Skip to main content

Enable JITNA using Infrastructure-as-Code (IaC)

The following section describes how to deploy just-in-time node access using CloudFormation in an AWS Organization. To deploy just-in-time node access, you must first enable just-in-time node access for your environment and then you can deploy just-in-time node access resources which include approval policies, session preferences, and notification configurations.

info

The Systems Manager unified console and just-in-time node access can also be enabled on a per account/Region basis by performing local deployments rather than by enabling the features within the delegated administrator account.

Enable just-in-time node access

  1. In the AWS management account for your organization, specify a delegated administrator account for Systems Manager.
  2. Deploy the Systems Manager unified console.
  3. Deploy Just-in-time node access.

Below is an example architecture diagram for deploying Quick Setup configuration managers for the unified console and just-in-time node access.

Example architecture diagram for deploying Quick Setup configuration managers for the unified console and just-in-time node access

  1. Create a CloudFormation stack within the delegated administrator account for Systems Manager.
  2. The CloudFormation stack creates Quick Setup configuration managers.
  3. The Quick Setup configuration manager for the unified console is deployed to all OUs in the organization, A, B, and C.
  4. The Quick Setup configuration manager for JITNA is deployed into OUs A and B.
info

Just-in-time node access can either be enabled across your AWS Organization or for specific Organizational Units (OUs) within the organization. Deployable Regions for just-in-time node access include all Regions you have enabled for the Systems Manager unified console. You cannot enable JITNA for Regions where the unified console is not enabled.

Deploy Quick Setup configuration managers

To enable just-in-time node access using infrastructure-as-code (IaC), you need to:

  1. Deploy Quick Setup IAM service roles.
    info

    For more information on IAM service roles for Quick Setup, see Manual onboarding for working with Quick Setup API programatically.

  2. Deploy two Quick Setup Configuration Managers:
    1. Systems Manager unified console.
    2. Systems Manager just-in-time-node access.

The following example CloudFormation template includes creating the two required Quick Setup IAM service roles and deploys the two Quick Setup configuration managers for the Systems Manager unified console and JITNA.

Sample CloudFormation template

Just-in-time node access sample CFN template - Quick Setup configuration managers

CloudFormation template parameters
Parameter NameDescriptionExample value
AgentUpdateSchedule(Optional) The interval at which the agent update association runs. To opt-out, enter none.rate(14 days)
DelegatedAdminAccountIdAWS Account ID for the Systems Manager delegated administrator account.123456789012
EnableDHMCSchedule(Optional) The interval at which the DHMC association runs. To opt-out, enter none.rate(1 day)
HomeRegionAWS Region where the Systems Manager unified console is deployed.us-east-1
IdentityProviderSettingSpecifies identity provider IAM Identity Access Management (IAM) or Single Sign-On (SSO) used for determining who is the current access control template approver.IAM
InventoryCollectionSchedule(Optional) The interval at which inventory collection runs. To opt-out, enter none.rate(24 hours)
JITNATargetOrganizationalUnitsComma-separated list of AWS Organization Unit IDs where just-in-time node access is set up.ou-a1b2-abcd1234,ou-a1b2-efgh1234,ou-a1b2-hijk1234
JITNATargetRegionsThe Regions where you want to enable just-in-time node access. The Regions specified must either match the Regions specified in the parameter UnifiedConsoleTargetRegions or must be a subset of Regions specified in the parameter UnifiedConsoleTargetRegions.us-east-1,us-east-2,us-west-2
UnifiedConsoleRootOrganizationUnitIDThe root AWS Organization unit ID.r-abcd
UnifiedConsoleTargetRegionsComma-separated list of AWS Regions where the Systems Manager unified console is set up. Data is aggregated from these Regions and replicated to your home Region.us-east-1,us-east-2,us-west-2

Configure just-in-time node access

After you have enabled just-in-time node access for your environment, you can then begin deploying approval policies, session preferences, and notification configurations.

Deploy approval policies for your nodes

Below is an example architecture diagram for deploying just-in-time node access approval policies and session preferences.

Example architecture diagram for deploying just-in-time node access approval policies and session preferences

  1. Create a CloudFormation StackSet to deploy an auto-approval policy, manual approval policy (or policies), and session preferences as Systems Manager documents.
  2. In each target account and Region, CloudFormation stacks deploy the required resources.
  3. Create a CloudFormation Stack in the delegated administrator account for Systems Manager to deploy the deny-only access policy.
info

You can only have one deny-access policy per organization. You can only have one auto-approval policy per account and Region.

You can create up to 50 manual approval policies per AWS account and AWS Region. However, when multiple manual approval policies apply to a node, this results in a conflict and users are unable to request access to the node. Keep this in mind when creating your manual approval policies since some instances might have multiple tags depending on your case.

The following example CloudFormation template creates:

  1. An auto-approval policy to allow automatic access to development managed nodes identified by the resource tag key-value pair ENV:DEV.
  2. Two manual approval policies:
    1. One manual approval policy for the E-commerce application which applies to managed nodes with the resource tag key-value pair Workload:Ecommerce.
    2. One manual approval policy for the Finance application which applies to managed nodes with the resource tag key-value pair Workload:Finance.
  3. A session preferences document to be used during just-in-time node access sessions.

Sample CloudFormation template - JITNA Configuration

Just-in-time node access sample CFN template - Approval policies and Session preferences