Cloud JIT · powered by Cloudanix Agentic JIT

Prod cloud-console access.
Without standing AdministratorAccess, without temporary becoming permanent, without cross-account role sprawl, in the same AWS, Azure or GCP console you already use.

Today, an engineer joins → IDP group → AWS permission set / Azure RBAC role / GCP IAM binding → forever, across a dozen accounts. Cloud JIT flips that: the engineer requests a role in Cloudanix or Slack, a single- or multi-approver workflow signs off, and Cloudanix flips the assignment in AWS IAM Identity Center / Entra ID / Google Cloud Identity for the granted window. They then SSO into the same console they always use, assume the role, and they're in. When the timer expires the assignment is removed, and the revoke is the last entry in the audit trail. Zero new tool for engineers.

✓ AWS · Azure · GCP · multi-account, multi-subscription, multi-project ✓ AWS IAM Identity Center · Entra ID · Okta · JumpCloud · Google Cloud Identity ✓ Same SSO portal · zero new tool for engineers
Request form (product mock): Request role access · Production · Role: AdministratorAccess · Account: Cloudanix · AWS · Approvers: DI GA PU SA SU · When: Now / Scheduled · Duration: 30 min / 1 hr / 2 hr / 4 hr / 8 hr · Reason: INC-7741 · 5xx debug

Provisioning log (product mock): grant req-7c81f2a · sujay@cloudanix.com → AWS · AdministratorAccess · 4hr · Cloudanix JIT engine v3.4 · Approval 5/5 (divyansh, ganesh, purusottam, sahil, sukaina) · Connected to AWS IAM Identity Center · Assigned AdministratorAccess · account: Cloudanix (4hr) · Role assumption available via SSO · CloudTrail ready, identity-stamped to sujay · valid for 4:00:00 · auto-revoke at 18:00

AWS console (product mock): console.aws.amazon.com · signed in via SSO as sujay @ AdministratorAccess · EC2: 142 instances, 12 in alarm · S3: 84 buckets, 2.4 TB · IAM Identity Center: 12 permission sets · access via Cloudanix JIT · expires in 3:58 · not a permanent role mapping
The problem

Every team running multi-account cloud owns four compromises.

You moved every account into AWS IAM Identity Center / Entra ID / Google Cloud Identity. You wrote permission sets. You still can't answer the simple question: who has AdministratorAccess on prod right now, and why?


AdministratorAccess by default

Granting Admin is one click. Crafting a least-privilege permission set takes thirty minutes and four iterations. Guess which one happens 95% of the time. The result — every engineer ends up with admin on accounts they touch once a quarter.

“Temporary” that becomes permanent

Granted for “a quick prod debug” eighteen months ago. Still has it. The quarterly access review flagged nothing, because nobody can tell the access apart from the legitimate baseline. The clock that was supposed to end this was a Jira ticket.


Cross-account role sprawl

12 AWS accounts × 8 permission sets × 50 engineers = 4,800 standing entitlements. Nobody can map who has what where. The CSV your auditor asks for is generated by a script someone wrote and nobody's touched in two years.


CloudTrail stops at the federated role

The audit says AWSReservedSSO_AdministratorAccess did X. Which human? CloudTrail does record the Identity Center username as the role session name (the assumed-role ARN in userIdentity ends in /sujay), but that is all it records: nothing in the event says who approved that session, for which ticket, or whether the grant should still have been open. So you're cross-referencing Okta logs against IAM Identity Center logs against your ticketing system to answer one auditor question.

How it works

One request. One (or many) approvers. One assignment flip. Your existing SSO.

No agent inside AWS, Azure or GCP. No new portal for engineers. We don't replace IAM Identity Center / Entra ID / Google Cloud Identity — we tighten what hangs off them.

  1. Ask, don't lobby

    Pick a role, pick an account, set a duration, add a reason (or a ticket ref). One click in the Cloudanix console or /cloudanix request in Slack · Teams. No three-day ticket queue, no DM to a director.

  2. Multi-approver where it matters

    Auto-approve ReadOnlyAccess. Send PowerUserAccess to Slack · Teams for one human. Send AdministratorAccess on a production account to a quorum of approvers — manager · security · account owner. All audited, all timed.

  3. Cloudanix flips the IDP assignment

    We call your IDP — AWS IAM Identity Center, Microsoft Entra ID, Okta, JumpCloud, Google Cloud Identity, OneLogin, Ping — and assign the permission set / RBAC role / IAM binding for the granted window. No standing role survives the timer.

  4. Same SSO. Same console. Same bookmark.

    The engineer opens their normal AWS SSO portal · Entra ID portal · Google Cloud Identity tile, clicks the role they just got, and lands in the AWS, Azure or GCP console. Zero learning curve. Bookmarks still work. CLI sessions still work via aws sso login.

  5. TTL expires · access revokes itself

    When the window ends, Cloudanix removes the assignment. The next SSO denies the role. Removing the assignment does not recall credentials already issued: an open console session, or the credentials behind aws sso login, keep working until the permission set's session duration runs out, so keep that duration no longer than your shortest JIT window. The full lifecycle (request, approvals, assignment, console login as recorded by CloudTrail, API calls, revoke) lands in your S3 bucket as one correlated audit trail.

Real-world scenarios

Same JIT. Every cloud account your team touches.

Incident response, low-risk debugging, third-party consultants, SOC 2 auditors — one flow for everyone who needs the AWS · Azure · GCP console, with the guardrails tuned per role, per account, per requester.

Scenario · AWS · AdministratorAccess · 4 hr · incident-policy
Sujay (on-call SRE): "Prod 5xx alert from PagerDuty — INC-7741. Need AdministratorAccess on the prod AWS account to inspect ECS services and roll back a bad deploy. Four hours, then off."
Flow: Sujay (on-call) 🚨 → incident-policy auto-approve → Cloudanix JIT → IAM Identity Center flip → AWS · AdminAccess
Scope granted: role AdministratorAccess · account prod · 4h · auto · ref INC-7741
  ◎ assigned sujay@cloudanix.com → AdministratorAccess (prod)
  ✓ ConsoleLogin captured at 14:00:14 · CloudTrail
  ✓ Activity: ecs:UpdateService · rollback to v2.4.1
  ✓ TTL hit at 18:00 · assignment removed
  ✓ CloudTrail stamped to sujay@cloudanix.com · audit → S3
  ⛔ Access ended · 18:00:02

Scenario · AWS · ReadOnlyAccess · 30 min · auto-approve
Priya (backend eng.): "Need to peek at a CloudWatch metric on the prod account — just to confirm the timeline of a customer-reported slowness. Thirty minutes, read-only."
Flow: Priya (request) 🔎 → policy auto-approve → Cloudanix JIT → permission set flip → AWS · ReadOnly
Scope granted: role ReadOnlyAccess · account prod · 30m · auto · low-risk
  ◎ assigned priya@cloudanix.com → ReadOnlyAccess (prod)
  ✓ ConsoleLogin captured at 11:14:02 · CloudTrail
  ✓ Activity: cloudwatch:GetMetricData · 17 calls
  ✓ TTL hit at 11:44 · assignment removed
  ✓ Every API call stamped · priya@cloudanix.com
  ⛔ Access ended · 11:44:00

Scenario · vendor · custom IAM role · 3 days
Alex (vendor · data-platform partner): "Implementation engineer needs a scoped IAM role to finish the Glue · S3 pipeline build. Three days, scoped to the data-staging account only, no prod."
Flow: Alex (vendor) 🤝 → Cloudanix JIT → Entra ID flip → SSO into AWS staging → AWS · DataPipelineBuilder
Scope granted: role DataPipelineBuilder · account staging · 3d · SOW-204 · expires Fri
  ◎ assigned alex@partner-co.com → DataPipelineBuilder (staging)
  ✓ ConsoleLogin captured · 6 sessions over 3 days
  ✓ Activity: glue:CreateJob · s3:PutObject
  ✓ TTL hit Fri 17:00 · assignment removed
  ✓ Every API call stamped · alex@partner-co.com
  ⛔ Access ended · Fri 17:00 · no access next week

Scenario · SOC 2 · ReadOnlyAccess · 12 accounts
Nadia (auditor): "Need ReadOnly across all 12 AWS accounts for Q4 SOC 2 evidence — prod, staging, dev, sandbox, the acquired-company estate. Five business days, then gone everywhere at once."
Flow: Nadia (auditor) 📋 → Cloudanix JIT → fan-out to 12 assignments → SSO via IAM Identity Center → 12 accounts · ReadOnly
Scope granted: role ReadOnlyAccess · accounts 12 · 5 business days · SOC2-AUD-22
  ◎ assigned nadia@auditfirm.com → 12 × ReadOnlyAccess
  ✓ ConsoleLogin captured · 47 sessions over 5 days
  ✓ Activity: List · Describe · Get-only
  ✓ TTL hit · 12 assignments removed in one batch
  ✓ Evidence bundle exported · signed
  ⛔ All 12 accounts revoked atomically

Runs the same flow on AWS, Azure, GCP, Oracle Cloud, IBM Cloud, DigitalOcean, Alibaba Cloud … any cloud account in your IDP catalog.
The model

Your engineer sees the same SSO portal. You keep the entitlement.

What the engineer sees
  • A one-click request in the Cloudanix console or Slack · Teams — no Jira ticket queue
  • The same SSO portal in AWS IAM Identity Center / Entra ID / Google Cloud Identity they've always opened
  • A normal role-switcher, normal console, normal CLI via aws sso login — bookmarks still work
  • A clean revoke when the window ends — no awkward “please remove me from AdminAccess” Slack DM
same SSO. same console. zero new tool.
What security keeps
  • Zero standing AdministratorAccess on every account — prod, staging, sandbox, all of them
  • Per-role, per-account JIT policies — auto-approve ReadOnly, escalate Admin to a quorum
  • Automatic role-cleanup the moment the TTL hits — no more 4,800-entitlement spreadsheet
  • Identity-stamped CloudTrail / Activity Log / Cloud Audit Logs — you know which human had AdminAccess at every moment
  • One unified audit across every cloud — request → approve → IDP event → ConsoleLogin → API calls → revoke, all in your S3
Governance & audit stay in your account.
Unified access timeline

One audit trail across every account. Scrub any past grant end to end.

Every JIT grant becomes one correlated timeline — request, approvals (with names), IDP assignment, SSO ConsoleLogin, the API calls CloudTrail captured during the window, TTL hit, revoke. Watch it in the Cloudanix console, download it for evidence, or send a signed URL to your auditor.

access timeline · req-7c81f2a · AWS · sujay@cloudanix.com
[14:00:14]  REQUESTED    sujay@cloudanix.com → AWS · AdministratorAccess · 4h
[14:00:42]  APPROVED     5/5 · divyansh, ganesh, purusottam, sahil, sukaina
[14:00:43]  IDP EVENT    IAM Identity Center · AdministratorAccess (Cloudanix)
[14:01:14]  CONSOLE      ConsoleLogin · sujay → AWS Console (us-east-1)
[14:03:08]  API          ecs:UpdateService · prod-api-svc → v2.4.1 (rollback)
[14:14:22]  API          cloudwatch:GetMetricData · 17 calls
[17:58:00]  WARNING      access expires in 2 minutes
[18:00:00]  REVOKED      AdministratorAccess removed · CloudTrail closed
[18:00:01]  AUDIT        written to s3://your-bucket/jit-cloud/
stamped: sujay@cloudanix.com · cloud: AWS · idp: IAM Identity Center · AdministratorAccess · 1 grant
  • End-to-end lifecycle, one view

    Request, approvals, IDP assignment, ConsoleLogin, every CloudTrail API call inside the window, TTL, revoke — one timeline per grant. No more correlating six tabs to answer “who, what, when, in which account.”

  • Evidence-grade for SOC 2 · ISO · PCI · HIPAA

    Pull a quarterly report of every grant on every account — with approvers, justification, and exact-second revoke time. The privileged-access evidence section of your audit, in a download.

  • Share with a signed URL

    Send your auditor timed access to one specific grant — or a whole quarter. The link expires. The audit stays in your S3 bucket. Nothing copied, nothing leaked.
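As an added example, not Cloudanix's code, here is the correlation the access timeline above depends on, done in Python over CloudTrail events. For an Identity Center role session, userIdentity.arn has the form arn:aws:sts::<account>:assumed-role/AWSReservedSSO_<PermissionSet>_<id>/<user>, and Identity Center sets the role session name to the user's name, so the human is recoverable from the event itself; the event cannot say which request, approval and reason opened the session, or whether the grant was still open when the call was made. Joining events to grant windows answers both. The events and grant records below are constructed sample data shaped like the req-7c81f2a timeline; the account ID, ARNs and permission-set suffix are assumptions.

```python
"""Added example, not Cloudanix's code: stamp CloudTrail events with the JIT grant
that authorised them, and surface calls from an Identity Center session that no
grant covers. All events and grant records here are constructed sample data."""
import re
from datetime import datetime, timezone

# assumed-role/AWSReservedSSO_<PermissionSet>_<16 hex>/<session name>; Identity
# Center sets the session name to the user's name.
SSO_SESSION_RE = re.compile(
    r":assumed-role/AWSReservedSSO_(?P<ps>.+)_(?P<ps_id>[0-9a-f]{16})/(?P<user>[^/]+)$")


def session_identity(event):
    """(user, permission set) behind an Identity Center role session, else None."""
    ui = event.get("userIdentity", {})
    if ui.get("type") != "AssumedRole":
        return None
    m = SSO_SESSION_RE.search(ui.get("arn", ""))
    return (m.group("user"), m.group("ps")) if m else None


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stamp_events(events, grants):
    """Attach the covering grant to each SSO-session event.

    Returns (stamped, unexplained). An unexplained event came from a real-looking
    Identity Center session with no grant open at that time in that account, e.g.
    credentials that outlived the assignment they were issued under."""
    stamped, unexplained = [], []
    for ev in events:
        ident = session_identity(ev)
        if ident is None:
            continue  # IAM users, service roles etc. are out of scope here
        user, ps = ident
        t = _ts(ev["eventTime"])
        covering = next((g for g in grants
                         if g["user"] == user and g["permission_set"] == ps
                         and g["account"] == ev["recipientAccountId"]
                         and _ts(g["start"]) <= t < _ts(g["end"])), None)
        rec = {"time": ev["eventTime"], "user": user, "permission_set": ps,
               "event": f'{ev["eventSource"]}:{ev["eventName"]}',
               "grant": covering["id"] if covering else None}
        (stamped if covering else unexplained).append(rec)
    return stamped, unexplained


# Constructed sample data mirroring the page's req-7c81f2a timeline.
SESSION_ARN = ("arn:aws:sts::111122223333:assumed-role/"
               "AWSReservedSSO_AdministratorAccess_0123456789abcdef/sujay")

def _ev(time, source, name, arn=SESSION_ARN, kind="AssumedRole"):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "recipientAccountId": "111122223333",
            "userIdentity": {"type": kind, "arn": arn}}

SAMPLE_GRANTS = [{"id": "req-7c81f2a", "user": "sujay",
                  "permission_set": "AdministratorAccess", "account": "111122223333",
                  "start": "2025-11-04T14:00:43Z", "end": "2025-11-04T18:00:00Z"}]

SAMPLE_EVENTS = [
    _ev("2025-11-04T14:01:14Z", "signin.amazonaws.com", "ConsoleLogin"),
    _ev("2025-11-04T14:03:08Z", "ecs.amazonaws.com", "UpdateService"),
    _ev("2025-11-04T14:14:22Z", "monitoring.amazonaws.com", "GetMetricData"),
    _ev("2025-11-04T15:00:00Z", "s3.amazonaws.com", "ListBuckets",
        arn="arn:aws:iam::111122223333:user/ci-deployer", kind="IAMUser"),
    # Same session, five minutes after the assignment was deleted: the role
    # session outlived the grant, which is exactly what the audit must surface.
    _ev("2025-11-04T18:05:00Z", "ec2.amazonaws.com", "DescribeInstances"),
]

if __name__ == "__main__":
    ok, bad = stamp_events(SAMPLE_EVENTS, SAMPLE_GRANTS)
    for r in ok:
        print("stamped    ", r)
    for r in bad:
        print("UNEXPLAINED", r)
```

The last sample event is the one to watch for in a real estate: a DescribeInstances from sujay's AdministratorAccess session after the 18:00 revoke means the permission set's session duration was longer than the grant. Feeding events from your CloudTrail bucket and grants from the JIT audit log into stamp_events gives you both the name the auditor wants and a detection for credentials that outlive their window.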

Plugs in · doesn't replace

Your cloud. Your IDP. Our JIT in between.

Cloudanix sits between your identity provider and the cloud accounts that hang off it. AWS IAM Identity Center / Entra ID / Google Cloud Identity stays the source of truth. The SSO portal stays the engineer's front door. We just make the role assignments behind it temporary by default.

Every major cloud

AWS
Microsoft Azure
Google Cloud
Oracle Cloud
IBM Cloud
DigitalOcean
Any cloud with SAML / OIDC SSO

Any identity provider

AWS IAM Identity Center
Microsoft Entra ID
Google Cloud Identity
Okta
JumpCloud
OneLogin
Ping Identity
Auth0
Any SAML / OIDC IDP
What you get

Everything a compliant cloud-access program requires — none of the cross-account spreadsheet hell.

Zero standing AdminAccess

Every permission set assignment is granted on request and revoked on the clock. No more “Pat still has AdministratorAccess on prod from the 2023 migration.”


Same SSO · zero new tool

Engineers keep opening the same AWS SSO portal / Entra ID portal / Google Cloud Identity tile they've always used. CLI still works via aws sso login. No new portal, no new password, no training.


Multi-cloud · multi-account

AWS, Azure, GCP — one JIT engine across hundreds of accounts, subscriptions and projects. Federated through your existing IDP, no per-cloud reinvention.


Multi-approver workflows

Auto-approve ReadOnly. One-human Slack approval for PowerUser. Five-approver quorum for AdministratorAccess on regulated accounts. Tune per role, per account.

Time-boxed, auto-revoking

Grant 30 minutes, 4 hours, an incident window, a 3-day SOW. Cloudanix removes the IDP assignment the second the clock runs out.


CloudTrail · identity-stamped

Every API call in the window is tied to a named human and to the grant that authorised it, not just to an AWSReservedSSO_AdministratorAccess role session you then have to match back to a ticket by hand. Same for Azure Activity Log and GCP Cloud Audit Logs. The auditor finally gets a name and a reason.


Automatic role-cleanup

No more 4,800-entitlement spreadsheet to maintain. JIT grants expire on their own — standing assignments simply never accumulate.


Unified audit in your S3

Request → approvals → IDP event → ConsoleLogin → every API call → revoke — one correlated trail per grant, across every account, in your bucket.


One JIT for humans, CI/CD & agents

Same policy engine, same approval flow, same audit — whether the requester is a full-time engineer, a vendor, a CI/CD pipeline, or an AI agent acting on behalf of a person.
