Use Case

Prevent lateral movement and unauthorized access to cloud resources with just-in-time, SSH access control to cloud infrastructure. Achieve granular least privilege access for users eliminating the pain of SSH keys and credentials management by using the identity provider of your choice (Okta, OAuth, Ping) to enable authenticated and authorized user Single sign-on (SSO). Aporeto then generates a token and provides users with an ephemeral certificate tied to enterprise identity, eliminating the need to share and store secrets for cloud-native resources. Security teams can now granularly manage cloud credentials and restrict access to critical infrastructure. Admins can track and audit individual user activity on any host, in any environment, and easily export logs for simplified proof of compliance.

Problem Statement

In any organization with multiple users and multiple servers, the number of SSH keys floating around can be several times greater than the number of employees. Untracked, unmanaged, and unmonitored usage of SSH keys can pose a serious cybersecurity risk. Obfuscation of a user’s true identity is even more problematic when hosts, and their adjacent systems, are accessed using accounts and keys which do not correlate with an authenticated identity. Additionally, audit logs to meet compliance requirements become difficult if not impossible to be correlated. InfoSec policy failures occur when access is not controlled, resulting in confidentiality, integrity, and availability of systems becoming compromised.

Customer Pain Points

Static keys are easily shared, lost, stolen and expose new threat vectors
from the cloud.


Static SSH credential management/secret vaults for cloud-native elastic infrastructure are complex and
error prone.

I’m not able to tie user identities to SSH activity using shared secrets and
shared accounts.


The Aporeto Solution


Granular least privilege access

Eliminates the pain of SSH credential management with ephemeral credentials tied to enterprise user identity.


Eliminate Secrets Management

Ephemeral certificates tied to enterprise identity eliminate sharing and storing secrets for cloud-native resources.



Audit and enforce least privilege access controls for user activity on any host, in any environment.


With Aporeto Cloud PAM, I have eliminated the need for SSH key management.

With Aporeto’s Cloud PAM, I have eliminated the need for SSH key management. I can leverage our identity provider to enable users with SSO authentication and authorization while maintaining control with just-in-time access to instances. All user activity is logged, simplifying Informatica’s ability to meet compliance, conduct audits and making my job a whole lot easier overall.

Alec Chattaway

Director Cloud Infrastructure Operations

Get Started with Aporeto Today!

Key Resources