Why This Model
Most consultants access client infrastructure one of three ways. None of them are good.
The old ways
Shared IAM users with access keys
An IAM user is created, access keys are generated and emailed over. The keys live in a config file on the consultant's laptop forever. When the engagement ends, someone has to remember to delete them. Often nobody does.
What goes wrong:
- Keys have no expiry by default
- No MFA on API calls
- No way to know which engineer used the key
- Rotation is manual and rarely happens
- Keys get committed to git, saved in Slack, emailed around
VPN + SSH
A VPN account is created. An SSH key is generated and added to every server. The consultant connects over VPN and SSHes in.
What goes wrong:
- VPN accounts outlive engagements
- SSH keys proliferate across servers
- Port 22 must be open on your security groups
- No audit trail of what commands were run
- Key rotation requires touching every server
Shared root or admin passwords
The consultant is given the root password or a shared admin account. No comment needed.
The continuous.engineering model
We use AWS IAM Identity Center (SSO) as our identity provider. Our engineers authenticate once with MFA. They never hold access keys. There is no VPN. There are no SSH keys.
Engineer logs in via CE SSO (MFA required)
|
v
CE issues a short-lived session token
|
v
Engineer assumes a role in your account (e.g. CE-SRE)
|
v
Token expires automatically in 2-4 hours
|
v
Every action is logged in your CloudTrail under the engineer's identity
What makes this different
Short-lived credentials. Every session token expires in 2-4 hours. There is nothing to revoke when the engagement ends. Delete the CloudFormation stack and access is gone.
MFA on every session. MFA is enforced by the role's trust policy, not by a policy document someone could update. AWS will not issue a token without it.
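To make the trust-policy point concrete, here is an added example (not continuous.engineering's own tooling) that checks a role's trust policy for the two properties the model relies on: only the expected identity-provider account may assume the role, and AssumeRole is conditioned on aws:MultiFactorAuthPresent being true. The policy documents are constructed for illustration; the account id 111111111111 is a placeholder for the identity provider's account, and the role name CE-SRE comes from the page.

```python
"""Check an IAM role trust policy for the properties the CE model relies on.

Added example. Policies below are constructed; "111111111111" is a placeholder
for the identity provider's AWS account id.
"""


# Constructed trust policy for a role such as CE-SRE: one named account may
# assume it, and only when MFA is present in the session context.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
}

# Constructed counter-example: wildcard principal and no MFA condition.
BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
    ],
}


def _as_list(value):
    """IAM allows scalar-or-list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True only when the statement hard-requires aws:MultiFactorAuthPresent=true."""
    cond = statement.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        flag = cond.get(op, {}).get("aws:MultiFactorAuthPresent")
        if flag is not None and str(flag).lower() == "true":
            # BoolIfExists passes when the key is absent from the request
            # context, so only a plain Bool check counts as enforcement.
            return op == "Bool"
    return False


def _principal_accounts(statement):
    """Collect the account ids (or '*') a statement trusts."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    accounts = set()
    for arn in _as_list(principal.get("AWS", [])):
        if arn == "*":
            accounts.add("*")
        elif arn.startswith("arn:aws:iam::"):
            accounts.add(arn.split(":")[4])
        else:
            accounts.add(arn)  # bare 12-digit account id form
    return accounts


def check_trust_policy(policy, expected_account):
    """Return a list of findings; an empty list means the policy matches the model."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*"}:
            continue
        accounts = _principal_accounts(stmt)
        if "*" in accounts:
            findings.append(f"statement {idx}: wildcard principal")
        elif accounts - {expected_account}:
            extra = sorted(accounts - {expected_account})
            findings.append(f"statement {idx}: unexpected principal accounts {extra}")
        if not _requires_mfa(stmt):
            findings.append(
                f"statement {idx}: AssumeRole allowed without aws:MultiFactorAuthPresent=true"
            )
    return findings


if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST_POLICY), ("bad", BAD_TRUST_POLICY)):
        print(name, check_trust_policy(doc, "111111111111") or "OK")
```

The BoolIfExists distinction matters in practice: it lets a request through when the MFA key is missing from the request context, which is exactly the case the trust policy is meant to refuse.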
Full audit trail. Every API call made by every CE engineer appears in your CloudTrail with their identity. You can see exactly who did what, when, from which IP.
Least privilege by design. Engineers get the role that matches the work. Read-only work gets CE-ReadOnly. Infrastructure work gets CE-DevOps. Nothing broader.
You are in control. You deploy the stack. You own the roles. You can restrict production, limit database access to tagged instances, and delete everything instantly.
No open ports. All instance access goes through AWS Systems Manager Session Manager over HTTPS. Port 22 stays closed.
Admin alerting. Every CE-Admin session triggers an email to your security team. You know about every high-privilege session the moment it happens.
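The audit-trail and admin-alerting points above rest on one detail: each CloudTrail record carries the assumed-role ARN, which names both the role (CE-ReadOnly, CE-Admin, ...) and the engineer's session identity. The following added example, not the dashboard or alerting the page describes, shows how a defender reads that out of raw records: it attributes every CE role call to an engineer and emits one alert per distinct CE-Admin session. The records are constructed; the account id 222222222222, the IP addresses and the session names jane.doe and sam.lee are placeholders, and it is assumed that the role session name is the engineer's identity.

```python
"""Attribute CloudTrail events to CE engineers and raise alerts for CE-Admin sessions.

Added example with constructed records. Account id, IPs and session names are
placeholders; the engineer identity is assumed to be the role session name.
"""
import json
from collections import defaultdict

ACCT = "222222222222"  # placeholder customer account id
CE_ROLE_PREFIX = "CE-"
ADMIN_ROLE = "CE-Admin"


def _rec(time, source, name, ip, arn, ident_type="AssumedRole"):
    """Build a CloudTrail record trimmed to the fields attribution needs (constructed)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"type": ident_type, "arn": arn}}


SAMPLE_RECORDS = [
    _rec("2024-05-01T09:12:44Z", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.10",
         f"arn:aws:sts::{ACCT}:assumed-role/CE-ReadOnly/jane.doe"),
    _rec("2024-05-01T09:20:03Z", "iam.amazonaws.com", "PutRolePolicy", "203.0.113.10",
         f"arn:aws:sts::{ACCT}:assumed-role/CE-Admin/jane.doe"),
    _rec("2024-05-01T09:21:10Z", "iam.amazonaws.com", "AttachRolePolicy", "203.0.113.10",
         f"arn:aws:sts::{ACCT}:assumed-role/CE-Admin/jane.doe"),
    _rec("2024-05-01T10:02:51Z", "ssm.amazonaws.com", "StartSession", "198.51.100.7",
         f"arn:aws:sts::{ACCT}:assumed-role/CE-DevOps/sam.lee"),
    # The customer's own IAM user: not a CE session, must be ignored.
    _rec("2024-05-01T10:05:00Z", "s3.amazonaws.com", "ListBuckets", "192.0.2.5",
         f"arn:aws:iam::{ACCT}:user/ops", ident_type="IAMUser"),
]


def parse_session(record):
    """Return (role_name, session_name) for an assumed-role event, else None."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    # Assumed-role ARN form: arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION
    resource = ident.get("arn", "").split(":", 5)[-1]
    parts = resource.split("/")
    if len(parts) != 3 or parts[0] != "assumed-role":
        return None
    return parts[1], parts[2]


def attribute_events(records):
    """Group CE role activity as {(engineer, role): [(time, action, source_ip), ...]}."""
    activity = defaultdict(list)
    for rec in records:
        session = parse_session(rec)
        if session is None or not session[0].startswith(CE_ROLE_PREFIX):
            continue
        role, engineer = session
        action = f"{rec['eventSource'].split('.')[0]}:{rec['eventName']}"
        activity[(engineer, role)].append((rec["eventTime"], action, rec["sourceIPAddress"]))
    return dict(activity)


def admin_alerts(records):
    """One alert per distinct CE-Admin session (engineer + source IP), with first-seen time."""
    first_seen = {}
    for rec in records:
        session = parse_session(rec)
        if session is None or session[0] != ADMIN_ROLE:
            continue
        key = (session[1], rec["sourceIPAddress"])
        first_seen.setdefault(key, rec["eventTime"])  # keep the earliest event
    return [
        {"engineer": eng, "source_ip": ip, "first_seen": when}
        for (eng, ip), when in sorted(first_seen.items(), key=lambda kv: kv[1])
    ]


if __name__ == "__main__":
    for (engineer, role), actions in attribute_events(SAMPLE_RECORDS).items():
        print(f"{engineer} via {role}: {len(actions)} call(s)")
    print(json.dumps(admin_alerts(SAMPLE_RECORDS), indent=2))
```

Deduplicating on engineer and source IP keeps the alert volume at one message per session rather than one per API call, which is what a security team can actually act on; the full per-call detail stays available through attribute_events.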
Built-in monitoring. A CloudWatch dashboard is deployed with the stack. It captures every API call made by every CE role in a dedicated log group and displays it across 17 widgets - role usage, trends, source IPs, instances accessed, data resources touched, anomaly detection, and week-over-week comparison. No setup required. See the monitoring guide.