Console Hero to IAM Zero: Learn from Temporal's Just-In-Time Journey
The most likely way your organization will be breached is through static credentials: an AWS access key, a GitHub PAT, a GCP API key. All of these are risks, and Datadog's State of Cloud Security report has called this out for years. What is the best way to prevent the leak or loss of a static credential? Never have any to lose.
This talk will cover the technical side of deploying JIT access to critical resources: eliminating every IAM user, the SCPs to apply so they stay gone, and so on. That is the easy part! But if you want to have the same fame and success (or more!) I have experienced (it won't be hard!), you will need the rest of this talk: how to get an entire organization to buy into a more complicated way of accessing the things they need to do their jobs. This is the hardest part of a JIT deployment, and one no vendor can completely solve, not least because of the "fun" edge cases that exist in each cloud's permission model.
We will discuss approvals and audits, break-glass policies and access policies, verification and secure deployment, incidents and heartbreaks. Come and learn from my mistakes, go and make some new ones, and most importantly, eliminate static credentials. The less access you have, the better.
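As an added illustration of the "SCPs to apply" and the break-glass carve-out mentioned above (this is example policy, not Temporal's or the speaker's), here is a service control policy that denies creation of new IAM users and any new long-lived IAM credential across the organization. The only principal exempted is a hypothetical `BreakGlassAdmin` role, matched by `aws:PrincipalArn` in every member account; the role name and the `Sid` prefix are assumptions for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleDenyNewStaticIamCredentials",
      "Effect": "Deny",
      "Action": [
        "iam:CreateUser",
        "iam:CreateAccessKey",
        "iam:CreateLoginProfile",
        "iam:CreateServiceSpecificCredential"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/BreakGlassAdmin"
        }
      }
    }
  ]
}
```

Three caveats a practitioner should check before relying on this. First, an SCP is a guardrail on future actions, not a cleanup: existing users and access keys are untouched until you delete them, so pair it with a credential-report sweep. Second, SCPs never apply to the organization's management account, so that account needs its own controls. Third, for an assumed-role session `aws:PrincipalArn` carries the role ARN rather than the session ARN, which is why the condition matches on the role path; every use of that role should be alerted on, since it is the one path left back to static credentials.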