Temporary elevated access for AWS accounts
All access to your AWS account involves some level of privilege. Sensitive operations, such as changing the configuration for a production environment, require special treatment due to scope and potential impact. Temporary elevated access (also known as just-in-time access) is a way to request, approve, and track the use of a permission to perform a specific task during a specified time. Temporary elevated access supplements other forms of access control, such as permission sets and multi-factor authentication.
Note
To ensure business continuity, we recommend that you set up emergency access to the AWS Management Console.
To address a range of customers' needs, AWS IAM Identity Center integrates with solutions from AWS Security Competency partners. AWS validates that these solutions address a common set of temporary elevated access requirements. We recommend that you review each partner solution carefully so that you can choose one that best fits your unique needs and preferences, including your business, the architecture of your cloud environment, and your budget.
Validated solutions include Apono Access Management Platform.
Partners can nominate solutions using the AWS Security Competency application in Partner Center. For more information, see AWS Security Competency Partners.
Note
If you are using resource-based policies, Amazon Elastic Kubernetes Service, or AWS Key Management Service, see Referencing permission sets in resource policies, Amazon EKS Cluster config maps, and AWS KMS key policies before you choose your just-in-time solution.