Hello All, looking for approaches around authenticating AWS EC2 against corp AD using latest CA PAM solution...any pointers here. Thanks
It's pretty straight forward.
You must create an IAM account in AWS for PAM to use. Take the resultant Access Key ID and Secret Key and load them in the PAM credential vault.
Once loaded, you can use this credential to connect to any region with PAM via Config > 3rd Party for importing and accessing target instances as well as rolling passwords and keys for these targets in AWS.
Now that you have that done, you need to an an LDAP repository to PAM for Domain users to authenticate against. Once these user IDs are import to PAM from LDAP/AD, you can create policies to allow these domain users access to AWS target devices, or the AWS WEB UI.
All users login to PAM with their domain credentials, and PAM federates access to AWS via the Access ID and Secret Key that is stored in the PAM.
Here are a few screenshots showing an AD PAM user accessing AWS using the federated credential (no dedicated AWS IAM Accounts needed for individual users or apps).
Shawn W. Hank
Senior Principal Consultant, Presales
CA Technologies | 2291 Wood Oak Dr. | Herndon, VA 20171 |
Office: +1 703 709 4468 | Mobile: +1 571 409 3042 | Shawn.Hank@ca.com
Thanks Shawn...a clear explanation.
Whereas, have few more questions from the explanation,
1. When you say 'Federated Login'....is that at a domain level?
2. Also when you say 'create an IAM account in AWS for PAM to use' --> is this the only account (service account like) used to connect to AWS every time any user from AD access AWS via PAM?
One other question...
3. With this approach, do we also need to find a way to block direct access to AWS and enforce access only to AWS via CA PAM client or interface?
No need to block direct access.
There won't be other credentials available. Any existing AWS IAM credential/account should be revoked so that in the PAM federation is the only way to login to AWS.
2291 Wood Oak Dr., Herndon, VA 20171
Office: +1 703 709 4468
Mobile: +1 571 409 3042
Retrieving data ...