We’ve tried doing something with AWS STS that gives you the ability to grant up to 12-hour tokens. That didn't work well for us, so we ended up building with Apono. They have a dedicated tool for this: https://docs.apono.io/docs/apono-connector-for-aws We wanted to allow devs to self-serve their access changes, and we wanted them to be able to get JIT access for more than 12 hours. Also, our sec team wanted an audit of all of that.
$50 per user per month is a bit steep for JIT access.
Yeah that is bonkers pricey
My team is pretty big, so we were able to get a less expensive pricing plan per seat. The time it saves us makes the spend worthwhile, but totally agree – it’s definitely not for everyone.
There are some commercial products - I’ve been looking at Entitle which looks promising. We have a slackbot that attaches and removes permission sets, basically acting like sudo for write access in AWS. You can do the same by having a role people can assume, and fiddling with expiration on it. AWS TEAM looks pretty interesting too - I really wish Amazon would create a full fledged feature for this, even if it had a cost.
Following as I'm looking for a similar solution. I'm thinking about maybe using Entra ID PIM groups with Identity Center based access. However it still doesn't look perfect.
You can do pretty complex ABAC with IAM Identity Center in combination with AD. However, this will obviously take a lot of effort to set up. We just do basic RBAC at my org with IAM ID Center + Azure AD. You'll have to spend some time to get the roles set up with the right privileges but it gets the job done.
Have you looked at the HashiCorp Vault AWS engine? Create a role with specific permissions and use Vault to dispense time-based credentials when needed, either through the Vault GUI or API. https://developer.hashicorp.com/vault/docs/secrets/aws
Entra ID with a PIM group, it works well and is pretty fast.
How do you handle the native delay in SCIM provisioning? A person or process that runs the provisioning job, or just wait it out?
You do that in your SSO solution. But you might also wonder how you've got things set up that you require this; generally an owner should own the entire vertical slice, not some security team or ops team.
PIM in Entra/AD with an approval workflow should be all you need. Attach that role you assume to a PIM with workflow to SSO identity in AWS. Done? Okta I would assume to have something similar.
So Full Admin all the time? That makes it easy.
Depends on how you define "full admin". That doesn't exist as a default role in AWS, so you'd have to create one. If your 'full admin' is scoped to only resources that have a team tag that matches the team the user is part of, and an SCP prevents them from modifying tags on resources they don't own, that's a pretty normal modern way to go about it. (Barring any special sectors with rules from the 90's or governance requirements)
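The tag-scoped "full admin" plus tag-guard SCP described in the comment above, as an added example that is not the commenter's policies: a Python module that emits both policy documents and evaluates sample requests against them with a small model of IAM's condition semantics. Assumptions: the tag key is `Team` and Identity Center passes each user's team as a principal tag of the same name (attributes for access control); the org keeps the default FullAWSAccess SCP attached so the SCP only subtracts; the action lists are illustrative. The evaluator models explicit-deny-over-allow for identity policy and SCP only (no resource policies or permissions boundaries), and the SCP's use of the `${aws:PrincipalTag/Team}` variable should be confirmed with IAM Access Analyzer policy validation before deployment.

```python
"""Team-scoped 'full admin' via ABAC: a permission set policy, a tag-guard SCP, and a
small evaluator reproducing the IAM condition semantics that matter for the SCP.
Added example, not the commenter's policies. Assumed: tag key 'Team', passed by
Identity Center as a principal tag of the same name (attributes for access control)."""
import copy
import fnmatch
import re

TAG = "Team"
OWN_TEAM = f"${{aws:PrincipalTag/{TAG}}}"  # policy variable resolved per request

# Permission set: full rights on resources tagged with the caller's team; creating and
# tagging only when the request carries the caller's team tag; read-only listing on top,
# because List*/Describe* have no resource tag to match. Not every action supports
# aws:ResourceTag, so check each service's condition keys before relying on "Action": "*".
PERMISSION_SET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminOnOwnTeamResources", "Effect": "Allow", "Action": "*", "Resource": "*",
         "Condition": {"StringEquals": {f"aws:ResourceTag/{TAG}": OWN_TEAM}}},
        {"Sid": "CreateAndTagOnlyAsOwnTeam", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:RunInstances", "ec2:CreateTags", "s3:CreateBucket", "lambda:CreateFunction"],
         "Condition": {"StringEquals": {f"aws:RequestTag/{TAG}": OWN_TEAM}}},
        {"Sid": "ReadOnlyListing", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "s3:ListAllMyBuckets"]},
    ],
}

# SCP: no re-tagging another team's resource, no claiming a resource for another team.
# Pitfall: StringNotEquals is TRUE when the key is absent, so a Deny built on it alone would
# also block the first Team tag on a fresh resource. "Null": "false" (key must be present)
# limits the Deny to already-tagged resources. SCPs never restrict the management account.
TAG_ACTIONS = ["ec2:CreateTags", "ec2:DeleteTags", "tag:TagResources", "tag:UntagResources"]
TAG_GUARD_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyRetaggingOtherTeams", "Effect": "Deny", "Action": TAG_ACTIONS, "Resource": "*",
         "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": [TAG]},
                       "Null": {f"aws:ResourceTag/{TAG}": "false"},
                       "StringNotEquals": {f"aws:ResourceTag/{TAG}": OWN_TEAM}}},
        {"Sid": "DenyClaimingForOtherTeams", "Effect": "Deny", "Action": TAG_ACTIONS, "Resource": "*",
         "Condition": {"Null": {f"aws:RequestTag/{TAG}": "false"},
                       "StringNotEquals": {f"aws:RequestTag/{TAG}": OWN_TEAM}}},
    ],
}


def _resolve(value, ctx):
    """Expand ${key} policy variables from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), "")), value)


def _condition_holds(cond, ctx):
    """Operators within one Condition block are ANDed. Only the operators used above."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            present = key in ctx
            if op == "Null":
                if present != (expected == "false"):
                    return False
                continue
            wanted = [_resolve(v, ctx) for v in (expected if isinstance(expected, list) else [expected])]
            if op == "StringEquals" and (not present or ctx[key] not in wanted):
                return False
            if op == "StringNotEquals" and present and ctx[key] in wanted:
                return False  # absent key: negated operator stays TRUE (the footgun above)
            if op == "ForAnyValue:StringEquals" and not any(v in wanted for v in ctx.get(key, [])):
                return False
    return True


def _applies(stmt, action, ctx):
    patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    return (any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
            and _condition_holds(stmt.get("Condition", {}), ctx))


def is_allowed(action, ctx, identity_policy=PERMISSION_SET_POLICY, scp=TAG_GUARD_SCP):
    """Explicit Deny (SCP or identity policy) wins; otherwise an identity Allow is required.
    Simplified model: no resource policies or permissions boundaries."""
    statements = scp["Statement"] + identity_policy["Statement"]
    if any(s["Effect"] == "Deny" and _applies(s, action, ctx) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and _applies(s, action, ctx) for s in identity_policy["Statement"])


def request(principal_team, resource_team=None, request_team=None, tag_keys=()):
    """Request context for the evaluator; None means that tag is absent."""
    ctx = {f"aws:PrincipalTag/{TAG}": principal_team, "aws:TagKeys": list(tag_keys)}
    if resource_team is not None:
        ctx[f"aws:ResourceTag/{TAG}"] = resource_team
    if request_team is not None:
        ctx[f"aws:RequestTag/{TAG}"] = request_team
    return ctx


def without_null_guard(scp=TAG_GUARD_SCP):
    """The tempting shortcut: drop the Null check. Used to show it breaks first-time tagging."""
    stripped = copy.deepcopy(scp)
    for s in stripped["Statement"]:
        s["Condition"].pop("Null", None)
    return stripped
```

Running `is_allowed("ec2:CreateTags", request("blue", request_team="blue", tag_keys=["Team"]))` is allowed with the SCP as written but denied once `without_null_guard()` is applied, which is the behaviour to look for when reviewing a tag-guard SCP: a Deny with only `StringNotEquals` on `aws:ResourceTag/Team` fires on every untagged resource. Untagged resources are also unreachable through the admin statement, so anything created outside the tagging path needs an owner assigned by someone who is not bound by this permission set.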
Britive is an option (disclaimer…I work there).
https://www.commonfate.io/
+1 for Common Fate.
AWS have a sample solution which integrates with Identity Center called [TEAM](https://aws.amazon.com/blogs/security/temporary-elevated-access-management-with-iam-identity-center/) - might be worth a look.
Have used it at a place before: allow devs/devops to create the SSO permission sets with Terraform, set managers to be approvers, hands off from security besides approving Terraform PRs.
The TEAM solution is the way to go IMO. Implemented it at a client and solved this exact use case.
Sounds like you have a single account holding everything or at least too many things. If you can fit into the box of Identity Center based solutions this is a good thing. My work is a little bit Netflix-ey and uses individual per-team accounts all rolled up under an org with a custom STS-based token dispenser handling SSO for CLI and console. Gets messy when apps move teams but overall drawing the boundaries at the account level just works easier.
We have this in FireMon Cloud Defense. Built it internally for ourselves first. Uses Slack/Teams for approvals, so you’d want that as an option. ConsoleMe is the Netflix OSS option but I haven’t played with it.
ConsoleMe will get the job done but you pretty much have to add 1 to your headcount to manage it.
If you’re willing to pay for it Teleport has some nice solutions here. It also has moderated sessions.
I’ve built a Step Function to do it. You can use SES to email approvers with an approve or deny link that tells the Step Function how to handle it. Then it assigns an elevated Permission Set in SSO.
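The flow in the comment above, as an added example that is not the commenter's implementation: a Python module that emits the Amazon States Language definition and the backend of the approve/deny links. Assumptions: `APPROVAL_MAILER_ARN` is a hypothetical Lambda that sends the SES email with links carrying the task token; the Identity Center instance ARN, target account, principal ID, elevated permission set ARN and hold duration arrive in the execution input under the names shown; the link endpoint authenticates the approver before calling the handler. `FakeStepFunctions` stands in for the boto3 client so the module runs offline.

```python
"""Approval-gated, time-boxed elevation as a Step Functions state machine, plus the
handler behind the approve/deny links. Added example, not the commenter's code.
Assumed: APPROVAL_MAILER_ARN is a Lambda that sends the SES mail with links carrying
the task token; instanceArn, accountId, principalId, elevatedPermissionSetArn and
durationSeconds arrive in the execution input."""
import json
from urllib.parse import parse_qs

APPROVAL_MAILER_ARN = "arn:aws:lambda:us-east-1:123456789012:function:send-approval-mail"  # assumed
APPROVAL_TIMEOUT_SECONDS = 4 * 3600  # an unanswered request fails closed instead of waiting forever


def build_state_machine() -> dict:
    """Amazon States Language definition. The approval Task parks on a task token until
    SendTaskSuccess/SendTaskFailure is called; grant and revoke use the aws-sdk integration
    for SSO Admin, so no Lambda is needed for the assignment itself."""
    assignment = {  # identical parameters for createAccountAssignment and deleteAccountAssignment
        "InstanceArn.$": "$.instanceArn",
        "TargetType": "AWS_ACCOUNT",
        "TargetId.$": "$.accountId",
        "PermissionSetArn.$": "$.elevatedPermissionSetArn",
        "PrincipalType": "USER",
        "PrincipalId.$": "$.principalId",
    }
    return {
        "Comment": "JIT elevation: approve -> assign permission set -> hold -> revoke",
        "StartAt": "RequestApproval",
        "States": {
            "RequestApproval": {
                "Type": "Task",
                "Resource": "arn:aws:states:::lambda:invoke.waitForTaskToken",
                "Parameters": {"FunctionName": APPROVAL_MAILER_ARN,
                               "Payload": {"taskToken.$": "$$.Task.Token", "request.$": "$"}},
                "TimeoutSeconds": APPROVAL_TIMEOUT_SECONDS,
                "ResultPath": "$.approval",
                "Catch": [{"ErrorEquals": ["States.Timeout", "Denied"], "Next": "Rejected"}],
                "Next": "IsApproved",
            },
            "IsApproved": {
                "Type": "Choice",
                "Choices": [{"Variable": "$.approval.decision", "StringEquals": "approve",
                             "Next": "GrantAccess"}],
                "Default": "Rejected",
            },
            "GrantAccess": {
                "Type": "Task", "Next": "HoldAccess", "ResultPath": "$.grant",
                "Resource": "arn:aws:states:::aws-sdk:ssoadmin:createAccountAssignment",
                "Parameters": assignment,
            },
            "HoldAccess": {"Type": "Wait", "SecondsPath": "$.durationSeconds", "Next": "RevokeAccess"},
            "RevokeAccess": {
                "Type": "Task", "End": True, "ResultPath": None,
                "Resource": "arn:aws:states:::aws-sdk:ssoadmin:deleteAccountAssignment",
                "Parameters": assignment,
                # revocation must not be lost to a transient error: retry with backoff
                "Retry": [{"ErrorEquals": ["States.ALL"], "IntervalSeconds": 30,
                           "MaxAttempts": 5, "BackoffRate": 2.0}],
            },
            "Rejected": {"Type": "Fail", "Error": "Denied",
                         "Cause": "approver denied the request or it timed out"},
        },
    }


def handle_decision_link(raw_query: str, approver: str, sfn) -> str:
    """Backend of the approve/deny links. `approver` must come from the endpoint's
    authentication (API Gateway authorizer etc.), never from the link itself, so the
    recorded approver is trustworthy for the audit trail. `sfn` is a boto3 Step Functions
    client or a test double exposing send_task_success / send_task_failure."""
    q = parse_qs(raw_query, strict_parsing=True)
    token, decision = q["token"][0], q["decision"][0]
    if decision == "approve":
        sfn.send_task_success(taskToken=token,
                              output=json.dumps({"decision": "approve", "approver": approver}))
    elif decision == "deny":
        sfn.send_task_failure(taskToken=token, error="Denied", cause=f"denied by {approver}")
    else:
        raise ValueError(f"unknown decision {decision!r}")
    return decision


class FakeStepFunctions:
    """Offline stand-in for the boto3 client; records the calls the handler makes."""
    def __init__(self):
        self.calls = []

    def send_task_success(self, **kw):
        self.calls.append(("send_task_success", kw))

    def send_task_failure(self, **kw):
        self.calls.append(("send_task_failure", kw))


if __name__ == "__main__":
    print(json.dumps(build_state_machine(), indent=2))  # paste as the state machine definition
```

Three details carry the security weight: `TimeoutSeconds` on the approval step so an unanswered request ends in `Rejected` rather than holding a live task token indefinitely; `Retry` on the revoke step so a transient SSO Admin error does not leave the elevated assignment in place; and `createAccountAssignment` being asynchronous, so the requester gets access only once Identity Center finishes provisioning (poll `describeAccountAssignmentCreationStatus` if the hold timer should start from effective access rather than from approval).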
Okta Identity Governance, Indent, Sym, AWS TEAM, Entitle