Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Password Rotation in the AWS Environment
In this section, you will learn how to rotate user credentials within the AWS Cloud environment across various target systems and services.
Configurations for your AWS environment are defined in the PAM Configuration section of Keeper Secrets Manager. Keeper will use the inherited EC2 instance role where the Gateway is installed to authenticate with the AWS system and perform rotation. If instance roles are not defined, the AWS Access Key ID and Secret Key can be stored in the PAM Configuration record to authenticate and perform rotations.
PAM Configuration records are encrypted in the vault just like other Keeper records
Configurations for managed resources like EC2, RDS, and Directory Services are defined in the PAM Machine, PAM Database, and PAM Directory record types. The following table shows the supported AWS managed resources with Keeper Rotation and their corresponding PAM Record Type:
Configurations for directory users or IAM users are defined in the PAM User record type.
Prior to rotating user credentials within your AWS environment, you need to make sure you have the following information and configurations in place:
To successfully rotate IAM User accounts, an IAM Admin account needs to be created. An IAM Admin account is an IAM User account with the appropriate policy settings configured to access the target resource. For more information on the policy settings, visit this page.
To successfully rotate credentials of AWS Managed Resources attached to an EC2 instance, a role with the appropriate policy settings need to be configured and attached to the EC2 instance. For more information on the policy settings, visit this page.
To configure and setup Rotation within your AWS environment, the following values are needed in the PAM Configuration:
The Keeper Gateway will always first attempt to use the EC2 instance role to authenticate and perform the rotation. If this fails or is not available on the machine, Keeper will use the Access Key ID and Secret Access Key stored in the PAM Configuration.
Visit the following section for more details on setting up your environment in AWS:
At a high level, the following steps are needed to successfully rotate passwords on your AWS network:
Create Shared Folders to hold the PAM records involved in rotation
Create PAM Machine, PAM Database and PAM Directory records that contain credentials with the necessary permissions to rotate and update the user's credentials
Create PAM User records that contain the user's information
Create a Secrets Manager Application and assign it to the shared folders that hold the PAM records
Install a Keeper Gateway and add it to the Secrets Manager application
Create a PAM Configuration with the AWS environment setting
Configure Rotation settings on the PAM User records and/or PAM Machine, PAM Database, PAM Directory records
The following pages cover these steps in more details on how to successfully rotate passwords in different scenarios on the Azure network:
How to configure your AWS environment for Keeper Rotation
Resources in your AWS environment can be rotated either using EC2 instance roles or using a specified Access Key ID / Secret Access Key configured in the PAM Configuration record.
The role policy must be configured appropriately to enable access to the target AWS resources:
EC2 Role Policy (Preferred)
The following diagram shows the AWS environment hierarchy:
If you are running the Keeper Gateway on an EC2 instance in AWS, this method of configuration using EC2 IAM instance role policy is preferred.
To rotate credentials of AWS Managed Resources from an EC2 instance, a role with the appropriate policy settings can be configured and attached to the EC2 instance instead of using a static Access Key ID / Secret Access Key.
Below is a basic role policy:
To be configured for rotation, the following inline policy can be created with the following JSON:
The steps to create this in the AWS console are below:
Create role with JSON specified above, or click on IAM > Roles > Create Role > Select "AWS Service" with "EC2 use case".
Attach the above policy JSON to the role
In the EC2 instance view, go to Actions > Security > Modify IAM Role > Select this new role.
The above JSON can be edited to remove resources not used for rotation. For example, if no RDS resource is used, you can remove rds:DescribeDBInstances
and rds:ModifyDBInstance.
However iam:SimulatePrincipalPolicy
is required.
Using EC2 instance role policy is preferred. Alternatively, the AWS Access Key ID and Secret Access Key can be directly set in the PAM Configuration. The IAM Admin account needs to be created with the appropriate policy settings configured to access the target resource in AWS.
An inline policy can be created for a user with the following JSON:
The above JSON can be edited to remove resources not used for rotation. For example, if no RDS resource is used, you can remove rds:DescribeDBInstances
and rds:ModifyDBInstance
However iam:SimulatePrincipalPolicy
is required.
The steps to create the access keys is below:
Create a new IAM user or select an existing user
Attach the inline policy specified above to the user
Open the IAM user > Security credentials > Create access key
Select "Application running outside AWS"
Save the provided Access Key ID / Secret Access Key into the PAM Configuration
Rotating AWS EC2 Virtual Machine accounts with Keeper
In this guide, you will learn how to rotate AWS EC2 Virtual Machine (VM) Accounts on your AWS Environment using Keeper Rotation. The EC2 VM is an AWS managed resource where the EC2 VM Admin Credentials are defined in the PAM Machine record type and the configurations of the EC2 VM Users are defined in the PAM User record type.
This guide assumes the following tasks have already taken place:
Keeper can rotate any local user account on either the Gateway machine or any other machine on the network. A PAM Machine record should be created for every machine. This PAM Machine record should contain an administrative credential that has the rights to change passwords for users on the machine.
Once a PAM Machine record is created for every machine, a PAM User record needs to be created for each local user account that will be rotated. The PAM Machine record itself can also be rotated.
Keeper will use the referenced admin credential to rotate the password or SSH key of AWS Virtual Machine users in your AWS environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of these user accounts.
If you are running a rotation on a PAM Machine record which also happens to be the same machine running the Keeper Gateway, Keeper will attempt to rotate the password or SSH key for the account using the keeper-gw user. Assuming that keeper-gw has sudoers privilege, it will be able to perform rotations on the local Gateway machine.
The following table lists all the required fields on the PAM Machine record:
This PAM Machine Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
The PAM Machine record can also be set up for rotation.
If you already have a PAM Configuration for your AWS environment, you can simply add the additional Resource Credentials required for rotating machine users to the existing PAM Configuration.
Make sure the following items are completed first:
PAM Machine records have been created for each target machine
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields that needs to be filled on the PAM Configuration.
Add all of the Administrative Resource Credentials to your PAM Configuration required for performing rotation on the target machines. For example, if you are rotating 3 different PAM Machines, those needed to be added as Resource Credentials on the PAM Configuration.
Keeper will use the credentials in the PAM Machine record to rotate the PAM User records in your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields that need to be filled on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
If rotation of the PAM Machine credential is desired, select the PAM Machine record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
When rotating the private PEM Key credential on a target machine or user, Keeper will update the authorized_keys file on the machine with the new public key. The first time that a rotation occurs, the old public key is left intact in order to prevent system lockout. The second public key added to the file contains a comment that serves as an identifier for future rotations. For example:
If the first rotation is successful, you can optionally delete the old public key entry in the authorized_keys file. On subsequent rotations, Keeper will update the line which contains the "keeper-security-xxx" comment.
For Linux user rotations, password-encrypted PEM files are not currently supported.
Rotating AWS Managed Microsoft AD Service accounts with Keeper
In this guide, you will learn how to rotate Admin and User Accounts of an AWS Managed Microsoft AD service using Keeper Rotation. The Active Directory Service is an AWS managed resource where the Directory Service admin credentials are defined in the PAM Directory record type and the configurations of the AD Users are defined in the PAM User record type.
For Amazon Managed Active Directory Services, the AWS SDK will be used to rotate the password of Directory Admins. User Account passwords will be rotated using LDAP and, in order to successfully rotate, server-side LDAPS must be configured and the Directory Admin, defined in the PAM Directory record type, must be using a SSL Connection.
This guide assumes the following tasks have already taken place:
Keeper Rotation will use the Directory admin credentials of your AWS Managed Directory Service to rotate passwords of Domain Service's directory accounts. These admin credentials can also be used to rotate the passwords of the Directory admin.
The following table lists all the required fields on the PAM Directory Record:
Note: Adding Provider Region and Directory ID will enable managing the PAM Directory Record through the AWS SDK, which is preferred.
This PAM Directory Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
If you already have a PAM Configuration for your AWS environment, you can simply add the additional Resource Credentials required for rotating directory users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Directory record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Directory credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Directory record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Directory credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
The following windows command can be used to get the distinguished name of the Directory user:
If the command does not exist, you need to import the appropriate module with:
AWS Managed Resource | Corresponding Record Type |
---|---|
Field | Description |
---|---|
Managed User Type | IAM Policy |
---|---|
For EC2 VM Accounts, the AWS SDK is not used to rotate the password. Instead, the normal operating system commands are used to change the password. Keeper will connect to the target machine and send command-line commands to change the password. For a high-level overview on the rotation process in the AWS Environment, visit this .
Keeper Secrets Manager is enabled for your and your
Keeper Rotation is enabled for your
A Keeper Secrets Manager has been created.
A Keeper Rotation is already installed, running, and is able to or with your target AWS Virtual Machine(s).
Your AWS environment is per our documentation
Field | Description |
---|
A Keeper Secrets Manager has been created
A Keeper Rotation is already installed, running, and is provisioned in the Keeper Secrets Manager application you created.
Field | Description |
---|
For more details on all the configurable fields in the PAM Network Configuration record, visit this .
Field | Description |
---|
For a high-level overview on the rotation process in the AWS Environment, visit this .
Keeper Secrets Manager is enabled for your and your
Keeper Rotation is enabled for your
A Keeper Secrets Manager has been created
A Keeper Rotation is already installed, running, and is able to communicate with your AWS Directory Services
Your AWS environment is per our documentation
Field | Description |
---|
Field | Description |
---|
For more details on all the configurable fields in the PAM Network Configuration record, visit this .
Field | Description |
---|
EC2
PAM Machine
RDS
PAM Database
Directory Service
PAM Directory
Access Key ID
This is the Access Key ID from the desired Access Key found in the IAM User account
Set this field to USE_INSTANCE_ROLE
if the gateway is deployed to an EC2 Instance that supports instance roles
Secret Access Key
This is the Secret Access Key from the desired Access Key found in the IAM User account
Set this field to USE_INSTANCE_ROLE
if the gateway is deployed to an EC2 Instance that supports instance roles
Rotation uses local credentials and no specific AWS permissions are needed.
Rotation uses AWS APIs for PAM Database records and requires: iam:GetUser iam:SimulatePrincipalPolicy rds:ModifyDBInstance rds:DescribeDBInstances
For managing PAM Database or PAM User Records via SQL no AWS permissions are needed.
Rotation uses AWS APIs for PAM Directory records and requires:
iam:SimulatePrincipalPolicy ds:DescribeDirectories ds:ResetUserPassword ds:DescribeLDAPSSettings ds:DescribeDomainControllers
Rotation uses AWS APIs for PAM User records and requires:
iam:SimulatePrincipalPolicy iam:UpdateLoginProfile iam:GetUser
Title | Name of the Record i.e |
Hostname or IP Address | Machine hostname or IP as accessed by the Gateway |
Port | Typically 5985 or 5986 for WinRM, 22 for SSH. |
Login | Username of the Admin account |
Password | Required for WinRM Optional for SSH if your admin user logs in with a password, otherwise the PEM key is utilized.
Note: The following chars are restricted: |
Private PEM Key | Required for SSH if not using a password |
Operating System | The VM Operating System, i.e |
SSL Verification | For WinRM, if selected, will use SSL mode port 5986. Ignored for SSH. |
Title | Configuration name, example: |
Environment | Select: |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Active Directory server from the prerequisites |
Application Folder | Select the Shared folder that contains the PAM Machine record in Step 1 |
Admin Credentials Record | Select the PAM Machine record created in Step 1 This is the record with the admin credentials and sufficient permissions to rotate the directory user account's credentials |
AWS ID | A unique ID for this instance of AWS. This is for your reference and can be anything, but its recommended to be kept short
Ex: |
Access Key ID | Set this field to |
Secret Access Key | Set this field to |
Title | Keeper record title i.e. |
Login | Case sensitive username of the user account being rotated, e.g. |
Password | This is only required if the user logs in with a password. If the password is left blank, performing a rotation will set one. |
Private PEM Key | This is only required if you are planning to rotate the PEM key instead of rotating a password. |
Title | Configuration name, example: |
Environment | Select: |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Active Directory server from the pre-requisites |
Application Folder | Select the Shared folder that contains the PAM Directory record in Step 1 |
Admin Credentials Record | Select the PAM Directory record created in Step 1 This is the record with the admin credentials and sufficient permissions to rotate the directory user account's credentials |
AWS ID | A unique ID for this instance of AWS. This is for your reference and can be anything, but its recommended to be kept short
Ex: |
Access Key ID | Set this field to |
Access Secret Key | Set this field to |
Region Names | List of AWS region names, one per line
Example:
|
Title | Keeper record title i.e. |
Login | Username of the Directory Service's user account |
Password | Account password is optional, rotation will set one if blank |
Distinguished Name | Directory Service User Account's Distinguished Name (DN) |
Title | Name of the Record i.e. |
Hostname or IP Address | The Directory DNS Name i.e. |
Port |
Use SSL (checkbox) | Must be checked |
Login | Directory Service Admin Account i.e. |
Password | Directory Service Admin Password |
Distinguished Name | Directory Service Admin Account's Distinguished Name (DN).
Note: If DN is not provided, the following format will be used:
Given domain name is |
Domain Name | The Directory DNS Name Note: This is required if using Login instead of Distinguished Name |
Directory ID | Directory Service's Identifier i.e |
Directory Type | Directory Service Directory type, defaults to |
Provider Region | AWS region name i.e. |
Rotating AWS RDS accounts with Keeper
In this section, you will learn how to rotate DB User or Admin credentials on the following AWS Managed Databases:
If you are running a database directly on an EC2 instance in your AWS environment instead of using a managed service, refer to the Local Network > Database documentation for rotating passwords.
Rotating AWS IAM account passwords with Keeper
In this guide, you will learn how to rotate passwords for AWS IAM users. In Keeper, the PAM Configuration contains all of the information needed to rotate passwords. The record containing the AWS IAM user accounts to be rotated are stored in the PAM User record.
For a high-level overview on the rotation process in the AWS cloud environment, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed and running
Your AWS environment is configured per our documentation
The Keeper Gateway uses AWS APIs to rotate the credentials defined in the PAM User records.
In this folder, you’ll create records for the AWS IAM accounts that you’ll rotate. You will create a PAM User record for each user that will be rotated.
Keeper Rotation uses the AWS API to rotate the PAM User records in your AWS environment. The PAM User records need to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Note: You can skip this step if you already have a PAM configuration set up.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
Select the PAM User record(s) from Step 2, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field is not needed
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
Note: The user must have AWS Console access and at minimum have a temporary password set in the AWS Console before the password can be rotated.
636
for LDAPS, for default ports see
Field | Description |
---|---|
Field | Description |
---|---|
Title
Keeper record title i.e. AWS user: TestUser
Login
Case sensitive username of the account being rotated.
This is the last section of the ARN: ...:user/TestUser
Password
Providing a password is optional. Performing a rotation will set one if this field is left blank.
Distinguished Name
This is the full ARN of the user identity, e.g: arn:aws:iam::123456789:user/TestUser
Title
Configuration name, example: AWS IAM Configuration
Environment
Select: AWS
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application.
Application Folder
Select the Shared folder from Step 1 that contains the PAM User record(s) which will be rotated.
Admin Credentials Record
This is not required for IAM User rotations. It may be required for other use cases.
AWS ID
A unique ID for this instance of AWS. This is for your reference and can be anything, but its recommended to be kept short
Ex: AWS-1
Access Key ID
Set this field to USE_INSTANCE_ROLE
if you are using EC2 role policy (default). Otherwise use a specific Access Key ID.
Access Secret Key
Set this field to USE_INSTANCE_ROLE
if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key.
Rotating Admin/Regular AWS SQL Server Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS SQL Server Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for SQL Server is an AWS managed resource where the SQL Server Admin Credentials are defined in the PAM Database record type and the configurations of the SQL Server Users are defined in the PAM User record type.
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview on the rotation process in the AWS Environment, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your AWS SQL Server Database
If the Gateway is installed on a Linux or macOS server, install the Microsoft ODBC driver
Your AWS environment is configured per our documentation
The PAM Database record contains the admin credentials and necessary configurations to connect to the SQL Server RDS instance on AWS. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the SQL Server RDS instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users
If you already have a PAM Configuration for your AWS environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Rotating Admin/Regular AWS SQL Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS MySQL Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for MySQL is an AWS managed resource where the MySQL Admin Credentials are defined in the PAM Database record type and the configurations of the MySQL Users are defined in the PAM User record type.
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview on the rotation process in the AWS Environment, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your AWS MySQL Database
Your AWS environment is configured per our documentation
The PAM Database record contains the admin credentials and necessary configurations to connect to the MySQL RDS instance on AWS. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the MySQL RDS instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users
If you already have a PAM Configuration for your AWS environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Rotating Admin/Regular AWS PostgreSQL Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS PostgreSQL Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for PostgreSQL is an AWS managed resource where the PostgreSQL Admin Credentials are defined in the PAM Database record type and the configurations of the PostgreSQL Users are defined in the PAM User record type.
This guide assumes the following tasks have already taken place:
The PAM Database record contains the admin credentials and necessary configurations to connect to the PostgreSQL RDS instance on AWS. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the PostgreSQL RDS instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users
If you already have a PAM Configuration for your AWS environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Rotating Admin/Regular AWS MariaDB Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS MariaDB Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for MariaDB is an AWS managed resource where the MariaDB Admin Credentials are defined in the PAM Database record type and the configurations of the MySQL Users are defined in the PAM User record type.
This guide assumes the following tasks have already taken place:
The PAM Database record contains the admin credentials and necessary configurations to connect to the MariaDB RDS instance on AWS. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the MariaDB RDS instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users
If you already have a PAM Configuration for your AWS environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Field | Description |
---|---|
Field | Description |
---|---|
Field | Description |
---|---|
Field | Description |
---|---|
Field | Description |
---|---|
Field | Description |
---|---|
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview on the rotation process in the AWS Environment, visit this .
Keeper Secrets Manager is enabled for your and your
Keeper Rotation is enabled for your
A Keeper Secrets Manager has been created
A Keeper Rotation is already installed, running, and is able to communicate with your AWS PostgreSQL Database
Your AWS environment is per our documentation
Field | Description |
---|
Field | Description |
---|
For more details on all the configurable fields in the PAM Network Configuration record, visit this .
Field | Description |
---|
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview on the rotation process in the AWS Environment, visit this .
Keeper Secrets Manager is enabled for your and your
Keeper Rotation is enabled for your
A Keeper Secrets Manager has been created
A Keeper Rotation is already installed, running, and is able to communicate with your AWS MariaDB Database
Your AWS environment is per our documentation
Field | Description |
---|
Field | Description |
---|
For more details on all the configurable fields in the PAM Network Configuration record, visit this .
Field | Description |
---|
Title
Keeper record title Ex: RDS SQL Server Admin
Hostname or IP Address
The RDS Endpoint i.e. rdsdb.ckivswes.us-east-2.rds.amazonaws.com
Port
The RDS Port, for default ports see port mapping
i.e. 1433
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
Admin account username that will perform rotation
Password
Admin account password
Connect Database
Optional database that will be used when connecting to the database server.
For example, MS SQL server requires a database and so this will default to master
.
Database ID
The AWS DB instance ID
Database Type
mssql
Provider Region
The region your Amazon RDS instance is using. i.e us-east-2
Title
Configuration name, example: AWS RDS Configuration
Environment
Select: AWS
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your SQL Server RDS Instance
Application Folder
Select the Shared folder that contains the PAM Database record in Step 1
Admin Credentials Record
Select the PAM Database record created in Step 1 This is the record with the admin credentials and sufficient permissions to rotate the credentials of regular database user accounts
AWS ID
A unique ID for this instance of AWS. This is for your reference and can be anything, but its recommended to be kept short
Ex: AWS-1
Access Key ID
Set this field to USE_INSTANCE_ROLE
if you are using EC2 role policy (default). Otherwise use a specific Access Key ID.
Access Secret Key
Set this field to USE_INSTANCE_ROLE
if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key.
Title
Keeper record title i.e. AWS DB User 1
Login
Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST
Password
Account password is optional, rotation will set one if blank
Connect Database
Optional database that will be used when connecting to the database server.
For example, MS SQL server requires a database and so this will default to master
.
Title
Keeper record title Ex: AWS MySQL Admin
Hostname or IP Address
The RDS Endpoint i.e. rdsdb.ckivswes.us-east-2.rds.amazonaws.com
Port
The RDS Port, for default ports see port mapping
i.e. 3306
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
Admin account username that will perform rotation
Password
Admin account password
Database ID
The AWS DB instance ID
Database Type
mysql
Provider Region
The region your Amazon RDS instance is using. i.e us-east-2
Title
Configuration name, example: AWS RDS Configuration
Environment
Select: AWS
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MySQL RDS Instance
Application Folder
Select the Shared folder that contains the PAM Database record in Step 1
Admin Credentials Record
Select the PAM Database record created in Step 1 This is the record with the admin credentials and sufficient permissions to rotate the credentials of regular database user accounts
AWS ID
A unique ID for this instance of AWS. This is for your reference and can be anything, but its recommended to be kept short
Ex: AWS-1
Access Key ID
Set this field to USE_INSTANCE_ROLE
if you are using EC2 role policy (default). Otherwise use a specific Access Key ID.
Access Secret Key
Set this field to USE_INSTANCE_ROLE
if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key.
Title
Keeper record title i.e. AWS DB User 1
Login
Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST
Password
Account password is optional, rotation will set one if blank
Title | Configuration name, example: |
Environment | Select: |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your PostgreSQL RDS Instance |
Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
Admin Credentials Record | Select the PAM Database record created in Step 1 This is the record with the admin credentials and sufficient permissions to rotate the credentials of regular database user accounts |
AWS ID | A unique ID for this instance of AWS. This is for your reference and can be anything, but its recommended to be kept short
Ex: |
Access Key ID | Set this field to |
Access Secret Key | Set this field to |
Title | Keeper record title i.e. |
Login | Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as |
Password | Account password is optional, rotation will set one if blank |
Connect Database | Optional database that will be used when connecting to the database server. For example: PostgreSQL requires a database and so this will default to template1 |
Title | Configuration name, example: |
Environment | Select: |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MariaDB RDS Instance |
Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
Admin Credentials Record | Select the PAM Database record created in Step 1 This is the record with the admin credentials and sufficient permissions to rotate the credentials of regular database user accounts |
AWS ID | A unique ID for this instance of AWS. This is for your reference and can be anything, but its recommended to be kept short
Ex: |
Access Key ID | Set this field to |
Access Secret Key | Set this field to |
Title | Keeper record title i.e. |
Login | Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as |
Password | Account password is optional, rotation will set one if blank |
Title | Keeper record title Ex: |
Hostname or IP Address | The RDS Endpoint i.e. |
Port |
Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
Login | Admin account username that will perform rotation |
Password | Admin account password |
Connect Database | Optional database that will be used when connecting to the database server.
For example, PostgreSQL requires a database and so this will default to |
Database ID | The AWS DB instance ID |
Database Type |
|
Provider Region | The region your Amazon RDS instance is using. i.e |
Title | Keeper record title Ex: |
Hostname or IP Address | The RDS Endpoint i.e. |
Port |
Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
Login | Admin account username that will perform rotation |
Password | Admin account password |
Database ID | The AWS DB instance ID |
Database Type |
|
Provider Region | The region your Amazon RDS instance is using. i.e |
Rotating Admin/Regular AWS Oracle Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS Oracle Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for Oracle is an AWS managed resource where the Oracle Admin Credentials are defined in the PAM Database record type and the configurations of the MySQL Users are defined in the PAM User record type.
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview on the rotation process in the AWS Environment, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your AWS Oracle Database
Your AWS environment is configured per our documentation
The PAM Database record contains the admin credentials and necessary configurations to connect to the Oracle RDS instance on AWS. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the Oracle RDS instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users
If you already have a PAM Configuration for your AWS environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
The RDS Port, for default ports see
i.e. 5432
The RDS Port, for default ports see
i.e. 3306
Field | Description |
---|---|
Field | Description |
---|---|
Field | Description |
---|---|
Title
Keeper record title Ex: AWS Oracle Admin
Hostname or IP Address
The RDS Endpoint i.e. rdsdb.ckivswes.us-east-2.rds.amazonaws.com
Port
The RDS Port, for default ports see port mapping
i.e. 1521
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
Admin account username that will perform rotation
Password
Admin account password
Connect Database
Optional database that will be used when connecting to the database server.
Database ID
The AWS DB instance ID
Database Type
oracle
Provider Region
The region your Amazon RDS instance is using. i.e us-east-2
Title
Configuration name, example: AWS RDS Configuration
Environment
Select: AWS
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Oracle RDS Instance
Application Folder
Select the Shared folder that contains the PAM Database record in Step 1
Admin Credentials Record
Select the PAM Database record created in Step 1 This is the record with the admin credentials and sufficient permissions to rotate the credentials of regular database user accounts
AWS ID
A unique ID for this instance of AWS. This is for your reference and can be anything, but its recommended to be kept short
Ex: AWS-1
Access Key ID
Set this field to USE_INSTANCE_ROLE
if you are using EC2 role policy (default). Otherwise use a specific Access Key ID.
Access Secret Key
Set this field to USE_INSTANCE_ROLE
if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key.
Title
Keeper record title i.e. AWS DB User 1
Login
Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST
Password
Account password is optional, rotation will set one if blank
Connect Database
Optional database that will be used when connecting to the database server. For example: PostgreSQL requires a database and so this will default to template1