
# PAM Cloud


## Overview

A PAM Cloud record is a type of KeeperPAM resource that represents a way to access cloud platform environments, such as an AWS account, Azure tenant, or GCP console. It also enables access to platforms that use a cloud identity provider for SAML and SCIM access (such as Snyk, Box, and GitHub). Access can be granted through Just-In-Time (JIT) user elevation, and the record enables Remote Browser Isolation (RBI) access when permissions are granted.

<table><thead><tr><th width="215">PAM Record Type</th><th>Supported Assets</th></tr></thead><tbody><tr><td>PAM Cloud</td><td>AWS, GCP, Azure, and any application that uses SAML or SCIM from AWS IAM and Identity Center, Azure Entra ID, GSuite, Okta, and Active Directory.</td></tr></tbody></table>

### Accessing a Resource After Elevation

Once access has been approved, users can access the target resource using either Keeper's Remote Browser Isolation (RBI) capability or their organization's standard authentication workflow. When using RBI, the user launches the protected web application directly from the Keeper Vault, providing secure, isolated browser access without exposing credentials or requiring direct connectivity from the user's device.

Alternatively, users may access the platform using the same login methods they normally use. For example, AWS IAM Identity Center users can sign in through their standard AWS access portal (Start URL), while users of AWS CLI, Terraform, or other SDK-based tools can authenticate through their existing workflows. Because KeeperPAM has temporarily elevated the user's privileges, the user will be able to select or assume the authorized elevated role during the approved access window. When the access duration expires, the elevated privileges are automatically removed.
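To verify that elevated roles are only used inside approved access windows, role-assumption events can be compared against the approvals. The following is an added example, not Keeper code: the approval layout, the simplified event fields, the user names and the role ARNs are all constructed assumptions.

```python
from datetime import datetime, timezone

ELEVATED = "arn:aws:iam::111122223333:role/ElevatedAdmin"   # constructed ARN
READONLY = "arn:aws:iam::111122223333:role/ReadOnly"        # constructed ARN

# Constructed approvals; this layout is hypothetical, not a Keeper export format.
APPROVALS = [
    {"user": "alice", "role": ELEVATED,
     "start": "2024-05-01T10:00:00Z", "end": "2024-05-01T11:00:00Z"},
]

# Constructed, simplified role-assumption events (real CloudTrail records
# nest the caller under userIdentity and the role under requestParameters).
EVENTS = [
    {"time": "2024-05-01T10:15:00Z", "user": "alice", "role": ELEVATED},
    {"time": "2024-05-01T10:30:00Z", "user": "alice", "role": READONLY},
    {"time": "2024-05-01T10:20:00Z", "user": "bob", "role": ELEVATED},
    {"time": "2024-05-01T11:30:00Z", "user": "alice", "role": ELEVATED},
]

def ts(value):
    """Parse a UTC timestamp such as 2024-05-01T10:15:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def out_of_window(events, approvals, elevated_roles):
    """Return (user, time, reason) for elevated-role use not covered by an approval."""
    findings = []
    for ev in events:
        if ev["role"] not in elevated_roles:
            continue  # only roles granted through elevation are audited
        grants = [a for a in approvals
                  if a["user"] == ev["user"] and a["role"] == ev["role"]]
        when = ts(ev["time"])
        if any(ts(a["start"]) <= when < ts(a["end"]) for a in grants):
            continue  # inside an approved access window
        reason = "outside_window" if grants else "no_approval"
        findings.append((ev["user"], ev["time"], reason))
    return findings

if __name__ == "__main__":
    for finding in out_of_window(EVENTS, APPROVALS, {ELEVATED}):
        print(finding)
```
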

### Remote Browser Isolation

When using RBI for accessing the cloud resource, PAM Cloud records provide a Remote Browser "Launch" capability which loads internal and cloud-based web applications through a protected browser, embedded within the vault. This browser is projected visually from the Keeper Gateway through the Keeper Vault, isolating the session and providing zero-trust access.

## Features Available

The PAM Cloud resource supports the following features:

* Privilege Elevation of any cloud resource through Workflow and Just-In-Time (JIT) elevation
* Zero-trust Connections over `http://` and `https://` websites through RBI
* Support for AWS, Azure, GCP, Okta and more
* Sharing cloud access without sharing credentials

{% hint style="info" %}
Connecting to the protected web application requires only that the Keeper Gateway has access to the target website. The Keeper Vault operates independently and does not require direct connectivity to the website, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the [network architecture diagram](/keeperpam/privileged-access-manager/getting-started/architecture/system-architecture.md) for more details.
{% endhint %}

## Creating a Cloud Record

Prior to creating a PAM Cloud Record, make sure you have already created a PAM Configuration. The PAM Configuration contains information about your target infrastructure, while the PAM Cloud record contains information about the target cloud platform and associated access rules.

To create a PAM Cloud Resource:

* Click on **Create New**
* Select "**Connection**"
* In the window that appears:
  * Select "**New Record**"
  * Select the Shared Folder you want the record to be created in
  * Specify the Title
  * Select "**Cloud Resource**" for the Target
* Click "**Next**" and complete all of the required information.


## PAM Cloud Record Type Fields

The following table lists all the configurable fields on the PAM Remote Browser Record Type:

<table><thead><tr><th width="168">Field</th><th width="251">Description</th><th>Notes</th></tr></thead><tbody><tr><td>URL</td><td>IP or Website address</td><td><strong>Required</strong><br><br>The target URL only needs to be accessible from the Keeper Gateway</td></tr><tr><td>Account Identifier</td><td>An account identifier such as AWS Account ID, GCP Domain Name, etc.</td><td>Used only to share extra information with users receiving a shared record</td></tr></tbody></table>

## PAM Settings

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection, JIT, KeeperAI, and Workflow settings.


### PAM Settings Information

<table><thead><tr><th>Field</th><th width="233">Description</th><th>Required</th></tr></thead><tbody><tr><td>PAM Configuration</td><td>Associated PAM Configuration record which defines the environment</td><td><strong>Required</strong></td></tr><tr><td>Browser Autofill Credentials</td><td>Linked PAM User credential used for autofill</td><td></td></tr><tr><td>Protocol</td><td>Native protocol used for connecting from the Gateway to the target</td><td><strong>Required</strong></td></tr><tr><td>Session Recording</td><td>Options for recording sessions and typescripts</td><td>See <a href="/pages/m19rR4xhfT5odwSgVjsZ">session recording</a></td></tr><tr><td>Browser Settings (multiple)</td><td>Browser-specific protocol settings</td><td>See <a href="/pages/zOFd8ti3gLBcoQ9ASEhv">RBI page</a></td></tr><tr><td>JIT Settings</td><td>Specifies the identity provider group targeted for the user's elevation</td><td>See <a data-mention href="/pages/I6wk5E0TDTjtrnvuMdLO#pam-cloud-record">/pages/I6wk5E0TDTjtrnvuMdLO#pam-cloud-record</a></td></tr><tr><td>Workflow Settings</td><td>Provides access time and approvals for elevation (if configured)</td><td>See <a data-mention href="/pages/XxNCDDQtE3ysUWYD4fMk">/pages/XxNCDDQtE3ysUWYD4fMk</a></td></tr></tbody></table>


Additional information on PAM Cloud Records can be accessed at [Keeper Privileged Cloud](/keeperpam/privileged-access-manager/just-in-time-access-jit/keeper-privileged-cloud.md#pam-cloud-record).


