Dynamic Access Leasing
Overview
Dynamic Access Leasing is a CloudGuard feature that controls access to protected resources on AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. accounts. Access is given to specific users for a limited time to resources through specific Service Groups (as in SSH or Remote Terminal).
Dynamic access leasing allows AWS cloud servers and other resources to be almost hermetically closed, opening tiny security "holes" for management activities only when necessary.
|
Note - Dynamic Access is available for AWS environments only. |
Access Lease
An Access Lease is a grant of access to specific Services Groups on an AWS cloud entity, for a limited period. Leases can be assigned to any of the following recipients:
-
Yourself - The lease is for you, to access a selected service on a cloud entity, for a specific period, from the same device from which you are currently connected to CloudGuard.
-
Specific IP/CIDR - The lease is for a specific IP address (or CIDR), to access a cloud entity, for a specific period.
-
An email recipient - The lease is for an email recipient not necessarily a CloudGuard user), to access a cloud entity from the device on which the recipient opens the email.
A lease is for one-time access during a specific period. An expired lease cannot be extended, but it can be renewed by sending a new invitation. In addition, it is possible to terminate a current lease. The option to Terminate Access option appears for each lease in the Active Access Leases list.
How it Works
-
Configure the AWS account and the Security Groups to be fully protected by CloudGuard
-
CloudGuard admin users create Leases that, when activated, provide access to an AWS cloud resource (such as an EC2 Amazon EC2 - A web service for launching and managing Linux/UNIX and Windows Server instances in Amazon data centers.) through a specific Security Group A set of access control rules that acts as a virtual firewall for your virtual machine instances to control incoming and outgoing traffic., for a limited time period
-
Recipients activate Leases by clicking on a link; access to the cloud resource is from the same host (IP) from which the link was activated, and for the specific service(s) or port(s) specified in the lease
-
Recipient receives an email with a link to activate the Lease. Activation of the lease triggers the creation of one temporary Security Group Inbound Access Rule for each Inbound port or continuous port range that is selected for Dynamic Access.
-
At the end of the time period, access to the cloud entity is blocked
The configuration and management of access leases for access to a security group service is the primary function here. The administrative user can get leases for themselves and assign them to other users.
Main Features
-
Access to cloud services is usually blocked and only opened as necessary for limited periods to specific individuals.
-
Access to some cloud services or cloud resources with one lease.
-
Full audit trail of all access and changes to the cloud resources (see System Audit Logs).
-
Admin users make decisions about which services to manage with IAM Identity and Access Management (IAM) - A web service that customers can use to manage users and user permissions within their organizations. Safety.
|
Note - Access is for specific services that are attached to security groups. Gaining access to that service means that a user can interact with all servers in the selected security group. |
Prerequisites
AWS account must be Fully Protected by CloudGuard (see Unified Onboarding of AWS Environments).
The Security Groups on the AWS account to be managed by IAM Safety must be managed by CloudGuard and configured not to be open to everyone
The Security Group in which the lease is established must not already have the maximum number of Inbound Access Rules permitted by AWS at the time when the lease is activated. For CloudGuard Customers for whom the default AWS "soft limit" of 50 Inbound Access Rules apply for each Security Group, this means that one Dynamic Access lease for one protocol/port or continuous port range can be activated on any appropriately configured Security Group that contains 49 or fewer Inbound Access Rules.
Access Groups
You can configure an Access Group to grant access to a number of services or ports with one lease. This is useful if activities are done on the group of services or ports together. In this case, the access lease specifies an access group as an alternative to a specific service or port.
Methods of creating leases
An admin user can create access leases from the following applications:
-
the CloudGuard portal (admin user)
-
the CloudGuard mobile app
-
the CloudGuard Chrome add-on
Google Chrome Add-on for Dynamic Access
The CloudGuard Chrome extension allows CloudGuard users to create dynamic access leases on-demand from their Chrome browser without signing-in to the CloudGuard console.
Use Cases
-
User access a resource in a cloud VPC, for example, troubleshooting an issue, see Getting Access (How to Set Up a Lease).
-
Configuration of an Access Group for IAM Safety, see Setting up an Access Group.
Actions
Configuration of access leases begins with the assignment of leases. It all starts on the Access Leases page with the Get Access option.
To assign leases:
-
Navigate to the Access Leases page in the Network Security menu, and select the Get Access tab. This tab shows a list of your AWS cloud VPCs and the services groups for each that are fully protected by CloudGuard and, for each, the services that they control. These services can be accessed with Access Leases. Use the filter and search fields to filter the list or search for a specific asset or service.
-
Click Get Access next to the service you wish to access to create a lease to access the service. The default lease period is set in Settings (Configuration > Access Leases).
-
To open a lease for a different period, click and select the access period (1, 5, or 10 hours).
When the lease is opened, you can access the cloud asset with the service you selected (for example, SSH) from the same device from which you opened the lease.
An administrator can send an invitation to external (non-CloudGuard) users through the Get Access/Send Invitation option. This is useful for inviting contractors, support personnel, and more who do not have a CloudGuard account. The specified user is then notified of a pending invitation by e-mail that includes a lease activation link. Selecting the link initiates the lease.
|
Note - Access invitations are marked pending until accepted and activated, and can be terminated before they are activated. |
-
Navigate to the Access Leases page.
-
Click next to the service for which you wish to open a lease, and select Send Invitation.
-
Select the lease period and procedure of delivery for the invitation. You can send an email through CloudGuard to the recipient, with a link to activate the lease, or you can copy the link, and send it on your own (for example, by private email, or messaging).
-
The recipient receives an email (or message) with a link to activate the lease. The lease is activated when the link is followed. The user can access the cloud asset with the selected service during the lease from the device from which the lease was activated (that is, from which the link was followed). At the end of the lease period, access is closed.
-
Navigate to the Access Leases page, and select the Active Leases tab. This shows a list of active leases and leases which have not been activated.
-
To terminate immediately an active lease, click Terminate Lease.
Access Groups are groups of services. They can be from different service groups, and for different VPCs. Select an Access Group when creating a lease, to open access to all the services in the group with one lease.
-
Navigate to the Access Leases page.
-
Select the check box next to the services to be grouped, and then click Save as Access Group.
-
Enter a name for the group, and then click SAVE. You can select to make the group public (with access to other CloudGuard users) or private (only you can access it). When Access Groups are configured, a new tab, Access Groups, appears on the Dynamic Access primary page. This tab shows a list of access groups.
You can create Access Leases for services in an Access Group. These leases can only be assigned to you.
-
Navigate to the Access Leases page, and select the Access Groups tab (this tab only appears if there are Access Groups configured). The tab shows a list of all the Access Groups.
-
Select the Access Group to be used in the lease from the list of groups on the left. The services in the group are shown on the right.
-
Click Get Access for All n Services to create a lease for the group of services. As an alternative, click and select a different lease period.
You can modify the composition of an Access Group. This affects new leases that use the group.
-
Navigate to the Access Leases page, and select the Access Groups tab.
-
Click the edit icon next to the group to be modified. The Get Access tab is opened, showing the list of services. The services in the group are selected. Select or clear Access Groups from the list, to modify the composition of the group, and then click Update Group.
Follow these instructions to install the CloudGuard extension for the Chrome browser.
-
Visit the Chrome web store and search for CloudGuard extension or go directly to CloudGuard Chrome Extension.
-
On the extension's details page, click Add to Chrome and then click Add extension in the dialog.
-
A CloudGuard icon () appears in the browser menu bar. Click the icon to open the extension.
Use the CloudGuard Chrome extension to create a lease. The lease can only include Access Groups.
-
Click the CloudGuard icon () in your Chrome browser menu bar.
-
Select an Access Group for the lease. A lease is created (for the default period). A validation message shows.
You can create leases with the CloudGuard mobile app. You must install the app and pair it with your CloudGuard account first (see CloudGuard Mobile Application)
-
Open the CloudGuard mobile app and select Dynamic Access from the primary menu.
-
Tap on the Access Group to create a lease for it.