AWS Partner Network (APN) Blog

StrongDM’s Just-in-Time Access Is Key for Zero Trust Security in AWS

By Jason Patterson, Sr. WW Security Partner Solutions Architect – AWS
By John Martinez, Technical Evangelist – StrongDM


Cloud operations demand both speed and security in access management. Organizations must strike a balance, giving users immediate access to complete their work while maintaining robust security controls. Zero Trust forms the foundation of this approach. Unlike traditional systems that grant permanent access, Zero Trust continuously monitors and validates every user’s credentials against real-time threat data. When the system detects a security threat, it immediately cuts off access, protecting valuable resources and data. This dynamic, always-on security model represents modern cloud security in action.

StrongDM’s Just-in-Time (JIT) access and approval secures cloud resources by providing access only when it’s needed, for as long as it’s required, and under the right conditions. This approach offers security while optimizing workflows, especially for HAQM Web Services (AWS) data plane resources such as HAQM Redshift, HAQM EC2 instances, and HAQM Elastic Kubernetes Service (EKS).

Why Just-in-Time Access Matters for Zero Trust Security

The Zero Trust security model operates on the principle of trusting no user or device inherently. Every access request must be continuously verified based on several factors, such as user identity, device health, and session context. Implementing Zero Trust in AWS requires a balance between user productivity and strict access controls, a balance that StrongDM’s JIT access makes possible.

In a Zero Trust context, JIT access ensures users receive permissions exactly when they need them. Access is temporary, automatically expiring after a predefined period or when no longer in use, minimizing the risk of compromised credentials or excessive permissions.

In StrongDM, JIT access is managed through approval requests, allowing highly specific, time-bound access. StrongDM secures AWS data plane resources such as databases, servers, and Kubernetes clusters with a Zero Trust approach. As depicted in Figure 1, implementing Just-in-Time (JIT) access controls is essential for achieving a Zero Trust Access Management approach.

Figure 1 – The Secure Access Maturity Model

Key Elements of StrongDM’s Just-in-Time Access

Session Management from Endpoint to Resource

Zero Trust requires detailed insight into every interaction between users and resources. In StrongDM, every access request starts and ends with comprehensive session management, logging every session detail from the user’s endpoint to the AWS resource. This end-to-end visibility lets security teams see exactly who accessed what, when, and for how long – a fundamental requirement in Zero Trust environments. These session logs track activities across all AWS data plane resources, whether it’s SSH sessions for EC2 instances, queries to RDS databases, or commands executed in Kubernetes clusters, providing valuable data for auditing and anomaly detection.

Figure 2 – StrongDM JIT Access and Authorized Resources

Session Revocation for Real-Time Threat Response

In a Zero Trust model with continuous verification, any active session can be terminated and contained as soon as a threat is detected. StrongDM’s session revocation capabilities allow admins to revoke access immediately. If a security alert or unusual activity is detected, active sessions can be terminated automatically in real time through policy enforcement, or manually through the Admin UI. This real-time revocation adds a critical layer of control and security to AWS data plane sessions (database connections, SSH Linux sessions, Kubernetes commands, etc.), where Zero Trust principles are applied automatically to quickly contain potential breaches or suspicious behavior. Time-bound JIT sessions to those data plane resources are also terminated in real time, reducing the risk of lingering, persistent threats.

Figure 3 shows how authenticated and authorized user session data between the StrongDM client and the destination AWS control plane resource is transmitted through a secure, encrypted, protocol- and identity-aware tunnel.

Figure 3 – The StrongDM Architecture on AWS

Figure 4 demonstrates how to revoke JIT sessions before they expire.

Figure 4 – Sessions can be revoked by administrators before expiration

Right Amount of Friction with MFA and Device Trust

One core tenet of Zero Trust is to “never trust, always verify” the user, device, or application. StrongDM JIT access integrates multi-factor authentication (MFA) and device trust as core verifications, adding the right amount of friction to ensure security without hindering productivity. Using StrongDM Policy-based Access Controls (PBAC), sessions can require MFA, whether a TOTP code or a push notification, ensuring that users accessing resources are who they claim to be. This adds a continuous verification layer, a crucial element in a Zero Trust model, where user identity must be verified throughout the session rather than only at login.

StrongDM’s device trust features extend this verification, checking the security posture of the user’s endpoint itself before access is granted, and during an active session. For instance, if a device does not meet security standards, access to AWS resources is denied, reducing the risk of unauthorized access. If device posture deteriorates during a session, that session is terminated and access is revoked. This combined approach creates a minimal, intentional “speed bump” reinforcing security, aligning with Zero Trust tenets.

Comprehensive Audit Capabilities for Zero Trust Visibility and Compliance

A crucial component of Zero Trust is comprehensive visibility and accountability over all access activities. StrongDM’s audit capabilities fulfill this requirement by providing detailed logs and insights into every access request, revocation, session, and user action as seen in Figure 6.

These logs allow security teams to trace each user’s journey from request to resource, documenting every command, query, and modification made during a session. By preserving a full historical record, StrongDM’s auditing reinforces Zero Trust tenets such as continuous verification, least privilege, and incident response readiness.

Figure 5 – Comprehensive logging and auditing capabilities for all sessions
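To make the mechanics described in the preceding sections concrete, the following is an added illustration in Python of the JIT pattern itself: a grant is issued only after approval, MFA and a device-posture check; it carries an expiry; every command during the session is re-verified against expiry, posture and revocation state; an administrator or policy can revoke it early; and every decision lands in an audit trail. This is example code written for this page, not StrongDM’s code or API. The resource names, the two posture checks, the 30-minute TTL and the timestamps are all constructed assumptions.

```python
"""Toy JIT access broker with continuous verification and audit logging.

Added illustration of the JIT pattern, not StrongDM's code or API.
Resource names, posture checks and the 30-minute TTL are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Device:
    """Minimal endpoint posture; two assumed checks stand in for a real agent."""
    device_id: str
    disk_encrypted: bool
    os_patched: bool

    def compliant(self) -> bool:
        return self.disk_encrypted and self.os_patched


@dataclass
class Grant:
    user: str
    resource: str
    expires_at: datetime
    revoked: bool = False


@dataclass
class AuditEvent:
    at: datetime
    kind: str  # granted | denied | allowed | revoked | expired | blocked
    user: str
    resource: str
    detail: str = ""


class JitBroker:
    """Issues time-bound grants and re-verifies them on every use."""

    def __init__(self, ttl: timedelta = timedelta(minutes=30)):
        self.ttl = ttl
        self.grants: dict[tuple[str, str], Grant] = {}
        self.audit: list[AuditEvent] = []

    def _log(self, now: datetime, kind: str, user: str, resource: str, detail: str = "") -> None:
        self.audit.append(AuditEvent(now, kind, user, resource, detail))

    def request_access(self, user: str, resource: str, device: Device,
                       mfa_verified: bool, now: datetime, approved: bool = True) -> Optional[Grant]:
        """Approval, MFA and device posture all gate the grant; any failure is audited."""
        if not approved:
            self._log(now, "denied", user, resource, "approval missing")
            return None
        if not mfa_verified:
            self._log(now, "denied", user, resource, "MFA not satisfied")
            return None
        if not device.compliant():
            self._log(now, "denied", user, resource, f"device {device.device_id} non-compliant")
            return None
        grant = Grant(user, resource, expires_at=now + self.ttl)
        self.grants[(user, resource)] = grant
        self._log(now, "granted", user, resource, f"expires {grant.expires_at.isoformat()}")
        return grant

    def verify(self, user: str, resource: str, device: Device, now: datetime) -> bool:
        """Continuous verification: call before forwarding each command or query."""
        grant = self.grants.get((user, resource))
        if grant is None or grant.revoked:
            self._log(now, "blocked", user, resource, "no active grant")
            return False
        if now >= grant.expires_at:
            grant.revoked = True
            self._log(now, "expired", user, resource, "time-bound grant elapsed")
            return False
        if not device.compliant():
            grant.revoked = True  # posture dropped mid-session: terminate, do not wait for expiry
            self._log(now, "revoked", user, resource, "device posture deteriorated")
            return False
        self._log(now, "allowed", user, resource)
        return True

    def revoke(self, user: str, resource: str, now: datetime, reason: str) -> bool:
        """Administrator- or policy-driven revocation before the grant expires."""
        grant = self.grants.get((user, resource))
        if grant is None or grant.revoked:
            return False
        grant.revoked = True
        self._log(now, "revoked", user, resource, reason)
        return True


def run_scenario() -> list[str]:
    """Grant, posture-triggered revocation, admin revocation and expiry; returns audit kinds."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    broker = JitBroker(ttl=timedelta(minutes=30))

    alice_laptop = Device("lt-alice", disk_encrypted=True, os_patched=True)
    broker.request_access("alice", "rds-prod", alice_laptop, mfa_verified=True, now=t0)
    broker.verify("alice", "rds-prod", alice_laptop, t0 + timedelta(minutes=5))
    alice_laptop.os_patched = False  # posture drops mid-session
    broker.verify("alice", "rds-prod", alice_laptop, t0 + timedelta(minutes=10))

    bob_laptop = Device("lt-bob", disk_encrypted=True, os_patched=True)
    broker.request_access("bob", "ec2-bastion", bob_laptop, mfa_verified=False, now=t0)
    broker.request_access("bob", "ec2-bastion", bob_laptop, mfa_verified=True, now=t0)
    broker.revoke("bob", "ec2-bastion", t0 + timedelta(minutes=15), "security alert on account")
    broker.verify("bob", "ec2-bastion", bob_laptop, t0 + timedelta(minutes=16))

    carol_laptop = Device("lt-carol", disk_encrypted=True, os_patched=True)
    broker.request_access("carol", "eks-prod", carol_laptop, mfa_verified=True, now=t0)
    broker.verify("carol", "eks-prod", carol_laptop, t0 + timedelta(minutes=31))

    return [event.kind for event in broker.audit]
```

Running `run_scenario()` yields the audit sequence granted, allowed, revoked, denied, granted, revoked, blocked, granted, expired: Alice loses her session when her laptop falls out of compliance, Bob is first denied for missing MFA and then cut off by an administrator well before his 30 minutes elapse, and Carol’s grant simply expires. The design point is that `verify` is invoked on every use, not once at connect time, which is what turns a time-bound grant into continuous verification.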

Customer Success Story

As Seismic worked to consolidate and streamline its infrastructure over two years, access management was a critical hurdle. The company needed a way to enforce security policies, automate provisioning, and eliminate access bottlenecks—without introducing friction for engineers. StrongDM provided the answer, enabling Seismic to centralize access controls, enforce least-privileged access dynamically, and gain real-time visibility into access events.

With StrongDM’s JIT access solution and AWS IAM integration, Seismic automated access, dynamically provisioning it only as needed and eliminating persistent credentials and standing privileges. Before StrongDM, engineers often waited days for access to essential resources. With StrongDM’s automated access workflows, provisioning now happens in minutes, dramatically reducing downtime and manual overhead. StrongDM’s contextual access policies based on AWS Cedar, device trust verification, and complete audit logs helped Seismic meet stringent security requirements while maintaining operational agility.

With StrongDM, Seismic didn’t just integrate access management into its cloud strategy—it turned access into a competitive advantage. By eliminating friction and improving security simultaneously, StrongDM empowered Seismic’s teams to move faster while keeping access secure.

“Getting us to a place where we could have Just-in-Time, Least Privileged Access [made all the difference], we really couldn’t do it without a solution like StrongDM.” – Tom Wojtalewicz, Senior Manager Site Reliability Engineering, Seismic

Seismic’s journey with StrongDM and AWS highlights how modern cloud organizations can scale securely, automate access management, and ensure teams stay productive, all while meeting the highest security and compliance standards.

Conclusion

Zero Trust models must implement rigorous security without slowing productivity. StrongDM’s Just-in-Time access model addresses this challenge by delivering targeted, time-bound access under secure, controlled conditions when it is needed. By granting access only as necessary and verifying every session, StrongDM ensures adherence to Zero Trust principles while empowering users to work efficiently.

In AWS environments where teams manage resources like HAQM Redshift databases, HAQM EC2 instances, and HAQM Elastic Kubernetes Service clusters, StrongDM’s JIT access balances security and usability. It integrates security checks into the access experience, providing access only for the duration required and under precise conditions, ensuring secure, streamlined cloud operations.

See Zero Trust PAM in action with a demo of StrongDM.


StrongDM – AWS Partner Spotlight

StrongDM is an AWS Validated Technology Partner delivering a Zero Trust Privileged Access Management (PAM) platform built for today’s modern infrastructure. Designed to support the way teams work, StrongDM gives engineers and admins frustration-free, secure access to the critical systems they need without bottlenecks, brittle policies, or outdated tools. StrongDM simplifies least privilege enforcement, continuous compliance, and team productivity across all systems, from AWS to legacy, on your terms.
