AWS Environment Setup

How to configure your AWS environment for Keeper Rotation

AWS Environment Overview

Resources in your AWS environment can be rotated either using EC2 instance roles or using a specified Access Key ID / Secret Access Key configured in the PAM Configuration record.

The role policy must be configured appropriately to enable access to the target AWS resources:

The following diagram shows the AWS environment hierarchy:

EC2 IAM Role Policy

If you are running the Keeper Gateway on an EC2 instance in AWS, this method of configuration using EC2 IAM instance role policy is preferred.

To rotate credentials of AWS Managed Resources from an EC2 instance, a role with the appropriate policy settings can be configured and attached to the EC2 instance instead of using a static Access Key ID / Secret Access Key.

Below is a basic role policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Principal": {
                "Service": [
                    "http://ec2.amazonaws.com "
                ]
            }
        }
    ]
}

To be configured for rotation, the following inline policy can be created with the following JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "rds:DescribeDBInstances",
                "ds:DescribeDirectories",
                "iam:ListUsers",
                "iam:ListAccessKeys",
                "iam:UpdateLoginProfile",
                "rds:ModifyDBInstance",
                "ds:ResetUserPassword",
                "ds:DescribeLDAPSSettings",
                "ds:DescribeDomainControllers"
            ],
            "Resource": "*"
        }
    ]
}

The steps to create this in the AWS console are below:

  • Create role with JSON specified above, or click on IAM > Roles > Create Role > Select "AWS Service" with "EC2 use case".

  • Attach the above policy JSON to the role

  • In the EC2 instance view, go to Actions > Security > Modify IAM Role > Select this new role.

The above JSON can be edited to remove resources not used for rotation. For example, if no RDS resource is used, you can remove rds:DescribeDBInstances and rds:ModifyDBInstance. However iam:SimulatePrincipalPolicy is required.

Minimum AWS Policy to Manage IAM users

IAM User Policy

Using EC2 instance role policy is preferred. Alternatively, the AWS Access Key ID and Secret Access Key can be directly set in the PAM Configuration. The IAM Admin account needs to be created with the appropriate policy settings configured to access the target resource in AWS.

An inline policy can be created for a user with the following JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:SimulatePrincipalPolicy",
                "ec2:DescribeInstances",
                "rds:DescribeDBInstances",
                "ds:DescribeDirectories",
                "iam:ListUsers",
                "iam:GetUser",
                "iam:ListAccessKeys",
                "iam:UpdateLoginProfile",
                "rds:ModifyDBInstance",
                "ds:ResetUserPassword",
                "ds:DescribeLDAPSSettings",
                "ds:DescribeDomainControllers"
            ],
            "Resource": "*"
        }
    ]
}

The above JSON can be edited to remove resources not used for rotation. For example, if no RDS resource is used, you can remove rds:DescribeDBInstances and rds:ModifyDBInstance

However iam:SimulatePrincipalPolicy is required.

The steps to create the access keys is below:

  • Create a new IAM user or select an existing user

  • Attach the inline policy specified above to the user

  • Open the IAM user > Security credentials > Create access key

  • Select "Application running outside AWS"

  • Save the provided Access Key ID / Secret Access Key into the PAM Configuration

Last updated