Intro: Permissions Firewall


© 2025 Sonrai Security. All rights reserved.
Overview
At a high level, Sonrai's Cloud Permissions Firewall produces recommended changes to service access and privileged permissions as a template that you review and deploy within your own cloud.
With Sonrai's Cloud Permissions Firewall, you gain:
- Immediate visibility: into every service and permission used in your running cloud, and into those that are unused or sparsely used
- Centralized control: to enable or disable services and restrict privileged permissions, preventing their misuse in any of your accounts
Managing Services and Privileged Permissions
How do I generate the template of recommended/desired changes?
- Determine the scope for the changes.
- Determine the service action:
  - make an identity exemption for privileged permissions usage (e.g. break-glass accounts, deployment identities)
  - protect a service
  - disable a service
- Once the service action is complete, your changes move to the 'pending changes' page for review.
- Review the CloudFormation template and deploy it to your cloud.
Sonrai does not perform any service-related changes in your cloud on your behalf: your journey through the Cloud Permissions Firewall UI, end to end, produces a template of changes that you review and deploy once you are ready.
Best Practices - SCP Space Optimization
Total SCPs
On average, customers use approximately 30 AWS services per account, which is well within the maximum number of Cloud Permissions Firewall protections you can implement (roughly 50). The ceiling exists because protections are expressed as SCP statements, and AWS caps each SCP document at 5,120 characters and allows at most five SCPs to be attached directly to any root, OU or account.
Organization-wide Exemptions
Exemptions scoped organization-wide take up additional space in your SCPs for every protection they apply to, so it is best practice to limit them to what is strictly necessary.
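To make the protect, disable and exempt actions from the procedure above, and the SCP-space point in this section, concrete, here is an added Python example. It is not Sonrai's code and not the template the product generates; the service names, the lists of actions treated as privileged, the role ARNs and the 5,120-character figure (the AWS Organizations quota for one SCP document) are the example's own assumptions. It builds the kind of Deny statements such protections compile to, exempts break-glass and deployment roles through the `aws:PrincipalArn` condition key, and measures the resulting SCP against the quota, showing why an exemption applied organization-wide costs more space than one scoped to a single service.

```python
import json

# AWS Organizations quota for one SCP document (5,120 characters). A CloudFormation
# deployment goes through the API, where whitespace may count toward the quota, so
# the report measures the minified JSON: the smallest the stored policy can be.
SCP_MAX_BYTES = 5120


def protection_statement(service_prefix, privileged_actions=None, exempt_principal_arns=()):
    """Build one SCP Deny statement for a service.

    Disable (privileged_actions is None): deny every action of the service, no exemptions.
    Protect: deny only the listed privileged actions, unless the calling principal is an
    exempt identity such as a break-glass or deployment role.
    """
    if privileged_actions is None:
        return {
            "Sid": "Disable" + service_prefix.capitalize(),
            "Effect": "Deny",
            "Action": service_prefix + ":*",
            "Resource": "*",
        }
    # Guard against a typo that would silently protect the wrong service.
    bad = [a for a in privileged_actions if not a.startswith(service_prefix + ":")]
    if bad:
        raise ValueError("actions outside %s: %s" % (service_prefix, bad))
    stmt = {
        "Sid": "Protect" + service_prefix.capitalize(),
        "Effect": "Deny",
        "Action": sorted(privileged_actions),
        "Resource": "*",
    }
    if exempt_principal_arns:
        # For a role session aws:PrincipalArn resolves to the role's own ARN, so
        # exempting a role ARN exempts every session assumed from that role.
        stmt["Condition"] = {
            "ArnNotLike": {"aws:PrincipalArn": sorted(exempt_principal_arns)}
        }
    return stmt


def build_scp(statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


def scp_size_report(policy):
    """Minified document size versus the quota, plus the statement count."""
    body = json.dumps(policy, separators=(",", ":"))
    size = len(body.encode("utf-8"))
    return {"bytes": size, "statements": len(policy["Statement"]), "fits": size <= SCP_MAX_BYTES}


# Constructed sample data (assumption): which actions count as privileged is the
# product's classification; these are illustrative picks.
SAMPLE_PRIVILEGED = {
    "iam": ["iam:CreateUser", "iam:CreateAccessKey", "iam:AttachUserPolicy", "iam:PutRolePolicy"],
    "kms": ["kms:ScheduleKeyDeletion", "kms:DisableKey", "kms:PutKeyPolicy"],
    "ec2": ["ec2:ModifyInstanceAttribute", "ec2:AuthorizeSecurityGroupIngress"],
    "s3": ["s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:DeleteBucket"],
}
BREAK_GLASS = ["arn:aws:iam::111111111111:role/BreakGlass"]        # constructed ARN
DEPLOYER = ["arn:aws:iam::111111111111:role/TerraformDeployer"]     # constructed ARN


def compare_exemption_scopes():
    """Same protections twice: the deployer exemption scoped to IAM only, then the
    same exemption organization-wide (carried by every protected service)."""
    scoped = build_scp(
        [protection_statement(svc, acts, BREAK_GLASS + DEPLOYER if svc == "iam" else BREAK_GLASS)
         for svc, acts in SAMPLE_PRIVILEGED.items()]
        + [protection_statement("lightsail")]          # an unused service, disabled outright
    )
    org_wide = build_scp(
        [protection_statement(svc, acts, BREAK_GLASS + DEPLOYER)
         for svc, acts in SAMPLE_PRIVILEGED.items()]
        + [protection_statement("lightsail")]
    )
    return scp_size_report(scoped), scp_size_report(org_wide)


if __name__ == "__main__":
    scoped_report, org_wide_report = compare_exemption_scopes()
    print("scoped exemption:  ", scoped_report)
    print("org-wide exemption:", org_wide_report)
    print(json.dumps(build_scp([protection_statement("kms", SAMPLE_PRIVILEGED["kms"], BREAK_GLASS)]), indent=2))
```

Running it prints the two size reports and one rendered statement. The organization-wide variant is larger by the deployer ARN once for every protected service, which is the cost the best practice above refers to; with many services and several org-wide exemptions that per-statement overhead is what pushes a policy toward the quota. The `fits` flag is a lower bound, since the minified form is the smallest the document can be stored as.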
Permissions on Demand
Once service protections are in place, users within your organization can submit Permissions on Demand requests for the ability to use privileged permissions.
Permissions on Demand is a permissions-granting workflow that reduces the volume of requests to internal staff (e.g. DevOps, CloudOps) by focusing on access to privileged permissions.
Traditional just-in-time (JIT) products focus on granting and revoking permissions from identities on an 'as needed' basis. Permissions on Demand (POD) instead focuses on the gap between permissions assigned and permissions actually in use, pinpointing the cases where privileged permissions are involved.
Delegation and Collaboration FAQ
Do Permissions on Demand Approvers have delegated access?
Yes!
Once you assign a Permissions on Demand Approver at a scope, they can approve or deny the privileged service permission requests submitted by your users. Approvers do NOT require any permissions assignment within your cloud to do this; they are simply the gate between your users and privileged permissions for services those users already have access to.
Can Service level changes be delegated to Org Admins?
Yes!
A Cloud Permissions Firewall Administrator can stage changes as needed, download the CloudFormation template, and hand it to your AWS Org Admin to deploy according to your business processes.