Just-in-Time Access Without a PAM Tool: AWS, Azure, and GCP Native Options
Just-in-time (JIT) access replaces permanent privileged credentials with temporary, on-demand grants that expire automatically. AWS, Azure, and GCP all provide native JIT capabilities that cover the core use case without requiring a commercial PAM tool. This guide walks through the implementation for each cloud platform and covers two open-source alternatives for multi-cloud environments.
AWS: Time-Bounded Permission Sets with IAM Identity Center
IAM Identity Center (formerly AWS SSO) manages human access to AWS accounts centrally. The JIT approach: create a high-privilege permission set (e.g., AdministratorAccess) and assign it on-demand using a workflow, then revoke the assignment when the window closes.
Grant access via CLI:
aws sso-admin create-account-assignment \
--instance-arn [instance-arn] \
--target-id [account-id] \
--target-type AWS_ACCOUNT \
--permission-set-arn [admin-permission-set-arn] \
--principal-type USER \
--principal-id [user-id]
Schedule automatic revocation after 1 hour using EventBridge and a Lambda function that calls delete-account-assignment with the same parameters.
Open-source option with Granted:
granted request \
--role AdministratorAccess \
--account 123456789012 \
--duration 1h
Granted wraps IAM Identity Center with Slack-based approval workflows. The access grant is created only after the approver responds, and it is automatically removed when the duration expires.
Azure: Privileged Identity Management (PIM)
PIM is included in Microsoft Entra ID P2 (formerly Azure AD Premium P2), which comes with Microsoft 365 E5 and EMS E5. If your organization has either, you have PIM available today.
Converting a standing assignment to eligible:
- Azure Portal: Privileged Identity Management > Azure AD roles
- Select the role > Assignments > Add assignments
- Assignment type: Eligible (not Active)
- Set maximum activation duration (default 1 hour, max 24 hours)
Requiring MFA and justification on activation:
- PIM > Role settings > Edit
- Activation: require MFA, require justification, require approval (optional)
List eligible assignments with PowerShell:
# AzureADPreview module cmdlet; Microsoft is retiring this module in favour of the Microsoft Graph PowerShell SDK
Get-AzureADMSPrivilegedRoleAssignment `
-ProviderId "aadRoles" `
-ResourceId [tenant-id] `
| Where-Object {$_.AssignmentState -eq "Eligible"} `
| Select-Object SubjectId, RoleDefinitionId
Activation audit: PIM > Audit shows who activated, when, what justification was provided, and how long the session ran. This log satisfies most audit requirements for privileged access review.
GCP: Privileged Access Manager (PAM)
GCP PAM (generally available as of 2024) grants temporary IAM bindings with optional approval workflows. It operates at the project, folder, or organization level.
Create an entitlement (what role, on what resource, for how long):
gcloud beta pam entitlements create prod-admin-access \
--project=[project-id] \
--location=global \
--privileged-access='gcpIamAccess.resourceType=cloudresourcemanager.googleapis.com/Project,gcpIamAccess.resource=//cloudresourcemanager.googleapis.com/projects/[project-id],gcpIamAccess.roleBindings.role=roles/editor' \
--requester-justification-config='notMandatory={}' \
--max-request-duration=3600s
Developer self-service request:
gcloud beta pam grants create \
--entitlement=prod-admin-access \
--project=[project-id] \
--location=global \
--reason="Deploying hotfix for incident #1234" \
--requested-duration=1800s
The IAM binding is created only after the grant is approved (if approval is required) and is automatically removed when the duration expires. GCP Cloud Audit Logs capture every grant request, approval, and revocation.
Open-Source Options: Teleport and HashiCorp Boundary
Teleport provides JIT access for SSH, Kubernetes, databases, and internal applications with full session recording.
Access request workflow:
# Developer requests elevated access
tsh request create \
--roles=prod-db-admin \
--reason="Investigating outage #4521"
# Approver reviews and approves in Teleport web UI or Slack integration
# Credentials are granted for the configured duration (default 8h, configurable to 1h)
# Every command is recorded and searchable
Self-hosted or Teleport Cloud. The open-source (Community) edition includes all core JIT features.
HashiCorp Boundary provides JIT access for any TCP target (SSH, RDP, databases) without exposing the network. No agent is required on target hosts: Boundary uses credential brokering and SSH certificate injection. Vault integration enables dynamic, short-lived credentials.
Choose OSS over cloud-native when:
- You need JIT across multiple clouds in a unified interface
- You need JIT for on-premises SSH and RDP
- You need session recording for compliance (SOC 2, FedRAMP)
- Your team prefers a single tool over three separate cloud consoles
Building an Approval Workflow Without Tooling
Minimum viable JIT for small teams: Slack slash command plus Lambda plus AssumeRole.
Pattern:
- Developer types /access-request prod-admin 2h incident: database migration
- Lambda posts an approval request to the #infra-approval Slack channel with Approve and Deny buttons
- Approver clicks Approve
- Lambda calls IAM Identity Center API to grant the permission set
- Lambda creates an EventBridge rule to call delete-account-assignment in 2 hours
- Lambda notifies the developer in Slack DM (or they log in via SSO with the new permission set)
All access requests, approvals, grants, and revocations are logged in DynamoDB for audit and compliance reporting. This pattern can be built in a day and satisfies most SOC 2 access control requirements without purchasing a commercial PAM tool.
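The grant-then-schedule-revocation logic behind this pattern (and the EventBridge-driven delete-account-assignment revocation described in the AWS section), written out as an added example. This is illustration code, not code from the article or from AWS: the instance, permission set, Lambda and role ARNs are placeholders, the slash-command grammar is an assumption, and the clients are injected so the flow can be dry-run offline with the constructed FakeClient (in production you would pass boto3.client("sso-admin"), boto3.client("scheduler") and a DynamoDB table resource).

```python
"""JIT grant / scheduled-revoke handlers for the Slack + Lambda + IAM Identity Center pattern.

Added example, not from the article. All ARNs are placeholders; clients are passed in
so the logic runs offline against the constructed FakeClient below.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Hypothetical deployment values; every ARN here is a placeholder.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-PLACEHOLDER"
PERMISSION_SETS = {  # slash-command role name -> permission set ARN
    "prod-admin": "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-PLACEHOLDER",
}
REVOKE_LAMBDA_ARN = "arn:aws:lambda:us-east-1:123456789012:function:jit-revoke-PLACEHOLDER"
SCHEDULER_ROLE_ARN = "arn:aws:iam::123456789012:role/jit-scheduler-PLACEHOLDER"
MAX_DURATION = timedelta(hours=4)  # hard cap, whatever the developer asked for

# "<role> <N>h|<N>m <free-text reason>", e.g. "prod-admin 2h incident: database migration"
_CMD_RE = re.compile(r"^(?P<role>[\w-]+)\s+(?P<num>\d+)(?P<unit>[hm])\s+(?P<reason>\S.*)$")


def parse_request(text):
    """Parse the slash-command text into (role, duration, reason).
    Unknown roles and windows outside (0, MAX_DURATION] are rejected, so a typo
    like "20h" can never turn into a day-long admin grant."""
    m = _CMD_RE.match(text.strip())
    if not m:
        raise ValueError("expected: <role> <N>h|<N>m <reason>")
    role = m.group("role")
    if role not in PERMISSION_SETS:
        raise ValueError(f"unknown role {role!r}")
    n = int(m.group("num"))
    duration = timedelta(hours=n) if m.group("unit") == "h" else timedelta(minutes=n)
    if not timedelta(0) < duration <= MAX_DURATION:
        raise ValueError(f"duration must be between 1m and {MAX_DURATION}")
    return role, duration, m.group("reason").strip()


def validate(text):
    """None if the command is acceptable, otherwise the message to show the developer."""
    try:
        parse_request(text)
        return None
    except ValueError as exc:
        return str(exc)


def assignment_params(role, account_id, user_id):
    """Parameter set shared by create-account-assignment and delete-account-assignment."""
    return {"InstanceArn": INSTANCE_ARN, "TargetId": account_id, "TargetType": "AWS_ACCOUNT",
            "PermissionSetArn": PERMISSION_SETS[role], "PrincipalType": "USER",
            "PrincipalId": user_id}


def schedule_expression(expires_at):
    """One-off EventBridge Scheduler expression, at(yyyy-mm-ddThh:mm:ss), in UTC."""
    return "at(" + expires_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S") + ")"


def grant(sso, scheduler, audit, role, duration, reason, account_id, user_id, approver, now=None):
    """Run after the approver clicks Approve: assign the permission set, schedule the
    revoke Lambda for the expiry time, and write the audit record."""
    now = now or datetime.now(timezone.utc)
    expires_at = now + duration
    params = assignment_params(role, account_id, user_id)
    sso.create_account_assignment(**params)
    scheduler.create_schedule(
        Name=f"jit-revoke-{user_id}-{int(now.timestamp())}",
        ScheduleExpression=schedule_expression(expires_at),
        FlexibleTimeWindow={"Mode": "OFF"},
        ActionAfterCompletion="DELETE",  # one-shot schedule removes itself after firing
        Target={"Arn": REVOKE_LAMBDA_ARN, "RoleArn": SCHEDULER_ROLE_ARN,
                "Input": json.dumps(params)},  # revoke handler receives exactly these params
    )
    audit.put_item(Item={"pk": f"{user_id}#{int(now.timestamp())}", "role": role,
                         "account": account_id, "approver": approver, "reason": reason,
                         "granted_at": now.isoformat(), "expires_at": expires_at.isoformat()})
    return expires_at


def revoke_handler(event, sso):
    """Lambda invoked by the schedule; `event` is the assignment param dict from Input."""
    sso.delete_account_assignment(**event)
    return {"revoked": event["PrincipalId"], "permission_set": event["PermissionSetArn"]}


class FakeClient:
    """Constructed stand-in for a boto3 client: records each call instead of making it."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return method


def demo(command="prod-admin 2h incident: database migration",
         now=datetime(2025, 1, 1, 10, 0, tzinfo=timezone.utc)):
    """End-to-end dry run with fake clients; returns the expiry and the recorded calls."""
    sso, scheduler, audit = FakeClient(), FakeClient(), FakeClient()
    role, duration, reason = parse_request(command)
    expires = grant(sso, scheduler, audit, role, duration, reason, account_id="123456789012",
                    user_id="user-PLACEHOLDER", approver="approver-PLACEHOLDER", now=now)
    # replay what the scheduled Lambda will do at expiry
    revoke_handler(json.loads(scheduler.calls[0][1]["Target"]["Input"]), sso)
    return {"expires_at": expires, "sso_calls": [c[0] for c in sso.calls],
            "schedule": scheduler.calls[0][1]["ScheduleExpression"]}


if __name__ == "__main__":
    print(demo())
```

Two design points worth keeping if you adapt this: the revoke Lambda receives the identical parameter set that created the assignment, so revocation cannot drift from the grant, and the duration cap is enforced in the parser before anything touches IAM Identity Center, so the approver never sees a request that policy would reject anyway.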
The bottom line
Standing privileged access is a persistent attack surface. Every organization with AWS, Azure, or GCP has native JIT capability available today, most without additional cost. Start by identifying your top 5 standing privilege assignments (permanent admin accounts, shared root keys, always-on service accounts) and convert them to time-bounded access using the cloud-native tools. The entire process takes a day to implement and eliminates a significant proportion of your credential risk.
Frequently asked questions
What is just-in-time access and why does it matter?
JIT access means privileged credentials are granted on-demand for a defined window (e.g., 1 hour) and automatically revoked afterward. Standing privilege (permanent admin access) means any credential compromise gives attackers persistent access. JIT eliminates that persistence.
Do I need a PAM tool to implement just-in-time access?
No. AWS, Azure, and GCP all have native JIT capabilities. AWS IAM Identity Center supports time-bounded permission sets. Azure PIM provides eligible role assignments with approval workflows. GCP PAM grants temporary IAM bindings. These cover the core JIT use case without additional cost for most organizations.
What is the difference between eligible assignment and active assignment in Azure PIM?
Eligible assignment: user can request activation, goes through approval/MFA, gets time-bounded access. Active assignment: user has the role permanently (the traditional standing privilege model). PIM lets you convert standing active assignments to eligible assignments to implement JIT.
How do I implement JIT for AWS without IAM Identity Center?
Use IAM role assumption with short-lived credentials: aws sts assume-role --role-arn [admin-role] --role-session-name [user]-[timestamp] --duration-seconds 3600. The credentials expire after 1 hour (the requested duration cannot exceed the role's configured maximum session duration, and a session assumed from another role's temporary credentials is limited to 1 hour). For workflow enforcement, build an approval process in Slack or ServiceNow that calls the AssumeRole API and returns the credentials.
What is Teleport and when should I use it instead of cloud-native JIT?
Teleport is an open-source access plane that provides JIT SSH, Kubernetes, database, and application access with full audit logging. Use it when you need JIT across multiple clouds or for infrastructure types not covered by cloud-native tools (SSH, on-prem systems, databases).
How do I enforce JIT access without breaking developer productivity?
Set a 4-hour default session for read-only elevated access and 1-hour for write access. Pre-approve common request types automatically (routine deployments, standard DB reads). Require approval only for destructive or unusual access. Use pre-seeded request templates so developers don't have to write free-text justifications.
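The tiered defaults and auto-approval rules in this answer, expressed as a small policy function. This is an added example, not code from the article; the role catalogue, tier names and template names are hypothetical, and the decision order (destructive roles always go to an approver, then pre-seeded templates are auto-approved, then anything else waits for a human) is one reasonable reading of the guidance above.

```python
"""Approval policy for JIT requests: per-tier default windows plus automatic approval
of routine request templates. Added example; roles and templates are hypothetical."""
from dataclasses import dataclass

READ_DEFAULT_MINUTES = 4 * 60   # read-only elevated access
WRITE_DEFAULT_MINUTES = 60      # anything that can change state

# Hypothetical role catalogue: role -> tier
ROLE_TIERS = {"prod-read": "read", "prod-deploy": "write", "prod-admin": "write"}
# Pre-seeded templates that skip human approval: (role, template) pairs
AUTO_APPROVED = {("prod-deploy", "routine-deploy"), ("prod-read", "standard-db-read")}
# Roles that can destroy data or infrastructure always go to an approver
DESTRUCTIVE_ROLES = {"prod-admin"}


@dataclass(frozen=True)
class Decision:
    status: str    # "auto-approved", "pending-approval" or "denied"
    minutes: int   # window that will actually be granted (0 when denied)
    note: str      # message shown to the developer


def decide(role, template=None, requested_minutes=None):
    """Evaluate one request. `template` is the pre-seeded request type (None for free
    text); `requested_minutes` is what the developer asked for (None for the default).
    The tier cap always wins over the requested window."""
    tier = ROLE_TIERS.get(role)
    if tier is None:
        return Decision("denied", 0, f"unknown role {role!r}")
    cap = READ_DEFAULT_MINUTES if tier == "read" else WRITE_DEFAULT_MINUTES
    minutes = cap if requested_minutes is None else min(requested_minutes, cap)
    if minutes <= 0:
        return Decision("denied", 0, "requested window must be positive")
    if role in DESTRUCTIVE_ROLES:
        return Decision("pending-approval", minutes, "destructive role: approver required")
    if (role, template) in AUTO_APPROVED:
        return Decision("auto-approved", minutes, f"pre-approved template {template!r}")
    if template is None:
        return Decision("pending-approval", minutes, "free-text justification: approver required")
    return Decision("pending-approval", minutes, f"unrecognised template {template!r}: approver required")


if __name__ == "__main__":
    print(decide("prod-read", "standard-db-read"))
    print(decide("prod-deploy", "routine-deploy", requested_minutes=180))
    print(decide("prod-admin", "routine-deploy"))
```

Note that a developer who asks for three hours on a write-tier role silently gets one hour rather than a rejection; that keeps the fast path fast while the cap still holds.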
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.