Request Access
The Request Access page is where you submit a new JIT access request to gain temporary permissions on an AWS account. You can choose between a standard permission set (pre-defined by your administrator) or a custom permission set (defined by you at request time).
Before You Begin
- You must be authenticated to the JIT Portal
- You need to know which AWS account you require access to
- You should have a clear justification for why you need access (required field, minimum 10 characters)
Opening the Request Form
- Click Request Access in the sidebar navigation, or
- Click the Request Access quick action on the Dashboard
Request Form Fields
AWS Account
Select the target AWS account from the autocomplete dropdown. You can type to search by account name or account ID. The dropdown displays all accounts available to your organization.
If you do not see the account you need, contact your administrator. The account may not yet be onboarded to Prism, or you may not have visibility into it.
Permission Set Type
A toggle controls whether you are requesting a standard or custom permission set:
| Mode | Toggle State | Description |
|---|---|---|
| Standard | Off (default) | Select from pre-defined permission sets configured by your administrator |
| Custom | On ("Create custom permission set") | Define a new permission set with your own policy selections |
See Standard Permission Set and Custom Permission Set below for detailed instructions on each mode.
Access Duration
Choose how long you need access. Available options:
| Duration | Description |
|---|---|
| 1 hour | Shortest available window |
| 2 hours | Short task |
| 4 hours | Half-day session |
| 8 hours | Full work day |
| 12 hours | Extended session |
| 1 day | 24-hour access |
| 2 days | Multi-day access |
| 3 days | Multi-day access |
| 1 week | Sprint-length access |
| 2 weeks | Extended project access |
| 1 month | Longest available window |
Request the shortest duration that meets your needs. Longer durations may face greater scrutiny from approvers and take longer to be approved. You can always submit a new request if you need additional time.
Justification
A free-text field where you explain why you need this access. This field is required and must contain at least 10 characters.
Good justifications include:
- The specific task you need to perform (e.g., "Investigating elevated error rates in the payment service CloudWatch logs")
- A reference to a ticket or incident (e.g., "JIRA-1234: Deploying hotfix for authentication timeout")
- The business context for the request
A clear, specific justification helps approvers make faster decisions. Vague justifications like "need access" or "testing" may be questioned or rejected.
Submitting the Request
After filling in all required fields, click Submit Request. On success:
- A confirmation dialog appears showing that your request was submitted.
- The dialog displays the list of approvers who can review your request, including their email addresses.
- The request appears in your My Requests list with a pending status.
Standard Permission Set
A standard permission set is a pre-defined collection of AWS IAM policies configured by your organization's administrator. When you request access using a standard permission set, you are selecting from an existing, vetted set of permissions rather than defining your own.
When to Use Standard Permission Sets
Use a standard permission set when:
- Your organization has pre-configured permission sets that match your needs (e.g., "ReadOnly", "DeveloperAccess", "DatabaseAdmin")
- You need a common set of permissions that has already been approved for use
- You want a faster approval process (single-step approval rather than two-step)
Step-by-Step Instructions
- In the AWS Account field, type to search for the target account by name or ID. Select the account from the autocomplete dropdown.
- Ensure the "Create custom permission set" toggle is in the off position (this is the default). The form will display the standard permission set selector.
- Click the Permission Set dropdown to browse available permission sets. Each permission set in the list displays:
  - Permission set name -- The human-readable name (e.g., "ReadOnlyAccess", "PowerUserAccess")
  - Policy badges -- Visual indicators showing the types of policies attached:
    - Managed badge -- Indicates the permission set includes one or more AWS managed policies
    - Inline badge -- Indicates the permission set includes a custom inline IAM policy
- Choose how long you need access from the duration dropdown. Options range from 1 hour to 1 month.
- Enter a clear explanation of why you need this access. The justification must be at least 10 characters long.
- Click Submit Request. A confirmation dialog appears showing a success message and the list of approvers.
If you are unsure which permission set to choose, consult your administrator or check your organization's access policy documentation. Choosing the most restrictive permission set that still allows you to complete your task follows the principle of least privilege.
Approval Process
Standard permission set requests follow a single-step approval process:
- Your request is placed in the approval queue for the account's owners and SSO admins.
- Any one of these approvers can approve or reject the request.
- Once approved, your session is created automatically.
You do not need to take any additional action after submitting. The approver will be notified through the Pending Approvals queue. You will see the status update on your My Requests page.
Custom Permission Set
A custom permission set allows you to define your own set of AWS IAM policies at request time, rather than selecting from pre-defined options. This is useful when existing standard permission sets do not cover the specific permissions you need for your task.
Custom permission set requests require two-level approval -- first from an account owner, then from an SSO admin. This means they typically take longer to be approved than standard permission set requests. Use standard permission sets when possible.
When to Use Custom Permission Sets
Use a custom permission set when:
- No existing standard permission set provides the specific permissions you need
- You need a unique combination of managed and inline policies for a one-off task
- You need to define fine-grained IAM policies tailored to a specific operation
Step-by-Step Instructions
- In the AWS Account field, type to search for the target account by name or ID. Select the account from the autocomplete dropdown.
- Turn on the "Create custom permission set" toggle. The form expands to show the custom permission set configuration fields.
- Enter a Permission Set Name. The name will be automatically prefixed with JIT- (e.g., entering "S3ReadAccess" creates JIT-S3ReadAccess).
- Set the Session Duration for the IAM Identity Center session. This controls how long each individual console/CLI session lasts within your overall access window. Available values range from 1 hour to 12 hours.
- Add AWS Managed Policies by browsing or searching the full catalog. You can search by policy name (e.g., typing "S3" shows policies like AmazonS3ReadOnlyAccess, AmazonS3FullAccess) and add multiple policies.
- Optionally, add an Inline Policy in JSON using the built-in editor. The editor provides real-time validation with errors, warnings, and suggestions.
- Choose how long you need access from the duration dropdown. Options range from 1 hour to 1 month.
- Enter a clear explanation of why you need this access and why existing standard permission sets are not sufficient. The justification must be at least 10 characters long.
- Click Submit Request. A confirmation dialog appears showing a success message and the list of approvers.
Session duration is different from access duration. Access duration controls how long you can initiate new sessions to the AWS account. Session duration controls how long each individual login session lasts. For example, with a 1-day access duration and a 4-hour session duration, you can log in multiple times over the day, but each login session will end after 4 hours.
Use a descriptive permission set name that reflects the purpose of the permissions. This helps approvers quickly understand what the permission set is intended for.
Inline Policy Example
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
```
Inline policies with broad permissions (e.g., "Action": "*" or "Resource": "*") are more likely to be rejected by approvers. Define the most specific actions and resources possible.
Two-Level Approval Process
Custom permission set requests go through a two-stage approval process:
Stage 1: Owner Approval
- Your request enters Pending Owner status.
- The owners of the target AWS account review the request.
- An owner can approve (moving the request to the next stage) or reject (ending the process).
Stage 2: Admin Approval
- After owner approval, the request moves to Pending Admin status.
- An SSO Admin reviews the request, including the custom policies you defined.
- The SSO Admin can approve (creating the session) or reject (ending the process).
The two-stage process exists because custom permission sets have not been vetted in advance by administrators. The account owner validates the business need, and the SSO admin validates the technical permissions.
Next Steps
- My Requests -- Tracking your request after submission