FAQ

Can continuous.engineering access my account without me knowing?

No. The trust is two-way. Your CloudFormation stack trusts our identity provider, but we also have to add your account to our allow list on our side. Both must be in place. We do our side only when you tell us to.

What happens when the engagement ends?

Delete the CloudFormation stack. All CE roles are removed immediately. We also remove your account from our allow list. Active tokens expire within their remaining lifetime (max 4 hours). Nothing lingers.

Can I see what CE engineers are doing?

Yes, in full detail. The stack creates a dedicated CloudWatch log group (continuous.engineering-access) and a 17-widget dashboard. Every API call from every CE role is captured there with the engineer's ARN, the action, the resource, the source IP, and the timestamp. You can also query it from CloudTrail, Athena, or any SIEM that ingests CloudTrail events.

See the monitoring guide for the dashboard URL, widget descriptions, and example Logs Insights queries.

What if I only want to start with read-only access?

Deploy the stack and let us know you want CE-ReadOnly only. We assume only that role. When broader access is appropriate, you tell us. You can also delete individual roles from the stack if you want a hard technical guarantee.

Can I restrict which engineers get which role?

The AWS roles trust continuous.engineering's identity provider as a whole. Individual engineer access is managed on our side via SSO. If you have specific requirements (e.g. only senior engineers on CE-Admin), raise this with your CE engagement manager. We enforce it on our end.

Does this require changes to my security groups?

No. CE engineers access EC2 instances through AWS Systems Manager Session Manager, which runs over HTTPS port 443. Port 22 does not need to be open. If your instances do not have the SSM agent installed, CE can help set that up.

What is the ExternalId?

The ExternalId (continuous.engineer) must be presented when our system assumes a role in your account. It prevents a confused deputy attack where a malicious actor tricks our identity provider into assuming your role on their behalf. Without the correct ExternalId, the call is rejected by AWS.
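A customer-side check of the ExternalId requirement described above, as an added example rather than code from continuous.engineering or its template: it audits a role trust policy document (for instance the `AssumeRolePolicyDocument` returned by `aws iam get-role`) and reports any statement that allows `sts:AssumeRole` without an exact `sts:ExternalId` match. The sample policies, the placeholder account ID and the assumption that the role trusts an AWS principal are constructed for illustration.

```python
EXPECTED_EXTERNAL_ID = "continuous.engineer"  # value stated in this FAQ


def _as_list(value):
    """IAM JSON accepts a single value wherever a list is valid."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def required_external_ids(stmt):
    """ExternalId values a statement demands through an exact StringEquals."""
    ids = []
    for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if key.lower() == "sts:externalid":  # condition key names are case-insensitive
            ids.extend(_as_list(value))
    return ids


def audit_trust_policy(policy, expected=EXPECTED_EXTERNAL_ID):
    """Return findings for a role trust policy; an empty list means it is gated."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if stmt.get("Effect") != "Allow" or not {"sts:assumerole", "sts:*", "*"} & set(actions):
            continue
        ids = required_external_ids(stmt)
        if not ids:
            findings.append(f"statement {i}: AssumeRole allowed without sts:ExternalId")
        elif ids != [expected]:  # several values are OR-ed, so extras widen access
            findings.append(f"statement {i}: unexpected ExternalId values {ids}")
        if stmt.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"statement {i}: wildcard principal")
    return findings


# Constructed sample documents; the principal ARN uses a placeholder account ID
# and assumes the role trusts an AWS principal (the FAQ does not show the policy).
GATED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "continuous.engineer"}}}]}
UNGATED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["sts:AssumeRole"],
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}

if __name__ == "__main__":
    for name, doc in (("GATED", GATED), ("UNGATED", UNGATED)):
        print(name, audit_trust_policy(doc) or "ok")
```
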

Can I attach CE-DenyProd to CE-Admin?

Yes. Even full admin access cannot touch resources tagged env-prod=true once CE-DenyProd is attached. The deny overrides AdministratorAccess. This is an unusual configuration, since CE-Admin is typically used when production access is needed, but the option is there if your compliance requirements demand it.

What if I have multiple AWS accounts?

Deploy the stack in each account and share all the account IDs with us. We add each independently. You can grant different roles in different accounts.

Is the CloudFormation template auditable?

Yes. The template is in a public GitHub repository. You can review exactly what it creates before deploying. The deployed stack in your account also shows the current state of all resources.

Do I need to sign anything before deploying?

Deploying the stack is not itself a legal agreement. You should have a signed engagement agreement with continuous.engineering before granting access. If your environment handles PHI, a BAA is also required. Contact hello@continuous.engineering.