Files
Anthropic-Cybersecurity-Skills/skills/implementing-just-in-time-access-provisioning/SKILL.md
T
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-01 12:13:29 +02:00

133 lines
5.0 KiB
Markdown

---
name: implementing-just-in-time-access-provisioning
description: Implement Just-In-Time (JIT) access provisioning to eliminate standing
privileges by granting temporary, time-bound access only when needed. This skill
covers JIT architecture design, approval workflo
domain: cybersecurity
subdomain: identity-access-management
tags:
- iam
- identity
- access-control
- jit
- provisioning
- zero-trust
- least-privilege
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.AA-01
- PR.AA-02
- PR.AA-05
- PR.AA-06
mitre_attack:
- T1078
- T1110
- T1556
- T1098
---
# Implementing Just-In-Time Access Provisioning
## Overview
Implement Just-In-Time (JIT) access provisioning to eliminate standing privileges by granting temporary, time-bound access only when needed. This skill covers JIT architecture design, approval workflows, automatic expiration, integration with PAM and IGA platforms, and alignment with zero trust principles.
## When to Use
- When deploying or configuring implementing just in time access provisioning capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with identity access management concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Design JIT access request and approval workflows
- Implement time-bound access grants with automatic expiration
- Configure risk-based approval routing (auto-approve low-risk, multi-approval for high-risk)
- Integrate JIT with PAM for privileged access elevation
- Monitor and audit all JIT access grants and usage
- Reduce attack surface by eliminating standing privileges
## Key Concepts
### JIT Access Models
1. **Broker and Remove**: Grant access through approval, auto-remove after time window
2. **Elevation on Demand**: User has base access, elevates to privileged upon request
3. **Account Creation/Deletion**: Temporary account created, destroyed after use
4. **Group Membership Toggle**: Add to privileged group temporarily, auto-remove
### Zero Standing Privilege (ZSP) Principle
- No user has permanent privileged access
- All privileged access requires explicit request with business justification
- Access automatically expires after defined time window
- All access events logged and auditable
## Workflow
### Step 1: Identify Eligible Access Types
- Privileged admin access (domain admin, root, DBA)
- Production environment access
- Sensitive data access (PII, financial, healthcare)
- Emergency/break-glass access
- Third-party vendor access
### Step 2: Design Approval Workflows
- Self-service request portal with justification requirement
- Auto-approve for pre-authorized low-risk access (< 1 hour)
- Single approver for medium-risk (manager or resource owner)
- Dual approval for high-risk (manager + security team)
- Emergency bypass with post-facto review
### Step 3: Implement Time-Bound Access
- Configure maximum access duration per resource type
- Implement countdown timer with extension request capability
- Auto-revoke at expiration regardless of session state
- Grace period notification (15 min before expiry)
- Automatic session termination on access expiry
### Step 4: Integration Architecture
- Connect to IAM/IGA platform for provisioning/de-provisioning
- Integrate with PAM for privileged credential checkout
- Connect to ITSM for ticket correlation
- Forward events to SIEM for monitoring
- API integration for programmatic access requests
### Step 5: Monitoring and Compliance
- Log all JIT requests, approvals, grants, and revocations
- Alert on access used beyond approved scope
- Track access not used (request but never connected)
- Measure mean time to access (request to grant)
- Report on access patterns for baseline optimization
## Security Controls
| Control | NIST 800-53 | Description |
|---------|-------------|-------------|
| Temporary Access | AC-2(2) | Automated temporary account management |
| Least Privilege | AC-6 | Time-bound minimum access |
| Access Enforcement | AC-3 | Automated access grant/revoke |
| Audit | AU-3 | Complete JIT access audit trail |
| Risk Assessment | RA-3 | Risk-based approval routing |
## Common Pitfalls
- Setting time windows too long, negating JIT benefits
- Not implementing automatic revocation at expiration
- Complex approval workflows causing access delays for legitimate needs
- Not providing emergency bypass for critical incidents
- Failing to audit approved but unused JIT access
## Verification
- [ ] JIT request workflow functional end-to-end
- [ ] Access automatically revoked at expiration
- [ ] Approval routing correct for all risk levels
- [ ] Emergency access bypass works with post-review
- [ ] All JIT events logged to SIEM
- [ ] Standing privileges reduced by measurable percentage
- [ ] Mean time to access meets business SLA