Nailing the Security Audit with RRCU

ConductorOne docs

Getting started with JIT access for AWS (using Identity Center)

Follow this guide to get started with just-in-time (JIT) access to your Amazon Web Services (AWS) resources.

Before you begin

To complete this guide, you’ll need:

  • ConductorOne Super Administrator role
  • AWS with Identity Center configured
  • Ability to setup an AWS role trust

Estimated time: 30 minutes

Step 1: Integrate your AWS instance

Integrate your AWS instance with ConductorOne. Follow our instructions to set up the AWS v2 connector.

Make sure to select these configuration options on the connector setup screen:

  • Enable support for AWS Organizations
  • Enable support for AWS IAM Identity Center

Once connected, ConductorOne ingests all of the resources and entitlements for AWS. This includes accounts, roles within accounts, identity center users, identity center groups, and permission sets. You can see all the resources and entitlements by going to Applications > AWS and clicking the Entitlements tab.

Step 2: Configure AWS accounts for JIT access

Now that AWS is hooked up to ConductorOne, set AWS accounts as available for just-in-time access. To do this, we’ll configure access controls for each of the AWS accounts.

  1. Navigate to the Applications page, then select the “AWS” application that was created from Step 1.

  2. Click Edit in the Entitlement configuration rules in the Access Controls section.

  3. In the configuration rules pane, click the toggle to Enable configuration rules.

  4. Select the account resource type.

  5. Use the Access profiles dropdown to select Everyone.

  6. Finally, check the box at the bottom of the screen and click Apply.

    The access request configuration rules panel in ConductorOne showing the form filled out as described in the instructions above.

The new settings are applied, and a summary is shown in the Entitlement configuration rules section of the page.

Don’t worry, you can change who can request access, for how long, and the policy for approving access later.

Step 3: Request JIT access

Let’s go request AWS JIT access!

  1. In ConductorOne, click Manage access and make sure that Browse is selected.

  2. Click AWS. A panel opens with the account resources available for you to request.

  3. Click the account you want access to, then click Request on a specific role.

    The browse access page open to the AWS account resource, as described in the instructions above.

  4. On the Request access form that is shown, select the length of time you want access for.

  5. Click Submit request.

Success!

The request policy routes the request through the approval process. The new access will be automatically provisioned by the AWS connector, and then automatically removed upon expiration.