ConsoleMe: A Central Control Plane for AWS Permissions and Access

At AWS re:Invent 2020, we open sourced two new tools for managing multi-account AWS permissions and access. We’re very excited to bring you ConsoleMe (pronounced: kuhn-soul-mee), and its CLI utility, Weep (pun intended)!

If you missed the talk, check it out here.

Motivation

Growth in the cloud has exploded, and it is now easier than ever to create infrastructure on the fly. Groups beyond software engineering teams are standing up their own systems and automation. This is an amazing movement providing numerous opportunities for product innovation, but managing this growth has introduced a support burden of ensuring proper security authentication & authorization, cloud hygiene, and scalable processes.

At many companies, managing cloud hygiene and security usually falls under the infrastructure or security teams. They are the one-stop-shop for cloud permissions and access. As the company scales, this centralized and manual management approach falls over, becoming impractical for both operations teams and their users.

This happened for us at Netflix. Our Cloud Infrastructure Security team is the arbiter of AWS permissions, handling numerous requests from Netflix employees for cloud permissions and access. Our historical approach to helping Netflix internal cloud users looked something like this:

  1. A user messages us in our support channel
  2. We clarify what the user needs, and why. Risks are analyzed, and we make suggestions of better approaches if applicable.
  3. We hand-craft an IAM policy for the end-user
  4. We log into the AWS account with the applicable IAM role and manipulate the policy
  5. If the request involves a cross-account resource, we log out of the AWS account, log in to the account with the resource, and manipulate the resource policy
  6. We ask the user to test
  7. The user comes back with an additional permissions error
  8. We play a game of permission whack-a-mole (Steps 3–7) until we resolve all of the user’s issues
  9. We repeat this multiple times a day with different users.

This process is manual, time-consuming, inconsistent, and often a game of trial and error.

Permission whack-a-mole

At Netflix, we’re firm believers in empowering our employees and providing low-friction systems that allow users to get their jobs done in a safe way. By integrating best practices such as least privilege into an IAM pipeline, we transitioned the security team from being gatekeepers of the cloud into cloud development accelerators.

What is ConsoleMe?

ConsoleMe is a self-service tool for AWS that provides an easier way of managing permissions and access across multiple accounts, while encouraging least-privilege permissions. Users can use the following features:

  • Access the AWS console
  • Retrieve and utilize short-lived AWS credentials through Weep
  • Request IAM permissions through a self-service wizard
  • Utilize ConsoleMe’s native policy editors for more advanced requests
  • Quickly locate and navigate to AWS resources within an organization

In addition, cloud administrators can use ConsoleMe to:

  • Manage IAM and resource policies without logging in to the AWS Console
  • Create or clone IAM roles across accounts

Check out the demos in our documentation, give ConsoleMe a test ride by logging in to our demo site (requires a Google account), then try it locally with your own account.

(docs, talk, demo)

ConsoleMe allows users to access the AWS console through the use of temporary IAM role credentials. After the user authenticates, ConsoleMe determines which roles they’re authorized to access based on their identity and group memberships.

ConsoleMe generates an authorization mapping that is used to determine which users/groups are allowed to access a given IAM role. This mapping can be generated through role tags that indicate which users/groups are allowed to retrieve credentials for the role, ConsoleMe’s Dynamic Configuration, or through an organization’s custom logic (docs).
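
A sketch of how such an authorization mapping can be derived from role tags and then overlaid with configuration-supplied grants. This is an added example, not ConsoleMe's own code: the tag key `example-authorized`, the `:` delimiter, the account IDs, role names and group addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed tag key and delimiter for this example; not taken from ConsoleMe.
AUTHZ_TAG = "example-authorized"
DELIM = ":"

# Constructed role inventory, shaped like IAM role records with their tags.
ROLES = [
    {"Arn": "arn:aws:iam::111111111111:role/app-deploy",
     "Tags": [{"Key": AUTHZ_TAG, "Value": "deployers@example.com:Alice@example.com"}]},
    {"Arn": "arn:aws:iam::222222222222:role/data-read",
     "Tags": [{"Key": AUTHZ_TAG, "Value": "analysts@example.com: :"}]},
    {"Arn": "arn:aws:iam::222222222222:role/admin",
     "Tags": [{"Key": "team", "Value": "infra"}]},  # no authorization tag
]

# Constructed stand-in for grants supplied through configuration.
DYNAMIC_CONFIG = {"secops@example.com": ["arn:aws:iam::222222222222:role/admin"]}

def build_mapping(roles, dynamic_config=None):
    """Return {principal (lower-cased user or group): set of role ARNs}."""
    mapping = defaultdict(set)
    for role in roles:
        for tag in role.get("Tags", []):
            if tag["Key"] != AUTHZ_TAG:
                continue
            for principal in tag["Value"].split(DELIM):
                principal = principal.strip().lower()
                if principal:  # ignore empty entries left by stray delimiters
                    mapping[principal].add(role["Arn"])
    for principal, arns in (dynamic_config or {}).items():
        mapping[principal.strip().lower()].update(arns)
    return dict(mapping)

def eligible_roles(user, groups, mapping):
    """Roles the identity may retrieve credentials for; default is deny."""
    allowed = set()
    for principal in [user, *groups]:
        allowed |= mapping.get(principal.strip().lower(), set())
    return sorted(allowed)

MAPPING = build_mapping(ROLES, DYNAMIC_CONFIG)
```

A role that carries no authorization tag and has no configured grant is reachable by nobody, which keeps the mapping deny-by-default.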

Users have a number of ways they can log in to the AWS console. The simplest way is by browsing to ConsoleMe and clicking on the desired role via the web interface. They can also use URL parameters to log into a particular role, access a specific region, AWS service, or AWS resource without having to navigate around ConsoleMe’s web interface.

At Netflix, we’ve seen users integrate ConsoleMe with productivity tools like Alfred, chat bots, and custom browser search engines.

(docs, talk)

Weep is ConsoleMe’s CLI utility. It retrieves temporary (1-hour) AWS credentials from ConsoleMe, and offers a number of different ways to serve them locally. Weep can automatically refresh credentials, which ensures that long-lived AWS actions succeed (such as an s3:GetObject action that takes longer than an hour). Weep can also transparently perform nested AssumeRole calls, and serve the assumed role credentials to the local user. Credentials are discoverable by the AWS CLI and AWS SDKs through the default credential provider chain.

Weep supports the following methods of serving credentials:

  1. Write credentials to a user’s ~/.aws/credentials file
  2. Export credentials as environment variables
  3. Emulate the EC2 instance metadata proxy
  4. Emulate the ECS credential provider
  5. Generate and provide credential_process commands to source credentials

Weep serving credentials in ECS credential provider mode
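
The refresh behaviour and the credential_process method described above, as an added example that is not Weep's code: a cache renews 1-hour credentials shortly before they expire and serializes them in the JSON document the AWS CLI and SDKs read from a credential_process command. The broker is a constructed stand-in, and the 10-minute refresh margin, role ARN and key values are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

REFRESH_MARGIN = timedelta(minutes=10)  # assumed value for this example

class CredentialCache:
    """Holds one role's short-lived credentials and renews them before expiry."""

    def __init__(self, fetch, role_arn):
        self._fetch, self._role_arn, self._creds = fetch, role_arn, None

    def get(self, now):
        c = self._creds
        if c is None or c["Expiration"] - now <= REFRESH_MARGIN:
            self._creds = self._fetch(self._role_arn, now)
        return self._creds

def to_credential_process(creds):
    """Serialize to the JSON document the AWS CLI and SDKs read from a
    credential_process command's stdout (Expiration is ISO 8601, UTC here)."""
    return json.dumps({
        "Version": 1,
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": creds["Expiration"].strftime("%Y-%m-%dT%H:%M:%SZ"),
    })

def make_fake_broker():
    """Constructed stand-in for the credential broker; issues 1-hour credentials."""
    calls = []

    def fetch(role_arn, now):
        calls.append(role_arn)
        return {"AccessKeyId": f"ASIAEXAMPLE{len(calls):04d}",
                "SecretAccessKey": "constructed-secret",
                "SessionToken": "constructed-token",
                "Expiration": now + timedelta(hours=1)}
    return fetch, calls

def simulate():
    """A 2-hour job that asks for credentials every 5 minutes."""
    fetch, calls = make_fake_broker()
    cache = CredentialCache(fetch, "arn:aws:iam::111111111111:role/app-deploy")
    start = datetime(2021, 1, 1, tzinfo=timezone.utc)
    for minute in range(0, 121, 5):
        out = to_credential_process(cache.get(start + timedelta(minutes=minute)))
    return len(calls), json.loads(out)
```

Over the simulated two hours the broker is contacted three times, so the job never presents credentials with less than ten minutes of lifetime left.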

(docs, talk, demo)

ConsoleMe provides a step-by-step self-service wizard to help users request AWS IAM permissions.

Users no longer need to worry about the IAM JSON permissions syntax. They can simply search for their role and choose the permissions they need. ConsoleMe will generate an IAM policy and, if required, cross-account resource policies that are applicable to the request. Users can modify the generated policy if they desire, and then submit for approval.

Low-risk permission requests can be automatically approved.

ConsoleMe’s configurable self-service wizard offers the following features:

  1. Fully configurable based on an organization’s most common requests
  2. Typeaheads against all known AWS permissions and resource ARNs across an organization
  3. Automatic approval of low-risk permission requests, governed by ConsoleMe’s configuration and powered by Zelkova

ConsoleMe’s self-service wizard has reduced our response time in servicing access requests, provided more consistency in our IAM policies, and simplified AWS permissions for our users.

(docs, talk, demo)

ConsoleMe offers a native policy editor for popular resource types. Administrators use it to manage permissions and tags for common resource types. End-users can manipulate a resource and submit policy change requests.

The policy editor offers the following features:

  1. Cloud administrators can manage resource policies and tags directly
  2. End-users can manipulate policies and tags, then submit changes for approval
  3. Code editors provide typeaheads for AWS permissions and known AWS resources
  4. Policy templates make it easy to generate new inline policies consistently
  5. Users can view recent CloudTrail errors for a given resource
