IAM Identity Center
Temporary elevated access management (TEAM)
Automated, approval-based workflow for managing time-bound elevated access to your multi-account AWS environment
TEAM is an open source solution that integrates with AWS IAM Identity Center and allows you to manage and monitor time-bound elevated access to your multi-account AWS environment at scale.
The solution is a custom application that allows users to request access to an AWS account only when it is needed and only for a specific period of time. Approvers can review requests before deciding whether to grant access. Once the time period has elapsed, elevated access is automatically removed.
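The lifecycle described above, as an added illustration that is not code from the TEAM project: an in-memory model of a request that must carry a justification, is approved by someone other than the requester, is active for a bounded time window and is revoked automatically once that window elapses, with an audit trail that ties the justification to the session. The 8-hour cap and the set-based representation of "provisioned" access are assumptions; the real provisioning against IAM Identity Center is outside this model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_DURATION = timedelta(hours=8)  # assumed policy cap, not a TEAM setting


@dataclass
class AccessRequest:
    requester: str
    account: str
    permission_set: str
    justification: str
    duration: timedelta
    status: str = "pending"  # pending -> active -> expired
    approver: Optional[str] = None
    expires_at: Optional[datetime] = None

    def key(self):
        return (self.requester, self.account, self.permission_set)


class ElevatedAccess:
    def __init__(self):
        self.active = set()  # keys of grants currently provisioned (assumed model)
        self.audit = []      # (timestamp, event, request): justification <-> session correlation

    def submit(self, now, requester, account, permission_set, justification, duration):
        if not justification.strip():
            raise ValueError("a justification is required")
        if duration > MAX_DURATION:
            raise ValueError("requested duration exceeds the policy cap")
        req = AccessRequest(requester, account, permission_set, justification, duration)
        self.audit.append((now, "requested", req))
        return req

    def approve(self, now, req, approver):
        if req.status != "pending":
            raise ValueError("only pending requests can be approved")
        if approver == req.requester:
            raise ValueError("a requester cannot approve their own request")
        req.status, req.approver, req.expires_at = "active", approver, now + req.duration
        self.active.add(req.key())
        self.audit.append((now, "approved", req))

    def has_access(self, requester, account, permission_set):
        return (requester, account, permission_set) in self.active

    def expire(self, now):
        # Revoke every active grant whose window has elapsed; return the revoked requests.
        revoked = []
        for _, event, req in list(self.audit):
            if event == "approved" and req.status == "active" and req.expires_at <= now:
                req.status = "expired"
                self.active.discard(req.key())
                self.audit.append((now, "expired", req))
                revoked.append(req)
        return revoked
```

In a deployment, `expire` is the step a scheduler would run on each tick so that access never outlives the approved window.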
Benefits
Temporary elevated access management (TEAM) enables organizations to implement the principle of least privilege in a more effective and granular way, reducing the need for persistent, always-on access. By providing temporary access, organizations can ensure that users are only given access to resources when they need it and for the minimum amount of time required, thereby reducing the risk of unauthorized access and improving overall security posture.
Features
- Ease of deployment - Straightforward deployment with AWS Amplify.
- Centralized management - Centralized management console for creating, approving, managing and monitoring elevated access requests.
- Rich authorization model - Enhanced application security with Amazon Cognito group-based authorization and SAML Integration with AWS IAM Identity Center.
- Managed user identities and groups - User identities, groups, and group memberships can be managed directly in IAM Identity Center or synced from an external identity provider into IAM Identity Center, which allows you to use your existing access governance processes and tools.
- Auditing and visibility - Session log recording enables auditing and easy correlation of the justification given in an elevated access request with the activity in the resulting session.
- Monitoring and reporting - Single dashboard for centralized monitoring and reporting of all elevated access requests and approval history.
- Alerts and notifications - Automatic notification of TEAM request, approval and session status.
- Solution autonomy - The TEAM solution is self-contained and has no dependency on third-party integrations with external applications or identity providers.
Security and resiliency considerations
Review the security and resiliency considerations section before deploying the TEAM solution.
Getting started
The best way to get started with TEAM is to deploy the solution in your environment and follow the end-to-end example scenario, which walks you through all functionality from requesting access to auditing the session logs.
Authors
TEAM was created by Taiwo Awoyinfa and has been enhanced with major contributions from Varvara Semenova and James Greenwood and technical input from Jeremy Ware and Abhishek Pande.
Additional contributors can be seen on GitHub.
License
Temporary Elevated Access Management (TEAM) is distributed under the MIT-0 License.
Contributing
Thank you for your interest in contributing to our project. Whether it’s a bug report, new feature, correction, or additional documentation, we greatly value feedback and contributions from our community.
Please read through this document before submitting any issues or pull requests to ensure we have all the necessary information to effectively respond to your bug report or contribution.
Code of Conduct
This project has adopted the Amazon Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opensource-codeofconduct@amazon.com with any additional questions or comments.