AWS Environment Setup
Setting up your AWS environment to work with KeeperPAM
Resources in your AWS environment can be managed by a Keeper Gateway using either the IAM role attached to the EC2 instance that runs the Gateway or an Access Key ID / Secret Access Key stored in the PAM Configuration record.
In both cases the attached IAM policy must grant exactly the permissions needed to reach the target AWS resources:
The following diagram shows the AWS environment hierarchy:
To use an EC2 instance role for PAM features such as password rotation and discovery, create an IAM role with the appropriate policy, then attach that role to the EC2 instance running the Keeper Gateway.
For KeeperPAM to have the authority to rotate IAM users and RDS databases, the following inline role policy should be adjusted to your environment. To keep it least privilege, restrict the "Action" attribute to the record types KeeperPAM will rotate (listed by record type below) and the "Resource" attribute to the ARNs of the specific users, databases and directories it will manage.
Follow these steps to create a new role and apply the policy:
In the IAM console, go to IAM > Roles > Create Role, choose "AWS Service" as the trusted entity and "EC2" as the use case.
Attach the policy JSON to the new role as an inline policy.
From EC2 > Instances, select the instance running the Gateway and go to Actions > Security > Modify IAM Role, then select the new role.
EC2 User
Rotation uses local credentials and no specific AWS permissions are needed.
Managed Database
Rotation uses AWS APIs for PAM Database records and requires:
iam:GetUser
iam:SimulatePrincipalPolicy
rds:ModifyDBInstance
rds:DescribeDBInstances
For managing PAM Database or PAM User records via SQL, no AWS permissions are needed.
Directory User
Rotation uses AWS APIs for PAM Directory records and requires:
iam:SimulatePrincipalPolicy
ds:DescribeDirectories
ds:ResetUserPassword
ds:DescribeLDAPSSettings
ds:DescribeDomainControllers
IAM User
Rotation uses AWS APIs for PAM User records and requires:
iam:SimulatePrincipalPolicy
iam:UpdateLoginProfile
iam:GetUser
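The per-record-type lists above are the raw material for the least-privilege policy the page asks you to build: only the actions for the record types you actually rotate, and each action scoped to the ARNs it needs. The script below is an added example, not Keeper's own code or policy. The action lists are copied from this page; the ARNs in the demo are constructed placeholders, and the set of actions assumed to require a "*" resource is an assumption to be checked against the AWS Service Authorization Reference before you deploy the output.

```python
"""Generate a least-privilege IAM policy for a Keeper Gateway from the
per-record-type permission lists on this page.

Added example, not Keeper's own code. Record-type names and action lists
come from the page; the demo ARNs are constructed placeholders; which
actions must be granted on "*" is an assumption (see ACCOUNT_WIDE).
"""
import json

# Minimum actions per PAM record type, as listed on the page.
# EC2 users rotate with local credentials and need no AWS permissions,
# so there is no entry for them.
ACTIONS = {
    "managed_database": [
        "iam:GetUser",
        "iam:SimulatePrincipalPolicy",
        "rds:ModifyDBInstance",
        "rds:DescribeDBInstances",
    ],
    "directory_user": [
        "iam:SimulatePrincipalPolicy",
        "ds:DescribeDirectories",
        "ds:ResetUserPassword",
        "ds:DescribeLDAPSSettings",
        "ds:DescribeDomainControllers",
    ],
    "iam_user": [
        "iam:SimulatePrincipalPolicy",
        "iam:UpdateLoginProfile",
        "iam:GetUser",
    ],
}

# Assumption: list-style actions that accept no resource-level scoping and
# therefore have to be granted on "*". Verify against the AWS Service
# Authorization Reference; everything else is scoped to supplied ARNs.
ACCOUNT_WIDE = {"ds:DescribeDirectories"}


def build_policy(targets, gateway_principal_arn):
    """Return an IAM policy document (dict) for the given targets.

    targets: {record_type: [ARNs of the users/databases/directories to rotate]}
    gateway_principal_arn: ARN of the Gateway's own role or user; the page's
    iam:SimulatePrincipalPolicy requirement is scoped to that principal
    because it is the principal whose permissions get simulated.
    """
    by_resource = {}  # tuple(resource ARNs) -> set of actions on them
    for record_type, arns in targets.items():
        if record_type not in ACTIONS:
            raise ValueError(f"unknown record type: {record_type}")
        if not arns:
            raise ValueError(f"{record_type}: no target ARNs supplied")
        for action in ACTIONS[record_type]:
            if action == "iam:SimulatePrincipalPolicy":
                key = (gateway_principal_arn,)
            elif action in ACCOUNT_WIDE:
                key = ("*",)
            else:
                key = tuple(sorted(arns))
            by_resource.setdefault(key, set()).add(action)

    statements = []
    for resources, actions in sorted(by_resource.items()):
        statements.append({
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": list(resources) if len(resources) > 1 else resources[0],
        })
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_actions(policy):
    """Return the actions a policy grants on every resource ("*").

    Anything here that is not in ACCOUNT_WIDE is broader than the page
    requires and should be tightened before the policy is attached.
    """
    found = set()
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources:
            actions = stmt["Action"]
            found.update([actions] if isinstance(actions, str) else actions)
    return sorted(found)


if __name__ == "__main__":
    # Constructed placeholder ARNs for a Gateway that rotates one IAM user
    # and one RDS instance; substitute your own.
    demo_targets = {
        "iam_user": ["arn:aws:iam::123456789012:user/app-svc"],
        "managed_database": ["arn:aws:rds:us-east-1:123456789012:db:app-db"],
    }
    demo_gateway = "arn:aws:iam::123456789012:role/keeper-gateway"
    policy = build_policy(demo_targets, demo_gateway)
    print(json.dumps(policy, indent=2))
    print("granted on '*':", wildcard_actions(policy) or "nothing")
```

Paste the printed JSON into the role's inline policy (or the IAM user's policy for the access-key method below). Dropping a record type from `targets` removes its actions entirely, which is the "Action" side of least privilege; the "Resource" side is the per-ARN scoping, and `wildcard_actions` is the check that nothing beyond the assumed account-wide set slipped through on "*".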
Using an EC2 instance role is preferred, since no long-lived secret has to be stored; however, an AWS Access Key ID and Secret Access Key can instead be set directly in the PAM Configuration. The IAM user that owns those keys must carry a policy granting access to the target resources in AWS.
A sample policy is below.
To ensure least privilege, the JSON policy should be modified based on which target resources KeeperPAM will be managing, through the "Action" and "Resource" attributes.
The steps to create the access keys are below:
Create a new IAM user or select an existing user
Attach the policy to the user
Open the IAM user > Security credentials > Create access key
Select "Application running outside AWS"
Save the provided Access Key ID / Secret Access Key into the PAM Configuration
In addition to these policies, we recommend protecting the Gateway Configuration secrets using AWS KMS.