Difference Between Policy Types

What Are EZSSH Policies

EZSSH makes it easy to manage access to your SSH endpoints: it uses your corporate identity to seamlessly create SSH certificates and connect you to the desired endpoint, without any changes to the endpoint or input from the user. To create this experience, however, EZSSH needs to know who in your organization has access to which endpoints. We do this with Access Policies. A policy states who has auto-approved access, who needs someone else to approve their access, and who is authorized to approve requests.

EZSSH offers two types of policies: Hybrid Policies and Azure Policies. The main difference between the two of them is that Azure Policies are assigned an Azure scope and can automatically detect new Azure VMs in the scope and add them to the policy.

Hybrid Policy

Hybrid Policies are great for all your endpoints that are not in Azure. The policy lets you manually add the endpoints that you want to grant access to, and lets you download either a cloud-init script to set up new cloud endpoints to accept the policy's certificates, or a bash script to run on existing SSH endpoints to add the policy's CA as a trusted SSH certificate issuer. This policy lets you give access to Azure Active Directory objects by adding groups, or by adding a user or service principal directly.
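The bash script mentioned above is EZSSH's own and is not reproduced on this page. As an added example (not EZSSH's script), the following shows the generic OpenSSH mechanism such a script relies on: storing the policy CA's public key on the endpoint and pointing sshd's `TrustedUserCAKeys` directive at it. Paths are parameters so you can try it in a scratch directory first; the file name `policy_ca.pub` and the `--demo` switch are assumptions of this example, and the demo CA is a throwaway key generated on the spot.

```shell
#!/usr/bin/env bash
# Added example (not the EZSSH-provided script): trust an SSH CA on an endpoint
# by installing its public key and pointing sshd's TrustedUserCAKeys at it.
# All paths are parameters so the functions can be exercised against a scratch
# directory before touching /etc/ssh.
set -euo pipefail

# install_trusted_ca CA_PUBKEY_LINE SSHD_CONFIG CA_FILE
#   CA_PUBKEY_LINE  the CA public key in authorized_keys form: "ssh-ed25519 AAAA... comment"
#   SSHD_CONFIG     sshd_config to update (normally /etc/ssh/sshd_config)
#   CA_FILE         where the CA key is stored (e.g. /etc/ssh/policy_ca.pub, an assumed name)
install_trusted_ca() {
  local ca_line="$1" sshd_config="$2" ca_file="$3"

  # Reject anything that is not an OpenSSH public-key line: an empty or malformed
  # CA file makes sshd trust no certificates, which is a hard-to-diagnose outage.
  case "$ca_line" in
    ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
    *) echo "install_trusted_ca: not an OpenSSH public key line" >&2; return 1 ;;
  esac

  # Append the key only if it is not already present, so re-running is safe.
  touch "$ca_file"
  grep -qxF "$ca_line" "$ca_file" || printf '%s\n' "$ca_line" >> "$ca_file"
  chmod 0644 "$ca_file"

  # sshd honours the FIRST TrustedUserCAKeys it reads, so rewrite an existing
  # directive in place (dropping later duplicates) instead of appending a second
  # one that would silently be ignored.
  touch "$sshd_config"
  if grep -qiE '^[[:space:]]*TrustedUserCAKeys[[:space:]]' "$sshd_config"; then
    local tmp
    tmp=$(mktemp)
    awk -v f="$ca_file" '
      tolower($1) == "trustedusercakeys" { if (!done) { print "TrustedUserCAKeys " f; done = 1 }; next }
      { print }' "$sshd_config" > "$tmp"
    cat "$tmp" > "$sshd_config"   # cat, not mv, keeps the file's owner and mode
    rm -f "$tmp"
  else
    printf 'TrustedUserCAKeys %s\n' "$ca_file" >> "$sshd_config"
  fi
}

# trusted_ca_path SSHD_CONFIG: print the CA file sshd will actually use (first directive wins).
trusted_ca_path() {
  awk 'tolower($1) == "trustedusercakeys" { print $2; exit }' "$1"
}

# ca_key_count CA_FILE: number of issuer keys the endpoint trusts. Every key in this
# file can mint certificates accepted by the host, so the list deserves periodic review.
ca_key_count() {
  grep -cE '^(ssh-|ecdsa-)' "$1" || true
}

# Demo against a scratch directory: generates a throwaway CA with ssh-keygen and
# installs it twice to show the operation is idempotent.
if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  ssh-keygen -q -t ed25519 -N '' -C 'demo-policy-ca' -f "$work/ca"
  install_trusted_ca "$(cat "$work/ca.pub")" "$work/sshd_config" "$work/policy_ca.pub"
  install_trusted_ca "$(cat "$work/ca.pub")" "$work/sshd_config" "$work/policy_ca.pub"
  echo "sshd would trust: $(trusted_ca_path "$work/sshd_config")"
  echo "trusted issuer keys: $(ca_key_count "$work/policy_ca.pub")"
  cat "$work/sshd_config"
fi
```

Run it with `--demo` to see the scratch result. On a real endpoint you would call `install_trusted_ca` against `/etc/ssh/sshd_config`, validate with `sshd -t` and then reload sshd. Note that `TrustedUserCAKeys` only establishes which issuer is trusted; which user names a given certificate may log in as is still decided by the principals embedded in the certificate (and by `AuthorizedPrincipalsFile`, if configured), so reviewing both the CA list and the principals policy is part of keeping the endpoint's access model intact.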

Azure Policy

An Azure Policy requires EZSSH to have access to your Azure subscription or resource group; it automatically detects the endpoints in that scope and adds them to the policy. This policy type also offers the option of automatically adding the policy's certificate to the existing endpoints. It offers the same access management as the Hybrid Policy. However, we understand that organizations might already have complex identity management systems governing their access to Azure resources, using tools such as Azure PIM. That is why Azure Policies also have the option of granting access based on the RBAC role assignments found on that resource, so that Azure and EZSSH access management work together.