AWS
Password Rotation in the AWS Environment

Overview
In this section, you will learn how to rotate user credentials within the AWS Cloud environment across various target systems and services.
KeeperPAM Record Types
Configurations for your AWS environment are defined in the PAM Configuration section of Keeper Secrets Manager. Keeper uses the IAM instance role attached to the EC2 instance on which the Gateway is installed to authenticate to AWS and perform rotation. If no instance role is attached, an AWS Access Key ID and Secret Access Key can instead be stored in the PAM Configuration record to authenticate and perform rotations.
Configurations for managed resources like EC2, RDS, and Directory Services are defined in the PAM Machine, PAM Database, and PAM Directory record types. The following table shows the supported AWS managed resources with KeeperPAM and their corresponding PAM Record Type:

AWS Managed Resource    PAM Record Type
EC2                     PAM Machine
RDS                     PAM Database
Directory Service       PAM Directory
Configurations for directory users or IAM users are defined in the PAM User record type.
Prerequisites
To successfully rotate IAM User accounts or EC2 local user accounts, the Keeper Gateway needs to have the necessary AWS role policies with the permissions for performing the password rotation.
See the AWS environment setup guide for more information.
If you are not using EC2 instance role policies, the following values are needed in the PAM Configuration:
Access Key ID
    The Access Key ID of the desired Access Key found in the IAM User account.
    Set this field to USE_INSTANCE_ROLE if the gateway is deployed to an EC2 Instance that supports instance roles.

Secret Access Key
    The Secret Access Key of the desired Access Key found in the IAM User account.
    Set this field to USE_INSTANCE_ROLE if the gateway is deployed to an EC2 Instance that supports instance roles.
The Keeper Gateway will always first attempt to use the EC2 instance role to authenticate and perform the rotation. If this fails or is not available on the machine, Keeper will use the Access Key ID and Secret Access Key stored in the PAM Configuration.
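The selection order described above (instance role first, then the keys in the PAM Configuration, with USE_INSTANCE_ROLE as a sentinel) as an added example. This is illustrative code, not the Keeper Gateway's own implementation; the PamConfiguration class, the choose_credentials function and the instance_role_available probe are assumptions introduced here.

```python
"""Credential-source selection for AWS rotation, modelled on the order the page
describes. Constructed example; not Keeper's code."""
from dataclasses import dataclass
from typing import Callable, Optional

# Sentinel the PAM Configuration fields use to request the EC2 instance role.
USE_INSTANCE_ROLE = "USE_INSTANCE_ROLE"


@dataclass(frozen=True)
class PamConfiguration:
    """The two PAM Configuration fields relevant to authentication (assumed shape)."""
    access_key_id: str
    secret_access_key: str


@dataclass(frozen=True)
class CredentialChoice:
    source: str                              # "instance_role" or "access_key"
    access_key_id: Optional[str] = None
    secret_access_key: Optional[str] = None


def instance_role_available() -> bool:
    """Hypothetical probe (assumption). A real gateway would query the EC2
    instance metadata service; this stand-in reports that no role is attached."""
    return False


def choose_credentials(config: PamConfiguration,
                       probe: Callable[[], bool] = instance_role_available) -> CredentialChoice:
    """Return the credential source to use, in the page's order:
    1. EC2 instance role, if the machine has one;
    2. otherwise the Access Key ID / Secret Access Key from the PAM Configuration."""
    if probe():
        return CredentialChoice(source="instance_role")
    key_id = config.access_key_id.strip()
    secret = config.secret_access_key.strip()
    # The operator asked for the instance role but this machine has none:
    # fail loudly rather than sending the literal sentinel to AWS as a key.
    if USE_INSTANCE_ROLE in (key_id, secret):
        raise RuntimeError("PAM Configuration is set to USE_INSTANCE_ROLE "
                           "but no instance role is available on this machine")
    if not key_id or not secret:
        raise RuntimeError("no instance role and no Access Key ID / "
                           "Secret Access Key in the PAM Configuration")
    return CredentialChoice(source="access_key",
                            access_key_id=key_id, secret_access_key=secret)
```

The two failure branches are the cases worth alerting on from gateway logs: a rotation that cannot authenticate at all, and a configuration that still carries the sentinel after the gateway was moved off EC2.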
Setup Steps
At a high level, the following steps are needed to successfully rotate passwords in your AWS environment:
1. Create Shared Folders to hold the PAM records involved in rotation
2. Create PAM Machine, PAM Database and PAM Directory records representing each resource
3. Create PAM User records that contain the necessary account credentials for each resource
4. Link the PAM User record to the PAM Resource record
5. Assign a Secrets Manager Application to all of the shared folders that hold the PAM records
6. Install a Keeper Gateway and add it to the Secrets Manager application
7. Create a PAM Configuration with the AWS environment setting
8. Configure Rotation settings on the PAM User records
Use Cases