Sonrai Security has launched Just-in-Time (JIT) Access, a new capability in our Cloud Permissions Firewall that eliminates the need for standing privileges in AWS environments.
Standing privileges create unnecessary risk, but removing them has traditionally meant either compromising operational speed during break-glass scenarios or implementing cumbersome solutions.
Our JIT Access capability eliminates this trade-off by providing temporary, on-demand access through cloud-native controls. No jump boxes. No proxies. No friction.
What is Standing Access and Why is it a Security Risk?
Standing access refers to constant or ‘always on’ privilege granted to cloud identities. This means the privilege remains permanent regardless of whether it is being used or not.
Most security teams recognize that persistent standing access is a significant risk, especially when it comes to highly privileged roles in sensitive environments. Coming across a cloud identity with broad and excessive privilege is like striking gold for an attacker. It offers significant opportunities for further exploitation and damage across your environment.
Using the standing access approach:
- Creates an unnecessarily large permissions attack surface
- Violates Zero-Trust security principles
- Provides attackers with persistent pathways during a breach
- Makes compliance with least privilege mandates virtually impossible
Yet the reality remains: Engineers often retain admin-level permissions they rarely use “just in case” or long after a project ends. These over-privileged identities leave your environment vulnerable and introduce significant compliance risk.
AWS recommends that production environments be the domain of exclusively non-human identities from inception to execution. Sonrai now makes that recommendation achievable without sacrificing operational efficiency.
What is Just-in-Time (JIT) Access in Cloud Security?
Just-in-Time (JIT) access is the practice of granting cloud permissions for a finite period and revoking that privilege once it is no longer needed. Think of JIT as the opposite of standing access: an alternative way of granting access that significantly reduces the permissions attack surface.
Consider the following JIT scenario: a database admin receives an alert that query performance in a prod database has degraded. The admin requests JIT access that grants them the specific read and query permissions on the prod database needed to fix the issue. This access is approved for only 3 hours, after which it is revoked. The whole process leaves an audit trail detailing each step.
This process is the gold standard for achieving least privilege. If this database admin’s user were ever compromised by an attacker, the window of opportunity is dramatically reduced compared with a setup where standing access exists.
Cloud-Native Just-In-Time Access for Modern Cloud Operations
Sonrai’s JIT capability extends our Cloud Permissions Firewall to control the permissions used in your running cloud: when and how sensitive access is granted.
What Makes Sonrai’s JIT Access Different
- Built for AWS: Leverages customer-managed IAM policies rather than requiring external proxies or jump boxes
- True cloud-native enforcement: Permission controls operate through native AWS IAM. No network rerouting, no proxies
- Frictionless workflows: Integrates with Slack, Teams, and your existing SSO, right where your teams already work
- Part of a complete solution: JIT operates within our comprehensive Cloud Permissions Firewall, not as a disconnected tool
How JIT Access Works: Practical, Powerful, Precise
1. Flexible Permission Set Enrollment
Security teams can designate specific permission sets (like production admin roles) for JIT control at any level of the AWS hierarchy—organization-wide, at the OU level, or for specific accounts. Enrollment takes seconds, and controls are instantly enforced.
2. Streamlined Request and Approval Workflows
Just-in-Time Access integrates directly with your ChatOps tools, so teams can manage access in the platforms they already use.
When access is needed, users have two options:
- Reactive requests: A user attempts an action in AWS, is blocked by the Cloud Permissions Firewall, and receives an automated prompt in Slack or Microsoft Teams to request access.
- Proactive requests: A user initiates access ahead of time using a simple Slack command. The system displays eligible permission sets, allowing the user to select the access needed, specify duration, and include justification.
Approvers review requests, determine session lengths, and require context such as a JIRA ticket or business reason. Once approved, access is granted immediately and automatically removed when the session ends.
All access activity is tracked and logged, ensuring auditability without slowing down operations.
3. Real-Time Session Monitoring and Control
Administrators gain complete visibility into all active JIT sessions directly from the Cloud Permissions Firewall dashboard:
- See who has active elevated access
- Monitor time remaining on each session
- Terminate sessions instantly if needed
4. AI-Powered Session Summaries
Traditional Privileged Access Management (PAM) tools rely on cumbersome screen recordings that nobody actually watches. Sonrai takes a modern approach, analyzing logs and generating AI-powered summaries of session activity. This provides full auditability without the storage overhead or privacy concerns of screen recording.
5. Deny-First Security by Default
Sonrai enforces a default deny stance on enrolled permission sets. This prevents the creation of new permission sets as a workaround, ensuring complete coverage without manual maintenance.
How to Set Up JIT Access in Your Cloud Environment
Setting up JIT access in Sonrai’s Cloud Permissions Firewall is easy.
Enroll a scope into JIT. JIT is configured per cloud scope (e.g., an AWS account or GCP project). The deny-first policy must be active or pending on that scope before JIT can be enabled. This prerequisite exists because JIT is a control layer on top of the permissions firewall, not a standalone feature.
Define permission sets. You create or designate the permission sets or resources controlled by JIT elevation in that scope. Each permission set specifies what access is granted during the session. These can be scoped narrowly (e.g., read-only access to a specific S3 bucket) or more broadly (e.g., break-glass admin access).
Configure approval workflows. You can require approvals before a JIT session activates. This is handled within the platform and can integrate with your existing ticketing or notification tooling.
The setup process takes minutes and works instantly.
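To make the mechanics concrete, here is an added example (not Sonrai’s code; the policy contents, ARN and tag-free conditions are assumptions) showing how a time-boxed JIT grant can be expressed as a native IAM policy and how IAM’s explicit-deny-wins evaluation treats the same stolen credential before, during and after a 3-hour session:

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Deny-first baseline on the enrolled permission set: destructive production
# actions stay denied even inside a session (constructed example policy).
DENY_FIRST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": ["rds:Delete*", "rds:Modify*"], "Resource": "*"}]}

def jit_grant(actions, resource, start, hours):
    """Customer-managed IAM policy valid only within the approved window.
    Assumption: the approval workflow attaches this document at `start` and
    detaches it at expiry; the aws:CurrentTime condition is a second safety net."""
    end = start + timedelta(hours=hours)
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": actions, "Resource": resource,
        "Condition": {
            "DateGreaterThanEquals": {"aws:CurrentTime": start.isoformat()},
            "DateLessThan": {"aws:CurrentTime": end.isoformat()}}}]}

def _matches(stmt, action, resource, now):
    """Does this statement apply to the request? Handles Action/Resource wildcards
    and the two date conditions used above (a small subset of real IAM)."""
    acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatchcase(action, a) for a in acts) or not fnmatchcase(resource, stmt["Resource"]):
        return False
    for op, kv in stmt.get("Condition", {}).items():
        t = datetime.fromisoformat(kv["aws:CurrentTime"])
        if op == "DateGreaterThanEquals" and not now >= t:
            return False
        if op == "DateLessThan" and not now < t:
            return False
    return True

def evaluate(policies, action, resource, now):
    """Simplified IAM logic: any explicit Deny wins, then Allow, else implicit Deny."""
    decision = "ImplicitDeny"
    for pol in policies:
        for stmt in pol["Statement"]:
            if _matches(stmt, action, resource, now):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision

def breach_timeline():
    """Same stolen credential checked before, during and after a 3-hour session."""
    approved = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)   # constructed time
    grant = jit_grant(["rds:Describe*", "rds-data:ExecuteStatement"], "*", approved, 3)
    db = "arn:aws:rds:us-east-1:123456789012:db:prod-orders"       # constructed ARN
    def check(offset_h, action, policies):
        return evaluate(policies, action, db, approved + timedelta(hours=offset_h))
    return {"before_request": check(-1, "rds:DescribeDBInstances", [DENY_FIRST]),
            "during_session": check(1, "rds:DescribeDBInstances", [DENY_FIRST, grant]),
            "escalation_in_session": check(1, "rds:DeleteDBInstance", [DENY_FIRST, grant]),
            "after_expiry": check(3, "rds:DescribeDBInstances", [DENY_FIRST, grant])}
```

Outside the approved window the credential falls through to an implicit deny, and even inside it the deny-first baseline keeps destructive actions blocked, which is the “default deny wall” the comparison table below describes.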
This is What a Credential Breach Looks Like With and Without JIT Access
| | Without JIT Access | With Sonrai JIT Access |
|---|---|---|
| How attacker gets in | Steals credentials via phishing; inherits all standing privileges immediately | Steals credentials, but hits a default deny wall — no standing access exists |
| Access at entry | Broad, persistent permissions already attached to the identity | No privileged access; any request requires approval through Slack or Teams |
| What attacker can do | Move laterally, exfiltrate data, escalate privileges freely | Almost nothing — can’t reach production without an approved JIT session |
| Does it look normal? | Yes — access blends in with legitimate activity, no automatic flag | No — blocked attempts are logged; unexpected requests surface in real time |
| How org finds out | Weeks later via audit or after a breach is reported | Immediately — blocked attempts are flagged |
Without JIT access, a single set of stolen credentials can give an attacker immediate, unrestricted access to your most sensitive cloud environments, and because that access looks identical to normal activity, organizations often don’t find out until significant damage is done.
With Sonrai’s JIT access, that same attack is stopped cold. There’s no standing access to exploit and every privileged request requires approval. The difference isn’t just faster detection — it’s whether an attacker can do anything meaningful in the first place.
Real-World Use Cases for JIT Access in AWS
Sonrai’s JIT Access is designed for critical, high-value scenarios where temporary elevated access is necessary:
- Developer troubleshooting: When engineers need temporary access to logs or systems in production to diagnose issues
- Break-glass emergency access: For those rare but critical situations where immediate intervention is required
- Time-limited projects: When teams need elevated access for short-term initiatives
- Controlled environment transitions: When moving changes between staging and production environments
In each case, access is precise, fully audited, and automatically time-bound. Without JIT access, these use cases would require standing access, leaving sensitive environments permanently exposed.
Get Started
Ready to take control of sensitive access without slowing down your teams? Sonrai’s Just-in-Time Access makes it easy to grant elevated permissions only when they’re needed, with full visibility, auditability, and policy-backed enforcement.
See how fast you can improve access controls and reduce operational overhead.
Sonrai Security’s Cloud Permissions Firewall with Just-in-Time Access is available now for AWS environments.

Frequently Asked Questions
JIT access removes standing privileges by enforcing a default deny on all permissions, meaning no elevated permissions exist until they are explicitly requested and approved. Once the session ends, access is automatically revoked — leaving no persistent foothold for an attacker to exploit.
Traditional PAM tools manage and vault standing credentials, meaning privileged access still exists — it’s just locked behind a door. JIT takes a more fundamental approach by eliminating standing access entirely, so compromised credentials, if any exist, are useless.
When a user needs elevated access, they submit a request through a tool like Slack, Teams, or email, specifying what they need and why. That request is either auto-approved based on predefined policies or routed to a manager or security reviewer, and access is granted only for the duration needed.
Yes — JIT is designed with developer workflows in mind, allowing engineers to request temporary production access on demand without logging into a separate security tool. The process is lightweight enough that it doesn’t disrupt day-to-day work, while still maintaining a full audit trail of who accessed what and when.
Access duration is set at the time of the request or defined by policy, and once that window expires the permissions are automatically revoked with no manual intervention required. If more time is needed, users can request an extension, which goes through the same approval process.
