AWS has long been missing a solution to provide time-bound privileged access management. While they don’t offically have a service yet, they do provide a SaaS solution you can deploy to achieve the same functionality as you can get with GCP PAM (privileged access management).
AWS TEAM (Temporary Elevated Access Management) has been a game-changer for me and my customers. I’ve been using it for many months now and I can’t believe more people aren’t talking about it.
Let me walk you through why I think every AWS shop should be running this, how to actually implement it (it’s easier than you think), and share some real-world scenarios where it’s saved my skin.
Look, we’ve all been there. You start with the best security intentions, but then reality hits. Your dev team needs admin access to debug that production issue. Your ops folks need elevated perms to deploy that critical patch. Third-party vendors need access for maintenance. Before you know it, your “least privilege” environment looks like Swiss cheese.
I’ve seen every hack job in the book:
The Shared Admin Account
The Persistent God Mode
The Email-Driven Access Process
The Break-Glass Account
All of these approaches make security folks cry and create operational headaches. That’s exactly why I fell in love with TEAM - it actually solves these problems instead of just moving them around.
TEAM sits in the middle as your access broker. It’s the bouncer at a exclusive club, except this bouncer is automated, never gets tired, and keeps detailed notes about everyone who comes and goes.
The architecture is simple and uses services you’re likely already familiar with:
AWS IAM Identity Center is your identity foundation. If you’re already using this (and you should be), TEAM just plugs right in. No duplicate user management nonsense.
Amazon Cognito handles the login stuff and MFA. Users get a nice web portal instead of having to email someone or fill out a ticket.
AWS Amplify hosts the actual web app. It’s surprisingly polished - your users won’t hate using it, which is half the battle with security tools.
AWS Lambda does all the heavy lifting behind the scenes - processing requests, sending approvals, automatically revoking access when time’s up.
Amazon DynamoDB stores everything - who requested what, when it was approved, what they actually did. Your audit folks will love you.
Thanks to this architecture - it’s fully serverless. So it cost’s very little to own and operate!
Here’s why this setup actually works in the real world:
No More Standing Privileges
Everything’s Logged
It Actually Saves Time
Scales With Your Chaos
TEAM cannot be used to perform the following tasks:
Read the security considerations section for more information.
TEAM handles emergency scenarios by implementing conditional approval workflows based on severity levels. For critical incidents, configure auto-approval for designated responder groups with short time limits (typically 2 hours). Non-critical requests still require standard manager approval.
Configuration approach:
This eliminates the tension between rapid incident response and security controls while maintaining full audit trails.
External vendor access becomes manageable through time-bounded, role-specific permissions. Instead of creating permanent accounts with manual cleanup processes, TEAM provides self-expiring access with comprehensive logging.
Implementation pattern:
No manual cleanup required, and detailed activity logs provide transparency into vendor actions.
TEAM enables developer productivity without bypassing security controls through streamlined, time-limited production access. Development teams can request specific access levels for debugging and troubleshooting with appropriate approval workflows.
Typical configuration:
This eliminates central IT bottlenecks while maintaining proper oversight and control.
Regulatory environments benefit from TEAM’s comprehensive logging and automated access management. Compliance-specific roles can be configured with appropriate approval chains and automatic documentation.
Key features for compliance:
Every action is logged with sufficient detail for audit purposes, simplifying compliance reporting and reducing manual documentation overhead.
git clone https://github.com/YOUR-USERNAME-OR-ORG/REPO-NAME.git
cd REPO-NAME
We need an Access Token (classic) to authenticate and get the code in Amplify from GitHub.
After creation, keep the access token in a safe place. You will need it later.
AWS Organizations managed multi account environment with AWS IAM Identity Center federated account access
This account will also be configured as a delegated administrator for:
It is not necessary to manually delegate those services to the TEAM account. A script will handle the delegation process later in this guide.
TEAM uses AWS CloudTrail Lake for querying, auditing, and logging API activities and actions performed by a user during elevated access. Create a Cloudtrail Lake organization event datastore in the dedicated TEAM account that stores all log events for all AWS accounts in your organization.
You need to complete this step manually on the Organization Management Account.
Navigate to: CloudTrail → Lake → Event data stores → Create event data store.
After creating the event data store, copy their ARN and keep it in a safe place. You will need it later.
TEAM requires you to deploy the solution using an external GitHub repository. Create a secret in AWS Secret Manager containing your repository URL and Access Token (both of which you created before), as shown below.
{
"url":"https://github.com/YOUR-USERNAME-OR-ORG/REPO-NAME.git",
"AccessToken":"ACCESS_TOKEN"
}
Replace YOUR-USERNAME-OR-ORG
, REPO-NAME
, and ACCESS_TOKEN
with your own information.
You need to complete this step manually on the TEAM Account.
Navigate to: Secrets Manager → Store a new secret.
After creating the secret, copy their name and keep it in a safe place. You will need it later.
Set up groups within AWS IAM Identity Center for TEAM Admins and TEAM Auditors. These groups can be created locally within the Identity Center or synchronized from an external identity provider per your organization’s group membership review and attestation process.
Refer to the solution overview for more information on TEAM personas and groups.
Setup a named profile for AWS CLI with sufficient permissions for the Organization Management Account.
Setup a named profile for AWS CLI with sufficient permissions for the TEAM Account.
TEAM deploys through AWS Amplify, which automates the infrastructure provisioning and application hosting. The deployment process creates all necessary backend resources automatically.
Create a new file named parameters.sh in the deployment
directory.
cd deployment
cp -n parameters-template.sh parameters.sh
Update the parameters in the parameters.sh file as follows:
Required:
Optional:
For example:
IDC_LOGIN_URL=https://d-12345678.awsapps.com/start
REGION=us-east-1
TEAM_ACCOUNT=123456789101
ORG_MASTER_PROFILE=OrganizationManagementAccount_AWSAdministratorAccess
TEAM_ACCOUNT_PROFILE=TEAMAccount_AWSAdministratorAccess
TEAM_ADMIN_GROUP="TEAM_Administrators"
TEAM_AUDITOR_GROUP="TEAM_Auditors"
TAGS="department=devsecops environment=prod"
CLOUDTRAIL_AUDIT_LOGS=arn:aws:cloudtrail:us-east-1:123456789101:eventdatastore/e646f20d-7959-4682-be84-6c5b8a37cf15
UI_DOMAIN=portal.example.com
SECRET_NAME=TEAM-IDC-APP
The init.sh
bash script in the deployment
folder configures the following prerequisites required for deploying the TEAM application:
Execute the following command in the deployment directory to deploy the script.
./init.sh
Ensure that the named profile for the Organization Management Account has sufficient permissions before executing the deploy.sh script.
The deploy.sh
bash script in the deployment
folder performs the following actions within the TEAM_ACCOUNT:
Ensure that the named profile for the TEAM Account has sufficient permissions before executing the deploy.sh script.
Execute the following command in the deployment directory to deploy the script.
./deploy.sh
Once the deployment script has completed execution and the CloudFormation stack has been created successfully, go to the AWS Amplify console to monitor the status of the TEAM application deployment.
TEAM Amplify application TEAM Amplify deployment
It takes about 20 minutes to complete the build and deployment of the Amplify application stack.
[Optional] Custom Domain Registration
This step is optional and required only if you have included a UI_DOMAIN parameter and intend to use a custom domain for your TEAM deployment instead of the default Amplify generated domain name.
Navigate to: AWS Amplify → All Apps → TEAM-IDC-APP → Domain Management → Add domain.
Follow instructions in Amplify Documentation.
Okay, this is where it gets a bit more involved, but stick with me. We need to set up TEAM as a SAML application in Identity Center so users can actually log in.
First, run this script to get the parameters you’ll need:
./integration.sh
This spits out three important values:
Write these down - you’ll need them in a minute.
Now hop over to your Identity Center console (in your org master account) and:
Go to Application assignment → Applications → Add application
Select Add custom SAML 2.0 Application and click Next
Name it “TEAM IDC APP” or whatever makes sense to you
IMPORTANT: Copy and save the AWS IAM Identity Center SAML metadata file URL - you’ll need this later. It looks like: https://portal.sso.{region}.amazonaws.com/saml/metadata/{id}
Under Application properties, paste your applicationStartURL value Application start URL
Under Application Metadata, choose “Manually type your metadata values” Application metadata
Paste your applicationACSURL and applicationSAMLAudience values in the respective fields
Click Submit to save it.
Click Actions → Edit attribute mappings and add:
Under Assigned Users, click Assign users and add your TEAM admin and auditor groups, plus any other users who should have access to TEAM.
Don’t forget to assign your TEAM_Administrators and TEAM_Auditors groups here - these are what give people admin and auditor privileges within TEAM itself.
Almost there! Now we need to tell Cognito how to authenticate against Identity Center.
Create a details.json
file in your deployment directory:
cp details-template.json details.json
Edit details.json
and replace the MetadataURL with the SAML metadata URL you copied earlier:
{
"MetadataURL": "https://portal.sso.us-east-1.amazonaws.com/saml/metadata/YOUR-ACTUAL-ID-HERE"
}
Then run the Cognito configuration script:
./cognito.sh
This configures Cognito to use Identity Center as a SAML provider and updates the TEAM application client to use it.
That’s It - You’re Done!
If everything went right, users should now be able to access TEAM through the Identity Center access portal. They’ll see a “TEAM IDC APP” tile they can click to access the application.
The deployment part is honestly the hardest bit. Once you’ve got TEAM running, the real fun begins - configuring it to work the way your organization actually operates.
This is where you can either make your life easy or create a nightmare for yourself. Start simple - figure out the minimum permissions people actually need for common tasks, then build from there.
Time limits should make sense for what people are actually doing. Debugging a production issue? Maybe 4 hours. Running a compliance report? Probably 1 hour. Emergency response? Could be 8 hours, depending on how bad your incidents typically get.
Approval workflows should match how your organization actually works, not how you think it should work. If your team leads approve everything anyway, don’t force requests through the CTO first. Keep it simple and it’ll actually get used.
TEAM provides REST APIs for comprehensive integration with existing tooling.
Some possibilities include:
Change Management Integration:
Monitoring System Integration:
TEAM supports multiple notification channels:
Here’s what I wish someone had told me before my first TEAM deployment:
Start Small
Train Your Users
Watch the Patterns
Test Your Emergency Procedures
Document Who Approves What
AWS TEAM represents a fundamental shift in how organizations approach privileged access management. By eliminating the traditional trade-off between security and operational efficiency, TEAM enables true zero standing privileges without sacrificing productivity.
For organizations serious about zero trust architecture and least privilege principles, TEAM provides the missing piece that makes these security models actually practical to implement and maintain.
If you’re ready to move beyond shared admin accounts and email-driven access requests, TEAM offers a proven path forward that scales with your organization’s growth and complexity.