Symantec Privileged Access Management

  • 1.  Question about Account list when configuring auto-login to EC2 in AWS

    Broadcom Employee
    Posted Jan 18, 2018 01:37 AM

    We have 3 EC2 instances in AWS, and each instance has a different key pair associated with it. 3 accounts are created for each instance, so a total of 9 accounts are added to PAM.

    Then, when configuring auto-login to one of the EC2 instances and adding accounts to the target application, only 3 of the accounts appear, not the total of 9.

    My assumption is that PAM will only list the accounts associated with that EC2 instance.

    Using the above example, we have EC2 instances A, B, C with the corresponding key pairs AKey, BKey, CKey.

    Accounts 1, 2, 3 are created for each instance, so there will be a total of 9 accounts:

    1-AKey, 2-AKey, 3-AKey;

    1-BKey, 2-BKey, 3-BKey;

    1-CKey, 2-CKey, 3-CKey.

    When configuring auto-login to instance A, PAM lists only the 1-AKey, 2-AKey, 3-AKey accounts that are associated with instance A, not all 9 of them.

    Can anyone confirm that this is how PAM currently works, or is it a bug?

    Best Regards

    Jerry

  • 2.  Re: Question about Account list when configuring auto-login to EC2 in AWS
    Best Answer

    Broadcom Employee
    Posted Jan 18, 2018 09:19 AM

    Hi Jerry, Yes, that is working as designed. Only target accounts for the target device that you create an access policy for will be listed, and for most users that is expected behavior. If you have a credential source that works for multiple devices, you create a device group and associate the credential source with the device group. Then all devices in the group can use any credential from the common credential source.