SEC11-BP06 Deploy software programmatically - Security Pillar

SEC11-BP06 Deploy software programmatically

Perform software deployments programmatically where possible. This approach reduces the likelihood that a deployment fails or an unexpected issue is introduced due to human error.

Desired outcome: Keeping people away from data is a key principle of building securely in the AWS Cloud. This principle includes how you deploy your software.

The benefits of not relying on people to deploy software are greater confidence that what you tested is what gets deployed, and that the deployment is performed consistently every time. The software should not need to be changed to function in different environments. Using the principles of twelve-factor application development, specifically the externalizing of configuration, allows you to deploy the same code to multiple environments without requiring changes. Cryptographically signing software packages after they have been tested lets you verify at deployment time that nothing has changed since the tests ran, in any environment. The overall outcome of this approach is to reduce risk in your change process and improve the consistency of software releases.

Common anti-patterns:

  • Manually deploying software into production.

  • Manually performing changes to software to cater to different environments.

Benefits of establishing this best practice:

  • Increased confidence in the software release process.

  • Reduced risk of a failed change impacting business functionality.

  • Increased release cadence due to lower change risk.

  • Automatic rollback capability for unexpected events during deployment.

  • Ability to cryptographically prove that the software that was tested is the software deployed.

Level of risk exposed if this best practice is not established: High

Implementation guidance

Build your AWS account structure to remove persistent human access from environments and use CI/CD tools to perform deployments. Architect your applications so that environment-specific configuration data is obtained from an external source, such as AWS Systems Manager Parameter Store. Sign packages after they have been tested, and verify these signatures during deployment before anything is rolled out. Configure your CI/CD pipelines to push application code and use canaries to confirm successful deployment. Use tools such as AWS CloudFormation or AWS CDK to define your infrastructure, then use AWS CodeBuild and AWS CodePipeline to perform CI/CD operations.

Implementation steps

  • Build well-defined CI/CD pipelines to streamline the deployment process.

  • Using AWS CodeBuild and AWS CodePipeline to provide CI/CD capability makes it simple to integrate security testing into your pipelines.

  • Follow the guidance on separation of environments in the Organizing Your AWS Environment Using Multiple Accounts whitepaper.

  • Verify that there is no persistent human access to environments where production workloads are running.

  • Architect your applications to support the externalization of configuration data.

  • Consider deploying using a blue/green deployment model.

  • Implement canaries to validate the successful deployment of software.

  • Use cryptographic tools such as AWS Signer or AWS Key Management Service (AWS KMS) to sign and verify the software packages that you are deploying.
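The steps above, from signing a tested artifact through verifying it at deployment with externalized configuration, as an added example that is not AWS's code or part of the original page. It runs offline: the LocalHmacSigner class, the PARAMETER_STORE dict, the artifact bytes and the path names are all constructed stand-ins (assumptions), and the comments show where a real pipeline would call AWS KMS instead so the signing key never leaves KMS.

```python
"""Added example (not AWS code): sign a build artifact after tests pass, then
verify the digest and signature at deploy time before rolling anything out.

Signing goes through a small interface so the offline stand-in here can be
swapped for AWS KMS asymmetric signing in a real pipeline. Environment-specific
settings are read from an external config source (a dict standing in for
AWS Systems Manager Parameter Store), so the identical artifact is deployed
unchanged to every environment.
"""
import hashlib
import hmac
import json
import secrets


def artifact_digest(data: bytes) -> str:
    """SHA-256 over the exact bytes that were tested; this is what gets signed."""
    return hashlib.sha256(data).hexdigest()


class LocalHmacSigner:
    """Offline stand-in for AWS KMS (assumption, for this example only).

    In production the CI stage would call
      kms.sign(KeyId=..., Message=digest, MessageType="DIGEST",
               SigningAlgorithm="ECDSA_SHA_256")
    and the deploy stage kms.verify(...) with the same parameters, so the
    private key never leaves KMS. HMAC-SHA256 with a local key is used here
    purely so the example runs without AWS credentials.
    """

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)

    def sign(self, digest_hex: str) -> str:
        return hmac.new(self._key, digest_hex.encode(), "sha256").hexdigest()

    def verify(self, digest_hex: str, signature_hex: str) -> bool:
        return hmac.compare_digest(self.sign(digest_hex), signature_hex)


def build_and_sign(artifact: bytes, tests_passed: bool, signer) -> dict:
    """CI stage: only a tested artifact is signed. The returned manifest
    travels with the artifact, unchanged, to every environment."""
    if not tests_passed:
        raise RuntimeError("refusing to sign an artifact that did not pass tests")
    digest = artifact_digest(artifact)
    return {"sha256": digest, "signature": signer.sign(digest)}


# Constructed sample of externalized configuration (stand-in for Parameter
# Store): one value per environment, while the artifact is identical everywhere.
PARAMETER_STORE = {
    "/app/staging/db_endpoint": "db.staging.internal",
    "/app/prod/db_endpoint": "db.prod.internal",
}


def deploy(artifact: bytes, manifest: dict, signer, environment: str) -> dict:
    """CD stage: recompute the digest, check it against the signed manifest,
    and verify the signature. A tampered artifact or forged manifest fails
    closed before any configuration is fetched or any rollout starts."""
    digest = artifact_digest(artifact)
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise ValueError("artifact digest does not match signed manifest")
    if not signer.verify(digest, manifest["signature"]):
        raise ValueError("signature verification failed")
    config = {"db_endpoint": PARAMETER_STORE[f"/app/{environment}/db_endpoint"]}
    return {"environment": environment, "sha256": digest, "config": config}


def rejected(fn) -> bool:
    """True if the deploy/sign step raised, i.e. the pipeline failed closed."""
    try:
        fn()
    except (ValueError, RuntimeError):
        return True
    return False


def demo() -> dict:
    """Happy path across two environments plus three failure modes."""
    signer = LocalHmacSigner()
    artifact = b"app-v1.2.3 release bundle (constructed sample bytes)"
    manifest = build_and_sign(artifact, tests_passed=True, signer=signer)
    staging = deploy(artifact, manifest, signer, "staging")
    prod = deploy(artifact, manifest, signer, "prod")
    forged = dict(manifest, signature="00" * 32)  # right digest, bad signature
    return {
        "same_digest": staging["sha256"] == prod["sha256"],
        "staging_db": staging["config"]["db_endpoint"],
        "prod_db": prod["config"]["db_endpoint"],
        "tampered_rejected": rejected(
            lambda: deploy(artifact + b"\x00backdoor", manifest, signer, "prod")),
        "forged_manifest_rejected": rejected(
            lambda: deploy(artifact, forged, signer, "prod")),
        "untested_not_signed": rejected(
            lambda: build_and_sign(artifact, tests_passed=False, signer=signer)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to keep from this shape is the ordering: tests gate signing, and verification gates deployment, so nothing a person edits after the test stage can reach production without failing one of those two checks. With KMS in place of the stand-in, restrict kms:Sign to the build role and kms:Verify to the deploy role so a compromised deploy stage cannot mint its own signatures.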
