Managed Microsoft AD User

Rotating AWS Managed Microsoft AD Service accounts with Keeper

Overview

In this guide, you will learn how to rotate the Admin and User accounts of an AWS Managed Microsoft AD directory using Keeper Rotation. The directory is an AWS-managed resource: the Directory Service admin credentials are defined in a PAM Directory record, and each AD user to be rotated is defined in a PAM User record.

For Amazon Managed Active Directory, the AWS SDK is used to rotate the password of the Directory Admin. User account passwords are rotated over LDAP; for that rotation to succeed, server-side LDAPS must be configured and the Directory Admin defined in the PAM Directory record must use an SSL connection.

For a high-level overview on the rotation process in the AWS Environment, visit this page.

Prerequisites

This guide assumes the following tasks have already taken place:

  • Keeper Secrets Manager is enabled for your enterprise and your role

  • Keeper Rotation is enabled for your role

  • A Keeper Secrets Manager application has been created

  • A Keeper Rotation gateway is already installed, running, and is able to communicate with your AWS Directory Services

  • Your AWS environment is configured per our documentation

1. Set up a PAM Directory Record

Keeper Rotation uses the Directory admin credentials of your AWS Managed Directory Service to rotate the passwords of the directory's user accounts. The same admin credentials are also used to rotate the Directory admin's own password.

The following table lists all the required fields on the PAM Directory Record:

Field | Description
Title | Name of the record, e.g. AD Domain Service
Hostname or IP Address | The Directory DNS name, e.g. ad.pam.test
Port | 636 for LDAPS; for default ports see port mapping
Use SSL (checkbox) | Must be checked
Login | Directory Service admin account, e.g. Admin. Note: either Login and Domain Name, or Distinguished Name, is required; Distinguished Name is preferred.
Password | Directory Service admin password
Distinguished Name | The Directory Service admin account's Distinguished Name (DN). Note: if no DN is provided, it is derived from the domain name; for the domain example.com the DN used is CN=<user>,CN=Users,DC=example,DC=com
Domain Name | The Directory DNS name. Note: required if Login is used instead of Distinguished Name
Directory ID | Directory Service identifier, e.g. d-##########
Directory Type | Directory Service directory type; defaults to Active Directory if left blank
Provider Region | AWS region name, e.g. us-east-1

Note: Adding both Provider Region and Directory ID enables managing the PAM Directory record through the AWS SDK, which is the preferred method.

This PAM Directory record with the admin credential must be in a shared folder that is shared with the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
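The following Python helper is an added example, not Keeper's or AWS's code, that models the rules stated in the Overview and in the PAM Directory record table: the default DN derived from the domain name when no DN is given, the choice between the AWS SDK path (Directory ID and Provider Region both set) and the LDAPS path, and a pre-flight check of the record fields. It also shows the form of the unicodePwd value that Active Directory requires for an LDAP password change (the password wrapped in double quotes, UTF-16LE encoded), which is the reason the SSL requirement exists: AD only accepts that modification over an encrypted connection. The class and function names, and the sample record values, are assumptions made for this example.

```python
"""Pre-flight checks for an AWS Managed Microsoft AD rotation record.

Hypothetical helper (not Keeper's or AWS's code). Field names follow the
PAM Directory record table on this page; all sample values are constructed.
"""
from dataclasses import dataclass


@dataclass
class PamDirectoryRecord:
    # Hypothetical model of the PAM Directory record fields.
    title: str
    hostname: str
    port: int
    use_ssl: bool
    login: str = ""
    password: str = ""
    distinguished_name: str = ""
    domain_name: str = ""
    directory_id: str = ""
    directory_type: str = ""
    provider_region: str = ""


def default_dn(login: str, domain_name: str) -> str:
    """Build the DN used when the record has none:
    CN=<user>,CN=Users,DC=example,DC=com for the domain example.com."""
    if not login or not domain_name:
        raise ValueError("Login and Domain Name are both required to derive a DN")
    labels = domain_name.strip(".").split(".")
    dc_parts = ",".join(f"DC={label}" for label in labels)
    return f"CN={login},CN=Users,{dc_parts}"


def effective_dn(rec: PamDirectoryRecord) -> str:
    """Prefer the explicit Distinguished Name; fall back to the derived one."""
    return rec.distinguished_name or default_dn(rec.login, rec.domain_name)


def rotation_path(rec: PamDirectoryRecord) -> str:
    """'sdk' when Directory ID and Provider Region are both set, else 'ldaps'."""
    if rec.directory_id and rec.provider_region:
        return "sdk"
    return "ldaps"


def validate(rec: PamDirectoryRecord) -> list:
    """Return a list of problems; an empty list means the record is usable."""
    problems = []
    if not rec.use_ssl:
        problems.append("Use SSL must be checked: AD rejects unicodePwd changes over plaintext LDAP")
    if rec.port != 636:
        problems.append(f"port {rec.port} is not the LDAPS default 636; confirm the listener")
    if not rec.distinguished_name and not (rec.login and rec.domain_name):
        problems.append("either Distinguished Name, or Login plus Domain Name, is required")
    if rec.directory_id and not rec.directory_id.startswith("d-"):
        problems.append("Directory ID should look like d-##########")
    if bool(rec.directory_id) != bool(rec.provider_region):
        problems.append("set both Directory ID and Provider Region to use the AWS SDK path")
    return problems


def unicode_pwd_value(new_password: str) -> bytes:
    """Encode a password as the AD unicodePwd attribute requires:
    wrapped in double quotes, UTF-16LE, no byte-order mark."""
    return f'"{new_password}"'.encode("utf-16-le")


if __name__ == "__main__":
    # Constructed sample record; the directory ID and domain are illustrative.
    rec = PamDirectoryRecord(
        title="AD Domain Service", hostname="ad.pam.test", port=636, use_ssl=True,
        login="Admin", domain_name="pam.test",
        directory_id="d-1234567890", provider_region="us-east-1",
    )
    print(effective_dn(rec), rotation_path(rec), validate(rec) or "ok")
```

Running the block with the constructed record prints the derived DN CN=Admin,CN=Users,DC=pam,DC=test, selects the sdk path, and reports no problems; clearing Use SSL or changing the port to 389 produces the corresponding findings before any rotation is attempted.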

2. Set up PAM Configuration

If you already have a PAM Configuration for your AWS environment, you can simply add the additional Resource Credentials required for rotating directory users to that existing configuration.

If you are creating a new PAM Configuration, log in to the Keeper Vault, select "Secrets Manager", open the "PAM Configurations" tab, and click "New Configuration". The following table lists all the required fields on the PAM Configuration record:

Field | Description
Title | Configuration name, e.g. AWS AD Configuration
Environment | Select: AWS
Gateway | Select the Gateway from the prerequisites that is configured on the Keeper Secrets Manager application and has network access to your Active Directory server
Application Folder | Select the shared folder that contains the PAM Directory record from Step 1
Admin Credentials Record | Select the PAM Directory record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate the directory user accounts' credentials
AWS ID | A unique ID for this instance of AWS. This is for your reference and can be anything, but it is recommended to keep it short, e.g. AWS-1
Access Key ID | Set this field to USE_INSTANCE_ROLE if you are using an EC2 instance role (default). Otherwise use a specific Access Key ID.
Access Secret Key | Set this field to USE_INSTANCE_ROLE if you are using an EC2 instance role (default). Otherwise use the Secret Access Key that pairs with the Access Key ID above.
Region Names | List of AWS region names, one per line, e.g. us-east-1 and us-east-2 on separate lines

For more details on all the configurable fields in the PAM Network Configuration record, visit this page.

3. Set up one or more PAM User Records

Keeper Rotation uses the credentials in the PAM Directory record to rotate the PAM User records in your AWS environment. Each PAM User record must be in a shared folder that is shared with the KSM application created in the prerequisites.

The following table lists all the required fields on the PAM User record:

Field | Description
Title | Keeper record title, e.g. AWS Directory User1
Login | Username of the Directory Service user account
Password | Optional; if left blank, rotation will set one
Distinguished Name | The Directory Service user account's Distinguished Name (DN)

4. Configure Rotation on the Record - Directory User

Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".

  • Select the desired schedule and password complexity.

  • The "Rotation Settings" should use the PAM Configuration set up in Step 2.

  • The "Resource Credential" field should select the PAM Directory credential set up in Step 1.

  • Upon saving, the rotation button is enabled and the password can be rotated on demand or via the selected schedule.

Any user with edit rights to a PAM User record can set up rotation for that record.

If the desired Admin Credential is not shown in the rotation settings screen, go to Secrets Manager > PAM Configuration and add the necessary resource credentials.

5. Configure Rotation on the Record - Directory Admin

Select the PAM Directory record from Step 1, edit the record and open the "Password Rotation Settings".

  • Select the desired schedule and password complexity.

  • The "Rotation Settings" should use the PAM Configuration set up in Step 2.

  • The "Resource Credential" field should select the PAM Directory credential set up in Step 1 (the record rotates itself using its own admin credentials).

  • Upon saving, the rotation button is enabled and the password can be rotated on demand or via the selected schedule.

If the desired Admin Credential is not shown in the rotation settings screen, go to Secrets Manager > PAM Configuration and add the necessary resource credentials.

Troubleshooting

Getting the Distinguished Names of AWS Managed Directory Service Users

The following PowerShell command, run on a domain-joined Windows host, returns the distinguished name of a directory user:

Get-ADUser -Identity "username" | Select-Object -ExpandProperty DistinguishedName

If the command is not found, import the Active Directory module first:

Import-Module ActiveDirectory
