April 18, 2023
Curtis Castrapel

Introducing IAMbic: Multi-cloud IAM-as-code

We're excited to announce the open-source launch of IAMbic, a multi-cloud IAM control plane designed to simplify IAM management in a GitOps workflow. IAMbic streamlines the management of cloud identities, permissions, and access by presenting everything in a human-readable, as-code format. Key features include Universal Cloud Identity, Dynamic AWS Permissions, Temporary Access, and Drift prevention.

Hey everyone, Curtis here. We're excited to announce the open-source launch of IAMbic (IAM, but in code), a multi-cloud control plane that simplifies IAM management in a GitOps workflow. It’s like Terraform for Cloud IAM, but way easier. See for yourself on GitHub.

During my time on Netflix’s Cloud Security team, we faced the challenge of managing IAM at scale. We had to manage shared user roles with different permissions for dev and prod accounts, grant temporary access to developers to test new services (which we forgot to remove), protect sensitive policies from misconfiguration, and help users with IAM. Things only got more complex as we added more employees, AWS accounts, applications, and cloud resources. It was like playing Clue to find IAM misconfigurations, Jenga to carefully remove temporary/unused permissions, and Tetris to organize the right access rules for each user and app. These tasks were time-consuming and made us dread being on-call.

As permissions piled up, the mental burden of maintenance increased, and security risks and mistakes grew over time. We knew it was only a matter of time before an over-provisioned developer caused critical infrastructure to fail or, even worse, a sensitive application role was compromised.

We created IAMbic to solve these problems by making it easy to unify all cloud identities, going beyond access to manage complex cloud permissions, tracking access all the way from users to cloud resources, and presenting everything in a human-readable, as-code, and open-source format. 

IAMbic supports bidirectional syncing and round-trip capabilities in a GitOps workflow, and includes the following key features:

  • Universal Cloud Identity: Integrate identities from AWS IAM and Identity Center, Okta, Azure AD, and Google Workspace, with more to come.
  • Dynamic AWS Permissions: Multi-account roles with different permissions and access rules on different accounts.
  • Temporary Access: Declaratively define and automate expiration dates for cloud access, fine-grained permissions, and identities.
  • Drift prevention: Prevent out-of-band changes to IAM resources you want to be exclusively managed via IAMbic, like cookie-cutter roles or sensitive identity provider groups.

We’re just getting started on our journey to change the way cloud IAM is managed. We’re huge fans of open source and eager to grow together through your feedback and contributions. Try out IAMbic by following the Getting Started guide. We’d love to chat and hear about your experiences in our Slack community.

Curtis Castrapel

Noq Founder
