Disclaimer: This project is a Proof of Concept (POC), entirely generated by AI. It has not been audited for production use. Review all code, configurations, and IAM permissions thoroughly before deploying to any environment handling real workloads.
A Slack-integrated system for managing temporary AWS Systems Manager (SSM) document access with approval workflows.
SSM Access Manager allows users to request temporary access to AWS resources through Slack. Access requests require two-tier approval from configured Slack user groups (security and manager), and the system automatically creates time-limited SSM documents with ABAC (Attribute-Based Access Control) tags.
- Slack-based Access Requests - Users request access via the `/ssm-access` command
- Two-Tier Approval Workflow - Security and manager approvals via Slack user groups
- Group-based Approvals - Manage approvers through Slack user groups
- Real-time Updates - Approval messages update instantly for all group members
- Time-based Expiration - Documents automatically expire and are cleaned up
- Multi-Account Support - Manage access across multiple AWS accounts
- Audit Trail - All actions logged to CloudWatch with structured logging
- ABAC Tags - Documents tagged with user identity for fine-grained access control
Get up and running in ~1 hour:

```bash
# 1. Build Lambda functions
./scripts/build.sh

# 2. Deploy infrastructure
./scripts/deploy.sh test us-east-1

# 3. Configure Slack app with endpoints from Terraform output

# 4. Add yourself as administrator
./scripts/add-user.sh test YOUR_USER_ID your.name your@email.com administrator us-east-1

# 5. Create Slack user groups and configure approval groups (run these in Slack)
/ssm-admin add-approval-group group_id=YOUR_SECURITY_GROUP_ID name="Security Team" type=security
/ssm-admin add-approval-group group_id=YOUR_MANAGER_GROUP_ID name="Manager Team" type=manager

# 6. Test in Slack
/ssm-admin help
/ssm-access
```

Full setup guide: see QUICKSTART.md
```
┌─────────────┐
│    Slack    │
│    Users    │
└──────┬──────┘
       │ /ssm-access
       │ /ssm-admin
       ▼
┌──────────────────────────────────────────┐
│               API Gateway                │
│   /slack/command      /slack/admin       │
│   /slack/interaction  /admin             │
└──────┬───────────────────────────────────┘
       │
       ▼
┌──────────────────────────────────────────┐
│             Lambda Functions             │
│   • Request Handler                      │
│   • Approval Handler                     │
│   • Admin Slack Handler                  │
│   • Document Creator                     │
│   • Expiration Cleanup                   │
└──────┬───────────────────────────────────┘
       │
       ▼
┌──────────────────────────────────────────┐
│             DynamoDB Tables              │
│   • Access Requests                      │
│   • SSM Documents                        │
│   • Users (Administrators)               │
│   • AWS Accounts                         │
│   • Approval Groups                      │
└──────────────────────────────────────────┘
       │
       ▼
┌──────────────────────────────────────────┐
│           Target AWS Accounts            │
│   • Assume IAM Role                      │
│   • Create/Delete SSM Documents          │
└──────────────────────────────────────────┘
```
- User: Can request access via `/ssm-access`
- Approval Group Member: Can approve/deny requests (managed via Slack user groups)
- Administrator: Can manage approval groups, administrators, and accounts via `/ssm-admin`
`/ssm-access` opens a modal to request temporary access to a resource. Fill in:
- Host (hostname or IP)
- Port (default: 22)
- AWS Account (dropdown)
- Manager Group (dropdown)
- Expiration Date (optional, defaults to 14 days)
```
/ssm-admin add-approval-group group_id=<id> name=<name> type=<security|manager>   # Add approval group
/ssm-admin list-approval-groups                                                    # List approval groups
/ssm-admin add-admin @user                                                         # Add an administrator
/ssm-admin remove-admin @user                                                      # Remove an administrator
/ssm-admin list-admins                                                             # List all administrators
/ssm-admin approve-request <request_id>                                            # Approve a request
/ssm-admin deny-request <request_id> <reason>                                      # Deny a request
/ssm-admin help                                                                    # Show all commands
```
- QUICKSTART.md - Complete setup and deployment guide (~1 hour)
- docs/USER_GUIDE.md - How to request and use access
- docs/ADMIN_GUIDE.md - Administrator management and operations
- docs/OPERATIONS.md - Day-to-day operations and monitoring
- AWS CLI configured with admin credentials
- Terraform >= 1.0
- Go >= 1.25
- Slack workspace with app installation permissions
- At least one AWS account for target resources
Customize the SSM document naming prefix to match your organization's conventions:

```bash
# In Terraform variables
export TF_VAR_document_prefix="ACME"   # Default: "PF" (PortForwarding)
```

Documents will be named `{PREFIX}-{username}-{host}-{port}`:

- Default: `PF-john.doe-db.example.com-5432`
- Custom: `ACME-john.doe-db.example.com-5432`
The prefix must:
- Start with an alphanumeric character
- Contain only alphanumeric, hyphens, and underscores
- Be 20 characters or less
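The following is an added example, not code from the SSM Access Manager project, showing how the modal inputs above (host, port defaulting to 22, optional expiration defaulting to 14 days) and the prefix rules combine into a document name. It assumes a hostname grammar, a username grammar, a 90-day expiration cap and the AWS constraint that an SSM document name matches `^[a-zA-Z0-9_\-.]{3,128}$`; none of those except the prefix rules and the defaults come from this README. The function and type names are likewise the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"time"
)

// Prefix rules as stated in the README: first character alphanumeric, then only
// alphanumerics, hyphens and underscores, 20 characters at most.
var prefixRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_-]{0,19}$`)

// Hostname syntax (RFC 1123 labels). Assumed here; the project may check differently.
var hostnameRe = regexp.MustCompile(`^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// AWS constraint on SSM document names: ^[a-zA-Z0-9_\-.]{3,128}$
var ssmDocNameRe = regexp.MustCompile(`^[A-Za-z0-9_.-]{3,128}$`)

// Slack-style usernames such as "john.doe". Assumed, not from the README.
var usernameRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$`)

const (
	defaultPort       = 22                  // README default
	defaultExpiration = 14 * 24 * time.Hour // README default
	maxExpiration     = 90 * 24 * time.Hour // assumed upper bound; the README sets no cap
)

var ErrBadPrefix = errors.New("invalid document prefix")

type AccessRequest struct {
	Username  string
	Host      string
	Port      int
	ExpiresAt time.Time
}

// ValidatePrefix enforces the prefix rules before the value reaches Terraform.
func ValidatePrefix(prefix string) error {
	if !prefixRe.MatchString(prefix) {
		return fmt.Errorf("%w: %q", ErrBadPrefix, prefix)
	}
	return nil
}

// ParseAccessRequest applies the modal defaults (port 22, 14-day expiry) and
// rejects input that would yield an unusable or over-long grant.
// port == 0 and a zero expires value mean the field was left empty.
func ParseAccessRequest(username, host string, port int, expires, now time.Time) (AccessRequest, error) {
	if !usernameRe.MatchString(username) {
		return AccessRequest{}, fmt.Errorf("invalid username %q", username)
	}
	if net.ParseIP(host) == nil && !hostnameRe.MatchString(host) {
		return AccessRequest{}, fmt.Errorf("host %q is neither a hostname nor an IP address", host)
	}
	if port == 0 {
		port = defaultPort
	}
	if port < 1 || port > 65535 {
		return AccessRequest{}, fmt.Errorf("port %d out of range", port)
	}
	if expires.IsZero() {
		expires = now.Add(defaultExpiration)
	}
	if !expires.After(now) {
		return AccessRequest{}, errors.New("expiration must be in the future")
	}
	if expires.Sub(now) > maxExpiration {
		return AccessRequest{}, fmt.Errorf("expiration exceeds the %s cap", maxExpiration)
	}
	return AccessRequest{Username: username, Host: host, Port: port, ExpiresAt: expires}, nil
}

// DocumentName builds {PREFIX}-{username}-{host}-{port} and checks the result
// against the SSM naming constraint. An IPv6 host is rejected here because
// colons are not permitted in document names.
func DocumentName(prefix string, r AccessRequest) (string, error) {
	if err := ValidatePrefix(prefix); err != nil {
		return "", err
	}
	name := fmt.Sprintf("%s-%s-%s-%d", prefix, r.Username, r.Host, r.Port)
	if !ssmDocNameRe.MatchString(name) {
		return "", fmt.Errorf("document name %q violates SSM naming rules", name)
	}
	return name, nil
}

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	req, err := ParseAccessRequest("john.doe", "db.example.com", 5432, time.Time{}, now)
	if err != nil {
		panic(err)
	}
	name, err := DocumentName("PF", req)
	fmt.Println(name, req.ExpiresAt.Format(time.RFC3339), err)
}
```

Validating the assembled name, not only the prefix, matters because a valid prefix plus a valid host can still exceed 128 characters or introduce a colon, and the failure then surfaces at document creation in the target account rather than at request time.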
- Language: Go 1.25+
- Infrastructure: Terraform
- Cloud: AWS (Lambda, DynamoDB, API Gateway, SSM, IAM)
- Integration: Slack API
- Logging: CloudWatch with structured JSON logs
- Slack signature verification for all requests
- Two-tier approval system (security + manager)
- Group-based access control via Slack user groups
- Time-limited access with automatic expiration
- ABAC tags on SSM documents for fine-grained control
- Audit trail in CloudWatch logs
- PII sanitization in logs
- IAM role assumption with credential caching
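The first item in that list, Slack signature verification, is the control that keeps anyone who can reach the API Gateway endpoints from forging `/ssm-access` or `/ssm-admin` commands. The block below is an added example of that check and is not the project's own code; it assumes Slack's documented scheme (HMAC-SHA256 over `v0:<timestamp>:<raw body>` with the app signing secret, carried in the `X-Slack-Signature` and `X-Slack-Request-Timestamp` headers) and Slack's recommended five-minute replay window. The function names and the sample secret are the example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

const slackVersion = "v0"

// maxSkew bounds how old (or how far in the future) a request timestamp may be.
// Five minutes follows Slack's guidance; anything outside is treated as a replay.
const maxSkew = 5 * time.Minute

var (
	ErrStaleTimestamp = errors.New("slack request timestamp outside replay window")
	ErrBadSignature   = errors.New("slack signature mismatch")
)

// SignSlackRequest computes the v0 signature Slack attaches: HMAC-SHA256 with
// the signing secret over "v0:<timestamp>:<body>", hex-encoded with a "v0=" prefix.
func SignSlackRequest(signingSecret, timestamp string, body []byte) string {
	mac := hmac.New(sha256.New, []byte(signingSecret))
	fmt.Fprintf(mac, "%s:%s:", slackVersion, timestamp)
	mac.Write(body)
	return slackVersion + "=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifySlackSignature rejects stale timestamps before doing any crypto, then
// compares the expected and presented signatures in constant time. body must be
// the raw request body exactly as received; re-serialising a parsed form breaks
// the MAC. now is injected so the window can be tested deterministically.
func VerifySlackSignature(signingSecret, timestamp, signature string, body []byte, now time.Time) error {
	ts, err := strconv.ParseInt(timestamp, 10, 64)
	if err != nil {
		return fmt.Errorf("bad timestamp header: %w", err)
	}
	skew := now.Sub(time.Unix(ts, 0))
	if skew > maxSkew || skew < -maxSkew {
		return ErrStaleTimestamp
	}
	expected := SignSlackRequest(signingSecret, timestamp, body)
	if !hmac.Equal([]byte(expected), []byte(signature)) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	secret := "example-signing-secret" // constructed; never hard-code a real one
	body := []byte("token=x&command=%2Fssm-access&user_id=U0123")
	ts := strconv.FormatInt(time.Now().Unix(), 10)
	sig := SignSlackRequest(secret, ts, body)
	fmt.Println(VerifySlackSignature(secret, ts, sig, body, time.Now()))
	fmt.Println(VerifySlackSignature(secret, ts, sig, []byte("tampered"), time.Now()))
}
```

Two details are easy to get wrong in a Lambda handler: API Gateway may hand the body to the function base64-encoded, so decode it before signing, and the timestamp check has to come from the header and not from the function's own invocation time, otherwise a captured request stays valid for as long as the signing secret does.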
```
.
├── cmd/                      # Lambda function handlers
│   ├── request-handler/      # /ssm-access command
│   ├── approval-handler/     # Approval button interactions
│   ├── admin-slack-handler/  # /ssm-admin command
│   ├── document-creator/     # SSM document creation
│   ├── expiration-cleanup/   # Cleanup expired documents
│   └── admin-handler/        # Admin REST API
├── internal/                 # Internal packages
│   ├── models/               # Data models
│   ├── repository/           # DynamoDB repositories
│   ├── service/              # Business logic
│   ├── slack/                # Slack client
│   ├── validation/           # Input validation
│   └── logging/              # Structured logging
├── infrastructure/           # Terraform configurations
│   └── terraform/
├── scripts/                  # Helper scripts
├── docs/                     # Documentation
└── QUICKSTART.md             # Quick start guide
```
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests if applicable
- Submit a pull request
This project is licensed under the Apache License 2.0.
- Issues: Report bugs or request features via GitHub Issues
- Documentation: See the `docs/` directory for detailed guides
- Logs: Check CloudWatch logs for troubleshooting
Built with: