SEC06-BP03: Reduce manual management and interactive access

Reduce the risk of human error and the potential for configuration drift by replacing manual processes with automated processes where possible. Reduce interactive access to compute resources, for example, by using change management workflows to manage EC2 instances, and by using tools such as Amazon EC2 Systems Manager Session Manager instead of allowing direct access or bastion hosts.

Implementation guidance

Reducing manual management and interactive access is crucial for maintaining a secure and consistent compute environment. By minimizing human interaction with production systems, you can significantly reduce the risk of security incidents, configuration errors, and unauthorized access while improving operational efficiency and compliance.

Key steps for implementing this best practice:

  1. Implement Infrastructure as Code (IaC):
    • Use AWS CloudFormation or AWS CDK for infrastructure provisioning
    • Version control all infrastructure definitions
    • Implement automated testing for infrastructure changes
    • Establish code review processes for infrastructure modifications
    • Use immutable infrastructure patterns where possible
  2. Automate configuration management:
    • Use AWS Systems Manager for configuration management
    • Implement configuration drift detection and remediation
    • Automate software installation and updates
    • Use desired state configuration tools
    • Establish configuration baselines and compliance monitoring
  3. Replace interactive access with secure alternatives:
    • Use AWS Systems Manager Session Manager for secure shell access
    • Implement break-glass procedures for emergency access
    • Use AWS Systems Manager Run Command for remote execution
    • Eliminate SSH key management where possible
    • Implement just-in-time access for administrative tasks
  4. Implement automated deployment pipelines:
    • Use CI/CD pipelines for application deployments
    • Implement blue-green or canary deployment strategies
    • Automate rollback procedures for failed deployments
    • Use container orchestration for application management
    • Implement automated testing and validation in pipelines
  5. Establish monitoring and alerting for manual access:
    • Monitor and log all interactive access attempts
    • Set up alerts for unauthorized or unusual access patterns
    • Implement session recording for audit purposes
    • Track and report on manual interventions
    • Establish metrics for automation coverage
  6. Implement change management workflows:
    • Use ticketing systems for change requests
    • Implement approval workflows for infrastructure changes
    • Establish emergency change procedures
    • Document all changes and their business justification
    • Implement automated change validation and testing

Implementation examples

Example 1: AWS Systems Manager Session Manager configuration

Example 2: Automated configuration management with Systems Manager

Example 3: CI/CD pipeline for infrastructure automation

Example 4: Immutable infrastructure with container orchestration

AWS services to consider

AWS Systems Manager Session Manager

Provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Enables secure shell access with comprehensive logging.

AWS Systems Manager Automation

Simplifies common maintenance and deployment tasks of Amazon EC2 instances and other AWS resources. Enables automated configuration management and reduces manual intervention.

AWS CodePipeline

Fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates.

AWS CloudFormation

Gives you an easy way to model a collection of related AWS and third-party resources. Enables Infrastructure as Code and reduces manual infrastructure management.

Amazon ECS/EKS

Container orchestration services that eliminate the need for manual container management. Provide automated deployment, scaling, and management of containerized applications.

AWS Config

Enables you to assess, audit, and evaluate the configurations of your AWS resources. Helps detect configuration drift and automate remediation of non-compliant resources.

Benefits of reducing manual management and interactive access

  • Reduced human error: Automation eliminates mistakes that can occur during manual operations and configuration changes
  • Improved security posture: Limiting interactive access reduces the attack surface and potential for unauthorized access
  • Enhanced auditability: Automated processes provide better audit trails and compliance evidence than manual operations
  • Increased consistency: Automated processes ensure consistent application of configurations and security policies
  • Better scalability: Automated management scales more effectively than manual processes as infrastructure grows
  • Faster incident response: Automated remediation can respond to issues faster than manual intervention
  • Cost efficiency: Reduced manual effort translates to lower operational costs and improved resource utilization

Related Resources

Copyright © 2025 Cloudvisor. Distributed under the MIT license.

Powered by Just the Docs, a documentation theme for Jekyll.