Discover machines, databases, accounts and services across your on-prem and cloud infrastructure
Keeper Discovery empowers DevOps, IT Security, and software development teams with complete visibility into all privileged accounts and IT assets within your organization. Through the Keeper Gateway, Keeper Discovery can identify assets across your infrastructure in the following target configurations:
Local Environment
AWS
Azure
Organizations often struggle with maintaining visibility over privileged accounts and IT assets across increasingly complex infrastructures, including on-premises environments and multi-cloud setups. This lack of visibility can lead to unmanaged accounts, misconfigurations, and potential security vulnerabilities.
Keeper Discovery solves these challenges by:
Providing Centralized Visibility: Automatically discovering and cataloging privileged accounts and IT assets across local environments, AWS, and Azure.
Strengthening Security Posture: Identifying unmanaged accounts, misconfigurations, and security risks to proactively address vulnerabilities.
Streamlining Discovery: Simplifying the process of asset discovery using the Keeper Gateway, enabling seamless integration into your infrastructure.
Empowering Teams: Equipping DevOps, IT Security, and software development teams with actionable insights to manage and secure accounts and assets effectively.
Enhancing Compliance: Ensuring an accurate inventory of privileged accounts and assets for audit and reporting, helping meet regulatory requirements.
Keeper Discovery operates on a zero-knowledge model, ensuring that neither Keeper's infrastructure nor its employees can view, access, or decrypt any discovered assets. All discovery tasks are executed by the Keeper Gateway within the customer's environment. The gateway encrypts findings and securely exchanges data with the Keeper Vault and privileged users via the Keeper Secrets Manager APIs.
For more information, see the Architecture section
Keeper Discovery is part of the Zero-Trust KeeperPAM Platform. Keeper Discovery has the following features:
Create a discovery job to scan assets through any Keeper Gateway
View the status of running discovery jobs
Kill discovery jobs
Automatically apply rules to either Add, Ignore or Prompt for saving a record
Rules are constructed through a customizable Rules Engine
Found resources can be added to a specified Shared Folder
Keeper's Discovery system first performs a scan of resources, based on the Keeper Gateway capabilities and the defined PAM Configuration.
After locating resources, a rules engine converts the findings into Keeper records and adds those resources to Shared Folders. The types of Keeper Records that can be created are:
Once resources are discovered, the interactive discovery process enables users to link administrative credentials, such as username/password combinations or SSH keys, to the identified resources. After the initial discovery and credential association, users can initiate a deeper discovery to identify local users and services within each target resource.
Keeper's encrypted data storage model organizes these associations—environments, Gateways, Resources, Accounts, and Services—into a Graph structure. This PAM Graph represents the environment as a hierarchical set of parent-child relationships, allowing KeeperPAM to map and visualize the environment effectively.
Discovery can be managed through the Keeper Commander CLI and the Vault UI.
The next section covers the basics on performing discovery with KeeperPAM.
Performing resource discovery through Keeper Commander CLI
In this guide, you will learn how to discover resources within your target infrastructure using Discovery with Keeper Commander.
Prior to using Discovery on Commander, make sure to review the Discovery Basics documentation.
Login to Keeper Commander CLI using the keeper shell command.
Run the command pam gateway list or pam g l command to list all gateways
The Gateway UID is required to start the discovery process.
Run the pam action discover start command to start a discovery job. The Gateway UID must be provided with the -g option.
View the status of the active discovery job by with pam action discover status
After a discovery job is complete, the detailes status information can be viewed by running:
Proceed to the next step once the Discovery job's status is COMPLETE. Depending on how big your environment is, this may take a few minutes.
Once the discovery job is completed, you can process the findings with the provided Job ID.
An interactive CLI session will start where you will be shown information on discovered assets and will be able to provision them as PAM Record types in your vault.
During the Discovery process, you may be prompted to provide a PAM User record or create one on the fly to associate administrative credentials with the target resource.
Once the initial process is complete and administrative credentials have been supplied, you can run another Discovery job. This subsequent job leverages the provided credentials to delve deeper into the target resources, identifying local user accounts, services, and scheduled tasks.
Keeper Commander provides many advanced capabilities for managing gateways, configurations, rotations and discovery. See the KeeperPAM Commands for a list of all available options.
Setting up KeeperPAM for Discovery
In this guide, you will learn how to discover resources within your target infrastructure using Discovery.
Prior to using Discovery, make sure to have the following:
An active license of KeeperPAM
Activate Enforcement Policies on the Admin Console to enable discovery
Deploy a Keeper Gateway using the latest version
On the Admin Console, the following Enforcement Policies affect the user's ability to run Discovery jobs.
Can run discovery
Allow users to run discovery jobs
Discovery can also be enabled on the Keeper Commander CLI using the enterprise-role command:
The Keeper Gateway is a service that is installed on the customer's network to enabled zero-trust access to target infrastructure. This service is installed on a Docker, Linux or Windows environment in each of the networks under management.
Before running a Discovery job, it is recommended to create PAM User records for any administrative credentials you expect to use. Save these credentials as PAM User record types within the Shared Folder that is associated with your Application and Keeper Gateway.
To get started with Discovery, you need a PAM Configuration set up for your target infrastructure. The PAM Configuration directs the discovery process where to locate resources.
Local network discovery utilize a CIDR for scanning. In order for discovery to locate a resource, it must be listening on the required port. Below is the PAM Configuration data required for a successful discovery.
Network ID
Unique ID for the network
This is for the user's reference
Ex: My Network
Network CIDR
Subnet of the IP address
Port Mapping
If non-standard ports are being used, this ensures that discovery will find the resources.
Example: ssh=2222 rdp=3390
AWS discovery makes use of whatever AWS Role Policies have been granted to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.
In order for the Keeper Gateway to discover an AWS resource, it must be able to communicate to the target over standard ports (e.g. port 22 for SSH, 3389 for RDP, etc). If a non-standard port is being used, this needs to be specified in the PAM Configuration. Discovery will only add the resources to the Keeper vault if it can successfully communicate over the port. Adjust your security groups as necessary to allow this.
Below is the PAM Configuration data required for a successful discovery.
AWS ID
Identifier selected by user
This is just used for reference.
Access Key ID
Access Key only when required
If instance role is applied to the Gateway, this is not required.
Secret Access Key
Secret Key only when required
If instance role is applied to the Gateway, this is not required.
Region Names
A list of AWS region names separated by newlines. Discovery will only find resources that match.
Example: us-west-1 us-east-2
Port Mapping
If non-standard ports are being used, this ensures that discovery will find the resources.
Example: ssh=2222 rdp=3390
Azure discovery makes use of whatever permissions have been granted to the role assigned to the Keeper Gateway in order to discover resources. The PAM Configuration filters against the provided region names to limit the findings.
In order for the Keeper Gateway to discover an Azure resource, it must be able to communicate to the target over standard ports (e.g. port 22 for SSH, 3389 for RDP, etc). If a non-standard port is being used, this needs to be specified in the PAM Configuration. Discovery will only add the resources to the Keeper vault if it can successfully communicate over the port. Adjust your Network Security Groups as necessary to allow this.
Below is the PAM Configuration data required for a successful discovery.
Azure ID
A unique id for your instance of Azure
Required, This is for the user's reference
Ex: Azure-1
Client ID
The application/client id (UUID) of the Azure application
Required
Client Secret
The client credentials secret for the Azure application
Required
Subscription ID
The UUID of the subscription (i.e. Pay-As-You-GO).
Required
Tenant ID
The UUID of the Azure Active Directory
Required
Resource Groups
A list of resource groups to be checked. If left blank, all resource groups will be checked. Newlines should separate each resource group.
The basic workflow for running Discovery jobs is the following:
Set up a Keeper Gateway with associated Shared Folders
Populate the shared folders with any administrative credentials as PAM User record types
Run a discovery job on the target infrastructure
Process the results to discover PAM Machine, PAM Databases and PAM Directory resources
Run additional discovery jobs to locate user accounts within each found resource, utilizing credentials provided to the job.
When discovery is performed on a Windows machine, Keeper will automatically determine if a PAM User should be directly associated with any running services or scheduled tasks. When rotation is performed on any user accounts, Keeper will then update the Windows service account "log on as" credentials for any Windows services running as the PAM User, and restart the service. Keeper will also update the credential of any scheduled task running as that user on the target machine.
To learn more and set up this capability, see the Service Management page.
After a Discovery process has been completed, you can edit the vault records to activate advanced features such as Rotation, Connections, and Tunnels.
Ex: 192.168.0.15/24
about CIDR
Running Discovery using the Keeper Vault user interface
In this guide, you will learn how to discover resources within your target infrastructure using Discovery with the Keeper Vault and Desktop App.
Prior to using Discovery, make sure to review the Discovery Basics documentation.
From the Keeper Vault, click on the Discovery section. Click on "Create Discovery Job" to start a discovery process.
When discovery jobs are either running, failed, or completed states, the jobs will display on the Discovery screen.
To create a discovery job, select the Keeper Gateway which will perform the discovery. The Gateway is associated to a PAM Configuration, which tells the gateway what type of environment is being scanned.
If the PAM Configuration is lacking details about the environment such as CIDR or cloud secrets, the user is prompted to enter this information.
If prior discovery jobs have created discovery rules, the rules can be viewed and managed. A Discovery Rule saves time in the discovery process by ignoring certain findings. For example, if you want to ignore a certain resource.
Discovery jobs can be run in parallel across Keeper Gateways, but a single gateway can only run a single job at a time. If a job on a particular gateway is still running, you will receive an error message and you are giving the opportunity to cancel the job.
After a discovery job is in a "Completed" state, clicking the Job will allow you to process the findings interactively. You can multi-select or iterate through the findings, and add the findings to a queue before it is finalized.
When iterating through the discovery results, you can either Ignore, Skip or Queue the result to the final batch of results.
Ignore: Skip the resource now and for future jobs, creating a Rule for this resource
Skip: Only skips the resource during this session, but will be found again in subsequent scans
Queue to Folder: Add the resource to the queue, and finalize all findings at the end
When iterating through the results, you can select the location in the vault where the resource will be stored, and you can immediately assign the Admin Credentials associated to the resource. The Admin Credentials which are linked to the resource server several purposes:
Finding user accounts: Subsequent discovery jobs will be able to use the Admin Credentials to remotely access the target resource and discover local user accounts.
Password Rotation: The Admin Credential is used for performing on-demand and scheduled password rotations on any found accounts.
Just-In-Time Access: Keeper JIT enables role and group elevation for the duration of privileged sessions.
Ephemeral Accounts: Keeper JIT capabilities include creation of temporary accounts under a certain role or group, for the duration of privileged sessions.
PAM Resources can have Connections and Tunneling activated to simplify the process of establishing access to the targets. PAM Users found during discovery can be enabled for automatic rotation.
After processing through the findings, the queued resources can be published to the vault in the specified Shared Folder locations.
Now that the Discovery is complete, additional resources can be found by running another job against the same Gateway and PAM Configuration. If Admin Credentials have been linked to KeeperPAM Resources, these credentials will be used to discover local user accounts within each resource.
