Ensuring users have access to only the resources they need, aka least privilege is great. But have you considered granting users only needed access? This talk will introduce the concept of granting ‘Just-in-Time Access’. Securing an endpoint is more than patching and vulnerability management. Granting access to who, when and what also secures an endpoint. Only when a user needs to connect to a system, can access be granted. Ports such as SSH do not need to be open for the world to connect and probe. Database credentials do not need to last forever. This approach limits the damage that can be caused by an account -- privileged or otherwise -- by reducing the amount of time an attacker has to gain access to the account, as well as the time they have to move from a compromised account before losing access. The short explanation for Just-in-Time Access is providing short-term access in real time. It is a relatively new term in the industry and is another way to practice the least privileged best practice. Key Takeaways: • The benefits to Just-in-Time access for security and operations o Improved visibility o Minimize damage from compromised accounts o Operational efficiency • How SSH can be replaced with AWS SSM sessions o Direct SSH replacement o SSH reverse proxy • How Just in Time Access for database credentials can help o Example: Hashicorp Vault o Example: Akeyless • Resources for learning more

1. Introduction to Just in
Time Access
SSH and Database Credentials

2. WHOAMI
➜ Principal Security Analyst in a cool as team
➜ A security practitioner with 10 years experience (where did the time go)
➜ Pentester > blue teamer > security manager > Security Analyst > Growing towards cloud
➜ Big 4, and SMB
Linkedin
https://www.linkedin.com/in/haydnjohnson/
Twitter:
https://twitter.com/haydnjohnson

3. Outline
Just in Time Access?
The what, why and
how
How JIT benefits
Operations and
Security
Examples with:
➜ AWS SSM
Sessions
➜ Akeyless
➜ Hashicorp Vault
Resources for
learning more

4. All about Just
in Time Access

5. Just in Time access (JIT)
➜ provides short term access in real time / “as needed access”
➜ Different to providing open access
➜ It is a fundamental security best practice
➜ Also knowns as “true least privilege”

6. But securing the end point
How does this relate to securing the end point?

7. Securing the End point

8. JIT - From an Operations perspective
➜ Managing access can become complicated - very quickly
➜ Knowing when to rotate everyone’s secrets has to be tracked
➜ Different software for different systems

9. JIT - From a security perspective
Attackers are ALWAYS:
➜ searching
➜ scanning ports
➜ attempting to crack credentials
➜ are always .. doing something
Goal should be to reduce the attack surface. In this case, that means having fewer open ports, especially management ports.
- Reduce open ports
- Reduce the time a password exists (preferably a whole account)

10. SSH and Just in Time Access

11. SSH
SSH is the protocol used mostly for command-line execution
Command-line execution is at the operating system level
➜ Used to manage servers and applications
➜ Apply OS updates
➜ Connect through port 22

12. SSH Continued

13. “
What are the risks with SSH?

14. Default state for SSH
Requires:
➜ port 22 OPEN on each system
➜ SSH credentials for a user to authenticate
credentials

15. SSH issues
From an Ops perspective:
➜ Can become difficult to manage at scale
➜ User accounts and credential sprawled everywhere
From an Security perspective:
➜ Many systems exposed via port 22
➜ Credentials can be difficult to rotate or revoke
➜ Once a pair of credentials are exposed, the attacker has access to multiple systems
How to improve these limitations?

16. ➜ This ➜ Tends to become this

17. SSH - Multiple Systems

19. Hence the Bastion host
Operations teams will use a bastion host aka jump host that forwards connections.
The bastion host is a hardened machine, used only to forward connections to the hosts behind it.

20. Bastion Hosts

21. AWS SSM
Sessions

22. AWS SSM

23. AWS Systems Manager (SSM)
AWS Systems Manager (SSM) can:
➜ View & control resources on AWS
➜ View operational data
➜ Automate tasks
➜ Help maintain security and compliance
A managed node is any machine configured for Systems Manager.
➜ Systems Manager supports EC2 instances, edge devices, and on-premises servers and virtual machines (VMs)

24. AWS SSM

25. AWS SSM Agent
➜ sits on an EC2 instances, virtual machines
➜ this agent can update, manage, and configure these systems

27. Example - AWS SSM Sessions
Removes the need for port 22
Removes the need for SSH keys

28. Bastion Host SSM Session

29. AWS SSM Configuration

30. AWS SSM Requirements

32. User permissions

33. EC2 Setup

36. Lab

37. “
AWS SSM Session - Demo Time
https://youtu.be/ytg9yfRWdQQ
2min

38. References
https://docs.aws.amazon.com/systems-
manager/latest/userguide/getting-started-restrict-
access-examples.html
https://docs.aws.amazon.com/systems-
manager/latest/userguide/getting-started-restrict-
access-quickstart.html
SSM Tutorial:
https://www.youtube.com/watch?v=QvcZ9ZXTV7Q

39. Database
Credentials

40. Database credentials
Database credentials allow a user to access a database
Databases hold data:
➜ Employee information
➜ Transactions
➜ Product listings

42. Database credentials
Database credentials allow a user to access a database.
A user can have different permissions in a database:
➜ Read only
➜ CRUD - Create, Read, Update, Delete
➜ Access certain tables and not others
➜ Others

44. Credential management
➜ Ideal Situation ➜ What tends to happen

45. Why does this happen
➜ It can become unmanageable
➜ It does not scale
➜ Easier to give a user the same credentials to access all the
databases
➜ Read only group
➜ CRUD only group
➜ Admin group

46. The impact of a credential compromise

48. Akeyless

49. Akeyless in its basic form

50. Akeyless User flow
** Can be connected directly in certain databases such as MSSQL

51. “
Akeyless - Demo Time!
https://youtu.be/Dgaz0ryvigE
5min

52. https://docs.akeyless.io/
Gateway installation:
https://docs.akeyless.io/docs/install-and-configure-the-gateway
https://www.akeyless.io/pricing/
References

53. Hashicorp Vault

54. Hashicorp Vault
Hashicorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern
computing.

55. Hashicorp Vault - setup
➜ Policy
- What users can
and cannot access
within Vault (not
the DB)
➜ Role
- What user is
created on the DB
when this role is
executed
➜ Config
- Which Database
to create a user on

56. Hashicorp Vault - Roles
vault write database/roles/ROLE_A db_name=config_A
creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED
BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';"
default_ttl="1h" max_ttl="24h"

57. Hashicorp Vault - Config
vault write database/config/my-mysql-database
plugin_name=config_A
connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/"
allowed_roles="ROLE_A"
username="user"
password="password"

58. Hashicorp Vault

59. “
Hashicorp Vault Demo
https://youtu.be/aWGo8E-4s0Q

60. To Wrap up
➜ Just in Time access is another way to secure an endpoint / database
➜ There are many operation and security benefits to Just in Time access
- Just requires the forethought and setup beforehand
Linkedin
https://www.linkedin.com/in/haydnjohnson/
Twitter:
https://twitter.com/haydnjohnson
Q&A

61. References
Just-in-Time Access
What is Just-in-Time (JIT) access?
https://thycotic.com/glossary/just-in-time-access/
Understanding just-in-time (JIT) VM access
https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-overview
https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest