
Intro: Permissions on Demand

One-Click Least Privilege. Zero Disruption.



© 2025 Sonrai Security. All rights reserved.

Overview

Permissions on Demand is a permissions-granting workflow strategy that reduces requests to internal staff (i.e. DevOps, CloudOps, etc.) by focusing on privileged permissions access.

Traditional just-in-time (JIT) products focus on granting and revoking permissions from identities on an 'as needed' basis. Permissions on Demand puts the focus on determining permissions assigned versus permissions in use, pinpointing instances where privileged permissions are involved.

warning

Permissions on Demand (PoD) requests are not currently triggered from denied actions in the following regions:

  • ap-southeast-4
  • ap-southeast-5
  • ap-southeast-7
  • ca-west-1
  • il-central-1

If permissions are required for any of these regions, either:

a) add the identity to the exemptions list within a protected service (the exemption will apply to all regions)

b) have the user attempt the same activity from a supported region, triggering the Permissions on Demand flow to generate an approval request for all regions


The Permissions on Demand (PoD) Request Lifecycle

The base lifecycle of a Permissions on Demand request, resulting in an approval or denial:

tip

For more information on approving/denying Permissions on Demand Requests, and other relevant Request statuses, see here


Example Scenario

A common scenario where a Permissions on Demand request would be initiated is:

  1. A service protection has been implemented using the Cloud Permissions Firewall
     • Example: Protecting AWS WAF

  2. AWS Console or CLI interaction by a non-exempt user

     a) [Non-exempt] user navigates to the service within the AWS console and attempts to use one of the privileged permissions
        • Example: Deleting a Web ACL

     b) [Non-exempt] user leverages the AWS CLI to run a command associated with one of the defined privileged permissions
        • Example: Running the delete-web-acl command

  3. A Permissions on Demand request becomes present within the Requests page and an email is sent to the applicable list of Approvers

  4. The Permissions on Demand request is approved/denied

     a) If the request is approved, the [now exempt] user becomes listed as an exemption to use privileged permissions for the service

     b) If the request is denied, the [still non-exempt] user remains unable to use privileged permissions for the service
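As an added illustration (this is example code, not Sonrai's own implementation), the following Python models how denied, CloudTrail-style records for a protected service become Permissions on Demand request candidates, applying the rules stated above: only privileged permissions of a protected service count, exempt identities are never asked, and denied actions in the unsupported regions listed earlier do not trigger a request. The protected service, its privileged action set, the ARNs and the log records are all constructed for the example.

```python
from dataclasses import dataclass

# Regions listed on this page where denied actions do not trigger a PoD request.
UNSUPPORTED_REGIONS = {"ap-southeast-4", "ap-southeast-5", "ap-southeast-7",
                       "ca-west-1", "il-central-1"}

# Hypothetical protection: AWS WAF (wafv2) with an assumed set of privileged
# permissions. The real product's definitions are not shown on this page.
PROTECTED_SERVICES = {
    "wafv2.amazonaws.com": {"DeleteWebACL", "DeleteIPSet"},
}


@dataclass(frozen=True)
class RequestCandidate:
    identity: str
    service: str
    action: str
    region: str   # where the denial happened; an approval covers all regions


def candidates_from_events(events, exemptions):
    """Return PoD request candidates for denied privileged actions.

    `events` are CloudTrail-like dicts; `exemptions` maps an event source to the
    set of exempt identity ARNs (an exemption applies to every region).
    """
    out = []
    for ev in events:
        if ev.get("errorCode") != "AccessDenied":
            continue  # only blocked actions can start the flow
        service = ev.get("eventSource", "")
        action = ev.get("eventName", "")
        if action not in PROTECTED_SERVICES.get(service, set()):
            continue  # not a privileged permission of a protected service
        identity = ev.get("userIdentity", {}).get("arn", "")
        if identity in exemptions.get(service, set()):
            continue  # defensive: exempt identities never need to request
        region = ev.get("awsRegion", "")
        if region in UNSUPPORTED_REGIONS:
            continue  # page: denials here do not trigger a request
        out.append(RequestCandidate(identity, service, action, region))
    return out


# Constructed sample records (not real log data). Only the first one should
# produce a candidate: the second is in an unsupported region, the third is a
# read-only action, and the fourth was allowed (no errorCode) for an exempt role.
SAMPLE_EVENTS = [
    {"eventSource": "wafv2.amazonaws.com", "eventName": "DeleteWebACL",
     "errorCode": "AccessDenied", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}},
    {"eventSource": "wafv2.amazonaws.com", "eventName": "DeleteWebACL",
     "errorCode": "AccessDenied", "awsRegion": "ca-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-bob"}},
    {"eventSource": "wafv2.amazonaws.com", "eventName": "ListWebACLs",
     "errorCode": "AccessDenied", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}},
    {"eventSource": "wafv2.amazonaws.com", "eventName": "DeleteWebACL",
     "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/waf-admin"}},
]
EXEMPTIONS = {"wafv2.amazonaws.com": {"arn:aws:iam::111122223333:role/waf-admin"}}

if __name__ == "__main__":
    for cand in candidates_from_events(SAMPLE_EVENTS, EXEMPTIONS):
        print(cand)
```

The region check models the caveat from the warning above: a user in one of those regions gets blocked but no request is raised, so either an exemption is added directly or the user retries from a supported region.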


Permissions on Demand (PoD) Request Architecture

Several factors determine how a Permissions on Demand Request is routed through its lifecycle:

  • Is the identity a zombie? Is this zombie quarantined?
  • Is this a human or machine identity?
  • Is the service enabled or disabled?
  • Is ChatOps (Slack, Teams, etc. integration) configured for your cloud?

These questions are all integral to understanding how and where the Permissions on Demand Request is sent and who exactly needs to review and action it.

Are we dealing with a zombie or an active identity?

Zombies

Zombie Requests

By now, you understand what a zombie is and how identities qualify for this designation.

This PoD Request is the result of a zombie reanimation! This may sound scary, and in some cases where the behavior is wholly unexpected, it is! But for the most part, zombies reanimate for benign reasons like annual reporting scripts, developers testing builds of long forgotten code branches, and more.

Zombies come in all shapes and sizes:

Are we dealing with a human identity or machine identity?

Human Identity

Example: A developer has returned from six months of paternal leave and is using their usual AWS role, attempting to create an EC2 VPC in an account.

In this case, the Cloud Permissions Firewall Permissions on Demand functionality would send the developer identity a Request to justify via ChatOps.

Once the request is justified, it is then forwarded to applicable Approvers to approve/deny.

Machine Identity

For non-person identities, where there is no email address available, the request justification step is skipped and it is forwarded to the Cloud Permissions Firewall Approvers list automatically.


FAQ

What is a Permissions on Demand request?

This is a request a user initiates for the use of specific risky/privileged permissions within some portion of your cloud.


When will I see a Permissions on Demand request come through?

Generally, a request will be triggered by an identity attempting to use the permission while Sonrai's Cloud Permissions Firewall has a block in place for use of that specific service.


If a user repeatedly attempts an action within the AWS console, am I going to get spammed by ChatOps with multiple requests?

No!

  • PoD request submissions are checked against the last received request for the activity
    • if there has been an identical request within the past 15 minutes, we do not send an additional PoD request to the Approvers

Does every Permissions on Demand Request need justification?

No!

  • For a request to qualify for justification, there needs to be an email address available/associated to the requesting identity
    • For non-person identities, where there is no email address available, we skip the justification and forward the request to the Approvers automatically

If my organization does not have ChatOps (Slack, Teams, etc. integration) configured, will my users undergo the request justification process?

No!

The request justification step will be skipped and the request will be automatically forwarded to the Approvers list.


What happens if our Approvers do not approve/deny this request within one hour?

The request continues up the Approvers tree by being forwarded to the next level of Approvers. If the request is not actioned within 24 hours, it expires.

Currently, escalation notifications are ChatOps only.
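As an added example (not Sonrai's code), the following Python models the routing and timing rules the FAQ answers above describe: an identical request within 15 minutes is suppressed, justification is requested only when the identity has an email address and ChatOps is configured, an unactioned request moves to the next Approver level after one hour, and it expires after 24 hours. The Approver tiers, identities, timestamps and the assumption that the one-hour clock restarts when a justification is submitted are this example's own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Timing rules stated on this page.
DUPLICATE_WINDOW = timedelta(minutes=15)   # identical request suppressed inside this window
ESCALATION_AFTER = timedelta(hours=1)      # not actioned -> forwarded to next Approver level
EXPIRES_AFTER = timedelta(hours=24)        # not actioned at all -> expired


@dataclass
class Request:
    identity: str
    action: str
    created: datetime
    email: Optional[str] = None            # None for machine identities
    status: str = "PENDING_APPROVAL"
    approver_level: int = 0
    justification: Optional[str] = None
    last_routed: datetime = field(init=False)

    def __post_init__(self):
        self.last_routed = self.created


@dataclass
class Workflow:
    approver_tiers: list                   # hypothetical tiers, e.g. [["ops-lead"], ["cloud-sec"]]
    chatops_configured: bool
    history: dict = field(default_factory=dict)   # (identity, action) -> last Request

    def submit(self, identity, action, now, email=None):
        """Create a request, or return None if an identical one is under 15 minutes old."""
        last = self.history.get((identity, action))
        if last is not None and now - last.created < DUPLICATE_WINDOW:
            return None
        req = Request(identity, action, now, email)
        # Justification is requested only when the identity has an email address
        # and ChatOps is configured; otherwise the request goes straight to Approvers.
        if email and self.chatops_configured:
            req.status = "PENDING_JUSTIFICATION"
        self.history[(identity, action)] = req
        return req

    def justify(self, req, now, text):
        """Requester supplies a justification; the Approver clock starts now (assumption)."""
        if req.status != "PENDING_JUSTIFICATION":
            raise ValueError("request is not awaiting justification")
        req.justification = text
        req.status = "PENDING_APPROVAL"
        req.last_routed = now

    def tick(self, req, now):
        """Apply escalation and expiry to a request still awaiting approval."""
        if req.status != "PENDING_APPROVAL":
            return req.status
        if now - req.created >= EXPIRES_AFTER:
            req.status = "EXPIRED"
            return req.status
        # Each full hour without action moves the request up one tier
        # until the top tier is reached (escalation notices are ChatOps only).
        while (now - req.last_routed >= ESCALATION_AFTER
               and req.approver_level < len(self.approver_tiers) - 1):
            req.approver_level += 1
            req.last_routed += ESCALATION_AFTER
        return req.status

    def current_approvers(self, req):
        return self.approver_tiers[req.approver_level]

    def decide(self, req, approved):
        """An Approver actions the request."""
        if req.status != "PENDING_APPROVAL":
            raise ValueError("request is not awaiting approval")
        req.status = "APPROVED" if approved else "DENIED"
        return req.status


def run_scenario():
    """Walk one human and one machine request through the model; returns what was observed."""
    t0 = datetime(2025, 1, 1, 9, 0)    # constructed timestamp
    wf = Workflow(approver_tiers=[["ops-lead"], ["cloud-sec"], ["ciso"]], chatops_configured=True)
    seen = {}
    human = wf.submit("dev-alice", "wafv2:DeleteWebACL", t0, email="alice@example.com")
    seen["human_initial"] = human.status                          # PENDING_JUSTIFICATION
    seen["duplicate_suppressed"] = wf.submit(
        "dev-alice", "wafv2:DeleteWebACL", t0 + timedelta(minutes=5),
        email="alice@example.com") is None                        # True
    wf.justify(human, t0 + timedelta(minutes=10), "rolling back a broken WAF rule")
    seen["after_justify"] = wf.current_approvers(human)           # ['ops-lead']
    wf.tick(human, t0 + timedelta(hours=2, minutes=40))           # 2h30 since justification
    seen["after_2h30"] = wf.current_approvers(human)              # ['ciso']
    seen["after_25h"] = wf.tick(human, t0 + timedelta(hours=25))  # EXPIRED
    machine = wf.submit("role/nightly-report", "ec2:CreateVpc", t0)   # no email: skip justification
    seen["machine_initial"] = machine.status                      # PENDING_APPROVAL
    seen["machine_decided"] = wf.decide(machine, approved=True)   # APPROVED
    return seen


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

A `Workflow` built with `chatops_configured=False` sends even human requests straight to the first Approver tier, which is the behaviour the ChatOps FAQ above describes.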


Why didn't I receive a Permissions on Demand request when a zombie identity tried to wake up?

Some zombie identities (usually automated machine identities) can trigger a silent reanimation attempt if the specific action they attempt isn't tracked in your audit logs. The action will still be blocked, but Cloud Permissions Firewall only sends a Permissions on Demand request when there is an audit log entry created.

Avoid this by creating a zombie detection exemption for such identities, or increasing the frequency that your automated tools run to prevent them from being flagged as potential zombies.