Overview
What is IAMbic?
IAMbic tackles the complex task of managing distributed permissions across multiple cloud environments, such as AWS, Azure Active Directory, Okta, and Google Workspace. IAMbic creates a comprehensive copy of your human and cloud principals and their permissions, in the form of human-readable "iambic templates" stored in Git. IAMbic keeps these templates in sync with your cloud environment and supports bidirectional synchronization and round-trip functionality, so you can create or adjust templates and apply the changes back to the cloud.
Check out our IAMOps Philosophy documentation to see examples of IAMbic templates, the structure of an iambic templates repository, and request workflows.
IAMbic is built on top of a plugin-based architecture and can be extended to internal identity providers. We are expanding IAMbic to support additional cloud providers, and actively encouraging community contributions.
How does IAMbic work?
IAMbic provides a user-friendly setup wizard (iambic setup) that allows you to get started in under 10 minutes. IAMbic will import your existing cloud resources into IAMbic template files, which are human-readable files used to represent and manage your cloud identities, principals, and permissions within IAMbic. For AWS, IAMbic intelligently organizes and groups similar resources across accounts into dynamic permission templates.
IAMbic templates support declarative definitions of temporary principals, permissions, and access rules, enabling zero-standing-permissions and breakglass access.
IAMbic leverages a GitHub App that automatically runs IAMbic plan and apply workflows via CI/CD. Recurring workflows are triggered by Amazon EventBridge Rules and run on a schedule.
These workflows manage the following tasks:
- Keeping Git up to date with the current state of the cloud environment
- Managing expiring access, permissions, and cloud identities
- Preventing drift for IAMbic-managed resources
- Applying iambic template changes to the cloud in CI
IAMbic enables you to create custom GitOps approval processes for managing permissions and access, a concept we refer to as IAMOps.

Features
- Universal Cloud Identity: Unify cloud identity management for AWS, Okta, Azure Active Directory, and Google Workspace, with more to come.
- Temporary Access: Declaratively define and automate expiration dates for resources, permissions, and access rules.
- Dynamic AWS Permissions: Simplify multi-account AWS management with flexible templates, allowing multi-account roles to have different permissions and access rules on different accounts.
- Drift Prevention: Protect the IAM resources you want to be exclusively managed via IAMbic. What is in Git becomes the absolute source of truth.
- GitOps-driven Cloud IAM (IAMOps): Leverage GitOps-driven Cloud IAM with human-readable formats and your favorite tools.
- Centralized Management: IAMbic keeps Git updated with the latest, complete state of your cloud environment, maintaining a single source of truth for auditing and compliance across multiple cloud providers in Git.
- Extendable: Integrate with various clouds and applications through a powerful plugin architecture.
- Auditable: Track changes to IAM policies, permissions, and rules with Git history. For AWS, IAMbic annotates out-of-band commits with details from CloudTrail.
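To make the three mechanisms above concrete (the expiring access and drift-prevention workflows from "How does IAMbic work?", and the Temporary Access, Dynamic AWS Permissions and Drift Prevention features), here is an added illustrative model. It is not IAMbic's own code, and the template field names it uses (identifier, included_accounts, policy_statements, accounts, expires_at) are assumptions chosen for the example, not IAMbic's real template schema. It renders one multi-account role template into the per-account statement set that should exist at a given moment, drops statements whose expiry has passed, and reports drift against a constructed snapshot of cloud state.

```python
from __future__ import annotations

from datetime import datetime, timezone


# Constructed template standing in for an "iambic template". The field names used
# here are assumptions made for this example, not IAMbic's real schema.
TEMPLATE = {
    "identifier": "engineering-role",
    "included_accounts": ["dev", "staging", "prod"],
    "policy_statements": [
        # Applies to every included account.
        {"sid": "ReadLogs", "actions": ["logs:Describe*", "logs:Get*"],
         "resources": ["*"]},
        # Only rendered into the accounts listed under "accounts".
        {"sid": "WriteAppData", "actions": ["s3:PutObject"],
         "resources": ["arn:aws:s3:::app-data/*"], "accounts": ["dev", "staging"]},
        # Temporary (breakglass-style) grant: dropped once expires_at has passed.
        {"sid": "BreakGlass", "actions": ["iam:*"], "resources": ["*"],
         "accounts": ["prod"], "expires_at": "2024-01-15T00:00:00Z"},
    ],
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing Z is treated as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_expired(entry: dict, now: datetime) -> bool:
    """An entry without expires_at never expires."""
    expires_at = entry.get("expires_at")
    return expires_at is not None and parse_ts(expires_at) <= now


def render_per_account(template: dict, now: datetime | str) -> dict[str, dict[str, dict]]:
    """Expand one multi-account template into the concrete statement set each
    account should have right now: account-scoped statements only land in the
    accounts they name, and expired statements are omitted entirely."""
    if isinstance(now, str):
        now = parse_ts(now)
    rendered: dict[str, dict[str, dict]] = {}
    for account in template["included_accounts"]:
        statements = {}
        for stmt in template["policy_statements"]:
            if is_expired(stmt, now):
                continue
            if account not in stmt.get("accounts", template["included_accounts"]):
                continue
            statements[stmt["sid"]] = {
                "actions": sorted(stmt["actions"]),
                "resources": sorted(stmt["resources"]),
            }
        rendered[account] = statements
    return rendered


def detect_drift(desired: dict[str, dict[str, dict]],
                 actual: dict[str, dict[str, dict]]) -> dict[str, dict[str, list[str]]]:
    """Compare the rendered (Git) state with a snapshot of what the cloud actually
    has. Returns, per account, statements missing from the cloud, statements present
    in the cloud but not in Git (out-of-band), and statements present in both but
    different. Accounts with no differences are left out of the report."""
    report: dict[str, dict[str, list[str]]] = {}
    for account in sorted(set(desired) | set(actual)):
        want = desired.get(account, {})
        have = actual.get(account, {})
        missing = sorted(sid for sid in want if sid not in have)
        out_of_band = sorted(sid for sid in have if sid not in want)
        changed = sorted(sid for sid in want if sid in have and want[sid] != have[sid])
        if missing or out_of_band or changed:
            report[account] = {"missing": missing, "out_of_band": out_of_band,
                               "changed": changed}
    return report


# Constructed snapshot of the "cloud" state used for the drift check below:
# dev never received WriteAppData, and prod still carries the expired BreakGlass grant.
CLOUD_SNAPSHOT = {
    "dev": {"ReadLogs": {"actions": ["logs:Describe*", "logs:Get*"], "resources": ["*"]}},
    "staging": {
        "ReadLogs": {"actions": ["logs:Describe*", "logs:Get*"], "resources": ["*"]},
        "WriteAppData": {"actions": ["s3:PutObject"],
                         "resources": ["arn:aws:s3:::app-data/*"]},
    },
    "prod": {
        "ReadLogs": {"actions": ["logs:Describe*", "logs:Get*"], "resources": ["*"]},
        "BreakGlass": {"actions": ["iam:*"], "resources": ["*"]},
    },
}


if __name__ == "__main__":
    now = datetime(2024, 2, 1, tzinfo=timezone.utc)  # after BreakGlass has expired
    desired = render_per_account(TEMPLATE, now)
    print(detect_drift(desired, CLOUD_SNAPSHOT))
```

Run on 2024-02-01 the report flags dev (WriteAppData missing, so Git is ahead of the cloud) and prod (BreakGlass present out of band, so the expired grant should be revoked); staging matches and is omitted. Run before the expiry date, prod is clean because the breakglass grant is still part of the desired state, which is the point of keeping expiry in the template rather than in someone's calendar.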
Why IAMbic?
Modern, cloud-first companies have empowered employees with an unprecedented level of freedom and control through shifting left, adopting the cloud, and countless SaaS products. But as an unintended side effect, security and compliance teams have lost both control and visibility regarding who has access to what within their organization.
The impact of this problem is that security and compliance teams face increased risks, including data breaches and non-compliance with regulations. This can lead to damage to company reputation, loss of trust among customers, and significant financial penalties. The lack of visibility and control also creates inefficiencies, as security and compliance teams struggle to keep up with the volume of changes, access requests, and difficulties in auditing their systems.
IAMbic's approach to regaining control over cloud permissions and access management is to provide a system of record with the necessary depth into custom permission frameworks (e.g. the 7 layers and 13,000 actions in the AWS policy language) and breadth (e.g. downstream SaaS applications) to meet the needs of modern enterprises. This system of record, a modern cloud enterprise directory, combines records of SSO and cloud identity in one central location and tracks all related permissions for those identities. This comprehensive record enables cross-account management and provides a single source of truth for permissions.
IAMbic intends to standardize the permissions request workflow across the organization. Approvals for shared access are integrated into the Git workflow, providing a streamlined and efficient process for managing cloud permissions.
What is the difference between IAMbic and Infrastructure-as-Code (IaC)?
Infrastructure-as-Code (IaC) is a great way for developers to manage their infrastructure, but it comes with its own challenges when trying to manage IAM at scale across multiple providers. IaC promotes decentralization by project, meaning it's hard to get a full picture of the identities in your environment in a single place.
IAMbic is designed specifically to help manage your cloud principals and their permissions across multiple providers and accounts by centralizing them in a single Git repository. IAMbic leverages Amazon EventBridge Rules to keep your permissions updated with the actual state of your cloud environments and identity providers. This way, you have a complete and current picture of your permissions, regardless of how they are being managed.
IAMbic is not trying to be a replacement for Infrastructure-as-Code (IaC). IAMbic operates alongside IaC and ClickOps©, without needing exclusive control over all IAM resources.
In summary, while IaC is great for managing infrastructure, IAMbic is designed specifically to manage cloud permissions and provide a complete and mutable representation of your permissions in one central location.
Getting started
To get started with IAMbic, head on over to Install and Configure.