AWS Environment Setup

Setting up your AWS environment to work with KeeperPAM

AWS Environment Overview

Resources in your AWS environment can be managed by a Keeper Gateway either through an EC2 instance role policy or through an Access Key ID / Secret Access Key pair specified in the PAM Configuration record.

In either case, the policy must be configured to grant access to the target AWS resources.

The following diagram shows the AWS environment hierarchy:

AWS Rotation Hierarchy

EC2 IAM Role Policy

To support PAM features such as password rotation and discovery through an EC2 IAM role, create a role with the appropriate policy settings and attach it to the EC2 instance running the Keeper Gateway.

The following inline role policy gives KeeperPAM the authority to rotate IAM users and RDS databases; modify it to meet your needs and to ensure least privilege.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:SimulatePrincipalPolicy",
                "ec2:DescribeInstances",
                "rds:DescribeDBInstances",
                "ds:DescribeDirectories",
                "iam:ListUsers",
                "iam:GetUser",
                "iam:ListAccessKeys",
                "iam:UpdateLoginProfile",
                "rds:ModifyDBInstance",
                "ds:ResetUserPassword",
                "ds:DescribeLDAPSSettings",
                "ds:DescribeDomainControllers"
            ],
            "Resource": "*"
        }
    ]
}

To ensure least privilege, narrow the "Action" and "Resource" attributes of this JSON policy to the target resources that KeeperPAM will actually manage.

Follow these steps to create a new role and apply the policy:

  1. Create a role (IAM > Roles > Create Role), selecting "AWS Service" as the trusted entity type with the "EC2" use case.

  2. Attach the policy JSON to the role.

  3. From EC2 > Instances, select the instance with the gateway and go to Actions > Security > Modify IAM Role > Select your new role.

Minimum AWS Policy to Manage IAM Users

The table below lists, for each managed user type, the minimum IAM policy actions a Keeper Gateway needs to rotate it.

Managed User Type: EC2 User
IAM Policy: Rotation uses local credentials; no specific AWS permissions are needed.

Managed User Type: Managed Database
IAM Policy: Rotation uses AWS APIs for PAM Database records and requires:
    iam:GetUser
    iam:SimulatePrincipalPolicy
    rds:ModifyDBInstance
    rds:DescribeDBInstances
  Managing PAM Database or PAM User records via SQL needs no AWS permissions.

Managed User Type: Directory User
IAM Policy: Rotation uses AWS APIs for PAM Directory records and requires:
    iam:SimulatePrincipalPolicy
    ds:DescribeDirectories
    ds:ResetUserPassword
    ds:DescribeLDAPSSettings
    ds:DescribeDomainControllers

Managed User Type: IAM User
IAM Policy: Rotation uses AWS APIs for PAM User records and requires:
    iam:SimulatePrincipalPolicy
    iam:UpdateLoginProfile
    iam:GetUser


IAM User Policy

Using an EC2 instance role policy is preferred; however, an AWS Access Key ID and Secret Access Key can instead be set directly in the PAM Configuration. In that case, the IAM admin account must be created with policy settings that grant access to the target resources in AWS.

A sample policy is below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:SimulatePrincipalPolicy",
                "ec2:DescribeInstances",
                "rds:DescribeDBInstances",
                "ds:DescribeDirectories",
                "iam:ListUsers",
                "iam:GetUser",
                "iam:ListAccessKeys",
                "iam:UpdateLoginProfile",
                "rds:ModifyDBInstance",
                "ds:ResetUserPassword",
                "ds:DescribeLDAPSSettings",
                "ds:DescribeDomainControllers"
            ],
            "Resource": "*"
        }
    ]
}

To ensure least privilege, narrow the "Action" and "Resource" attributes of this JSON policy to the target resources that KeeperPAM will actually manage.
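Both sample policies on this page grant every listed action on "Resource": "*", and the "Minimum AWS Policy" table above gives the rotation actions each managed user type actually needs. The following Python script is an added example (not Keeper's code) that builds a policy containing only the actions the table requires for the managed types you use, and audits an existing policy document against that set, reporting surplus actions and any Allow statement still scoped to "*". The first sample policy from this page is embedded as the document under audit. The sample policies also carry actions outside the rotation table (ec2:DescribeInstances, iam:ListUsers, iam:ListAccessKeys), likely serving the discovery feature the page says the policy supports, so a reported surplus is a prompt to confirm the action is needed, not proof it is removable. The ARN patterns in the usage section are placeholders (an assumption), not values from this page.

```python
"""Build and audit a least-privilege IAM policy for a KeeperPAM gateway.

Added example; not Keeper's code. The action sets come from the
"Minimum AWS Policy" table on this page. ARNs used to narrow "Resource"
are placeholders (assumption) and must be replaced with your own.
"""
import json

# Minimum actions required for rotation, per managed user type (from the table).
MINIMUM_ACTIONS = {
    "EC2 User": set(),  # rotation uses local credentials, no AWS API calls
    "Managed Database": {"iam:GetUser", "iam:SimulatePrincipalPolicy",
                         "rds:ModifyDBInstance", "rds:DescribeDBInstances"},
    "Directory User": {"iam:SimulatePrincipalPolicy", "ds:DescribeDirectories",
                       "ds:ResetUserPassword", "ds:DescribeLDAPSSettings",
                       "ds:DescribeDomainControllers"},
    "IAM User": {"iam:SimulatePrincipalPolicy", "iam:UpdateLoginProfile",
                 "iam:GetUser"},
}

# The first sample policy from this page, used as the document under audit.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "iam:SimulatePrincipalPolicy", "ec2:DescribeInstances",
            "rds:DescribeDBInstances", "ds:DescribeDirectories",
            "iam:ListUsers", "iam:GetUser", "iam:ListAccessKeys",
            "iam:UpdateLoginProfile", "rds:ModifyDBInstance",
            "ds:ResetUserPassword", "ds:DescribeLDAPSSettings",
            "ds:DescribeDomainControllers",
        ],
        "Resource": "*",
    }],
}


def required_actions(managed_types):
    """Union of the minimum actions for the managed user types in use."""
    needed = set()
    for managed_type in managed_types:
        needed |= MINIMUM_ACTIONS[managed_type]
    return needed


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def build_policy(managed_types, resources=("*",)):
    """Policy document granting only the required actions on the given resources."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "KeeperPAMRotation",
            "Effect": "Allow",
            "Action": sorted(required_actions(managed_types)),
            "Resource": list(resources),
        }],
    }


def audit_policy(policy, managed_types):
    """Compare an existing policy with the minimum for the given managed types.

    Returns surplus actions, missing actions, and the Sids of Allow statements
    whose Resource is the wildcard "*".
    """
    needed = required_actions(managed_types)
    granted, wildcard_sids = set(), []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        granted |= set(_as_list(stmt.get("Action")))
        if "*" in _as_list(stmt.get("Resource")):
            wildcard_sids.append(stmt.get("Sid", "<no Sid>"))
    return {
        "extra_actions": sorted(granted - needed),
        "missing_actions": sorted(needed - granted),
        "wildcard_resources": wildcard_sids,
    }


if __name__ == "__main__":
    # A gateway that only rotates IAM users and RDS databases.
    in_use = ["IAM User", "Managed Database"]
    print(json.dumps(audit_policy(SAMPLE_POLICY, in_use), indent=2))
    # Rebuild the policy scoped to placeholder ARNs (assumption: adjust to your account).
    scoped = build_policy(in_use, resources=[
        "arn:aws:iam::123456789012:user/pam-managed-*",
        "arn:aws:rds:us-east-1:123456789012:db:pam-managed-*",
    ])
    print(json.dumps(scoped, indent=2))
```

Not every IAM action accepts a resource-level ARN, so check the service authorization reference for each action before replacing "*", and keep any action the gateway needs for discovery even though the rotation table does not list it.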

The steps to create the access keys are below:

  1. Create a new IAM user or select an existing user

  2. Attach the policy to the user

  3. Open the IAM user > Security credentials > Create access key

  4. Select "Application running outside AWS"

  5. Save the provided Access Key ID / Secret Access Key into the PAM Configuration

In addition to these policies, we recommend protecting the Gateway Configuration secrets using AWS KMS.
