Sym and Jellyfish: Reducing AWS Access for SOC 2 Compliance

Sandy Kwon
May 2, 2023

About Jellyfish

Jellyfish is an Engineering Management Platform that enables engineering leaders to align engineering work with strategic business objectives. By analyzing engineering signals and contextual business data, Jellyfish provides complete visibility into engineering organizations, the work they do, and how they operate.

To-date, they’ve raised $114.5M from investors like Accel, Tiger Global, and Insight Partners. Their customers include PagerDuty, Salsify, Session M (A Mastercard Company), and Toast.

Meet the team





Phil Kelly, Head of IT

Leading up to Phil’s roles as an IT leader, he built his experience in functions including IT operations, Systems Administration, and Infrastructure Engineering for organizations like C Space, Battery Ventures, and the Gillette Stadium.  





James Kirk, Head of Security and Privacy

Prior to Jellyfish, James held various Information Systems Security Manager and Security Consultant roles for organizations like DataDog, Rapid7, The U.S Department of Defense, The U.S Navy, and Microsoft.  





David Liming, IT Engineer

As a long standing Cloud Engineer, David has focused on security, infrastructure as code, and automation at companies like C Space and NGP VAN.  

The Opportunity: Reducing overly permissive AWS access

When Jellyfish first connected with Sym, they had wrapped up a SOC 2 audit and an exception came back asking who had production access. At the time, everyone on the engineering team had more access than necessary to complete their day-to-day tasks. Anyone who requested admin access to the AWS console would get it permanently. It was a growing problem that they were aware of and that they needed to fix.

The team urgently needed a tool that would allow them to provision access to users on a temporary basis, but also wanted a tool that would eliminate overhead by managing revocation automatically.

Phil Kelly joined Jellyfish shortly after Sym was officially brought on as a vendor partner. His short-term solution to managing access requests was to have employees send requests in Slack, and then manage those requests via a manual ticketing system. “It just created a lot more work for myself for the sake of documentation.”

The Solution: Automated approval and revocation requests in AWS

Once Phil was given the keys to Sym, he and David Liming got to work on implementation. Their organization already worked in Terraform so he knew that Sym would be a natural solution.

Their primary use case was to manage their organization’s overly permissive AWS access. This effort was two-fold: 1. They needed to eliminate broad-admin access from the whole organization and 2. Restrict role permissions that were outside of the necessary scope. To do this, their team reviewed all of the IAM policies that have been used by the team in the past year and set a wildcard admin role that would only enable access to things that were looked on, and gated it with Sym.

Adoption from their Engineering and Success organizations was initially met with skepticism. Going from broad access to gated access appeared like a forfeiture of privileges. However, once the team realized that they were able to continue maintaining requests in Slack and that the approval also gave them access, the company experienced near-immediate adoption. Within 3 months of launching Sym, David and Phil handled over 1000 approvals with a majority of the request durations being under an hour. The team assimilated quickly to the new culture of on-demand access and revocation on an as-needed basis.

Upon seeing the successful adoption of the initial workflow, they got started on a second use case to enable admin access to a custom admin portal for data used by their engineers, success team, and sales engineers. This process would automate a workflow that was being done manually, saving time for all parties involved.

The impact: Fast moving engineering and success teams with reduced security risks and overhead

Since implementing Sym, Phil has seen observed a number of immediate benefits for the organization and for himself personally:

  • Speed: Now that approval, access, and revocation is all handled with the click of a Slack button, Phil and his team have been able to handle an exponential number of requests at a faster speed, giving teams immediate access they need to do work that impacts customers. “It really helps our engineering teams and our success teams move fast while staying secure.”
  • Security: With the growing number of breaches, he now has the peace of mind that he’s able to lock down infrastructure and protect the organization even more from breaches. “It came up in a customer request to our security team. ‘If you have an incident and you give production access to an engineer, how do you know that that access is being revoked?’ Our security engineer was able to say ‘Oh yea, we use Sym.’”
  • Compliance: The team feels much more prepared for their upcoming SOC 2 Type 2 audit and have high confidence around their newly implemented access policies for production based access. In addition to having a full log of evidence in Slack, the team is also able to send channel logs to a data warehouse using AWS Kinesis - which is beneficial in any instances of access investigation.

As for what’s next, Phil and David are looking to expand adoption of their customer-data access use case to include the entire organization, including Sales and Marketing teams. Additionally, they’re eyeing Sym’s PagerDuty integration as their next major workflow to enable fast-tracked approvals using on-call schedules.

Recommended Posts