AWS Environment Setup
How to configure your AWS environment for Keeper Rotation
AWS Environment Overview
Resources in your AWS environment can be rotated either using EC2 instance roles or using a specified Access Key ID / Secret Access Key configured in the PAM Configuration record.
The role policy must be configured appropriately to enable access to the target AWS resources:
EC2 Role Policy (Preferred)
The following diagram shows the AWS environment hierarchy:
EC2 IAM Role Policy
If you are running the Keeper Gateway on an EC2 instance in AWS, this method of configuration using EC2 IAM instance role policy is preferred.
To rotate credentials of AWS Managed Resources from an EC2 instance, a role with the appropriate policy settings can be configured and attached to the EC2 instance instead of using a static Access Key ID / Secret Access Key.
Below is a basic role policy:
To be configured for rotation, the following inline policy can be created with the following JSON:
The steps to create this in the AWS console are below:
Create a role with the JSON specified above, or click on IAM > Roles > Create Role > Select "AWS Service" with "EC2 use case".
Attach the above policy JSON to the role
In the EC2 instance view, go to Actions > Security > Modify IAM Role > Select this new role.
The above JSON can be edited to remove resources not used for rotation. For example, if no RDS resource is used, you can remove rds:DescribeDBInstances and rds:ModifyDBInstance. However, iam:SimulatePrincipalPolicy is required.
Minimum AWS Policy to Manage IAM users
IAM User Policy
Using EC2 instance role policy is preferred. Alternatively, the AWS Access Key ID and Secret Access Key can be directly set in the PAM Configuration. The IAM Admin account needs to be created with the appropriate policy settings configured to access the target resource in AWS.
An inline policy can be created for a user with the following JSON:
The above JSON can be edited to remove resources not used for rotation. For example, if no RDS resource is used, you can remove rds:DescribeDBInstances and rds:ModifyDBInstance. However, iam:SimulatePrincipalPolicy is required.
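Both the EC2 role policy and the IAM user policy above are trimmed the same way: drop the RDS actions when no RDS resource is rotated, but never drop iam:SimulatePrincipalPolicy. The following script is an added example, not Keeper's own policy document or tooling. Its SAMPLE_POLICY is constructed for illustration and contains only the three actions this page names; it is not the full JSON the page refers to. The script trims the RDS actions out of a policy document and refuses to produce a policy that no longer grants the required action, so a least-privilege edit cannot silently break rotation. It compares action names literally and does not expand wildcards such as iam:*.

```python
"""Trim an IAM policy document to the rotation targets actually in use.

Added example, not Keeper's policy or code. SAMPLE_POLICY is a constructed
minimal document containing only the actions named on this page.
"""
import copy
import json

# Constructed minimal policy document (illustrative only).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:SimulatePrincipalPolicy",
                "rds:DescribeDBInstances",
                "rds:ModifyDBInstance",
            ],
            "Resource": "*",
        }
    ],
}

# Actions that can be dropped when no RDS resource is rotated.
RDS_ACTIONS = {"rds:DescribeDBInstances", "rds:ModifyDBInstance"}
# Action that must always remain in the policy.
REQUIRED_ACTIONS = {"iam:SimulatePrincipalPolicy"}


def _as_list(value):
    """IAM allows "Action" to be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def allowed_actions(policy):
    """Return the set of action names granted by Allow statements (literal names only)."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    return actions


def trim_policy(policy, use_rds=True):
    """Return a copy of the policy with RDS actions removed when RDS is unused.

    Raises ValueError if the result would no longer grant a required action.
    """
    trimmed = copy.deepcopy(policy)
    if not use_rds:
        for stmt in trimmed.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            stmt["Action"] = [a for a in _as_list(stmt.get("Action")) if a not in RDS_ACTIONS]
        # Drop Allow statements that are left with no actions at all.
        trimmed["Statement"] = [
            s for s in trimmed["Statement"]
            if s.get("Effect") != "Allow" or _as_list(s.get("Action"))
        ]
    missing = REQUIRED_ACTIONS - allowed_actions(trimmed)
    if missing:
        raise ValueError(f"policy no longer grants required action(s): {sorted(missing)}")
    return trimmed


if __name__ == "__main__":
    # Print the policy as it would look with RDS rotation not in use.
    print(json.dumps(trim_policy(SAMPLE_POLICY, use_rds=False), indent=2))
```

Run it against your own exported policy JSON (json.load a file into the place of SAMPLE_POLICY) before pasting the result into the IAM console; the ValueError check is what protects against removing iam:SimulatePrincipalPolicy along with an unused service's actions.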
The steps to create the access keys are below:
Create a new IAM user or select an existing user
Attach the inline policy specified above to the user
Open the IAM user > Security credentials > Create access key
Select "Application running outside AWS"
Save the provided Access Key ID / Secret Access Key into the PAM Configuration