Our goal at Altostra is to streamline cloud development, deployment and management for developers. We want our users to enjoy all the advantages of cloud infrastructure with as few hurdles and as little configuration as possible, while keeping maximum security.
Once you integrate your AWS account, Altostra can deploy, manage and monitor your projects on your behalf. To ensure you're fully protected, we follow the AWS best practices and security guidelines on providing access to AWS accounts owned by third parties.
How it works
For Altostra to operate within your AWS account on your behalf, AWS requires several things:
- An IAM Role in your account that can be assumed by Altostra
- An appropriate policy for the Role
- An explicit restriction on that Role so that it can be assumed only by Altostra (by specifying Altostra's account ID)
- A secret token called externalId that is known only to Altostra and yourself and is used to prevent the "Confused Deputy" attack.
This process is safe yet cumbersome. So instead of asking you to perform these steps manually when you connect your account to Altostra, we generate a CloudFormation template for you, with all the relevant parameters preset.
Once you run the template, it generates all of the required resources and sends a notification to Altostra. You can then use Altostra to deploy projects to your account.
You can read a detailed technical post on how the mechanism works on our blog.
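To check that a cross-account role's trust policy really enforces the account restriction and the externalId condition listed above, a small audit like the following can be run over the policy document. This is an added example, not Altostra's code or template; the account IDs, the externalId value and the sample policies are constructed placeholders.

```python
import json

VENDOR_ACCOUNT = "111122223333"  # constructed placeholder, not a real vendor ID

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # Accepts a bare account ID or an ARN such as arn:aws:iam::111122223333:root
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 5 else principal

def audit_trust_policy(policy, vendor_account):
    """Return findings for a role trust policy; an empty list means it passes."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not (
                {"sts:assumerole", "sts:*", "*"} & set(actions)):
            continue  # only statements that grant AssumeRole matter here
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and set(principal) == {"AWS"}:
            for p in _as_list(principal["AWS"]):
                if _account_of(p) != vendor_account:
                    findings.append(f"statement {i}: principal {p} is outside the vendor account")
        else:
            findings.append(f"statement {i}: principal is not restricted to an AWS account")
        # IAM condition key names are case-insensitive, so compare in lower case.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if not {k.lower(): v for k, v in equals.items()}.get("sts:externalid"):
            findings.append(f"statement {i}: no StringEquals condition on sts:ExternalId")
    return findings

def _policy(principal, condition=None):
    # Builds a constructed sample trust policy with one AssumeRole statement.
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

EXT = {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}
GOOD = _policy({"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"}, EXT)
NO_EXTERNAL_ID = _policy({"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"})
WRONG_ACCOUNT = _policy({"AWS": "arn:aws:iam::444455556666:root"}, EXT)
ANY_PRINCIPAL = _policy("*")

if __name__ == "__main__":
    for name in ("GOOD", "NO_EXTERNAL_ID", "WRONG_ACCOUNT", "ANY_PRINCIPAL"):
        print(name, json.dumps(audit_trust_policy(globals()[name], VENDOR_ACCOUNT)))
```

The same function can be fed the `AssumeRolePolicyDocument` of a deployed role after exporting it as JSON.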
Resources created by the template
| Logical ID | Resource Type | Description |
|---|---|---|
| AltostraS3Bucket | AWS::S3::Bucket | This is where Altostra will store all your project versions and account-related data |
| CrossAccountRole | AWS::IAM::Role | This is the IAM role Altostra assumes when it stores and deploys your projects |
| PhoneHomeCustomResource | Custom | This one-time resource is used to send the connection details to Altostra - namely, the newly generated IAM Role ARN |