What is Prism?
CloudKeeper Prism is a multi-tenant Identity and Access Management (IAM) platform that centralizes how your organization manages users, groups, permissions, and AWS account access. Prism provides a unified interface for identity governance across your AWS environment.
The Three Portals
Prism is organized into three portals, each serving a different audience and purpose. After logging in, you select which portal to access from the Application Selection screen:
Admin Portal
The Admin Portal is the central management console for Customer Admins. From here you can:
- Create and manage users and groups
- Define permission sets with AWS managed policies or custom inline IAM policies
- Create assignments that grant users or groups access to specific AWS accounts
- Onboard and manage AWS accounts in your organization
- Configure identity providers (Google, Microsoft, or custom OIDC) for single sign-on
- Set up SCIM provisioning for automatic user and group synchronization
- Replicate your IAM Identity Center configuration to Prism
- View audit logs and access logs
- Manage API tokens and log export settings
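Custom inline IAM policies are where a permission set most often ends up broader than intended, so it is worth linting a policy document before attaching it to one. The following is an added example, not Prism code or a Prism API: a small pre-attachment check that flags the patterns a reviewer would refuse in a least-privilege permission set (wildcard actions on every resource, Allow statements written with NotAction/NotResource, and unconditioned iam:PassRole on any role). Both policy documents are constructed samples, and the function and flag names are this example's own.

```python
"""Lint a custom inline IAM policy before it is attached to a permission set.
Added example, not part of the Prism documentation or product code."""
from __future__ import annotations

import json


def _as_list(value) -> list:
    """IAM accepts either a string or a list in Action/NotAction/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_action(action: str) -> bool:
    # "*" grants every action; "service:*" grants every action in that service.
    return action == "*" or action.endswith(":*")


def lint_inline_policy(policy_json: str) -> list[str]:
    """Return findings as "<Sid or index>: <reason>" strings.

    An empty list means nothing was flagged, not that the policy is least-privilege;
    this is a coarse screen, not a full policy analysis.
    """
    doc = json.loads(policy_json)
    findings: list[str] = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        label = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{label}: Allow with NotAction/NotResource grants everything not listed")
        wild = [a for a in actions if _is_wildcard_action(a)]
        if wild and "*" in resources:
            findings.append(f"{label}: wildcard action(s) {wild} on Resource '*' is effectively full access")
        # iam:PassRole on any role lets the principal hand a more privileged role to a service.
        if "iam:passrole" in (a.lower() for a in actions) and "*" in resources and "Condition" not in stmt:
            findings.append(f"{label}: unconditioned iam:PassRole on Resource '*' enables privilege escalation")
    return findings


# Constructed sample: scoped read access to one bucket, as a permission set should look.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadReports",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    }],
})

# Constructed sample: the kind of "deploy" policy that quietly becomes admin.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DeployAnything", "Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "NotAction": ["organizations:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
})


if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_inline_policy(doc) or "no findings")
```

Run it as a gate in whatever pipeline produces your permission sets; the Deny-with-MFA statement in the bad sample is kept to show that the lint ignores Deny statements rather than crediting them against the Allow findings.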
JIT Access Portal
The JIT (Just-In-Time) Access Portal enables end users to request temporary, time-bound AWS access instead of holding standing permissions. Key features include:
- Request access to AWS accounts using standard or custom permission sets
- Track request status through the approval workflow
- View active sessions and their remaining time
- Approver dashboard for account owners and admins to review, approve, or reject requests
- Multi-level approval workflow: the account owner approves first; requests for custom permission sets then also require an admin's approval
CloudTrail
The CloudTrail portal provides a centralized interface for managing AWS CloudTrail trails across multiple accounts. Features include:
- Create trails using a guided 4-step wizard
- Manage trail configuration — event types, S3 bucket settings, account selection
- Monitor trail status across your organization
- Configure management events, data events, insight events, and network activity events
Key Concepts
| Concept | Description |
|---|---|
| Realm | An isolated tenant environment. Each customer organization has its own realm. |
| Permission Set | A collection of AWS IAM policies that define what actions a user can perform. |
| Assignment | A mapping of a user or group to a permission set on a specific AWS account. |
| Replication | The process of synchronizing your IAM Identity Center configuration to Prism. |
| JIT Access | Just-In-Time access — temporary, time-bound AWS permissions granted through an approval workflow. |
| SCIM | System for Cross-domain Identity Management — a protocol for automatic user and group provisioning. |
| Trail | An AWS CloudTrail configuration that logs API activity to an S3 bucket. |
Role Hierarchy
Prism uses a four-level role hierarchy:
| Role | Level | Description |
|---|---|---|
| Viewer | 0 | Can view resources and request JIT access |
| Approver | 1 | Can approve/reject JIT requests for owned accounts |
| SSO Admin | 2 | Full access excluding admin management |
| Admin | 3 | Full access — can manage all platform settings |
Each role inherits the permissions of all roles below it. For example, an Approver can do everything a Viewer can, plus approve requests.
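The approval workflow in the JIT Access Portal section and the role hierarchy above are really one authorization model: who may move a request forward depends on role level and, for Approvers, on account ownership, and the access that results is bounded in time. The block below is an added example, not Prism code or a Prism API, that models that workflow end to end. It assumes that SSO Admin and above can give the first approval for any account (the table says "full access"), that the second approval on custom permission set requests needs the Admin level (the page says "admins" without naming a level), and it adds a separation-of-duties check (no self-approval, no one person giving both approvals) that the page does not state. All names and the sample users, accounts and timestamps are constructed.

```python
"""Model of the JIT two-stage approval workflow and four-level role hierarchy.
Added example, not part of the Prism documentation or product code."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Levels from the Role Hierarchy table on this page; a higher level inherits
# everything below it.
ROLE_LEVEL = {"Viewer": 0, "Approver": 1, "SSO Admin": 2, "Admin": 3}


def has_role(role: str, required: str) -> bool:
    """True if `role` is at or above `required` in the hierarchy."""
    return ROLE_LEVEL[role] >= ROLE_LEVEL[required]


@dataclass
class User:
    name: str
    role: str
    owned_accounts: frozenset[str] = frozenset()  # accounts this user owns


@dataclass
class JitRequest:
    requester: str
    account_id: str
    permission_set: str
    custom_permission_set: bool   # custom sets need a second, admin-level approval
    duration: timedelta
    state: str = "PENDING_OWNER"  # PENDING_OWNER -> [PENDING_ADMIN] -> ACTIVE -> EXPIRED
    approvers: list[str] = field(default_factory=list)
    expires_at: datetime | None = None


class ApprovalError(Exception):
    pass


def approve(req: JitRequest, approver: User, now: datetime) -> str:
    """Advance `req` one approval stage and return the new state.

    Stage 1: Approver level and ownership of the account; SSO Admin and above are
    assumed to be able to approve any account. Stage 2: Admin level (assumption).
    Self-approval and one person giving both approvals are refused (added check).
    """
    if approver.name == req.requester or approver.name in req.approvers:
        raise ApprovalError("requester cannot self-approve; one person cannot give both approvals")
    if req.state == "PENDING_OWNER":
        owns = req.account_id in approver.owned_accounts
        if not has_role(approver.role, "Approver") or not (owns or has_role(approver.role, "SSO Admin")):
            raise ApprovalError(f"{approver.name} may not approve requests for account {req.account_id}")
        req.state = "PENDING_ADMIN" if req.custom_permission_set else "ACTIVE"
    elif req.state == "PENDING_ADMIN":
        if not has_role(approver.role, "Admin"):
            raise ApprovalError("custom permission set requests need an Admin as second approver")
        req.state = "ACTIVE"
    else:
        raise ApprovalError(f"request is {req.state}, not awaiting approval")
    req.approvers.append(approver.name)
    if req.state == "ACTIVE":
        req.expires_at = now + req.duration  # clock starts at final approval, not at request time
    return req.state


def session_is_active(req: JitRequest, now: datetime) -> bool:
    """Time-bound check: an ACTIVE request at or past expires_at becomes EXPIRED."""
    if req.state == "ACTIVE" and req.expires_at is not None and now >= req.expires_at:
        req.state = "EXPIRED"
    return req.state == "ACTIVE"


def demo() -> dict:
    """Walk a standard and a custom request through the workflow (constructed data)."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    owner = User("owner", "Approver", frozenset({"111111111111"}))
    admin = User("admin", "Admin")
    out: dict = {}

    std = JitRequest("dev", "111111111111", "ReadOnlyAccess", False, timedelta(hours=1))
    out["std_after_owner"] = approve(std, owner, t0)  # one approval is enough
    out["std_active_at_30m"] = session_is_active(std, t0 + timedelta(minutes=30))
    out["std_active_at_61m"] = session_is_active(std, t0 + timedelta(minutes=61))

    cust = JitRequest("dev", "111111111111", "custom-deploy", True, timedelta(hours=2))
    out["cust_after_owner"] = approve(cust, owner, t0)  # now waits for an admin
    try:
        approve(cust, owner, t0)  # same person trying to give the second approval
    except ApprovalError:
        out["owner_blocked_second_stage"] = True
    out["cust_after_admin"] = approve(cust, admin, t0)

    other = JitRequest("dev", "222222222222", "ReadOnlyAccess", False, timedelta(hours=1))
    try:
        approve(other, owner, t0)  # owner of 1111... has no say over 2222...
    except ApprovalError:
        out["owner_blocked_unowned_account"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Two details are worth carrying into any real implementation: the session clock starts at the final approval rather than at request time, so a request that sat in the queue for a day does not expire before it is usable, and the expiry check is enforced on read, so a session that was granted is still denied once its window closes even if no background job has run.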
Your organization accesses Prism through a dedicated subdomain (e.g., yourcompany.prism.cloudkeeper.com).
Next Steps
- Getting Started — Set up your organization
- Quick Start: Admin — Create your first user and assignment
- Quick Start: JIT User — Request your first JIT access
- Quick Start: CloudTrail — Create your first trail