Theme 3: Manage mutable infrastructure with automation - AWS Prescriptive Guidance


Essential Eight strategies covered

Application control, patch applications, patch operating systems

As with immutable infrastructure, you manage mutable infrastructure as IaC, and you modify or update this infrastructure through automated processes. Many of the implementation steps for immutable infrastructure also apply to mutable infrastructure. However, because mutable infrastructure can change after deployment, you must also implement manual controls to make sure that modified workloads still follow best practices.

For mutable infrastructure, you can automate patch management by using Patch Manager, a capability of AWS Systems Manager. Enable Patch Manager in all accounts in your AWS organization.

Prevent direct SSH and RDP access and require users to use Session Manager or Run Command, which are also capabilities of Systems Manager. Unlike SSH and RDP, these capabilities can log system access and changes.

To monitor and report on compliance, you must perform ongoing reviews of patch compliance. You can use AWS Config rules to make sure that all Amazon EC2 instances are managed by Systems Manager, have the required permissions and installed applications, and are in patch compliance.

Related best practices in the AWS Well-Architected Framework

Implementing this theme

Automate patching

Use automation rather than manual processes

Use automation to install the following on EC2 instances

Use peer review before any release to make sure that changes follow best practices and to catch issues such as the following:

  • IAM policies that are too permissive, such as those that use wildcards

  • Security group rules that are too permissive, such as those that use wildcards or allow SSH access

  • Access logs that aren't enabled

  • Encryption that isn't enabled

  • Password literals

  • Secure IAM policies

Use identity-level controls

  • To require that users modify resources through automated processes and prevent manual configuration, allow read-only permissions for roles that users can assume

  • Grant permissions to modify resources only to service roles, such as the role used by Systems Manager

Implement vulnerability scanning

Monitoring this theme

Monitor patch compliance on an ongoing basis

Monitor IAM and logs on an ongoing basis

  • Periodically review your IAM policies to make sure that:

    • Only deployment pipelines have direct access to resources

    • Only approved services have direct access to data

    • Users don't have direct access to resources or data

  • Monitor AWS CloudTrail logs to make sure that users are modifying resources through pipelines and aren't directly modifying resources or accessing data

  • Periodically review AWS Identity and Access Management Access Analyzer findings

  • Set up an alert to notify you if the root user credentials for an AWS account are used

Implement the following AWS Config rules

  • EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK

  • EC2_INSTANCE_MANAGED_BY_SSM

  • EC2_MANAGEDINSTANCE_APPLICATIONS_REQUIRED - required applications such as SELinux, fapolicyd, OpenSCAP, and the CloudWatch agent

  • EC2_MANAGEDINSTANCE_APPLICATIONS_BLACKLISTED - any unsupported applications

  • IAM_ROLE_MANAGED_POLICY_CHECK - required managed policies for CloudWatch Logs and Systems Manager

  • EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK

  • REQUIRED_TAGS

  • RESTRICTED_INCOMING_TRAFFIC - ports 22 (SSH) and 3389 (RDP)
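The following CloudFormation template is an added example, not part of the AWS Prescriptive Guidance page, showing how several of the rules above can be deployed as code with the parameters this theme calls for (patch compliance, Systems Manager management, required agents, instance-role policies, and blocked SSH/RDP ports). It assumes an AWS Config recorder is already enabled in the account, and the package names and managed policy ARNs are assumptions you should match to your own images and roles.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Theme 3 AWS Config rules (assumes a Config recorder is already enabled)
Resources:
  PatchComplianceRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-managedinstance-patch-compliance-status-check
      Source:
        Owner: AWS
        SourceIdentifier: EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK
  ManagedBySsmRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-instance-managed-by-ssm
      Source:
        Owner: AWS
        SourceIdentifier: EC2_INSTANCE_MANAGED_BY_SSM
  RequiredApplicationsRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-managedinstance-applications-required
      InputParameters:
        # Package names as reported by SSM Inventory; assumed here, verify against your AMIs
        applicationNames: "fapolicyd,openscap-scanner,amazon-cloudwatch-agent"
        platformType: Linux
      Source:
        Owner: AWS
        SourceIdentifier: EC2_MANAGEDINSTANCE_APPLICATIONS_REQUIRED
  InstanceRolePolicyRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-role-managed-policy-check
      InputParameters:
        # Assumed policies that grant the Systems Manager and CloudWatch Logs access the theme requires
        managedPolicyArns: "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore,arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
      Source:
        Owner: AWS
        SourceIdentifier: IAM_ROLE_MANAGED_POLICY_CHECK
  RestrictedIncomingTrafficRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: restricted-incoming-traffic
      InputParameters:
        blockedPort1: "22"
        blockedPort2: "3389"
      Source:
        Owner: AWS
        SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC
```

The iam-role-managed-policy-check rule evaluates every IAM role in the account by default, so add a Scope (for example, a tag that marks EC2 instance roles) if you only want to flag instance roles that lack these policies.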