AWS Environment Setup
How to configure your AWS environment for Keeper Rotation
Resources in your AWS environment can be rotated either using EC2 instance roles or using a specified Access Key ID / Secret Access Key configured in the PAM Configuration record.
The role policy must be configured appropriately to enable access to the target AWS resources:
EC2 Role Policy (Preferred)
The following diagram shows the AWS environment hierarchy:
This method requires that you are running the Keeper Gateway on an EC2 instance in AWS.
To rotate credentials of AWS Managed Resources from an EC2 instance:
First, a role with the appropriate policy settings will be configured and then attached to the EC2 instance (instead of using a static Access Key ID / Secret Access Key).
To grant the role authority for rotation, create an inline role policy with the following JSON:
The above JSON can be edited to remove resources not used for rotation. For example, if no RDS resource is used, you can remove rds:DescribeDBInstances and rds:ModifyDBInstance. However, iam:SimulatePrincipalPolicy is required.
Follow these steps to create a new role and apply the policy:
Create a role with the JSON specified above, or click IAM > Roles > Create Role > select "AWS Service" with the "EC2" use case.
Attach the policy JSON to the role.
From EC2 > Instances, select the instance with the gateway and go to Actions > Security > Modify IAM Role > Select your new role.
Rotation uses local credentials and no specific AWS permissions are needed.
Rotation uses AWS APIs for PAM Database records and requires: iam:GetUser, iam:SimulatePrincipalPolicy, rds:ModifyDBInstance, rds:DescribeDBInstances
For managing PAM Database or PAM User Records via SQL no AWS permissions are needed.
Rotation uses AWS APIs for PAM Directory records and requires: iam:SimulatePrincipalPolicy, ds:DescribeDirectories, ds:ResetUserPassword, ds:DescribeLDAPSSettings, ds:DescribeDomainControllers
Rotation uses AWS APIs for PAM User records and requires: iam:SimulatePrincipalPolicy, iam:UpdateLoginProfile, iam:GetUser
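As an added example (not Keeper's own code or the policy JSON from this page), the script below assembles a least-privilege inline policy from the per-record-type action lists above and checks an iam:SimulatePrincipalPolicy response for actions the gateway principal is still missing. The Resource value "*" and the sample simulation response are assumptions constructed for illustration; the real check passes the role or user ARN and the action list to boto3's simulate_principal_policy.

```python
"""Build a least-privilege Keeper rotation policy and verify it via SimulatePrincipalPolicy."""
import json

# Actions per PAM record type, as listed on this page. Record types that rotate
# with local credentials need no AWS permissions and are not modelled here.
REQUIRED_ACTIONS = {
    "database": ["iam:GetUser", "iam:SimulatePrincipalPolicy",
                 "rds:ModifyDBInstance", "rds:DescribeDBInstances"],
    "directory": ["iam:SimulatePrincipalPolicy", "ds:DescribeDirectories",
                  "ds:ResetUserPassword", "ds:DescribeLDAPSSettings",
                  "ds:DescribeDomainControllers"],
    "user": ["iam:SimulatePrincipalPolicy", "iam:UpdateLoginProfile", "iam:GetUser"],
}


def required_actions(record_types):
    """Union of actions for the record types in use; iam:SimulatePrincipalPolicy is always required."""
    actions = {"iam:SimulatePrincipalPolicy"}
    for record_type in record_types:
        actions.update(REQUIRED_ACTIONS[record_type])
    return sorted(actions)


def build_policy(record_types, resource="*"):
    """Return an IAM policy document (dict) for the chosen record types.
    Resource "*" is an assumption for illustration; narrow it to the target ARNs
    for actions that support resource-level permissions."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "KeeperRotation", "Effect": "Allow",
                           "Action": required_actions(record_types),
                           "Resource": resource}]}


def missing_actions(simulation_response, record_types):
    """Given an iam:SimulatePrincipalPolicy response, return required actions not evaluated 'allowed'."""
    allowed = {r["EvalActionName"] for r in simulation_response.get("EvaluationResults", [])
               if r.get("EvalDecision") == "allowed"}
    return [a for a in required_actions(record_types) if a not in allowed]


# Constructed sample response in the EvaluationResults shape SimulatePrincipalPolicy returns;
# in practice: iam.simulate_principal_policy(PolicySourceArn=role_arn, ActionNames=required_actions(...))
SAMPLE_RESPONSE = {"EvaluationResults": [
    {"EvalActionName": "iam:GetUser", "EvalDecision": "allowed"},
    {"EvalActionName": "iam:SimulatePrincipalPolicy", "EvalDecision": "allowed"},
    {"EvalActionName": "rds:DescribeDBInstances", "EvalDecision": "allowed"},
    {"EvalActionName": "rds:ModifyDBInstance", "EvalDecision": "implicitDeny"},
]}

if __name__ == "__main__":
    print(json.dumps(build_policy(["database"]), indent=2))
    print("missing:", missing_actions(SAMPLE_RESPONSE, ["database"]))
```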
Using an EC2 instance role policy is preferred. Alternatively, the AWS Access Key ID and Secret Access Key can be set directly in the PAM Configuration. The IAM admin account needs to be created with the appropriate policy settings configured to access the target resource in AWS.
An inline policy can be created for a user with the following JSON:
The above JSON can be edited to remove resources not used for rotation. For example, if no RDS resource is used, you can remove rds:DescribeDBInstances and rds:ModifyDBInstance. However, iam:SimulatePrincipalPolicy is required.
The steps to create the access keys are below:
Create a new IAM user or select an existing user
Attach the inline policy specified above to the user
Open the IAM user > Security credentials > Create access key
Select "Application running outside AWS"
Save the provided Access Key ID / Secret Access Key into the PAM Configuration