1. Preparation.

• Assessment
  ‍Start by identifying who needs AWS access, the resources they require, and the reasoning behind it. Document existing permissions and see if they can be minimized or removed. To have better visibility, consider using an entitlement discovery tool.
• Policy design
  Create clear policies for granting and revoking AWS access. Clearly state who can request access, the conditions required, and the time limit they can hold it. Especially for privileged roles, set time-bound rules.
• Identity Provider
  Sync your JIT access system with an Identity Provider (e.g., Okta, Google Workspace, Azure AD, OneLogin) to serve as the final reference for identities. Prioritizing individual identities over shared accounts can offer superior authorization control and budgeting accuracy.

2. Implementation.

• Self-serve access requests
  Streamline the process by letting users request access through the system rather than through a person. Increase adoption rates by integrating with IM platforms like Slack or MS Teams. Ensure detailed requests specifying the requester, necessary service/resource/role, time limit, and reasoning behind the request.

‍

‍

• Approval process
  Outsourcing approvals to people with business understanding presents a perfect chance for organizations. Resource owners and department managers typically have more context than IT helpdesks. Leverage messaging platforms for fast responses, providing approvers with all the necessary data for an informed decision.

‍

‍

• Conditional approval workflows
  Create workflows implementing your predefined policies that dictate access permissions. Place them in workflows specifying who can access what, and under which conditions. Assigning if-then conditions to workflows facilitates this process.

‍

‍

• Integrations
  Integrate JITA with other IT and security systems for added flexibility; For instance, connect with IT ticketing systems for automated access based on ticket status. Link with data classification systems to adjust policies based on data sensitivity. Ideally, you should tag resources and bundle them together for more manageable and streamlined access control.
• Automated provisioning and depovisioning
  Familiarize yourself thoroughly with AWS to efficiently grant and revoke access automatically within the service. This is crucial for JIT Access as it reduces dependency on personnel availability. It allows for automated deprovisioning of access which is an integral aspect of JIT access and the principle of least privilege access (POLP). Ideally, all permissions should be managed in one place, eliminating the need to create or manage an environment for every application in your organization.
• Access methods
  For AWS JIT Access, APIs are preferred due to their flexibility and real-time capabilities. However, a combination of methods may be required. For instance, using SAML for authentication, SCIM for user provisioning, and APIs for precise access control decisions.

3. Preservation.

• Regular audits
  Regularly check access logs to make sure that JIT access is functioning as anticipated. Look for any unusual patterns or behaviors either directly or through your SIEM. Automate the user access review process to speed up evidence compilation, delegate reviewers, and ensure your system complies with relevant industry standards and regulations.
• User training
  Teach users, particularly those with privileges, about the principle of least privilege, JIT Access, and its functionality. Ensure users know how to request access when necessary.
• Feedback loop
  Maintain a consistent review of your JIT access policies. Encourage feedback from users and IT staff to identify areas for improvement.

By adhering to this systematic approach, you can effectively implement a robust Just-in-Time Access system for AWS.