Netflix has recently open-sourced ConsoleMe, an AWS multi-account management service, and its CLI utility, Weep. The tools provide a central control plane for permissions management across all of an organization's AWS accounts and help to implement the principle of least privilege.
ConsoleMe allows users to access the AWS console, retrieve and serve short-lived AWS credentials through Weep, request IAM permissions through a step-by-step self-service wizard, create or clone IAM roles across accounts, or use policy editors for advanced requests. Extensible and pluggable, the tool currently supports permissions for IAM roles, S3 buckets, SQS queues, and SNS topics using the built-in policy editor.
Starting with Chaos Monkey, a project released in 2012 that randomly terminates EC2 instances, Netflix has open-sourced several products used to manage its AWS infrastructure, along with other internal projects. In the past year, as covered by InfoQ, the company has released the Domain Graph Service Framework and Dispatch, its crisis management orchestration framework.
With an article on the Netflix Technology Blog, the team explains the motivation behind ConsoleMe:
Growth in the cloud has exploded, and it is now easier than ever to create infrastructure on the fly. Groups beyond software engineering teams are standing up their own systems and automation. This is an amazing movement providing numerous opportunities for product innovation, but managing this growth has introduced a support burden of ensuring proper security authentication & authorization, cloud hygiene, and scalable processes. At many companies, managing cloud hygiene and security usually falls under the infrastructure or security teams. They are the one-stop-shop for cloud permissions and access. As the company scales, this centralized and manual management approach falls over, becoming impractical for both operations teams and their users.
Curtis Castrapel, senior cloud security software engineer at Netflix, presented "Untangling multi-account management with ConsoleMe" at the latest AWS re:Invent, a talk that covers the new tool and includes a demo of its functionality. ConsoleMe uses Celery to run tasks on a schedule or on demand, such as data processing and caching or AWS infrastructure updates and modifications. The open-source Celery tasks include caching IAM roles, SQS queues, SNS topics, and S3 buckets to Redis/DynamoDB and reporting Celery metrics.
Victor Grenu, an independent cloud infrastructure architect, suggests that ConsoleMe might be the missing AWS Organizations console, and Christopher Hughes, principal cybersecurity engineer at Rise8, explains why ConsoleMe is needed:
Identity and Access Management as well as managing permissions with accounts/roles continues to be a challenge for many organizations in cloud environments and in Amazon Web Services.
Victor Maevskiy, product solutions engineer at Google, agrees:
This would make the lives of many DevSecOps engineers so much better! Especially useful when a large complex organization has to create several additional AWS accounts for accounting and billing purposes.
Going forward, Netflix plans to add easier permissions debugging, support for the creation and management of team roles, enhanced cross-account policy generation, policy rollback, decentralized policy request management, and multi-cloud support.