ConductorOne Docs

How to set up AWS just-in-time access

Follow our step-by-step guide to configure just-in-time (JIT) access to your Amazon Web Services (AWS) resources in ConductorOne.

Why use JIT access?

JIT access grants temporary, least-privilege permissions to resources just when needed, reducing attack surfaces and boosting security. JIT access offers a range of security and organizational benefits, including:

  • Reduced threat: JIT grants access only when needed, minimizing attack windows and privilege misuse.

  • Enhanced compliance: JIT aligns with data security regulations and builds trust with partners and customers.

  • Improved efficiency: JIT automates access provisioning and reduces manual work for IT teams, freeing up time for other tasks.

  • Agility boost: JIT lets organizations quickly grant access for new projects, enabling a faster response to changing business needs.

ConductorOne makes it easy to set up JIT access to AWS and realize these benefits.

📋 Before you begin

A ConductorOne user with the Super Admin user role must complete this process. Go to Assign user roles to learn more.

Before you begin, make sure you’ve completed these setup tasks:

  1. Sign up for ConductorOne using your SSO provider, connect your user directory, and map key user attributes.

  2. If you want to create and approve requests for AWS access in Slack, follow the instructions to Set up the ConductorOne Slack app.

Step 1: Integrate your AWS instance with ConductorOne

Follow the instructions to set up the AWS v2 integration. This updated version of the ConductorOne AWS integration supports provisioning by direct assignment of PermissionSets to a user in the account.

Step 2: Create JIT request policies

Policies are sets of instructions that define how an access request should proceed and which reviewers are involved.

Create one or more JIT request policies that follow your organization’s access control rules and best practices. Follow the instructions in Create policies, and make sure to choose the Request policy type when prompted.

Conditional request policies, in which a certain reviewer flow or action (like auto-approval of a request) is triggered if the requestor meets the criteria you specify, are especially helpful for JIT access requests. For an introduction to conditional policies and more information on using them, see Add conditional policy rules.

Step 3: Configure AWS access controls

Next, we’ll configure the details of JIT access.

  1. In the navigation panel, open Apps and click Applications.

  2. Select AWS v2 and click Access controls.

  3. For each entitlement your colleagues will request JIT access to, perform the following steps:

    1. Click the actions (…) menu and select Edit access requests.

    2. In the Policy dropdown, select your JIT policy.

    3. If you want this entitlement to be available to request for emergency access, enable the toggle and select the relevant emergency access policy.

    4. If you want this entitlement to be granted for a limited amount of time, enable the toggle and select the max grant duration.

    5. In the Request catalogs dropdown, add the entitlement to the relevant catalog. Catalogs gate which users or groups can request each resource. To learn more about setting up and using request catalogs, see Create request catalogs.

    6. Click Save.

Adding the entitlement to a catalog automatically sets the entitlement’s provisioning strategy to “connector” by default. This means that the AWS integration we set up in Step 1 will be used to automatically provision new access. This is the setting we want, so you do not have to manually set up provisioning.

Success!

That’s it! Now when your colleagues need access to AWS resources, they will submit a request through the ConductorOne web app or Slack app (if enabled). The JIT request policy you’ve put in place will route their request through the appropriate approval process. The new access will be automatically provisioned by the AWS connector, and then automatically removed upon expiration.
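To check that expiring grants really are removed, you can compare PermissionSet assignment and removal events against the max grant duration you chose in Step 3. The following Python is an added example, not ConductorOne code: it assumes CloudTrail-style records of the IAM Identity Center CreateAccountAssignment and DeleteAccountAssignment calls, and the sample events, account ID, ARN, one-hour limit and 15-minute grace period are all constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records, reduced to the fields used below (assumed shape).
PS = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"

def _event(time, name, principal):
    return {"eventTime": time, "eventName": name,
            "requestParameters": {"targetId": "111111111111",
                                  "principalId": principal,
                                  "permissionSetArn": PS}}

EVENTS = [
    _event("2024-05-01T09:00:00Z", "CreateAccountAssignment", "user-a"),
    _event("2024-05-01T09:00:00Z", "CreateAccountAssignment", "user-b"),
    _event("2024-05-01T09:00:00Z", "CreateAccountAssignment", "user-c"),
    _event("2024-05-01T10:00:00Z", "DeleteAccountAssignment", "user-a"),
    _event("2024-05-01T13:00:00Z", "DeleteAccountAssignment", "user-b"),
]
NOW = datetime(2024, 5, 1, 14, 0, tzinfo=timezone.utc)

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_overdue_grants(events, max_grant, now, grace=timedelta(minutes=15)):
    """Return (principal, account, permission set, time held, status) for each
    assignment that outlived max_grant plus a grace period for deprovisioning."""
    limit = max_grant + grace
    open_grants, overdue = {}, []
    for ev in sorted(events, key=lambda e: _ts(e["eventTime"])):
        p = ev["requestParameters"]
        key = (p["principalId"], p["targetId"], p["permissionSetArn"])
        when = _ts(ev["eventTime"])
        if ev["eventName"] == "CreateAccountAssignment":
            open_grants.setdefault(key, when)   # keep the earliest grant time
        elif ev["eventName"] == "DeleteAccountAssignment" and key in open_grants:
            held = when - open_grants.pop(key)
            if held > limit:
                overdue.append((*key, held, "removed late"))
    # Anything still open has never been removed; flag it once past the limit.
    for key, start in open_grants.items():
        if now - start > limit:
            overdue.append((*key, now - start, "still assigned"))
    return overdue

if __name__ == "__main__":
    for row in find_overdue_grants(EVENTS, timedelta(hours=1), NOW):
        print(row)
```

With the constructed events, user-a's one-hour grant passes, while user-b (removed after four hours) and user-c (never removed) are reported.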

Thanks for joining us in this how-to guide!