Dynamic Access Leasing


Dynamic Access Leasing is a CloudGuard feature that controls access to protected resources on AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. accounts. Access is given to specific users for a limited time to resources through specific Service Groups (as in SSH or Remote Terminal).

Dynamic access leasing allows AWS cloud servers and other resources to be almost hermetically closed, opening tiny security "holes" for management activities only when necessary.

Note - Dynamic Access is available for AWS environments only.

Access Lease

An Access Lease is a grant of access to specific Services Groups on an AWS cloud entity, for a limited period. Leases can be assigned to any of the following recipients:

  • Yourself - The lease is for you, to access a selected service on a cloud entity, for a specific period, from the same device from which you are currently connected to CloudGuard.

  • Specific IP/CIDR - The lease is for a specific IP address (or CIDR), to access a cloud entity, for a specific period.

  • An email recipient - The lease is for an email recipient not necessarily a CloudGuard user), to access a cloud entity from the device on which the recipient opens the email.

A lease is for one-time access during a specific period. An expired lease cannot be extended, but it can be renewed by sending a new invitation. In addition, it is possible to terminate a current lease. The option to Terminate Access option appears for each lease in the Active Access Leases list.

How it Works

The configuration and management of access leases for access to a security group service is the primary function here. The administrative user can get leases for themselves and assign them to other users.

Main Features

Note - Access is for specific services that are attached to security groups. Gaining access to that service means that a user can interact with all servers in the selected security group.


AWS account must be Fully Protected by CloudGuard (see Unified Onboarding of AWS Environments).

The Security Groups on the AWS account to be managed by IAM Safety must be managed by CloudGuard and configured not to be open to everyone

The Security Group in which the lease is established must not already have the maximum number of Inbound Access Rules permitted by AWS at the time when the lease is activated. For CloudGuard Customers for whom the default AWS "soft limit" of 50 Inbound Access Rules apply for each Security Group, this means that one Dynamic Access lease for one protocol/port or continuous port range can be activated on any appropriately configured Security Group that contains 49 or fewer Inbound Access Rules.

Access Groups

You can configure an Access Group to grant access to a number of services or ports with one lease. This is useful if activities are done on the group of services or ports together. In this case, the access lease specifies an access group as an alternative to a specific service or port.

Methods of creating leases

An admin user can create access leases from the following applications:

  • the CloudGuard portal (admin user)

  • the CloudGuard mobile app

  • the CloudGuard Chrome add-on

Google Chrome Add-on for Dynamic Access

The CloudGuard Chrome extension allows CloudGuard users to create dynamic access leases on-demand from their Chrome browser without signing-in to the CloudGuard console.

Use Cases