There are a couple of ways to get in touch with us:
Within the app you can access these FAQ questions, as well as leave feedback. At the bottom of the main menu there is a Pocket Console section, and a feedback item.
You can find Pocket Console on Twitter. Our account is @pocketaws.
At the moment we are focused on providing the best possible mobile console experience for AWS.
This is a large undertaking. We feel that attempting to support multiple cloud providers at this stage will require degrading the experience, preventing us from making it as good as it can be.
Editions of Pocket Console for other cloud providers may be considered in the future.
Our goal is to make Pocket Console the best mobile console for AWS. To do so, we are focusing our resources to ensure that we can deliver on this promise for iOS.
This does not mean an Android version will not be built, but for the moment it means that our limited resources are focused on providing the best app we can for iOS.
The official AWS Console mobile app suits any number of use cases, but for the most part it is read-only.
You cannot run instances, or create auto scaling groups, or load balancers. You can’t effectively manage your AWS infrastructure using the official app alone.
Now, if your needs are fully met by the official AWS Console app, then Pocket Console is not for you. However, if you find yourself limited by the official app and need something more, then we believe Pocket Console is right up your alley, and certainly worth a modest investment to upgrade.
Short answer: maybe.
If the AWS Management Console feature is for an AWS product that is already supported by Pocket Console, then there is usually a technical or feasibility consideration that is preventing it from being included in Pocket Console.
If it is for an AWS product that Pocket Console does not yet support, there is a very good chance the feature would be included when support is added.
Your best bet is to get in touch with us and we’ll see what we can do.
Short Answer: Yes.
Ultimately, we want you to be able to manage your entire AWS infrastructure in Pocket Console. It is only a matter of where in the roadmap each AWS product appears.
Right now, the roadmap is not set in stone. It is determined for the next two releases at a time. Beyond that, we offer our users the option to inform the roadmap by voting for the products you want to see. The most popular AWS product may not be the next one implemented though, as technical complexity and feasibility also need to be considered.
As of version 1.1, the following AWS products are fully supported:
There is also limited support for Amazon CloudWatch within these services through inline graphs and alarm status buttons. Full support for CloudWatch will be released soon.
When we implement a feature in Pocket Console we want to make sure it is done right. At the time we were finalizing the 1.0 release (around the time iOS 8 was released) there was no easy way for us to provide support for Key Pairs within Pocket Console.
This is not only from a security perspective, which we can now mitigate with Touch ID, but also from a usability perspective. After you create a key pair in Pocket Console, how would you get it out to your terminal app so you could log in?
Fortunately, this is something that we are able to address. File sharing apps such as Panic’s Transmit for iOS and others are appearing that integrate with the standard document share sheets in iOS 8, so you could easily upload the key pair to a bastion host or your local workstation for usage.
Similarly, we’re in discussion with a number of iOS SSH applications about being able to launch these directly while passing in the key pair.
Once we can offer key pair support that we are satisfied with, it will make its way into the next release.
There are some AWS Management Console features, such as the Limits and Reports section of the EC2 Management Console, that AWS do not provide API access for.
We have chosen not to support features that are not present in the API, as they are unstable, could change at any time, and may break without notice. We do not feel this provides the best experience for our users.
Pocket Console stores your AWS keys within the iOS Keychain. Items in the keychain are encrypted using your passcode and a device token and stored within a secure enclave on your iOS Device.
Pocket Console instructs the keychain that your AWS keys can only be used if the device is unlocked (i.e. you’ve entered your passcode), so they are protected from tampering or theft as long as your device remains secure and locked.
As a further measure, if you are using iOS 8 or above, Pocket Console will flag your Administrator AWS keys as requiring the user’s presence. This means that operations against your AWS infrastructure will require your fingerprint before they can proceed. If your device does not support Touch ID you can use your passcode instead.
Pocket Console will require your fingerprint for access to your Administrator AWS keys no more than once every 5 minutes.
Like every application (both official AWS ones and third party ones), Pocket Console uses the AWS APIs to manage your resources. In 2014, AWS introduced a new service known as CloudTrail which records all calls to the AWS APIs and provides them to you in a log file.
You can think of CloudTrail as an audit log of everything that happens on your AWS infrastructure. It is a very good idea to enable it and then regularly review the logs, either directly or with third party CloudTrail analysis tools.
Every call that Pocket Console makes on your behalf will be logged in CloudTrail.
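One way to review those logs for the IAM user whose keys the app holds, as an added example that is not Pocket Console's own code: it lists the user's mutating calls and flags gaps between CreateAccessKey events longer than the 48-hour rotation period this page describes. The user name "pocket-console-admin", the sample records and the read-call prefix heuristic are assumptions.

```python
import json
from datetime import datetime, timedelta

READ_PREFIXES = ("Describe", "List", "Get")   # heuristic for non-mutating calls
ROTATION_INTERVAL = timedelta(hours=48)       # rotation period stated on this page

def rec(time, name, user="pocket-console-admin"):
    """Build one constructed CloudTrail-style record (hypothetical user name)."""
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user}}

# Constructed sample, not real log data.
SAMPLE_LOG = json.dumps({"Records": [
    rec("2014-11-01T09:00:00Z", "CreateAccessKey"),
    rec("2014-11-01T09:00:05Z", "DeleteAccessKey"),
    rec("2014-11-02T14:10:00Z", "DescribeInstances"),
    rec("2014-11-02T14:12:30Z", "RunInstances"),
    rec("2014-11-02T15:00:00Z", "TerminateInstances", user="someone-else"),
    rec("2014-11-03T09:00:00Z", "CreateAccessKey"),
    rec("2014-11-03T09:00:04Z", "DeleteAccessKey"),
    rec("2014-11-07T18:30:00Z", "CreateAccessKey"),   # more than 48 hours late
]})

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def events_for(log_text, user):
    """Return the user's records from a CloudTrail log file, oldest first."""
    records = json.loads(log_text).get("Records", [])
    mine = [r for r in records
            if r.get("userIdentity", {}).get("userName") == user]
    return sorted(mine, key=lambda r: parse_time(r["eventTime"]))

def mutating_calls(events):
    """Calls that changed something, to compare with what you remember doing."""
    return [(e["eventTime"], e["eventName"]) for e in events
            if not e["eventName"].startswith(READ_PREFIXES)]

def overdue_rotations(events, limit=ROTATION_INTERVAL):
    """Consecutive CreateAccessKey times that are further apart than limit."""
    created = [parse_time(e["eventTime"]) for e in events
               if e["eventName"] == "CreateAccessKey"]
    return [(a, b) for a, b in zip(created, created[1:]) if b - a > limit]

if __name__ == "__main__":
    events = events_for(SAMPLE_LOG, "pocket-console-admin")
    for when, name in mutating_calls(events):
        print(when, name)
    for a, b in overdue_rotations(events):
        print("rotation gap:", a.isoformat(), "->", b.isoformat())
```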
Firstly, do not enter your root AWS keys into Pocket Console as you cannot alter the permissions these keys have.
If you are using an IAM user’s keys within Pocket Console you can log in to the AWS Management Console and edit the permissions the user has. You can find this within IAM -> Users -> Manage User Policies.
Pocket Console does not require any specific permissions in order to be used, only those required for the features of Pocket Console you wish to use.
For example, if you wish to be able to launch instances you will need the EC2 RunInstances permission, but also several other permissions, such as creating tags, listing Key Pairs, IAM Users and images, etc.
If you wish to enable key rotation, you will need the IAM permissions CreateAccessKey, DeleteAccessKey and ListAccessKeys.
If you are using a Pocket Console created IAM user, you can find the username by editing the account information:
Hybrid accounts work by wrapping your administrator access key pair in additional security. When you are using Pocket Console we will use your read only key pair for everyday operations that do not modify your AWS infrastructure. When you attempt an operation that would modify your AWS infrastructure, Pocket Console will confirm your presence using Touch ID, either by fingerprint or passcode.
Once confirmed, we decrypt your administrator access keys and perform the operation as normal. You will not be prompted to confirm your presence more than once every 5 minutes.
Pocket Console can rotate your access keys on your behalf in order to improve the security of your account.
Key Rotation provides an additional level of protection by ensuring that your keys are short lived. So even if someone were to obtain your access keys, they would only be valid for a short period of time.
If enabled for an account, Pocket Console will rotate the keys for its associated IAM users every 48 hours. Only the keys that Pocket Console uses will be rotated; other IAM users will not be affected.
When creating IAM users on your behalf, Pocket Console will use the standard AWS sample policies.
Pocket Console uses the AWS-provided “Read Only Access” sample policy. You can view the sample policy by logging into the IAM Management Console and creating a user, group or role policy for an existing resource. Once there, you can also adjust the permissions that your Pocket Console IAM user has.
Pocket Console uses the AWS-provided “Administrator Access” sample policy. You can view the sample policy by logging into the IAM Management Console and creating a user, group or role policy for an existing resource. Once there, you can also adjust the permissions that your Pocket Console IAM user has.
Note that Pocket Console does not update the policies on accounts once they have been created. For example, when AWS introduces new services and features, your account in Pocket Console may not automatically gain access to those services. Your best bet is to log in to the IAM console, remove the existing policy from your Pocket Console IAM user, and create it again from the desired policy template.
TL;DR: only you.
Your access keys are stored encrypted in the iOS Keychain. They are never transmitted by Pocket Console to anywhere. Only the signatures that are required to access the AWS APIs leave your device.
We do not have any means of retrieving your access keys from the keychain and we are not able to access your AWS infrastructure on your behalf. Only the copy of Pocket Console on your iOS device has access to the keys, and then only when the device is unlocked.
We also recommend that you set up CloudTrail. CloudTrail will log all calls that are made on your AWS infrastructure, including those made by Pocket Console.
Hybrid accounts use a new feature within iOS 8 known as Local Authentication. It is a method which provides additional security to parts of the application, or additional layers of protection to items in the device Keychain.
When you attempt to perform an operation on a hybrid account that requires elevated privileges, Pocket Console will use the Local Authentication framework to verify your presence. This is typically achieved via Touch ID, if your iOS device supports it, or by asking you to re-enter your passcode.
Security and trust are very important to us. Our business and apps are built off the back of our reputation, and this requires that we expend every effort possible to ensure the security of the information you provide to Pocket Console.
Any access keys you provide to Pocket Console are stored securely within the iOS Keychain. Items within the keychain are encrypted using your passcode and are only available to Pocket Console to use when your device is unlocked. When you lock your device, or Pocket Console is in the background, it is unable to access the keychain and therefore your AWS infrastructure.
Your access keys never leave your device. At no time are they transmitted by Pocket Console anywhere. They are not sent to our servers. They are not sent to any third party services. And they are not even transmitted to AWS.
Your access and secret keys are used only to calculate the signatures required to access the AWS APIs. It is these signatures, and not your access keys, that are transmitted. The signature is transmitted only to AWS and is only valid for the API call that it was calculated for.
Your AWS access keys can only leave your device as part of encrypted iOS backups, and you should definitely back up your iOS devices. If you elect not to encrypt your iOS backups (it is a checkbox in iTunes), then your keychain is not backed up. This means that when you restore your iOS device from a backup, your accounts will appear in Pocket Console, but your access keys will not work and the accounts will need to be re-created.
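The signing step this answer describes, as an added example that is not Pocket Console's own code: it assumes AWS Signature Version 4 (the page does not say which signing version the app uses) and shows that the request header carries the access key ID and a signature bound to one request, while the secret access key stays local. The credentials are AWS's documentation placeholders; the timestamp, instance ID and request bodies are constructed.

```python
import hashlib
import hmac

# AWS's published documentation placeholders, not real credentials.
KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def authorization_header(key_id, secret, amz_date, region, service, host, body):
    """SigV4 Authorization header for a form-encoded POST to '/'."""
    date = amz_date[:8]
    headers = {"content-type": "application/x-www-form-urlencoded; charset=utf-8",
               "host": host, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    canonical_request = "\n".join([
        "POST", "/", "",  # method, path, empty query string
        "".join(f"{name}:{headers[name]}\n" for name in sorted(headers)),
        signed, _sha256_hex(body)])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request)])
    # The secret only seeds this HMAC chain; it is never placed in the request.
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    # Credential carries the access key ID (an identifier) and the scope.
    return (f"AWS4-HMAC-SHA256 Credential={key_id}/{scope}, "
            f"SignedHeaders={signed}, Signature={signature}")

def demo():
    """Sign two constructed EC2 calls that differ only in their body."""
    common = (KEY_ID, SECRET, "20141101T090000Z", "us-east-1", "ec2",
              "ec2.us-east-1.amazonaws.com")
    read = authorization_header(*common, "Action=DescribeInstances&Version=2014-10-01")
    write = authorization_header(
        *common, "Action=TerminateInstances&InstanceId.1=i-0example&Version=2014-10-01")
    return read, write

if __name__ == "__main__":
    for header in demo():
        print(header)
```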