It's pretty straightforward.
You must create an IAM account in AWS for PAM to use. Take the resultant Access Key ID and Secret Key and load them in the PAM credential vault.
Once loaded, you can use this credential to connect to any region with PAM via Config > 3rd Party for importing and accessing target instances as well as rolling passwords and keys for these targets in AWS.
Now that you have that done, you need to add an LDAP repository to PAM for domain users to authenticate against. Once these user IDs are imported into PAM from LDAP/AD, you can create policies to allow these domain users access to AWS target devices, or the AWS web UI.
All users log in to PAM with their domain credentials, and PAM federates access to AWS via the Access Key ID and Secret Key that is stored in PAM.
Here are a few screenshots showing an AD PAM user accessing AWS using the federated credential (no dedicated AWS IAM accounts needed for individual users or apps).
//Shawn
Shawn W. Hank
Senior Principal Consultant, Presales
CA Technologies | 2291 Wood Oak Dr. | Herndon, VA 20171 |
Office: +1 703 709 4468 | Mobile: +1 571 409 3042 | Shawn.Hank@ca.com
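Added example, not from Shawn's post or from CA's documentation: a shell script that provisions the dedicated IAM user the post tells you to create, with an inline policy scoped to the two things the post says PAM does with that credential (importing instances and rolling keys). The permission set, the `pam-service` user name and the `pam-managed-*` naming of the target IAM users are assumptions; the actual set CA PAM requires has to come from the vendor documentation.

```shell
#!/bin/sh
# Added example (not from the original post or CA's documentation).
# Provisions the IAM user whose Access Key ID / Secret Key go into the PAM
# vault, with an inline policy limited to what the post says PAM does:
# describe EC2 targets and roll access keys for target IAM users.
# The exact permission set CA PAM needs is an ASSUMPTION: verify and tighten.
set -eu

PAM_USER="${PAM_USER:-pam-service}"                # assumed user name
POLICY_NAME="${POLICY_NAME:-PamFederationScoped}"  # assumed policy name

# Least-privilege policy document: no wildcard actions, no console login.
pam_policy_json() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DiscoverTargets",
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances", "ec2:DescribeRegions"],
      "Resource": "*"
    },
    {
      "Sid": "RollTargetKeys",
      "Effect": "Allow",
      "Action": ["iam:ListAccessKeys", "iam:CreateAccessKey", "iam:UpdateAccessKey", "iam:DeleteAccessKey"],
      "Resource": "arn:aws:iam::*:user/pam-managed-*"
    }
  ]
}
EOF
}

# Returns 0 if a policy grants "Action": "*" (the weak setting to avoid).
policy_has_wildcard_action() {
  printf '%s' "$1" | grep -Eq '"Action": *"\*"|"Action": *\[[^]]*"\*"'
}

# Create the user, attach the scoped policy, mint the single key pair PAM vaults.
provision_pam_user() {
  tmp=$(mktemp)
  pam_policy_json > "$tmp"
  aws iam create-user --user-name "$PAM_USER"
  aws iam put-user-policy --user-name "$PAM_USER" \
    --policy-name "$POLICY_NAME" --policy-document "file://$tmp"
  rm -f "$tmp"
  # Output holds AccessKeyId and SecretAccessKey: load them into the PAM
  # vault and discard; PAM should be the only place the secret lives.
  aws iam create-access-key --user-name "$PAM_USER"
}

if [ "${1:-}" = "provision" ]; then provision_pam_user; fi
```

Run with `./pam-iam.sh provision` once the AWS CLI is configured with an administrator profile; without the argument it only defines the functions.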