{"id":14155833,"url":"https://github.com/SSHcom/privx-on-aws","last_synced_at":"2025-08-06T01:33:49.552Z","repository":{"id":36699341,"uuid":"227072410","full_name":"SSHcom/privx-on-aws","owner":"SSHcom","description":"PrivX - Just-in-time Access Management","archived":false,"fork":false,"pushed_at":"2024-08-23T14:33:35.000Z","size":4340,"stargazers_count":21,"open_issues_count":7,"forks_count":7,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-12-09T03:36:08.398Z","etag":null,"topics":["access-control","authentication","bastion","iam","identity","jumphost","pam","passwordless","passwordless-authentication","rdp","rdp-gateway","ssh","ssh-gateway","zero-trust"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SSHcom.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-10T08:58:59.000Z","updated_at":"2024-08-23T14:33:39.000Z","dependencies_parsed_at":"2024-02-16T11:31:42.251Z","dependency_job_id":"2ea9c928-6a04-4c92-8c6e-dbef1a877459","html_url":"https://github.com/SSHcom/privx-on-aws","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/SSHcom/privx-on-aws","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SSHcom%2Fprivx-on-aws","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SSHcom%2Fprivx-on-aws/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SSHcom%2Fprivx-on-aws/releases","manifests_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SSHcom%2Fprivx-on-aws/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SSHcom","download_url":"https://codeload.github.com/SSHcom/privx-on-aws/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SSHcom%2Fprivx-on-aws/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":269005371,"owners_count":24343375,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-05T02:00:12.334Z","response_time":2576,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-control","authentication","bastion","iam","identity","jumphost","pam","passwordless","passwordless-authentication","rdp","rdp-gateway","ssh","ssh-gateway","zero-trust"],"created_at":"2024-08-17T08:05:02.197Z","updated_at":"2025-08-06T01:33:49.065Z","avatar_url":"https://github.com/SSHcom.png","language":"TypeScript","funding_links":[],"categories":["others"],"sub_categories":[],"readme":"# PrivX - Just-in-time Access Management\n\n\n\u003e Available as Infrastructure as a Code on AWS for fast deployment.\n\nPrivX is a lean and modern privileged access management solution to automate your AWS, Azure and GCP infrastructure access management in one multi-cloud solution. 
While it offers a great cloud experience, you can also easily connect your on-prem infrastructure to it for single-pane-of-glass access control and monitoring. This project further simplifies the PrivX on-boarding experience with deployment automation using infrastructure as a code tooling.\n\n[![Build Status](https://api.travis-ci.org/SSHcom/privx-on-aws.svg?branch=master)](http://travis-ci.org/SSHcom/privx-on-aws)\n[![Coverage Status](https://coveralls.io/repos/github/SSHcom/privx-on-aws/badge.svg?branch=master)](https://coveralls.io/github/SSHcom/privx-on-aws?branch=master)\n[![Git Hub](https://img.shields.io/github/last-commit/SSHcom/privx-on-aws.svg)](http://github.com/SSHcom/privx-on-aws)\n[![Community](https://img.shields.io/badge/community-join-blue)](https://join.slack.com/t/privx-community/shared_invite/enQtNjM0NjYzMjU1NzkyLWJkYjNkYjViYTkyMjRjYWU0ZTM0MTQ5ZGIzODc5ZjNkNWU0ZmE5YjQ5ZDVhMmMxMmQyNGRlMGMyZTE0M2Y5NGE)\n\n\n## Inspiration\n\nHaving seen how permanent passwords and left-behind and forgotten SSH keys enable access to critical environments years after they were actually created and needed, we started the PrivX project in order to get rid of the passwords and keys – to get rid of any permanent access altogether. We wanted to build a solution that only grants access when it's needed \u0026 on the level needed. Later on, industry analysts coined this approach Just-in-Time-Access and the method Zero Standing Privileges (ZSP), as part of the larger Zero Trust trend of always (re-)verifying a user before any access is granted.\n\nPrivX automates the process of granting and revoking access by integrating \u0026 fetching identities and roles from your identity management system (LDAP, AD etc) and ensures your engineering and admin staff have one-click access to the right infrastructure resources at the right access level. 
You also get a full audit trail and monitoring - vital if you are handling sensitive data or, for example, opening access for third parties to your environment.\n\nLearn more about PrivX and **[get your trial license](https://www.ssh.com/products/privx/try-buy)**.\n\nTo learn how PrivX works, please check out this **[video](https://www.youtube.com/watch?v=Atps1AiATVs)**.\n\n**SSH experience**\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"./doc/privx-ssh-session.gif\" width=\"600\" /\u003e\n\u003c/p\u003e\n\n**RDP experience**\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"./doc/privx-rdp-session.gif\" width=\"600\" /\u003e\n\u003c/p\u003e\n\n## Getting Started\n\nThe latest version of Infrastructure as a Code is available on the `master` branch of the repository. All development, including new features and bug fixes, takes place on the `master` branch using forking and pull requests as described in contribution guidelines.\n\n\n### Requirements\n\n1. We are using [AWS CDK](https://github.com/aws/aws-cdk) and [TypeScript](https://github.com/microsoft/typescript) to code PrivX infrastructure components. You have to configure your environment with [node and npm](https://nodejs.org/en/download/) version 10.x or later and install required components.\n\n```bash\n## with brew on macOS\nbrew install node\n\n## then install CDK\nnpm install -g typescript ts-node aws-cdk\n```\n\n2. Obtain [access to target AWS Account](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html). You must be able to create and delete AWS resources.\n\n3. Obtain `subdomain`, `domain` name(s) and [configure AWS Route53 HostedZone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html). If you have a fresh AWS Account or are missing a domain name, you can [request one from AWS](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-register.html).\n\n\n### Deployments\n\nUse AWS CDK command line tools to deploy PrivX to your AWS Account. 
**Please note**, the process consists of multiple stages:\n\n```bash\n##\n## 1. clone privx-on-aws repository locally\ngit clone https://github.com/SSHcom/privx-on-aws\ncd privx-on-aws\n\n##\n## 2. pre-configure the deployment process by configuring the environment and\n##    installing dependent components\nexport AWS_ACCESS_KEY_ID=Your-Access-Key\nexport AWS_SECRET_ACCESS_KEY=Your-Secret-Key\nexport CDK_DEFAULT_ACCOUNT=Your-Account-Id\nexport CDK_DEFAULT_REGION=eu-west-1\nexport AWS_DEFAULT_REGION=eu-west-1\nnpm install\n\n##\n## 3. configure and bootstrap target AWS region with AWS CDK.\n##    Please note, the process requires the domain name here.\n##    The corresponding hosted zone must be properly configured, otherwise\n##    the deployment fails.\ncdk bootstrap aws://${CDK_DEFAULT_ACCOUNT}/${CDK_DEFAULT_REGION} \\\n  -c domain=example.com\n\n##\n## 4. deploy PrivX, you need to define a few variables here\n##    subdomain   unique name of your privx instance.\n##                DO NOT USE any non-alphabet characters including\n##                punctuation in the subdomain name\n##\n##    cidr        allocate unique class A network `cidr` block for AWS VPC\n##                default value 10.0.0.0/16 fits the majority of deployments\n##\n##    email       address to deliver CloudWatch alerts\n##\n##    sshkey      AWS SSH key pair to access PrivX instance for debugging\n##                purposes, keep empty to disable ssh access\n##                See more about ssh keys in the AWS documentation\n##                https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html\n##\ncdk deploy privx-on-aws \\\n  -c cidr=10.0.0.0/16 \\\n  -c subdomain=privx \\\n  -c domain=example.com \\\n  -c email=my.email@company.com \\\n  -c sshkey=aws-keypair-name\n```\n\nIn a few minutes, your own instance of the PrivX solution is available. 
Please check [**our playbook**](doc/playbook.md) or raise a [**GitHub issue**](https://github.com/SSHcom/privx-on-aws/issues) if you have **any trouble with the deployment** process. The deployment builds the entire [PrivX architecture](https://help.ssh.com/support/solutions/articles/36000205951-privx-architecture) in your AWS account.\n\n![architecture](doc/privx.png)\n\nOpen a Web browser with your fully qualified domain name, e.g. `https://privx.example.com`.\n\n\nThe login credentials for `superuser` are available in your AWS Account:\n1. Choose the right region\n2. Go to AWS Secrets Manager \u003e Secrets \u003e KeyVault...\n3. Scroll to the Secret value section\n4. Click Retrieve secret value\n\nIn the final step, please obtain a [**license code**](https://info.ssh.com/privx-free-access-management-software) to activate your environment.\n\n\n## Next Steps\n\n* [Getting Started with PrivX](https://help.ssh.com/support/solutions/articles/36000194728-getting-started-with-privx)\n* Learn more about [PrivX Users and Permissions](https://help.ssh.com/support/solutions/articles/36000194730-privx-users-and-permissions)\n* Check [Online Administrator Manual](https://help.ssh.com/support/solutions/folders/36000185818)\n* Read [our playbook](doc/playbook.md) for advanced deployment and configuration use-cases.\n\n## Bugs\n\nIf you experience any issues with the library, please let us know via [GitHub issues](https://github.com/SSHcom/privx-on-aws/issues). We appreciate detailed and accurate reports that help us to identify and replicate the issue.\n\n* **Specify** the configuration of your environment. Include which operating system you use and the versions of runtime environments.\n\n* **Attach** logs, screenshots and exceptions, if possible.\n\n* **Reveal** the steps you took to reproduce the problem, include a code snippet or links to your project.\n\n\n## How To Contribute\n\nThe project is [Apache 2.0](LICENSE) licensed and accepts contributions via GitHub pull requests:\n\n1. 
Fork it\n2. Create your feature branch (`git checkout -b my-new-feature`)\n3. Commit your changes (`git commit -am 'Added some feature'`)\n4. Push to the branch (`git push origin my-new-feature`)\n5. Create new Pull Request\n\nThe development requires TypeScript and AWS CDK\n\n```bash\nnpm install -g typescript ts-node aws-cdk\n```\n\n```bash\ngit clone https://github.com/SSHcom/privx-on-aws\ncd privx-on-aws\n\nnpm install\nnpm run build\nnpm run test\nnpm run lint\n```\n\n## License\n\n[![See LICENSE](https://img.shields.io/github/license/SSHcom/privx-on-aws.svg?style=for-the-badge)](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSSHcom%2Fprivx-on-aws","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSSHcom%2Fprivx-on-aws","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSSHcom%2Fprivx-on-aws/lists"}