AWS

Password Rotation in the AWS Environment

Overview

In this section, you will learn how to rotate user credentials within the AWS Cloud environment across the supported target systems and services.

AWS Credentials and their corresponding PAM Record Type

Configurations for your AWS environment are defined in the PAM Configuration section of Keeper Secrets Manager. Keeper uses the IAM role attached to the EC2 instance on which the Gateway is installed (the instance role) to authenticate to AWS and perform rotation. If no instance role is attached, an IAM User's AWS Access Key ID and Secret Access Key can be stored in the PAM Configuration record and used to authenticate and perform rotations instead.

PAM Configuration records are encrypted in the vault just like other Keeper records.

Configurations for managed resources like EC2, RDS, and Directory Services are defined in the PAM Machine, PAM Database, and PAM Directory record types. The following table shows the supported AWS managed resources with Keeper Rotation and their corresponding PAM Record Type:

AWS Managed Resource      Corresponding Record Type
EC2                       PAM Machine
RDS                       PAM Database
Directory Service         PAM Directory

Configurations for directory users or IAM users are defined in the PAM User record type.

Prerequisites - Rotation on your AWS Environment

Prior to rotating user credentials within your AWS environment, you need to make sure you have the following information and configurations in place:

  1. To successfully rotate IAM User accounts, an IAM Admin account needs to be created. An IAM Admin account is an IAM User account with the appropriate policy settings configured to access the target resource. For more information on the policy settings, visit this page.

  2. To successfully rotate credentials of AWS Managed Resources, an IAM role with the appropriate policy settings needs to be configured and attached to the EC2 instance on which the Keeper Gateway runs. For more information on the policy settings, visit this page.

  3. To configure and setup Rotation within your AWS environment, the following values are needed in the PAM Configuration:

Field / Description

Access Key ID
    The Access Key ID of the desired access key from the IAM User account. Set this field to USE_INSTANCE_ROLE if the Gateway is deployed on an EC2 instance that has an instance role attached.

Secret Access Key
    The Secret Access Key of the desired access key from the IAM User account. Set this field to USE_INSTANCE_ROLE if the Gateway is deployed on an EC2 instance that has an instance role attached.

The Keeper Gateway always attempts to use the EC2 instance role first to authenticate and perform the rotation. If this fails, or no instance role is available on the machine, Keeper falls back to the Access Key ID and Secret Access Key stored in the PAM Configuration. Instance role credentials are temporary and rotated by AWS automatically; an access key stored in the PAM Configuration is a long-lived credential, so prefer the instance role wherever the Gateway host supports it and rotate any stored access key on a schedule.
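The precedence described above, as an added, illustrative example that is not Keeper's own code: it reads the two PAM Configuration fields (honouring the USE_INSTANCE_ROLE sentinel), probes the EC2 instance metadata service (IMDSv2, token-authenticated) for the attached role's temporary credentials, and falls back to the stored access key only when no role is reachable. The field names, the probe timeout and the error messages are assumptions made for the example; the sample access key values are constructed.

```python
"""Model of the Gateway's credential precedence on AWS (illustrative; not Keeper's code).

Order: attached EC2 instance role (via IMDSv2) first, then the Access Key ID /
Secret Access Key stored in the PAM Configuration.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

IMDS_BASE = "http://169.254.169.254/latest"  # EC2 instance metadata service (link-local)
USE_INSTANCE_ROLE = "USE_INSTANCE_ROLE"      # sentinel documented for both PAM Configuration fields


@dataclass
class AwsCredentials:
    source: str                       # "instance-role" or "pam-configuration"
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str] = None  # only present for temporary role credentials


def fetch_instance_role_credentials(timeout: float = 1.0) -> Optional[AwsCredentials]:
    """Ask IMDSv2 for the attached role's temporary credentials.

    Returns None when the host is not an EC2 instance, IMDS is unreachable
    (for example, the probe times out off-EC2), or no role is attached
    (the security-credentials listing returns 404 or an empty body).
    """
    try:
        # IMDSv2: obtain a short-lived session token first, then present it on every read.
        token_req = urllib.request.Request(
            f"{IMDS_BASE}/api/token", method="PUT",
            headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
        with urllib.request.urlopen(token_req, timeout=timeout) as resp:
            token = resp.read().decode()
        hdr = {"X-aws-ec2-metadata-token": token}

        listing = urllib.request.Request(
            f"{IMDS_BASE}/meta-data/iam/security-credentials/", headers=hdr)
        with urllib.request.urlopen(listing, timeout=timeout) as resp:
            role_name = resp.read().decode().strip().splitlines()[0]

        doc_req = urllib.request.Request(
            f"{IMDS_BASE}/meta-data/iam/security-credentials/{role_name}", headers=hdr)
        with urllib.request.urlopen(doc_req, timeout=timeout) as resp:
            doc = json.loads(resp.read().decode())
    except (urllib.error.URLError, OSError, ValueError, IndexError):
        return None
    if doc.get("Code") != "Success":
        return None
    return AwsCredentials("instance-role", doc["AccessKeyId"],
                          doc["SecretAccessKey"], doc.get("Token"))


def resolve_credentials(
        pam_config: dict,
        probe: Callable[[], Optional[AwsCredentials]] = fetch_instance_role_credentials,
) -> AwsCredentials:
    """Instance role first; fall back to the PAM Configuration's stored access key.

    `pam_config` is a dict keyed by the PAM Configuration field names shown
    in the table above (assumed representation). `probe` is injectable so
    the precedence can be exercised without a metadata service.
    """
    creds = probe()
    if creds is not None:
        return creds

    key_id = (pam_config.get("Access Key ID") or "").strip()
    secret = (pam_config.get("Secret Access Key") or "").strip()

    # The sentinel means "do not fall back": the operator declared that the
    # host has a role, so a missing role is a configuration error, not a
    # reason to silently use something else.
    if USE_INSTANCE_ROLE in (key_id, secret):
        raise RuntimeError(
            "PAM Configuration is set to USE_INSTANCE_ROLE but no instance role is reachable")
    if not key_id or not secret:
        raise RuntimeError(
            "no instance role available and no Access Key ID / Secret Access Key stored")
    return AwsCredentials("pam-configuration", key_id, secret)


if __name__ == "__main__":
    # Constructed sample configuration; on a host without IMDS the probe times out
    # after one second and the stored key is selected.
    sample = {"Access Key ID": "AKIAIOSFODNN7EXAMPLE",
              "Secret Access Key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
    chosen = resolve_credentials(sample)
    print(f"authenticating with: {chosen.source} ({chosen.access_key_id})")
```

On a real Gateway host the equivalent check is to confirm which identity AWS sees for the process (for example with `aws sts get-caller-identity` run as the Gateway's user): an ARN containing `assumed-role/` means the instance role is in use, while an ARN containing `user/` means the stored access key is being used.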

AWS Environment Setup

Visit the following section for more details on setting up your environment in AWS:

AWS Environment Setup

Summary - Rotation on your AWS Environment

At a high level, the following steps are needed to successfully rotate passwords in your AWS environment:

  1. Create Shared Folders to hold the PAM records involved in rotation

  2. Create PAM Machine, PAM Database and PAM Directory records that contain credentials with the necessary permissions to rotate and update the user's credentials

  3. Create PAM User records that contain the user's information

  4. Create a Secrets Manager Application and assign it to the shared folders that hold the PAM records

  5. Install a Keeper Gateway and add it to the Secrets Manager application

  6. Create a PAM Configuration with the AWS environment setting

  7. Configure Rotation settings on the PAM User records and/or PAM Machine, PAM Database, PAM Directory records

The following pages cover these steps in more detail and show how to rotate passwords in the different AWS scenarios:

Rotating AWS Directory Users:

Managed Microsoft AD User

Rotating EC2 Virtual Machine Accounts:

EC2 Virtual Machine User

Rotating IAM User Accounts:

IAM User

Rotating AWS Managed Database Accounts:

Managed Database
