Setting up KeeperPAM for Discovery
In this guide, you will learn how to discover resources within your target infrastructure using Discovery.
Prior to using Discovery, make sure to have the following:
An active license of KeeperPAM
Activate on the Admin Console to enable discovery
Deploy a using the latest version
On the Admin Console, the following Enforcement Policies affect the user's ability to run Discovery jobs.
Discovery can also be enabled on the using the enterprise-role command:
The is a service that is installed on the customer's network to enabled zero-trust access to target infrastructure. This service is installed on a Docker, Linux or Windows environment in each of the networks under management.
Before running a Discovery job, it is recommended to create records for any administrative credentials you expect to use. Save these credentials as PAM User record types within the Shared Folder that is associated with your Application and Keeper Gateway.
To get started with Discovery, you need a set up for your target infrastructure. The PAM Configuration directs the discovery process where to locate resources.
Local network discovery utilize a CIDR for scanning. In order for discovery to locate a resource, it must be listening on the required port. Below is the PAM Configuration data required for a successful discovery.
AWS discovery makes use of whatever AWS Role Policies have been granted to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.
In order for the Keeper Gateway to discover an AWS resource, it must be able to communicate to the target over standard ports (e.g. port 22 for SSH, 3389 for RDP, etc). If a non-standard port is being used, this needs to be specified in the PAM Configuration. Discovery will only add the resources to the Keeper vault if it can successfully communicate over the port. Adjust your security groups as necessary to allow this.
Below is the PAM Configuration data required for a successful discovery.
Azure discovery makes use of whatever permissions have been granted to the role assigned to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.
In order for the Keeper Gateway to discover an Azure resource, it must be able to communicate to the target over standard ports (e.g. port 22 for SSH, 3389 for RDP, etc). If a non-standard port is being used, this needs to be specified in the PAM Configuration. Discovery will only add the resources to the Keeper vault if it can successfully communicate over the port. Adjust your Network Security Groups as necessary to allow this.
Below is the PAM Configuration data required for a successful discovery.
The basic workflow for running Discovery jobs is the following:
Set up a Keeper Gateway with associated Shared Folders
Populate the shared folders with any administrative credentials as PAM User record types
Run a discovery job on the target infrastructure
Process the results to discover PAM Machine, PAM Databases and PAM Directory resources
Keeper will discover Resources and associated user accounts in the following resources:
PostgreSQL
MySQL
MariaDB
Microsoft SQL Server
Linux
Windows
Active Directory
LDAP
Local users
Domain users
Virtual Machines
Directories and directory users
IAM users
Databases
Virtual Machines
Directories and directory users
IAM users
Databases
When discovery is performed on a Windows machine, Keeper will automatically determine if a PAM User should be directly associated with any running services or scheduled tasks. When rotation is performed on any user accounts, Keeper will then update the Windows service account "log on as" credentials for any Windows services running as the PAM User, and restart the service. Keeper will also update the credential of any scheduled task running as that user on the target machine.
To learn more and set up this capability, see the page.
After a Discovery process has been completed, you can edit the vault records to activate advanced features such as , , and .
Port Mapping
If non-standard ports are being used, this ensures that discovery will find the resources.
Example: ssh=2222 rdp=3390
The UUID of the subscription (i.e. Pay-As-You-GO).
Required
Tenant ID
The UUID of the Azure Active Directory
Required
Resource Groups
A list of resource groups to be checked. If left blank, all resource groups will be checked. Newlines should separate each resource group.
Run additional discovery jobs to locate user accounts within each found resource, utilizing credentials provided to the job.
MongoDB
Can run discovery
Allow users to run discovery jobs
Network ID
Unique ID for the network
This is for the user's reference
Ex: My Network
Network CIDR
Subnet of the IP address
Ex: 192.168.0.15/24
learn more about CIDR
Port Mapping
If non-standard ports are being used, this ensures that discovery will find the resources.
Example: ssh=2222 rdp=3390
AWS ID
Identifier selected by user
This is just used for reference.
Access Key ID
Access Key only when required
If instance role is applied to the Gateway, this is not required.
Secret Access Key
Secret Key only when required
If instance role is applied to the Gateway, this is not required.
Region Names
A list of AWS region names separated by newlines. Discovery will only find resources that match.
Example: us-west-1 us-east-2
Azure ID
A unique id for your instance of Azure
Required, This is for the user's reference
Ex: Azure-1
Client ID
The application/client id (UUID) of the Azure application
Required
Client Secret
The client credentials secret for the Azure application
Required
Subscription ID
ALLOW_PAM_DISCOVERYenterprise-role "My Role" --enforcement "ALLOW_PAM_DISCOVERY":true