Standing AWS access is over. Get it just-in-time.
CloudGrant gives your developers time-boxed, approved, auto-expiring access to AWS — roles, accounts and permission sets granted on approval and automatically revoked the moment they expire. No more permanent admin. No more access that outlives the task.
CloudProof shows you who has too much access. CloudGrant takes it away — and hands it back, just-in-time, only when needed. CloudProof (our sister product) is read-only AWS compliance and audit evidence; its free "Access Review — by CloudGrant" surfaces over-privileged and standing access. CloudGrant is the product that fixes it: temporary, approved, self-expiring access.
Request. Approve. Auto-expire.
Least-privilege by default. Access exists only for the window it's needed, then it's gone — automatically, with a full record of who had what, when, and why.
Request
A developer requests access to a role, account or permission set — from Slack, the CLI, or the console — with a reason and a duration.
Approve
An approver gets a one-click request. Policy can auto-approve low-risk grants or require a human for sensitive ones.
Use
On approval, access is provisioned just-in-time — scoped to exactly what was asked for, nothing more.
Expire
When the window ends, CloudGrant revokes it automatically. No cleanup, no lingering privilege, no forgotten keys.
What we're building
An honest preview. We're building this in the open with our first teams — join the waitlist to help shape it.
Time-boxed access (building)
Every grant has an expiry. Access is provisioned on approval and revoked the moment its window closes — zero standing privilege.
Approval workflow (building)
Policy-driven approvals: auto-approve the routine, route the sensitive to a human. Approvers act in one click.
Auto-revocation (building)
Expiry is enforced server-side. Nothing is left behind in IAM, Identity Center, or your accounts.
Full audit trail (building)
Every request, approval, grant and revocation is recorded — tamper-evident evidence your auditor will accept.
Slack & CLI requests (building)
Request access where you already work. A Slack command or a single CLI call — no portal context-switch required.
Break-glass (building)
Emergency access with heightened logging and instant alerting, so an incident never means standing admin "just in case".
The same trust posture you expect from BuriCloud
Built for the platform/security engineer to adopt and the CISO to sign off on.
AWS-native
Works with IAM roles, AWS accounts and IAM Identity Center permission sets — no agents to install in your accounts.
Least-privilege
Default-deny. Access is the exception, scoped and time-boxed — never the standing baseline.
EU-hosted
Run in the EU with data residency that helps your own GDPR story — the same as our sister product.
Be first in line
We're onboarding the first teams soon. Leave your email and we'll reach out when early access opens.