Skip to content

Rami's Wiki

JIT Cloud Access

JIT Cloud Access

Also known as "temporary access", see: Google's Building Security and Reliable Systems:

You can limit the risk of an authorization decision by granting temporary access to resources. This strategy can often be useful when fine-grained controls are not available for every action, but you still want to grant the least privilege possible with the available tooling.

You can grant temporary access in a structured and scheduled way (e.g., during on-call rotations, or via expiring group memberships) or in an on-demand fashion where users explicitly request access. You can combine temporary access with a request for multi-party authorization, a business justification, or another authorization control. Temporary access also creates a logical point for auditing, since you have clear logging about users who have access at any given time. It also provides data about where temporary access occurs so you can prioritize and reduce these requests over time.

Temporary access also reduces ambient authority. This is one reason that administrators favor sudo or “Run as Administrator” over operating as the Unix user root or Windows Administrator accounts—when you accidentally issue a command to delete all the data, the fewer permissions you have, the better!

Case Studies

Year	Company	CSP	Tool	Blog Post
2015	Coinbase	AWS	(OSS) self-service-iam	Self-Service Cloud Security with Amazon IAM
2017	Addepar	AWS	Internal ("Concierge")	(video) Access Control with Concierge: One Tool to Rule Them All
2018	Spotify	GCP	(OSS) gimme	Releasing Gimme: Managing time bound IAM conditions in Google Cloud Platform
2018, 2021	Segment	AWS, GCP	Internal	Secure access to 100 AWS accounts, Access Service: Temporary Access to the Cloud
2019	Riot	AWS	(OSS) key-conjurer	Key Conjurer: Our Policy of Least Privilege
2020	Mercari	GCP	Internal ("QRay")	Qray permissions - How temporary production environment permissions are granted to SRE
2021	Netflix	AWS	(OSS) consoleme	ConsoleMe: A Central Control Plane for AWS Permissions and Access
2021	Bryj	AWS	(OSS) consoleme	Achieving least-privilege at Bryj (former FollowAnalytics) with Repokid, Aardvark and ConsoleMe
2021	Picus	AWS	Internal (SlackOps + Lambda)	On-demand Server Access Management System at Picus
2022	AirBnb	AWS etc.	Internal ("Access Control Platform")	Airbnb’s Approach to Access Management at Scale
2023	Temporal	AWS	Common Fate	Rolling out access hours at Temporal
2023	Material Security	GCP	Internal	Reimagining Access Management: Part 1
2023	Ramp	AWS	ConductorOne	Finding the right balance of speed and security through just-in-time access to cloud resources / (video) How Ramp Manages Authorization in the Cloud and Achieves Least Privilege
2023	Rippling	AWS	(OSS) Common Fate glide	Streamlining AWS access with Rippling at scale — Integrating IAM Identity Center and Just-In-Time access
2023	Discord	AWS	(OSS) access	Access: A New Portal for Managing Internal Authorization / (video) BSidesSF 2024: Heard you liked access, so we built Access to manage your access for Access
2024	OpenAI	AWS	Internal ("AccessManager")	Securing Research Infrastructure for Advanced AI
2024	PicPay	AWS	(oss) AWS TEAM	AWS re:Inforce 2024 - How PicPay achieved temporary elevated access control on AWS
2024	Chime	AWS	Internal ("Access Service")	(video) BSidesSF 2024 - Temporary Access to the Cloud: A Case Study
2024	Instacart	AWS	ConductorOne + (oss) gadjit	JIT Happens: How Instacart Uses AI to Keep Doors Open and Risks Closed
2024	Cedar	AWS	Lumos	Building Data Driven Access with the tools you have

(Quality) Blogs about JIT Access

Open Source Tools (AWS)

Open Source Tools (GCP)

Vendor list

As a feature of IdP or PAM

Okta IGA
CyberArk Secure Cloud Access
Jumpcloud docs
Delinea

Based on ticketing system

ClearSkye (ServiceNow)
Multiplier (Jira Service Management)

Aquired

Defunct and Deprecated

Companies

Tools