Monday, August 19, 2019

Frequently asked questions for alertchimp

TL;DR: https://ugly.alertchimp.com/ and watch the demo video. Please share your thoughts. No signup required to access the service.

What problem does it solve?

Administrators should not create permanent user accounts for users of cloud services (except the root user, which should be carefully guarded and used very rarely). Access should be granted through automated role elevation that goes through an optional approval by one or more persons. Alertchimp helps achieve this without an in-house developed service. Alertchimp's own actions can be logged and audited in a way that the Alertchimp service cannot tamper with.

What it does

You can securely access your AWS accounts, and people can request short-term access to any role.

The workflow

  • You can create a set of roles in your AWS accounts
  • Then create an organization in alertchimp and add people to it
  • No one has access to these roles by default (highly recommended for security anyway - even if you do not use alertchimp)
  • When someone needs to log in to AWS, s/he requests to elevate her/himself (for 1-4 hours)
  • A person with approval permission approves the request
  • The person can access the account (assumes the role) and do any work on AWS
  • After 1-4 hours (based on request parameter) the permission is revoked
  • There is a simple admin panel to manage all these
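
The workflow above, modeled as an added example (not alertchimp's own code): an in-memory sketch of request, approval and timed revocation with deny-by-default access. The class names, users and role name are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MIN_HOURS, MAX_HOURS = 1, 4  # elevation window from the workflow above

@dataclass
class Elevation:
    user: str
    role: str
    hours: int
    approved_by: str | None = None
    expires_at: datetime | None = None  # set only on approval

@dataclass
class Org:
    approvers: set[str]  # members holding approval permission
    grants: list[Elevation] = field(default_factory=list)

    def request(self, user: str, role: str, hours: int) -> Elevation:
        if not MIN_HOURS <= hours <= MAX_HOURS:
            raise ValueError("elevation must last 1-4 hours")
        req = Elevation(user, role, hours)
        self.grants.append(req)
        return req

    def approve(self, req: Elevation, approver: str, now: datetime) -> None:
        # Self-approval works only if the requester holds approval permission.
        if approver not in self.approvers:
            raise PermissionError(f"{approver} lacks approval permission")
        if req.approved_by is not None:
            raise ValueError("already approved; re-approval must not extend the window")
        req.approved_by = approver
        req.expires_at = now + timedelta(hours=req.hours)

    def can_assume(self, user: str, role: str, now: datetime) -> bool:
        # Deny by default: access exists only inside an approved, unexpired window.
        return any(g.user == user and g.role == role and g.expires_at is not None
                   and now < g.expires_at for g in self.grants)

def demo() -> tuple[bool, bool, bool]:
    t0 = datetime(2019, 8, 19, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    org = Org(approvers={"alice"})  # hypothetical users and role name
    req = org.request("bob", "prod-admin", hours=2)
    before = org.can_assume("bob", "prod-admin", t0)
    org.approve(req, "alice", t0)
    during = org.can_assume("bob", "prod-admin", t0 + timedelta(hours=1))
    after = org.can_assume("bob", "prod-admin", t0 + timedelta(hours=2))
    return before, during, after
```
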

Next set of features

  • Forgot to add auto approval - but you may give a user approval permission so that the user can self-approve requests
  • It will log all access and show audit records (next dot release in a week or so)
  • Multiple approvers for high-impact roles
  • Multi factor authentication with hardware token support
  • On-call rotation (alert by SMS, call, app push) and app to approve elevation request and get paged

How is the software delivered?

Software as a Service, or deployed in the customer's own account / infrastructure.

This makes sure no one has any access to the AWS account (except root) by default, but can still request and get elevated for a fixed period of time.
You do not need to sign up - just give your phone number and it'll send you a token.
If you are using it from outside the USA and it does not work, please let me know your country and maybe I can whitelist it. Please do not abuse it - we are already poor. We can add protection but it'll have to wait until it becomes a tiny but useful tool.
