JIT Cloud Access

Also known as "temporary access", see: Google's Building Security and Reliable Systems:

You can limit the risk of an authorization decision by granting temporary access to resources. This strategy can often be useful when fine-grained controls are not available for every action, but you still want to grant the least privilege possible with the available tooling.

You can grant temporary access in a structured and scheduled way (e.g., during on-call rotations, or via expiring group memberships) or in an on-demand fashion where users explicitly request access. You can combine temporary access with a request for multi-party authorization, a business justification, or another authorization control. Temporary access also creates a logical point for auditing, since you have clear logging about users who have access at any given time. It also provides data about where temporary access occurs so you can prioritize and reduce these requests over time.

Temporary access also reduces ambient authority. This is one reason that administrators favor sudo or “Run as Administrator” over operating as the Unix user root or Windows Administrator accounts—when you accidentally issue a command to delete all the data, the fewer permissions you have, the better!

Case Studies

Year	Company	CSP	Tool	Blog Post
2015	Coinbase	AWS	(OSS) self-service-iam	Self-Service Cloud Security with Amazon IAM
2017	Addepar	AWS	Internal ("Concierge")	(video) Access Control with Concierge: One Tool to Rule Them All
2018, 2021	Segment	AWS, GCP	Internal	Secure access to 100 AWS accounts, Access Service: Temporary Access to the Cloud
2019	Riot	AWS	(OSS) key-conjurer	Key Conjurer: Our Policy of Least Privilege
2021	Netflix	AWS	(OSS) consoleme	ConsoleMe: A Central Control Plane for AWS Permissions and Access
2021	Bryj	AWS	(OSS) consoleme	Achieving least-privilege at Bryj (former FollowAnalytics) with Repokid, Aardvark and ConsoleMe
2023	Temporal	AWS	Common Fate	Rolling out access hours at Temporal
2023	Material Security	GCP	Internal	Reimagining Access Management: Part 1
2023	Ramp	AWS	ConductorOne	Finding the right balance of speed and security through just-in-time access to cloud resources / (video) How Ramp Manages Authorization in the Cloud and Achieves Least Privilege
2023	Rippling	AWS	(OSS) Common Fate glide	Streamlining AWS access with Rippling at scale — Integrating IAM Identity Center and Just-In-Time access
2023	Discord	AWS	(OSS) access	Access: A New Portal for Managing Internal Authorization

(Quality) Blogs about JIT Access

• Identity Crisis: The Biggest Prize in Security
• Entitle - Common uses of just-in-time access in the cloud
• Firemon - On Least Privilege, JIT, and Strong Authorization
• Evervault - A security paradigm for 2024: ATAF—Access To, Access From
• Sym - Just-in-Time Access: A Comprehensive Introduction

Open Source Tools (AWS)

• DEPRECATED common-fate/glide
• discord/access
• aws-samples/iam-identity-center-team, blog

Vendor list

• Entitle
• ConductorOne
• Lumos
• Opal
• Indent
• Sym
• Common Fate
• Leapp
• CloudYali
• p0
• SGNL
• Zilla Security
• AccessOS
• abbey
• Ermetic
• Apono
• Britive

As a feature of IdP or PAM

• Okta IGA
• CyberArk Secure Cloud Access
• Jumpcloud docs
• Delinea

Based on ticketing system

• ClearSkye (ServiceNow)
• Multiplier (Jira Service Management)