Request IAM permissions through a self-service wizard
ConsoleMe provides a step-by-step self-service wizard to help users request AWS IAM permissions.
Users no longer need to worry about the IAM JSON permissions syntax. They can simply search for their role and choose the permissions they need. ConsoleMe will generate an IAM policy and, if required, cross-account resource policies that are applicable to the request. Users can modify the generated policy if they desire, and then submit for approval.
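To make the "identity policy plus, if required, cross-account resource policy" split concrete, here is an added example (not ConsoleMe's code) that generates both halves for an S3 access request. It assumes the caller already knows which account owns the bucket (ConsoleMe would get this from its AWS Config cache); the role ARN, bucket name and prefix in the usage are constructed. It also shows a detail the wizard has to get right: bucket-level actions such as s3:ListBucket target the bucket ARN, object-level actions target the object ARN, and ListBucket is scoped to the requested prefix.

```python
"""Generate the identity policy and, when the bucket lives in another
account, the matching bucket policy for a role's S3 access request.

Added example, not ConsoleMe's own code. The bucket's owning account is
passed in explicitly (assumption: the caller looks it up, e.g. from AWS Config).
"""

# Actions that are evaluated against the bucket ARN rather than object ARNs.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation"}


def generate_s3_access(role_arn, bucket, bucket_account, prefix="",
                       actions=("s3:ListBucket", "s3:GetObject")):
    """Return (identity_policy, bucket_policy).

    bucket_policy is None when the bucket is in the role's own account, since an
    identity-policy Allow is then sufficient; across accounts both the identity
    policy and the bucket policy must grant the access.
    """
    parts = role_arn.split(":")
    if len(parts) != 6 or parts[2] != "iam" or not parts[4].isdigit():
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    role_account = parts[4]
    bad = [a for a in actions if not a.startswith("s3:")]
    if bad:
        raise ValueError(f"non-S3 actions requested: {bad}")

    prefix = prefix.strip("/")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{prefix + '/' if prefix else ''}*"

    statements = []
    bucket_level = sorted(a for a in actions if a in BUCKET_LEVEL_ACTIONS)
    object_level = sorted(a for a in actions if a not in BUCKET_LEVEL_ACTIONS)
    if bucket_level:
        stmt = {"Sid": "BucketLevel", "Effect": "Allow",
                "Action": bucket_level, "Resource": bucket_arn}
        if prefix and "s3:ListBucket" in bucket_level:
            # Without this condition ListBucket would reveal every key in the bucket.
            stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}
        statements.append(stmt)
    if object_level:
        statements.append({"Sid": "ObjectLevel", "Effect": "Allow",
                           "Action": object_level, "Resource": object_arn})

    identity_policy = {"Version": "2012-10-17", "Statement": statements}
    if bucket_account == role_account:
        return identity_policy, None

    # Cross-account: mirror the statements into a bucket policy naming the role.
    bucket_policy = {"Version": "2012-10-17",
                     "Statement": [dict(s, Principal={"AWS": role_arn}) for s in statements]}
    return identity_policy, bucket_policy


if __name__ == "__main__":
    import json
    # Constructed request: a role in 111111111111 reading logs/ from a bucket in 222222222222.
    identity, bucket = generate_s3_access("arn:aws:iam::111111111111:role/app",
                                          "shared-data", "222222222222", prefix="logs")
    print(json.dumps({"identity_policy": identity, "bucket_policy": bucket}, indent=2))
```

When the bucket is in the same account the second return value is None and only the identity policy needs review; when it is not, both documents have to be applied, which is why a cross-account request touches two accounts' change workflows.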
ConsoleMe’s configurable self-service wizard offers the following features:
- Fully configurable based on an organization’s most common requests
- Typeaheads against all known AWS permissions and resource ARNs across an organization
- Automatic approval of low-risk permission requests, governed by ConsoleMe’s configuration and powered by Zelkova
ConsoleMe’s self-service wizard has reduced our response time in servicing access requests, provided more consistency in our IAM policies, and simplified AWS permissions for our users.
Utilize ConsoleMe’s native policy editors for advanced requests
ConsoleMe offers a native policy editor for popular resource types. Administrators use it to manage permissions and tags for common resource types. End-users can manipulate a resource and submit policy change requests.
The policy editor offers the following features:
- Cloud administrators can manage resource policies and tags directly
- End-users can manipulate policies and tags, then submit changes for approval
- Code editors provide typeaheads for AWS permissions and known AWS resources
- Policy templates make it easy to generate new inline policies consistently
- Users can view recent CloudTrail errors for a given resource
Today, ConsoleMe supports a small number of popular resource types. We’d love your help with adding support for new resource types. Reach out to us on Discord or better yet, create an issue or submit a pull request on GitHub.
Quickly locate and navigate to AWS resources within an organization
ConsoleMe provides a centralized, filterable view of your most critical cloud resources, synchronized from AWS Config. It allows users to quickly find an AWS resource across all of the accounts within an organization.
For resource types that ConsoleMe doesn’t have native policy editors for, ConsoleMe provides a link that will both log users into the AWS console and redirect them to the appropriate resource.
Create or clone IAM roles across accounts
ConsoleMe makes it easy for cloud administrators to create or clone new IAM roles across multiple AWS accounts. We created this feature because we found ourselves in the AWS Console copying and pasting various policies by hand.
The clone feature can copy one or more of the following to a new role:
- IAM role Trust Policies (Assume Role Policy Document)
- Inline Policies
- Managed Policies
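As an added example (not ConsoleMe's own code), the following script clones those three pieces from one role to another, including across accounts. The `iam_src` and `iam_dst` parameters are duck-typed after the boto3 IAM client calls used (get_role, list_role_policies, get_role_policy, list_attached_role_policies, create_role, put_role_policy, attach_role_policy), so real clients can be passed in; `FakeIAM` is a constructed in-memory stand-in so the example runs offline, and the `LOCKED_TRUST` placeholder and the role data in `demo()` are assumptions made here. Pagination of the list_* calls is omitted.

```python
"""Clone an IAM role (trust policy, inline policies, managed-policy attachments)
into a new role, optionally in another account.

Added example, not ConsoleMe's own code. iam_src/iam_dst are duck-typed after
the boto3 IAM client; FakeIAM is a constructed stand-in for offline use.
"""
import json

# Used when the caller chooses not to copy the trust policy: CreateRole requires
# one, and a Deny means nobody can assume the new role until an administrator
# sets a real trust policy. (Assumption for this example.)
LOCKED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}


def retarget_policy_arn(arn, dst_account):
    """Customer-managed policy ARNs embed an account id, so a clone into another
    account must attach that account's copy (which must already exist there).
    AWS-managed ARNs (account field 'aws') are global and are left alone."""
    parts = arn.split(":")
    if parts[4] != "aws":
        parts[4] = dst_account
    return ":".join(parts)


def clone_role(iam_src, iam_dst, src_name, dst_name, dst_account, *,
               trust=True, inline=True, managed=True):
    """Create dst_name in iam_dst from src_name in iam_src; return a summary.
    The trust policy is copied verbatim, so after a cross-account clone any
    principals from the source account in it may need editing."""
    src = iam_src.get_role(RoleName=src_name)["Role"]
    trust_doc = src["AssumeRolePolicyDocument"] if trust else LOCKED_TRUST
    iam_dst.create_role(RoleName=dst_name,
                        AssumeRolePolicyDocument=json.dumps(trust_doc),
                        Description=f"cloned from {src['Arn']}")
    summary = {"trust": trust, "inline": [], "managed": []}
    if inline:
        for name in iam_src.list_role_policies(RoleName=src_name)["PolicyNames"]:
            doc = iam_src.get_role_policy(RoleName=src_name, PolicyName=name)["PolicyDocument"]
            iam_dst.put_role_policy(RoleName=dst_name, PolicyName=name,
                                    PolicyDocument=json.dumps(doc))
            summary["inline"].append(name)
    if managed:
        for att in iam_src.list_attached_role_policies(RoleName=src_name)["AttachedPolicies"]:
            arn = retarget_policy_arn(att["PolicyArn"], dst_account)
            iam_dst.attach_role_policy(RoleName=dst_name, PolicyArn=arn)
            summary["managed"].append(arn)
    return summary


class FakeIAM:
    """Constructed in-memory stand-in for the boto3 IAM calls used above."""
    def __init__(self, account):
        self.account, self.roles = account, {}

    def _role(self, name):
        return {"RoleName": name, "Arn": f"arn:aws:iam::{self.account}:role/{name}",
                "AssumeRolePolicyDocument": self.roles[name]["trust"]}

    def get_role(self, RoleName):
        return {"Role": self._role(RoleName)}

    def create_role(self, RoleName, AssumeRolePolicyDocument, Description=""):
        if RoleName in self.roles:
            raise ValueError("EntityAlreadyExists")  # boto3 raises a ClientError here
        self.roles[RoleName] = {"trust": json.loads(AssumeRolePolicyDocument),
                                "inline": {}, "managed": []}
        return {"Role": self._role(RoleName)}

    def list_role_policies(self, RoleName):
        return {"PolicyNames": list(self.roles[RoleName]["inline"])}

    def get_role_policy(self, RoleName, PolicyName):
        return {"PolicyDocument": self.roles[RoleName]["inline"][PolicyName]}

    def put_role_policy(self, RoleName, PolicyName, PolicyDocument):
        self.roles[RoleName]["inline"][PolicyName] = json.loads(PolicyDocument)

    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self.roles[RoleName]["managed"]]}

    def attach_role_policy(self, RoleName, PolicyArn):
        self.roles[RoleName]["managed"].append(PolicyArn)


def demo():
    """Clone 'app-role' from account 111111111111 into 222222222222 (constructed data)."""
    src, dst = FakeIAM("111111111111"), FakeIAM("222222222222")
    src.roles["app-role"] = {
        "trust": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                  "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
        "inline": {"s3-read": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-data/*"}]}},
        "managed": ["arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
                    "arn:aws:iam::111111111111:policy/base-permissions"]}
    return clone_role(src, dst, "app-role", "app-role", "222222222222"), dst


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

Two things are worth checking before running this against real accounts: the customer-managed policy referenced by the retargeted ARN has to exist in the destination account, and the copied trust policy is the first thing to review, since a trust relationship that made sense in the source account may be over-broad in the destination.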
At Netflix, we use IAM roles instead of IAM users because roles only ever hand out short-lived temporary credentials (obtained through STS AssumeRole) rather than long-lived static access keys. IAM user access keys are more vulnerable to accidental exposure, harder to rotate, and generally harder to secure.
In addition, we prefer inline policies over managed policies for our IAM roles because an inline policy is scoped to a single role, which makes least privilege easier to enforce. A managed policy can be attached to many roles, so removing a permission from it is hard: some of those roles may depend on permissions that the others never use.
We use ConsoleMe in conjunction with RepoKid to remove unused permissions, and then to make the process of requesting them back as painless as possible.
ConsoleMe has example Terraform files that you can reference when you’re ready to deploy.
ConsoleMe still has a long way to go, and we could use your help. ConsoleMe and Weep work great for us here at Netflix, and we want them to work great for everyone else too. The best way to get started is to read through the documentation and code, install ConsoleMe, and take a look at our open issues to see what work needs to be done, or submit issues yourself.
Not a coder or an IAM expert? No problem. We have a lot of documentation that could use proofreading and clarifying to make it more approachable.
For more information on how you can get involved, check out our Contributing guide.
Also, we’re hiring! If you’re interested in these sorts of problems, take a look at https://jobs.netflix.com/teams/security, and apply.
Over the last couple of years, we’ve battle tested ConsoleMe and have added features to scale it with our needs at Netflix. We’ve now brought ConsoleMe out in the open. As companies adopt ConsoleMe, we want to continue growing it to address the unique challenges of large-scale cloud permissions management that many of us face.
We have a lot of plans for the future of ConsoleMe. Many of these goals are ambitious, and we can’t do it without your support. If any of these excite you, please reach out to us on our Discord channel or submit feature enhancements on GitHub.
Some of the ideas we have in mind are:
Easier Permissions Debugging
AWS permissions can be hard to debug with opaque Access Denied errors. We aim to simplify and automate the debugging process. This might include exposing and connecting information from the following sources:
- CloudTrail logs
- Service Control Policies
- Resource policies
- Permission boundaries
- Session policies
- Inline Policies
- Managed Policies
Ideally, users would be able to ask ConsoleMe whether an IAM role can take a specific action on a given resource. If not, ConsoleMe would provide an explanation and context about any policies that are preventing the action.
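The question "can this role take this action on this resource, and if not, which policy stops it?" can be answered by walking the policy layers in the order AWS evaluates them. The following is an added example written here, not ConsoleMe's code, and a deliberate simplification of AWS's evaluation logic: Condition blocks, Principal matching and the cross-account special cases are ignored, and SCPs, permissions boundaries and session policies are all treated as filters that must contain a matching Allow when present. The sample identity policy, SCP and boundary are constructed.

```python
"""Explain whether a principal can take an action on a resource, and which
policy layer decides it.

Added example, not ConsoleMe's own code; a simplified model of AWS policy
evaluation (no Conditions, no Principal matching, same-account only).
Wildcards follow IAM's '*' and '?'; fnmatch also treats '[' specially,
which real ARNs and action names do not contain.
"""
import fnmatch

GUARDRAILS = ("SCP", "permissions boundary", "session policy")


def _match(patterns, value, fold=False):
    pats = [patterns] if isinstance(patterns, str) else list(patterns)
    if fold:  # IAM action names are case-insensitive; resource ARNs are not
        pats, value = [p.lower() for p in pats], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _verdict(docs, action, resource):
    """'deny' if any statement explicitly denies, else 'allow' if any
    statement allows, else 'implicit' (nothing matched)."""
    verdict = "implicit"
    for doc in docs:
        stmts = doc.get("Statement", [])
        for s in [stmts] if isinstance(stmts, dict) else stmts:
            if "NotAction" in s:
                act_ok = not _match(s["NotAction"], action, fold=True)
            else:
                act_ok = _match(s.get("Action", []), action, fold=True)
            if "NotResource" in s:
                res_ok = not _match(s["NotResource"], resource)
            else:
                res_ok = _match(s.get("Resource", "*"), resource)
            if not (act_ok and res_ok):
                continue
            if s["Effect"] == "Deny":
                return "deny"
            verdict = "allow"
    return verdict


def explain(action, resource, *, identity=(), scps=(), boundary=None,
            session=None, resource_policy=None):
    """Return (allowed, reason) naming the layer that decided the outcome."""
    layers = {
        "SCP": list(scps),
        "permissions boundary": [boundary] if boundary else [],
        "session policy": [session] if session else [],
        "resource policy": [resource_policy] if resource_policy else [],
        "identity policy": list(identity),
    }
    verdicts = {name: _verdict(docs, action, resource) for name, docs in layers.items()}
    # 1. An explicit Deny in any layer wins.
    for name, v in verdicts.items():
        if v == "deny":
            return False, f"explicit Deny in {name}"
    # 2. Each guardrail that is present must itself allow the action.
    for name in GUARDRAILS:
        if layers[name] and verdicts[name] != "allow":
            return False, f"{name} is in place but contains no Allow for {action}"
    # 3. Something must actually grant the access.
    if verdicts["identity policy"] == "allow":
        return True, "Allow in identity policy"
    if verdicts["resource policy"] == "allow":
        return True, "Allow in resource policy (same-account principal assumed)"
    return False, "implicit deny: no identity or resource policy allows it"


# Constructed sample policies for a role in a single account.
IDENTITY = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"],
     "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"]}]}]
SCP = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}]
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}

if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::app-data/report.csv"),
                     ("s3:PutObject", "arn:aws:s3:::app-data/report.csv"),
                     ("s3:DeleteBucket", "arn:aws:s3:::app-data"),
                     ("ec2:StartInstances", "arn:aws:ec2:us-east-1:111111111111:instance/i-0abc")]:
        print(act, explain(act, res, identity=IDENTITY, scps=SCP, boundary=BOUNDARY))
```

Running it shows the three different answers a user would otherwise have to dig out of an opaque AccessDenied: PutObject is blocked by the permissions boundary even though the identity policy allows it, DeleteBucket is blocked by an SCP Deny, and StartInstances fails simply because nothing grants it. A real implementation would add Condition evaluation and the resource-policy rules for cross-account principals before trusting its verdicts.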
Support for Team Roles
We plan to add features supporting the creation and management of team roles. Team roles are IAM roles that an entire team has access to. These roles can be propagated across multiple accounts, and can have differing permissions on each account. A simplified management interface will make it easy to create, request, or modify a team role.
Enhanced Cross-Account Policy Generation
ConsoleMe only supports cross-account policy generation for a subset of resource types. We hope to expand this in the future and make generated policies as accurate as possible by adding awareness of permission boundaries and service control policies.
Decentralized Policy Request Management
Cloud administrators should have the option to no longer manage and review all policy requests. If ConsoleMe has context on the owner of a resource, and is able to determine that the policy is within a set of defined safety limits, policy requests should be routed to the owners of the resources affected by the policy.
On occasion, we need to roll back policy changes that either break an IAM role or prevent new functionality from working. ConsoleMe should allow users to revert a role to an older snapshot.
Centrally manage access and permissions across all of your clouds.
Here are some helpful resources:
We would like to give a special thanks to Srinath Kuruvadi, Jay Dhulia, the Cloud Infrastructure Security Team at Netflix, the Infosec team at Netflix, and our AWS partners.