As organizations increasingly adopt cloud services such as Amazon Web Services (AWS) to improve their digital infrastructure, managing access permissions becomes a crucial concern. In AWS, addressing ad hoc access within an AWS Organization can be especially challenging.
Background
In our daily, our cloud operation team operate more than a hundred accounts within our AWS Organization. The process of granting user access to an account might appear straightforward with just a few accounts, but as we continue to grow, managing a vast array of permissions presents its own distinct challenges.
For example, an operator may need to request temporary access to a project team's AWS account to perform maintenance work. With hundreds of requests like this daily, our team burnt out. We realized that action needed to be taken.
In this blog post, we will explore JIT, our internal access manager that helps make cloud access more secure.
Solutions
Why not use an existing solution, you may ask. Although there are some solutions out there from CyberArk and even AWS itself, we have a few constraints that are convincing enough to create our own masterpiece:
We need a more customizable approval step. An approval step might come from different people, with the ability for an approver to delegate their job to others while they're busy, for example, on vacation.
We need to have a mechanism for grouping permission sets. In AWS, permission sets are created and ready to use for any account in its AWS organization.
We want to allow ticket requesters to extend their ticket time frame.
Our requester might be a team manager who wants to request tickets for other user.
Let's dive deeper
We will split JIT into smaller services:
Ticket service
Approval service
Approval rule service
Permission set manager service
Account manager service
Notification service
Audit service
...
Requester sequence diagram:
Approver sequence diagram:
Requester request ticket
Ticket is approved, account assignment created when timer starts
Approver can audit user session
At the heart of JIT is Temporal, which we use to orchestrate background processes handling notifications, approval verification logic, and resource creation logic. Temporal greatly assists us in building durable workflows with multiple parallel logic branches. Additionally, Temporal's workflow status query and workflow signal help simplify a significant amount of implementation code. We can see what's happening in the workflow of each ticket and send signals to it.
Since we are only creating account assignments behind the scenes, we've decided that Terraform (a popular IaC tool written in Go) is overkill. Instead, we create resources directly with the AWS Go SDK v2 and utilize Temporal workflows with a simple stack to record which resources were created, allowing us to clean them up afterward.
Authorization in JIT is implemented with Casbin, a popular authorization library also written in Go. Each approval rule/permission set access scope is converted to a Casbin policy. With a careful use of Casbin, we can enforce our own customizable logic into AWS permission set 🎉
Building the UI was also a challenge for us, as the UI needed to be as familiar as possible to end users. Since we work in an enterprise that recently adopted AWS, we want users to feel at home whether they are using the actual AWS console or the JIT console. Fortunately, AWS has their design system open-sourced under the name Cloudscape. Users will have an AWS-like experience when using JIT.
We hope that we can release JIT to open source world soon, stay tuned!
Top comments (0)