Symantec Privileged Access Management

  • 1.  Hello All, looking for approaches around authenticating AWS EC2 against corp AD using latest CA PAM solution...any pointers here. Thanks

    Posted Jun 17, 2016 10:39 AM

    Hello All, looking for approaches around authenticating AWS EC2 against corp AD using latest CA PAM solution...any pointers here. Thanks



  • 2.  Re: Hello All, looking for approaches around authenticating AWS EC2 against corp AD using latest CA PAM solution...any pointers here. Thanks
    Best Answer

    Broadcom Employee
    Posted Jun 30, 2016 11:10 AM

    It's pretty straightforward.

    You must create an IAM account in AWS for PAM to use. Take the resultant Access Key ID and Secret Key and load them in the PAM credential vault.

    Once loaded, you can use this credential to connect to any region with PAM via Config > 3rd Party for importing and accessing target instances as well as rolling passwords and keys for these targets in AWS.

    Now that you have that done, you need to add an LDAP repository to PAM for Domain users to authenticate against. Once these user IDs are imported to PAM from LDAP/AD, you can create policies to allow these domain users access to AWS target devices, or the AWS WEB UI.

    All users login to PAM with their domain credentials, and PAM federates access to AWS via the Access ID and Secret Key that is stored in the PAM.

    Here are a few screenshots showing an AD PAM user accessing AWS using the federated credential (no dedicated AWS IAM Accounts needed for individual users or apps).

    //Shawn

    Shawn W. Hank
    Senior Principal Consultant, Presales
    CA Technologies | 2291 Wood Oak Dr. | Herndon, VA 20171 |
    Office: +1 703 709 4468 | Mobile: +1 571 409 3042 | Shawn.Hank@ca.com

    [Attached screenshots: 1.png, 2.png, 3.png, 4.png]



  • 3.  Re: Hello All, looking for approaches around authenticating AWS EC2 against corp AD using latest CA PAM solution...any pointers here. Thanks

    Posted Jun 30, 2016 02:49 PM

    Thanks Shawn...a clear explanation.

    Whereas, I have a few more questions from the explanation,

    1. When you say 'Federated Login'....is that at a domain level?

    2. Also when you say 'create an IAM account in AWS for PAM to use' --> is this the only account (service account like) used to connect to AWS every time any user from AD accesses AWS via PAM?

    Thanks!



  • 4.  Re: Hello All, looking for approaches around authenticating AWS EC2 against corp AD using latest CA PAM solution...any pointers here. Thanks

    Posted Jun 30, 2016 02:52 PM

    One other question...

    3. With this approach, do we also need to find a way to block direct access to AWS and enforce access only to AWS via CA PAM client or interface?



  • 5.  Re: Hello All, looking for approaches around authenticating AWS EC2 against corp AD using latest CA PAM solution...any pointers here. Thanks

    Broadcom Employee
    Posted Jun 30, 2016 03:09 PM

    No need to block direct access.

    There won't be other credentials available. Any existing AWS IAM credential/account should be revoked so that PAM federation is the only way to login to AWS.

    //Shawn
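    A defender-side check for the point made in this reply: once the PAM service account holds the only AWS access key, any other active IAM credential is a path around PAM. The Python below is an added example, not CA/Broadcom code and not part of the original thread. It audits an IAM credential report (the CSV produced by `aws iam get-credential-report`, trimmed here to the columns the check uses) and flags console passwords and access keys that do not belong to the PAM service user. The account id, the user name `pam-service`, and every timestamp are constructed for illustration.

```python
"""
Audit an AWS IAM credential report for credentials that bypass PAM.

Assumption: a single IAM user (here "pam-service") holds the access key
stored in the PAM vault. Every other console password or active access
key is a way to reach AWS without going through PAM and should be
revoked, as the thread recommends.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample credential report (not real AWS data). Column names
# match the real report, trimmed to the ones used below; account id,
# users and timestamps are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2015-01-01T00:00:00+00:00,not_supported,2016-05-01T12:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,false,N/A,N/A
pam-service,arn:aws:iam::123456789012:user/pam-service,2016-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2016-06-01T00:00:00+00:00,2016-06-29T08:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2015-03-10T00:00:00+00:00,true,2016-06-28T09:30:00+00:00,2016-01-10T00:00:00+00:00,N/A,true,false,N/A,N/A,false,N/A,N/A
build-bot,arn:aws:iam::123456789012:user/build-bot,2015-08-20T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2015-08-20T00:00:00+00:00,2016-06-30T01:00:00+00:00,true,2016-02-01T00:00:00+00:00,N/A
bob,arn:aws:iam::123456789012:user/bob,2015-09-01T00:00:00+00:00,false,no_information,N/A,N/A,false,false,N/A,N/A,false,N/A,N/A
"""


def parse_report(report_csv: str) -> list:
    """Parse the credential report CSV into one dict per IAM principal."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def find_bypass_credentials(rows, pam_user: str) -> list:
    """Return one finding per credential that could bypass PAM.

    Findings: a root user whose console password has ever been used,
    any user with a console password enabled, and any active access key
    held by a user other than pam_user.
    """
    findings = []
    for row in rows:
        user = row["user"]
        if user == "<root_account>":
            # Root has no access keys in this sample; flag console use.
            if row["password_last_used"] not in ("N/A", "no_information"):
                findings.append({"user": user,
                                 "issue": "root console login used",
                                 "last_used": row["password_last_used"]})
            continue
        if row["password_enabled"] == "true":
            findings.append({"user": user,
                             "issue": "console password enabled",
                             "last_used": row["password_last_used"]})
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true" and user != pam_user:
                findings.append({"user": user,
                                 "issue": f"active access key {n}",
                                 "last_used": row[f"access_key_{n}_last_used_date"]})
    return findings


def pam_key_age_days(rows, pam_user: str, now: datetime) -> int:
    """Days since the PAM service user's primary access key was rotated.

    The PAM key is the one credential that must stay, so its rotation
    age is the figure worth alerting on separately.
    """
    for row in rows:
        if row["user"] == pam_user:
            rotated = datetime.fromisoformat(row["access_key_1_last_rotated"])
            return (now - rotated).days
    raise ValueError(f"{pam_user} not present in credential report")


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for f in find_bypass_credentials(rows, "pam-service"):
        print(f"{f['user']:>16}  {f['issue']:<26}  last used: {f['last_used']}")
    now = datetime(2016, 6, 30, tzinfo=timezone.utc)
    print("pam-service key age (days):", pam_key_age_days(rows, "pam-service", now))
```

    Against the sample report the audit flags the root console login, alice's console password and both of build-bot's access keys, and reports nothing for pam-service or bob; in practice the same functions run over the report fetched with the AWS CLI.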



  • 6.  Re: Hello All, looking for approaches around authenticating AWS EC2 against corp AD using latest CA PAM solution...any pointers here. Thanks

    Broadcom Employee
    Posted Jun 30, 2016 02:55 PM

    See below...

    //Shawn