Temporary elevated access for AWS accounts
All access to your AWS account involves some level of privilege. Sensitive operations, such as changing the configuration for a high-value resource, for example, a production environment, require special treatment due to scope and potential impact. Temporary elevated access (also known as just-in-time access) is a way to request, approve, and track the use of a permission to perform a specific task during a specified time. Temporary elevated access supplements other forms of access control, such as permission sets and multi-factor authentication.
AWS IAM Identity Center provides the following options for temporary elevated access management in different business and technical environments:
-
Vendor-managed and supported solutions – AWS has validated the IAM Identity Center integrations of select partner offerings and assessed their capabilities against a common set of customer requirements. Choose the solution that best aligns with your scenario and follow the provider’s guidance to enable the capability with IAM Identity Center.
-
Self-managed and self-supported – This option provides a starting point if you are interested in temporary elevated access to AWS only and you can deploy, tailor, and maintain the capability by yourself. For more information, see Temporary elevated access management (TEAM)
.
Validated AWS Security Partners for temporary elevated access
AWS Security Partners use different approaches to address a common set of temporary elevated access requirements. We recommend that you review each partner solution carefully, so that you can choose one that best fits your needs and preferences, including your business, the architecture of your cloud environment, and your budget.
Note
For disaster recovery, we recommend that you set up emergency access to the AWS Management Console before a disruption occurs.
AWS Identity has validated the capabilities and integration with IAM Identity Center for the following just-in-time offerings by AWS Security Partners:
-
CyberArk Secure Cloud Access
– Part of the CyberArk Identity Security Platform, this offering provisions on-demand elevated access to AWS and multi-cloud environments. Approvals are addressed through integration with either ITSM or ChatOps tooling. All sessions can be recorded for audit and compliance. -
Tenable (previously Ermetic)
– The Tenable platform includes provisioning of just-in-time privileged access for administrative operations in AWS and multi-cloud environments. Session logs from all cloud environments, including AWS CloudTrail access logs, are available in a single interface for analysis and audit. The capability integrates with enterprise and developer tools such as Slack and Microsoft Teams. -
Okta Access Requests
– Part of Okta Identity Governance, enables you to configure a just-in-time access request workflow using Okta as an IAM Identity Center external identity provider (IdP) and your IAM Identity Center permission sets.
This list will be updated as AWS validates the capabilities of additional partner solutions and integration of these solutions with IAM Identity Center.
Note
If you are using resource-based policies, Amazon Elastic Kubernetes Service (Amazon EKS), or AWS Key Management Service (AWS KMS), see Referencing permission sets in resource policies, Amazon EKS Cluster config maps, and AWS KMS key policies before you choose your just-in-time solution.
Temporary elevated access capabilities assessed for AWS partner validation
AWS Identity has validated that the temporary elevated access capabilities
offered by CyberArk Secure Cloud Access
-
Users can request access to a permission set for a user-specified time period, specifying the AWS account, permission set, time period, and reason.
-
Users can receive approval status for their request.
-
Users can't invoke a session with a given scope, unless there is an approved request with the same scope and they invoke the session during the approved time period.
-
There is a way to specify who can approve requests.
-
Approvers can't approve their own requests.
-
Approvers have a list of pending, approved, and rejected requests and can export it for auditors.
-
Approvers can approve and reject pending requests.
-
Approvers can add a note explaining their decision.
-
Approvers can revoke an approved request, preventing future use of elevated access.
Note
If a user is signed in with elevated access when an approved request is revoked, their session remains active for up to one hour after the approval is revoked. For information about authentication sessions, see Authentication in IAM Identity Center.
-
User actions and approvals are available for audit.