitoring Tools:

  • AWS CloudTrail: Monitors and logs all API calls, ensuring that even automated actions are tracked and auditable for security purposes.
  • AWS Config: Monitors the configuration of your resources, ensuring compliance with security and operational best practices while reducing the need for manual interventions.
Table of Contents