AWS Cloud Services Management
AWS provides AWS Security Token Service (AWS STS) as a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
PSM includes an out-of-the-box Amazon Web Services (AWS) Console connection component that integrates with AWS Security Token Service (STS) and enables an administrator to configure accounts with specific AWS roles or policies.
The AWS STS connection component enables an end user to log in to the AWS platform over a secured connection from an internet browser via a PSM-monitored session. The internet browser must be one of the browsers supported by CyberArk's Web-application infrastructure.
Once the user is connected to the AWS management console, they assume the specific AWS role and policy and can perform authorized operations on the AWS platform.
The PSM Connection Component for AWS Console with STS can be downloaded from the Marketplace.
Prerequisites
Make sure you have met the following requirements:
- .NET Framework 4.8
  If you are using an older version of PSM, .NET Framework 4.8 must be installed on the PSM machine as well.
- Google Chrome installed on the PSM machine.
- A PSM connection account for AWS Console or AWS GovCloud Console with STS. For details about creating the account, see Create the PSM connection component account below.
Configure the AppLocker rules to enable Google Chrome
- Remove the read-only permission from the PSMConfigureAppLocker.xml file.
- In the Hardening subfolder of the PSM installation folder, open the PSMConfigureAppLocker.xml configuration file and edit the AllowedApplications section:
  At the beginning of the Google Chrome processes section, remove the following line:
  <!-- If relevant, uncomment this part to allow Google Chrome webform based connection clients
  At the end of the Google Chrome processes section, remove the following line:
  End of Google Chrome process comment -->
  Specifically, make sure that the following lines are uncommented:
  <Application Name="PSM-WebAppDispatcher" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\CyberArk.PSM.WebAppDispatcher.exe" Method="Hash" />
  <Application Name="chromedriver" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\chromedriver.exe" Method="Hash" />
  <Application Name="PSM-ProgressBar" Type="Exe" SessionType="*" Path="C:\Program Files (x86)\CyberArk\PSM\Components\CyberArk.ProgressBar.exe" Method="Hash" />
  <Application Name="GoogleChrome" Type="Exe" Path="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" Method="Hash" />
  <Application Name="IExplore32" Type="Exe" Path="c:\Program Files (x86)\Internet Explorer\iexplore.exe" Method="Publisher" />
  <Application Name="IExplore64" Type="Exe" Path="c:\Program Files (x86)\Internet Explorer\iexplore.exe" Method="Publisher" />
  Verify that the path specified in the XML matches the browser installation path.
- Save the PSMConfigureAppLocker.xml configuration file and close it.
- Run PowerShell and start the script with the following commands (the .\ prefix is required to run a script from the current directory):
  cd "C:\Program Files (x86)\CyberArk\PSM\Hardening"
  .\PSMConfigureAppLocker.ps1
  For details, see Run AppLocker rules.
PVWA Connection Component settings
The AWS STS connection component uses the general parameters that are common to all connection components. For more information about the general parameters, see Connection Component Configuration.
Create the PSM connection component account
Configure a PSM connection component for AWS Console with STS
Step 1: Create a privileged account that contains the secret access key and access key ID
This account is used as the logon account for the AWS console.
This account holds the secret access key and access key ID that are used to generate the temporary credentials. The IAM user that owns these keys must have an AWS policy attached that grants permission to call the AssumeRole API action.
- In the PVWA Accounts page, click Add Account.
- Select Cloud Service as the system type.
- Select the Amazon Web Services (AWS) Access Keys platform.
- Select the Safe where the account will be stored.
- Define the account properties:
  - AWS Access Key ID: The access key ID.
  - AWS IAM Username: The name of the IAM user to which the access key belongs.
  - AWS Access Key Secret: The secret access key.
- Click Add.
Step 2: Create a privileged account that contains the AWS role definition or AWS policy
This account defines the user on the remote (AWS) side.
- In the PVWA Accounts View page, click Add Account.
- Select Cloud Service as the system type.
- Select the Amazon Web Services (AWS) platform.
- Select the Safe where the account will be stored.
- Define the account properties:
  - (Optional) Username: The account's user name.
    If you are using the AWS CPM plug-in to change or reconcile credentials, you must specify a user name.
  - Password: The account's password.
  - Address: The account's address. Enter aws.amazon.com.
  - (Optional) AWS ARN Role: The role's Amazon Resource Name (ARN) as defined in AWS. This is a globally unique identifier for the role that includes the AWS account ID and the role name:
    arn:aws:iam::<aws_account_id>:role/<AWS_Role_Name>
    Even though this parameter is optional, either the AWS ARN Role or the AWS Policy must be defined.
  - (Optional) AWS Policy: The AWS permissions policy. You can define a set of permissions for the user in JSON format (on a single line, without carriage returns). The user's permissions in the AWS console are derived from that policy, or are unified with the AWS role permissions if the AWSARNRole attribute is populated.
    For more information about generating the AWS policy, see the AWS website.
    Even though this parameter is optional, either the AWS ARN Role or the AWS Policy must be defined. If you define the AWS Policy parameter instead of the AWS ARN Role parameter for this connection component, you must modify the PreConnectParameters property of the component to reflect the change.
    To modify the PreConnectParameters property, in the PVWA, go to Administration > Configuration Options, and select Options. Under PIM Suite Configuration > Connection Components > PSM-AWSSTSWebApplication > Target Settings > Client Specific, locate the PreConnectParameters property, and replace AWSARNRole with AWSPolicy.
- Click Add.
Step 3: Link the logon account that you created in Step 1 with the account that contains the AWS role definition or AWS policy
- In the Accounts View page, select the account that contains the AWS role definition or AWS policy.
- In the account's details pane, click the Details tab.
- Under Linked Accounts > Logon Account, click the more information button, and click Link.
  A list of accounts appears. If the logon account that you want does not appear in this list, search for the account.
- Select the logon account from Step 1, and click OK.
Configure a PSM connection component for AWS GovCloud Console with STS
A PSM connection component for AWS GovCloud Console with STS can be configured manually after PSM installation.
Step 1: Create a new account property for the AWS GovCloud address
- Log on to the PrivateArk Client as an Administrator.
- From the File menu, select Server File Categories and click New.
  The Add File Category dialog box appears.
- In the Name edit box, enter AWSAddress.
- From the Type drop-down list, select LIST.
  The Valid values section of the dialog box becomes active.
- In the Value edit box, enter the address of the AWS GovCloud console to access through the PSM connection component, and then click Add.
- Click OK.
  The new File Category appears in the File Categories window. For more information about creating account properties, see Define custom account properties.
Step 2: Configure the target account platform in the PVWA
- Log on to the PVWA as an Administrator.
- Go to Administration > Platform Management.
- In the Targets tab, locate the Amazon Web Services – AWS platform, click the more information button, and then click Edit.
- Expand UI & Workflows > Properties > Optional.
- Create a new optional platform property called AWSAddress.
- Do one of the following:
  - Click Apply to save the new configuration and apply it immediately.
  - Click OK to save the new configuration and apply it after the period of time specified in the RefreshPeriod parameter.
Step 3: Create the account that will be used to access the AWS GovCloud console
- In the PVWA Accounts page, click Add Account.
- Select Cloud Service as the system type.
- Select the Amazon Web Services (AWS) platform.
- Select the Safe where the account will be stored.
- Define the account properties:
  - (Optional) Username: The account's user name.
    If you are using the AWS CPM plug-in to change or reconcile credentials, you must specify a user name.
  - Address: The account's address. Enter aws.amazon.com.
  - (Optional) AWS ARN Role: The role's Amazon Resource Name (ARN) as defined in AWS. This is a globally unique identifier for the role that includes the AWS account ID and the role name:
    arn:aws:iam::<aws_account_id>:role/<AWS_Role_Name>
    Even though this parameter is optional, either the AWS ARN Role or the AWS Policy must be defined.
  - (Optional) AWS Policy: The AWS permissions policy. You can define a set of permissions for the user in JSON format (on a single line, without carriage returns). The user's permissions in the AWS console are derived from that policy, or are unified with the AWS role permissions if the AWSARNRole attribute is populated.
    For more information about generating the AWS policy, see the AWS website.
    Even though this parameter is optional, either the AWS ARN Role or the AWS Policy must be defined. If you define the AWS Policy parameter instead of the AWS ARN Role parameter for this connection component, you must modify the PreConnectParameters property of the component to reflect the change.
    To modify the PreConnectParameters property, in the PVWA, go to Administration > Configuration Options, and select Options. Under PIM Suite Configuration > Connection Components > PSM-AWSSTSWebApplication > Target Settings > Client Specific, locate the PreConnectParameters property, and replace AWSARNRole with AWSPolicy.
  - AWS Address: The address of the AWS GovCloud console.
- Click Add.
Step 4: Modify the PreConnectParameters property of the PSM-AWSSTSWebApplication connection component
- Log on to the PVWA as an Administrator.
- Go to Administration > Configuration Options, and select Options. Under PIM Suite Configuration > Connection Components > PSM-AWSSTSWebApplication > Target Settings > Client Specific, locate the PreConnectParameters property, and append ,AWSAddress to the PreConnectParameters value.
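The following Python is an added example, not code from the PSM connection component or from CyberArk. It checks the account properties described in Step 2 of the AWS Console procedure and in Steps 3 and 4 of the GovCloud procedure before they are onboarded: it parses the role ARN against the pattern given above, normalizes the AWS Policy JSON to the single-line form the property requires, produces the least-privilege policy the Step 1 logon key needs (sts:AssumeRole on the target role only), and enforces the rule that at least one of AWS ARN Role or AWS Policy is defined, with AWSAddress added for GovCloud. Accepting the aws-us-gov partition in the ARN is an assumption beyond the page's pattern.

```python
import json
import re

# Role ARN pattern given on the page: arn:aws:iam::<aws_account_id>:role/<AWS_Role_Name>.
# Also admitting the aws-us-gov partition (GovCloud) is an addition beyond the page's pattern.
ROLE_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-us-gov):iam::(?P<account>\d{12}):role/(?P<name>[\w+=,.@/-]+)$")


def parse_role_arn(arn):
    """Return (partition, account_id, role_name), or raise ValueError for a malformed ARN."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a valid IAM role ARN: {arn!r}")
    return m.group("partition"), m.group("account"), m.group("name")


def normalize_policy(policy_text):
    """Validate the AWS Policy property and return it as single-line JSON (no carriage returns)."""
    doc = json.loads(policy_text)  # malformed JSON raises here
    if doc.get("Version") != "2012-10-17":
        raise ValueError("policy must declare Version 2012-10-17")
    statements = doc.get("Statement")
    statements = [statements] if isinstance(statements, dict) else statements
    if not statements:
        raise ValueError("policy has no Statement")
    for st in statements:
        if st.get("Effect") not in ("Allow", "Deny") or "Action" not in st:
            raise ValueError("each statement needs an Effect and an Action")
    return json.dumps(doc, separators=(",", ":"))


def logon_key_policy(role_arn):
    """Least-privilege policy for the Step 1 logon key: sts:AssumeRole on the target role only."""
    parse_role_arn(role_arn)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def validate_account_properties(role_arn=None, policy_text=None, govcloud_address=None):
    """Return the validated properties PreConnectParameters must name: AWSARNRole and/or AWSPolicy, plus AWSAddress for GovCloud."""
    if not role_arn and not policy_text:
        raise ValueError("either AWS ARN Role or AWS Policy must be defined")
    props = {}
    if role_arn:
        parse_role_arn(role_arn)
        props["AWSARNRole"] = role_arn
    if policy_text:
        props["AWSPolicy"] = normalize_policy(policy_text)
    if govcloud_address:
        props["AWSAddress"] = govcloud_address
    return props
```

Run validate_account_properties on the values you intend to enter in the PVWA; a ValueError points at the property that would otherwise fail at connection time.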