What is Just-In-Time Access Control and how does it work with Azure Active Directory and AWS Identity Center?
On a typical day, developers always have access to the non-production AWS environments, while access to the production AWS environment is controlled much more tightly: developers need to apply for approval before accessing production for troubleshooting or emergency operations. However, we don’t want that access left dangling after they finish the task, close the laptop and go home.
Traditionally, production access is audited and revoked by the security team, either proactively or periodically. With just-in-time access control we can tighten the control further: access exists only for the approved window and is removed automatically when that window ends.
What is access control? And what is Just-In-Time access?
Access control has two parts: authentication and authorization. Authentication establishes who the user is; authorization determines what the user may do once identified. Usually authentication is handled by the identity provider, e.g. Azure AD, while authorization is enforced by the application the user is accessing, in our case AWS Identity Center and the permission sets it assigns. What links the two is group membership: Azure AD records which groups a user belongs to, and AWS Identity Center grants access based on those groups.
The focus of this article is authorization. Just-in-time access control means the user is allowed to access certain AWS accounts only for a limited period of time, and only with approval.
Why do we need to worry about it?
In an ideal world, nobody would need to access an AWS production account directly. We build tooling that collects metrics, events and logs to learn as much as possible about the production workload, and we deploy changes through the CI/CD pipeline. Occasionally, however, something unforeseen happens and engineers have to access the production account to intervene or troubleshoot.
From an IT security perspective, giving someone permanent access to the AWS production environment breaks the principle of least privilege: the standing privilege is exposed all day, every day, whether or not it is needed, so a phished or lost laptop, a leaked credential or a mistaken command can have production impact at any time.
It is also a common security audit requirement to grant production access sparingly and revoke it promptly, to minimise risks such as insider threats or exposure of privileged accounts to production data. This is a sample security audit opinion for one of our clients:
There is no process for granting just in time highly privileged access to AWS environments, privileged access is effectively ‘always on’ which increases the risk of a security incident or service interruption related to compromise or unplanned use of privileged credentials. (In Azure, the Microsoft Azure Privileged Identity Management service is used to manage just-in-time privileged access)
Now let’s move on to the solution.
How does authorization work with AWS Identity Center and Azure AD?
Once a user is created in Azure AD, it can be added to a specific AD group, e.g. an "AWS Production Readonly" group or an "AWS Production Admin" group. Users and their group memberships are then provisioned to AWS Identity Center via System for Cross-domain Identity Management (SCIM). In AWS Identity Center each group is assigned a permission set in the AWS accounts it should reach, so Identity Center decides whether the user may access the production account purely from the group membership synced from Azure AD. Two practical details matter here. First, SCIM provisioning from Azure AD runs on a fixed cycle (roughly every 40 minutes) rather than instantly, so a membership change takes up to one cycle to reach AWS. Second, Identity Center evaluates group membership when the user signs in; a role session that is already open is not terminated by the membership change and remains valid until the permission set’s session duration runs out, so keep that duration short for production permission sets.
How do we allow users to access AWS production only for a limited period of time with Azure AD Privileged Identity Management (PIM)?
Azure AD Privileged Identity Management (PIM) lets a user be made eligible for an AD group and activate that membership for a limited period of time, after which the user is automatically removed from the group. The membership change is synced to AWS Identity Center via SCIM. With a predefined permission set in AWS Identity Center, the user can access the corresponding AWS environment only while they hold the correct AD group membership. Once the Azure AD group membership expires, the user can no longer sign in to AWS without applying for temporary elevated access again. The PIM activation settings are where the controls live: maximum activation duration, mandatory justification and ticket number, and whether an approver must sign off before the membership becomes active.
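To make the chain concrete, here is a small model of it in Python. This is an added illustration, not code from the original article and not Microsoft’s or AWS’s code: it simulates PIM activation, the periodic SCIM sync and Identity Center’s permission-set lookup so that the timing behaviour is visible. The group name, account ID, 40-minute SCIM cycle and PIM policy values are assumptions.

```python
"""Model of the just-in-time chain: Azure AD PIM -> SCIM -> AWS IAM Identity Center.
Added illustration, not code from the article, Microsoft or AWS; it simulates the control
flow so the timing is visible. Group name, account ID, SCIM cycle and policy values are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PROD_ACCOUNT = "111122223333"              # assumed AWS account ID
PROD_ADMIN_GROUP = "AWS Production Admin"  # assumed Azure AD group name
SCIM_CYCLE = timedelta(minutes=40)         # assumed Azure AD provisioning interval


@dataclass
class PimPolicy:  # activation settings an admin configures on the PIM-managed group
    max_duration: timedelta = timedelta(hours=4)
    require_ticket: bool = True
    require_approval: bool = True


@dataclass
class Activation:
    user: str
    group: str
    duration: timedelta
    ticket: str
    justification: str
    start: datetime = None  # set when the activation becomes live
    approved: bool = False


class AzureAD:
    """Holds PIM activations; a user is in the group only while an approved activation is live."""
    def __init__(self, policy: PimPolicy):
        self.policy = policy
        self.activations = []

    def request(self, user, group, duration, ticket, justification, now) -> Activation:
        if duration > self.policy.max_duration:
            raise ValueError("requested duration exceeds the PIM maximum")
        if self.policy.require_ticket and not ticket:
            raise ValueError("a ticket number is required")
        act = Activation(user, group, duration, ticket, justification)
        if not self.policy.require_approval:  # no approver configured: activate at once
            act.approved, act.start = True, now
        self.activations.append(act)
        return act

    def approve(self, act: Activation, now: datetime) -> None:
        act.approved, act.start = True, now  # the activation clock starts at approval

    def members(self, group: str, now: datetime) -> set:
        return {a.user for a in self.activations
                if a.group == group and a.approved and a.start <= now < a.start + a.duration}


class IdentityCenter:
    """Group membership is whatever the last SCIM sync delivered; access comes from assignments."""
    def __init__(self, assignments: dict):
        self.assignments = assignments  # (group, account ID) -> permission set name
        self.groups = {}

    def scim_sync(self, azure: AzureAD, now: datetime) -> None:
        for group, _account in self.assignments:
            self.groups[group] = azure.members(group, now)

    def permission_set(self, user: str, account: str):
        """Permission set the user could assume in the account at sign-in, or None."""
        for (group, acct), pset in self.assignments.items():
            if acct == account and user in self.groups.get(group, set()):
                return pset
        return None


def request_is_accepted(duration: timedelta, ticket: str) -> bool:
    """True if the assumed PIM policy lets a request through to the approver."""
    try:
        AzureAD(PimPolicy()).request("bob@example.com", PROD_ADMIN_GROUP, duration, ticket,
                                     "test", datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc))
        return True
    except ValueError:
        return False


def run_timeline() -> dict:
    """Walk through request, approval, sync and expiry and record what Identity Center allows."""
    t0, alice = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc), "alice@example.com"
    azure = AzureAD(PimPolicy())
    ic = IdentityCenter({(PROD_ADMIN_GROUP, PROD_ACCOUNT): "ProdAdminAccess"})
    out = {}
    # 1. alice requests two hours, quoting a ticket; nothing changes in AWS yet
    act = azure.request(alice, PROD_ADMIN_GROUP, timedelta(hours=2), "INC-1234", "prod outage", t0)
    out["after_request"] = ic.permission_set(alice, PROD_ACCOUNT)
    # 2. approver signs off at 09:10; membership is live in Azure AD but not yet in AWS
    azure.approve(act, t0 + timedelta(minutes=10))
    out["after_approval_before_sync"] = ic.permission_set(alice, PROD_ACCOUNT)
    # 3. the 09:40 SCIM cycle delivers the membership; access works until PIM expiry at 11:10
    ic.scim_sync(azure, t0 + SCIM_CYCLE)
    out["after_sync"] = ic.permission_set(alice, PROD_ACCOUNT)
    # 4. PIM drops alice at 11:10, but Identity Center still holds the 11:00 snapshot at 11:20
    ic.scim_sync(azure, t0 + 3 * SCIM_CYCLE)
    out["azure_lists_alice_at_11_20"] = alice in azure.members(PROD_ADMIN_GROUP, t0 + timedelta(minutes=140))
    out["identity_center_lists_alice_at_11_20"] = ic.permission_set(alice, PROD_ACCOUNT)
    ic.scim_sync(azure, t0 + 4 * SCIM_CYCLE)  # the 11:40 cycle finally removes her
    out["after_expiry_synced"] = ic.permission_set(alice, PROD_ACCOUNT)
    return out
```

The point of step 4 in the timeline is the window between PIM expiry and the next SCIM cycle: during it Azure AD no longer lists the user but Identity Center still does, so a fresh sign-in would succeed. Shortening the provisioning interval is not something the tenant controls, so the compensating measures are a short permission-set session duration and auditing sign-ins against activation windows.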
Now let's put them into a diagram
The following picture summarizes the above-mentioned workflow of Azure AD PIM, SCIM and AWS Identity Center.
Demo time! Just-In-Time access control in action
Let’s have a look at how just-in-time access control works with Azure AD and AWS Identity Center.
1. A user asks for access
First, the user initiates the process by requesting temporary access to the AWS production account. The maximum duration is restricted by the PIM configuration set by the admin, and the user must provide a ticket number along with a justification.
2. Admin approves the access
The PIM approvers are notified and can grant the request, recording their own justification.
3. The user accesses the AWS management console, or logs in via the AWS CLI
After approval, the user can access the AWS production account via AWS Identity Center (the access portal for the console, or aws sso login for the CLI). The lifespan of the AWS access is bounded by the Azure AD PIM activation.
4. The user is refused access to AWS once the temporary elevated access expires
Once the production access expires, the user can no longer access the AWS production account without applying for just-in-time access again.
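Step 4 is the claim an auditor will want evidence for, so it is worth checking from the logs rather than trusting the configuration. The following Python script is an added example, not part of the original article: it correlates production sign-in records with approved PIM activation windows and flags anything outside them. The sign-in lines are constructed to resemble CloudTrail events from IAM Identity Center and the activation records resemble exported PIM audit data, but the field names, the account ID and the 40-minute sync lag are assumptions, not the real schemas.

```python
"""Audit check: was every production sign-in covered by an approved PIM activation?
Added illustration, not code from the article. The records are constructed and simplified:
the sign-in lines mimic the shape of CloudTrail events from IAM Identity Center and the
activations mimic exported PIM audit data, but the field names are assumptions, not real schemas.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

PROD_ACCOUNT = "111122223333"     # assumed production account ID
SCIM_LAG = timedelta(minutes=40)  # assumed provisioning interval: removal can lag PIM expiry by this much

# Constructed sign-in events, one JSON document per line as a CloudTrail export would have.
SIGNIN_LOG = """
{"eventTime": "2024-01-15T09:50:00Z", "eventName": "Federate", "user": "alice@example.com", "account": "111122223333"}
{"eventTime": "2024-01-15T11:25:00Z", "eventName": "Federate", "user": "alice@example.com", "account": "111122223333"}
{"eventTime": "2024-01-15T14:00:00Z", "eventName": "Federate", "user": "bob@example.com", "account": "111122223333"}
{"eventTime": "2024-01-15T14:05:00Z", "eventName": "Federate", "user": "bob@example.com", "account": "444455556666"}
{"eventTime": "2024-01-15T09:55:00Z", "eventName": "Authenticate", "user": "bob@example.com", "account": ""}
"""

# Constructed PIM activation records: approved windows on the production admin group.
PIM_ACTIVATIONS = [
    {"user": "alice@example.com", "start": "2024-01-15T09:10:00Z",
     "end": "2024-01-15T11:10:00Z", "ticket": "INC-1234"},
]


def parse_time(value: str) -> datetime:
    """ISO-8601 with a trailing Z, as CloudTrail writes it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_signins(log: str, activations: List[Dict[str, str]], account: str) -> List[Dict[str, str]]:
    """Classify each role session opened into the production account.

    OK         : inside an approved activation window
    SYNC_LAG   : after the window ended but before the next SCIM cycle could remove the user
    UNAPPROVED : no activation for this user covers the sign-in
    """
    windows = [(a["user"], parse_time(a["start"]), parse_time(a["end"]), a["ticket"]) for a in activations]
    findings = []
    for line in log.strip().splitlines():
        ev = json.loads(line)
        if ev["eventName"] != "Federate" or ev["account"] != account:
            continue  # portal logins and other accounts are out of scope
        when = parse_time(ev["eventTime"])
        status, ticket = "UNAPPROVED", ""
        for user, start, end, tkt in windows:
            if user != ev["user"]:
                continue
            if start <= when < end:
                status, ticket = "OK", tkt
                break
            if end <= when < end + SCIM_LAG:
                status, ticket = "SYNC_LAG", tkt
        findings.append({"time": ev["eventTime"], "user": ev["user"], "status": status, "ticket": ticket})
    return findings


def violations(findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Everything an auditor should see: sign-ins not squarely inside an approved window."""
    return [f for f in findings if f["status"] != "OK"]


if __name__ == "__main__":
    for f in audit_signins(SIGNIN_LOG, PIM_ACTIVATIONS, PROD_ACCOUNT):
        print(f"{f['time']} {f['user']:<20} {f['status']:<10} {f['ticket']}")
```

On the constructed data, Alice’s 09:50 sign-in is covered by ticket INC-1234, her 11:25 sign-in lands in the gap between PIM expiry and the next SCIM cycle, and Bob’s 14:00 sign-in has no activation at all. An UNAPPROVED finding means someone has a path into production that bypasses PIM (a standing group membership, or a permission set assigned to a user directly); a SYNC_LAG finding is expected occasionally but should be rare and short, and the session opened in it still runs for the permission set’s full session duration.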
How does it compare to other solutions regarding just-in-time access control?
AWS Identity Center does not implement just-in-time access itself; it relies on the upstream identity provider to manage it. Azure AD PIM provides this functionality, and other identity providers offer comparable features. In this article we explored the concept as well as the user experience of Azure AD PIM.
What’s the benefit of engaging the Mantel Security team?
Our security team has been helping clients proactively improve their security posture by mapping threats, addressing and mitigating risks, and implementing solutions that adhere to clients’ needs, aiming to balance their requirements to keep developing new products and features with security best practices.
To find more about Mantel Group’s security capabilities, access: