
PAM Configuration

Creating a PAM Configuration in the Keeper Vault

Overview

In Keeper, the PAM Configuration contains essential information about your target infrastructure, its settings and the associated Keeper Gateway. We recommend setting up one PAM Configuration for each Gateway and network being managed.

Creating PAM Configuration

To create a new PAM Configuration:

  • Login to the Keeper Vault

  • Select Secrets Manager and the "PAM Configurations" tab

  • Click on "New Configuration"

PAM Configuration Fields

When setting up the PAM Configuration, you have the option of choosing one of the following environments:

  • Local Network

  • AWS

  • Azure

  • Domain Controller

The following table provides more details on each configurable field in the PAM Configuration record, regardless of the environment you choose:

  • Title: Name of the PAM configuration record. Ex: US-EAST-1 Config

  • Gateway: The configured gateway. See docs for more info.

  • Application Folder: The shared folder where the PAM Configuration data will be stored. Best practice is to create a folder with limited access to admins. See Security Note (1) below.

  • PAM Settings: List of Zero-Trust KeeperPAM features that should be enabled. See this section for more info.

  • Default Rotation Schedule: Specify the frequency of rotation. Ex: Daily

  • Port Mapping: Define alternative default ports. Ex: 3307=mysql. See the port mapping docs.

Security Note (1) The PAM Configuration information is stored as a record in the vault inside the specified Application Folder and may contain secrets. Therefore, we recommend that the Application Folder should be limited in access to only privileged admins.

The following tables provide more details on each configurable field in the PAM Network Configuration record, based on the environment you chose:

Local Network Environment

  • Network ID: Unique ID for the network. This is for the user's reference. Ex: My Network

  • Network CIDR: Subnet of the IP address. Ex: 192.168.0.15/24. Refer to this for more info.

AWS Environment

  • AWS ID: A unique id for the instance of AWS. Required; this is for the user's reference. Ex: AWS-US-EAST-1

  • Access Key ID: The Access Key ID of the desired access key from an IAM user account. Leave empty when an EC2 instance role is assumed.

  • Secret Access Key: The secret key for the access key. Leave empty when an EC2 instance role is assumed.

  • Region Names: AWS region names used for discovery, one region per line. Ex: us-east-2 and us-west-1 on separate lines

  • Port Mapping: Any non-standard ports referenced, one entry per line. Ex: 2222=ssh and 3390=rdp on separate lines

  • See additional information on AWS Environment Setup
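As an added example (not Keeper's code), a small validator for two of the free-text fields in the tables above: the newline-separated Port Mapping entries (the 2222=ssh and 3307=mysql format) and the Network CIDR from the Local Network table. The parser and the characters accepted in a service name are this example's assumptions; the CIDR handling masks off host bits rather than rejecting the value, because the page's own example (192.168.0.15/24) is a host address with a prefix length.

```python
"""Validate Port Mapping and Network CIDR field values (added example, not Keeper code)."""
import ipaddress


def parse_port_mapping(text):
    """Parse newline-separated 'port=service' entries into {port: service}.

    Rejects malformed lines, ports outside 1-65535 and ports listed twice,
    so a typo is caught before the configuration is saved. Service names are
    limited to letters, digits, '-' and '_' (this example's assumption).
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines are ignored
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected port=service, got {line!r}")
        port_text, service = (part.strip() for part in line.split("=", 1))
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"line {lineno}: invalid port {port_text!r}")
        if not service or not all(c.isalnum() or c in "-_" for c in service):
            raise ValueError(f"line {lineno}: invalid service name {service!r}")
        port = int(port_text)
        if port in mapping:
            raise ValueError(f"line {lineno}: port {port} is mapped twice")
        mapping[port] = service.lower()
    return mapping


def normalize_cidr(text):
    """Return the network a Network CIDR value covers, as a string.

    strict=False lets a host address with a prefix length through and masks
    the host bits, so '192.168.0.15/24' becomes '192.168.0.0/24'. Anything
    that is not an IPv4/IPv6 network raises ValueError.
    """
    return str(ipaddress.ip_network(text.strip(), strict=False))


def check_fields(port_mapping_text, cidr_text):
    """Validate both fields and return (mapping, cidr, errors).

    Errors are collected rather than raised so the caller can report every
    problem in one pass.
    """
    errors, mapping, cidr = [], {}, None
    try:
        mapping = parse_port_mapping(port_mapping_text)
    except ValueError as exc:
        errors.append(f"Port Mapping: {exc}")
    try:
        cidr = normalize_cidr(cidr_text)
    except ValueError as exc:
        errors.append(f"Network CIDR: {exc}")
    return mapping, cidr, errors


if __name__ == "__main__":
    # Constructed sample input mirroring the page's examples.
    sample_ports = "2222=ssh\n3390=rdp\n3307=mysql\n"
    print(check_fields(sample_ports, "192.168.0.15/24"))
```

Run it against the values you intend to paste into the record; a duplicate port or an out-of-range port is reported with its line number, and the normalized CIDR shows which network discovery will actually scan.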

Azure Environment

  • Azure ID: A unique id for your instance of Azure. Required; this is for the user's reference. Ex: Azure-1

  • Client ID: The application/client id (UUID) of the Azure application. Required.

  • Client Secret: The client credentials secret for the Azure application. Required.

  • Subscription ID: The UUID of the subscription (i.e. Pay-As-You-Go). Required.

  • Tenant ID: The UUID of the Azure Active Directory. Required.

  • Resource Groups: A list of resource groups to be checked, one per line. If left blank, all resource groups will be checked.

  • See additional information on Azure Environment Setup

Domain Controller Environment

  • DNS Domain Name (Required): The fully qualified domain name used by the Domain Controller, for example EXAMPLE.COM and not EXAMPLE.

  • Hostname and Port (Required): Hostname and port for the domain controller.

  • Use SSL (Required): If using LDAPS (default port 636), check the box. If using LDAP (default port 389), uncheck the box.

  • Scan Network (Optional): Scan the CIDRs from the domain controller. Defaults to False.

  • Network CIDR (Optional): Scan additional CIDRs listed in this field.

  • Port Mapping (Optional): Define alternative default ports.

PAM Features on PAM Configuration

The "PAM Features Allowed" and "Session Recording Types Allowed" sections in the PAM Configuration allow owners to enable or disable KeeperPAM features for resources managed through the PAM configuration:

  • Rotation: If enabled, allow rotations on privileged users managed by this PAM configuration.

  • Connections: If enabled, allow connections on resources managed by this PAM configuration.

  • Remote Browser Isolation (RBI): If enabled, allow RBI sessions on resources managed by this PAM configuration.

  • Tunneling: If enabled, allow tunnels on resources managed by this PAM configuration.

  • Graphical Session Recording: If enabled, visual playback sessions will be recorded for all connections and RBI sessions.

  • Text Session Recording (TypeScript): If enabled, text input and output will be logged for all connections and RBI sessions.

AWS Environment Setup

Setting up your AWS environment to work with KeeperPAM

AWS Environment Overview

Resources in your AWS environment can be managed by a Keeper Gateway using EC2 instance role policy or using a specified Access Key ID / Secret Access Key configured in the PAM Configuration record.

The role policy must be configured appropriately to enable access to the target AWS resources:

  • EC2 Role Policy

  • IAM User Policy

The following diagram shows the AWS environment hierarchy:

AWS Rotation Hierarchy

EC2 IAM Role Policy

To create an EC2 IAM policy which supports PAM features such as password rotation and discovery, configure a role with the appropriate policy settings and attach it to the EC2 instance running the Keeper Gateway.

For KeeperPAM to have the authority to rotate IAM users and RDS databases, the following inline role policy should be modified to meet your needs and ensure least privilege.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:SimulatePrincipalPolicy",
                "ec2:DescribeInstances",
                "rds:DescribeDBInstances",
                "ds:DescribeDirectories",
                "iam:ListUsers",
                "iam:GetUser",
                "iam:ListAccessKeys",
                "iam:UpdateLoginProfile",
                "rds:ModifyDBInstance",
                "ds:ResetUserPassword",
                "ds:DescribeLDAPSSettings",
                "ds:DescribeDomainControllers"
            ],
            "Resource": "*"
        }
    ]
}

To ensure least privilege, the JSON policy should be narrowed, through its "Action" and "Resource" attributes, to the target resources that KeeperPAM will actually be managing.

Follow these steps to create a new role and apply the policy:

  1. Create role with JSON specified above, or click on IAM > Roles > Create Role > Select "AWS Service" with "EC2 use case".

  2. Attach the policy JSON to the role.

  3. From EC2 > Instances, select the instance with the gateway and go to Actions > Security > Modify IAM Role > Select your new role.

Minimum AWS Policy to Manage IAM users

  • EC2 User: Rotation uses local credentials and no specific AWS permissions are needed.

  • Managed Database: Rotation uses AWS APIs for PAM Database records and requires iam:GetUser, iam:SimulatePrincipalPolicy, rds:ModifyDBInstance and rds:DescribeDBInstances. For managing PAM Database or PAM User records via SQL, no AWS permissions are needed.

  • Directory User: Rotation uses AWS APIs for PAM Directory records and requires iam:SimulatePrincipalPolicy, ds:DescribeDirectories, ds:ResetUserPassword, ds:DescribeLDAPSSettings and ds:DescribeDomainControllers.

  • IAM User: Rotation uses AWS APIs for PAM User records and requires iam:SimulatePrincipalPolicy, iam:UpdateLoginProfile and iam:GetUser.
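The sample role policy and the per-type table above say what to trim but not how; the following added example (Python, not Keeper's code) generates a policy containing only the actions the selected managed-user types need, and checks an existing policy document against the same requirements before the role is attached. The managed-type names, the Sids and the account ID used in the usage are this example's own; which IAM actions accept a user ARN as their Resource is an assumption to verify against the AWS service authorization reference.

```python
"""Build and check a least-privilege policy for the Keeper Gateway role.

Added example, not Keeper's code. Required actions per managed type come
from the "Minimum AWS Policy to Manage IAM users" table on this page.
"""
import fnmatch
import json

REQUIRED_ACTIONS = {
    "managed_database": [
        "iam:GetUser",
        "iam:SimulatePrincipalPolicy",
        "rds:ModifyDBInstance",
        "rds:DescribeDBInstances",
    ],
    "directory_user": [
        "iam:SimulatePrincipalPolicy",
        "ds:DescribeDirectories",
        "ds:ResetUserPassword",
        "ds:DescribeLDAPSSettings",
        "ds:DescribeDomainControllers",
    ],
    "iam_user": [
        "iam:SimulatePrincipalPolicy",
        "iam:UpdateLoginProfile",
        "iam:GetUser",
    ],
}

# Actions that operate on one IAM user and so can be limited to user ARNs
# instead of "*". Assumption: confirm resource-level support for each action
# in the IAM service authorization reference before relying on it.
USER_SCOPED_ACTIONS = {"iam:GetUser", "iam:UpdateLoginProfile"}


def build_policy(managed_types, user_arns=None):
    """Return a policy document granting only what managed_types need.

    With user_arns, the user-scoped IAM actions go in a second statement
    whose Resource lists those ARNs. Everything else stays on "*" in this
    example; narrow those entries too where the action supports it.
    """
    needed = set()
    for managed_type in managed_types:
        if managed_type not in REQUIRED_ACTIONS:
            raise ValueError(f"unknown managed type: {managed_type}")
        needed.update(REQUIRED_ACTIONS[managed_type])

    scoped = sorted(a for a in needed if a in USER_SCOPED_ACTIONS) if user_arns else []
    broad = sorted(a for a in needed if a not in scoped)

    statements = []
    if broad:
        statements.append({"Sid": "KeeperPamAccountWide", "Effect": "Allow",
                           "Action": broad, "Resource": "*"})
    if scoped:
        statements.append({"Sid": "KeeperPamUserScoped", "Effect": "Allow",
                           "Action": scoped, "Resource": sorted(user_arns)})
    return {"Version": "2012-10-17", "Statement": statements}


def _action_allowed(action, patterns):
    # IAM action names are case-insensitive and patterns may contain '*'.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy, managed_types):
    """Return required actions that no Allow statement in policy grants.

    Only Allow statements are considered; an explicit Deny elsewhere (for
    example in an SCP) is outside what this check can see.
    """
    patterns = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    required = set()
    for managed_type in managed_types:
        required.update(REQUIRED_ACTIONS[managed_type])
    return sorted(a for a in required if not _action_allowed(a, patterns))


if __name__ == "__main__":
    # Constructed account ID and user name; replace with your own.
    policy = build_policy(["iam_user", "managed_database"],
                          user_arns=["arn:aws:iam::123456789012:user/app-db-user"])
    print(json.dumps(policy, indent=4))
    print("missing for directory_user:", missing_actions(policy, ["directory_user"]))
```

Generating the document from the managed types, rather than deleting lines from the full sample by hand, keeps the policy in step with the rotation types you actually enable; the missing_actions check is the pre-flight to run when a rotation fails with an access-denied error after a policy has been edited.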

IAM User Policy

Using an EC2 instance role policy is preferred; however, the AWS Access Key ID and Secret Access Key can be set directly in the PAM Configuration. The IAM admin account needs to be created with the appropriate policy settings configured to access the target resources in AWS.

A sample policy is below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:SimulatePrincipalPolicy",
                "ec2:DescribeInstances",
                "rds:DescribeDBInstances",
                "ds:DescribeDirectories",
                "iam:ListUsers",
                "iam:GetUser",
                "iam:ListAccessKeys",
                "iam:UpdateLoginProfile",
                "rds:ModifyDBInstance",
                "ds:ResetUserPassword",
                "ds:DescribeLDAPSSettings",
                "ds:DescribeDomainControllers"
            ],
            "Resource": "*"
        }
    ]
}

To ensure least privilege, the JSON policy should be narrowed, through its "Action" and "Resource" attributes, to the target resources that KeeperPAM will actually be managing.

The steps to create the access keys are below:

  1. Create a new IAM user or select an existing user

  2. Attach the policy to the user

  3. Open the IAM user > Security credentials > Create access key

  4. Select "Application running outside AWS"

  5. Save the provided Access Key ID / Secret Access Key into the PAM Configuration

In addition to these policies, we recommend protecting the Gateway Configuration secrets using AWS KMS.

Azure Environment Setup

Setting up your Azure environment to work with KeeperPAM

Azure Environment Overview

Resources in your Azure environment can be managed by a Keeper Gateway using Azure App policies and client IDs configured in the PAM Configuration record.

In order to set up your Azure environment, the following steps must be taken:

  • Create an Azure application in the default Azure Active Directory.

  • Get values for the Keeper PAM Configuration from this new application.

  • Grant permissions to the application to access the Azure Active Directory.

  • Create a custom role to allow the application to access/perform actions on various Azure resources.

Create an Azure App Registration

Go to the Azure portal > Home and click on Microsoft Entra ID on the left side vertical menu. Select App Registrations, and then New Registration. Give the new application a name and select Single tenant. Then click the Register button at the bottom.

In the Overview of the application, the Application (client) ID UUID is shown. This is the Client Id field of the Keeper PAM Configuration record. The Directory (tenant) ID is also shown. This is the Tenant Id field of the Keeper PAM Configuration record. Save these values for later.

Create Application

Next, go to Home > General > Subscriptions and get your subscription ID. Copy the subscription ID into the Keeper PAM Configuration "Subscription ID" field. For more information on how to get your subscription ID, visit this page.

Next, click Add a certificate or secret under Client credentials. On the next page, click New client secret, give the client secret a Description, select the desired Expires date, and click Add.

The page will refresh showing the secret Value. Copy the Value (not Secret ID) into the Keeper PAM Configuration "Client Secret" field. Save this value for later.

Client Secret

At this point, all the required PAM Configuration fields should be filled in. You also have an Azure application that cannot do anything yet.

Assign Roles and Administrators

In order for the Azure tenant service principal/application to rotate Azure Active Directory users or Azure Active Directory Domain Services users, the application must be assigned to an Administrative role.

From the Azure portal go to Home > Azure Active Directory > Roles and administrators, and click on the Administrative role to use (such as Privileged Authentication Administrator). The correct role depends on what privileges are needed for your use case. Custom roles can be used.

  • Global Administrator - It is not recommended to use a Global Administrator on a service principal. However, it will allow both administrator and user passwords to be rotated.

  • Privileged Authentication Administrator - Can change the password for any user, including a Global Administrator user.

  • Authentication Administrator - Can change the password for any user, except a Global Administrator user.

To add the application, click Add assignments and Search for the service principal/application that was created, click it, and then Add.

Assign Administrator Role to Keeper Application

Assign Azure Role

Roles need to be attached to the Azure Application (also called a Service Principal here) in order to rotate passwords of target resources. This is done in the Subscriptions section of the Azure portal.

Go to the Azure portal > Home > Subscriptions then select your subscription. Click on Access control (IAM), and then Roles.

Click Add on the top menu, and then Add custom role. Jump to the JSON tab. Click on Edit and paste the JSON object from below, modifying it according to your setup.

This is a complete list of all of the permissions that Keeper Gateway can use, if applicable. Only include those that are needed for your setup.

Change the following before you save:

  • <ROLE NAME>: Role Name, e.g. "Keeper Secrets Manager"

  • <DESCRIPTION>: Description, e.g. "Role for password rotation"

  • <SUBSCRIPTION ID>: Subscription ID of this Azure subscription

{
    "properties": {
        "roleName": "<ROLE NAME>",
        "description": "<DESCRIPTION>",
        "assignableScopes": [
            "/subscriptions/<SUBSCRIPTION ID>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.Network/networkSecurityGroups/read",
                    "Microsoft.Compute/virtualMachines/instanceView/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.AAD/domainServices/read",
                    "Microsoft.Network/virtualNetworks/subnets/read",
                    "Microsoft.Sql/servers/read",
                    "Microsoft.Sql/servers/databases/read",
                    "Microsoft.DBforPostgreSQL/servers/read",
                    "Microsoft.DBforMySQL/servers/read",
                    "Microsoft.DBforPostgreSQL/servers/databases/read",
                    "Microsoft.Sql/servers/write",
                    "Microsoft.DBforPostgreSQL/servers/write",
                    "Microsoft.DBforMySQL/servers/write",
                    "Microsoft.DBforMySQL/flexibleServers/read",
                    "Microsoft.DBforPostgreSQL/flexibleServers/read",
                    "Microsoft.DBforPostgreSQL/flexibleServers/write",
                    "Microsoft.DBforMySQL/flexibleServers/write",
                    "Microsoft.DBforMariaDB/servers/read",
                    "Microsoft.DBforMariaDB/servers/write"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Click Save.

When done, click Review + create, and click Create.

Once the role is created, it needs to be assigned to the Application (Service Principal). Click View in the Details column.

Role

A panel will appear on the right side of the screen. Click Assignments, and then Add assignment.

Enter the new role's name in the search bar on the Role tab, then double-click it to select it. Move to the Members tab. Click Select members. In the panel that opens, enter the name of the Azure application, select it, and click Select.

Create Azure Custom Role
Assign Role to Keeper Secrets Manager application member

Go to the Review + assign tab and click Review + assign.

At this point, you have created the necessary roles and applications within your Azure environment.
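An added example (Python, not Keeper's or Microsoft's code) that applies the two instructions given for the custom role above: replace the <ROLE NAME>, <DESCRIPTION> and <SUBSCRIPTION ID> placeholders, and keep only the actions your setup needs. The grouping of resource providers by purpose (VM discovery, SQL rotation and so on) is inferred from the provider names in the role definition and is this example's assumption, not a Keeper-published mapping; SAMPLE_ROLE is a constructed subset of the page's action list, and the subscription ID in the usage is a placeholder.

```python
"""Placeholder and least-privilege checks for the Keeper custom role JSON.

Added example, not Keeper's code. SAMPLE_ROLE is a constructed subset of the
role definition shown on this page.
"""
import json
import re

PLACEHOLDER = re.compile(r"<[A-Z ]+>")

# Resource provider -> what the gateway uses it for. Assumption inferred from
# the provider names in the page's role definition.
PROVIDER_PURPOSE = {
    "Microsoft.Compute": "vm-discovery",
    "Microsoft.Network": "vm-discovery",
    "Microsoft.Resources": "vm-discovery",
    "Microsoft.AAD": "domain-services",
    "Microsoft.Sql": "sql-rotation",
    "Microsoft.DBforPostgreSQL": "postgresql-rotation",
    "Microsoft.DBforMySQL": "mysql-rotation",
    "Microsoft.DBforMariaDB": "mariadb-rotation",
}

SAMPLE_ROLE = {
    "properties": {
        "roleName": "<ROLE NAME>",
        "description": "<DESCRIPTION>",
        "assignableScopes": ["/subscriptions/<SUBSCRIPTION ID>"],
        "permissions": [{
            "actions": [
                "Microsoft.Compute/virtualMachines/read",
                "Microsoft.Network/networkInterfaces/read",
                "Microsoft.Resources/subscriptions/resourceGroups/read",
                "Microsoft.Sql/servers/read",
                "Microsoft.Sql/servers/write",
                "Microsoft.DBforPostgreSQL/flexibleServers/read",
                "Microsoft.DBforPostgreSQL/flexibleServers/write",
                "Microsoft.DBforMySQL/flexibleServers/write",
            ],
            "notActions": [], "dataActions": [], "notDataActions": [],
        }],
    }
}


def unresolved_placeholders(role):
    """Return any <PLACEHOLDER> tokens still present in the role JSON."""
    return sorted(set(PLACEHOLDER.findall(json.dumps(role))))


def fill_placeholders(role, values):
    """Return a copy of role with <KEY> replaced by values[KEY].

    Values are substituted into the serialized JSON, so they must not
    contain quotes or backslashes (fine for names, descriptions, UUIDs).
    """
    text = json.dumps(role)
    for key, value in values.items():
        if '"' in value or "\\" in value:
            raise ValueError(f"unsafe characters in value for {key}")
        text = text.replace(f"<{key}>", value)
    return json.loads(text)


def trim_actions(role, keep_purposes):
    """Return a copy keeping only actions whose provider serves keep_purposes."""
    trimmed = json.loads(json.dumps(role))  # deep copy
    for perm in trimmed["properties"]["permissions"]:
        perm["actions"] = [a for a in perm["actions"]
                           if PROVIDER_PURPOSE.get(a.split("/")[0]) in keep_purposes]
    return trimmed


def lint_role(role, subscription_id):
    """List problems to fix before clicking Save: leftover placeholders, a scope
    other than the one subscription, data-plane actions, unknown providers."""
    problems = [f"placeholder not replaced: {p}" for p in unresolved_placeholders(role)]
    expected = f"/subscriptions/{subscription_id}"
    problems += [f"unexpected assignable scope: {s}"
                 for s in role["properties"]["assignableScopes"] if s != expected]
    for perm in role["properties"]["permissions"]:
        if perm.get("dataActions"):
            problems.append("dataActions present; the gateway role needs none")
        problems += [f"action from unexpected provider: {a}" for a in perm["actions"]
                     if a.split("/")[0] not in PROVIDER_PURPOSE]
    return problems


if __name__ == "__main__":
    # Constructed values; use your own role name and subscription ID.
    sub = "00000000-0000-0000-0000-000000000000"
    role = fill_placeholders(SAMPLE_ROLE, {"ROLE NAME": "Keeper Secrets Manager",
                                           "DESCRIPTION": "Role for password rotation",
                                           "SUBSCRIPTION ID": sub})
    role = trim_actions(role, {"vm-discovery", "postgresql-rotation"})
    print(json.dumps(role, indent=4))
    print("problems:", lint_role(role, sub))
```

Paste the printed JSON into the portal's JSON tab; an empty problems list means no placeholder was left behind, the role is assignable only within the one subscription, and no write permission survives for a database provider you are not rotating.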


Configuring PAM Features on PAM Record Types

After creating the PAM configuration, visit the following pages to:

  • Configure Rotation

  • Configure Connections

  • Configure RBI

  • Configure Tunnels

  • Configure Discovery

Local Environment Setup

Setting up your Local environment to work with KeeperPAM

Local Environment Overview

The PAM Configuration contains critical information about your local infrastructure, its settings and the associated Keeper Gateway. This guide provides step-by-step instructions for configuring the PAM Configuration in your local environment, enabling the Keeper Gateway to manage all resources within it and allowing users to use KeeperPAM features on those resources.

Prerequisites

Prior to proceeding with this guide, make sure to install and configure your Keeper Gateway.

PAM Configuration Fields - Local Environment

The following table provides more details on each configurable field in the PAM Configuration record for the local environment:

  • Title (Required): Name of the PAM configuration record. Ex: Local Configuration

  • Environment (Required): Your infrastructure's environment. For this guide, select "Local".

  • Gateway (Required): The configured gateway. See docs for more info.

  • Application Folder (Required): The shared folder where the PAM Configuration data will be stored. Best practice is to create a folder with limited access to admins. See Security Note (1) below.

  • PAM Settings (Required): List of Zero-Trust KeeperPAM features that should be enabled. See this section for more info.

  • Default Rotation Schedule: Specify the frequency of rotation. Ex: Daily

  • Port Mapping: Define alternative default ports. Ex: 3307=mysql. See the port mapping docs.

For Discovery, the following fields are required; otherwise they are optional:

  • Network ID: Unique ID for the network. This is for the user's reference. Ex: My Network

  • Network CIDR: Subnet of the IP address. Ex: 192.168.0.15/24. Refer to this for more info.
