CASE 41 · ASPER · 2024
Privileged sessions on the record, by default.
A defence contractor had to demonstrate to a government auditor that every privileged shell session on a production host was logged with full transcript. They had been doing this through screen-recording on Workspaces. We replaced it with SSM Session Manager logging and a tamper-evident archive.
Defence contractor
SECURITY
2024
RESULTS
What changed, by the numbers.
SSH KEYS RETIRED: 100%
SESSION COVERAGE: 100%
AUDIT FINDINGS: 0
TIME TO ATTRIBUTE A SESSION: < 30s
HOW IT WENT
The previous setup was elaborate: a bastion host, a screen recorder, an upload job. The recordings were big (video of a terminal session), the search was awful (you watched the video to find the command), and the integrity story was thin.
Session Manager replaced all of it. Engineers authenticated through IAM Identity Center, then used the AWS CLI (aws ssm start-session) to reach a host. Every keystroke landed in CloudWatch Logs, encrypted with a KMS key only the security account could decrypt. Transcripts were archived to S3 with Object Lock in compliance mode, which means nobody, the bucket owner included, can delete or shorten the retention of a transcript until its retention period expires.
The auditor’s test query was specific: "show us every command run by user X on host Y between dates A and B." Previous answer time: half a day of video review. New answer time: 28 seconds via CloudWatch Logs Insights. The bastion was retired in week three.
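As an added example (not the contractor's or ASPER's own configuration), this is the Session Manager preferences document that produces the setup described above: every session streamed to CloudWatch Logs with encryption required, and a copy archived to S3. The bucket, log group, region, account id and key id are placeholders to be replaced with your own values.

```json
{
  "schemaVersion": "1.0",
  "description": "Session Manager preferences: stream every session to an encrypted CloudWatch log group and archive it to S3 (placeholder names)",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "PLACEHOLDER-session-transcripts-bucket",
    "s3KeyPrefix": "privileged-sessions/",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "PLACEHOLDER-privileged-sessions-log-group",
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "kmsKeyId": "arn:aws:kms:REGION:SECURITY-ACCOUNT-ID:key/PLACEHOLDER-KEY-ID",
    "runAsEnabled": false,
    "runAsDefaultUser": "",
    "idleSessionTimeout": "20",
    "maxSessionDuration": "",
    "shellProfile": {
      "windows": "",
      "linux": ""
    }
  }
}
```

Apply it with aws ssm create-document --name SSM-SessionManagerRunShell --document-type Session --content file://session-prefs.json (update-document for later changes); with cloudWatchEncryptionEnabled set, sessions refuse to start unless the named log group is already associated with a KMS key, so the "only the security account can decrypt" property comes from that key's policy, while kmsKeyId separately encrypts the session channel itself. Object Lock has to be enabled when the archive bucket is created (it cannot be added later), after which a compliance-mode default retention is set on the bucket.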
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.