Frequently Asked Questions

We're aware of an issue currently affecting in-app FAQ articles and feedback and are working with Apple to resolve it.

Miscellaneous

How can I get in touch with you?

There are a couple of ways to get in touch with us:

Within Pocket Console

Within the app you can access these FAQ questions, as well as leave feedback. At the bottom of the main menu there is a Pocket Console section, and a feedback item.

To leave feedback, enter the subject of your feedback and any details you want to provide. As our help desk software requires a name and an email address, we ask that you provide these also. See our privacy policy for more on how we handle your personal information. If you do not wish to provide your contact information, please enter fake details. This means, however, that we will be unable to respond to your feedback.

Via Social Media

You can find Pocket Console on Twitter. Our account is @pocketaws.

Why doesn't Pocket Console Support Other Cloud Providers?

At the moment we are focused on providing the best possible mobile console experience for AWS.

This is a large undertaking. We feel that attempting to support multiple cloud providers at this stage will require degrading the experience, preventing us from making it as good as it can be.

Editions of Pocket Console for other cloud providers may be considered in the future.

Why is Pocket Console only for iOS?

Our goal is to make Pocket Console the best mobile console for AWS. To do so, we are focusing our resources to ensure that we can deliver on this promise for iOS.

This does not mean an Android version will not be built, but for the moment it means that our limited resources are focused on providing the best app we can for iOS.

Why should I pay for Pocket Console when there is an official AWS mobile app?

The official AWS Console mobile app is valid for any number of use cases. But for the most part it is also read-only.

You cannot run instances, or create auto scaling groups, or load balancers. You can’t effectively manage your AWS infrastructure using the official app alone.

Now, if your needs are fully met by the official AWS Console app, then Pocket Console is not for you. However, if you find yourself limited by the official app and need something more, then we believe Pocket Console is right up your alley, and certainly worth a modest investment to upgrade.

Supported Products

Can you add support for a specific AWS Management Console feature?

Short answer: maybe.

If the AWS Management Console feature is for an AWS product that is already supported by Pocket Console then there is usually a technical or feasibility consideration that is preventing it from being included in Pocket Console.

If it is for an AWS product that Pocket Console does not yet support, there is a very good chance the feature would be included when support is added.

Your best bet is to get in touch with us and we’ll see what we can do.

Can you add support for a specific AWS product?

Short Answer: Yes.

Ultimately, we want you to be able to manage your entire AWS infrastructure in Pocket Console. It is only a matter of where in the roadmap each AWS product appears.

Right now, the roadmap is not set in stone. It is determined for the next two releases at a time. Beyond that, we offer our users the option to inform the roadmap by voting for the products you want to see. The most popular AWS product may not be the next one implemented though, as technical complexity and feasibility also need to be considered.

What AWS products are supported by Pocket Console?

As of version 1.1, the following AWS products are fully supported:

There is also limited support for Amazon CloudWatch within these services through inline graphs and alarm status buttons. Full support for CloudWatch will be released soon.

Why can't I create or import EC2 key pairs in Pocket Console?

When we implement a feature in Pocket Console we want to make sure it is done right. At the time we were finalizing the 1.0 release (around the time iOS 8 was released) there was no easy way for us to provide support for Key Pairs within Pocket Console.

This is not only from a security perspective, which we can now mitigate with Touch ID, but also from a usability perspective. After you create a key pair in Pocket Console, how would you get it out to your terminal app so you could log in?

Fortunately, this is something that we are able to address. File sharing apps such as Panic’s Transmit for iOS and others are appearing that integrate with the standard document share sheets in iOS 8, so you could easily upload the key pair to a bastion host or your local workstation for usage.

Similarly, we’re in discussion with a number of iOS SSH applications about being able to launch these directly while passing in the key pair.

Once we can offer key pair support that we are satisfied with, it will make its way into the next release.

Why can't I view and manage my EC2 limits in Pocket Console?

There are some AWS Management Console features, such as the Limits and Reports section of the EC2 Management Console, that AWS do not provide API access for.

We have chosen not to support features that are not present in the API, as they are unstable, could change at any time, and may break without notice. We do not feel this provides the best experience for our users.

Security

How are my keys securely stored?

Pocket Console stores your AWS keys within the iOS Keychain. Items in the keychain are encrypted using your passcode and a device token and stored within a secure enclave on your iOS device.

Pocket Console dictates to the keychain that your AWS keys can only be used if the device is unlocked (i.e. you’ve entered your passcode), so they are protected from tampering or theft as long as your device remains secure and locked.

Hybrid Accounts and Touch ID

As a further measure, if you are using iOS 8 or above, Pocket Console will flag your Administrator AWS keys as requiring the user’s presence. This means that operations against your AWS infrastructure will require your fingerprint before they can proceed. If your device does not support Touch ID you can use your passcode instead.

Pocket Console will require your fingerprint for access to your Administrator AWS keys no more than once every 5 minutes.


How can I audit what Pocket Console does?

Like every application (both official AWS ones and third party ones), Pocket Console uses the AWS APIs to manage your resources. In 2014, AWS introduced a new service known as CloudTrail which records all calls to the AWS APIs and provides them to you in a log file.

You can think of CloudTrail as keeping an audit log of everything that happens on your AWS infrastructure. It is a very good idea to enable it and then regularly review the logs, either directly or with third-party CloudTrail analysis tools.

Every call that Pocket Console makes on your behalf will be logged in CloudTrail.
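One way to review those logs for the IAM users an app like Pocket Console acts as, added here as an example and not Pocket Console's or AWS's own code. The user names, key IDs, addresses and log records are constructed, and the split into a read-only and an administrator user follows the hybrid accounts this page describes.

```python
import json

# Constructed sample in the CloudTrail log file layout ({"Records": [...]}).
# User names, key IDs and IP addresses are invented for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-01-10T02:14:07Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True, "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "pc-readonly", "accessKeyId": "AKIAEXAMPLERO"}},
    {"eventTime": "2015-01-10T02:15:31Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "readOnly": False, "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "pc-admin", "accessKeyId": "AKIAEXAMPLEADMIN"}},
    {"eventTime": "2015-01-10T03:02:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "errorCode": "Client.UnauthorizedOperation",
     "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "IAMUser", "userName": "pc-readonly", "accessKeyId": "AKIAEXAMPLERO"}},
    {"eventTime": "2015-01-10T03:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "pc-admin", "accessKeyId": "AKIAEXAMPLEADMIN"}},
    {"eventTime": "2015-01-10T03:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "sourceIPAddress": "192.0.2.9",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLEOTHER"}},
]})

READ_PREFIXES = ("Describe", "List", "Get")  # fallback heuristic, not an AWS rule

def is_mutating(rec):
    """Trust the record's readOnly flag when present, else guess from the name."""
    if "readOnly" in rec:
        return not rec["readOnly"]
    return not rec["eventName"].startswith(READ_PREFIXES)

def audit(log_text, roles):
    """roles maps IAM user name -> 'read_only' or 'admin' for the app's users."""
    out = {"changes": [], "failed": [], "read_only_user_tried_change": []}
    for rec in json.loads(log_text).get("Records", []):
        ident = rec.get("userIdentity", {})
        user = ident.get("userName")
        if ident.get("type") != "IAMUser" or user not in roles:
            continue  # not one of the monitored users
        row = (rec["eventTime"], user, rec["eventName"], rec.get("sourceIPAddress"))
        if is_mutating(rec) and roles[user] == "read_only":
            out["read_only_user_tried_change"].append(row)  # unexpected for this key
        if rec.get("errorCode"):
            out["failed"].append(row)      # call was rejected or errored
        elif is_mutating(rec):
            out["changes"].append(row)     # successful change to infrastructure
    return out
```

A change attempted with the read-only user, especially from an unfamiliar source address, is the entry worth investigating first.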


How can I control what access Pocket Console has to my AWS account?

Firstly, do not enter your root AWS keys into Pocket Console as you cannot alter the permissions these keys have.

If you are using an IAM user’s keys within Pocket Console you can log in to the AWS Management Console and edit the permissions the user has. You can find this within IAM -> Users -> Manage User Policies.

Required Permissions

Pocket Console does not require any specific permissions in order to be used, only those required for the features of Pocket Console you wish to use.

For example, if you wish to be able to launch instances you will need the EC2 RunInstances permission, but also several other permissions, such as creating tags, listing Key Pairs, IAM Users and images, etc.

If you wish to enable key rotation, you will need the IAM permissions CreateAccessKey, DeleteAccessKey and ListAccessKeys.

Finding the IAM Username

If you are using a Pocket Console created IAM user, you can find the username by editing the account information:

  1. Open the left-hand drawer (main menu).
  2. Tap the edit button in the top navigation bar.
  3. Tap the account you wish to check.
  4. The IAM username(s) should be listed. They are not editable from within Pocket Console.

How do hybrid accounts work?

Hybrid accounts work by wrapping your administrator access key pair in additional security. When you are using Pocket Console we will use your read only key pair for everyday operations that do not modify your AWS infrastructure. When you attempt an operation that would modify your AWS infrastructure, Pocket Console will confirm your presence using Touch ID, either by fingerprint or passcode.

Once confirmed, we decrypt your administrator access keys and perform the operation as normal. You will not be prompted to confirm your presence more than once every 5 minutes.

How does key rotation work? Why is it best practice?

Pocket Console can rotate your access keys on your behalf in order to improve the security of your account.

Key Rotation provides an additional level of protection by ensuring that your keys are short lived. So even if someone were to obtain your access keys, they would only be valid for a short period of time.

If enabled for an account, Pocket Console will rotate the keys for its associated IAM users every 48 hours. Only the keys that Pocket Console uses will be rotated; other IAM users will not be affected.
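A sketch of how a client could sequence such a rotation using the three IAM permissions named under Required Permissions (ListAccessKeys, CreateAccessKey, DeleteAccessKey). This is an added example, not Pocket Console's implementation; the key IDs and dates are constructed, and the planner only decides the order of calls without contacting AWS.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=48)  # rotation interval stated on this page
IAM_KEY_LIMIT = 2              # IAM allows at most two access keys per user

# Constructed metadata shaped like the ListAccessKeys response entries.
NOW = datetime(2015, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_KEYS = [{"AccessKeyId": "AKIAEXAMPLEOLD", "Status": "Active",
                "CreateDate": NOW - timedelta(hours=50)}]

def plan_rotation(keys, in_use_id, now):
    """Return the ordered steps needed to rotate the key the client is using."""
    current = next((k for k in keys if k["AccessKeyId"] == in_use_id), None)
    if current is None:
        # The stored key is gone or belongs to another user: do not guess.
        return [("Blocked", "key in use is not listed for this IAM user")]
    if now - current["CreateDate"] < MAX_AGE:
        return []  # key is younger than the interval, nothing to do
    if len(keys) >= IAM_KEY_LIMIT:
        # No free slot, so CreateAccessKey would fail. The second key was not
        # issued to this client, so it is reported rather than deleted.
        other = next(k for k in keys if k["AccessKeyId"] != in_use_id)
        return [("Blocked", other["AccessKeyId"])]
    return [
        ("CreateAccessKey", None),          # new key first, so access is never lost
        ("StoreNewKeyLocally", None),       # local step, not an IAM API call
        ("DeleteAccessKey", in_use_id),     # old key removed only after the swap
    ]
```

Creating before deleting means a failure midway leaves the old key working; the cost is that rotation needs a free key slot on the IAM user.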


What policies does Pocket Console use when creating IAM users?

When creating IAM users on your behalf, Pocket Console will use the standard AWS sample policies.

Read Only Access Keys

Pocket Console uses the AWS-provided “Read Only Access” sample policy. You can view the sample policy by logging into the IAM Management Console and creating a user, group or role policy for an existing resource. Once there, you can also adjust the permissions that your Pocket Console IAM user has.

Administrator Access Keys

Pocket Console uses the AWS-provided “Administrator Access” sample policy. You can view the sample policy by logging into the IAM Management Console and creating a user, group or role policy for an existing resource. Once there, you can also adjust the permissions that your Pocket Console IAM user has.

Keeping Policies Up to Date

Note that Pocket Console does not update the policies on accounts once they have been created. For example, when AWS introduces new services and features, your account in Pocket Console may not automatically gain access to those services. Your best bet is to log in to the IAM console, remove the existing policy from your Pocket Console IAM user, and create it again from the desired policy template.

When I give my AWS keys to Pocket Console, who can access my AWS account?

TL;DR: only you.

Your access keys are stored encrypted in the iOS Keychain. They are never transmitted by Pocket Console to anywhere. Only the signatures that are required to access the AWS APIs leave your device.

We do not have any means of retrieving your access keys from the keychain and we are not able to access your AWS infrastructure on your behalf. Only the copy of Pocket Console on your iOS device has access to the keys, and then only when the device is unlocked.

We also recommend that you set up CloudTrail. CloudTrail will log all calls that are made on your AWS infrastructure, including those made by Pocket Console.

Why do hybrid accounts require iOS 8?

Hybrid accounts use a new feature within iOS 8 known as Local Authentication. It is a method which provides additional security to parts of the application, or additional layers of protection to items in the device Keychain.

When you attempt to perform an operation on a hybrid account that requires elevated privileges, Pocket Console will use the Local Authentication framework to verify your presence. This is typically achieved via Touch ID, if your iOS device supports it, or by asking you to re-enter your passcode.

Why should I trust Pocket Console with my AWS credentials?

Security and trust are very important to us. Our business and apps are built off the back of our reputation, and this requires that we expend every effort possible to ensure the security of the information you provide to Pocket Console.

Secure Storage

Any access keys you provide to Pocket Console are stored securely within the iOS Keychain. Items within the keychain are encrypted using your passcode and are only available to Pocket Console to use when your device is unlocked. When you lock your device, or Pocket Console is in the background, it is unable to access the keychain and therefore your AWS infrastructure.

No Transmission

Your access keys never leave your device. At no time are they transmitted by Pocket Console anywhere. They are not sent to our servers. They are not sent to any third party services. And they are not even transmitted to AWS.

Your access and secret keys are used only to calculate the signatures required to access the AWS APIs. It is these signatures, and not your access keys, that are transmitted. The signature is transmitted only to AWS and is only valid for the API call that it was calculated for.
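How a per-request signature of this kind is computed, as an added example that is not Pocket Console's code. It assumes AWS Signature Version 4 (the page does not say which signing version the app uses), and the key ID, secret and request are constructed. In this scheme the secret access key is only ever HMAC key material, while the access key ID, an identifier rather than a secret, is named in the Credential field.

```python
import hashlib
import hmac

ACCESS_KEY_ID = "AKIAEXAMPLEKEYID0000"              # constructed, not a real key
SECRET_KEY = "constructed-secret-for-illustration"  # constructed, not a real key

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def sign_request(method, host, path, query, body, amz_date, region, service,
                 access_key_id=ACCESS_KEY_ID, secret_key=SECRET_KEY):
    """Return the headers sent on the wire for one API call.
    `query` must already be in canonical form (sorted, URL-encoded)."""
    date = amz_date[:8]
    signed_headers = "host;x-amz-date"
    canonical_request = "\n".join([
        method, path, query,
        f"host:{host}\nx-amz-date:{amz_date}\n",  # canonical headers
        signed_headers, _sha256_hex(body)])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request)])
    # Derive a key bound to this date, region and service from the secret.
    key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {
        "Host": host,
        "X-Amz-Date": amz_date,
        "Authorization": f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                         f"SignedHeaders={signed_headers}, Signature={signature}",
    }

def signature_of(headers):
    """Extract the hex signature from the Authorization header."""
    return headers["Authorization"].rsplit("Signature=", 1)[1]
```

Because the method, path, query, body hash and timestamp all feed the signed string, a signature captured for one call does not verify for a different call.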

Backups

Your AWS access keys can only leave your device as part of encrypted iOS backups, and you should definitely back up your iOS devices. If you elect not to encrypt your iOS backups (it is a checkbox in iTunes), then your keychain is not backed up. This means that when you restore your iOS device from a backup, your accounts will appear in Pocket Console, but your access keys will not work and the accounts will need to be re-created.
