Dynamic Access Leasing
Dynamic Access Leasing is a CloudGuard feature that controls access to protected resources on AWS accounts. Access is granted to specific users, for a limited time, for to resources through specific Service Groups (for example, SSH, or Remote Terminal). It is an access contract for a designated user to a service for a given period of time.
Dynamic access leasing allows AWS cloud servers and other resources to be almost hermetically closed, opening tiny security "holes" for management activities only when necessary.
Note: Dynamic Access is available only for AWS cloud accounts.
An Access Leases is a grant of access to specific Services Groups on an AWS cloud entity, for a limited period of time. Leases can be assigned to any of the following recipients:
Yourself - the lease is for you, to access a selected service on a cloud entity, for a specific period of time, from the same device from which you are currently connected to CloudGuard
Specific IP/CIDR. - the lease is for a specific IP address (or CIDR), to access a cloud entity, for a specific period of time
An email recipient - the lease is for an email recipient (not necessarily a CloudGuard user), to access a cloud entity, from the device from which the email is opened.
A lease is for a one-time access, for a specific period of time. An expired lease cannot be extended, but it can be renewed by sending a new invitation. It is also possible to terminate a current lease. A Terminate Access option appears for each lease on the Active Access Leases list.
How it works
Configure the AWS account and the Security Groups to be fully protected by CloudGuard
CloudGuard admin users create Leases that, when activated, provide access to an AWS cloud resource (such as an EC2) via a specific Security Group, for a limited time period
Recipients activate Leases by clicking on a link; access to the cloud resource is from the same host (IP) from which the link was activated, and for the specific service(s) or port(s) specified in the lease
Recipient receives an email with a link to activate the Lease. Activation of the lease triggers the creation of one temporary Security Group Inbound Access Rule for each Inbound port or continuous port range that is selected for Dynamic Access.
At the end of the time period, access to the cloud entity is blocked
Configuring and managing access leases for access to a security group service is the primary function here. The administrative user can acquire leases for themselves and assign them to other users.
Note: Access is for specific services that are attached to security groups. Gaining access for that service means that a user can interact with all servers within the selected security group.
What you need
AWS account must be Fully Protected by CloudGuard (see Onboard an AWS Account
The Security Groups on the AWS account to be managed by IAM Safety must be managed by CloudGuard and configured not to be open to everyone
The Security Group in which the lease will be established must not already have the maximum number of Inbound Access Rules permitted by AWS at the time when the lease is activated. For CloudGuard Customers who are subject to the default AWS "soft limit" of 50 Inbound Access Rules per Security Group, this means that a single Dynamic Access lease for a single protocol/port or continuous port range can be activated on any appropriately configured Security Group that contains 49 or fewer Inbound Access Rules.
You can define an Access Group to grant access to a number of services or ports with a single lease. This is useful if activities are performed on the group of services or ports together. In this case, the access lease will specify an access group instead of a specific service or port.
Methods of creating leases
An admin user can create access leases from the following applications:
the CloudGuard console (admin user)
the CloudGuard mobile app
the CloudGuard Chrome add-on
Google Chrome Add-on for Dynamic Access
The CloudGuard Chrome extension allows CloudGuard users to create dynamic access leases on-demand from their Chrome browser, without being signed-in to the CloudGuard console.
Value to customers
access to cloud services is normally BLOCKED, and only opened upon need, and then only for limited periods of time to particular individuals
access to several cloud services/resources with a single lease
full audit trail of all access and changes to the cloud resources (see Audit Trail)
admin users decide which services will be managed by IAM Safety
user needs to access a resource in a cloud VPC, for example to troubleshoot an issue
configure a Security Group for IAM Safety
Configuration of access leases begins with the assignment of leases. It all starts at the Dynamic Access page, using the Get Access option. To assign leases:
Navigate to the Dynamic Access page in the Network Security menu, and select the Get Access tab. This tab shows a list of your AWS cloud VPCs and the services groups for each that are fully protected by CloudGuard and, for each, the services that they control. These services can be accessed with Access Leases. Use the filter and search pane on the left to filtered the list, or search for a specific asset or service.
Click GET ACCESS next to the service you wish to access to create a lease for yourself to access the service. The default lease period is set in your Settings (seeAccount Settings).
To open a lease for a different period of time, click and select the access period (1, 5, or 10 hours).
Once the lease is opened, you can access the cloud asset with the service you selected (for example, SSH) from the same device from which you opened the lease.
An administrator can send an invitation to external (non-CloudGuard) users through the Get Access/Send Invitation option. This is useful for inviting contractors, support personnel, etc. who do not have a CloudGuard account. The specified user is then notified of a pending invitation by e-mail that includes a lease activation link. Selecting the link initiates the lease.
Note: access invitations are marked pending until accepted and activated, and may be terminated before they are activated.
Navigate to the Dynamic Access page.
Click next to the service for which you wish to open a lease, and select Send Invitation.
Select the lease period, and method of delivery for the invitation. You can send an email through CloudGuard to the recipient, with a link to activate the lease, or you can copy the link, and send it on your own (for example, by private email, or messaging).
The recipient will receive an email (or message) with a link to activate the lease. The lease is activated when the link is followed. The user can access the cloud asset with selected service for the duration of the lease from the device from which the lease was activated (that is, from which the link was followed). At the end of the lease period, access will be closed.
Access Groups are groups of services. They can be from different service groups, and for different VPCs. Select an Access Group when creating a lease, to open access to all the services in the group with a single lease.
Navigate to the Dynamic Access page.
Select the check box next to the services to be grouped together, and then click SAVE AS ACCESS GROUP.
Enter a name for the group, and then click SAVE. You can choose to make the group public (accessible to other CloudGuard users) or private (accessible only to you). When Access Groups are defined, a new tab, Access Groups, appears in the Dynamic Access main page. This tab shows a list of access groups.
You can create Access Leases for services in an Access Group, similar to the way you create leases for individual services. These leases can be only be assigned to you.
Navigate to the Dynamic Access page, and select the Access Groups tab (this tab only appears if there are Access Groups defined). The tab shows a list of all the Access Groups.
Select the Access Group to be used in the lease from the list of groups on the left. The services in the group are shown on the right.
Click GET ACCESS FOR ALL n SERVICES to create a lease for yourself for the group of services. Alternatively, click and select a different lease period.
You can modify the composition of an Access Group. This will affect new leases using the group.
Navigate to the Dynamic Access page, and select the Access Groups tab.
Click the edit icon () next to the group to be modified. The Get Access tab is opened, showing the list of services. The services in the group are selected. Select or clear Access Groups from the list, to modify the composition of the group, and then click UPDATE GROUP.
Follow these instructions to install the CloudGuard extension for the Chrome browser.
Visit the Chrome web store and search for CloudGuard or go directly to Dome9 Chrome Extension.
On the extension's details page, click +ADD TO CHROME and then click Add in the dialog;
A CloudGuard icon () will appear in the browser menu bar. Click the icon to open the extension.
Use the CloudGuard Chrome extension to create a lease to yourself. The lease can only include Access Groups.
Click the CloudGuard icon () in your Chrome browser menu bar.
Select the Access Group for the lease. A lease is created (for the default duration). A message is shown to confirm this.
You can create leases for yourself using the CloudGuard mobile app. You must install the app and pair it with your CloudGuard account first (see CloudGuard (Dome9) Mobile App)