AWS JIT Permissions Crew

Streamline your AWS access management and implement a culture of least-privileged access and zero trust.

Just-in-time Access

Whether it's access to production, staging, an S3 bucket or any other AWS resources, allow developers to get the permissions they need on a just-in-time, as-needed basis.

Entire Elevated Access Flow from within Slack

From permissions request, to policy review and decision-making, and alerts – your entire flow for elevated access can be handled within Slack.

Permissions Requests in Simple, Natural Language

Allow developers to simply say what they need, and have your AI Teammates worry about creating formal requests.

Automatically revoked after TTL

When the TTL expires, AI Teammates will automatically revoke the permissions and alert you so that you're in the loop.

Everything Logged

Kubiya provides a log of all requests, decisions, and permissions granted and revoked, for you and your security and compliance teams.

Want to Get Started?

Prerequisites

Set up the AWS JIT Permissions Crew use case

  1. Select AWS IAM JITSec and click Continue

  2. Follow the on-screen instructions

    1. If you haven't created a runner yet, no problem. In the Select Runner drop-down, choose Create a Runner and follow the on-screen instructions.

    2. Make sure the Slack channel you provide is one to which the Kubiya Slack app has been added and which has the permissions approvers as members.

    3. Config JSON - Here you should define the specific AWS resources that you want your developers to be able to request access to.

  3. Click Save and Continue. Behind the scenes this is running Terraform Plan.

  4. If the plan is successful, you'll be brought to a screen showing a summary of the resources that will be created. To finish setup, click Delegate. This will run a Terraform Apply.

  5. Refresh the screen and check that the use case's status is Active. If so, then the Terraform Apply was successful and you are ready to use your use case.

For a full breakdown of setting it up, see our guide on setting up pre-built use cases.

Permissions & Access

For this use case, Kubiya requires specific permissions in AWS. Make sure that your Kubiya AWS Integration includes all of the permission sets needed to grant and revoke the necessary permissions on all of the AWS resources you defined in the Config JSON file.

How to use your AI Teammates

Now that you've set up the AWS JIT Permissions Crew, developers in your organization can easily request permissions. To do so, they should simply go to the Kubi Jr. app in Slack and describe what they want.

Once a permissions request has been made, the approvers Slack channel will be notified of the request and its details, giving them the ability to approve or reject it from within Slack.

The requestor will receive a notification of the decision regarding their request. If approved, the permissions will be revoked once the TTL expires and all parties will be notified.
