# Rotation Overview

## Prerequisites An active license is required in order to use the features available with KeeperPAM. This license is available for both business and enterprise customers. * [KeeperPAM Homepage](https://www.keepersecurity.com/privileged-access-management/) * [Request a Demo](https://www.keepersecurity.com/contact.html?t=b\&r=sales) * [Contact Support](https://www.keepersecurity.com/support.html) Prior to setting up password rotation, make sure to have the following set up: * Learn about KeeperPAM in the [Getting Started](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started) section * [Enable Enforcement Policies](#enable-enforcement-policies) * [Deploy a Keeper Gateway](#deploy-a-keeper-gateway) * [Create a PAM User record](#create-a-pam-user-record) * [Create a PAM Resource](#create-a-pam-resource) * [Configure rotation settings](#configure-rotation-settings) ### Enable Enforcement Policies Enforcement policies for KeeperPAM password rotation are managed in the Keeper Admin Console under **Admin** > **Roles** > **Enforcement Policies** > **Privileged Access Manager**.

For Password Rotation capabilities, enable the necessary policies:

Enforcement Policy	Commander Enforcement	Definition
Can create applications and manage secrets	`ALLOW_SECRETS_MANAGER`	Allow users to create a Secrets Manager Application
Can create, deploy and manage Keeper Gateways	`ALLOW_PAM_GATEWAY`	Allow users to deploy and manage a Keeper Gateway
Can configure rotation settings	`ALLOW_PAM_ROTATION`	Allow users to set up rotation on a PAM User record
Can configure rotation settings (legacy setting)	`ALLOW_CONFIGURE_ROTATION_SETTINGS`	This should be set the same as ALLOW_PAM_ROTATION
Can rotate credentials	`ALLOW_ROTATE_CREDENTIALS`	All users to perform a password rotation action

Rotation can also be enabled on the [Keeper Commander CLI](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/secrets-manager-commands#overview) using the `enterprise-role` command:

enterprise-role "Keeper Administrator" --enforcement "ALLOW_SECRETS_MANAGER":true
enterprise-role "Keeper Administrator" --enforcement "ALLOW_PAM_GATEWAY":true
enterprise-role "Keeper Administrator" --enforcement "ALLOW_PAM_ROTATION":true
enterprise-role "Keeper Administrator" --enforcement "ALLOW_CONFIGURE_ROTATION_SETTINGS":true
enterprise-role "Keeper Administrator" --enforcement "ALLOW_ROTATE_CREDENTIALS":true

### Deploy a Keeper Gateway If you haven't yet created a Keeper Gateway yet, a new Gateway deployment can be created by clicking on **Create New** > **Gateway** from the Web Vault or Desktop App (version 17.1 or newer). We have also posted a page describing how to create a sandbox environment in [just a few steps](https://docs.keeper.io/en/keeperpam/privileged-access-manager/quick-start-sandbox): * [Quick Start: Sandbox](https://docs.keeper.io/en/keeperpam/privileged-access-manager/quick-start-sandbox)

### Create an Application When you use the Gateway using the **Create New** > **Gateway** feature, Keeper will automatically create the Secrets Manager Application, Shared Folders and PAM Configuration. In the Secrets Manager section of the vault, you'll see the Application assigned to Shared Folders and also assigned to the Gateway.

### Create a PAM User record A PAM user record holds a privileged account credential, password or private key. For steps on creating a PAM User, [follow this page](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-user). The example below shows a PAM User record for an admin password on a Windows server. The PAM User record is added to a Shared Folder containing user accounts.

### Create a PAM Resource A PAM Resource represents a Machine, Database or Directory.

Create new Machine, Database or Directory

### Configure rotation settings

### Password Rotation Settings

Field	Description	Required
Rotation Type	Specifies which type of rotation is being performed (and which protocol is utilized).	Required "General", "IAM User" or "Run PAM Scripts Only". See below for details.
PAM Resource	For General rotation type, specifies the PAM Resource record which can provide the necessary privilege. For IAM User rotation type, specifies the PAM Configuration utilizing cloud APIs.	Required only for "General" and "IAM User" rotation types
Rotation Schedule	Rotation can be performed on-demand or on a specific schedule.	For advanced scheduling, see the cron spec.
Password Complexity	Applies to password-based rotations, not PEM keys.	Select "Show More" to control special characters and symbols.

### Rotation Type Keeper supports 3 different types of rotation: * **General:** Uses native protocols for performing the rotation, such as LDAP, Databases, SSH keys, etc. * **IAM User:** Uses the cloud-specific APIs for performing rotation, such as AWS IAM users, Azure managed resources, and Google Workspace principals. In this case, only the PAM Configuration is required since it contains the necessary credentials. * **Run PAM scripts only:** Skips the standard rotation and only executes the attached PAM Scripts.

The rotation schedule can be set on a specific interval, or using a [cron spec](https://docs.keeper.io/en/keeperpam/privileged-access-manager/references/cron-spec).

### PAM Resource To complete the Rotation setup, you need to select a resource, which depends on the rotation type. For a "General" rotation, the Keeper Gateway uses a native protocol for performing the necessary rotation, and the rotation will be executed on the associated PAM Resource supplied. If necessary, the rotation will use the associated administrative credential on the PAM Resource. In the example below, a Windows service account password is going to be rotated on the associated Windows Server.

For an "IAM User" rotation type, the Keeper Gateway will use the referenced PAM Configuration to determine which APIs and methods are used to perform the rotation. In the example below, an IAM user in AWS will use the "AWS (US-WEST-1)" configuration. When using the IAM User rotation method, it is assumed that the Keeper Gateway either inherits its privilege from the instance role policy, or through explicit access keys that are provided on the PAM Configuration record.

### In Summary: * The PAM User record holds the credential that is being rotated. * The Rotation Settings of the PAM User record references a specific PAM Machine, PAM Database or PAM Directory resource. This is the target resource where the rotation is performed. * The Keeper Gateway uses the Admin Credential associated to the PAM Machine, PAM Database or PAM Directory resource to perform the rotation with native protocols. * For AWS, Azure and GCP managed resources, Keeper uses Instance Role permission of the Gateway, or specific PAM Configuration secrets to perform the rotation with APIs. * For Google Cloud managed resources, Keeper uses the Service Account permissions of the Gateway. ### Examples Below are some examples of PAM User records. * Windows Domain Admin

* Windows Domain User with post-rotation scripts

* AWS IAM User

* Database user

* Azure AD User

## Record Types for Rotation The rotation of credentials is restricted to the [PAM User](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-user) record type. {% hint style="info" %} In previous versions of Keeper, rotation was permitted on PAM Machine, PAM Database and PAM Directory records. In the latest version of KeeperPAM, you will be prompted to separate the PAM Resources from the PAM User. See the [Record Linking](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/record-linking) documentation for more info. {% endhint %} When you have activated Keeper Secrets Manager or KeeperPAM, the following new record types will be available to users: * **PAM User**\ Contains a login / password, private key, or both. * **PAM Directory**\ Information about your on-prem or cloud-based directory * **PAM Database**\ Self-hosted or managed cloud-based databases such as MySQL, SQL Server, etc. * **PAM Machine**\ Windows, Linux, macOS machines on-prem or in the cloud * **PAM Remote Browser**\ Remote browser isolation to protect web-based applications All 5 record types can be added in the Vault, placed in folders, and shared like any other Keeper records. * See [PAM Resources](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources) ## PAM Configurations When rotation is activated, within the Secrets Manager screen of the vault you'll see a section called **PAM Configurations**. A PAM Configuration is an object which is contains the following: * **Environment**\ Local Network, AWS or Azure * **Keeper Gateway**\ Service which you install into your on-prem or cloud infrastructure * **Application Folder**\ Shared Folder which contains the Secrets Manager application and associated records * **Administrative Credentials**\ Keeper record which contains privileged credentials for performing rotation and discovery. Customers may have any number of PAM Configurations, Applications and Gateways. * More information on: [PAM Configuration](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-configuration), [Applications](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/applications) and [Gateways](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways) ## How to Rotate a Password The basic steps to rotation of passwords in any target environment are: * Add PAM User records to the Shared Folder * Add PAM Resource (Machine, Database, Directory) records to a Shared Folder * Configure rotation settings on each PAM User record * Create a Secrets Manager application * Assign the Secrets Manager application to the Shared Folders * Set the shared folder permissions containing the PAM Users from Read Only to Can Edit * Add a [Keeper Gateway](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways) to the Secrets Manager application * Create a [PAM Configuration](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-configuration) which ties everything together * Assign rotation settings to the [PAM User](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-user) records ## Rotation on Keeper Commander For automation of Rotation capabilities, [Keeper Commander](https://docs.keeper.io/en/keeperpam/commander-cli/overview) supports KeeperPAM rotation using the following commands: * [`pam action rotate`](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/keeperpam-commands) * [`pam action job-info`](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/keeperpam-commands) Example: ``` My Vault> pam action rotate -r 5NaygwI4LK1BDZmH3Ib Scheduled action id: MfKbPR3ac6A/oBDZpctpOg== My Vault> pam action job-info MfKbPR3ac6A/oBDZpctpOg== -g QPkRsR8KQm6_4vnHTcofZA Job id to check [MfKbPR3ac6A/oBDZpctpOg==] Execution Details ------------------------- Status : finished Duration : 0:00:17.525641 Response Message : Rotation completed for record uid 5NaygwI4LK1BDZmH3Ib My Vault> ``` ## Services and Scheduled Tasks Keeper Rotation can also update the "log on" credentials for Windows service accounts and scheduled tasks. See the [Service Management](https://docs.keeper.io/en/keeperpam/privileged-access-manager/password-rotation/service-management) documentation. ## Record Import Keeper supports importing in bulk from JSON format. See the [Importing PAM Records](https://docs.keeper.io/en/keeperpam/privileged-access-manager/references/importing-pam-resources) section for more details.