CloudGuard Dome9 Help

Dynamic Access Leasing


Overview

Dynamic Access Leasing is a Dome9 feature that controls access to protected resources on AWS accounts. Access is granted to specific users, for a limited time, to resources through specific Service Groups (for example, SSH or Remote Terminal). It is an access contract for a designated user to a service for a given period of time.

Dynamic access leasing allows AWS cloud servers and other resources to be almost hermetically closed, opening tiny security "holes" for management activities only when necessary.

Note: Dynamic Access is available only for AWS cloud accounts.

Access Lease

An Access Lease is a grant of access to specific Service Groups on an AWS cloud entity, for a limited period of time. Leases can be assigned to any of the following recipients:

  • Yourself - the lease is for you, to access a selected service on a cloud entity, for a specific period of time, from the same device from which you are currently connected to Dome9

  • Specific IP/CIDR - the lease is for a specific IP address (or CIDR), to access a cloud entity, for a specific period of time

  • An email recipient - the lease is for an email recipient (not necessarily a Dome9 user), to access a cloud entity, from the device from which the email is opened.

A lease is for one-time access, for a specific period of time. An expired lease cannot be extended, but it can be renewed by sending a new invitation. It is also possible to terminate a current lease. A Terminate Access option appears for each lease on the Active Access Leases list.

How it works

  • Configure the AWS account and the Security Groups to be fully protected by Dome9

  • Dome9 admin users create Leases that, when activated, provide access to an AWS cloud resource (such as an EC2) via a specific Security Group, for a limited time period

  • Recipients activate Leases by clicking on a link; access to the cloud resource is from the same host (IP) from which the link was activated, and for the specific service(s) or port(s) specified in the lease

  • Recipient receives an email with a link to activate the Lease. Activation of the lease triggers the creation of one temporary Security Group Inbound Access Rule for each Inbound port or continuous port range that is selected for Dynamic Access.

  • At the end of the time period, access to the cloud entity is blocked

The primary function of this feature is configuring and managing access leases for access to a Security Group service. The administrative user can acquire leases for themselves and assign them to other users.

Note: Access is for specific services that are attached to security groups. Gaining access for that service means that a user can interact with all servers within the selected security group.

What you need

AWS account must be Fully Protected by Dome9 (see Onboard an AWS Account)

The Security Groups on the AWS account to be managed by IAM Safety must be managed by Dome9 and configured not to be open to everyone

The Security Group in which the lease will be established must not already have the maximum number of Inbound Access Rules permitted by AWS at the time when the lease is activated. For Dome9 Customers who are subject to the default AWS "soft limit" of 50 Inbound Access Rules per Security Group, this means that a single Dynamic Access lease for a single protocol/port or continuous port range can be activated on any appropriately configured Security Group that contains 49 or fewer Inbound Access Rules.
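The activation and expiry steps described under How it works, together with the inbound-rule limit check from the requirement above, modelled as an added example (constructed here, not Dome9 code; the class and function names, and the use of epoch seconds for lease timing, are assumptions):

```python
# Constructed model of a Dynamic Access lease lifecycle (not Dome9 code): activation
# adds one temporary inbound rule per selected port or contiguous port range, scoped
# to the activating host (/32); rules are revoked when the period ends; activation
# must respect the AWS default soft limit of 50 inbound rules per Security Group.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import ipaddress

AWS_DEFAULT_INBOUND_RULE_LIMIT = 50  # default soft limit cited on the page

@dataclass(frozen=True)
class InboundRule:
    protocol: str
    from_port: int
    to_port: int
    cidr: str
    expires_at: Optional[int] = None  # epoch seconds; None = permanent rule

@dataclass
class SecurityGroup:
    name: str
    rules: List[InboundRule] = field(default_factory=list)

def rules_available(sg: SecurityGroup, limit: int = AWS_DEFAULT_INBOUND_RULE_LIMIT) -> int:
    """How many more inbound rules the group can hold before hitting the limit."""
    return max(0, limit - len(sg.rules))

def activate_lease(sg: SecurityGroup, activating_ip: str, port_ranges: List[Tuple[int, int]],
                   duration_s: int, now: int, protocol: str = "tcp") -> List[InboundRule]:
    """Create one temporary /32 rule per port range; refuse if the group would overflow."""
    if len(port_ranges) > rules_available(sg):
        raise RuntimeError(f"{sg.name}: cannot add {len(port_ranges)} lease rule(s), "
                           f"only {rules_available(sg)} slot(s) left")
    host = str(ipaddress.ip_network(activating_ip))  # bare address -> a.b.c.d/32
    created = [InboundRule(protocol, lo, hi, host, now + duration_s) for lo, hi in port_ranges]
    sg.rules.extend(created)
    return created

def expire_leases(sg: SecurityGroup, now: int) -> int:
    """Revoke every lease rule whose period has ended; returns the number removed."""
    keep = [r for r in sg.rules if r.expires_at is None or r.expires_at > now]
    sg.rules, removed = keep, len(sg.rules) - len(keep)
    return removed

def is_allowed(sg: SecurityGroup, source_ip: str, port: int, now: int, protocol: str = "tcp") -> bool:
    """True if an unexpired rule admits source_ip on port (expired rules never match)."""
    src = ipaddress.ip_address(source_ip)
    return any(r.protocol == protocol and r.from_port <= port <= r.to_port
               and src in ipaddress.ip_network(r.cidr)
               and (r.expires_at is None or r.expires_at > now) for r in sg.rules)
```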

Access Groups

You can define an Access Group to grant access to a number of services or ports with a single lease. This is useful if activities are performed on the group of services or ports together. In this case, the access lease will specify an access group instead of a specific service or port.

Methods of creating leases

An admin user can create access leases from the following applications:

  • the Dome9 console (admin user)

  • the Dome9 mobile app

  • the Dome9 Chrome add-on

Google Chrome Add-on for Dynamic Access

The Dome9 Chrome extension allows Dome9 users to create dynamic access leases on-demand from their Chrome browser, without being signed-in to the Dome9 console.

Value to customers

  • access to cloud services is normally BLOCKED, and only opened upon need, and then only for limited periods of time to particular individuals

  • access to several cloud services/resources with a single lease

  • full audit trail of all access and changes to the cloud resources (see Audit Trail)

  • admin users decide which services will be managed by IAM Safety

Use-cases

  • user needs to access a resource in a cloud VPC, for example to troubleshoot an issue

  • configure a Security Group for IAM Safety

Actions

See also

Dome9 Mobile App

Onboard an AWS Account

Security Groups