Identity and Access Management

Use Case: Authenticating and authorizing members of your team with just the right amount of access to be productive, while limiting the security and reliability risks of too much access. Achieving your compliance program goals by ensuring access is properly scoped and auditable.

Challenge: Long-lived credentials and managing access keys.

Solution: Temporary Credentials and IdP integration

Substrate grants credentials for 12 hours at a time, striking a balance between convenience and security. It allows engineers to start their day by authenticating with your IdP and then get a whole day of work done without the inconvenience of re-authenticating or the security risk of long-lived credentials stored on client machines.

No credentials are stored locally, and there is no need to distribute AWS CLI configs.

Challenge: Too many people have access to production

Solution: Role-Based Access Control with a multi-account strategy

Use substrate create-account to create and manage accounts and environments so you can isolate non-production environments from production, and even one application from another within production.

Use substrate create-role to manage AWS IAM roles for humans and machines. You can have roles per team, function, service, or anything else, and scope access down to the minimum required. Refer to environments and accounts using application names, not ARNs and account numbers.

Challenge: Using AWS IAM roles is complex, error-prone, and hard to understand

Solution: Use Substrate to quickly and easily create new roles for humans and machines and enumerate all your custom IAM roles

The substrate create-role command is a more intuitive way to manage custom IAM roles for humans and services to grant just the right amount of access to your AWS accounts and environments.

substrate roles can be used to enumerate all your custom roles. You can view your roles in human-readable or machine-readable (shell or JSON) formats.

Challenge: Auditing access in your organization

Solution: Auto-configured AWS CloudTrail with an Auditor role

Substrate configures AWS CloudTrail with a single trail that covers all your accounts in all regions. An Auditor role is created for you so you can access these logs. We also provide instructions for allowing third-party audit tools access to these logs.

See Auditing your Substrate Managed Organization for more details.
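The kind of question an auditor asks of an organization-wide trail is "who assumed which role, in which account and region, and did anyone mint a long-lived access key?" The script below is an added example, not Substrate's own code, showing how to answer that from CloudTrail records. It parses a constructed CloudTrail log file (the field names follow the documented CloudTrail record format; the account IDs, ARNs, user names and timestamps are placeholders) and produces three views: every STS AssumeRole* call, every IAM CreateAccessKey call, and the set of account/region pairs the trail actually covers.

```python
import json
from typing import List, Set, Tuple

# Constructed sample CloudTrail log file, not real log data. The structure
# (a JSON object with a top-level "Records" list) matches what CloudTrail
# writes to S3; account IDs, ARNs and user names are placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-15T09:02:11Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoleWithSAML", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "SAMLUser", "userName": "alice@example.com"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Administrator"}},
    {"eventTime": "2024-01-15T09:03:40Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "awsRegion": "eu-west-1",
     "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Administrator/alice@example.com"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/Developer"}},
    {"eventTime": "2024-01-15T11:20:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "userName": "ci-bot"},
     "requestParameters": {"userName": "ci-bot"}},
    {"eventTime": "2024-01-15T11:21:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/Developer/alice@example.com"}},
]})


def load_records(text: str) -> List[dict]:
    """Parse one CloudTrail log file into its list of event records."""
    return json.loads(text)["Records"]


def principal(record: dict) -> str:
    """Best human-readable name for the caller: user name, else ARN, else identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def role_assumptions(records: List[dict]) -> List[Tuple[str, str, str, str, str]]:
    """Every STS AssumeRole* call as (time, principal, target role ARN, account, region).

    AssumeRole, AssumeRoleWithSAML and AssumeRoleWithWebIdentity all share the
    prefix, so one check covers IdP logins and role-to-role hops alike.
    """
    out = []
    for r in records:
        if r.get("eventSource") != "sts.amazonaws.com":
            continue
        if not r.get("eventName", "").startswith("AssumeRole"):
            continue
        role = r.get("requestParameters", {}).get("roleArn", "?")
        out.append((r["eventTime"], principal(r), role,
                    r["recipientAccountId"], r["awsRegion"]))
    return sorted(out)


def access_key_creations(records: List[dict]) -> List[Tuple[str, str, str]]:
    """IAM CreateAccessKey calls as (time, account, IAM user): each one is a new
    long-lived credential that deserves review in a temporary-credential setup."""
    return sorted(
        (r["eventTime"], r["recipientAccountId"],
         r.get("requestParameters", {}).get("userName", principal(r)))
        for r in records
        if r.get("eventSource") == "iam.amazonaws.com"
        and r.get("eventName") == "CreateAccessKey"
    )


def coverage(records: List[dict]) -> Set[Tuple[str, str]]:
    """Account/region pairs that actually produced events; compare this against
    the accounts and regions you expect the single trail to cover."""
    return {(r["recipientAccountId"], r["awsRegion"]) for r in records}


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    print("Role assumptions:")
    for row in role_assumptions(recs):
        print("  ", *row)
    print("Access keys created:", access_key_creations(recs))
    print("Coverage:", sorted(coverage(recs)))
```

In practice the records come from the trail's S3 bucket (gzipped JSON files, one per delivery), read with the Auditor role's credentials; the parsing and the three reports are the same, and the coverage set is the quick way to confirm that every account and region you care about is really flowing into the single trail.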