At SENTIA we manage many AWS accounts, and for this we quite often need to log in to the AWS Console of these accounts. We wanted a way to access the AWS Console that was both secure and easy to use.
We have looked at a couple of options (see table) for authentication to the AWS console:
| | | | | |
|---|---|---|---|---|
| No shared credentials | ❌ | ✅ | ✅ | ✅ |
| No shared MFA | ❌ | ✅ | ✅ | ✅ |
| Ease of Use | | | | |
Of these options we found IAM Roles to be the most secure, but logging into the AWS Console using IAM Roles is quite a hassle. That is why we created Locksmith – a Chrome Extension for AWS Console login using Cross-Account IAM Roles.
We use a single IAM user per person. This user has a single MFA, and you can easily remove the IAM user to revoke a person’s access to all accounts.
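As an added example (not Locksmith's own code), this is the shape of the setup described above: a trust policy on the role in each managed account that only lets principals from the single identity account assume it, and only with MFA present, plus the two AWS federation-endpoint URLs that turn the temporary credentials returned by `sts:AssumeRole` into a console session. Account IDs and credential values are constructed placeholders.

```python
import json
from urllib.parse import urlencode

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
CONSOLE_URL = "https://console.aws.amazon.com/"


def role_trust_policy(identity_account_id: str) -> dict:
    """Trust policy for the role in a managed account. Only the identity
    account (where the one-IAM-user-per-person lives) may assume it, and the
    aws:MultiFactorAuthPresent condition means a leaked long-lived access key
    alone is not enough. Deleting the IAM user revokes access everywhere."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{identity_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def requires_mfa(policy: dict) -> bool:
    """Check every Allow statement of a trust policy for the MFA condition."""
    return all(
        s.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
        for s in policy["Statement"] if s.get("Effect") == "Allow"
    )


def signin_token_url(creds: dict, duration: int = 3600) -> str:
    """Step 1 of the federation flow: `creds` is the Credentials dict returned
    by sts:AssumeRole (AccessKeyId, SecretAccessKey, SessionToken). GETting
    this URL returns JSON with a SigninToken; no network call is made here."""
    session = json.dumps({
        "sessionId": creds["AccessKeyId"],
        "sessionKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],
    })
    query = urlencode({"Action": "getSigninToken",
                       "SessionDuration": duration, "Session": session})
    return f"{FEDERATION_ENDPOINT}?{query}"


def console_login_url(signin_token: str, issuer: str) -> str:
    """Step 2: opening this URL in the browser logs the user into the console
    as the assumed role; `issuer` is a free-form label shown to the user."""
    query = urlencode({"Action": "login", "Issuer": issuer,
                       "Destination": CONSOLE_URL, "SigninToken": signin_token})
    return f"{FEDERATION_ENDPOINT}?{query}"
```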
…doesn’t the AWS Console support this already?
Yes indeed, we developed Locksmith before AWS announced this feature. Even so, we still might have developed Locksmith since it has the following advantages over the tool built into the AWS Console:
Cloud Systems Architect and Security Officer for the Public Clouds Team