Temporary Elevated Access Management

NOTA: Aún no se completó la actualización de la versión en español a v2, sugerimos usar la versión en Inglés por ahora.

Do not provision perpetual access for temporary esporadical actions, such as troubleshooting. When a task requires temporary elevated access your employees should be able to request that temporary access, ideally passing through an approval workflow, and the temporary permissions should be audited and controlled by a different employee.

Temporary elevated access management with IAM Identity Center

One approach to implement this recommendation is to use a solution that AWS published, called Temporary Elevated Access Management (TEAM) that allows you to grant temporary access, and to monitor activity of the privileged session in CloudTrail, and if needed you can revoke the session.

Once access is revoked or time expires, the session ends and all further action is denied.

Temporary elevated access with solutions from our partners - Privileged Access Management (PAM)

Privileged Access Management (PAM) solutions store credentials for temporary access that can be requested when needed.

CyberArk, Okta and Ermetic provide integration with IAM identity center for temporary access using temporary credentials.

If using another 3rd party PAM Solution it’s recommended to analyze how they integrate, if they are granting temporary credentials or and not using durable credentials such as Access Keys, or sharing the actual credentials to the user.

Risk Mitigation

  • The impact of compromised credentials of principals who have perpetual access to ALL the resources that will potentially need to access in the future, is much more significant than a compromise to a principal with limited access that can request temporary access when needed.
  • Adversaries compromising credentials of admins in Managed Service Providers could gain access to their multiple customers if access is assigned to that admin. If that admin doesn’t need to regularly access with privileged access to their customers accounts, using temporary elevated access mechanisms

Guidance for assessments

  • Are you leveraging TEAM or a PAM solution to grant temporary elevated access ? If you’re using a PAM solution:
  • What are you using ? is it integrated with IAM Identity Center ?
  • Are your users able to see a durable credential when using it ? if so, is it rotated after usage automatically ?
  • Is it granting a temporary credential ? or hidden to the user using a secure session where the user enters and is already logged in.

Additional info in the following Blogpost

https://aws.amazon.com/blogs/security/temporary-elevated-access-management-with-iam-identity-center/