Your AWS credentials should not live forever.

Static keys rot security from the inside. They linger in config files for months or years. They’re copied, shared, forgotten, and sometimes leaked. Every AWS breach story starts the same way—an old key left unrevoked. The fix is simple: stop giving them a chance to exist beyond the moment you need them.

AWS CLI-style profiles with Just-In-Time (JIT) access cut off that threat at the root. Instead of storing long-lived credentials in ~/.aws/credentials, you request short-lived sessions when you need them—and they vanish when you’re done. The profile name stays the same. The credentials change every time.

With JIT access, your workflow barely changes:

1. Request a new session.
2. Use the CLI with your named profile.
3. Expire and forget.

There’s no manual cleanup. No leftover secrets. No exposure in git commits or CI logs. Credential rotation stops being a chore and becomes the default state.

For teams, this means a locked door policy for AWS accounts. New engineers can get access in minutes without a ticket queue. Access can be revoked as fast as it was granted. Audit logs show who had keys and for how long—so there’s no question when an incident occurs.

The setup mirrors what you’re already using. Profiles are defined exactly as in AWS CLI. The difference is they don’t hold permanent secrets. The profile acts as a handle to obtain a temporary token from a trusted broker when needed. Every command uses fresh, scoped, and expiring credentials.

This isn’t just security theater. It’s real, enforced security that doesn’t slow work down. You eliminate one of the highest-risk elements in cloud operations with almost no friction.

If you want AWS CLI-style profiles with true Just-In-Time access running in your org today, you can. See it live in minutes with hoop.dev.