Just-in-Time Protect

Assess and remediate standing access to improve your cloud security posture

Permanent, always-on permissions to resources (standing access) create security vulnerabilities and complicate access management. Just-in-Time Protect (JIT Protect) helps eliminate unnecessary standing access while ensuring your teams can efficiently request permissions when needed.

JIT Protect analyzes your environment and helps you manage access rights through a two-step process:

  • Assessment: Automatically identifies and categorizes standing access to reveal where high-risk permissions exist

  • Remediation: Provides instructions to create access flows and revoke unnecessary standing permissions to improve your security posture

For example, you can identify all production resources with standing access, create an access flow for temporary permissions, and safely revoke the permanent access. When team members need access, they can request it through the automated workflow, receive temporary permissions, and automatically have access revoked when their temporary permissions have expired.


Prerequisites

Cloud Environment Integration: at least one cloud environment integration set up with Apono:

  • Azure Management Group (coming soon)

  • GCP Organization (coming soon)

AWS Connector required permission


Create a new assessment

Follow these steps to assess an integration:

  1. On the JIT Protect page, click New Assessment. The New assessment page appears.

  2. Select a Cloud provider.

  3. (AWS Organization) Select an integration.

  4. Click Assess. The My Assessments page appears with a row for the integration's assessment.


Explore an assessment

Follow these steps to explore an assessment:

  1. On the JIT Protect page, in the row of an integration's assessment, click Explore. The View assessment page appears displaying the access posture and various remediation plans. The following table explains the details displayed for each entitlement.

Entitlements: AWS permission sets per account

Risk Score: value (1-9) representing the level of risk associated with a specific resource, permission, or entitlement within your environment

Account: account to which the entitlement is associated

Identities: number of users assigned to the entitlement

Last Used: number of days since an identity assigned to the entitlement last used the permissions

Remediation Progress: percentage of the entitlement's remediation (improving its security posture) that has been completed

  2. (Optional) Filter the listed entitlements by one or several of the following filters.

Accounts

Follow these steps to filter by account:

  1. Click the Accounts dropdown menu.

  2. (Optional) In the Search field, enter a value to filter the list of accounts.

  3. Select one or several accounts. Only the entitlements meeting the criteria will be shown.

  4. Click the top or outside of the dropdown menu to close it.

Entitlements

Follow these steps to filter by entitlement:

  1. Click the Entitlements dropdown menu.

  2. (Optional) In the Search field, enter a value to filter the list of entitlements.

  3. Select one or several entitlements. Only the entitlements meeting the criteria will be shown.

  4. Click the top or outside of the dropdown menu to close it.

Risk Score

Follow these steps to filter by risk score:

  1. Click the Risk Score dropdown menu.

  2. (Optional) In the Search field, enter a value to filter the list of risk scores.

  3. Select one or several risk scores. Only the entitlements meeting the criteria will be shown.

  4. Click the top or outside of the dropdown menu to close it.

In Access Flow

Follow these steps to display only entitlements in an access flow:

  1. Click the In Access Flow dropdown menu.

  2. Select Yes or No. Only the entitlements meeting this criterion will be shown.

  3. Click the top or outside of the dropdown menu to close it.

Revoked

Follow these steps to filter by revoked status:

  1. Click the Revoked dropdown menu.

  2. Select Yes or No. Only the entitlements meeting this criterion will be shown.

  3. Click the top or outside of the dropdown menu to close it.

  3. Click the row of the entitlement. The Entitlement Details panel opens. The following table explains the content displayed in the Identities section.

Identity: name of the user

Relationship: manner in which the identity is associated with the entitlement. An identity may be associated directly or through membership in a group.

Last Used: number of days since the identity last used the entitlement

Step 1: indicates that the first step (access flow creation) of the remediation process has been completed

Step 2: indicates that the second step (standing access removal) of the remediation process has been completed

  4. Click the X in the top right corner of the panel to close it.


Remediate access

Follow these steps to remediate an entitlement:

  1. On the JIT Protect page, in the row of an integration's assessment, click Explore. The View assessment page appears displaying the access posture and various remediation plans.

Access Posture: value between 0 and 100 representing the overall security state of your cloud environment, focusing on the prevalence of standing access across your resources. As you replace standing access with just-in-time access flows, your access posture improves.

Tier Tiles: tiles each representing a tier of risk. Each tile displays the following information:

  • Risk tier: Critical, High, Medium, or Low

  • Numerical impact on the access posture score

  • Number of affected entitlements

  • Button providing access to the remediation plan for the specific tier

  2. On one of the four tier tiles, click Remediation Plan. The Remediation Plan popup window appears.

  3. In the Step 1 tile, click Create Now. The Create Access Flow page appears with a prepopulated access flow. Only the Grant for section of this access flow can be edited.

  4. Under Grant for, adjust the access duration and choose a different approver if needed.

  5. Click Create Access Flow.

  6. Click Back To Assessment. The Remediation Plan popup window reappears with a checkmark indicator in the Step 1 tile.

  7. In the Step 2 tile, click Revoke Access. The Revoke standing access page appears.

  8. (Optional) Filter the entitlement list by one or several of the following filters.

Account

Follow these steps to filter by account:

  1. Click the Account dropdown menu.

  2. (Optional) In the Search field, enter a value to filter the list of accounts.

  3. Select one or several accounts. Only the entitlements meeting the criteria will be shown.

  4. Click the top or outside of the dropdown menu to close it.

Entitlement

Follow these steps to filter by entitlement:

  1. Click the Entitlement dropdown menu.

  2. (Optional) In the Search field, enter a value to filter the list of entitlements.

  3. Select one or several entitlements. Only the entitlements meeting the criteria will be shown.

  4. Click the top or outside of the dropdown menu to close it.

Risk Score

Follow these steps to filter by risk score:

  1. Click the Risk Score dropdown menu.

  2. (Optional) In the Search field, enter a value to filter the list of risk scores.

  3. Select one or several risk scores. Only the entitlements meeting the criteria will be shown.

  4. Click the top or outside of the dropdown menu to close it.

  9. Select one or several entitlements.

  10. Click Revoke. The Revoke standing access popup window appears.

  11. Follow the instructions to revoke standing access for the selected entitlements with the AWS CLI.

  12. On the Revoke standing access popup window, click Reassess. The View assessment page for the integration appears and displays your improved access posture score. The rows of the selected entitlements show green bars in the Remediation Progress column, indicating that remediation is complete.

  13. If other tiers need to be remediated, repeat steps 2-12.
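Step 11 leaves the actual revocation to the AWS CLI. The following Python is an added example, not Apono's or AWS's own code: it assumes the entitlement is an IAM Identity Center permission set (as the Entitlements column describes) and removes that permission set's account assignments through the sso-admin API, as a dry run by default so the plan can be reviewed first. The ARNs are placeholders, and FakeSsoAdmin is a constructed stand-in for boto3.client("sso-admin") so the example runs offline.

```python
# Added example, not Apono's own code: revoke standing access for one entitlement
# (an IAM Identity Center permission set in one AWS account) by deleting every
# account assignment of that permission set. The ARNs are placeholders; pass a
# real boto3 "sso-admin" client as `sso` for an actual run. dry_run=True (the
# default) only reports what would be revoked and makes no changes.

def list_standing_assignments(sso, instance_arn, account_id, permission_set_arn):
    """Page through ListAccountAssignments; return [(PrincipalType, PrincipalId)]."""
    principals, token = [], None
    while True:
        kwargs = dict(InstanceArn=instance_arn, AccountId=account_id,
                      PermissionSetArn=permission_set_arn)
        if token:
            kwargs["NextToken"] = token
        resp = sso.list_account_assignments(**kwargs)
        principals += [(a["PrincipalType"], a["PrincipalId"])
                       for a in resp["AccountAssignments"]]
        token = resp.get("NextToken")
        if not token:
            return principals

def revoke_entitlement(sso, instance_arn, account_id, permission_set_arn, dry_run=True):
    """Return the revocation plan; call DeleteAccountAssignment only when dry_run is False."""
    principals = list_standing_assignments(sso, instance_arn, account_id, permission_set_arn)
    if not dry_run:
        for ptype, pid in principals:  # a GROUP assignment is revoked for the whole group
            sso.delete_account_assignment(
                InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
                PermissionSetArn=permission_set_arn, PrincipalType=ptype, PrincipalId=pid)
    return {"account": account_id, "principals": principals, "executed": not dry_run}

class FakeSsoAdmin:
    """Constructed stand-in for the boto3 sso-admin client so the example runs offline."""
    def __init__(self, pages):
        self.pages, self.deleted = pages, []
    def list_account_assignments(self, **kw):
        idx = int(kw.get("NextToken", 0))  # NextToken encodes the page index
        resp = {"AccountAssignments": self.pages[idx]}
        if idx + 1 < len(self.pages):
            resp["NextToken"] = str(idx + 1)
        return resp
    def delete_account_assignment(self, **kw):
        self.deleted.append((kw["PrincipalType"], kw["PrincipalId"]))
        return {"AccountAssignmentDeletionStatus": {"Status": "IN_PROGRESS"}}

INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-PLACEHOLDER"
PS_ARN = "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-PLACEHOLDER"
SAMPLE_PAGES = [[{"PrincipalType": "USER", "PrincipalId": "u-alice"}],       # constructed:
                [{"PrincipalType": "GROUP", "PrincipalId": "g-prod-admins"}]]  # two API pages
```

Run the dry run first and keep its output as the evidence of what the Step 2 revocation removed; only then rerun with dry_run=False before clicking Reassess.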
