SEC11-BP06 Deploy software programmatically
Perform software deployments programmatically where possible. This approach reduces the likelihood that a deployment fails or an unexpected issue is introduced due to human error.
Desired outcome: Keeping people away from data is a key principle of building securely in the AWS Cloud. This principle includes how you deploy your software.
The benefit of not relying on people to deploy software is greater confidence that what you tested is what gets deployed, and that the deployment is performed consistently every time. The software should not need to be changed to function in different environments. Using the principles of twelve-factor application development, specifically the externalizing of configuration, allows you to deploy the same code to multiple environments without requiring changes. Cryptographically signing software packages is a good way to verify that nothing has changed between environments. The overall outcome of this approach is to reduce risk in your change process and improve the consistency of software releases.
Common anti-patterns:
- Manually deploying software into production.
- Manually performing changes to software to cater to different environments.
Benefits of establishing this best practice:
- Increased confidence in the software release process.
- Reduced risk of a failed change impacting business functionality.
- Increased release cadence due to lower change risk.
- Automatic rollback capability for unexpected events during deployment.
- Ability to cryptographically prove that the software that was tested is the software deployed.
Level of risk exposed if this best practice is not established: High
Implementation guidance
Build your AWS account structure to remove persistent human access from environments and use CI/CD tools to perform deployments. Architect your applications so that environment-specific configuration data is obtained from an external source, such as AWS Systems Manager Parameter Store. Sign packages after they have been tested, and validate these signatures during deployment. Configure your CI/CD pipelines to push application code and use canaries to confirm successful deployment. Use tools such as AWS CloudFormation
Implementation steps
- Build well-defined CI/CD pipelines to streamline the deployment process.
- Using AWS CodeBuild and AWS CodePipeline to provide CI/CD capability makes it simple to integrate security testing into your pipelines.
- Follow the guidance on separation of environments in the Organizing Your AWS Environment Using Multiple Accounts whitepaper.
- Verify no persistent human access to environments where production workloads are running.
- Architect your applications to support the externalization of configuration data.
- Consider deploying using a blue/green deployment model.
- Implement canaries to validate the successful deployment of software.
- Use cryptographic tools such as AWS Signer or AWS Key Management Service (AWS KMS) to sign and verify the software packages that you are deploying.
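The sign-after-test and verify-at-deploy step, as an added example that is not AWS's own code. It uses the boto3 KMS `sign` and `verify` call shapes against an injected client; the key alias `alias/release-signing` is hypothetical, and `LocalKmsStandIn` is a constructed offline substitute (HMAC in place of ECDSA) so the gate logic can be run without an AWS account.

```python
import hashlib
import hmac

SIGNING_ALGORITHM = "ECDSA_SHA_256"  # assumes an ECC_NIST_P256 SIGN_VERIFY key

def digest(artifact: bytes) -> bytes:
    return hashlib.sha256(artifact).digest()

def sign_tested_artifact(kms, key_id: str, artifact: bytes) -> bytes:
    """Run by the pipeline once tests pass; returns a detached signature."""
    resp = kms.sign(KeyId=key_id, Message=digest(artifact),
                    MessageType="DIGEST", SigningAlgorithm=SIGNING_ALGORITHM)
    return resp["Signature"]

def verify_before_deploy(kms, key_id: str, artifact: bytes, signature: bytes) -> bool:
    """Deployment gate: True only if the artifact matches what was signed."""
    try:
        resp = kms.verify(KeyId=key_id, Message=digest(artifact),
                          MessageType="DIGEST", Signature=signature,
                          SigningAlgorithm=SIGNING_ALGORITHM)
    except kms.exceptions.KMSInvalidSignatureException:
        return False  # KMS raises on a bad signature; fail closed
    return bool(resp.get("SignatureValid"))

class LocalKmsStandIn:
    """Constructed stand-in for boto3.client("kms"); not a real KMS."""

    class exceptions:
        class KMSInvalidSignatureException(Exception):
            pass

    def __init__(self, secret: bytes):
        self._secret = secret

    def sign(self, *, KeyId, Message, MessageType, SigningAlgorithm):
        return {"Signature": hmac.new(self._secret, Message, hashlib.sha256).digest()}

    def verify(self, *, KeyId, Message, MessageType, Signature, SigningAlgorithm):
        expected = hmac.new(self._secret, Message, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, Signature):
            raise self.exceptions.KMSInvalidSignatureException("signature mismatch")
        return {"SignatureValid": True}

if __name__ == "__main__":
    kms = LocalKmsStandIn(b"constructed-demo-secret")  # real use: boto3.client("kms")
    build = b"constructed sample package bytes"
    sig = sign_tested_artifact(kms, "alias/release-signing", build)
    print("tested build accepted:", verify_before_deploy(kms, "alias/release-signing", build, sig))
    print("modified build accepted:", verify_before_deploy(kms, "alias/release-signing", build + b"!", sig))
```

In a pipeline, the signing role and the deploying role would hold separate permissions on the key (sign only and verify only), so the deployment stage cannot produce signatures itself.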