Security Model
Three independent layers
All three must pass before any access succeeds.
Layer 1: Identity (CE side)
Engineers authenticate to continuous.engineering's AWS IAM Identity Center with MFA before they can attempt anything. This happens on our infrastructure; you do not manage our engineers' credentials. When an engineer leaves CE, their SSO access is revoked, so they can no longer obtain a session in any client account; any session already issued expires within its remaining lifetime (at most 4 hours).
Layer 2: ExternalId
When our system attempts to assume a role in your account, it must present an ExternalId (continuous.engineer) that matches the sts:ExternalId condition in the role's trust policy. This guards against the confused deputy problem, where a third party who knows your role's ARN gets a trusted intermediary (us, the deputy) to assume that role on their behalf using our permissions. The check is performed by AWS STS, not by our identity provider: an AssumeRole call without the correct ExternalId is rejected by AWS before any credentials are issued. The ExternalId is not a secret; it is an extra condition that must hold in addition to the principal and MFA checks.
Layer 3: MFA age (your side)
The role trust policy in your account checks how recently the engineer completed MFA:
| Role | MFA must be within |
|---|---|
| CE-ReadOnly, CE-Security, CE-SRE, CE-DevOps, CE-Data | 8 hours |
| CE-Admin | 1 hour |
An engineer whose last MFA was 9 hours ago cannot assume any CE role; one whose last MFA was 2 hours ago can still assume CE-SRE but not CE-Admin. In both cases they must re-authenticate with MFA before the stricter role becomes available.
What we can access
Only resources in accounts you have explicitly onboarded, through the roles you have deployed, during active sessions. Sessions last 2-4 hours. New tokens cannot be issued after you delete the stack.
What we cannot access
- Any account you have not onboarded
- Resources tagged `env-prod=true`, if you have attached CE-DenyProd to our roles
- EC2 instances not tagged `database=true`, when using CE-Data
- Anything not covered by the role's policy
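The following is an added illustration, not continuous.engineering's code or the policy documents the stack deploys. It models Layer 2 and Layer 3 (the sts:ExternalId, aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge conditions on a role's trust policy) and the CE-DenyProd tag rule as a small local IAM evaluator, so you can see why a 2-hour-old MFA passes for CE-SRE but not CE-Admin, why a session with no MFA context is refused rather than waved through, and why an explicit Deny on `env-prod=true` overrides a read-only Allow. The account IDs, engineer ARN, bucket tags and the CE-ReadOnly statement are made up; the evaluation rules (explicit Deny wins, a condition whose key is absent from the request evaluates to false) are AWS IAM's documented behaviour for the operators used here.

```python
"""Local simulator of the trust-policy checks (layers 2 and 3) and the CE-DenyProd tag deny.

Added illustration, not CE's code or their actual policies. Account IDs, the
engineer ARN, tags and the CE-ReadOnly grant are assumptions.
"""
import fnmatch
from typing import Dict, List, Optional

CE_ACCOUNT = "111111111111"      # assumed: CE's own AWS account
CE_ROOT = f"arn:aws:iam::{CE_ACCOUNT}:root"
EXTERNAL_ID = "continuous.engineer"


def trust_policy(max_mfa_age_seconds: int) -> dict:
    """Trust policy shape for one CE role: ExternalId plus MFA presence and age."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": CE_ROOT},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"sts:ExternalId": EXTERNAL_ID},
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "NumericLessThan": {"aws:MultiFactorAuthAge": str(max_mfa_age_seconds)},
        },
    }]}


CE_SRE_TRUST = trust_policy(8 * 3600)    # 8 hours, per the table above
CE_ADMIN_TRUST = trust_policy(3600)      # 1 hour

# Assumed shapes: a CE-ReadOnly-style grant and a CE-DenyProd-style tag deny.
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
DENY_PROD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/env-prod": "true"}}}]}


def _condition_matches(cond: dict, ctx: dict) -> bool:
    """All operator/key pairs must hold; a key missing from ctx fails the condition."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            actual = ctx[key]
            if operator == "StringEquals":
                ok = str(actual) == str(expected)
            elif operator == "Bool":
                ok = str(actual).lower() == str(expected).lower()
            elif operator == "NumericLessThan":
                ok = float(actual) < float(expected)
            else:
                raise ValueError(f"operator {operator} is not modelled")
            if not ok:
                return False
    return True


def _principal_matches(stmt: dict, ctx: dict) -> bool:
    if "Principal" not in stmt:          # identity policies carry no Principal element
        return True
    allowed = stmt["Principal"].get("AWS")
    # An account root principal delegates to every principal in that account.
    return allowed in (ctx.get("aws:PrincipalArn"),
                       f"arn:aws:iam::{ctx.get('aws:PrincipalAccount')}:root")


def _statement_matches(stmt: dict, action: str, ctx: dict) -> bool:
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and _principal_matches(stmt, ctx)
            and _condition_matches(stmt.get("Condition", {}), ctx))


def evaluate(policies: List[dict], action: str, ctx: dict) -> str:
    """Return "Deny", "Allow" or "ImplicitDeny"; an explicit Deny always wins."""
    matched = [s for p in policies for s in p["Statement"] if _statement_matches(s, action, ctx)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "Deny"
    if any(s["Effect"] == "Allow" for s in matched):
        return "Allow"
    return "ImplicitDeny"


def can_assume(trust: dict, external_id: Optional[str], mfa_age_seconds: Optional[int]) -> bool:
    """Layers 2 and 3: would STS accept this AssumeRole call from a CE engineer?"""
    ctx = {"aws:PrincipalAccount": CE_ACCOUNT,
           "aws:PrincipalArn": f"arn:aws:sts::{CE_ACCOUNT}:assumed-role/EngineerSSO/alice"}
    if external_id is not None:
        ctx["sts:ExternalId"] = external_id
    if mfa_age_seconds is not None:      # None models a session carrying no MFA context
        ctx["aws:MultiFactorAuthPresent"] = "true"
        ctx["aws:MultiFactorAuthAge"] = mfa_age_seconds
    return evaluate([trust], "sts:AssumeRole", ctx) == "Allow"


def s3_read_decision(bucket_tags: Dict[str, str], deny_prod_attached: bool) -> str:
    """CE-DenyProd: the explicit Deny on env-prod=true overrides the read-only Allow."""
    ctx = {f"aws:ResourceTag/{k}": v for k, v in bucket_tags.items()}
    policies = [READ_ONLY] + ([DENY_PROD] if deny_prod_attached else [])
    return evaluate(policies, "s3:GetObject", ctx)


if __name__ == "__main__":
    print(can_assume(CE_SRE_TRUST, EXTERNAL_ID, 2 * 3600))     # True
    print(can_assume(CE_ADMIN_TRUST, EXTERNAL_ID, 2 * 3600))   # False: 1 hour limit
    print(can_assume(CE_SRE_TRUST, EXTERNAL_ID, None))         # False: no MFA context
    print(s3_read_decision({"env-prod": "true"}, True))        # Deny
```

The point worth checking against your own deployed trust policies is the missing-key case: because NumericLessThan on aws:MultiFactorAuthAge evaluates to false when the key is absent, a session that carries no MFA context is refused rather than admitted, so the age check fails closed. Tag-based conditions behave the same way, which is why an untagged bucket is not caught by CE-DenyProd; tagging discipline is part of the control.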
What we never have
- Long-lived access keys
- SSH keys to your servers
- Passwords to any of your systems
- Access that survives deletion of the CloudFormation stack
Revoking access
| Action | Effect | Time |
|---|---|---|
| Delete the CloudFormation stack | All CE roles removed | Immediate |
| Attach CE-DenyProd to a role | Prod access blocked for that role | Immediate |
| Contact us to offboard | Your account removed from our allow list | Immediate |
Active tokens issued before deletion expire within their remaining lifetime (max 4 hours).
Network access
CE engineers access EC2 instances through AWS Systems Manager Session Manager. The SSM Agent on the instance opens an outbound HTTPS (port 443) connection to the Systems Manager endpoints, and the shell session is carried over that connection through AWS's control plane. No inbound port, including 22, needs to be open, and your security groups do not change. The instance does need the SSM Agent running, an instance profile that permits Systems Manager, and outbound reachability to the endpoints (via the internet or VPC endpoints); without those, Session Manager cannot reach it.
Monitoring
The stack creates a dedicated CloudWatch log group (continuous.engineering-access) that receives only CE role events, routed by EventBridge. Nothing else in your account goes into this log group. A 17-widget dashboard is also created, covering:
- Live alarm state for CE-Admin and access denied spikes
- Per-role session counts and trends
- Full chronological activity feed
- Which EC2 instances were shelled into
- Which data resources CE-Data touched (S3 buckets, RDS instances)
- Source IPs, after-hours activity, week-over-week comparison, anomaly detection
See the monitoring guide for the dashboard URL and all available queries.
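As an added illustration (not the stack's EventBridge rule, dashboard or queries), the following shows how CE role activity is told apart from everything else in CloudTrail and how the per-role session counts, shelled-into instances, source IPs and after-hours entries on the dashboard can be derived from those events. AssumeRole calls are attributed by the target roleArn in requestParameters; every later call made with the issued credentials names the role in userIdentity.sessionContext.sessionIssuer. The records are constructed to follow CloudTrail's record layout; the account IDs, role session names, instance IDs, addresses and the 08:00-18:00 UTC business-hours window are made up.

```python
"""Select CE role events from CloudTrail records and summarise them.

Added illustration, not the stack's EventBridge rule or dashboard queries.
Records below are constructed; account IDs, names, instance IDs and IPs are made up.
"""
from collections import Counter
from datetime import datetime
from typing import Iterable, Optional

CLIENT_ACCOUNT = "222222222222"                       # assumed: your account
CE_ROLE_PREFIX = f"arn:aws:iam::{CLIENT_ACCOUNT}:role/CE-"

# Constructed CloudTrail records; only the fields used here are populated.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-06T14:02:11Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AWSAccount", "accountId": "111111111111"},
     "requestParameters": {"roleArn": CE_ROLE_PREFIX + "SRE",
                           "roleSessionName": "alice", "externalId": "continuous.engineer"}},
    {"eventTime": "2024-05-06T14:03:40Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "StartSession", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{CLIENT_ACCOUNT}:assumed-role/CE-SRE/alice",
                      "sessionContext": {"sessionIssuer": {"arn": CE_ROLE_PREFIX + "SRE"}}},
     "requestParameters": {"target": "i-0123456789abcdef0"}},
    {"eventTime": "2024-05-06T23:15:02Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AWSAccount", "accountId": "111111111111"},
     "requestParameters": {"roleArn": CE_ROLE_PREFIX + "Admin",
                           "roleSessionName": "bob", "externalId": "continuous.engineer"}},
    # Unrelated activity from your own workload role: must not reach the CE log group.
    {"eventTime": "2024-05-06T14:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{CLIENT_ACCOUNT}:assumed-role/AppServerRole/i-0aaa",
                      "sessionContext": {"sessionIssuer": {
                          "arn": f"arn:aws:iam::{CLIENT_ACCOUNT}:role/AppServerRole"}}},
     "requestParameters": {}},
]


def ce_role_of(record: dict) -> Optional[str]:
    """Return the CE role name an event belongs to, or None for everything else."""
    if record["eventName"] == "AssumeRole":
        arn = record.get("requestParameters", {}).get("roleArn", "")
    else:
        arn = (record["userIdentity"].get("sessionContext", {})
               .get("sessionIssuer", {}).get("arn", ""))
    return arn[len(CE_ROLE_PREFIX):] if arn.startswith(CE_ROLE_PREFIX) else None


def summarise(records: Iterable[dict], business_hours=(8, 18)) -> dict:
    """Dashboard-style figures derived from CE events only (hours are UTC, an assumption)."""
    sessions = Counter()          # per-role session counts, one AssumeRole each
    shelled = set()               # instances shelled into via Session Manager
    source_ips = set()
    after_hours = []
    for r in records:
        role = ce_role_of(r)
        if role is None:
            continue              # not a CE role event: would not be routed to the log group
        source_ips.add(r["sourceIPAddress"])
        hour = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour
        if not business_hours[0] <= hour < business_hours[1]:
            after_hours.append((r["eventTime"], role, r["eventName"]))
        if r["eventName"] == "AssumeRole":
            sessions[role] += 1
        elif r["eventSource"] == "ssm.amazonaws.com" and r["eventName"] == "StartSession":
            shelled.add(r["requestParameters"]["target"])
    return {"sessions": dict(sessions), "shelled_instances": sorted(shelled),
            "source_ips": sorted(source_ips), "after_hours": after_hours}


if __name__ == "__main__":
    print(summarise(SAMPLE_RECORDS))
```

The same prefix test on the sessionIssuer ARN is what lets a routing rule keep your own workload roles out of the CE log group; if you rename the roles, that prefix is the thing to update.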