Netflix’s Tool Fixes AWS Permission Whack-A-Mole. (Now For Everything Else!)

May 18, 2021
by Paul Roberts

Netflix isn’t just your favorite video streaming service. It is also a powerful development shop and technology “first mover” on many fronts – cyber security and privacy among them.

That’s why the folks at Zilla have taken a particular interest in a new tool from Netflix aimed at helping with a problem that’s familiar to us: cloud entitlements.

Netflix introduced the new tool, dubbed ConsoleMe, on March 10, describing it as a “multi-account AWS Swiss Army knife” designed to provide a single web interface (some might call it a “console” 😉 ) for managing multiple Amazon Web Services (AWS) accounts.

Self-Service for IAM on AWS? OMG!

Developed internally at Netflix for use by the company’s user support team, ConsoleMe supports self-service requests and management of permissions for IAM roles, S3 buckets, SQS queues, SNS topics, and more. The company released the tool as open source, along with a companion CLI utility (dubbed Weep), as part of Amazon’s re:Invent 2020 conference.

Why is Netflix developing open source tools to make managing cloud entitlements for Amazon customers easier? After all, isn’t Amazon a Netflix competitor? It helps to understand a couple of things about Netflix. First and foremost, Netflix is a huge Amazon customer. In fact, as this AWS case study notes, “Netflix uses Amazon Web Services (AWS) for nearly all its computing and storage needs, including databases, analytics, recommendation engines, video transcoding, and more.” In all, that adds up to hundreds of functions and more than 100,000 server instances on AWS.

In other words, while Amazon’s Prime streaming service may be a big competitor of Netflix’s own streaming services, Netflix is also highly reliant on AWS to run its business. Welcome to the 21st Century!

The other thing to take note of is Netflix’s technology-first culture and long-standing commitment to “giving back” to the open source community that the company, itself, is deeply reliant on. ConsoleMe and Weep are just the latest in a string of security and optimization tools with names like Scrumblr, FIDO and Stethoscope that have emerged from Netflix’s top-shelf internal development team.

A Pain Point: Cloud Entitlement Management

The new tools highlight a growing tension point for sophisticated, technology-dependent organizations like Netflix: how to manage security and entitlements across sprawling cloud applications and infrastructure. As described by Netflix’s Curtis Castrapel, Patrick Sanders, and Hee Won Kim, the process at Netflix before the development of the tool that became ConsoleMe was highly manual, time-consuming and resource-intensive. The company’s Cloud Infrastructure Security team was the sole arbiter of AWS permissions and had to handle numerous requests from Netflix employees for cloud permissions and access.

The multi-step process of granting those permissions, as well as provisioning access to both AWS and other resources, often devolved into a game of permissions “Whack-a-Mole,” as the team and the requesting employee chased down cryptic “access denied” messages in an effort to make the access grant or integration work.

End Users Take The Lead

Netflix’s new tool is a great resource that allows requestors themselves to request IAM permissions through a self-service wizard, craft their own access policies using a policy editor, and locate and navigate to AWS resources within their organization that they may wish to get access to. Cloud administrators can use the tool to manage IAM and resource policies directly, without needing to log in to the AWS Console, as well as create new AWS accounts or clone IAM roles across accounts.

According to the Netflix blog, cloud administrators can manage resource policies and tags directly using ConsoleMe, while end-users can make (suggested) changes to access policies and tags, then submit changes for approval. Policy templates make it easy to generate new inline policies consistently across an organization while users can view recent CloudTrail errors for a given resource to spot problems.

Life Beyond Amazon

No doubt ConsoleMe and Weep will be a huge time saver when it comes to provisioning. Considering it is an open-source project, someone will most likely extend support to other platforms such as Azure, Google Cloud and even private cloud. However, provisioning is just the beginning of the path towards least privilege.

The key to maintaining least privilege is to keep track of those permissions and periodically assess whether the permissions still need to be there. This challenge is not limited to AWS; it extends across all cloud applications. In fact, the cloud has caused an explosion of permissions across a myriad of systems. It is important to both gain visibility into and review these permissions. And that’s what Zilla provides.

Zilla automates all aspects of user access reviews starting with:

  1. Automatically connecting to systems to gather permissions data
  2. Automating the cleanup of permissions data and
  3. Automating access reviews so business users can bring in their context to decide whether permissions should be maintained or revoked.
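
As an added illustration (not code from ConsoleMe, Weep, or Zilla), the sketch below runs the two checks the article describes over constructed data: it counts “access denied” CloudTrail errors per action, and it lists granted actions that never appear in use and are therefore candidates for review. The policy, the events, and the assumption that an IAM action equals the `eventSource` service label plus the `eventName` are simplifications made for this example.

```python
import fnmatch
from collections import Counter

# Constructed inline policy for a hypothetical role.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "sqs:*", "Resource": "*"},
]}

# Constructed CloudTrail records, reduced to the fields used below.
EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "sns.amazonaws.com", "eventName": "Publish", "errorCode": "AccessDenied"},
    {"eventSource": "sqs.amazonaws.com", "eventName": "SendMessage"},
    {"eventSource": "sns.amazonaws.com", "eventName": "Publish", "errorCode": "AccessDenied"},
]

DENIED_CODES = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}

def action_of(event):
    # Assumption: IAM prefix == first label of eventSource, action == eventName.
    # This holds for many services but not all; real tooling needs a mapping table.
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"

def allowed_patterns(policy):
    """Collect Action patterns from Allow statements (string or list form)."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            actions = stmt["Action"]
            patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns

def review(policy, events):
    denied, used = Counter(), set()
    for event in events:
        if event.get("errorCode") in DENIED_CODES:
            denied[action_of(event)] += 1       # candidate missing permission
        elif "errorCode" not in event:
            used.add(action_of(event).lower())  # call that succeeded
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    unused = [p for p in allowed_patterns(policy)
              if not any(fnmatch.fnmatchcase(a, p.lower()) for a in used)]
    return {"denied": dict(denied), "unused_grants": unused}

if __name__ == "__main__":
    print(review(POLICY, EVENTS))
```

A grant reported as unused is only a prompt for a human review: the observation window may be too short, and some calls (S3 object-level operations, for example) are only logged when data events are enabled.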
