Azure and AWS both use images to launch instances. CyberArk provides the images needed to install PAM - Self-Hosted in a cloud environment. For details on the provided images, see:
Bring your own image (BYOI)
AWS users can also create their own Amazon Machine Images (AMI) for installing PAM - Self-Hosted.
Following are the required prerequisites for running your AMI.
The following software must be on the machine:
| Software | Minimum version |
| --- | --- |
| Packer | 1.8.6 or higher |
| Python | 3.8.1 or higher |
| jq | 1.6 or higher |
| pywinrm | 0.4.3 or higher |
| AWS CLI | 2.10.4 or higher |
You must have network connectivity to the instances used for the image-creation process, on the following ports:
Windows machines - 5986 (WinRM)
Linux machines - 22 (SSH)
After you install the AWS CLI, configure it with your AWS access key so that it has permissions on the AWS account.
Windows - Windows 2016 / 2019
Linux - Red Hat 8
The following actions are executed as part of the User Data execution on the remote host, based on the OS:
AWS CloudFormation Helper Scripts (aws-cfn-bootstrap)
Create your AMIs
Download the PAM Self-Hosted on AWS.zip file from the CyberArk Marketplace to the controller node.
Unzip the file to access the scripts for creating AMIs.
Go to aws > defaults > *component*.json to edit the following script properties for each component:
| Property | Description |
| --- | --- |
| ami_name | The unique name of the AMI that appears when managing AMIs in the AWS console |
| ami_description | The AMI description |
| region | The name of the region, such as us-east-1, where you launch the instance to create the AMI |
| ami_users | A list of account IDs that can launch the AMI. By default, only the account ID creating the AMI has launch permissions |
| ami_regions | A list of regions where you can copy the AMI |
| instance_type | The instance type to use when building the AMI |
| source_ami_name_filter | Name filter for the source_ami field |
| source_ami_owners | Owner filter for the source_ami field. You can specify one or more AWS account IDs, self (the account whose credentials you are using to run Packer), or an AWS owner alias. This option is required for security reasons |
| block_device_size | The volume size |
| block_device_type | The volume type |
| block_device_auto_delete | |
Provide the AWS IAM policy with the necessary permissions for the AWS account. Following is a sample policy that you can use:
For each component you want to use, run the script on your machine to create that component's AMI. For example, to create the Vault AMI:
$ python3 ./packer-build.py vault
You can also run the script with the debug flag. If the image creation process fails, the created instance is not terminated and the encryption key is stored locally for troubleshooting purposes. For example:
$ python3 ./packer-build.py vault -debug
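Before running packer-build.py, it is worth checking the edited component .json against the properties described above, in particular that source_ami_owners is set and that ami_users only contains explicit account IDs. The following checker is an added example and is not part of the CyberArk scripts; the sample JSON and all of its values are constructed placeholders, and the accepted owner aliases are an assumption based on the aliases AWS publishes.

```python
"""Sanity-check a PAM Self-Hosted component .json before running packer-build.py."""
import json
import re

ACCOUNT_ID = re.compile(r"^\d{12}$")
# "self" is documented above; "amazon" and "aws-marketplace" are AWS owner aliases (assumed set)
OWNER_ALIASES = {"self", "amazon", "aws-marketplace"}

# Constructed sample of aws/defaults/vault.json: property names come from the
# table above, every value is a placeholder chosen for this example.
SAMPLE_VAULT_JSON = """{
  "ami_name": "pam-vault-example",
  "ami_description": "PAM Self-Hosted Vault (example)",
  "region": "us-east-1",
  "ami_users": ["111111111111"],
  "ami_regions": ["us-east-1", "us-west-2"],
  "instance_type": "m5.large",
  "source_ami_name_filter": "Windows_Server-2019-English-Full-Base-*",
  "source_ami_owners": ["amazon"],
  "block_device_size": 100,
  "block_device_type": "gp3"
}"""


def check_component(cfg: dict) -> list:
    """Return a list of problems found; an empty list means the file passes."""
    problems = []
    # source_ami_owners restricts which accounts the name filter may match;
    # left empty, any account's AMI with a matching name could be selected.
    owners = cfg.get("source_ami_owners") or []
    if not owners:
        problems.append("source_ami_owners is empty (required for security reasons)")
    for owner in owners:
        if owner not in OWNER_ALIASES and not ACCOUNT_ID.match(str(owner)):
            problems.append(f"source_ami_owners: unrecognised owner {owner!r}")
    # A missing or bare-wildcard name filter no longer selects a specific base image.
    name_filter = str(cfg.get("source_ami_name_filter", ""))
    if not name_filter.strip("*?"):
        problems.append("source_ami_name_filter is missing or a bare wildcard")
    # Launch permissions: only explicit 12-digit AWS account IDs belong here.
    for user in cfg.get("ami_users") or []:
        if not ACCOUNT_ID.match(str(user)):
            problems.append(f"ami_users: {user!r} is not a 12-digit AWS account ID")
    for key in ("ami_name", "region", "instance_type"):
        if not cfg.get(key):
            problems.append(f"{key} is missing")
    return problems


def check_component_json(text: str) -> list:
    """Parse a component .json file's text and run check_component on it."""
    return check_component(json.loads(text))
```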