Revoking Access

How to automate access revocation to maintain least privilege for DevOps

Intro

A large and often overlooked part of access management is revoking access: de-provisioning entitlements, removing group memberships and deleting orphaned accounts.

Apono helps automate this process as part of its access lifecycle:

Benefits of working with Apono

Automated grant & revoke

Apono helps automate the entire access lifecycle:

  1. The admin defines the access lifetime per app, environment, resource and permission
  2. The user requests access from Slack, Teams or the CLI
  3. According to the matching Access Flow, access is granted automatically or after approval by the designated approver(s)
  4. When the access lifetime ends, Apono revokes the access automatically
  5. Every request, approval, grant and revocation is audited


Congratulations! You have automated the complete access lifecycle, saving time and resources and reducing standing access.

Panic button

Apono serves as a central control point for shutting down access: during an emergency or incident, you can revoke all active access directly from Apono:

  1. Admins can use the Apono UI to find and revoke all active access (for example, all active access to S3 buckets)
  2. Approvers (managers, resource owners, developers on duty, DevOps, DevSecOps, SRE, IAM Ops, CISO or anyone else you designate) can revoke access
  3. End users can revoke their own access

Admin and approver control

With Apono, admins and approvers have full control over who can access what:

  1. Admins define Access Flows with automatic revocation
  2. Admins can find all active access and revoke it
  3. Approvers (managers, resource owners, developers on duty, DevOps, DevSecOps, SRE, IAM Ops, CISO or anyone else you designate) can revoke all the active access they approved
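The three sections above (automatic grant and revoke, the panic button, and admin/approver control) describe one lifecycle: a fixed lifetime per resource and permission, approval, time-based revocation, emergency revoke-all, revocation scoped to what an approver approved, self-service release, and an audit trail of every step. The following reference model is an added example written for this page, not Apono's code or API; the broker class, the resources ("prod-db", "s3://finance-reports") and the users are constructed for illustration.

```python
"""Reference model of a just-in-time access lifecycle with automatic revocation.
Added illustration, not Apono's code or API; resources and users are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Grant:
    grant_id: int
    user: str
    resource: str
    permission: str
    approved_by: str                    # "auto" when the Access Flow needs no approver
    expires_at: datetime
    revoked_at: Optional[datetime] = None
    revoked_by: Optional[str] = None


class AccessBroker:
    """Grants time-boxed access and revokes it when the lifetime ends."""

    def __init__(self, lifetimes: dict[tuple[str, str], timedelta]) -> None:
        self.lifetimes = lifetimes      # admin-defined per (resource, permission); deny if absent
        self.grants: list[Grant] = []
        self.audit: list[dict] = []     # every request, approval, grant, denial and revocation
        self._next_id = 1

    def _log(self, event: str, now: datetime, **fields) -> None:
        self.audit.append({"event": event, "at": now.isoformat(), **fields})

    def request(self, user, resource, permission, now, approver=None) -> Optional[Grant]:
        """User requests access; granted for exactly the admin-defined lifetime, or None."""
        self._log("request", now, user=user, resource=resource, permission=permission)
        lifetime = self.lifetimes.get((resource, permission))
        if lifetime is None:            # deny by default: no Access Flow, no access
            self._log("denied", now, user=user, resource=resource, permission=permission)
            return None
        approved_by = approver or "auto"
        self._log("approved", now, user=user, resource=resource, approved_by=approved_by)
        grant = Grant(self._next_id, user, resource, permission, approved_by, now + lifetime)
        self._next_id += 1
        self.grants.append(grant)
        self._log("granted", now, grant_id=grant.grant_id, user=user, resource=resource,
                  permission=permission, expires_at=grant.expires_at.isoformat())
        return grant

    def _revoke(self, grant, by, now, reason) -> None:
        grant.revoked_at, grant.revoked_by = now, by
        self._log("revoked", now, grant_id=grant.grant_id, user=grant.user, by=by, reason=reason)

    def active_grants(self) -> list[Grant]:
        return [g for g in self.grants if g.revoked_at is None]

    def sweep(self, now) -> list[Grant]:
        """Automatic revocation: run periodically; revokes every grant whose lifetime ended."""
        expired = [g for g in self.active_grants() if g.expires_at <= now]
        for g in expired:
            self._revoke(g, "system", now, "lifetime ended")
        return expired

    def revoke_all(self, admin, now) -> list[Grant]:
        """Panic button: an admin revokes every active grant at once."""
        revoked = self.active_grants()
        for g in revoked:
            self._revoke(g, admin, now, "emergency revoke-all")
        return revoked

    def revoke_approved_by(self, approver, now) -> list[Grant]:
        """An approver may revoke only the active grants they approved."""
        revoked = [g for g in self.active_grants() if g.approved_by == approver]
        for g in revoked:
            self._revoke(g, approver, now, "revoked by approver")
        return revoked

    def self_revoke(self, user, grant_id, now) -> Optional[Grant]:
        """An end user may release their own active grant; anyone else's is refused."""
        for g in self.active_grants():
            if g.grant_id == grant_id and g.user == user:
                self._revoke(g, user, now, "released by user")
                return g
        return None


def run_demo() -> AccessBroker:
    """Two grants at 12:00 UTC; the 15-minute one is revoked by the 12:20 sweep."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    broker = AccessBroker({("prod-db", "read"): timedelta(hours=1),
                           ("s3://finance-reports", "write"): timedelta(minutes=15)})
    broker.request("alice", "prod-db", "read", t0)                               # auto-approved
    broker.request("bob", "s3://finance-reports", "write", t0, approver="carol")
    broker.sweep(t0 + timedelta(minutes=20))
    return broker
```

Two design points carry over to any real deployment: the lifetime is owned by the admin and attached to the resource and permission, so a requester cannot ask for a longer grant, and `sweep` is idempotent, so it is safe to run on every tick without double-logging a revocation. `run_demo().audit` holds the complete trail of the scenario.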

Access visibility

It is hard to keep track of all the active access in an organization. Access can be granted in the IdP to users and groups, and users can also be granted access directly in each application's IAM portal through roles, permission sets or accounts (personal or shared).

This leads to access drift, shadow admins, orphaned accounts, partial offboarding and unused standing access, which increases both downtime and attack risk.
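The drift patterns listed above can be detected by reconciling the IdP against the cloud account's IAM inventory. The script below is an added example written for this page, not Apono's code; the IdP users, groups, IAM principals, policy names and last-used dates are constructed sample data standing in for what a real run would pull from the IdP and cloud provider APIs.

```python
"""Inventory check for access drift between an IdP and a cloud IAM account.
Added illustration, not Apono's code; all identities and policies below are constructed."""
from datetime import date

# Constructed sample inventory (not real accounts).
IDP_USERS = {"alice": "active", "bob": "deactivated", "carol": "active"}
IDP_GROUPS = {"platform-admins": ["alice"], "data-readers": ["carol"]}
GROUP_POLICIES = {"platform-admins": ["AdministratorAccess"],
                  "data-readers": ["ReadOnlyAccess"]}
CLOUD_PRINCIPALS = [
    {"name": "alice", "groups": ["platform-admins"],
     "direct_policies": ["AdministratorAccess"], "last_used": "2024-01-10"},
    {"name": "bob", "groups": ["data-readers"], "direct_policies": [],
     "last_used": "2023-09-01"},
    {"name": "carol", "groups": ["data-readers"], "direct_policies": [],
     "last_used": "2023-06-01"},
    {"name": "svc-deploy", "groups": [], "direct_policies": ["AdministratorAccess"],
     "last_used": "2024-01-11"},
]
ADMIN_POLICY = "AdministratorAccess"


def effective_policies(principal, group_policies):
    """Policies a principal holds through its groups plus those attached directly."""
    policies = set(principal["direct_policies"])
    for group in principal["groups"]:
        policies.update(group_policies.get(group, []))
    return policies


def who_has(principals, group_policies, policy):
    """Answer 'who has <policy>?' across the account, however it was granted."""
    return {p["name"] for p in principals if policy in effective_policies(p, group_policies)}


def audit_access(principals, idp_users, idp_groups, group_policies, as_of, unused_days=90):
    """Flag orphaned accounts, group drift, direct grants, shadow admins and unused access."""
    admin_groups = {g for g, pols in group_policies.items() if ADMIN_POLICY in pols}
    findings = []

    def flag(principal, finding, detail):
        findings.append({"principal": principal["name"], "finding": finding, "detail": detail})

    for p in principals:
        idp_state = idp_users.get(p["name"])
        if idp_state is None:
            flag(p, "no-idp-identity", "cloud principal has no matching IdP user")
        elif idp_state != "active":
            flag(p, "deactivated-in-idp", "IdP user is deactivated but cloud access remains")
        for group in p["groups"]:
            if p["name"] not in idp_groups.get(group, []):
                flag(p, "group-drift", f"member of {group} in cloud but not in IdP")
        for policy in p["direct_policies"]:
            flag(p, "direct-grant", f"{policy} attached directly, bypassing groups")
        if ADMIN_POLICY in effective_policies(p, group_policies) and not admin_groups & set(p["groups"]):
            flag(p, "shadow-admin", "admin-level policy without membership in an admin group")
        idle = (as_of - date.fromisoformat(p["last_used"])).days
        if idle > unused_days:
            flag(p, "unused", f"last used {idle} days ago")
    return findings


def run_demo():
    return audit_access(CLOUD_PRINCIPALS, IDP_USERS, IDP_GROUPS, GROUP_POLICIES,
                        as_of=date(2024, 1, 15))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['principal']:<11} {f['finding']:<20} {f['detail']}")
    print("AdministratorAccess:", sorted(who_has(CLOUD_PRINCIPALS, GROUP_POLICIES, ADMIN_POLICY)))
```

In the sample data, "bob" is the partial offboarding case (deactivated in the IdP, still holding cloud access and a group membership the IdP no longer records), "svc-deploy" is the shadow admin (admin policy attached directly, no IdP identity), and "alice" shows drift without being a shadow admin: she legitimately belongs to the admin group, but also carries a direct grant that would survive her removal from it.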

Apono lets you find out who has access to what in the organization, for example, who has access to your Kubernetes clusters, and then turn standing access for users and groups into dynamic, just-in-time, on-demand, temporary access that is easy to manage and fully audited.