Elmer: A secure and streamlined Framework for AWS Access Management

Ever wasted hours hunting stale AWS keys, untangling role maps, or scrambling for audit logs? Secure and efficient AWS account management is a core principle that drives base2Services. That is why we built Elmer, a tailored security framework that simplifies and safeguards access across every AWS account we manage.

Elmer centralises compliance and security for multi-account, multi-organisation environments. Instead of juggling separate IAM configurations, we manage team access from one place, eliminating the risk of a single account slipping through the cracks. Every login is time-limited, every action is logged end-to-end, and auditors can pull a complete, timestamped history in minutes.

The results: engineers gain one-click, least-privilege access; security teams see real-time activity; and your business enjoys provable, always-on protection without the weekend firefighting. 

How Elmer Makes AWS Access Safer and Simpler

Regardless of whether a web console or temporary access keys are used for API tasks, this framework provides a secure method of connection. Therefore, to keep accounts protected, Elmer demands that users log in through a VPN and use multi-factor authentication (MFA) affording an additional layer of security and ensuring that only the right people can get in.

Key Features of Elmer

The highest standards of cloud security are met through three key features designed to protect AWS environments. These are: 

1. Temporary Access Only
   

   Permanent AWS keys are difficult to control and pose significant security risks. Elmer eliminates these vulnerabilities by issuing temporary credentials that expire automatically, creating a safer and more secure environment.

2. Role-Based Controls 
   

   Every AWS account is provisioned with three pre-defined roles, catering to specific access needs. Once connected, Elmer automatically configures these three IAM roles in each AWS account: 

   - Read-Only: Safeguards access by limiting it to resource viewing. 
   - Support: Enables limited changes to resolve issues. 
   - Admin: Grants complete control when necessary.

3. Controlled User Authentication 
   Access to Elmer is guarded by VPN and MFA, this ensures that only verified and authorised users can connect. Enforcement of this heavily regulated controlled access reduces attack surface and enhances security.

Unlock the Advantages of Elmer

This framework presents a sophisticated, secure, and adaptable solution tailored to meet the dynamic needs of both base2Services and our clients. It combines advanced security, streamlined operations and comprehensive oversight. Therefore, delivering superior AWS account management through the following benefits:

• Enhanced Security with Temporary Credentials
  By issuing short-lived credentials, Elmer ensures that permanent access keys are no longer a concern, simplifying management and enhancing security.
• Detailed Logging for Auditability
  Elmer integrates seamlessly with Amazon CloudWatch and AWS CloudTrail, providing comprehensive logs of all activities. This capability ensures traceability and simplifies event correlation for audits.
• Integration with Amazon Cognito
  Elmer works seamlessly with Amazon Cognito, enabling precise control for user access based on roles or authority levels.
  
• Secure, Simple and Flexible
  By combining temporary credentials, role-based access, and secure authentication, Elmer delivers a robust framework for managing AWS accounts with confidence.

How does Elmer work?

This diagram illustrates how Elmer securely manages access to AWS accounts for base2 engineers. 

1. Access begins with engineers connecting via VPN and Multi-Factor Authentication (MFA), ensuring only verified users can proceed. 
2. Once authenticated, requests flow through the API Gateway to Elmer API, which coordinates access control. 
3. Amazon Cognito manages user identity and matches users to predefined User Pools: Admin, Support, or Read-only. 
4. These roles are dynamically linked to IAM Roles within the target AWS accounts, and temporary credentials are issued via AWS Secure Token Service (AWS STS). 
5. Engineers are then granted access to either the AWS Management Console or AWS Tools and SDKs, based on their assigned role. 

Built by base2Services and used for base2 managed and customer managed accounts, this central gate unifies access for every account and organisation: one console, time-limited credentials, and full-stack logs auditors can grab in seconds. Engineers click once, security sees everything, and you leave the office on time - no firefighting required. 

Ready to simplify and fortify your AWS security? Book a quick consult with our experts now and elevate your cloud posture in minutes.