Onboard an AWS account

This topic describes how to onboard an AWS account to DPA.

You can onboard an AWS account to DPA from the Platform management page.

To onboard an account to DPA:
  1. On the Platform management page, click Amazon AWS.

  2. On the AWS page, click Add an account.

  3. Follow the online instructions to configure DPA and your AWS environment.

Step 1: Account details

Provide the details described in the following table.

Account details



Account ID

The assigned account ID (available in the top right corner of the AWS console).

Account name (optional)

Give the account a name in DPA that provides some context.

Description (optional)

Provide additional useful information about the account. This description will appear in the Platforms page.

After you save the account details, the account ID is read only and can't be changed.

  • You can create a recurring access policy after you complete this part of adding accounts, but it won't work until you complete the configuration process.

  • It may be helpful to create a simple test policy so you can verify that your accounts are connected when you finish configuring them.

Step 2: Configuration

  1. Enable read-only access to your account metadata.

    To enable read-only access to your account metadata, download theCyberArk CloudFormation template from DPA and upload it to your AWS account. The template creates a stack in your cloud environment with the resources described in the following table.

    Stack resources




    A custom resource that notifies CyberArk that the template installation has started. This resource also notifies CyberArk if the template is removed.


    An IAM role with the read-only permissions required for DPA to read the necessary metadata (see below).


    A custom resource that notifies CyberArk that the template installation is finished.

    The CyberarkJitAccountProvisioningRole IAM role has the permissions described in the following table:

    IAM role permissions





    Retrieves information about EC2 instances



    Retrieves the list of regions enabled in the account


  2. Connector machine - install the DPA connector.

    Install the DPA connector on a host machine that sits within the network you're connecting to the service.

    For detailed instructions on how to install the DPA connector, see Install a connector.

  3. (Linux machines only) Target machine - for Linux configuration.

    1. The Add SSH host key validation slider is activated by default. This option enables DPA to save the fingerprint of the host key the first time a user signs in via an SSH client to a target instance. It is recommended to leave this activated, to add an extra layer of security when identifying the target.

      You can deactivate this option only after clicking Save below.

    2. Deploy an SSH CA public key on your target machines. If your platform resources don't have any certificate files already installed, you can copy and run the CyberArk script where its needed. If your platform resources already contain certificate files, you can download the SSH CA public key without the installation script and add it to the certificate files.

      The installation script automatically deploys a certificate file with the SSH CA public key on the machine where it is run. To deploy the CyberArk CA certificate manually, follow the instructions in Manage certificates on a Linux target machine.

  4. (Windows machines only) Configure a domain - for Windows configuration.

    1. Click Strong accounts.

    2. Configure a strong account (a user role with strong credentials, which can create ephemeral users on the target machines), as described in Add and manage strong accounts.