Okta and AWS IAM Identity Center enforce just-in-time (JIT) privileged access

One risk IAM administrators know well is losing control over credentials. Once credentials that grant privileged operations are leaked, lost or shared without authorisation, they can be used to give unauthorised people elevated access to resources, and a standing assignment keeps that access usable indefinitely. A reasonable prevention strategy is a Just-in-Time (JIT) access model: make all access temporary by default, grant it only against an approved request, and reduce the overall time during which access to mission-critical systems is active.

For organisations that use AWS and Okta, Okta administrators can use Okta Access Requests to require an approved, time-bound access request before anyone can reach AWS resources.

Adding a layer of defense with JIT

One way of adding protection against unintended credential use is to combine AWS IAM Identity Center with Okta so that AWS access is granted only to a strong identity that has satisfied phishing-resistant MFA, such as Okta FastPass or WebAuthn, and, where required, a device posture check.

Beyond enforcing strong MFA policies, administrators can prevent long-term access and limit the time frame during which assignments are active. Taking AWS resource access as an example, a developer permission set (which IAM Identity Center provisions as an IAM role in each assigned account) can be granted just-in-time, for a limited duration and conditional on an approval. The just-in-time access pattern acts as a second layer of defense behind strong authentication: a stolen or replayed credential is only useful while an approved assignment is active.

Okta Access Requests provides the governance layer: it implements the access request and the approval workflow for granting AWS access to your workforce users.

Okta’s integration with AWS

Okta’s integration with AWS IAM Identity Center lets customers provision their Okta users and groups (via SCIM) and use them to access AWS resources. Once these groups are provisioned in AWS, they are assigned to AWS accounts and configured with Permission Sets. Okta Access Requests controls membership in the Okta groups that are provisioned to AWS: a requestor is added to a group associated with an AWS Permission Set only after an approver has approved the request, and is removed again when the approved duration ends, which revokes the AWS access through the same provisioning path.
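The approval-then-expiry flow described above (and the conditional, time-limited developer access mentioned earlier) is easy to get subtly wrong, so here is an added, self-contained model of it in Python. This is illustration code written for this page, not Okta’s or AWS’s implementation: the class and method names, the two-hour maximum duration, the rule that a requester cannot approve their own request, and the group-to-permission-set mapping and account IDs are all constructed assumptions. The only thing it exercises is the logic the integration relies on: no access before approval, access only inside the approved window, and automatic removal from the group afterwards.

```python
"""Model of Okta Access Requests -> Okta group -> AWS permission set (added example).

Not Okta's or AWS's code. Names, durations, the approval rule and all
sample data below are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed mapping: Okta group -> (AWS account ID, permission set name).
# In practice this assignment is configured in IAM Identity Center.
GROUP_TO_PERMISSION_SET = {
    "aws-dev-developer": ("111122223333", "DeveloperAccess"),
    "aws-prod-admin": ("444455556666", "AdministratorAccess"),
}


@dataclass
class AccessRequest:
    requester: str
    group: str
    justification: str
    approved_by: Optional[str] = None
    granted_at: Optional[datetime] = None
    expires_at: Optional[datetime] = None


@dataclass
class JitAccessManager:
    # Assumed policy: no approval may grant more than two hours.
    max_duration: timedelta = timedelta(hours=2)
    requests: List[AccessRequest] = field(default_factory=list)
    # group -> {user: expiry}; this is the membership SCIM would push to AWS.
    members: Dict[str, Dict[str, datetime]] = field(default_factory=dict)

    def request(self, requester: str, group: str, justification: str) -> AccessRequest:
        if group not in GROUP_TO_PERMISSION_SET:
            raise ValueError(f"{group} is not mapped to an AWS permission set")
        req = AccessRequest(requester, group, justification)
        self.requests.append(req)
        return req

    def approve(self, req: AccessRequest, approver: str, now: datetime,
                duration: Optional[timedelta] = None) -> AccessRequest:
        # Separation of duties (assumed rule): requester cannot self-approve.
        if approver == req.requester:
            raise PermissionError("requester cannot approve their own request")
        if req.approved_by is not None:
            raise ValueError("request already decided")
        # Cap the requested duration at the policy maximum.
        duration = min(duration or self.max_duration, self.max_duration)
        req.approved_by, req.granted_at, req.expires_at = approver, now, now + duration
        self.members.setdefault(req.group, {})[req.requester] = req.expires_at
        return req

    def has_access(self, user: str, group: str, now: datetime) -> bool:
        """True only while an approved, unexpired membership exists."""
        expiry = self.members.get(group, {}).get(user)
        return expiry is not None and now < expiry

    def effective_permission_sets(self, user: str, now: datetime) -> List[Tuple[str, str]]:
        return [GROUP_TO_PERMISSION_SET[g] for g in self.members if self.has_access(user, g, now)]

    def revoke_expired(self, now: datetime) -> List[Tuple[str, str]]:
        """Remove expired members; in production this is the deprovisioning step."""
        revoked = []
        for group, users in self.members.items():
            for user, expiry in list(users.items()):
                if now >= expiry:
                    del users[user]
                    revoked.append((user, group))
        return revoked


def demo() -> dict:
    """Walk one request through its lifecycle and return the observed states."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    mgr = JitAccessManager()
    req = mgr.request("alice", "aws-dev-developer", "hotfix for ticket 123")
    out = {"before_approval": mgr.has_access("alice", "aws-dev-developer", now)}
    try:
        mgr.approve(req, "alice", now)
        out["self_approval_blocked"] = False
    except PermissionError:
        out["self_approval_blocked"] = True
    mgr.approve(req, "bob", now, timedelta(hours=8))  # capped to max_duration
    out["expires_at"] = req.expires_at
    mid = now + timedelta(hours=1)
    out["during"] = mgr.has_access("alice", "aws-dev-developer", mid)
    out["permission_sets"] = mgr.effective_permission_sets("alice", mid)
    later = now + timedelta(hours=2, minutes=1)
    out["after"] = mgr.has_access("alice", "aws-dev-developer", later)
    out["revoked"] = mgr.revoke_expired(later)
    return out


if __name__ == "__main__":
    print(demo())
```

Two points in the model carry over to the real integration: access is decided from the expiry stamped at approval time rather than from the request, so an approver cannot extend access past the policy maximum, and has_access denies as soon as the window closes even if the scheduled deprovisioning run has not yet removed the user from the group.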

Learn more

Limiting human access to cloud resources is a key element of an effective security strategy. Leveraging Okta’s integration with AWS minimises the use of long-term access assignments and ensures that access is granted just-in-time to perform specific operational functions and is then automatically revoked.

To see the step-by-step configuration, visit the AWS Partner Network blog. To learn more about how your organisation can reduce risk by using time-bound access control, fill out this form.

Tags

security