Images

Azure and AWS both use images to launch instances. CyberArk provides the images needed to install PAM - Self-Hosted in a cloud environment. For details on the provided images, see:

Bring your own image (BYOI)

AWS users can also create their own Amazon Machine Images (AMI) for installing PAM - Self-Hosted.

Prerequisites

Following are the required prerequisites for running your AMI.

Controller node

The following software must be on the machine:

Software    Version
Packer      1.8.6 or higher
Ansible     6.7.0
Python      3.8.1 or higher
jq          1.6 or higher
pywinrm     0.4.3 or higher
AWS CLI     2.10.4 or higher

You must have network connectivity to the instances used for the image-creation process, on the following ports:

  • Windows machines - 5986 (WinRM)

  • Linux machines - 22 (SSH)

After you install the AWS CLI, configure it with your AWS access key so that it has permissions on the AWS account.

Images

Configure your controller node instance, where you create CyberArk images, according to the requirements in AWS System Requirements. Also, see PAM on Cloud limitations.

Supported OS:

  • Windows - Windows 2016 / 2019

  • Linux - Red Hat 8

The following components are installed on the remote host by the User Data script, depending on the OS:

  • Linux:

    • Python3

    • Boto3

    • AWS CLI

    • AWS CloudFormation Helper Scripts (aws-cfn-bootstrap)

  • Windows:

    • WINRM

    • Ansible Remoting

Create your AMIs

  1. Download the PAM Self-Hosted on AWS.zip file from the CyberArk Marketplace to the controller node.

  2. Unzip the file to access the scripts for creating AMIs.

  3. Go to aws > defaults > *component*.json to edit the following script properties for each component:

    Property                  Description
    ami_name                  The unique name of the AMI that appears when managing AMIs in the AWS console.
    ami_description           The AMI description.
    region                    The name of the region, such as us-east-1, where you launch the instance to create the AMI.
    ami_users                 A list of account IDs that can launch the AMI. By default, only the account ID creating the AMI has launch permissions.
    ami_regions               A list of regions where you can copy the AMI.
    instance_type             The instance type to use when building the AMI.
    source_ami_name_filter    Name filter for the source_ami field.
    source_ami_owners         Owner filter for the source_ami field. You can specify one or more AWS account IDs, self (the account whose credentials you are using to run Packer), or an AWS owner alias. This option is required for security reasons.
    block_device_size         The volume size.
    block_device_type         The volume type.
    block_device_auto_delete  
  4. Provide the AWS IAM policy with the necessary permissions for the AWS account. Following is a sample policy that you can use:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowEC2RequiredPerms",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceStatus",
                    "ec2:RunInstances",
                    "ec2:StopInstances",
                    "ec2:TerminateInstances",
                    "ec2:DescribeImages",
                    "ec2:CreateImage",
                    "ec2:CopyImage",
                    "ec2:ModifyImageAttribute",
                    "ec2:DeregisterImage",
                    "ec2:DescribeSnapshots",
                    "ec2:CreateSnapshot",
                    "ec2:ModifySnapshotAttribute",
                    "ec2:DeleteSnapshot",
                    "ec2:DescribeTags",
                    "ec2:CreateTags",
                    "ec2:DescribeRegions",
                    "ec2:DescribeSecurityGroups",
                    "ec2:CreateSecurityGroup",
                    "ec2:DeleteSecurityGroup",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:CreateKeyPair",
                    "ec2:DeleteKeyPair",
                    "ec2:DescribeVolumes",
                    "ec2:CreateVolume",
                    "ec2:DeleteVolume",
                    "ec2:GetPasswordData"
                ],
                "Resource": "*"
            },
            {
                "Sid": "AllowKMSRequiredPerms",
                "Effect": "Allow",
                "Action": [
                    "kms:ReEncryptTo",
                    "kms:ReEncryptFrom",
                    "kms:GenerateDataKey*",
                    "kms:CreateGrant",
                    "kms:DescribeKey"
                ],
                "Resource": "*"
            }
        ]
    }

  5. For each component you want to use, run the script on your machine to create that component's AMI. For example, to create the Vault AMI:

    $ python3 ./packer-build.py vault

    You can also run the script with the debug flag. In that case, if the image creation process fails, the created instance is not terminated and the encryption key is stored locally for troubleshooting. For example:

    $ python3 ./packer-build.py vault -debug
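Before running packer-build.py, it is worth checking that each component's defaults file pins the source AMI to trusted owners and only shares the result with valid account IDs. The following pre-flight check is an added example, not part of CyberArk's PAM Self-Hosted on AWS.zip; it assumes the property names listed in step 3 and uses a constructed sample file in place of a real one.

```python
# Added pre-flight check for a component defaults file (aws > defaults > <component>.json).
# Hypothetical helper, not part of the CyberArk package: it reads only the documented properties.
import json
import re

ACCOUNT_ID = re.compile(r"^\d{12}$")
# Owner aliases AWS accepts in an owners filter, plus Packer's "self" keyword.
OWNER_ALIASES = {"self", "amazon", "aws-marketplace", "microsoft"}


def check_component_defaults(defaults: dict) -> list:
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    for key in ("ami_name", "region", "instance_type", "source_ami_name_filter"):
        if not defaults.get(key):
            findings.append(f"{key}: missing or empty")
    owners = defaults.get("source_ami_owners") or []
    if not owners:
        # Without an owner filter the name filter alone may match a look-alike public AMI.
        findings.append("source_ami_owners: required; pin the source AMI to trusted owners")
    for owner in owners:
        if not (ACCOUNT_ID.match(str(owner)) or owner in OWNER_ALIASES):
            findings.append(f"source_ami_owners: unrecognised owner {owner!r}")
    for user in defaults.get("ami_users") or []:
        if not ACCOUNT_ID.match(str(user)):
            findings.append(f"ami_users: {user!r} is not a 12-digit AWS account ID")
    return findings


def check_file(path: str) -> list:
    """Load a defaults file from disk and check it."""
    with open(path, encoding="utf-8") as fh:
        return check_component_defaults(json.load(fh))


# Constructed sample, not a real component file: owners filter empty, one bad ami_users entry.
SAMPLE = {
    "ami_name": "example-vault-ami",
    "region": "us-east-1",
    "ami_users": ["123456789012", "not-an-account"],
    "ami_regions": ["us-east-1"],
    "instance_type": "m5.large",
    "source_ami_name_filter": "Windows_Server-2019-English-Full-Base-*",
    "source_ami_owners": [],
}

if __name__ == "__main__":
    for finding in check_component_defaults(SAMPLE):
        print(finding)
```

Run check_file() against each component's defaults file and fix every finding before building, so the build never falls back to an unpinned source AMI.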