I am safe with Dome9 IAM Ad-Hoc Permission Elevation for AWS Environments

If you work in the cloud, you probably know how many security risks are out there these days. Hackers are always preying, or someone on your team can misconfigure the environment and expose it to the internet. One of the top 3 Cloud Security Threats, according to the Cybersecurity Insiders 2018 Cloud Security Report, is Unauthorized Access. Yes, identity management and access control are a real pain.

If you are a cloud security pro, you feel the pain every day. But you don’t want much, do you? You just want to give your cloud users the least privileges needed to do their job, and make sure they can only access the resources they need, at the time they need them. Oh, and you want your security team to be able to authorize everything. Sounds too good to be true? Well, Dome9 thinks this is precisely the way things should work, and we provide the right tools for the job!

IAM security made easy with Dome9 IAM Safety

Dome9 IAM Safety allows you to lock down the permissions in your cloud environments. Using a Dome9 wizard, the security team defines a “lockdown policy”: the list of risky and sensitive actions (for example, deleting a keypair). From it, an IAM deny policy is created that denies the specified operations, and the risk of unauthorized access is significantly lowered.

The next step is to select which IAM users are permanently denied these operations, and which may be “elevated”, that is, granted the privileges when needed. Using the Dome9 mobile application, those privileged users can “elevate” their IAM permissions. Dome9 users are coupled with their cloud IAM user. When a user needs to perform one of the sensitive actions, they open the mobile app and an authorization window is opened. Dome9 lifts the deny policy for that specific IAM user for a limited time frame, and when the time expires it locks the account down again. For tracking and auditing, an audit entry is also created. Both simple and safe, isn’t it?

Security admins can authorize permission elevations

In large organizations there can be many IAM users. In some cases, you don’t want to require all of these users to also be Dome9 users. Also, some organizations prefer that users not authorize permission elevation for themselves. These organizations prefer to implement a workflow: the owner of the IAM user requests permission elevation (by submitting a ticket in an organizational system, via email, or any other way); then a security admin approves it and opens an elevation window.

With Dome9 such a workflow is now supported. We recently introduced (link) elevation from the Dome9 web console. Dome9 Super Users can elevate an IAM user’s permissions, even for non-Dome9 users. Only a small group of security admins need to be Dome9 users, controlling a larger number of Amazon accounts and IAM users, and elevating their permissions only when needed. That’s the power of Dome9 ad-hoc permission elevation.
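The lockdown and time-boxed elevation described above (the deny policy over sensitive actions, lifted per IAM user for a limited window, with an audit entry and an approving admin) can be modelled as follows. This is an added example, not Dome9 code: it does not call AWS, and the action list, user names and time limits are constructed; a real deployment would attach and detach the generated policy through the IAM API.

```python
"""Model of a lockdown policy with time-boxed, audited permission elevation.
Added example: no AWS calls are made; the policy document and the elevation
state are modelled locally so it runs offline."""
from datetime import datetime, timezone

# Constructed list of sensitive actions; the page's own example is deleting a keypair.
SENSITIVE_ACTIONS = ["ec2:DeleteKeyPair", "iam:DeleteUser", "s3:DeleteBucket"]

def build_lockdown_policy(actions):
    """Return an IAM policy document that explicitly denies the given actions.
    In IAM an explicit Deny overrides any Allow the user otherwise holds."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "LockdownPolicy", "Effect": "Deny",
                       "Action": sorted(actions), "Resource": "*"}],
    }

class ElevationManager:
    """Tracks which IAM users currently have the deny policy lifted, and until when.
    Times are UNIX epoch seconds so the logic is independent of wall-clock time."""
    def __init__(self, actions, max_minutes=60):
        self.policy = build_lockdown_policy(actions)
        self.max_minutes = max_minutes      # hard cap on any single elevation window
        self._windows = {}                  # iam_user -> expiry (epoch seconds)
        self.audit = []                     # one entry per elevation, for tracking

    def elevate(self, iam_user, minutes, now, approved_by):
        """Lift the lockdown for iam_user for `minutes` (capped), recording who approved."""
        expiry = now + min(minutes, self.max_minutes) * 60
        self._windows[iam_user] = expiry
        self.audit.append({"user": iam_user, "approved_by": approved_by,
                           "from_epoch": now, "until_epoch": expiry,
                           "until": datetime.fromtimestamp(expiry, timezone.utc).isoformat()})
        return expiry

    def is_locked(self, iam_user, now):
        """True when the deny policy applies to the user at time `now`.
        An expired window is discarded, so the account locks down again on its own."""
        expiry = self._windows.get(iam_user)
        if expiry is None or now >= expiry:
            self._windows.pop(iam_user, None)
            return True
        return False

    def is_action_denied(self, iam_user, action, now):
        """Evaluate the lockdown policy for one action: denied only while locked
        and only for actions the policy lists; everything else is untouched."""
        denied_actions = self.policy["Statement"][0]["Action"]
        return self.is_locked(iam_user, now) and action in denied_actions
```

Users never registered with the manager are always locked, which matches the "permanently denied" group on the page.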

Power to the (security) people

With IAM Safety ad-hoc permission elevation the attack surface is reduced. Sensitive operations can be performed only when needed. By using Dome9 IAM Safety the chance of an accidental operation is reduced, as well as unauthorized access, by keeping the cloud account locked down at all times. Permission for sensitive operations is granted only via Dome9.

You can choose the preferred way of doing so: out-of-band authorization from the user’s mobile device, or a security admin approving the operation from the Dome9 web console, as seen below.

IAM Safety in action below:


Your cloud access management was never safer. Check out a demo or play with a free trial to learn more!