Tidy Cloud AWS issue #20 - Detecting ClickOps, using Granted for multiple AWS account access 

Hello all!

Welcome to the next issue of the Tidy Cloud AWS bulletin!

This issue of the bulletin talks about detecting manual changes in the AWS console, plus a simple tool for assuming and switching between AWS credentials.

Enjoy!

Detecting ClickOps

If you are setting up your cloud infrastructure with infrastructure-as-code, one goal may be to prevent resources from being set up manually through the AWS Console, also known as ClickOps. There are multiple reasons for this: manual changes can mess up your automated infrastructure setup, and manually created infrastructure may turn into snowflakes that are hard to repeat, reproduce or manage.

For this reason, you may look for ways to detect undesired ClickOps. One way, if you are using CloudFormation, or something that generates CloudFormation (such as AWS CDK), is to use CloudFormation drift detection. This checks whether what was deployed via CloudFormation is actually the same as what is running right now.

You can trigger and set up CloudFormation drift detection via CloudFormation, via AWS CLI, AWS Tools for PowerShell, or also via ClickOps (!). If you want to read more about it, look at the articles about How to detect messed up CloudFormation resources.

Another approach is to capture any activity in the AWS Console that changes or creates AWS resources. This can be done by monitoring CloudTrail events and selecting those that appear to come from the AWS Console and that may change or create resources.

This article outlines an approach to implement this (via ClickOps!): https://towardsdatascience.com/protect-your-infrastructure-with-real-time-notifications-of-aws-console-user-changes-3144fd18c680

Inspired by this, there is also an infrastructure-as-code implementation for this, using Terraform: https://github.com/phzietsman/aws-slack-clickoops-watcher

Thank you to Ricardo Sueiras and Corey Quinn for pointing to this setup.
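The CloudTrail filtering described above, sketched as an added example (not code from the linked article or the Terraform project): it keeps events that look like they came from a console session and that are not read-only. The sample records are constructed, and the user-agent match and the read-only name prefixes are heuristic assumptions.

```python
# Constructed sample CloudTrail records, trimmed to the fields used below.
ARN = "arn:aws:iam::111122223333:user/"  # placeholder account id
SAMPLE_EVENTS = [
    {"eventTime": "2022-05-01T09:12:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "readOnly": False,
     "sessionCredentialFromConsole": "true",
     "userAgent": "Mozilla/5.0 (constructed)", "userIdentity": {"arn": ARN + "alice"}},
    {"eventTime": "2022-05-01T09:13:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True,
     "sessionCredentialFromConsole": "true",
     "userAgent": "Mozilla/5.0 (constructed)", "userIdentity": {"arn": ARN + "alice"}},
    {"eventTime": "2022-05-01T09:20:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "readOnly": False,
     "userAgent": "aws-cli/2.0 (constructed)", "userIdentity": {"arn": ARN + "ci"}},
    # Older-style record: no readOnly and no sessionCredentialFromConsole field.
    {"eventTime": "2022-05-01T09:31:55Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userAgent": "console.amazonaws.com", "userIdentity": {"arn": ARN + "bob"}},
]

# Assumption: names starting with these verbs do not change resources.
READ_PREFIXES = ("Get", "List", "Describe", "Head", "Lookup", "Search")

def from_console(event):
    """True if the record looks like it came from an AWS Console session."""
    if str(event.get("sessionCredentialFromConsole", "")).lower() == "true":
        return True
    # Fallback heuristic for records that lack the field.
    return "console.amazonaws.com" in event.get("userAgent", "")

def is_mutating(event):
    """True if the record may have created or changed a resource."""
    if event.get("eventSource") == "signin.amazonaws.com":
        return False  # console logins are not resource changes
    read_only = event.get("readOnly")
    if read_only is not None:
        return str(read_only).lower() != "true"
    return not event.get("eventName", "").startswith(READ_PREFIXES)

def find_clickops(events):
    """Return (time, principal, service, action) for console-made changes."""
    return [(e["eventTime"], e.get("userIdentity", {}).get("arn", "unknown"),
             e["eventSource"], e["eventName"])
            for e in events if from_console(e) and is_mutating(e)]

if __name__ == "__main__":
    for finding in find_clickops(SAMPLE_EVENTS):
        print(" | ".join(finding))
```

In a real deployment the same two predicates would run over events delivered from CloudTrail, with the findings sent to a notification channel instead of printed.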

Granted

This is another neat tool which I picked up from a Corey Quinn podcast: Granted

It is simply a brilliant command-line tool which allows you to get and assume the credentials of any AWS profile you have set up, both regular IAM access keys and AWS SSO logins.

There are multiple tools available in this space, but I think Granted stands out with the simple and nice user experience it provides. You get two commands, called granted and assume. The assume command is the one that you will do your daily credentials work with.

After installation and shell setup, you will be able to just run the command assume:

assume

You can use the arrow keys to select the profile you want from the list. It will then assume those credentials, asking for an MFA code if needed, etc. The credentials are then active in your command-line window. If you want to use a specific AWS profile, you simply enter the name of that profile as an argument:

assume myprofile

This is all good as it is, but an additional nicety is that you can also use it to open up an appropriate browser window/tab for that login, e.g.,

assume -c myprofile

The first time, you can select which browser to use. My recommendation is to use Firefox, since its container tab feature allows you to easily have multiple logins at the same time in different tabs. Granted includes setup of a plugin for using this feature as well.

You can also specify the region and which service the browser window should open up in, for example, to open up the EC2 service in the Stockholm region:

assume -c myprofile -r eu-north-1 -s ec2

Only a handful of services are available this way, though. It is quite a nice tool, and it is open-source too. Go to https://granted.dev to find out more!

You can find the contents of this bulletin and older ones, and more at Tidy Cloud AWS. You will also find other useful articles around AWS automation and infrastructure-as-software.

Until next time,

/Erik