Temporary elevated access - Amazon IAM Identity Center

Temporary elevated access

All access to your Amazon Web Services account involves some level of privilege. Sensitive operations, such as changing the configuration of a high-value resource (for example, a production environment), require special treatment because of their scope and potential impact. Temporary elevated access (also known as just-in-time access) is a way to request, approve, and track the use of a permission to perform a specific task during a specified time. Temporary elevated access supplements other forms of access control, such as permission sets and multi-factor authentication.

Amazon IAM Identity Center provides the following options for temporary elevated access management in different business and technical environments:

  • Vendor-managed and supported solutions – Amazon has validated the IAM Identity Center integrations of select partner offerings and assessed their capabilities against a common set of customer requirements. Choose the solution that best aligns with your scenario and follow the provider’s guidance to enable the capability with IAM Identity Center.

  • Self-managed and self-supported – This option provides a starting point if you are interested in temporary elevated access to Amazon only and you can deploy, tailor, and maintain the capability by yourself. For more information, see Temporary elevated access management (TEAM).

Validated Amazon Security Partners for temporary elevated access

Amazon Security Partners use different approaches to address a common set of temporary elevated access requirements. We recommend that you review each partner solution carefully, so that you can choose one that best fits your needs and preferences, including your business, the architecture of your cloud environment, and your budget.


For disaster recovery, we recommend that you set up emergency access to the Amazon Web Services Management Console before a disruption occurs.

Amazon Identity has validated the capabilities and integration with IAM Identity Center for the following just-in-time offerings by Amazon Security Partners:

  • CyberArk Secure Cloud Access – Part of the CyberArk Identity Security Platform, this offering provisions on-demand elevated access to Amazon and multi-cloud environments. Approvals are addressed through integration with either ITSM or ChatOps tooling. All sessions can be recorded for audit and compliance.

  • Tenable (previously Ermetic) – The Tenable platform includes provisioning of just-in-time privileged access for administrative operations in Amazon and multi-cloud environments. Session logs from all cloud environments, including Amazon CloudTrail access logs, are available in a single interface for analysis and audit. The capability integrates with enterprise and developer tools such as Slack and Microsoft Teams.

  • Okta Access Requests – Part of Okta Identity Governance, this offering enables you to configure a just-in-time access request workflow using Okta as an IAM Identity Center external identity provider (IdP) together with your IAM Identity Center permission sets.

This list will be updated as Amazon validates the capabilities of additional partner solutions and integration of these solutions with IAM Identity Center.


If you are using resource-based policies, Amazon Elastic Kubernetes Service (Amazon EKS), or Amazon Key Management Service (Amazon KMS), see Referencing permission sets in resource policies, Amazon EKS, and Amazon KMS before you choose your just-in-time solution.

Temporary elevated access capabilities assessed for Amazon partner validation

Amazon Identity has validated that the temporary elevated access capabilities offered by CyberArk Secure Cloud Access, Tenable, and Okta Access Requests address the following common customer requirements:

  • Users can request access to a permission set for a user-specified time period, specifying the Amazon account, permission set, time period, and reason.

  • Users can receive approval status for their request.

  • Users can't invoke a session with a given scope, unless there is an approved request with the same scope and they invoke the session during the approved time period.

  • There is a way to specify who can approve requests.

  • Approvers can't approve their own requests.

  • Approvers have a list of pending, approved, and rejected requests and can export it for auditors.

  • Approvers can approve and reject pending requests.

  • Approvers can add a note explaining their decision.

  • Approvers can revoke an approved request, preventing future use of elevated access.


    If a user is signed in with elevated access when an approved request is revoked, their session remains active for up to one hour after the approval is revoked. For information about authentication sessions, see Authentication.

  • User actions and approvals are available for audit.
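The requirements above describe a request, approve, invoke and revoke workflow. As an added example (not Amazon code and not any partner's implementation), the broker below enforces those rules: exact scope and time-window matching, no self-approval, an auditable decision log, and the one-hour grace for a session that is already active when its approval is revoked. The names Broker, AccessRequest and can_invoke, and the ISO 8601 timestamp convention, are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
GRACE = timedelta(hours=1)      # an active elevated session may outlive revocation by up to one hour
_p = datetime.fromisoformat     # all timestamps are ISO 8601 strings, e.g. "2024-01-01T09:00"

@dataclass
class AccessRequest:            # one request for one (account, permission set, time window) scope
    requester: str
    account: str
    permission_set: str
    start: datetime
    end: datetime
    reason: str
    status: str = "pending"     # pending | approved | rejected | revoked
    revoked_at: datetime = None

class Broker:
    def __init__(self, approvers):
        self.approvers, self.requests, self.log = set(approvers), [], []

    def request(self, requester, account, permission_set, start, end, reason):
        r = AccessRequest(requester, account, permission_set, _p(start), _p(end), reason)
        self.requests.append(r)
        return r

    def decide(self, r, approver, approve, note=""):
        if approver not in self.approvers or approver == r.requester:
            raise PermissionError("decision requires an approver who is not the requester")
        if r.status != "pending":
            raise ValueError(f"request already {r.status}")
        r.status = "approved" if approve else "rejected"
        self.log.append((r.status, approver, r.requester, r.account, r.permission_set, note))
        return r.status

    def revoke(self, r, approver, at):
        if approver not in self.approvers or r.status != "approved":
            raise PermissionError("only an approver can revoke an approved request")
        r.status, r.revoked_at = "revoked", _p(at)
        self.log.append(("revoked", approver, r.requester, r.account, r.permission_set, at))

    def can_invoke(self, user, account, permission_set, at, session_started=None):
        # Scope must match exactly and `at` must fall in the approved window; a session
        # that began before revocation keeps working until min(end, revoked_at + GRACE).
        t = _p(at)
        for r in self.requests:
            if (r.requester, r.account, r.permission_set) != (user, account, permission_set):
                continue
            if r.status == "approved" and r.start <= t <= r.end:
                return True
            if (r.status == "revoked" and session_started is not None
                    and r.start <= _p(session_started) < r.revoked_at
                    and t <= min(r.end, r.revoked_at + GRACE)):
                return True
        return False
```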