Why This Matters Now

GitHub’s OAuth token leak last week exposed over 100,000 repositories, highlighting the risks associated with permanent access tokens. If your startup is still relying on static, long-lived credentials, you’re vulnerable to similar breaches. The urgency to adopt just-in-time (JIT) access controls has never been greater.

🚨 Breaking: Over 100,000 repositories potentially exposed. Check your token rotation policy immediately.
100K+
Repos Exposed
72hrs
To Rotate

Introduction

At our startup, we started with the typical approach—permanent access tokens for services and applications. As we grew, so did the complexity of managing these credentials. We faced numerous challenges, including credential sprawl, increased risk of unauthorized access, and difficulty in auditing and revoking permissions.

The recent GitHub incident made it clear that we needed a more secure approach. We decided to transition to just-in-time access controls, which grant temporary permissions based on the principle of least privilege. This shift not only enhances security but also simplifies our IAM processes.

Understanding Just-In-Time Access

Just-in-time access provides temporary permissions to resources based on specific criteria, such as time, location, or user activity. This approach minimizes the attack surface and ensures that access is granted only when necessary.

Benefits of JIT Access

  • Reduced Risk: Temporary access tokens reduce the window of opportunity for attackers.
  • Compliance: Easier to meet regulatory requirements by minimizing long-lived credentials.
  • Auditability: Simplifies tracking and auditing of access requests.
  • Cost Efficiency: Resources are utilized more effectively by granting access only when needed.

Our Journey to JIT Access

Step 1: Assessing Current IAM Setup

Before implementing JIT access, we conducted a thorough assessment of our existing IAM setup. This included inventorying all access tokens, roles, and permissions across our infrastructure.

Common Pitfalls

  • Credential Sprawl: Too many access tokens with overlapping permissions.
  • Lack of Documentation: Poorly documented access policies and token usage.
  • Manual Processes: Manual token management and revocation.

Step 2: Identifying Use Cases

We identified specific use cases where JIT access could be beneficial, such as:

  • Developer Access: Granting temporary access to development environments.
  • API Access: Limiting access to sensitive APIs.
  • Third-Party Integrations: Controlling access to third-party services.

Step 3: Choosing the Right Tools

We evaluated several tools and platforms to support JIT access, including AWS IAM, Azure AD, and Okta. Each tool offers unique features and capabilities, so it’s crucial to choose one that aligns with your organization’s needs.

Example: AWS IAM with SSO

AWS IAM with Single Sign-On (SSO) provides a robust platform for managing JIT access. We used AWS IAM Roles and SSO to automate the process of granting and revoking access.

graph LR A[User Requests Access] --> B[AWS SSO] B --> C{Approved?} C -->|Yes| D[Assign IAM Role] C -->|No| E[Deny Request] D --> F[Temporary Access Token]

Step 4: Implementing JIT Access

We implemented JIT access by configuring AWS IAM roles and policies to grant temporary permissions. Here’s a step-by-step guide:

Create IAM Roles

Create IAM roles with the necessary permissions for each use case.

Configure SSO Permissions

Set up AWS SSO to assign these roles to users based on their access requests.

Automate Token Issuance

Use AWS STS (Security Token Service) to issue temporary access tokens.

Example Code: Issuing a Temporary Token

aws sts assume-role --role-arn arn:aws:iam::123456789012:role/DeveloperAccess --role-session-name MySession
Terminal
$ aws sts assume-role --role-arn arn:aws:iam::123456789012:role/DeveloperAccess --role-session-name MySession { "Credentials": { "AccessKeyId": "ASIA...", "SecretAccessKey": "wJalrXUtnFEMI...", "SessionToken": "IQoJb3JpZ2luX2VjEJP//////////wEaCXVzLWVhc3QtMSJHMEUCIGG...", "Expiration": "2024-01-15T17:00:00Z" }, "AssumedRoleUser": { "AssumedRoleId": "AROAJRS3J2N56K4J5PQZI:MySession", "Arn": "arn:aws:sts::123456789012:assumed-role/DeveloperAccess/MySession" } }

Step 5: Testing and Validation

After implementing JIT access, we conducted extensive testing to ensure that the system worked as expected. We simulated various scenarios to verify that permissions were granted and revoked correctly.

Common Issues

  • Incorrect Role Configurations: Ensure that IAM roles are configured with the correct permissions.
  • Token Expiry: Verify that tokens expire as expected.
  • User Experience: Ensure that the process is seamless for users.

Step 6: Monitoring and Auditing

We set up monitoring and auditing to track access requests and token usage. This helps us identify any suspicious activities and ensures compliance with our security policies.

Example: CloudTrail for Auditing

AWS CloudTrail provides detailed logs of all actions taken within your AWS account. We configured CloudTrail to capture events related to IAM roles and access tokens.

aws cloudtrail create-trail --name MyCloudTrail --s3-bucket-name my-cloudtrail-bucket --is-multi-region-trail
Terminal
$ aws cloudtrail create-trail --name MyCloudTrail --s3-bucket-name my-cloudtrail-bucket --is-multi-region-trail { "Name": "MyCloudTrail", "S3BucketName": "my-cloudtrail-bucket", "IncludeGlobalServiceEvents": true, "IsMultiRegionTrail": true, "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyCloudTrail", "LogFileValidationEnabled": false, "CreatedTime": 1673748000.0 }

Challenges and Solutions

Challenge 1: User Adoption

One of the biggest challenges was getting users to adopt the new JIT access system. Many users were accustomed to permanent access tokens and found the new process cumbersome.

Solution

  • Training and Documentation: Provide comprehensive training and documentation.
  • Feedback Loop: Encourage feedback and continuously improve the process.

Challenge 2: Technical Complexity

Implementing JIT access requires a good understanding of IAM concepts and tools. It can be technically challenging, especially for smaller teams.

Solution

  • Tool Selection: Choose tools that are easy to integrate and manage.
  • Automation: Automate as much as possible to reduce manual overhead.

Challenge 3: Balancing Security and Usability

Striking the right balance between security and usability is crucial. Overly restrictive policies can hinder productivity, while too lenient policies increase risk.

Solution

  • Risk Assessment: Conduct regular risk assessments to determine appropriate access levels.
  • Iterative Approach: Start with a pilot program and iterate based on feedback.

Conclusion

Transitioning from permanent access to just-in-time access is a significant step towards enhancing your startup’s security posture. By following our journey, you can implement JIT access effectively and mitigate the risks associated with long-lived credentials.

🎯 Key Takeaways

  • Assess your current IAM setup to identify areas for improvement.
  • Choose the right tools and platforms that align with your organization's needs.
  • Implement JIT access through automated token issuance and role-based access control.
  • Monitor and audit access requests to ensure compliance and detect suspicious activities.

Get this right and you’ll sleep better knowing your startup’s data is secure. That’s it. Simple, secure, works.