AWS singlesignon documentation change
Summary
Updated temporary elevated access documentation to streamline content, add Apono as a validated partner, remove detailed capability requirements list, and emphasize emergency access recommendations.
Security assessment
The changes primarily update partner listings (adding Apono) and restructure content without addressing specific vulnerabilities. While temporary elevated access is a security feature, there's no evidence this change fixes a security flaw. The addition of a new validated security partner expands security-related documentation.
Diff
diff --git a/singlesignon/latest/userguide/temporary-elevated-access.md b/singlesignon/latest/userguide/temporary-elevated-access.md index defa79691..0b1f994d5 100644 --- a//singlesignon/latest/userguide/temporary-elevated-access.md +++ b//singlesignon/latest/userguide/temporary-elevated-access.md @@ -5,2 +4,0 @@ -Validated AWS Security Partners for temporary elevated accessTemporary elevated access capabilities assessed for AWS partner validation - @@ -9,31 +7 @@ Validated AWS Security Partners for temporary elevated accessTemporary elevated -All access to your AWS account involves some level of privilege. Sensitive operations, such as changing the configuration for a high-value resource, for example, a production environment, require special treatment due to scope and potential impact. Temporary elevated access (also known as just-in-time access) is a way to request, approve, and track the use of a permission to perform a specific task during a specified time. Temporary elevated access supplements other forms of access control, such as permission sets and multi-factor authentication. - -AWS IAM Identity Center provides the following options for temporary elevated access management in different business and technical environments: - - * Vendor-managed and supported solutions – AWS has validated the IAM Identity Center integrations of select partner offerings and assessed their capabilities against a common set of customer requirements. Choose the solution that best aligns with your scenario and follow the provider’s guidance to enable the capability with IAM Identity Center. - - * Self-managed and self-supported – This option provides a starting point if you are interested in temporary elevated access to AWS only and you can deploy, tailor, and maintain the capability by yourself. For more information, see [Temporary elevated access management (TEAM)](https://aws-samples.github.io/iam-identity-center-team/). - - - - -## Validated AWS Security Partners for temporary elevated access - -AWS Security Partners use different approaches to address a common set of temporary elevated access requirements. We recommend that you review each partner solution carefully, so that you can choose one that best fits your needs and preferences, including your business, the architecture of your cloud environment, and your budget. - -###### Note - -For disaster recovery, we recommend that you [set up emergency access to the AWS Management Console](https://docs.aws.amazon.com/singlesignon/latest/userguide/emergency-access.html) before a disruption occurs. - -AWS Identity has validated the capabilities and integration with IAM Identity Center for the following just-in-time offerings by AWS Security Partners: - - * [CyberArk Secure Cloud Access](https://www.cyberark.com/products/secure-cloud-access/) – Part of the CyberArk Identity Security Platform, this offering provisions on-demand elevated access to AWS and multi-cloud environments. Approvals are addressed through integration with either ITSM or ChatOps tooling. All sessions can be recorded for audit and compliance. - - * [Tenable (previously Ermetic)](https://ermetic.com/solution/just-in-time/) – The Tenable platform includes provisioning of just-in-time privileged access for administrative operations in AWS and multi-cloud environments. Session logs from all cloud environments, including AWS CloudTrail access logs, are available in a single interface for analysis and audit. The capability integrates with enterprise and developer tools such as Slack and Microsoft Teams. - - * [Okta Access Requests](https://help.okta.com/en-us/Content/Topics/identity-governance/access-requests/ar-overview.htm) – Part of Okta Identity Governance, enables you to [configure a just-in-time access request workflow using Okta](https://aws.amazon.com/blogs/apn/just-in-time-least-privileged-access-to-aws-administrative-roles-with-okta-and-aws-identity-center/) as an IAM Identity Center external identity provider (IdP) and your IAM Identity Center permission sets. - - - - -This list will be updated as AWS validates the capabilities of additional partner solutions and integration of these solutions with IAM Identity Center. Partners can nominate their solutions through the AWS Partner Network (APN) Security Competency. For more information, see [AWS Security Competency Partners](https://aws.amazon.com/security/partner-solutions/). +All access to your AWS account involves some level of privilege. Sensitive operations, such as changing the configuration for a production environment, require special treatment due to scope and potential impact. Temporary elevated access (also known as just-in-time access) is a way to request, approve, and track the use of a permission to perform a specific task during a specified time. Temporary elevated access supplements other forms of access control, such as permission sets and multi-factor authentication. @@ -43,9 +11 @@ This list will be updated as AWS validates the capabilities of additional partne -If you are using resource-based policies, Amazon Elastic Kubernetes Service (Amazon EKS), or AWS Key Management Service (AWS KMS), see [Referencing permission sets in resource policies, Amazon EKS Cluster config maps, and AWS KMS key policies](./referencingpermissionsets.html) before you choose your just-in-time solution. - -## Temporary elevated access capabilities assessed for AWS partner validation - -AWS Identity has validated that the temporary elevated access capabilities offered by [CyberArk Secure Cloud Access](https://lp.cyberark.com/impact-secure-cloud-access-information.html), [Tenable](https://ermetic.com/solution/just-in-time/), and [Okta Access Requests](https://help.okta.com/en-us/Content/Topics/identity-governance/access-requests/ar-overview.htm) address the following common customer requirements: - - * Users can request access to a permission set for a user-specified time period, specifying the AWS account, permission set, time period, and reason. - - * Users can receive approval status for their request. +To ensure business continuity, we recommend that you [set up emergency access to the AWS Management Console](https://docs.aws.amazon.com/singlesignon/latest/userguide/emergency-access.html). @@ -53 +13 @@ AWS Identity has validated that the temporary elevated access capabilities offer - * Users cannot invoke a session with a given scope, unless there is an approved request with the same scope and they invoke the session during the approved time period. +To address a range of customers' needs, AWS IAM Identity Center integrates with the solutions from AWS Security Competency partners. AWS validates that these solutions address a common set of temporary elevated access requirements. We recommend that you review each partner solution carefully so that you can choose one that best fits your unique needs and preferences, including your business, the architecture of your cloud environment, and your budget. @@ -55 +15 @@ AWS Identity has validated that the temporary elevated access capabilities offer - * There is a way to specify who can approve requests. +Validated solutions include [Apono Access Management Platform](https://www.apono.io/), [CyberArk Secure Cloud Access](https://www.cyberark.com/products/secure-cloud-access/), [Okta Access Requests](https://help.okta.com/en-us/Content/Topics/identity-governance/access-requests/ar-overview.htm), and [Tenable](https://ermetic.com/solution/just-in-time/) (previously Ermetic). @@ -57,9 +17 @@ AWS Identity has validated that the temporary elevated access capabilities offer - * Approvers cannot approve their own requests. - - * Approvers have a list of pending, approved, and rejected requests and can export it for auditors. - - * Approvers can approve and reject pending requests. - - * Approvers can add a note explaining their decision. - - * Approvers can revoke an approved request, preventing future use of elevated access. +Partners can nominate solutions using the AWS Security Competency application in Partner Center. For more information, see [AWS Security Competency Partners](https://aws.amazon.com/security/partner-solutions/). @@ -69,6 +21 @@ AWS Identity has validated that the temporary elevated access capabilities offer -If a user is signed in with elevated access when an approved request is revoked, the user will immediately lose access. For information about authentication sessions, see [Authentication in IAM Identity Center](./authconcept.html). - - * User actions and approvals are available for audit. - - - +If you are using resource-based, Amazon Elastic Kubernetes Service or AWS Key Management Service, see [Referencing permission sets in resource policies, Amazon EKS Cluster config maps, and AWS KMS key policies](https://docs.aws.amazon.com/singlesignon/latest/userguide/referencingpermissionsets.html) before you choose your just-in-time solution.