The AWS IAM Identity Center allows companies to improve their security posture by avoiding the use of static credentials provided by IAM users. Instead, it enables the use of temporary credentials, which also allows for the same identity to be used across multiple accounts (SSO). However, there is still a challenge with the access level, which is permanent and requires security teams to restrict what developers can do. This slows down the development process and leads to bad practices such as role chaining, which makes it difficult to understand who has access and who does not. Imagine if we could make not only the credentials temporary but also the level of access. In this talk, we will explore how to implement just-in-time access for AWS IAM Identity Center. This approach simplifies the access model drastically, while still improving the security posture.

1. From Complexity to Clarity:
The Tale of AWS Access Evolution
AWS Summit AMS
2024-04-09

2. www.fivexl.io | hello@fivexl.io
What is the
problem?

3. www.fivexl.io | hello@fivexl.io
First day as a new CISO

4. www.fivexl.io | hello@fivexl.io
How did we get
there?
Those Who Do Not Learn History Are Doomed To Repeat It

5. www.fivexl.io | hello@fivexl.io
First day as a new CISO

6. www.fivexl.io | hello@fivexl.io
Authentication vs.
Authorization

7. www.fivexl.io | hello@fivexl.io
Andrey Devyatkin
Co-Host @ DevSecOps Talks
podcast
Principal AWS Consultant
AWS Community Builder
Security and Identity
Co-Founder @ FivexL
AWS User Group Leader
UG Las Palmas de GC

8. www.fivexl.io | hello@fivexl.io
Type of credentials Credentials TTL Permission duration

9. www.fivexl.io | hello@fivexl.io
https://aws.amazon.com/blogs/aws/happy-10th-birthday-aws-identity-and-access-management/
2011
IAM, users and
policies

10. www.fivexl.io | hello@fivexl.io

11. www.fivexl.io | hello@fivexl.io
Type of credentials Credentials TTL Permission duration
IAM user / root user Permanent Permanent

12. www.fivexl.io | hello@fivexl.io
How do we change
permanent nature of
access and permissions?
Profound question

13. www.fivexl.io | hello@fivexl.io
https://github.com/fivexl/terraform-aws-cloudtrail-to-slack

14. www.fivexl.io | hello@fivexl.io
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "*",
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:root"
]
}
}
}
]
}
https://asecure.cloud/a/scp_root_account/

15. www.fivexl.io | hello@fivexl.io
Problems with IAM
users
Static

16. www.fivexl.io | hello@fivexl.io
Problems with IAM
users
Static
User per account

17. www.fivexl.io | hello@fivexl.io
Problems with IAM
users
Static
User per account
Require password
management / think
rotation and
revocation

18. www.fivexl.io | hello@fivexl.io
https://www.cisecurity.org/benchmark/amazon_web_services

19. www.fivexl.io | hello@fivexl.io
A good idea, not the best outcome

20. www.fivexl.io | hello@fivexl.io
Credentials TTL Permission duration
IAM user / root user Permanent Permanent
Static user + role chaining Permanent Permanent/Temporary

21. www.fivexl.io | hello@fivexl.io
Problems with
Role chaining
Hard to get a big picture

22. www.fivexl.io | hello@fivexl.io
Problems with
Role chaining
Hard to get a big
picture
Hard to manage

23. www.fivexl.io | hello@fivexl.io
Problems with
Role chaining
Hard to get a big
picture
Hard to manage
Who did that?

24. www.fivexl.io | hello@fivexl.io
First day as a new CISO

25. www.fivexl.io | hello@fivexl.io
An alternative way - May 2015

26. www.fivexl.io | hello@fivexl.io

27. www.fivexl.io | hello@fivexl.io
Credentials TTL Permission duration
IAM user / root user Permanent Permanent
Static user + role chaining Permanent Permanent/Temporary
HashiCorp Vault Temporary Permanent

28. www.fivexl.io | hello@fivexl.io

29. www.fivexl.io | hello@fivexl.io
Credentials TTL Permission duration
IAM user / root user Permanent Permanent
Static user + role chaining Permanent Permanent/Temporary
HashiCorp Vault Temporary Permanent/Temporary
HashiCorp Vault + Foxpass Temporary Temporary

30. www.fivexl.io | hello@fivexl.io
Problems with
HashiCorp Vault
Self-hosted (before
HCP)

31. www.fivexl.io | hello@fivexl.io
Problems with
HashiCorp Vault
Self-hosted (before
HCP)
One more system to
audit

32. www.fivexl.io | hello@fivexl.io
Problems with
HashiCorp Vault
Self-hosted (before
HCP)
One more system to
audit
Gets pricy at scale

33. www.fivexl.io | hello@fivexl.io
https://aws.amazon.com/blogs/aws/happy-10th-birthday-aws-identity-and-access-management/
2017
AWS
Organizations
AWS SSO

34. www.fivexl.io | hello@fivexl.io

35. www.fivexl.io | hello@fivexl.io
Credentials TTL Permission duration
IAM user / root user Permanent Permanent
Static user + role chaining Permanent Permanent/Temporary
HashiCorp Vault Temporary Permanent
HashiCorp Vault + Foxpass Temporary Temporary
SSO Temporary Permanent

36. www.fivexl.io | hello@fivexl.io
Credentials TTL Permission duration
IAM user / root user Permanent Permanent
Static user + role chaining Permanent Permanent/Temporary
HashiCorp Vault Temporary Permanent
HashiCorp Vault + Foxpass Temporary Temporary
SSO Temporary Permanent
SSO + role chaining Temporary Permanent/Temporary

37. www.fivexl.io | hello@fivexl.io
Tools
aws sso
aws-vault
leapp
aws-sso-cli

38. www.fivexl.io | hello@fivexl.io
FivexL SSO Elevator (2020)
More info: https://github.com/fivexl/terraform-aws-sso-elevator

39. www.fivexl.io | hello@fivexl.io

40. www.fivexl.io | hello@fivexl.io
FivexL SSO Elevator goes Open Source (2023)

41. www.fivexl.io | hello@fivexl.io
https://aws.amazon.com/blogs/security/temporary-elevated-access-management-with-iam-identity-center/

42. www.fivexl.io | hello@fivexl.io
Credentials TTL Permission duration
IAM user / root user Permanent Permanent
Static user + role chaining Permanent Permanent/Temporary
HashiCorp Vault Temporary Permanent
HashiCorp Vault + Foxpass Temporary Temporary
SSO Temporary Permanent
SSO + role chaining Temporary Permanent/Temporary
SSO + TEA Temporary Temporary

43. www.fivexl.io | hello@fivexl.io
First day as a new CISO

44. www.fivexl.io | hello@fivexl.io
How do we implement
Temporary Elevated
Access?

45. www.fivexl.io | hello@fivexl.io
AWS Organisations

46. www.fivexl.io | hello@fivexl.io
AWS IAM Identity Center + IDP

47. www.fivexl.io | hello@fivexl.io
Using any of those?

48. www.fivexl.io | hello@fivexl.io
Temporary elevated access management (TEAM)
More info: https://aws-samples.github.io/iam-identity-center-team/

49. www.fivexl.io | hello@fivexl.io
Not related but still important. Openid Connect for CI/CD
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
https://docs.gitlab.com/ee/ci/cloud_services/aws/

50. www.fivexl.io | hello@fivexl.io
Recap
Strive to avoid permanent
credentials
You can’t lose what you do not have
Avoid having permanent
high-privilege permission
assignments
Reduced risk allows for development
productivity

51. www.fivexl.io | hello@fivexl.io
Credentials TTL Permission duration
IAM user / root user Permanent Permanent
Static user + role chaining Permanent Permanent/Temporary
HashiCorp Vault Temporary Permanent/Temporary
HashiCorp Vault + Foxpass Temporary Temporary
SSO Temporary Permanent
SSO + role chaining Temporary Permanent/Temporary
SSO + TEA Temporary Temporary

52. Thank you
https://www.linkedin.com/in/andreydevyatkin
https://andreydevyatkin.com
https://devsecops.fm
https://www.youtube.com/@fivexl/streams
https://www.meetup.com/aws-las-palmas-user-group