AWS Temporary elevated access management (TEAM)

Automated, approval based workflow for managing time-bound elevated access to your multi-account AWS environment

TEAM, an open-source solution, seamlessly integrates with AWS IAM Identity Center. It empowers you to efficiently oversee and regulate time-limited elevated access across your expansive multi-account AWS infrastructure.

Benefits for the Organization:

Temporary Elevated Access Management (TEAM) enhances organizational implementation of the principle of least privilege with greater effectiveness and granularity. This approach minimizes the reliance on persistent, continuous access. By granting temporary access, organizations can guarantee that users only have access to resources when necessary and for the shortest duration needed, thereby diminishing the likelihood of unauthorized access and enhancing the overall security stance.

Features:

Seamless Deployment: Straightforward deployment facilitated by AWS Amplify.
Centralized Management: A unified console for creating, approving, managing, and tracking elevated access requests.
Advanced Authorization Model: Augmented application security through Amazon Cognito group-based authorization and SAML Integration with AWS IAM Identity Center.
Managed User Identities and Groups: Utilize managed user identities and groups, which can be administered directly within IAM Identity Center or synchronized from an external identity provider. This flexibility allows integration with existing access governance processes and tools.
Auditing and Visibility: Session logs record-keeping enables easy auditing and correlation of elevated request justifications with session activities.
Monitoring and Reporting: A single dashboard offers centralized monitoring and reporting of all elevated access requests and approval histories.
Alerts and Notifications: Automatic notifications regarding TEAM request, approval, and session statuses.
Solution Autonomy: TEAM solution remains agnostic and independent, devoid of dependencies on third-party integrations with external applications or identity providers.

Architecture

Temporary elevated access management (TEAM) solution is a full stack, Single Page Application (SPA) that is based on React JS and powered by AWS serverless services.

Solution Components

TEAM comprises the following elements:

1. Web Interface: Accessible as a Custom SAML 2.0 application on the IAM Identity Center portal, enabling TEAM users to effortlessly create, approve, monitor, and manage elevated requests through the web application’s intuitive UI.
2. GraphQL API Layer: Supported by AWS Appsync, this layer responds to actions executed on the web UI, facilitating the retrieval, updating, and storage of data within TEAM’s data stores.
3. DynamoDB Datastore: Utilized for storing TEAM requests, eligibility criteria, and approval statuses.
4. AWS Lambda-Backed Middleware: Houses the logic for routing TEAM elevated access requests to the orchestration layer.
5. AWS Step Functions Orchestration Workflow: Automates the notification, granting, and revocation processes associated with elevated access.
6. Auditing and Visibility Component: Leverages AWS CloudTrail Lake to provide visibility into elevated access session activity logs.
7. Security Component: Supported by Amazon Cognito, responsible for managing group and user-based authentication, as well as application authorization.

The TEAM application is constructed, deployed, and hosted on AWS Amplify.

TEAM workflow

A common use case for TEAM involves executing operational tasks that necessitate elevated access to your AWS environment. For instance, you might need to repair a malfunctioning deployment pipeline or carry out specific operational activities as part of a planned change.

The following steps below describes a walkthrough of the TEAM solution workflow:

Step 1: Access the AWS access portal in IAM Identity Center

To access the TEAM application, a requester needs to login to the IAM Identity Center AWS access portal.

Step 2: Access the TEAM application

The TEAM application is integrated as a Custom SAML 2.0 application within IAM Identity Center. Requesters can use single sign-on to access the TEAM application by selecting the TEAM SAML application.

Step 3: Request elevated access

The requester completes a request form listing eligible accounts and permissions, selects an account and role with sufficient permissions, enters a start date, time, duration, and valid business justification, and then submits the elevated access request.

Step 4: Approve elevated access

Once the requester submits the request, a group of approvers is notified. These approver groups for an account or groups of accounts are defined by an approval policy set by the admin persona.

Step 5: Activate elevated access

Once a request is approved, the TEAM application waits until the specified start date and time, then automatically activates access.

Step 6: Invoke elevated access

While elevated access is active, the requester can initiate sessions to access the AWS target environment with the scope (permission set and AWS account) approved in the request.

Step 7: Log session activity

Actions performed by the requester during the period of elevated access in the AWS target environment are recorded and logged as auditable events based on the log delivery times provided by AWS CloudTrail.

Step 8: End elevated access

Elevated access ends when the requested duration elapses or is explicitly revoked in the TEAM application. Both the requester and an approver can revoke elevated access within the specified duration.

Step 9: Review request details and session activity logs

Within the TEAM application, you can view request details and session activity logs for both current and historical requests.

TEAM Demo

Special thanks to TEAM for providing valuable insights on this topic.