https://github.com/broamski/cooper
A web portal to access all of your AWS accounts with ease
A web portal to access all of your AWS accounts with ease
- Host: GitHub
- URL: https://github.com/broamski/cooper
- Owner: broamski
- License: gpl-3.0
- Created: 2017-01-04T19:07:32.000Z (almost 9 years ago)
- Default Branch: master
- Last Pushed: 2017-12-06T21:27:05.000Z (almost 8 years ago)
- Last Synced: 2024-06-20T11:59:40.812Z (over 1 year ago)
- Language: Go
- Homepage:
- Size: 104 KB
- Stars: 3
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# cooper
Broker access to all of your AWS accounts
----
Consider the scenario where you need access to a number of AWS accounts. You may **own** or **manage** _(have administrator access or root credential access)_ some or all of these accounts. Regardless, the management cost of accessing these accounts via individual IAM Users grows linearly as the number of accounts increases. Thankfully, AWS has lessened the burden by offering the ability to obtain access to any number of accounts through the Security Token Service (STS). **`cooper`** uses the `AssumeRole` and `GetFederationToken` STS API actions to give you a simple way to access all of your accounts.
### Implementation Details
Option 1: Run cooper on EC2, leveraging IAM Roles for Amazon EC2, eliminating the need to store authoritative credentials in code or config.
Option 2: Run cooper on compute resources outside of AWS, such as your datacenter or another provider. This is least preferred, as you fork your security framework and are required to use IAM user access keys.
Create an AWS account exclusively for cooper operations. This reduces the blast radius and improves the security posture of cooper.
----
### Concepts
#### **Target** - A `Target` is any IAM Role or Federated User that you could potentially become.
----
#### Build Specifications
##### Technologies
- DynamoDB for persistent storage of cooper data
- KMS -- A KMS Key is required for encrypting and referencing sensitive data
#### Authentication
Extendable and flexible, to include any number of these:
- Local authentication scheme (local meaning handled on the backend)
- SAML Integration - Use your typical SSO: Okta, OneLogin, etc.
#### Authorization
Administrators
- Can add/remove/modify targets and their group associations
- Determined via IdP group membership
Assumption Targets
- IAM Roles
- Federated Users
**High Security Areas** - If an Admin user is operating within a sensitive area, require that the user set up a local TOTP which they must provide in order to perform the particular operation.
----
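The TOTP step-up gate described above for admin operations in high-security areas, as an added example in Go that is not part of cooper's own code. It assumes a per-user secret is stored on the backend; the group name `cooper-admins`, the function names and the RFC 6238 test secret are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp returns the 6-digit RFC 4226 code for a counter (HMAC-SHA1, dynamic truncation).
func hotp(secret []byte, counter uint64) int {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	return int((binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff) % 1000000)
}

// totpAt is the RFC 6238 code for a Unix time with a 30-second step.
func totpAt(secret []byte, unix int64) int { return hotp(secret, uint64(unix/30)) }

// VerifyTOTP accepts the current step or one step either side, comparing in constant time.
func VerifyTOTP(secret []byte, code string, unix int64) bool {
	ok := false
	for skew := int64(-1); skew <= 1; skew++ {
		want := fmt.Sprintf("%06d", totpAt(secret, unix+skew*30))
		ok = ok || hmac.Equal([]byte(want), []byte(code))
	}
	return ok
}

// AdminOpAllowed gates a target change: IdP admin group required, plus a valid TOTP in a high-security area.
func AdminOpAllowed(groups []string, adminGroup string, highSec bool, secret []byte, code string, unix int64) bool {
	isAdmin := false
	for _, g := range groups {
		isAdmin = isAdmin || g == adminGroup
	}
	if !isAdmin {
		return false
	}
	return !highSec || VerifyTOTP(secret, code, unix)
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret (constructed); a real deployment stores a per-user secret
	fmt.Println(AdminOpAllowed([]string{"cooper-admins"}, "cooper-admins", true, secret, "287082", 59)) // true
}
```

The accepted skew of one step either side bounds clock drift; a replay check on the last accepted step is still needed in a real deployment.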
#### Execution Examples
`cooper -setup` - Creates the necessary DynamoDB tables when first installing the app. This does not start the application.
`cooper -encrypt -encrypt-payload "AKIAIOSFODNN7EXAMPLE|wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" --kmskey 0bd3695d-96a9-4642-8477-0a95e3b968fd -region us-east-1` - This will output a base64 encoded string you can use to supply the "Federation Keys" field when creating a new target
`cooper -region us-east-1` - Starts the application