North American Healthcare SaaS Company
Healthcare SaaS company gains compliance with Tenable Cloud Security’s Just-in-Time access
A North American provider of cloud-based healthcare solutions helps organizations enhance patient care and operational efficiency by supporting early detection of health risks — improving reimbursement accuracy and enabling better care coordination. The platform leverages data transparency and automation to reduce unnecessary hospital visits and improve overall clinical outcomes.
Key business needs
- Ensure ongoing HITRUST compliance with auditable limited access controls to sensitive data in AWS
- Embed security seamlessly into workflows to improve visibility and expose permissions, misconfigurations, IaC and other risks
- Implement a highly usable, adoptable solution that boosts security maturity and ROI
Auditable Just-in-Time access in AWS—with user buy-in
As a cloud-based healthcare technology company operating under stringent compliance requirements, the organization had previously earned HITRUST certification. With it came the need for tighter access controls in AWS—ensuring that even authorized users couldn’t access sensitive data continuously—and full auditability of elevated access.
To meet this requirement, the team sought a way to grant time-limited, as-needed elevated access for employees working in AWS, along with the ability to audit all activity.
Their AWS environment included two primary accounts: a legacy account managed by a service provider and a newer, internally managed account supporting cloud growth, with multiple sub-accounts and data stored in EC2.
Having already implemented Azure Privileged Identity Management (PIM) in their Microsoft environment, the team aimed to replicate that kind of automated, role-based control in AWS.
User adoption, however, was essential. The team needed a solution that AWS users would readily accept. While the team was evaluating familiar tools like Azure PIM, the turning point came at a security event where they discovered Tenable’s Just-in-Time (JIT) access capability. The team immediately recognized it as a strong fit for their AWS security and compliance objectives.
JIT, Permissions, CSPM & IaC in action
The healthcare cloud security team deployed Tenable Cloud Security in their AWS growth account, beginning with JIT access and expanding to additional use cases.
Use Case: Just-in-Time access for sensitive resources
Tenable’s temporary elevated access capability enabled the organization to meet HITRUST requirements while improving usability. It integrated easily with AWS Identity Center and aligned with their use of AWS Organizations. Internal users now elevate access through Tenable to reach sensitive workloads or PII—faster and more smoothly than the identity tool used in their other cloud environment. To streamline the experience, Tenable JIT was deployed via Microsoft Teams, allowing requests and approvals directly within the app. All elevated access is logged, including user, approver, timestamp, account, and role.
JIT access spans more than ten AWS sub-accounts, including QA, Dev, Staging, and production environments with PII. Users elevate access by selecting a role—such as power user (generated through Tenable’s custom role feature), identity group-level eligibility, or read-only. Inappropriate requests are automatically blocked. Sensitive resources require approval and are limited to two hours; less sensitive ones are pre-approved and capped at eight.
The team applies Tenable’s least privilege recommendations based on actual usage, adding permissions only when necessary.
Workflow:
- One-step approval by one of three authorized approvers
- Requests for services like Lambda, S3, or DynamoDB are auto-approved or manually reviewed based on sensitivity
- The AWS infrastructure lead reviews the request and Tenable findings, then collaborates with a security analyst to approve appropriate access
Implementing Tenable JIT has helped the team maintain compliance, adopt best practices, and advance toward a zero-trust security model.
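The workflow above (pre-approved versus approval-gated roles, the two-hour and eight-hour caps, automatic blocking of inappropriate requests, and an audit record of user, approver, timestamp, account and role) can be modelled in a few dozen lines. The following is an added illustration, not Tenable's code or the customer's configuration; the role names, the three approver names and the audit record layout are assumptions, while the time caps are the ones the case study states.

```python
"""Toy model of a Just-in-Time elevation workflow (added example, not Tenable's code).

Role names, approver names and the audit record layout are assumptions; the
two-hour cap for sensitive roles and eight-hour cap for pre-approved roles
are the values given in the case study.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed role catalogue: sensitive roles need an approver, the rest are pre-approved.
SENSITIVE_ROLES = {"power-user", "pii-reader"}
PREAPPROVED_ROLES = {"read-only", "dev-deployer"}
APPROVERS = {"alice", "bob", "carol"}           # the three authorized approvers (assumed names)
CAP_HOURS = {"sensitive": 2, "preapproved": 8}  # caps from the case study


@dataclass(frozen=True)
class ElevationRequest:
    user: str
    account: str
    role: str
    requested_hours: float


@dataclass(frozen=True)
class AuditEntry:
    """One audit record: who, who approved, when, which account, which role, until when."""
    user: str
    approver: str
    timestamp: str
    account: str
    role: str
    expires: str
    decision: str


AUDIT_LOG: list[AuditEntry] = []


def _record(req: ElevationRequest, approver: str, decision: str,
            ttl_hours: float, now: datetime) -> AuditEntry:
    expires = (now + timedelta(hours=ttl_hours)).isoformat() if ttl_hours else ""
    entry = AuditEntry(req.user, approver, now.isoformat(), req.account,
                       req.role, expires, decision)
    AUDIT_LOG.append(entry)  # every outcome is logged, denials and blocks included
    return entry


def evaluate(req: ElevationRequest, approver: Optional[str] = None,
             now_iso: Optional[str] = None) -> AuditEntry:
    """Decide one request. now_iso lets callers pin the clock for reproducible records."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    if req.role in PREAPPROVED_ROLES:
        ttl = min(req.requested_hours, CAP_HOURS["preapproved"])
        return _record(req, "auto", "approved", ttl, now)
    if req.role in SENSITIVE_ROLES:
        if approver is None:
            return _record(req, "", "pending", 0, now)
        # Approver must be one of the three, and nobody approves their own request.
        if approver not in APPROVERS or approver == req.user:
            return _record(req, approver, "denied", 0, now)
        ttl = min(req.requested_hours, CAP_HOURS["sensitive"])
        return _record(req, approver, "approved", ttl, now)
    # Unknown role: block automatically instead of escalating to a human.
    return _record(req, "", "blocked", 0, now)


if __name__ == "__main__":
    for entry in (
        evaluate(ElevationRequest("dave", "staging", "read-only", 12)),
        evaluate(ElevationRequest("dave", "prod-pii", "pii-reader", 4)),
        evaluate(ElevationRequest("dave", "prod-pii", "pii-reader", 4), approver="alice"),
        evaluate(ElevationRequest("dave", "prod-pii", "root-admin", 1)),
    ):
        print(entry)
```

A request above the cap is trimmed to the cap rather than rejected, and a sensitive-role request made without an approver is recorded as pending until a second call carries an approver name, which is the single approval step the workflow describes.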
Use Case: Role-Based identity and permissions management
Building on their Just-in-Time access controls, the security engineering team uses Tenable to manage role-based permissions with a least-privilege approach from the start. The platform automatically flags unused permissions—such as roles granting access to 300 services when only 12 are actively used—enabling the team to tighten access controls and reduce unnecessary exposure. With a lean team, staying on top of permissions can be a challenge. Tenable streamlines this effort by surfacing permissions risk insights early, which are then passed to developers for remediation.
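The "300 services granted, 12 used" comparison is a set difference between what an IAM policy allows and what the principal has actually called. The block below is an added example, not Tenable's implementation: it takes a constructed IAM policy and a constructed list of observed actions (the kind of data CloudTrail would supply), reports the granted-but-unused services, and emits a narrowed policy containing only the actions that were observed. The service catalogue used to expand a bare `*` grant is also constructed.

```python
"""Least-privilege trimming from observed usage (added example, not Tenable's code).

The policy, the usage log and the service catalogue are constructed. Action
matching follows IAM's rules: case-insensitive, with '*' and '?' wildcards.
"""
import fnmatch
import json

# Constructed catalogue standing in for the services a bare "*" grant would cover.
SERVICE_CATALOGUE = {"s3", "ec2", "iam", "lambda", "dynamodb", "kms"}

# Constructed policy: four services granted in full.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "iam:*", "lambda:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# Constructed usage log: the actions this role was actually seen calling.
USAGE = ["s3:GetObject", "s3:PutObject", "ec2:DescribeInstances", "s3:GetObject"]


def action_matches(pattern: str, action: str) -> bool:
    """IAM action patterns are case-insensitive and use '*' / '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _patterns(stmt: dict) -> list[str]:
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def granted_services(policy: dict) -> set[str]:
    """Services reachable through any Allow statement; '*' expands to the whole catalogue."""
    services: set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _patterns(stmt):
            prefix = pattern.split(":", 1)[0].lower()
            services |= SERVICE_CATALOGUE if prefix == "*" else {prefix}
    return services


def used_services(usage: list[str]) -> set[str]:
    return {action.split(":", 1)[0].lower() for action in usage}


def unused_services(policy: dict, usage: list[str]) -> set[str]:
    """Granted but never observed: the gap the text describes (300 granted, 12 used)."""
    return granted_services(policy) - used_services(usage)


def narrowed_policy(policy: dict, usage: list[str]) -> dict:
    """Rewrite each Allow statement to list only the observed actions it covered.

    Deny statements are kept untouched; an Allow that covered nothing is dropped.
    """
    new_statements = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            new_statements.append(stmt)
            continue
        patterns = _patterns(stmt)
        kept = sorted({a for a in usage if any(action_matches(p, a) for p in patterns)})
        if kept:
            new_statements.append({**stmt, "Action": kept})
    return {**policy, "Statement": new_statements}


if __name__ == "__main__":
    print("unused services:", sorted(unused_services(POLICY, USAGE)))
    print(json.dumps(narrowed_policy(POLICY, USAGE), indent=2))
```

The narrowed policy is a recommendation to review, not something to apply blindly: usage windows miss rare but legitimate actions (quarterly jobs, break-glass paths), which is why the case study pairs the recommendation with JIT elevation for anything trimmed away.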
Use Case: Cloud Security Posture Management (CSPM)
The cloud operations team had previously used another CSPM tool but found Tenable significantly more insightful. “Tenable Cloud Security gave us deeper visibility and exposed permissions risks we hadn’t seen before, such as admin access granted in Dev via a domain-joined role.” The team now accesses AWS exclusively through Tenable, which has become central to their daily operations. Tenable’s platform is integrated with JIRA to help track and manage security issues. As the cloud infrastructure lead noted, “It’s the first dashboard I check every morning.”
Use Case: Infrastructure as Code (IaC) scanning
The DevOps and engineering teams integrated Tenable into their CI/CD pipeline to scan both CloudFormation and custom-built Infrastructure as Code (IaC) templates before deployment. Previously, they had limited visibility into IaC risks until after resources were built—making remediation more time-consuming and disruptive. Now, Tenable flags issues early in the development process, with alerts set for findings above low severity. Developers quickly adopted the tool, incorporating it into their workflow to avoid costly rework. As the team noted, “Now, using Tenable’s IaC capabilities, our developers are confident in the security of their builds.”
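To show what "flag issues before resources are built, alerting only above low severity" looks like mechanically, here is an added example of a minimal pre-deployment checker for CloudFormation templates. It is not Tenable's IaC scanner and the four checks and their severities are assumptions chosen for illustration; the template it scans is constructed inline. It reads JSON templates only, so it needs no YAML library.

```python
"""Minimal pre-deployment scanner for CloudFormation JSON templates
(added example, not Tenable's IaC scanner). Checks and severities are assumptions.
"""
import json

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
ADMIN_PORTS = {22, 3389}

# Constructed template with one issue per check, at three different severities.
TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "DataBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"BucketName": "example-pii-bucket"}},
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "bastion",
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "DeployRole": {"Type": "AWS::IAM::Role", "Properties": {
      "AssumeRolePolicyDocument": {"Statement": []},
      "Policies": [{"PolicyName": "too-broad", "PolicyDocument": {
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    "ScratchVolume": {"Type": "AWS::EC2::Volume",
                      "Properties": {"AvailabilityZone": "us-east-1a", "Size": 8}}
  }
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_resource(name: str, res: dict) -> list[dict]:
    """Apply every check to one resource and return its findings."""
    rtype, props = res.get("Type", ""), res.get("Properties", {})
    findings = []
    if rtype == "AWS::S3::Bucket" and "PublicAccessBlockConfiguration" not in props:
        findings.append({"resource": name, "severity": "MEDIUM",
                         "issue": "S3 bucket has no PublicAccessBlockConfiguration"})
    if rtype == "AWS::EC2::SecurityGroup":
        for rule in props.get("SecurityGroupIngress", []):
            world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            if world and any(lo <= port <= hi for port in ADMIN_PORTS):
                findings.append({"resource": name, "severity": "HIGH",
                                 "issue": f"admin port open to the world ({lo}-{hi})"})
    if rtype in ("AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::ManagedPolicy"):
        docs = [props.get("PolicyDocument")]
        docs += [p.get("PolicyDocument") for p in props.get("Policies", [])]
        for doc in filter(None, docs):
            for stmt in _as_list(doc.get("Statement", [])):
                if (stmt.get("Effect") == "Allow"
                        and "*" in _as_list(stmt.get("Action", []))
                        and "*" in _as_list(stmt.get("Resource", []))):
                    findings.append({"resource": name, "severity": "HIGH",
                                     "issue": "IAM statement allows * on *"})
    if rtype == "AWS::EC2::Volume" and props.get("Encrypted") is not True:
        findings.append({"resource": name, "severity": "LOW",
                         "issue": "EBS volume is not encrypted"})
    return findings


def scan(template: dict) -> list[dict]:
    out = []
    for name, res in template.get("Resources", {}).items():
        out.extend(check_resource(name, res))
    return out


def findings_above(template: dict, threshold: str) -> list[dict]:
    """Keep only findings strictly above the threshold, e.g. above LOW as in the case study."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in scan(template) if SEVERITY_RANK[f["severity"]] > floor]


if __name__ == "__main__":
    for finding in findings_above(TEMPLATE, "LOW"):
        print(f"{finding['severity']:<6} {finding['resource']:<14} {finding['issue']}")
```

Wired into a CI step, a non-empty result from `findings_above(template, "LOW")` is what fails the build, which is the point at which the developer fixes the template rather than the deployed resource.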
Stronger visibility, ROI and standardization on Tenable
The company is seeing clear benefits from Tenable Cloud Security:
ROI. By replacing their prior CSPM tool, they saved over $10,000/year, with more savings expected as they grow AWS usage, expanding to new AWS Organizations accounts.
Onboarding and customer support. Onboarding took just one to two days, with single sign-on integration the most involved step. Since deployment, issues have been rare—and when they arise, Tenable typically responds within 24 hours. Regular bi-weekly check-ins maintain alignment and ensure ongoing support. Noted the team, “Some vendors set you up and come back only at renewal time. Tenable customer support is probably the best I've seen.”
Usability and prioritization. A smooth user experience and prioritized insights are streamlining operations. Said the infrastructure head, “Tenable presents information well, breaking down alert severity and open findings, and provides a clear work path. It puts what’s important at the top and guides us, sparing the need to go into accounts and figure out what to trim.”
Security maturity and DevOps collaboration. The company has grown very fast. Noted the team, “Many in the organization now realize that security is a business requirement. Putting Tenable’s prioritized findings and remediation in front of DevOps has been very useful to pursuing our security goals.”
Summed up by the lead security engineer: “Our Tenable solution is here to stay for its many capabilities, especially compliance and visibility. We just enabled workload protection and plan to consolidate even more. Eventually, we’ll manage all AWS security through a single pane of glass.”