Sold by: Sonrai Security
Deployed on AWS
Free Trial
Vendor Insights
AWS Free Tier
The Sonrai Cloud Permissions Firewall brings cloud access under control by automating least privilege enforcement through AWS-native policies, including Service Control Policies (SCPs) and Resource Control Policies (RCPs). It continuously analyzes permission usage to apply centralized, default-deny guardrails without slowing DevOps. With one click, unused sensitive permissions are restricted across your cloud environment, while just-in-time permission exceptions are automatically granted as new needs arise-keeping teams productive and secure.
4.6
Overview
Get control of your cloud access by removing excessive permissions and unused services. The Sonrai Cloud Permissions Firewall transforms your cloud into a platform-wide state of least privilege and continuously maintains that state as usage expands across teams and cloud providers. Using AWS-native control plane policies-including Service Control Policies (SCPs) and Resource Control Policies (RCPs)-the solution enforces centralized, default-deny guardrails without slowing DevOps. With the Cloud Permissions Firewall, you significantly reduce the opportunity for attackers to steal sensitive data, disrupt business operations, or hijack your cloud once they gain a foothold.
How does it work?
The Cloud Permissions Firewall is powered by deep permission usage intelligence that understands how human and machine identities actually operate-and which sensitive permissions they truly need.
Using AWS-native policies such as SCPs and RCPs, Sonrai applies sweeping, global default-deny controls across your cloud environment. Excessive permissions are restricted, unused services are locked down, and dormant zombie identities are quarantined-without impacting workloads that rely on active access.
When access needs arise, a frictionless Just-in-Time workflow automatically routes a request to the appropriate approver. Once approved, the underlying AWS policy is updated in real time to allow access, ensuring developers and operators get what they need quickly while maintaining least privilege and zero trust.
The Cloud Permissions Firewall enables you to secure with confidence, accelerate productivity, and eliminate the time and risk associated with manually designing and managing cloud policies.
Note: AWS customers must use AWS Organizations to deploy the Cloud Permissions Firewall, as enforcement relies on organization-level AWS-native policies such as SCPs and RCPs.
Highlights
- Instant Risk Reduction: After your teams deploy the global policies in one-click, your attack surface is immediately reduced with quarantined zombie identities, restricted excessive permissions, and disabled unused services and regions.
- Global Default Deny Without Disruption: Receive large-scale protection without restricting anything your identities actually need. As new identities appear in your cloud, the deny policy applies by default making least privilege continuous and sustainable.
- ChatOps and ITSM Integration: No need to learn new tools or change your pre-existing workflows. The Cloud Permissions Firewall integrates with Slack, Google Teams, Email, Jira, ServiceNow, and more.
Details
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Skip the manual risk assessment. Get verified and regularly updated security info on this product with Vendor Insights.
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Free trial
Try this product free according to the free trial terms set by the vendor.
Pricing is based on the duration and terms of your contract with the vendor, and additional usage. You pay upfront or in installments according to your contract terms with the vendor. This entitles you to a specified quantity of use for the contract duration. Usage-based pricing is in effect for overages or additional usage not covered in the contract. These charges are applied on top of the contract price. If you choose not to renew or replace your contract before the contract end date, access to your entitlements will expire.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Description | Cost/12 months | Overage cost |
|---|---|---|---|
Sonrai Cloud Permissions Firewall - Enterprise Annual [Standard Support] | Enterprise Edition Standard Support - 25 Account Bundle | $37,500.00 | |
Sonrai Cloud Permissions Firewall - Enterprise Annual [Premium Support] | Enterprise Edition Premium Support - 25 Account Bundle | $45,000.00 | |
Sonrai Cloud Permissions Firewall - Starter Annual [Basic Support] | Starter Edition - 10 Account Bundle | $10,690.00 |
Dimension | Description | Cost/unit |
|---|---|---|
Sonrai Cloud Permissions Firewall | Sonrai Cloud Permissions Firewall - Enterprise Monthly Overage | $200.00 |
Vendor refund policy
All fees are non-cancellable and non-refundable except as required by law.
Custom pricing options
Request a private offer to receive a custom quote.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Resources
Support
Vendor support
The Sonrai Cloud Permissions Firewall - Starter Edition Support
Sonrai shall provide customer support to Company by email and the Sonrai support portal. Email: support@sonraisecurity.com Sonrai support is available during the hours of 9am-5pm ET, Monday through Friday and excluding public holidays. Customer response time is up to one (1) business day.
The Sonrai Cloud Permissions Firewall - Enterprise Edition Support
Standard Support for Enterprise (included) Sonrai shall provide customer support to Company by email, phone, chat, and the Sonrai support portal. Email: support@sonraisecurity.com Sonrai support is available during the hours of 9am-5pm ET, Monday through Friday and excluding public holidays. Customer response time varies from (1) hour to (1) business day depending on severity of ticket.
Premium Support for Enterprise (additional fee) Sonrai shall provide 24x7 customer support to Company by email, phone, chat, and the Sonrai support portal. Email: support@sonraisecurity.com . Sonrai support is available 24/7, 365 days per year through Jira Service Desk and Slack(when enabled). Normal response time to tickets is within four (4) hours during business hours (9am-5pm ET), 12 hours on evenings, 24 hours on weekends. Severity 1 issues are prioritized 24/7 and are escalated immediately when reported.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Updated weekly
By Sonrai Security
By BeyondTrust Corporation
By CyberArk
Sentiment is AI generated from actual customer reviews on AWS and G2
Functionality
Ease of use
Customer service
Cost effectiveness
Positive reviews
Mixed reviews
Negative reviews
AI generated from product descriptions
Permission Management
"Automated least privilege enforcement using AWS-native policies including Service Control Policies (SCPs) and Resource Control Policies (RCPs)"
Identity Analysis
"Continuous deep analysis of permission usage across human and machine identities to understand actual operational requirements"
Access Control
"Default-deny guardrails that dynamically restrict excessive permissions and unused services without disrupting active workloads"
Just-in-Time Access
"Frictionless workflow for automatically routing and approving access requests with real-time AWS policy updates"
Security Governance
"Centralized policy enforcement mechanism that quarantines dormant identities and eliminates manual cloud policy management"
Identity Threat Detection
Advanced discovery and intelligence system for detecting identity-based threats across infrastructure
Privileged Access Management
Comprehensive control and management of privileged passwords, accounts, credentials, and sessions for human and machine identities
Remote Access Security
Granular control, management, and auditing of privileged remote access for employees, vendors, developers, and cloud operations engineers
Endpoint Privilege Control
Dynamic least privilege enforcement across Windows, macOS, Linux, and mobile platforms to prevent malware and unauthorized access
Cloud Entitlement Management
Cross-cloud visibility of access permissions, detection of account permission anomalies, and guidance for privilege optimization
Zero Standing Privileges
Dynamically provisions temporary, session-based access across multi-cloud environments without persistent permissions
Attribute-Based Access Control
Implements granular permission management based on identity, role, and contextual attributes for secure access
Multi-Cloud Integration
Supports unified access management across AWS, Azure, and GCP cloud environments with native tool compatibility
Just-in-Time Access Model
Enables on-demand, time-limited access to cloud resources with automated entitlement and approval workflows
Identity Security Framework
Provides layered identity-based controls to prevent unauthorized access and reduce credential exposure risks
Standard contract
No
No
No
Customer reviews
Information Technology and Services
A fix for untamed privileges in AWS
Reviewed on Aug 12, 2025
Review provided by G2
What do you like best about the product?
Sonrai's analytics, policies, and quarantine workflows let us lock down excessive permissions in a controlled, risk-aware way. It’s different from our other visibility tools, it’s enforcement. The ability to target unused or risky privileges and act instantly is a huge leap forward for cloud IAM.
What do you dislike about the product?
There’s a learning curve if you want to go deep on advanced configuration, but the Sonrai team supports you well through onboarding.
What problems is the product solving and how is that benefiting you?
We needed a way to implement least privilege, remove unused permissions, and secure high-risk identities in AWS. Sonrai replaces what AWS and traditional PAM tools can’t do. We now have automated control over everything from human users to machine identities to third-party access.
It’s real cloud PAM—not a bolt-on or a siloed tool. It helps our team address identity risks in AWS at scale without slowing down developers. It’s fast, clean, and flexible.
It’s real cloud PAM—not a bolt-on or a siloed tool. It helps our team address identity risks in AWS at scale without slowing down developers. It’s fast, clean, and flexible.
Insurance
AWS IAM Controls made Easy
Reviewed on Aug 11, 2025
Review provided by G2
What do you like best about the product?
The overall workflow was amazing start to finish when it was protecting services and identities, it made sense what/how/when things were happening.
The Setup was clear and well thought out, can deploy a top to bottom protection in a few hours.
The Customer Service was always top notch and would quickly evaluate the issue with a zoom call within a quick SLA.
The Setup was clear and well thought out, can deploy a top to bottom protection in a few hours.
The Customer Service was always top notch and would quickly evaluate the issue with a zoom call within a quick SLA.
What do you dislike about the product?
The UI was a bit tricky to navigate, when mass updating settings, it would reset or clear filters and reload the screen constantly. Future versions or deployments can easy fix that issue.
Deploying changes took a long time, would have to iterate the whole stack versus the one item you were updating, but I believe that was already on a release branch.
Deploying changes took a long time, would have to iterate the whole stack versus the one item you were updating, but I believe that was already on a release branch.
What problems is the product solving and how is that benefiting you?
From my perspective, it was controlling Identity with 1 plane of glass. Roles/Users/Policies all being controlled for all of the AWS Accounts. Made changes and updates simple. Easy to lock down a service/Account very quick and effective. With the ability to revert just as easy.
Muthuraj G.
Cloud PAM That Actually Works
Reviewed on Aug 11, 2025
Review provided by G2
What do you like best about the product?
Sonrai’s Cloud Permissions Firewall delivered the speed and simplicity we were looking for—along with real, immediate results. Deployment was quick, and within minutes, we saw it in action, automatically cleaning up thousands of unused privileges across our AWS environment. The interface is user-friendly, the controls are powerful, and it’s easy to navigate and master. We especially appreciate how fast it was to get started and how it simplifies securing our environment without requiring manual effort. It’s the first PAM solution we've encountered that truly matches the speed and agility that cloud teams demand.
What do you dislike about the product?
There were a couple of minor display bugs during early testing, though the Sonrai team responded with speed and delivered fixes. They’ve been transparent and proactive in regard to resolving any edge cases.
What problems is the product solving and how is that benefiting you?
Our biggest challenge was managing privileged human access—users were accessing resources and permissions we couldn’t fully see or control. Sonrai’s Cloud Permissions Firewall addressed this by removing unused privileges and replacing always-on access with just-in-time access. Now, access is granted only when needed and only after proper approval. As a result, our attack surface has been significantly reduced by eliminating unnecessary privileges and identities.
We also appreciate the flexibility Sonrai offers—it can be deployed broadly or targeted precisely where needed, thanks to its granular controls and customizable enforcement levels. Integration with Teams makes it easy for users and approvers to manage access in real time, while detailed session summaries give us visibility into activities we previously missed.
We also appreciate the flexibility Sonrai offers—it can be deployed broadly or targeted precisely where needed, thanks to its granular controls and customizable enforcement levels. Integration with Teams makes it easy for users and approvers to manage access in real time, while detailed session summaries give us visibility into activities we previously missed.
Brendan P.
IAM simplified
Reviewed on Aug 08, 2025
Review provided by G2
What do you like best about the product?
I discovered Sonrai Security at AWS re:inforce 2024, and within 15 minutes, I had a full POC set up in AWS and running—nothing fancy, just smooth and effective. From day one, it’s filled a critical gap in our access protections.
Here’s what sticks out:
Effortless Least Privilege via Cloud Permissions Firewall: One click and it quarantines zombie roles, disables unused services and regions, and tightens permissions across the entire cloud estate—without breaking anything.
Third-party Tracking and Management: In a single screen, I can track every ISV with access to my cloud, understand if their roles use best practice protections, and disable them with a single click for later cleanup. Better is that I can prevent unapproved new access by setting the default action to block.
Super-simple Permissions-on-Demand — When someone needs access, it’s a seamless ChatOps workflow that grants just what is required, only when it’s needed. No more standing permissions, no Jira tickets for role increase, and a simple audit trail of yes/no approvals with time constraints sent easily directly to the people who need to approve.
Just-in-Time (JIT) Access with AI-powered summaries: This is the next level. Pulling temporary elevated access only when needed, policy-enforced, and fully auditable. With integration into Amazon Bedrock, each privileged session generates a concise, human-readable summary. For businesses in regulated industries, it's the perfect auditing solution for user access.
Genuine usability and visibility: G2 users say it best: “Sonrai gave us unparalleled visibility and control over identity governance and cloud permissions,” and “the solution is very easy to use and implementation was also quick.”
In short, what I appreciate most is how Sonrai simplifies complex security challenges (and how I never have to write another SCP!). It’s powerful and intelligent, but never heavy. It just works.
Here’s what sticks out:
Effortless Least Privilege via Cloud Permissions Firewall: One click and it quarantines zombie roles, disables unused services and regions, and tightens permissions across the entire cloud estate—without breaking anything.
Third-party Tracking and Management: In a single screen, I can track every ISV with access to my cloud, understand if their roles use best practice protections, and disable them with a single click for later cleanup. Better is that I can prevent unapproved new access by setting the default action to block.
Super-simple Permissions-on-Demand — When someone needs access, it’s a seamless ChatOps workflow that grants just what is required, only when it’s needed. No more standing permissions, no Jira tickets for role increase, and a simple audit trail of yes/no approvals with time constraints sent easily directly to the people who need to approve.
Just-in-Time (JIT) Access with AI-powered summaries: This is the next level. Pulling temporary elevated access only when needed, policy-enforced, and fully auditable. With integration into Amazon Bedrock, each privileged session generates a concise, human-readable summary. For businesses in regulated industries, it's the perfect auditing solution for user access.
Genuine usability and visibility: G2 users say it best: “Sonrai gave us unparalleled visibility and control over identity governance and cloud permissions,” and “the solution is very easy to use and implementation was also quick.”
In short, what I appreciate most is how Sonrai simplifies complex security challenges (and how I never have to write another SCP!). It’s powerful and intelligent, but never heavy. It just works.
What do you dislike about the product?
Nothing. Not only is Sonrai a fantastic product that plugs a unique gap, but the team is incredibly dedicated and responsive to their customers. They take our feedback, and the next thing we know, they deliver those features.
What problems is the product solving and how is that benefiting you?
Sonrai security took what would have been an extremely complex challenge for my team of just even observing access controls in my AWS organization and provided a way for me to easily resolve those issues. Its literally a problem I wouldnt have been able to solve without significantly increased headcount and probably a year of dedicated effort. Instead I was able to scope AWS services and regions, quarantine zombie roles, identify and clean overly permissioned roles, and manage my third-party ISV access with literally a few clicks in their UI. Its that powerful while also allowing me to scope at various levels for Org, OU, and Account.
To accomplish the same thing of just the cleanup would have been somewhere between monumental and insurmountable, but not only have i solved the cleanup issue, its ongoing protection without my team having to worry about writing AWS SCPs and potentially breaking production.
To accomplish the same thing of just the cleanup would have been somewhere between monumental and insurmountable, but not only have i solved the cleanup issue, its ongoing protection without my team having to worry about writing AWS SCPs and potentially breaking production.
Prashanth G.
A significant breakthrough in fixing privileges in the cloud.
Reviewed on Aug 07, 2025
Review provided by G2
What do you like best about the product?
Sonrai's Cloud Permissions Firewall is purpose-built for cloud environments, avoiding the limitations of legacy access management solutions retrofitted for cloud use. It delivers low-latency performance with minimal deployment overhead and enables rapid, just-in-time provisioning for high-sensitivity roles.
What do you dislike about the product?
The only challenge we encountered was aligning initial permission set mappings within AWS Identity Center. Fortunately, the support team was highly responsive and quickly provided clear guidance to resolve the issue.
What problems is the product solving and how is that benefiting you?
Standing privileges, stale admin roles, and zombie accounts have consistently posed challenges for us. These common issues were quickly eliminated with Sonrai’s PAM approach. Access is now governed through policy-based controls, with approval workflows integrated directly into Microsoft Teams—our existing collaboration platform. This allows us to maintain agility without compromising auditability, control, or visibility.