AWS Environment Setup

How to configure your AWS environment for Keeper Rotation

AWS Environment Overview

Resources in your AWS environment can be rotated either using EC2 instance roles or using a specified Access Key ID / Secret Access Key configured in the PAM Configuration record.

The IAM policy attached to that role or user must grant exactly the permissions needed to reach the target AWS resources; the per-record-type minimums are listed further down this page.

The following diagram shows the AWS environment hierarchy:

EC2 IAM Role Policy

If you are running the Keeper Gateway on an EC2 instance in AWS, configuring an EC2 IAM instance role is the preferred method: the Gateway obtains short-lived credentials from the instance role, so no long-lived Access Key ID / Secret Access Key has to be stored anywhere.

To rotate credentials of AWS Managed Resources from an EC2 instance, create a role with the appropriate policy settings and attach it to the EC2 instance instead of using a static Access Key ID / Secret Access Key.

Below is the role's trust policy (its assume-role policy document). It allows the EC2 service to assume the role; note that the service principal is the bare hostname ec2.amazonaws.com, with no scheme prefix or trailing whitespace:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Principal": {
                "Service": [
                    "http://ec2.amazonaws.com "
                ]
            }
        }
    ]
}

Then attach an inline policy with the following JSON to the role. It is the union of the actions each PAM record type needs; iam:SimulatePrincipalPolicy and iam:GetUser are included because rotation requires them (see the minimum policy per record type below):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:SimulatePrincipalPolicy",
                "ec2:DescribeInstances",
                "rds:DescribeDBInstances",
                "ds:DescribeDirectories",
                "iam:ListUsers",
                "iam:GetUser",
                "iam:ListAccessKeys",
                "iam:UpdateLoginProfile",
                "rds:ModifyDBInstance",
                "ds:ResetUserPassword",
                "ds:DescribeLDAPSSettings",
                "ds:DescribeDomainControllers"
            ],
            "Resource": "*"
        }
    ]
}

The steps to create this in the AWS console are below:

  • Create the role with the trust policy JSON specified above, or click on IAM > Roles > Create Role > Select "AWS Service" with the "EC2" use case (the console generates the same trust policy).

  • Attach the inline policy JSON above to the role.

  • In the EC2 instance view, go to Actions > Security > Modify IAM Role > Select this new role.

The above JSON can be edited to remove actions for resources not used for rotation. For example, if no RDS resource is used, you can remove rds:DescribeDBInstances and rds:ModifyDBInstance; if no AWS Managed Microsoft AD directory is used, the ds:* actions can be removed. However, iam:SimulatePrincipalPolicy is always required. Where practical, also narrow "Resource" from "*" to the ARNs of the IAM users, DB instances and directories actually being rotated, so that a compromised Gateway host cannot reset credentials account-wide.

Minimum AWS Policy to Manage IAM users

The minimum AWS permissions depend on the type of PAM record being rotated:

  • Records rotated with local credentials: no specific AWS permissions are needed.

  • PAM Database records rotated through the AWS APIs: iam:GetUser, iam:SimulatePrincipalPolicy, rds:ModifyDBInstance, rds:DescribeDBInstances

  • PAM Database or PAM User records managed via SQL: no AWS permissions are needed.

  • PAM Directory records rotated through the AWS APIs: iam:SimulatePrincipalPolicy, ds:DescribeDirectories, ds:ResetUserPassword, ds:DescribeLDAPSSettings, ds:DescribeDomainControllers

  • PAM User records rotated through the AWS APIs: iam:SimulatePrincipalPolicy, iam:UpdateLoginProfile, iam:GetUser
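The table above and the advice to trim unused actions from the sample policies are easy to get wrong by hand (dropping iam:SimulatePrincipalPolicy along with the RDS actions, for instance). The following script is an added example, not code from Keeper or from this page: it encodes the per-record-type minimums from the table, builds a policy document containing only the actions the record types you rotate need, checks an existing policy document for gaps (honouring IAM action wildcards such as rds:*), and flags a malformed EC2 trust policy. The record-type keys (pam_database, pam_directory, pam_user) and the Sid "KeeperRotation" are names chosen for this example; the sample policies at the bottom are constructed for illustration.

```python
"""Build and check least-privilege IAM policies for Keeper Rotation.

Added example (not Keeper's code). Uses only the standard library so it
runs offline; feed it the policy JSON you exported from IAM.
"""
import fnmatch
import json

# Per-record-type minimums, taken from the table on this page.
# Records rotated with local credentials or via SQL need nothing.
REQUIRED_ACTIONS = {
    "pam_database": {"iam:GetUser", "iam:SimulatePrincipalPolicy",
                     "rds:ModifyDBInstance", "rds:DescribeDBInstances"},
    "pam_directory": {"iam:SimulatePrincipalPolicy", "ds:DescribeDirectories",
                      "ds:ResetUserPassword", "ds:DescribeLDAPSSettings",
                      "ds:DescribeDomainControllers"},
    "pam_user": {"iam:SimulatePrincipalPolicy", "iam:UpdateLoginProfile",
                 "iam:GetUser"},
}
# The page states this action is required regardless of record type.
ALWAYS_REQUIRED = {"iam:SimulatePrincipalPolicy"}
EC2_SERVICE_PRINCIPAL = "ec2.amazonaws.com"


def required_actions(record_types):
    """Union of the actions needed for the given record types."""
    needed = set(ALWAYS_REQUIRED)
    for record_type in record_types:
        needed |= REQUIRED_ACTIONS[record_type]
    return needed


def build_rotation_policy(record_types, resource="*"):
    """Policy document with only the actions these record types need.

    `resource` may be a single ARN or a list of ARNs to narrow the grant
    from "*" to the users, DB instances and directories being rotated.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "KeeperRotation",  # hypothetical Sid chosen for this example
            "Effect": "Allow",
            "Action": sorted(required_actions(record_types)),
            "Resource": resource,
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def allowed_actions(policy):
    """Action patterns granted by Allow statements (Deny is ignored here)."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action")))
    return granted


def missing_actions(policy, record_types):
    """Required actions the policy does not grant.

    IAM action names are case-insensitive and may contain wildcards
    ("rds:Describe*", "iam:*", "*"), so each requirement is matched
    against every granted pattern with fnmatch.
    """
    granted = [g.lower() for g in allowed_actions(policy)]
    return sorted(
        action for action in required_actions(record_types)
        if not any(fnmatch.fnmatchcase(action.lower(), g) for g in granted)
    )


def trust_policy_problems(trust_policy):
    """Flag common mistakes in an EC2 instance-role trust policy: a
    service principal that is not exactly ec2.amazonaws.com (a pasted
    URL, a trailing space) or a statement without sts:AssumeRole."""
    problems = []
    for stmt in trust_policy.get("Statement", []):
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            problems.append("statement lacks sts:AssumeRole")
        for service in _as_list(stmt.get("Principal", {}).get("Service")):
            if service != EC2_SERVICE_PRINCIPAL:
                problems.append(f"unexpected service principal {service!r}")
    return problems


# Constructed sample: an operator trimmed the policy down to RDS rotation
# and dropped iam:SimulatePrincipalPolicy along with the unused actions.
TRIMMED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["rds:DescribeDBInstances",
                              "rds:ModifyDBInstance", "iam:GetUser"]}],
}
# Constructed sample: trust policy with a pasted URL as the principal.
BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                   "Principal": {"Service": ["http://ec2.amazonaws.com "]}}],
}

if __name__ == "__main__":
    print("missing:", missing_actions(TRIMMED_POLICY, ["pam_database"]))
    print("trust problems:", trust_policy_problems(BAD_TRUST_POLICY))
    print(json.dumps(build_rotation_policy(["pam_database"]), indent=4))
```

Run it against a policy exported with `aws iam get-role-policy` before pointing the Gateway at a new resource type; the missing-actions check is the same question the Gateway itself asks through iam:SimulatePrincipalPolicy, answered locally.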

IAM User Policy

Using an EC2 instance role policy is preferred. Alternatively, an AWS Access Key ID and Secret Access Key can be set directly in the PAM Configuration. For this, create a dedicated IAM user with only the policy settings needed to access the target resources in AWS (not an administrator account), since the key is a long-lived credential stored outside AWS.

An inline policy can be created for that user with the following JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:SimulatePrincipalPolicy",
                "ec2:DescribeInstances",
                "rds:DescribeDBInstances",
                "ds:DescribeDirectories",
                "iam:ListUsers",
                "iam:GetUser",
                "iam:ListAccessKeys",
                "iam:UpdateLoginProfile",
                "rds:ModifyDBInstance",
                "ds:ResetUserPassword",
                "ds:DescribeLDAPSSettings",
                "ds:DescribeDomainControllers"
            ],
            "Resource": "*"
        }
    ]
}

The above JSON can be edited to remove actions for resources not used for rotation. For example, if no RDS resource is used, you can remove rds:DescribeDBInstances and rds:ModifyDBInstance. However, iam:SimulatePrincipalPolicy is always required.

The steps to create the access keys are below:

  • Create a new IAM user or select an existing user

  • Attach the inline policy specified above to the user

  • Open the IAM user > Security credentials > Create access key

  • Select "Application running outside AWS"

  • Save the provided Access Key ID / Secret Access Key into the PAM Configuration. The Secret Access Key is shown only once; do not store it anywhere else.
