# Deploying KeeperPAM in Air-Gapped Environments

#### Overview

Keeper Privileged Access Management (KeeperPAM) provides centralized management of privileged credentials and access to protected systems.

This document describes how KeeperPAM can be deployed in environments with restricted network connectivity, including environments commonly described as air-gapped. It also outlines the infrastructure requirements necessary for KeeperPAM to operate within supported parameters.

Currently, **KeeperPAM requires AWS cloud infrastructure** to function.

#### Air-Gapped Environment Considerations

An air-gapped environment is typically defined as an environment with limited or controlled connectivity to external networks.

KeeperPAM does not support fully disconnected or offline deployments. Network connectivity between customer-deployed PAM components and Keeper-managed cloud services is required for normal operation.

Environments with restricted or tightly controlled network access may be supported, provided that the required connectivity is available.

#### Architecture Overview

KeeperPAM uses a cloud-based architecture where core services are hosted and managed by Keeper Security.

Customer environments deploy PAM components that interact with protected systems and communicate with Keeper cloud services.

At this time, AWS is the only supported cloud provider for KeeperPAM backend services.

<div data-with-frame="true"><figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FFRe0tPjrgvBiqT3leJVX%2FAirgappedEnv.drawio.svg?alt=media&#x26;token=12a493bb-27ab-453c-9ede-901434eacdf7" alt=""><figcaption><p>Architecture Overview</p></figcaption></figure></div>

#### Infrastructure Requirements

**Keeper Cloud Services**

KeeperPAM relies on Keeper Security cloud services hosted in AWS. These services are required for the operation of the product and are managed by Keeper Security. Customers do not deploy or manage these cloud services.

**Customer-Deployed PAM Components**

Customer environments deploy KeeperPAM components that:

* Interact with protected systems within the environment
* Communicate with Keeper cloud services hosted in AWS

These components must have network connectivity to the Keeper cloud in order to function.

**Network Connectivity Requirements**

For KeeperPAM to operate within supported parameters, the following connectivity requirements must be met:

* Network connectivity from customer-deployed PAM components to Keeper cloud services hosted in AWS
* Connectivity sufficient to allow required communication between PAM components and Keeper cloud services

Fully offline or disconnected environments are not supported.

**Deployment in Restricted Network Environments**

KeeperPAM may be deployed in environments with restricted or controlled network access, provided that required connectivity to AWS-hosted Keeper services is available.

Deployments that prohibit all external network connectivity are not supported at this time.
