Approver Guide
If you are an account owner, SSO Admin, or Admin in Prism, you have the ability to review and act on JIT access requests. This guide covers everything you need to know about your responsibilities as an approver and how to use the approver tools in the JIT Portal.
Who Is an Approver?
Approvers are users who can approve JIT Requests for the accounts they own. To become an approver for a specific AWS account, you must be designated as a JIT owner of that account by an administrator. Account ownership is managed in the Admin Portal.
Approver Navigation
When you have an Approver-level role or above, additional items appear in the sidebar below a divider:
| Menu Item | Description |
|---|---|
| Pending Approvals | Requests waiting for your review, with a badge showing the count |
| Request History | Complete history of all requests with status filtering |
| Manage Sessions | Active sessions you can monitor and revoke |
| Owned Accounts | AWS accounts you own, with request and session counts |
The Pending Approvals badge in the sidebar updates in real time. A red badge with a number indicates there are requests waiting for your action.
Approver Responsibilities
As an approver, you are responsible for:
Reviewing Requests Promptly
Requests have an approval window. If not acted upon in time, they expire and the requester must resubmit. Check your pending approvals regularly to avoid unnecessary delays.
Evaluating Business Justification
For every request, assess whether:
- The requester has a legitimate need for the requested access
- The target AWS account is appropriate for the stated task
- The requested duration is reasonable for the work described
Validating Custom Permissions
For custom permission set requests, you also need to evaluate:
- Whether the selected AWS managed policies are appropriate and follow least privilege
- Whether any inline policies are scoped correctly (specific actions and resources rather than wildcards)
- Whether the custom permissions could be replaced by an existing standard permission set
Managing Active Sessions
Monitor sessions for accounts you own. If a session is no longer needed or a security concern arises, you can revoke it immediately.
Approval Workflow Overview
Standard Permission Sets
Standard requests require a single approval. Any account owner, SSO Admin, or Admin can approve or reject.
Request (Pending) → Approve or Reject → Session Created (if approved)
Custom Permission Sets
Custom requests require two approvals: first from an account owner, then from an SSO Admin.
Request (Pending Owner) → Owner Approve → (Pending Admin) → Admin Approve → Session Created
A rejection at either stage (Owner Reject or Admin Reject) ends the request without creating a session.
Pending Approvals
The Pending Approvals page is your primary approval queue. It shows all JIT access requests that are waiting for your review. This is typically the first page you should check when you log in as an approver.
Accessing Pending Approvals
Click Pending Approvals in the approver section of the sidebar. The sidebar badge shows the number of requests currently awaiting your action.
Viewing Request Details
Click View Details on any request to open a dialog with comprehensive information:
- Requester -- Name and email of the person requesting access
- AWS Account -- Account name and ID
- Permission Set -- Name and type (standard or custom)
- Duration -- Requested access duration
- Justification -- The requester's explanation for why they need access
- Requested At -- Exact submission timestamp
For custom permission set requests, the details also include:
- Permission Set Name -- The custom name (with JIT- prefix)
- Session Duration -- The configured IAM session duration
- AWS Managed Policies -- List of selected managed policies
- Inline Policy -- The full JSON inline policy (if provided)
For custom permission set requests, carefully review the managed policies and inline policy JSON before approving. Verify that the permissions are scoped appropriately for the stated justification.
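The checks listed under Validating Custom Permissions and repeated here (wildcard actions and resources, privilege-escalation-capable actions, broad managed policies that a standard permission set might cover) can be applied mechanically before a human reads the justification. The script below is an added example and is not part of the JIT Portal; the sample inline policy is constructed for illustration, and the severity levels, the `ESCALATION_ACTIONS` list and the `BROAD_MANAGED_POLICIES` list are this example's own assumptions, not portal configuration.

```python
"""Static review of the inline policy JSON and managed policy list on a
custom permission set request. Added example; the policy below is
constructed and the severity convention is this script's own."""
import json

# Actions that can be used to escalate privileges; flagged even when the
# resource is scoped. Assumed list for the example, not exhaustive.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
}

# Managed policies whose presence should prompt the question "could an
# existing standard permission set cover this?" (assumed list).
BROAD_MANAGED_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
}

SEVERITY_ORDER = {"medium": 1, "high": 2, "critical": 3}

# Constructed sample inline policy as it would appear in the details dialog.
SAMPLE_INLINE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a single string/object or a list in Statement, Action and
    Resource; normalise everything to a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def review_inline_policy(policy_json):
    """Return findings as (severity, statement_index, message) tuples.
    Only Allow statements are examined; Deny statements can only narrow access."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(("high", idx, "NotAction/NotResource allows everything except the listed items"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(("critical", idx, "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append(("high", idx, f"service-wide wildcard action {action}"))
            elif "*" in action:
                findings.append(("medium", idx, f"partial wildcard action {action}"))
            if action in ESCALATION_ACTIONS:
                findings.append(("high", idx, f"privilege-escalation capable action {action}"))
        # Resource "*" is unavoidable for actions without resource-level support,
        # so it is raised for review rather than treated as an automatic reject;
        # a Condition block is taken as evidence the requester scoped it deliberately.
        if "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt:
            findings.append(("high", idx, "Resource '*' without a Condition; confirm account-wide scope is needed"))
    return findings


def review_managed_policies(policy_arns):
    """Flag managed policies broad enough that a standard permission set is the better fit."""
    return [("high", arn, "broad managed policy; consider a standard permission set")
            for arn in policy_arns if arn in BROAD_MANAGED_POLICIES]


def highest_severity(findings):
    """Worst severity present, or None when there are no findings."""
    return max((f[0] for f in findings), key=SEVERITY_ORDER.get, default=None)


if __name__ == "__main__":
    for severity, where, message in review_inline_policy(SAMPLE_INLINE_POLICY):
        print(f"[{severity}] statement {where}: {message}")
    for severity, where, message in review_managed_policies(
            ["arn:aws:iam::aws:policy/ReadOnlyAccess", "arn:aws:iam::aws:policy/AdministratorAccess"]):
        print(f"[{severity}] {where}: {message}")
```

On the sample policy the script flags the service-wide `s3:*`, the partial `ec2:Describe*`, the unconditioned `Resource: "*"` on that statement, and the `iam:PassRole` grant; the scoped S3 statement and the Deny statement produce nothing. A finding is a prompt to compare the permission against the justification, not a verdict: `iam:PassRole` restricted to the Lambda service may be exactly what a deployment task needs.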
Request History
The Request History page provides a comprehensive view of all JIT access requests across the accounts you manage. Unlike the Pending Approvals section (which only shows requests awaiting action), Request History shows requests in all statuses, giving you a complete audit trail.
Use the status filter to quickly find specific types of requests. For example, filtering by Rejected helps you see patterns in what kinds of requests are being denied, which can inform team guidance or policy changes.
Request Table
The Request History table displays the same columns as the Pending Approvals table:
| Column | Description |
|---|---|
| Requester | The name of the user who submitted the request |
| Account | The target AWS account name |
| Permission Set | The permission set requested |
| Status | The current status of the request (color-coded badge) |
| Duration | The requested access duration |
| Requested | The date and time the request was submitted |
| Actions | Available actions (primarily View Details) |
Viewing Request Details
Click View Details on any request to open the details dialog. The dialog shows:
- Status -- Current status with badge
- Requester -- Name and email
- AWS Account -- Account name and ID
- Permission Set -- Name and type
- Duration -- Requested access duration
- Justification -- The requester's reason
- Requested At -- Submission timestamp
- Reviewed By -- Name of the approver(s) who acted on the request
- Reviewed At -- Timestamp of the review
- Reviewer Comment -- Any comment provided by the approver
For custom permission set requests, additional details include the custom policies, managed policy list, and inline policy JSON.
For custom permission set requests that went through both approval stages, you may see review information for both the owner approval and the admin approval.
Use Cases for Request History
Auditing
Request History serves as an audit trail. You can:
- Review who requested access to which accounts and when
- See which approvers approved or rejected requests
- Verify that appropriate justifications were provided
- Track patterns of access across your accounts
Identifying Trends
By reviewing historical requests, you can identify:
- Frequently requested accounts -- May benefit from a standard permission set to streamline future requests
- Common rejection reasons -- Indicates areas where user guidance or training could help
- Expired requests -- Suggests approval response times may need improvement
Compliance
For compliance audits, the Request History provides a complete record of:
- Every access request made to your accounts
- The approval or rejection decision and who made it
- The justification provided for each request
- The duration of access granted
Manage Sessions
The Manage Sessions page allows approvers to view and manage all active JIT sessions for the AWS accounts they own. Unlike the user-facing Active Sessions page (which shows only your own sessions), this page shows sessions belonging to all users who have been granted access to your accounts.
Accessing Manage Sessions
Click Manage Sessions in the approver section of the sidebar.
Sessions Table
The table displays all active sessions for accounts you own:
| Column | Description |
|---|---|
| User | The name of the user who has the active session |
| Account | The AWS account the session grants access to |
| Permission Set | The permission set used for the session |
| Granted At | The date and time the session was created |
| Time Remaining | A progress bar showing remaining access time |
| Status | The current session status |
| Actions | Available management actions |
Revoking a Session
As an approver, you can revoke any active session for accounts you own. This immediately terminates the user's access to the AWS account.
When to Revoke
Consider revoking a session when:
- Security incident -- A compromised credential or suspicious activity requires immediate access removal
- User error -- The user requested more access than they need and has not self-revoked
- Task completion -- You know the user's task is complete and they no longer need access
- Policy change -- Organizational policy changes require immediate access revocation
- Personnel change -- The user's role has changed and access is no longer appropriate
Steps to Revoke
- Find the session in the Manage Sessions table.
- Click the Revoke action button in the Actions column.
- A confirmation dialog appears showing:
  - A warning that revoking the session will immediately remove the user's access
  - Session details: user name, AWS account, permission set, and time remaining
  - An optional Reason field to document why you are revoking the session
- Optionally enter a reason for the revocation (recommended for audit purposes).
- Click Confirm Revoke.
Revoking a session is immediate and irreversible. The user's access is removed as soon as you confirm.
Always provide a revocation reason. This creates an audit trail that explains why access was terminated early, which is valuable for compliance and for the affected user's understanding.
After Revocation
- The session status changes to Revoked.
- The user can see the revoked status on their Active Sessions page.
- The revocation is recorded in Request History.
Monitoring Best Practices
Regular Reviews
Check the Manage Sessions page periodically to:
- Verify that active sessions align with known work activities
- Identify long-running sessions that may no longer be needed
- Spot any unusual patterns (e.g., access during off-hours)
Proactive Communication
If you notice a session that seems unnecessary:
- Consider reaching out to the user before revoking to confirm whether they still need access
- If there is no security urgency, a quick message can avoid disrupting active work
Session Count Monitoring
Use the Owned Accounts section to see aggregate session counts per account. A high number of active sessions on a single account may indicate a need for a broader standard permission set or a group-based assignment.
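The regular-review and session-count checks above are easy to run over the Sessions table rather than by eye. The script below is an added example, not portal code: it assumes the table has been exported as rows with the User, Account, Permission Set, Granted At and Status columns (the portal documents no export format, so the row layout, the reference time `NOW`, the business-hours window and the thresholds are all assumptions here), and the rows are constructed sample data.

```python
"""Triage of exported Manage Sessions rows: off-hours grants, long-running
sessions, time remaining and per-account session counts. Added example;
the rows, NOW and the thresholds are assumptions for illustration."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample rows (not real data). 2024-03-12 is a Tuesday,
# 2024-03-09 a Saturday.
SESSIONS = [
    {"user": "alice", "account": "Production", "permission_set": "ReadOnly",
     "granted_at": "2024-03-12T09:15:00+00:00", "duration_hours": 4, "status": "active"},
    {"user": "bob", "account": "Production", "permission_set": "JIT-deploy-fix",
     "granted_at": "2024-03-12T02:40:00+00:00", "duration_hours": 8, "status": "active"},
    {"user": "carol", "account": "Staging", "permission_set": "PowerUser",
     "granted_at": "2024-03-09T14:00:00+00:00", "duration_hours": 72, "status": "active"},
    {"user": "dave", "account": "Production", "permission_set": "ReadOnly",
     "granted_at": "2024-03-12T10:00:00+00:00", "duration_hours": 2, "status": "revoked"},
]

# Reference "current time" for the example; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 3, 12, 11, 0, tzinfo=timezone.utc)


def granted_at(session):
    """Parse the ISO 8601 Granted At value into a timezone-aware datetime."""
    return datetime.fromisoformat(session["granted_at"])


def active(sessions):
    """Only sessions still in the active state matter for revocation decisions."""
    return [s for s in sessions if s["status"] == "active"]


def off_hours_grants(sessions, start_hour=8, end_hour=18):
    """Users whose active session was granted on a weekend or outside
    start_hour..end_hour UTC (the window is an assumed business-hours policy)."""
    flagged = []
    for s in active(sessions):
        t = granted_at(s).astimezone(timezone.utc)
        if t.weekday() >= 5 or not (start_hour <= t.hour < end_hour):
            flagged.append(s["user"])
    return flagged


def long_running(sessions, now=NOW, max_hours=24):
    """Users whose active session has been open longer than max_hours."""
    limit = timedelta(hours=max_hours)
    return [s["user"] for s in active(sessions) if now - granted_at(s) > limit]


def time_remaining_hours(session, now=NOW):
    """Hours left before the session expires on its own (0 if not active)."""
    if session["status"] != "active":
        return 0.0
    expires = granted_at(session) + timedelta(hours=session["duration_hours"])
    return max((expires - now).total_seconds() / 3600, 0.0)


def active_per_account(sessions):
    """Active session count per account, as on the Owned Accounts page."""
    return Counter(s["account"] for s in active(sessions))


def busy_accounts(sessions, threshold=2):
    """Accounts at or above threshold active sessions; candidates for a
    standard permission set or group-based assignment."""
    return sorted(a for a, n in active_per_account(sessions).items() if n >= threshold)


if __name__ == "__main__":
    print("off-hours grants:", off_hours_grants(SESSIONS))
    print("open longer than 24h:", long_running(SESSIONS))
    for s in active(SESSIONS):
        print(f"{s['user']} on {s['account']}: {time_remaining_hours(s):.2f}h remaining")
    print("busy accounts:", busy_accounts(SESSIONS))
```

With the sample rows, bob (granted at 02:40 UTC) and carol (granted on a Saturday) are flagged as off-hours, carol is the only session open longer than 24 hours, and Production is the only account with two or more active sessions. As the Proactive Communication guidance above says, a flag is a reason to ask the user before revoking, not a reason to revoke on its own.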
Owned Accounts
The Owned Accounts page provides a centralized view of all AWS accounts for which you are a designated owner. As an account owner, you are responsible for reviewing JIT access requests targeting these accounts and managing active sessions.
Searching Accounts
Use the search bar at the top of the page to filter accounts. You can search by:
- Account name -- The friendly name assigned to the account (e.g., "Production", "Staging")
- Account ID -- The 12-digit AWS account identifier
- Owner name -- The name of any owner associated with the account
The search filters the table in real time as you type.
Accounts Table
The table displays all accounts you own with the following columns:
| Column | Description |
|---|---|
| Account | The friendly name of the AWS account |
| Account ID | The 12-digit AWS account identifier |
| Owners | All designated owners of the account, displayed as chips |
| Pending | The number of JIT requests currently pending approval for this account |
| Active | The number of currently active JIT sessions on this account |