AWS IAM Identity Center lets companies improve their security posture by avoiding the static credentials that IAM users carry. Instead it issues temporary credentials, and the same identity can be used across multiple accounts (SSO). The level of access, however, is still permanent: security teams have to restrict up front what developers can do. This slows down development and leads to bad practices such as role chaining, which in turn makes it hard to tell who has access and who does not.
Imagine if not only the credentials but also the level of access could be temporary. In this talk we explore how to implement just-in-time access for AWS IAM Identity Center, an approach that drastically simplifies the access model while still improving the security posture.
7. www.fivexl.io | hello@fivexl.io
Andrey Devyatkin
Co-Host @ DevSecOps Talks podcast
Principal AWS Consultant
AWS Community Builder, Security and Identity
Co-Founder @ FivexL
AWS User Group Leader, UG Las Palmas de GC
Approach                      Credentials TTL   Permission duration
IAM user / root user          Permanent         Permanent
Static user + role chaining   Permanent         Permanent/Temporary
Not related, but still important: OpenID Connect for CI/CD
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
https://docs.gitlab.com/ee/ci/cloud_services/aws/
Recap
- Strive to avoid permanent credentials: you can't lose what you do not have
- Avoid having permanent high-privilege permission assignments
- Reduced risk allows for development productivity
Approach                      Credentials TTL   Permission duration
IAM user / root user          Permanent         Permanent
Static user + role chaining   Permanent         Permanent/Temporary
HashiCorp Vault               Temporary         Permanent/Temporary
HashiCorp Vault + Foxpass     Temporary         Temporary
SSO                           Temporary         Permanent
SSO + role chaining           Temporary         Permanent/Temporary
SSO + TEA                     Temporary         Temporary
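The "SSO + TEA" row is the only one where both columns are temporary. The added example below, which is not from the talk or from any FivexL tool, shows the core of that idea: a permission-set assignment is created through the Identity Center sso-admin API with an expiry attached, and a sweep removes it once the TTL has passed. The `FakeSsoAdmin` class, all ARNs and IDs are constructed placeholders so it runs offline; a real `boto3.client("sso-admin")` exposes the same two methods.

```python
"""Just-in-time permission-set assignment for IAM Identity Center (added example)."""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Grant:
    instance_arn: str
    account_id: str
    permission_set_arn: str
    principal_id: str
    expires_at: float  # epoch seconds at which the assignment must be removed


def _assignment_params(g: Grant) -> dict:
    # Parameter names of CreateAccountAssignment / DeleteAccountAssignment (identical for both).
    return dict(InstanceArn=g.instance_arn, TargetId=g.account_id, TargetType="AWS_ACCOUNT",
                PermissionSetArn=g.permission_set_arn, PrincipalType="USER",
                PrincipalId=g.principal_id)


def grant_temporary_access(client, instance_arn, account_id, permission_set_arn,
                           principal_id, ttl_seconds, now=None) -> Grant:
    """Create the assignment now and record when it must be revoked."""
    now = time.time() if now is None else now
    g = Grant(instance_arn, account_id, permission_set_arn, principal_id, now + ttl_seconds)
    client.create_account_assignment(**_assignment_params(g))
    return g


def revoke_expired(client, grants, now=None):
    """Delete every assignment whose TTL has passed; return the grants that are still live."""
    now = time.time() if now is None else now
    live = []
    for g in grants:
        if g.expires_at <= now:
            client.delete_account_assignment(**_assignment_params(g))
        else:
            live.append(g)
    return live


class FakeSsoAdmin:
    """Constructed offline stand-in for boto3.client('sso-admin'); tracks assignments in memory."""
    def __init__(self):
        self.assignments = set()

    def create_account_assignment(self, **p):
        self.assignments.add((p["TargetId"], p["PermissionSetArn"], p["PrincipalId"]))

    def delete_account_assignment(self, **p):
        self.assignments.discard((p["TargetId"], p["PermissionSetArn"], p["PrincipalId"]))
```

Against the real API both calls are asynchronous (they return a status you poll), so a production sweep should confirm deletion succeeded and persist the grant list somewhere durable rather than in process memory.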