Identity and access management (IAM) features are standard in all major cloud platforms, including Amazon Web Services (AWS). These features give administrators control over who (or what) can take action on specific resources. The IAM user in AWS can be leveraged to assign permissions, and it can be configured to provide just-in-time (JIT) access, a foundational security feature that grants time-limited, as-needed access to specific cloud applications and services. But it’s not the best way to achieve JIT access in AWS. Let’s take a look at the connection between IAM users and JIT access, the limitations that come with relying on native AWS security tools, and how using a privileged access management (PAM) solution can provide significant advantages.
Identities in AWS
IAM users are one of three identities in AWS (along with user groups and roles). The IAM user provides the most specific way to assign access to an individual human or synthetic user.
IAM Users in AWS
In AWS, the IAM user is the most basic unit of permissioned access. An IAM user can either be a human or a service account that requires access to certain resources. Users are granted permissions by attaching a permissions policy to the user or by adding them to a user group where the group permission is automatically applied to each member of the group. In AWS IAM, policies define the permissions of the user, user group, or roles.
User Groups and Roles in AWS
A user group is a collection of users, most often made up of users with similar access needs. Groups are an easy way for admins to logically organize users based on similarities in the permissions they require, managing resource access for the group rather than individually. Common examples may include a group for developers or a group for system admins. IAM policies can be applied to user groups, with a maximum of ten policies per group.
Roles
Roles share many similarities with users, but roles aren’t connected to individuals. Instead, roles allow an AWS user or service to temporarily assume the permissions required to complete a specific task. They can be assigned to IAM users in AWS or external users. Roles are used to grant access to a trusted entity on a time-limited basis. Like IAM users and user groups, a permissions policy can be attached to a role, and is used to govern resource access for the user that has assumed the role.
Problems with Relying on AWS IAM Users, Groups, and Roles for JIT Access
AWS offers an impressive collection of security tools that, when configured correctly, can provide robust security for an organization’s cloud-based assets. But the sheer complexity of maintaining these configurations in AWS for a strong security stance can be overwhelming. Here are a few reasons why achieving JIT access via AWS IAM users, groups, and roles is such a heavy lift.
Requires using many services
Temporary elevated access (the AWS term for JIT access) can be achieved in AWS, but it requires using multiple services. AWS IAM is used to define fine-grained permissions for users, groups, and roles and to restrict access to specific resources based on the time of day or other conditions. AWS Security Token Service (STS) is used to create temporary, limited-privilege credentials that can be used to access specific resources. Other services that provide additional components for JIT access include AWS Certificate Manager (ACM), AWS Key Management Service (KMS), and AWS Directory Service.
Creating JIT access within AWS is a complex process. Although it’s possible to string together multiple services to achieve it, there are better options such as using a PAM solution that provides JIT access across an organization’s entire multi-cloud network.
Security settings do not extend to cross-cloud environments
Engineers relying on native IAM must fully understand the features and necessary IAM configuration for each cloud platform their organization uses — AWS, Google Cloud Platform (GCP), Microsoft Azure, etc. Although implementing a multi-cloud strategy has many benefits, operational complexity can pose a significant challenge for security teams.
A Better Way to Achieve JIT Access for AWS
A PAM solution effectively solves both challenges associated with setting up JIT access in AWS. PAM platforms reduce the complexity of managing permissioning in a multi-cloud environment, helping organizations properly secure their cloud-based assets in a streamlined manner. By automating security across AWS and other cloud platforms, a PAM platform ensures access policies and permissions are consistently enforced. Here are four core capabilities.
Dynamic permissioning for JIT access
When users have round-the-clock access to sensitive resources, an organization’s blast radius is much larger. Dynamic JIT permissioning addresses this problem by automatically granting users a specific set of permissions required to complete a task for the minimum amount of time required to complete it (and then revoking access), so inactive users don’t retain access to resources unnecessarily.
Align with least privilege in cross-cloud environments
When users have more permissions than those required to complete their work, they create an unnecessary security vulnerability. But discovering and eliminating these excess privileges is a difficult and time-consuming task. A PAM platform helps system admins quickly identify and eliminate unnecessary user privileges, right-sizing those privileges to minimize the risk they pose to organizational security.
Proactively monitoring for enhanced security
With resources spread across multiple cloud providers and applications, gaining a clear picture of who has access to which resources is incredibly difficult. A PAM platform helps security teams identify and resolve security vulnerabilities such as misconfigurations and high-risk permissions, across all of the organization’s SaaS, IaaS, PaaS, and DaaS solutions.
Strengthen cybersecurity stance by incorporating cloud privileges and activity data
A PAM platform proactively monitors access changes, and policy drift, and flags risky behaviors that create security vulnerabilities. This data can be fed into an organization’s UEBA/SIEM system or security data lake to provide centralized insight into cloud privileges and activity, offering deeper context for security teams. In addition, data gathered from the PAM platform can be used in post-incident, identity-based security investigations.
A Modern Approach to JIT Access for AWS
Although AWS provides an extensive collection of security tools, the complexity of configuring them properly can prove overwhelming. As more companies pivot to a multi-cloud strategy, achieving JIT access using native security settings in every cloud environment is simply not feasible. A PAM platform is a better way for applying JIT access across an organization’s entire cloud-based infrastructure with seamless integration and a powerful suite of cloud security tools.
Read Why Organizations are Leveraging Ready-Built JIT Temporary Access to Secure and Scale in AWS to learn more about achieving automated JIT access in AWS and multi-cloud environments.
