AWS
Password Rotation in the AWS Environment
Overview
In this section, you will learn how to rotate user credentials within the AWS Cloud environment across various target systems and services.
AWS Credentials and their corresponding PAM Record Type
Configurations for your AWS environment are defined in the PAM Configuration section of Keeper Secrets Manager. Keeper will use the inherited EC2 instance role where the Gateway is installed to authenticate with the AWS system and perform rotation. If instance roles are not defined, the AWS Access Key ID and Secret Key can be stored in the PAM Configuration record to authenticate and perform rotations.
PAM Configuration records are encrypted in the vault just like other Keeper records
Configurations for managed resources like EC2, RDS, and Directory Services are defined in the PAM Machine, PAM Database, and PAM Directory record types. The following table shows the supported AWS managed resources with Keeper Rotation and their corresponding PAM Record Type:
AWS Managed Resource | Corresponding Record Type |
---|---|
EC2 | PAM Machine |
RDS | PAM Database |
Directory Service | PAM Directory |
Configurations for directory users or IAM users are defined in the PAM User record type.
Prerequisites - Rotation on your AWS Environment
Prior to rotating user credentials within your AWS environment, you need to make sure you have the following information and configurations in place:
To successfully rotate IAM User accounts, an IAM Admin account needs to be created. An IAM Admin account is an IAM User account with the appropriate policy settings configured to access the target resource. For more information on the policy settings, visit this page.
To successfully rotate credentials of AWS Managed Resources attached to an EC2 instance, a role with the appropriate policy settings needs to be configured and attached to the EC2 instance. For more information on the policy settings, visit this page.
To configure and setup Rotation within your AWS environment, the following values are needed in the PAM Configuration:
Field | Description |
---|---|
Access Key ID | This is the Access Key ID from the desired Access Key found in the IAM User account. Set this field to |
Secret Access Key | This is the Secret Access Key from the desired Access Key found in the IAM User account. Set this field to |
The Keeper Gateway will always first attempt to use the EC2 instance role to authenticate and perform the rotation. If this fails or is not available on the machine, Keeper will use the Access Key ID and Secret Access Key stored in the PAM Configuration.
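The IAM Admin account named in the prerequisites above only needs the IAM actions that an access-key rotation actually issues. The block below is an added example (it is not Keeper's code, and it is not the policy the linked page prescribes) that runs a create-new, retire-old rotation of one IAM user's access key against a constructed in-memory stand-in for boto3's IAM client; the stand-in mirrors the real response shapes and enforces a constructed least-privilege policy, so a missing permission surfaces as AccessDenied exactly where real IAM would reject the call. The account ID, the user name `svc-app`, the `FakeIAM` class and the assumption that rotating an IAM user's credential means replacing its access key are all assumptions of this example.

```python
"""Create-new / retire-old rotation of an IAM user's access key, run offline.

Added example, not Keeper's code. Assumptions: rotating an IAM user's credential
means replacing its access key; FakeIAM is a constructed stand-in for
boto3.client("iam") whose responses mirror the real shapes and which enforces a
constructed IAM policy, so the block shows which actions the rotating identity
needs on the target user and nothing more.
"""
import fnmatch
import secrets
from datetime import datetime, timedelta, timezone

ACCOUNT = "123456789012"                                   # constructed
TARGET_USER = "svc-app"                                    # constructed
TARGET_ARN = f"arn:aws:iam::{ACCOUNT}:user/{TARGET_USER}"

# Least-privilege policy for the rotating identity (constructed illustration):
# only the four access-key actions, only on the one user being rotated.
ROTATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:ListAccessKeys", "iam:CreateAccessKey",
                   "iam:UpdateAccessKey", "iam:DeleteAccessKey"],
        "Resource": TARGET_ARN,
    }],
}


class AccessDenied(Exception):
    """Raised by the stand-in where real IAM would return AccessDenied."""


class FakeIAM:
    """Constructed in-memory IAM; existing_keys = [(user, status, age_days)]."""

    def __init__(self, policy, existing_keys):
        self.policy = policy
        self.keys = {}  # user -> list of AccessKeyMetadata-shaped dicts
        for user, status, age_days in existing_keys:
            self.keys.setdefault(user, []).append({
                "UserName": user, "AccessKeyId": "AKIA" + secrets.token_hex(8).upper(),
                "Status": status,
                "CreateDate": datetime.now(timezone.utc) - timedelta(days=age_days)})

    def _authorize(self, action, user):
        # Minimal Allow-only evaluator: action and resource patterns as in IAM.
        arn = f"arn:aws:iam::{ACCOUNT}:user/{user}"
        for st in self.policy["Statement"]:
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            if (st["Effect"] == "Allow" and fnmatch.fnmatch(arn, st["Resource"])
                    and any(fnmatch.fnmatch(action, a) for a in actions)):
                return
        raise AccessDenied(f"{action} on {arn}")

    def list_access_keys(self, UserName):
        self._authorize("iam:ListAccessKeys", UserName)
        return {"AccessKeyMetadata": [dict(k) for k in self.keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        self._authorize("iam:CreateAccessKey", UserName)
        if len(self.keys.get(UserName, [])) >= 2:     # real IAM quota: 2 keys per user
            raise RuntimeError("LimitExceeded: AccessKeysPerUser")
        meta = {"UserName": UserName, "AccessKeyId": "AKIA" + secrets.token_hex(8).upper(),
                "Status": "Active", "CreateDate": datetime.now(timezone.utc)}
        self.keys.setdefault(UserName, []).append(meta)
        return {"AccessKey": dict(meta, SecretAccessKey=secrets.token_urlsafe(30))}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self._authorize("iam:UpdateAccessKey", UserName)
        next(k for k in self.keys[UserName] if k["AccessKeyId"] == AccessKeyId)["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self._authorize("iam:DeleteAccessKey", UserName)
        self.keys[UserName] = [k for k in self.keys[UserName] if k["AccessKeyId"] != AccessKeyId]


def rotate_access_key(iam, user):
    """Returns (new_key_id, new_secret). The previously active key is left
    Inactive, not deleted, so the rotation can be rolled back until the next run."""
    current = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(current) >= 2:
        # Edge case: the user already holds the 2-key maximum, so CreateAccessKey
        # would fail. Free a slot: prefer the key retired last time, else the oldest.
        victim = min(current, key=lambda k: (k["Status"] == "Active", k["CreateDate"]))
        iam.delete_access_key(UserName=user, AccessKeyId=victim["AccessKeyId"])
        current.remove(victim)
    new = iam.create_access_key(UserName=user)["AccessKey"]
    # Persist new["SecretAccessKey"] (e.g. to the vault record) at this point, before
    # the old key is disabled, so a failed write never leaves the user without a key.
    for old in current:
        if old["Status"] == "Active":
            iam.update_access_key(UserName=user, AccessKeyId=old["AccessKeyId"], Status="Inactive")
    return new["AccessKeyId"], new["SecretAccessKey"]


def active_key_ids(iam, user):
    return [k["AccessKeyId"] for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
            if k["Status"] == "Active"]


def rotation_permitted(policy, existing_keys, user=TARGET_USER):
    """True if a full rotation under `policy` completes without AccessDenied."""
    try:
        rotate_access_key(FakeIAM(policy, existing_keys), user)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    iam = FakeIAM(ROTATION_POLICY, [(TARGET_USER, "Active", 90)])
    key_id, _secret = rotate_access_key(iam, TARGET_USER)
    print("active keys after rotation:", active_key_ids(iam, TARGET_USER))
```

Two points the sequence makes about the prerequisite policy: `iam:DeleteAccessKey` is only exercised when the user is already at the two-key quota, so a policy that omits it passes the first rotation and fails a later one, and scoping `Resource` to the target user's ARN rather than `*` is enough for every call in the sequence.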
AWS Environment Setup
Visit the following section for more details on setting up your environment in AWS:
AWS Environment Setup
Summary - Rotation on your AWS Environment
At a high level, the following steps are needed to successfully rotate passwords on your AWS network:
Create Shared Folders to hold the PAM records involved in rotation
Create PAM Machine, PAM Database and PAM Directory records that contain credentials with the necessary permissions to rotate and update the user's credentials
Create PAM User records that contain the user's information
Create a Secrets Manager Application and assign it to the shared folders that hold the PAM records
Install a Keeper Gateway and add it to the Secrets Manager application
Create a PAM Configuration with the AWS environment setting
Configure Rotation settings on the PAM User records and/or PAM Machine, PAM Database, PAM Directory records
The following pages cover these steps in more detail for the different rotation scenarios on the AWS network:
Rotating AWS Directory Users: Managed Microsoft AD User
Rotating EC2 Virtual Machine Accounts: EC2 Virtual Machine User
Rotating IAM User Accounts: IAM User
Rotating AWS Managed Database Accounts: Managed Database