Opal + Amazon Web Services
AWS (Amazon Web Services) is a comprehensive, evolving cloud computing platform that includes a mixture of infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and packaged-software-as-a-service (SaaS) offerings. AWS services can offer an organization tools such as compute power, database storage and content delivery services.
Opal supports broad integrations into Amazon Web Services through API-based connections. To support enterprise deployments, we integrate with AWS Accounts, AWS Organizations, and AWS Identity Center (formerly known as SSO). Without proxies or agents, Opal can automatically discover managed services and be deployed in minutes. To explain our integration approaches, we have created a deployment overview.
Start-ups to publicly traded companies trust our platform to build, maintain, and automate access management best practices.
1. The right people having access: decentralized access to AWS
In the product, every resource and group has Admins and Required Reviewers. Admins are responsible for setting necessary security configurations, such as:
- Who should be able to see this resource in their app catalog?
- What is the maximum duration for which “write” access can be requested?
- Does the approver need 2FA?
Required reviewers are the teams and managers that can approve the request. Example workflows would include:
- Managers must approve access requests to a customer database before the InfoSec team does
- Read-only access to SSH can be auto-approved
This context matters: it lets companies increase both productivity and security. Access requests are routed directly to the people who understand the applications and their boundaries, bypassing manual follow-ups over freeform justifications. Approvers get the information they need quickly through configurable request templates and have a simple, auditable way to ask for more.
2. Having the right amount of access: granular cloud resources
IAM roles govern access to AWS services. These roles are critical for provisioning bulk access to developers. However, they are most commonly distributed based on coarse, user-based attributes such as belonging to a large, multi-purpose engineering team. For this reason, typical management of IAM roles suffers from a few critical problems:
- Access is indefinite and not dynamic.
- It’s difficult to understand how roles are grouped or “bundled.”
- Roles need to be manually managed and updated by operators.
Opal solves this problem through resources. By automatically syncing with AWS tags, Opal can represent databases, servers, IAM roles, Kubernetes clusters, and applications as resources. Individual permissions on a resource, such as ReadOnly or Admin, are known as access levels. In Opal’s catalog, developers can browse and request access to resources directly. Operators can also map resources to familiar identity provider groups, so those relationships stay transparent and well understood, for the best of both worlds.
3. Having access for the right amount of time: context-based access
Once permissions are granted to employees, they usually keep that access until they leave the company, even though most employees do not need permanent access. Since most provisioning processes are fairly manual, companies lack the resources or time to de-provision access. People who were granted access for a one-off task, changed departments, or were simply over-provisioned keep that access long after they need it.
The first shift that Opal brings is the concept of just-in-time access. Rather than inheriting birthright access, employees have to request it explicitly. To make this process efficient, Opal has heavily invested in Slack automation, delegation, and self-service user experience.
The second shift that Opal brings is time-based access. Usually, an engineer only needs access temporarily to accomplish a defined task; once it is completed, the access is no longer needed. Employees specify the duration of their access request, and the access is automatically deprovisioned when it elapses. Reviewers can also reject a request if they think the duration is unnecessarily long for the task.
The third shift is event-based access. While time-based access revokes permissions after a specified duration, such as one day or one week, event-based access revokes permissions once a specific task is complete. For example, engineers can be granted access based on on-call schedule membership or an assigned support ticket.
4. Unifying identity governance with privileged access management
Thus far, we have covered how Opal can help provide granular, short-lived, just-in-time access. However, access is only half of the problem. The other half is credential management. Traditionally, engineers use shared credentials from a centralized vault, which presents security risks and operational challenges:
- Locally stored credentials, such as AWS IAM session tokens, keep working even after an operator loses access to their email during termination.
- Shared credentials make it impossible to attribute logins or session activity based on identities.
- Rotating passwords to servers and databases is a manual, labor-intensive process prone to human error.
With Opal, developers can automatically generate identity-based credentials that expire after 15 minutes. This workflow strengthens a company's security posture and eliminates an entire category of operational tasks.
1. In the Apps sidebar, click on "New App", and select Amazon Web Services
2. Opal requires an IAM user to manage your AWS Cloud on your behalf. To simplify the process of creating a user with the proper IAM policies, you can use our official CloudFormation Stack to automatically generate one.
- Once the user is created, admins just need to fill out the form with the user's access key ID and secret access key.
Developers can easily discover and request just-in-time, short-lived access to IAM roles. Additionally, developers can request the creation of new IAM roles.
All access is granted through attributable federated IAM sessions. With Opal, engineers can access roles via the AWS web console or the command line.
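The attribution point above, as an added example that is not Opal's own code: it parses constructed CloudTrail-style records, maps each API call back to the federated session name that identifies the requester, and flags AssumeRole calls whose session name is generic or whose requested lifetime exceeds the 15-minute window. The field names follow CloudTrail's schema; the session-naming policy (e-mail address as RoleSessionName) is an assumption for this example.

```python
import re
from collections import defaultdict

# An assumed-role (federated) principal ARN ends in the RoleSessionName chosen at AssumeRole time.
ASSUMED_ROLE_ARN = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>.+)$")

# Assumed policy: sessions are named after the requesting human (e-mail) and last at most 15 minutes.
MAX_SESSION_SECONDS = 900
IDENTITY_SESSION_NAME = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample CloudTrail records (not real data), trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ProdReadOnly",
                           "roleSessionName": "alice@example.com", "durationSeconds": 900}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ProdReadOnly/alice@example.com"}},
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ProdAdmin",
                           "roleSessionName": "botocore-session-1704877200", "durationSeconds": 3600}},
    {"eventName": "GetSecretValue", "eventSource": "secretsmanager.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ProdAdmin/botocore-session-1704877200"}},
]


def attribute_principal(arn):
    """Return (role, session_name) for an assumed-role ARN, or None for any other principal."""
    m = ASSUMED_ROLE_ARN.match(arn)
    return (m.group("role"), m.group("session")) if m else None


def audit_events(events):
    """Map API activity to session names and flag sessions breaking the attribution/lifetime policy."""
    activity = defaultdict(list)  # session name -> [(role, eventName), ...]
    findings = []
    for ev in events:
        if ev["eventName"] == "AssumeRole":
            params = ev["requestParameters"]
            role = params["roleArn"].rsplit("/", 1)[-1]
            name = params["roleSessionName"]
            if not IDENTITY_SESSION_NAME.match(name):
                findings.append(f"unattributable session name {name!r} on role {role}")
            if params.get("durationSeconds", 3600) > MAX_SESSION_SECONDS:  # STS default is 1 hour
                findings.append(f"role {role} session exceeds {MAX_SESSION_SECONDS}s")
        elif ev.get("userIdentity", {}).get("type") == "AssumedRole":
            parsed = attribute_principal(ev["userIdentity"]["arn"])
            if parsed:
                activity[parsed[1]].append((parsed[0], ev["eventName"]))
    return dict(activity), findings
```

Run against real CloudTrail exports, the same two checks separate activity you can attribute to a person from activity behind a generic or over-long session.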
Opal supports AWS-managed RDS databases out of the box. Database access can be scoped to any granularity your database allows, including table- and even column-level access. Developers can easily discover and request just-in-time, short-lived access to RDS databases. All databases can be accessed using your favorite third-party database viewers, like Postico, or through the command line.
Opal supports AWS-managed servers using Amazon Secure Session Manager (SSM). This allows developers to move away from private key rotation and manage server access using federated IAM sessions. In addition, all sessions will be recorded and captured for later auditing!
Opal lets you define fine-grained access controls for Kubernetes clusters on EKS using federated IAM sessions. This simplifies access control by unifying it under AWS IAM, while letting developers connect easily and request new access to many different clusters. As with the other integrations, sessions are logged and captured with solid attribution.