Administrators should not create permanent user accounts for users of cloud services (except the root user, which should be carefully guarded and used very rarely). Access should be granted through automated role elevation that goes through an optional approval by one or more persons. Alertchimp helps achieve this without an in-house developed service. Alertchimp's own actions can be logged and audited in a way that the Alertchimp service cannot tamper with.
What it does
You can securely access your AWS accounts, and people can request short-term access to any role.
You can create a set of roles in your AWS accounts
Then create an organization in alertchimp and add people to it
No one has access to these roles by default (highly recommended for security anyway - even if you do not use alertchimp)
When someone needs to log in to AWS, s/he requests an elevation for her/himself (for 1-4 hours)
A person with approval permission approves the request
The person can access the account (assumes the role) and do any work on AWS
After 1-4 hours (based on the request parameter) the permission is revoked
There is a simple admin panel to manage all these
Next set of features
Forgot to add the auto approval - but you may make a user with approval permission so the user can self-approve requests
It will log all access and show an audit record (next dot release in a week or so)
Multiple approvers for high-impact roles.
Multi-factor authentication with hardware token support
On-call rotation (alert by SMS, call, app push) and an app to approve elevation requests and get paged
How is the software delivered?
How is the software is delivered?
Software as a Service, or deployed in the customer's own account / infrastructure.
This makes sure no one has any access to the AWS account (except root) by default but still can request and get elevated for a fixed period of time.
You do not need to sign up - just give your phone number and it'll send you a token.
If you are using it from outside the USA and it does not work, please let me know your country and I can white-list it maybe. Please do not abuse it - we are already poor. We can add protection but it'll have to wait until it becomes a tiny but useful tool.
This privacy notice discloses the privacy practices for https://www.alertchimp.com. This privacy notice applies solely to information collected by this website. It will notify you of the following:
What personally identifiable information is collected from you through the website, how it is used and with whom it may be shared.
What choices are available to you regarding the use of your data.
The security procedures in place to protect the misuse of your information.
How you can correct any inaccuracies in the information.
Information Collection, Use, and Sharing
We are the sole owners of the information collected on this site. We only have access to/collect information that you voluntarily give us via web forms, email or other direct contact from you. We will not sell or rent this information to anyone.
We will use your information to respond to you, regarding the reason you contacted us. We will not share your information with any third party outside of our organization, other than as necessary to fulfill your request, e.g. to ship an order.
Registration
In order to use this website, a user must first complete the registration form. During registration a user is required to give certain information (such as name, phone number and email address). This information is used to contact you about the products/services on our site in which you have expressed interest. At your option, you may also provide demographic information (such as photo, gender or age) about yourself, but it is not required. We use the third-party services Facebook Account Kit and GitHub sign-in and will only share necessary information with these sites.
Cookies, Session and Local Storage
We use the "cookies", "session storage" and "local storage" features of browsers on this site. These are pieces of data stored on a site visitor's hard drive to help us improve your access to our site and identify repeat visitors to our site. For instance, when we use session-stored data to identify you, you do not have to enter a password more than once, thereby saving time while on our site. This data can also enable us to track and target the interests of our users to enhance the experience on our site.
Your Access to and Control Over Information
You may opt out of any future contacts from us at any time. You can do the following at any time by contacting us via the email address or phone number given on our website:
See what data we have about you, if any.
Change/correct any data we have about you.
Have us delete any data we have about you.
Express any concern you have about our use of your data.
We take precautions to protect your information. When you submit sensitive information via the website, your information is protected both online and offline.
Wherever we collect sensitive information (such as credit card data), that information is encrypted and transmitted to us in a secure way. You can verify this by looking for a lock icon in the address bar and looking for "https" at the beginning of the address of the Web page.
While we use encryption to protect sensitive information transmitted online, we also protect your information offline. Only employees who need the information to perform a specific job (for example, billing or customer service) are granted access to personally identifiable information. The computers/servers in which we store personally identifiable information are kept in a secure environment.
Change in this policy document
We may change this policy at any time without notice and will post the latest version of the policy on our website for you to view.
AlertChimp manages users of cloud services like AWS and creates login sessions for a limited time.
It lets you log and audit each login.
It can add an approval workflow for users. For example, Bob wants to use the cloud service as a power user. He does not have that permission by default. He requests an elevation of privilege for a fixed time, such as 4 hours, and the request goes to Alice. When she approves, Bob's account gets an elevation for 4 hours. He can log in with that role for 4 hours, and then the privilege is revoked automatically.
It is possible to create Alerts based on request and logins. Alerts are delivered to phone or app.
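The request, approval and timed revocation flow described above (Bob requests, Alice approves, access lapses after the window), modelled as an added Python example. It is not Alertchimp's code; the class, field and event names are hypothetical, and expiry is assumed to be enforced by checking the clock on every access.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MIN_HOURS, MAX_HOURS = 1, 4  # elevation window stated on the page

class ElevationError(Exception):
    pass

@dataclass
class Member:
    name: str
    can_approve: bool = False  # the page's "approval permission"

@dataclass
class ElevationRequest:
    requester: Member
    role: str
    hours: int
    approved_by: Optional[str] = None
    expires_at: Optional[datetime] = None  # None means never approved

class Organization:
    def __init__(self):
        self.audit = []  # append-only record of every decision

    def _log(self, now, event, req, actor):
        self.audit.append((now.isoformat(), event, req.requester.name, req.role, actor))

    def request(self, member, role, hours, now):
        if not MIN_HOURS <= hours <= MAX_HOURS:
            raise ElevationError(f"duration must be {MIN_HOURS}-{MAX_HOURS} hours")
        req = ElevationRequest(member, role, hours)
        self._log(now, "requested", req, member.name)
        return req

    def approve(self, req, approver, now):
        if not approver.can_approve:  # refused attempts are audited too
            self._log(now, "approval_denied", req, approver.name)
            raise ElevationError(f"{approver.name} lacks approval permission")
        req.approved_by = approver.name
        req.expires_at = now + timedelta(hours=req.hours)
        self._log(now, "approved", req, approver.name)

    def may_assume(self, req, now):
        # Deny by default: unapproved or expired requests never grant access.
        ok = req.expires_at is not None and now < req.expires_at
        self._log(now, "access_granted" if ok else "access_refused", req, req.requester.name)
        return ok
```

Passing `now` in explicitly keeps the expiry logic testable; a member with `can_approve=True` can approve their own request, which matches the self-approval workaround mentioned above.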