
JIT Cloud Access

Also known as "temporary access"; see Google's Building Secure and Reliable Systems:

You can limit the risk of an authorization decision by granting temporary access to resources. This strategy can often be useful when fine-grained controls are not available for every action, but you still want to grant the least privilege possible with the available tooling.

You can grant temporary access in a structured and scheduled way (e.g., during on-call rotations, or via expiring group memberships) or in an on-demand fashion where users explicitly request access. You can combine temporary access with a request for multi-party authorization, a business justification, or another authorization control. Temporary access also creates a logical point for auditing, since you have clear logging about users who have access at any given time. It also provides data about where temporary access occurs so you can prioritize and reduce these requests over time.

Temporary access also reduces ambient authority. This is one reason that administrators favor sudo or “Run as Administrator” over operating as the Unix user root or Windows Administrator accounts—when you accidentally issue a command to delete all the data, the fewer permissions you have, the better!
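The quoted passage names the properties a temporary-access scheme should have: grants expire, a request carries a business justification and can require a second approver, and the ledger can answer "who holds this role right now" for audit and show where requests cluster so they can be reduced over time. As an added illustration (not code from the page or from any of the tools listed below), the following Python sketch models those properties in a small in-memory ledger; the class names, the `prod-db-admin` role and the sample scenario are all constructed for the example.

```python
"""Toy model of a just-in-time (temporary) access ledger.

Added example; not code from the page or from any tool it lists.
Models the properties the quoted passage describes: time-bound grants,
a required justification, optional multi-party approval, and an audit
view of who holds a role at a given instant.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    user: str
    role: str
    justification: str
    requested_at: datetime
    expires_at: datetime
    approvers: set = field(default_factory=set)

    def active_at(self, when: datetime) -> bool:
        # Half-open window: valid from the request instant up to, not including, expiry.
        return self.requested_at <= when < self.expires_at


class JitLedger:
    def __init__(self, max_duration=timedelta(hours=8), require_second_approver=True):
        self.max_duration = max_duration              # cap on any single grant
        self.require_second_approver = require_second_approver
        self.grants: list[Grant] = []
        self.audit_log: list[str] = []                # append-only record of requests/approvals

    def request(self, user, role, justification, duration, now):
        if not justification.strip():
            raise ValueError("business justification required")
        if duration > self.max_duration:
            raise ValueError(f"requested {duration} exceeds max {self.max_duration}")
        g = Grant(user, role, justification, now, now + duration)
        self.grants.append(g)
        self.audit_log.append(
            f"{now.isoformat()} REQUEST user={user} role={role} "
            f"until={g.expires_at.isoformat()} why={justification!r}")
        return g

    def approve(self, grant, approver, now):
        # Multi-party authorization: the requester cannot be their own approver.
        if approver == grant.user:
            raise ValueError("self-approval is not allowed")
        grant.approvers.add(approver)
        self.audit_log.append(f"{now.isoformat()} APPROVE user={grant.user} "
                              f"role={grant.role} by={approver}")

    def _approved(self, g):
        return (not self.require_second_approver) or len(g.approvers) >= 1

    def has_access(self, user, role, now):
        return any(g.user == user and g.role == role and g.active_at(now) and self._approved(g)
                   for g in self.grants)

    def holders(self, role, now):
        """Audit view: every user holding `role` at instant `now`."""
        return sorted({g.user for g in self.grants
                       if g.role == role and g.active_at(now) and self._approved(g)})

    def hot_spots(self):
        """Requests per role, most-requested first: where to prioritize finer-grained controls."""
        counts = {}
        for g in self.grants:
            counts[g.role] = counts.get(g.role, 0) + 1
        return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


def demo():
    """Constructed scenario: alice requests 2h of prod-db-admin, bob approves."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    ledger = JitLedger()
    g = ledger.request("alice", "prod-db-admin", "incident INC-0000 (constructed)",
                       timedelta(hours=2), t0)
    before = ledger.has_access("alice", "prod-db-admin", t0)            # requested, not approved
    ledger.approve(g, "bob", t0 + timedelta(minutes=5))
    during = ledger.has_access("alice", "prod-db-admin", t0 + timedelta(hours=1))
    after = ledger.has_access("alice", "prod-db-admin", t0 + timedelta(hours=3))  # expired
    holders = ledger.holders("prod-db-admin", t0 + timedelta(hours=1))
    return before, during, after, holders, ledger


if __name__ == "__main__":
    before, during, after, holders, ledger = demo()
    print(before, during, after, holders)
    print("\n".join(ledger.audit_log))
```

The `holders` and `hot_spots` methods are the two audit products the passage calls out: a point-in-time answer to "who has access", and data on where temporary grants concentrate so those paths can be given fine-grained controls and the requests reduced over time. A real deployment would back the ledger with the cloud provider's own expiring mechanism (time-bound IAM conditions, expiring group memberships) rather than an in-memory list.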

Case Studies

| Year | Company | CSP | Tool | Blog Post |
| --- | --- | --- | --- | --- |
| 2015 | Coinbase | AWS | (OSS) self-service-iam | Self-Service Cloud Security with Amazon IAM |
| 2017 | Addepar | AWS | Internal ("Concierge") | (video) Access Control with Concierge: One Tool to Rule Them All |
| 2018 | Spotify | GCP | (OSS) gimme | Releasing Gimme: Managing time bound IAM conditions in Google Cloud Platform |
| 2018, 2021 | Segment | AWS, GCP | Internal | Secure access to 100 AWS accounts / Access Service: Temporary Access to the Cloud |
| 2019 | Riot | AWS | (OSS) key-conjurer | Key Conjurer: Our Policy of Least Privilege |
| 2020 | Mercari | GCP | Internal ("QRay") | Qray permissions - How temporary production environment permissions are granted to SRE |
| 2021 | Netflix | AWS | (OSS) consoleme | ConsoleMe: A Central Control Plane for AWS Permissions and Access |
| 2021 | Bryj | AWS | (OSS) consoleme | Achieving least-privilege at Bryj (former FollowAnalytics) with Repokid, Aardvark and ConsoleMe |
| 2021 | Picus | AWS | Internal (SlackOps + Lambda) | On-demand Server Access Management System at Picus |
| 2022 | AirBnb | AWS etc. | Internal ("Access Control Platform") | Airbnb's Approach to Access Management at Scale |
| 2023 | Temporal | AWS | Common Fate | Rolling out access hours at Temporal |
| 2023 | Material Security | GCP | Internal | Reimagining Access Management: Part 1 |
| 2023 | Ramp | AWS | ConductorOne | Finding the right balance of speed and security through just-in-time access to cloud resources / (video) How Ramp Manages Authorization in the Cloud and Achieves Least Privilege |
| 2023 | Rippling | AWS | (OSS) Common Fate glide | Streamlining AWS access with Rippling at scale: Integrating IAM Identity Center and Just-In-Time access |
| 2023 | Discord | AWS | (OSS) access | Access: A New Portal for Managing Internal Authorization / (video) BSidesSF 2024: Heard you liked access, so we built Access to manage your access for Access |
| 2024 | OpenAI | AWS | Internal ("AccessManager") | Securing Research Infrastructure for Advanced AI |
| 2024 | PicPay | AWS | (OSS) AWS TEAM | AWS re:Inforce 2024 - How PicPay achieved temporary elevated access control on AWS |
| 2024 | Chime | AWS | Internal ("Access Service") | (video) BSidesSF 2024 - Temporary Access to the Cloud: A Case Study |
| 2024 | Instacart | AWS | ConductorOne + (OSS) gadjit | JIT Happens: How Instacart Uses AI to Keep Doors Open and Risks Closed |
| 2024 | Cedar | AWS | Lumos | Building Data Driven Access with the tools you have |

(Quality) Blogs about JIT Access

Open Source Tools (AWS)

Open Source Tools (GCP)

Vendor list

Acquired

As a feature of IdP or PAM

  • Okta IGA
  • CyberArk Secure Cloud Access
  • Jumpcloud docs
  • Delinea

Based on ticketing system

Defunct