DEV Community: Sesank Munukutla (Naga) The latest articles on DEV Community by Sesank Munukutla (Naga) (@sesank_naga_m_01). https://dev.to/sesank_naga_m_01 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3764862%2F1c85bbb3-0756-4f3b-9be2-33032604f5e5.png DEV Community: Sesank Munukutla (Naga) https://dev.to/sesank_naga_m_01 en From Compliance to Drift: Building and Breaking ISO 27001 Controls on AWS (Hands-on Evidence) Sesank Munukutla (Naga) Mon, 06 Apr 2026 17:13:07 +0000 https://dev.to/sesank_naga_m_01/from-compliance-to-drift-building-and-breaking-iso-27001-controls-on-aws-hands-on-evidence-3p7a https://dev.to/sesank_naga_m_01/from-compliance-to-drift-building-and-breaking-iso-27001-controls-on-aws-hands-on-evidence-3p7a <h2> Introduction </h2> <p>Most ISO 27001 implementations fail at one critical point: they treat compliance as a <strong>static checklist</strong>, not a <strong>continuous process</strong>.</p> <p>In reality:</p> <ul> <li>Systems drift</li> <li>Configurations change</li> <li>Controls break silently</li> </ul> <p>This project demonstrates a <strong>real-world compliance lifecycle</strong>:</p> <blockquote> <p>Build → Break → Detect → Investigate → Fix → Verify</p> </blockquote> <p>Using:</p> <ul> <li>Terraform (baseline provisioning)</li> <li>AWS Config (continuous compliance)</li> <li>Security Hub (aggregation)</li> <li>CloudTrail (audit evidence)</li> <li>S3 (evidence storage)</li> </ul> <h2> Architecture Overview </h2> <p>The system was designed as a lightweight continuous compliance engine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform → AWS Config → Security Hub → CloudTrail → S3 Evidence </code></pre> </div> <ul> <li>Terraform establishes a <strong>compliant baseline</strong> </li> <li>AWS Config continuously evaluates resources</li> <li>Security Hub aggregates findings</li> <li>CloudTrail records audit evidence</li> </ul> <h2> Baseline Deployment (Terraform) </h2> <p>Infrastructure was deployed using Terraform, creating:</p> <ul> <li>AWS Config (recorder + rules)</li> <li>CloudTrail (logging enabled)</li> <li>S3 bucket (encrypted evidence storage)</li> <li>Security Hub (enabled)</li> </ul> <p>This ensures a <strong>controlled, compliant starting point</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpze3dmn7p9gp6gfr2n7z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpze3dmn7p9gp6gfr2n7z.png" alt="Image01" width="800" height="356"></a></p> <h2> Initial Compliance State </h2> <p>After deployment:</p> <ul> <li>AWS Config begins evaluation</li> <li>Initial state may show <code>INSUFFICIENT_DATA</code> </li> <li>Eventually stabilizes into <strong>COMPLIANT / NON_COMPLIANT</strong> </li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzgrv2jjnxw0pi8lxkna8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzgrv2jjnxw0pi8lxkna8.png" alt="Image02" width="800" height="394"></a></p> <p>This represents:</p> <blockquote> <p>A baseline security posture before any drift</p> </blockquote> <h2> Simulating Real-World Misconfiguration </h2> <h3> (ISO Control A.8.12 – Encryption of Data at Rest) </h3> <p>To simulate drift, an intentional violation was introduced:</p> <ul> <li>Created an S3 bucket</li> <li><strong>Disabled default encryption</strong></li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi0dfclpkjfl631u4nv67.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi0dfclpkjfl631u4nv67.png" alt="Image03" width="800" height="449"></a></p> <p>This represents a common real-world failure:</p> <blockquote> <p>Data stored without encryption due to misconfiguration</p> </blockquote> <h2> Detection via AWS Config </h2> <p>AWS Config automatically evaluated the resource and flagged:</p> <ul> <li>Rule: <code>s3-bucket-server-side-encryption-enabled</code> </li> <li>Status: <strong>NON_COMPLIANT</strong> </li> </ul> <p>Drilling into the resource:</p> <ul> <li>Specific bucket identified</li> <li>Evaluation result recorded</li> <li>Timeline shows compliance change</li> </ul> <p>This demonstrates:</p> <blockquote> <p>Continuous monitoring instead of periodic audits</p> </blockquote> <h2> Aggregation via Security Hub </h2> <p>The same issue is surfaced in Security Hub as a finding.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5fg4cjg22s6ypxv1khjz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5fg4cjg22s6ypxv1khjz.png" alt="Image04" width="800" height="353"></a></p> <p>Key observations:</p> <ul> <li>Findings categorized by severity</li> <li>Centralized visibility across services</li> <li>Enables prioritization</li> </ul> <p>This layer answers:</p> <blockquote> <p>“Which issues matter most right now?”</p> </blockquote> <h2> Audit Evidence via CloudTrail </h2> <p>Detection alone is not sufficient — audit requires <strong>traceability</strong>.</p> <p>CloudTrail provides that.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa1svojx0rqgzsa9d07io.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa1svojx0rqgzsa9d07io.png" alt="Image05" width="800" height="378"></a></p> <p>Relevant events:</p> <ul> <li><code>CreateBucket</code></li> <li>No encryption configuration applied</li> </ul> <p>This proves:</p> <blockquote> <p>The violation originated at resource creation, not later drift</p> </blockquote> <h2> Remediation Phase </h2> <p>The issue was fixed by:</p> <ul> <li>Enabling S3 default encryption (SSE-S3)</li> </ul> <p>After remediation:</p> <ul> <li>AWS Config → <strong>COMPLIANT</strong> </li> <li>Timeline updated with state transition</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9tpgxgb8gn74duag1xhj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9tpgxgb8gn74duag1xhj.png" alt="Image06" width="737" height="305"></a></p> <p>This completes the full lifecycle:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NON_COMPLIANT → FIX APPLIED → COMPLIANT </code></pre> </div> <h2> What This Demonstrates </h2> <h3> 1. Compliance is Dynamic </h3> <p>Traditional audits capture a snapshot.<br> Real systems require <strong>continuous validation</strong>.</p> <h3> 2. Terraform ≠ Compliance </h3> <p>Terraform establishes a baseline, but:</p> <blockquote> <p>Drift happens outside Infrastructure as Code</p> </blockquote> <h3> 3. Detection vs Evidence </h3> <ul> <li>AWS Config → detects issues</li> <li>Security Hub → aggregates</li> <li>CloudTrail → proves what happened</li> </ul> <p>Without CloudTrail:</p> <blockquote> <p>You cannot defend your audit findings</p> </blockquote> <h3> 4. Real Gap in Organizations </h3> <p>Most organizations:</p> <ul> <li>Don’t monitor continuously</li> <li>Don’t store evidence properly</li> <li>Don’t validate remediation</li> </ul> <h2> Key Takeaway </h2> <p>This project moves ISO 27001 from:</p> <blockquote> <p>Documentation-driven compliance</p> </blockquote> <p>To:</p> <blockquote> <p><strong>Operational, continuously validated security posture</strong></p> </blockquote> <h2> Final Thought </h2> <p>Compliance is not about passing an audit.</p> <p>It’s about being able to answer:</p> <ul> <li>What broke?</li> <li>When did it break?</li> <li>Who changed it?</li> <li>Was it fixed?</li> </ul> <p>This lab proves that with the right tooling,<br> ISO 27001 controls can be <strong>measured, enforced, and verified in real-time</strong>.</p> <h2> What’s Next </h2> <p>This was just one control (S3 encryption).</p> <p>You can extend this to:</p> <ul> <li>IAM MFA enforcement (A.5.23)</li> <li>Logging validation (A.8.16)</li> <li>Resource tagging (A.8.9)</li> <li>Least privilege enforcement</li> </ul> <p>If you’re building in cloud:</p> <blockquote> <p>Start thinking in terms of <strong>control → detection → evidence → remediation</strong></p> </blockquote> <p>That’s where real security engineering begins.</p> ai beginners devops architecture Event-Driven EC2 Isolation in AWS: Building a Minimal Cloud SOAR Without Buying One Sesank Munukutla (Naga) Fri, 13 Feb 2026 16:56:02 +0000 https://dev.to/sesank_naga_m_01/event-driven-ec2-isolation-in-aws-building-a-minimal-cloud-soar-without-buying-one-32aj https://dev.to/sesank_naga_m_01/event-driven-ec2-isolation-in-aws-building-a-minimal-cloud-soar-without-buying-one-32aj <p>Detection without response is operational noise.</p> <p>GuardDuty alerts are valuable — but if a human has to read, decide, and manually isolate an instance, your blast radius window is still open.</p> <p>I wanted high-confidence findings to trigger automatic containment.</p> <p>So I built a minimal AWS-native SOAR pipeline.</p> <p>No third-party tooling.<br><br> No overengineering.<br><br> Just deterministic, event-driven response.</p> <h1> 🎯 Objective </h1> <p>Build an automated containment workflow that:</p> <ul> <li>Responds only to high-severity GuardDuty findings</li> <li>Automatically isolates compromised EC2 instances</li> <li>Preserves forensic access</li> <li>Avoids recursive execution</li> <li>Is observable and debuggable</li> </ul> <p>All event-driven. No polling. No manual trigger.</p> <h1> 🏗 Architecture Overview </h1> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">GuardDuty Finding</span> <span class="s">↓</span> <span class="s">EventBridge Rule (severity &gt;= 7)</span> <span class="s">↓</span> <span class="s">Lambda Function (Isolation Logic)</span> <span class="s">↓</span> <span class="s">Modify EC2 Security Group → Quarantine SG</span> <span class="s">↓</span> <span class="s">SNS Notification (Visibility Layer)</span> </code></pre> </div> <p>Minimal. Deterministic. Cheap.</p> <h1> Filtering at the Event Layer (Not Inside Lambda) </h1> <p>Instead of checking severity inside the Lambda function, I filtered directly in EventBridge.</p> <p><strong>Why this matters:</strong></p> <ul> <li>Reduces unnecessary Lambda invocations</li> <li>Makes response criteria explicit</li> <li>Improves audit clarity</li> <li>Lowers operational cost</li> </ul> <p>Example event pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"detail-type"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"GuardDuty Finding"</span><span class="p">],</span><span class="w"> </span><span class="nl">"detail"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"severity"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"numeric"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"&gt;="</span><span class="p">,</span><span class="w"> </span><span class="mi">7</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Only high-confidence findings trigger automation.</p> <p>Everything else remains visible — but not auto-remediated.</p> <h2> Quarantine Security Group Design </h2> <p>Containment is not termination.</p> <p>Terminating an instance destroys forensic evidence.</p> <p>My quarantine security group:</p> <ul> <li><p>❌ No outbound internet</p></li> <li><p>❌ No inbound from public IP ranges</p></li> <li><p>✅ Allow only SOC bastion IP</p></li> <li><p>✅ Allow forensic collection host</p></li> <li><p>✅ Optional: allow VPC Flow Logs / monitoring endpoint</p></li> </ul> <p>The goal is isolation with controlled investigation access.</p> <p>Isolation Logic (Lambda Example)</p> <p>Core logic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="n">ec2</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">ec2</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">isolate_instance</span><span class="p">(</span><span class="n">instance_id</span><span class="p">,</span> <span class="n">quarantine_sg_id</span><span class="p">):</span> <span class="n">ec2</span><span class="p">.</span><span class="nf">modify_instance_attribute</span><span class="p">(</span> <span class="n">InstanceId</span><span class="o">=</span><span class="n">instance_id</span><span class="p">,</span> <span class="n">Groups</span><span class="o">=</span><span class="p">[</span><span class="n">quarantine_sg_id</span><span class="p">]</span> <span class="p">)</span> </code></pre> </div> <p>Additional safeguards added:</p> <ul> <li><p>Check instance state before modification</p></li> <li><p>Tag instance Quarantined=true</p></li> <li><p>Exit if already isolated</p></li> <li><p>Log original security groups for rollback</p></li> </ul> <p>Containment must be idempotent.</p> <h2> Idempotency: Preventing Recursive Triggers </h2> <p>When Lambda modifies security groups, CloudTrail events may fire.</p> <p>Without safeguards, you risk infinite loops.</p> <p>Mitigation:</p> <ul> <li><p>Tag check before modification</p></li> <li><p>Structured event filtering</p></li> <li><p>Explicit function logging</p></li> <li><p>DLQ configured for failure cases</p></li> </ul> <p>Automation that can repeat blindly is dangerous.</p> <h2> Failure Modes I Modeled </h2> <p>Automation amplifies mistakes.</p> <p>I explicitly accounted for:</p> <ul> <li><p>IAM permission drift</p></li> <li><p>Partial security group modification</p></li> <li><p>Concurrent findings on same instance</p></li> <li><p>Cross-region GuardDuty setup</p></li> <li><p>High-volume alert bursts</p></li> </ul> <p>Mitigations:</p> <ul> <li><p>Dead Letter Queue</p></li> <li><p>Lambda concurrency limits</p></li> <li><p>CloudWatch error metrics + alarms</p></li> <li><p>Explicit structured logs (JSON format)</p></li> <li><p>Permission boundary controls</p></li> </ul> <p>Automation without observability becomes silent failure.</p> <h2> Impact </h2> <p>This reduced:</p> <ul> <li><p>MTTR from minutes to seconds</p></li> <li><p>Human triage fatigue</p></li> <li><p>Decision bottlenecks</p></li> <li><p>Inconsistent containment actions</p></li> </ul> <p>But the real improvement was consistency.</p> <p>Humans improvise during incidents.<br> Code executes predictably.</p> <h2> Trade-Offs &amp; Risks </h2> <p>Auto-isolating compute is not trivial.</p> <p>You must consider:</p> <ul> <li><p>False positives at high severity</p></li> <li><p>Production-critical workloads</p></li> <li><p>Stateful applications</p></li> <li><p>Already-compromised lateral movement</p></li> <li><p>Multi-account architecture</p></li> </ul> <p>Severity threshold tuning took longer than writing the Lambda function.</p> <p>That surprised me.</p> <h2> Lessons Learned </h2> <ol> <li><p>Detection maturity does not equal response maturity.</p></li> <li><p>Event-driven architecture scales better than polling remediation.</p></li> <li><p>Idempotency is mandatory.</p></li> <li><p>Multi-account containment becomes architecture work.</p></li> <li><p>Automation exposes operational blind spots you didn’t know existed.</p></li> </ol> <h2> Next Iterations </h2> <p>If I evolve this into a more mature Cloud SOAR pattern:</p> <ul> <li><p>Step Functions for multi-stage workflows</p></li> <li><p>Automated EBS snapshot before isolation</p></li> <li><p>Memory capture integration</p></li> <li><p>Slack/Jira enrichment with context</p></li> <li><p>Cross-account orchestration via AWS Organizations</p></li> <li><p>GuardDuty central delegated admin integration</p></li> </ul> <p>At that point, it becomes a response framework — not a script.</p> <h2> Final Thought </h2> <p>You don’t need a commercial SOAR platform to start automating response.</p> <p>Start with:</p> <ul> <li><p>Deterministic triggers</p></li> <li><p>Guardrails</p></li> <li><p>Observability</p></li> <li><p>Explicit blast radius control</p></li> </ul> <p>If detection isn’t wired to action, it’s just telemetry.</p> aws cloudsecurity devsecops incidentresponse How to Implement Just-In-Time SSH Access for AWS EC2 (Stop Leaving Port 22 Open!) Sesank Munukutla (Naga) Wed, 11 Feb 2026 16:53:55 +0000 https://dev.to/sesank_naga_m_01/how-to-implement-just-in-time-ssh-access-for-aws-ec2-stop-leaving-port-22-open-4p8m https://dev.to/sesank_naga_m_01/how-to-implement-just-in-time-ssh-access-for-aws-ec2-stop-leaving-port-22-open-4p8m <p><strong>The problem:</strong> Most EC2 instances have permanent SSH access. Port 22 is open to the world. Long-lived keys floating around. Security groups that nobody remembers creating.</p> <p><strong>The reality:</strong> You get brute-force attempts within hours. Keys get leaked. Forgotten access stays forever.</p> <p>I spent last week implementing Just-In-Time (JIT) access for EC2, and it completely changed how I think about server access. Here's what I built and what I learned.</p> <h2> What You'll Learn </h2> <ul> <li>✅ How to eliminate permanent SSH access to EC2</li> <li>✅ Build auto-expiring access with native AWS services (no third-party tools)</li> <li>✅ Set up full audit trails with CloudTrail</li> <li>✅ Use Lambda to automate security group changes</li> <li>✅ Apply least-privilege IAM design</li> </ul> <h2> Why JIT Access Matters </h2> <p>Permanent SSH access to EC2 is one of the <strong>most common and dangerous</strong> cloud misconfigurations.</p> <p>Here's what happens when you leave SSH open:</p> <ul> <li>🚨 Open port 22 = instant target for attackers</li> <li>🚨 Long-lived SSH keys = credential sprawl</li> <li>🚨 Forgotten security group rules = standing access nobody uses</li> <li>🚨 No audit trail = "who logged in last month?"</li> </ul> <p><strong>JIT access solves this:</strong></p> <ul> <li>SSH access granted <strong>only when needed</strong> </li> <li>Access is <strong>time-bound</strong> (expires automatically)</li> <li>Revocation is <strong>automatic</strong> (no manual cleanup)</li> <li>Every action is <strong>fully auditable</strong> </li> </ul> <h2> Architecture Overview </h2> <p>The solution uses only native AWS services:</p> <ul> <li> <strong>Amazon EC2</strong> – The target instance</li> <li> <strong>AWS Lambda</strong> – JIT automation engine</li> <li> <strong>IAM</strong> – Least-privilege roles</li> <li> <strong>CloudTrail</strong> – Audit evidence</li> <li> <strong>CloudWatch</strong> – Execution logs</li> </ul> <p><strong>Design principle:</strong><br><br> <em>No standing access. Access exists only while the automation is running.</em></p> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8f0ekmhby6eyu70gw79q.png" alt="Architecture Overview" width="720" height="525"> </h2> <h2> Step 1: Lock Down the EC2 Instance (Baseline) </h2> <p>Start with <strong>zero access</strong> by default.</p> <p>The EC2 instance is launched with:</p> <ul> <li>❌ <strong>No inbound SSH rules</strong> </li> <li>❌ <strong>No 0.0.0.0/0 on port 22</strong> </li> <li>✅ Only necessary outbound access</li> </ul> <p><strong>Why this matters:</strong></p> <ul> <li>Eliminates permanent exposure</li> <li>Forces all access through controlled mechanisms</li> <li>Creates a secure baseline</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faslj70c1kxf5pbgdm70o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faslj70c1kxf5pbgdm70o.png" alt="EC2 Security Group with no inbound SSH rules" width="800" height="287"></a><br> <em>Security group showing zero SSH access by default - no port 22 open</em></p> <h2> Step 2: EC2 IAM Role – SSM Only </h2> <p>The EC2 instance gets an IAM role with <strong>only</strong> the SSM managed policy.</p> <p><strong>Key point:</strong> The instance <strong>cannot</strong> modify its own security group.</p> <p>This prevents:</p> <ul> <li>Self-escalation attacks</li> <li>Instance-level privilege creep</li> <li>Unauthorised security group changes</li> </ul> <p><strong>Separation of duties is critical here.</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fti5yvvgaru6y1gj3l8lc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fti5yvvgaru6y1gj3l8lc.png" alt="IAM Role attached to EC2 instance with SSM policy only" width="800" height="386"></a><br> <em>EC2 instance role with only SSM permissions - cannot modify security groups</em></p> <h2> Step 3: CloudTrail for Auditability </h2> <p>CloudTrail is configured to log <strong>management events only</strong>.</p> <p>This captures:</p> <ul> <li>✅ Security group changes</li> <li>✅ Who made the change</li> <li>✅ When it happened</li> <li>✅ What was modified</li> </ul> <p><strong>Why not data events?</strong></p> <ul> <li>JIT access modifies infrastructure, not data</li> <li>Precision logging beats noisy logging</li> <li>Lower costs, better signal-to-noise ratio</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy2i1p1c7krsw8p1e13uf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy2i1p1c7krsw8p1e13uf.png" alt="CloudTrail configured for management events only" width="800" height="334"></a><br> <em>CloudTrail logging configuration - management events capture security group changes</em></p> <h2> Step 4: JIT Lambda Function </h2> <p>The core automation: a Lambda function that controls the access lifecycle.</p> <p><strong>What it does:</strong></p> <ol> <li> <strong>Grant</strong> – Add SSH rule for a single IP</li> <li> <strong>Wait</strong> – Hold access for configured duration</li> <li> <strong>Revoke</strong> – Remove the rule automatically</li> </ol> <p><strong>Lambda pseudo-code:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="c1"># Read configuration from environment variables </span> <span class="n">security_group_id</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">SECURITY_GROUP_ID</span><span class="sh">'</span><span class="p">]</span> <span class="n">allowed_ip</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">ALLOWED_IP</span><span class="sh">'</span><span class="p">]</span> <span class="n">duration</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">DURATION</span><span class="sh">'</span><span class="p">])</span> <span class="c1"># seconds </span> <span class="c1"># Grant SSH access </span> <span class="n">ec2</span><span class="p">.</span><span class="nf">authorize_security_group_ingress</span><span class="p">(</span> <span class="n">GroupId</span><span class="o">=</span><span class="n">security_group_id</span><span class="p">,</span> <span class="n">IpPermissions</span><span class="o">=</span><span class="p">[{</span> <span class="sh">'</span><span class="s">IpProtocol</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">tcp</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">FromPort</span><span class="sh">'</span><span class="p">:</span> <span class="mi">22</span><span class="p">,</span> <span class="sh">'</span><span class="s">ToPort</span><span class="sh">'</span><span class="p">:</span> <span class="mi">22</span><span class="p">,</span> <span class="sh">'</span><span class="s">IpRanges</span><span class="sh">'</span><span class="p">:</span> <span class="p">[{</span><span class="sh">'</span><span class="s">CidrIp</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">'</span><span class="si">{</span><span class="n">allowed_ip</span><span class="si">}</span><span class="s">/32</span><span class="sh">'</span><span class="p">}]</span> <span class="p">}]</span> <span class="p">)</span> <span class="c1"># Wait for configured duration </span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="n">duration</span><span class="p">)</span> <span class="c1"># Revoke SSH access automatically </span> <span class="n">ec2</span><span class="p">.</span><span class="nf">revoke_security_group_ingress</span><span class="p">(</span> <span class="n">GroupId</span><span class="o">=</span><span class="n">security_group_id</span><span class="p">,</span> <span class="n">IpPermissions</span><span class="o">=</span><span class="p">[{</span> <span class="sh">'</span><span class="s">IpProtocol</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">tcp</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">FromPort</span><span class="sh">'</span><span class="p">:</span> <span class="mi">22</span><span class="p">,</span> <span class="sh">'</span><span class="s">ToPort</span><span class="sh">'</span><span class="p">:</span> <span class="mi">22</span><span class="p">,</span> <span class="sh">'</span><span class="s">IpRanges</span><span class="sh">'</span><span class="p">:</span> <span class="p">[{</span><span class="sh">'</span><span class="s">CidrIp</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">'</span><span class="si">{</span><span class="n">allowed_ip</span><span class="si">}</span><span class="s">/32</span><span class="sh">'</span><span class="p">}]</span> <span class="p">}]</span> <span class="p">)</span> </code></pre> </div> <h2> Step 5: Lambda Configuration via Environment Variables </h2> <p>All JIT behavior is externalized:</p> <ul> <li> <code>SECURITY_GROUP_ID</code> – Which security group to modify</li> <li> <code>ALLOWED_IP</code> – Which IP gets access</li> <li> <code>DURATION</code> – How long access lasts (seconds)</li> </ul> <p><strong>Why environment variables?</strong></p> <ul> <li>✅ No hardcoding</li> <li>✅ Easy to audit</li> <li>✅ Safe to change duration without code changes</li> <li>✅ Works across environments (dev/staging/prod)</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu71xtwn8p98kzl3c2a4l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu71xtwn8p98kzl3c2a4l.png" alt="Lambda environment variables: SECURITY_GROUP_ID, ALLOWED_IP, DURATION" width="800" height="375"></a><br> <em>Lambda configuration externalized - no secrets hardcoded in the function</em></p> <h2> Step 6: Least-Privilege Lambda Execution Role </h2> <p>The Lambda execution role gets <strong>only</strong> the permissions needed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"ec2:AuthorizeSecurityGroupIngress"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ec2:RevokeSecurityGroupIngress"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:ec2:*:*:security-group/sg-xxxxxxxxx"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>This enforces:</strong></p> <ul> <li>Separation of duties</li> <li>Minimal blast radius</li> <li>Defense in depth</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3e0yku9cuyo3tmjg0usr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3e0yku9cuyo3tmjg0usr.png" alt="Lambda execution role with least-privilege IAM policy" width="800" height="378"></a><br> <em>IAM policy allowing only security group ingress modifications - nothing else</em></p> <h2> Step 7: JIT Execution (Grant → Revoke) </h2> <p>When you execute the Lambda:</p> <p><strong>Timeline:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>00:00 – Lambda starts 00:01 – SSH access GRANTED for 203.0.113.45/32 05:00 – Access active (you can SSH in) 10:00 – SSH access REVOKED automatically 10:01 – Lambda completes </code></pre> </div> <p><strong>Key log evidence:</strong></p> <ul> <li>✅ SSH access granted (CloudWatch)</li> <li>✅ SSH access revoked (CloudWatch)</li> <li>✅ Execution duration ≈ configured timeout</li> <li>✅ No manual intervention</li> </ul> <p><strong>This confirms true JIT behavior, not manual cleanup.</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9djtx6jn5yxryxugevb3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9djtx6jn5yxryxugevb3.png" alt="CloudWatch logs showing SSH access granted and then revoked automatically" width="800" height="386"></a><br> <em>The smoking gun: Logs prove access was granted at 00:01 and auto-revoked at 10:00</em></p> <h2> Step 8: CloudTrail Proof (Audit Evidence) </h2> <p>CloudTrail records both sides of the access lifecycle:</p> <p><strong>Grant event:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"eventName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AuthorizeSecurityGroupIngress"</span><span class="p">,</span><span class="w"> </span><span class="nl">"userIdentity"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AssumedRole"</span><span class="p">,</span><span class="w"> </span><span class="nl">"principalId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AROAXXXXXXXXX:jit-lambda-function"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"requestParameters"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"groupId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sg-xxxxxxxxx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ipPermissions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"items"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"ipProtocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tcp"</span><span class="p">,</span><span class="w"> </span><span class="nl">"fromPort"</span><span class="p">:</span><span class="w"> </span><span class="mi">22</span><span class="p">,</span><span class="w"> </span><span class="nl">"toPort"</span><span class="p">:</span><span class="w"> </span><span class="mi">22</span><span class="p">,</span><span class="w"> </span><span class="nl">"ipRanges"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"203.0.113.45/32"</span><span class="p">]</span><span class="w"> </span><span class="p">}]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Revoke event:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"eventName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"RevokeSecurityGroupIngress"</span><span class="p">,</span><span class="w"> </span><span class="nl">"userIdentity"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AssumedRole"</span><span class="p">,</span><span class="w"> </span><span class="nl">"principalId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AROAXXXXXXXXX:jit-lambda-function"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>What this proves:</strong></p> <ul> <li>📊 Who made the change (Lambda role)</li> <li>📊 What was changed (security group rule)</li> <li>📊 When it happened (timestamp)</li> <li>📊 That it was revoked (not forgotten)</li> </ul> <p><strong>This is audit-grade evidence, not just console screenshots.</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4f36qyb4kajvm4ir937m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4f36qyb4kajvm4ir937m.png" alt="CloudTrail event showing AuthorizeSecurityGroupIngress" width="800" height="354"></a><br> <em>CloudTrail proof #1: Lambda granted SSH access for specific IP at exact timestamp</em></p> <h2> What This Project Demonstrates </h2> <p>✅ <strong>No standing SSH access</strong> – Zero permanent exposure<br><br> ✅ <strong>Time-bound, IP-restricted</strong> – Access expires automatically<br><br> ✅ <strong>Automatic revocation</strong> – Enforced by code, not humans<br><br> ✅ <strong>Full auditability</strong> – CloudTrail logging for compliance<br><br> ✅ <strong>Least-privilege IAM</strong> – Minimal permissions everywhere </p> <h2> The 5 Mistakes I Made (So You Don't Have To) </h2> <ol> <li> <strong>Forgot to add CloudWatch Logs permissions</strong> – Lambda couldn't log execution</li> <li> <strong>Used <code>0.0.0.0/0</code> in testing</strong> – Defeated the entire point</li> <li> <strong>Didn't externalize duration</strong> – Had to redeploy Lambda to change timing</li> <li> <strong>Set timeout too short</strong> – Lambda terminated before revoking access</li> <li> <strong>Didn't test CloudTrail delay</strong> – Events take 5-15 minutes to appear</li> </ol> <h2> Final Takeaway </h2> <p><strong>Security isn't about blocking access — it's about granting the right access, for the right time, with proof.</strong></p> <p>This project shows how JIT access can be implemented using native AWS services without introducing operational complexity or permanent risk.</p> <p><strong>No third-party tools. No manual cleanup. Just automatic, auditable, time-bound access.</strong></p> <h2> What's Next? </h2> <p>In the next post, I'll cover:</p> <ul> <li>Integrating this with AWS Systems Manager Session Manager (no SSH at all!)</li> <li>Adding Slack notifications when access is granted</li> <li>Building a self-service portal for developers</li> </ul> <p><strong>Have you implemented JIT access in your environment? What challenges did you face?</strong></p> <p>Drop a comment below or connect with me on <a href="https://www.linkedin.com/in/suryasesank" rel="noopener noreferrer">LinkedIn</a>.</p> <h3> Series: AWS Security Projects </h3> <p>This is part of my Friday Security Projects series, where I build hands-on cloud security projects focused on real-world failures and defence-in-depth design.</p> <p><strong>Previous projects:</strong></p> <ul> <li>Project 5: Zero-Trust EC2 Access with IAM, SSM, and GuardDuty</li> <li>Project 4: Eliminating SSH with AWS Systems Manager</li> <li>Project 3: Implementing Security Controls in Production</li> <li>Project 2: Security Design Trade-offs</li> <li>Project 1: Building a Secure Cloud Baseline</li> </ul> aws security cybersecurity cloud