SSH · AWS ECS Fargate · Browser-Native

Warden

Terminal access that knows who’s watching.

A self-hosted, browser-based terminal for SSH servers and AWS ECS containers. Passkey auth, time-boxed access approvals, encrypted session recording, and live session sharing — no browser extensions required.

Passkey Auth · No Browser Extensions · Your Infra, Your Data · Written in Go

1 Docker Compose File to Deploy

0 Passwords — Passkey Auth

AES-256 Encrypted Session Recording

100% Self-Hosted on Your Infrastructure

What Is Warden

A controlled access layer for production infrastructure.

Warden isn’t a terminal stapled to a login page. It’s a self-hosted access layer between your team and your servers — one Docker Compose file and a PostgreSQL database. Sessions, recordings, and credentials never leave your network. No SaaS, no callbacks, no phone-home.

Fully Self-Hosted · Passkey Authentication · Zero Client Requirements

access grant · audit trail
# environment: prod-cluster · restricted

[09:12:01] REQUEST  alice@acme.com · 2h · "deploy hotfix"
[09:12:18] APPROVED by joe@agilesecops.com
[09:12:20] CONNECT  ubuntu@prod-01 · session a3f9c
[11:12:20] EXPIRED  grant window closed
[11:12:20] KILLED   1 active session terminated

# every request, decision & connection is auditable

Everything Your Security Team Actually Asked For

Time-Boxed Access Approvals

Gate environments behind approver-granted, time-limited grants. Users submit justification; approvers approve or deny. The gate re-validates on every reconnect — and terminates sessions the moment a grant expires.

full audit trail

Encrypted Session Recording

Opt-in per environment. Sessions captured as asciicast v2, AES-256-GCM encrypted on disk. Admins get full playback with speed control and scrubbing in the admin UI, plus the option to download.

asciicast v2 · aes-256-gcm

Resumable Sessions

Close the tab, shut the laptop — the session keeps running server-side. Reattach from any browser and the full scrollback replays. Sessions idle out after a configurable window if no one reconnects.

configurable idle timeout

Live Session Sharing

Share a running terminal as view-only or give full control. Viewers can request control and be upgraded live by the session owner — for incident response, pair debugging, and onboarding walkthroughs.

view-only or full control

AWS ECS Exec

Exec into Fargate containers without handing AWS credentials to users. Admin-managed accounts are stored AES-256-GCM encrypted; users pick by name. Browse running tasks in-UI before connecting.

Fargate · SSM · least privilege

Multi-Tab, Tile & Broadcast

Many connections at once, side-by-side in tile layout. Optional broadcast mode sends keystrokes to all open terminals simultaneously — useful for coordinated deploys and fleet operations.

broadcast input

Access Approvals

Least privilege, enforced automatically.

Define environments — a prod cluster, an SSH host pattern, an ECS account — mark them restricted, and attach approvers. Warden handles every step from request banner to grant expiry.

01 User Requests Access

From the terminal page, the user selects an environment, specifies a duration and justification, and submits.

02 Approver Is Notified

Approvers see a live banner on their terminal page. Admins can also grant directly from the Access Grants table.

03 Grant Issued

An approved, time-boxed grant is recorded — who approved, when, for how long, and the original justification.

04 Gate Checked at Connect

Warden validates the grant before every new connection and on every reattach. No stale access persists.

05 Grant Expires → Session Killed

When the grant window closes, running sessions in that environment are terminated automatically — no exceptions.

06 Everything Is Auditable

Admin → Access Grants shows every request, decision, and connection against each grant, exportable at any time.
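
A minimal sketch of the gate logic in steps 04 and 05, added here as an illustration and not Warden's own code. The `Grant` and `Session` types and the `Allowed`, `Reattach` and `Sweep` functions are hypothetical names, and grants are held in memory rather than in PostgreSQL.

```go
package main

import (
	"fmt"
	"time"
)

// Grant and Session are hypothetical types for this sketch, not Warden's own.
type Grant struct {
	User, Env string
	Expires   time.Time
}

type Session struct {
	User, Env string
	Killed    bool
}

// Allowed is the gate. It fails closed: no unexpired matching grant, no access.
func Allowed(grants []Grant, user, env string, now time.Time) bool {
	for _, g := range grants {
		if g.User == user && g.Env == env && now.Before(g.Expires) {
			return true
		}
	}
	return false
}

// Reattach re-runs the gate instead of trusting the original connect decision.
func Reattach(grants []Grant, s *Session, now time.Time) bool {
	return !s.Killed && Allowed(grants, s.User, s.Env, now)
}

// Sweep terminates sessions whose grant has lapsed and returns the count.
func Sweep(grants []Grant, sessions []*Session, now time.Time) (killed int) {
	for _, s := range sessions {
		if !s.Killed && !Allowed(grants, s.User, s.Env, now) {
			s.Killed = true
			killed++
		}
	}
	return killed
}

func main() {
	t0 := time.Date(2024, 1, 1, 9, 12, 18, 0, time.UTC) // constructed sample time
	grants := []Grant{{"alice", "prod-cluster", t0.Add(2 * time.Hour)}}
	s := &Session{User: "alice", Env: "prod-cluster"}
	fmt.Println(Reattach(grants, s, t0.Add(time.Hour)), Sweep(grants, []*Session{s}, t0.Add(2*time.Hour)))
}
```

The expiry comparison is strict, so a session is denied and swept at the exact instant the grant window closes, and a killed session stays dead even if a fresh grant is issued later.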

Quick Start

Up in three commands.

Docker Compose bundles the Go binary, PostgreSQL, and the AWS CLI + session-manager-plugin needed for ECS connections.

Docker + Compose: Recommended. AWS CLI and SSM plugin are bundled automatically in the image.
An Encryption Key: openssl rand -base64 32, set in .env before first run; guards stored credentials and recordings.
PostgreSQL 14+: Included in the Compose stack, or point DATABASE_URL at your own instance.
docker compose · recommended
# 1. Configure your environment
cp .env.example .env

# 2. Generate ENCRYPTION_KEY and set it in .env
openssl rand -base64 32   # paste the output as the ENCRYPTION_KEY value in .env

# 3. Start Warden + PostgreSQL
docker compose up --build

# Warden prints a setup link on first run:
# → http://localhost:8080/setup/…
# Open it to create the initial admin account.

For production: put TLS in front with the included Caddyfile and set SECURE_COOKIES=true + TRUST_PROXY=true. The Docker image runs as non-root user warden (UID 1000) with a read-only root filesystem.
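
The ENCRYPTION_KEY from the quick start guards recordings that are stored AES-256-GCM encrypted. The following added example (not Warden's code) shows how such a key can be validated and used to seal one asciicast v2 event line. The function names, the nonce-prefixed blob layout and the use of a session id as associated data are assumptions of this sketch, not Warden's on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewAEAD decodes a key as printed by `openssl rand -base64 32` and builds
// AES-256-GCM. Any other key length is rejected rather than silently accepted.
func NewAEAD(b64 string) (cipher.AEAD, error) {
	key, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(key) != 32 {
		return nil, errors.New("ENCRYPTION_KEY must be base64 of exactly 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal prepends a fresh random nonce to the ciphertext. aad (assumed here to
// be the session id) is authenticated but not encrypted.
func Seal(a cipher.AEAD, plain, aad []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, plain, aad), nil
}

// Open returns an error if the nonce, ciphertext, tag or aad was altered.
func Open(a cipher.AEAD, blob, aad []byte) ([]byte, error) {
	n := a.NonceSize()
	if len(blob) < n {
		return nil, errors.New("recording blob too short")
	}
	return a.Open(nil, blob[:n], blob[n:], aad)
}

func main() {
	a, _ := NewAEAD(base64.StdEncoding.EncodeToString(make([]byte, 32))) // constructed all-zero demo key
	blob, _ := Seal(a, []byte(`[0.5, "o", "$ "]`), []byte("a3f9c"))
	_, err := Open(a, blob, []byte("other-session"))
	fmt.Println(len(blob), err)
}
```

Binding the session id as associated data means a recording copied under another session's name fails authentication instead of playing back.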

Put Warden in front of your infrastructure.

Runs entirely on your own infrastructure — a single Go binary and a static UI, with no build step. Get in touch with the AgileSecOps team for a walkthrough and a deployment plan tailored to your environment.

Get a Demo

info@agilesecops.com