AWS access keys

This topic describes the AWS access keys plugin.


Target devices

The CPM supports the management of AWS Access Keys which are used by applications to connect to AWS API.


The CPM supports account management for the following accounts:

  • Amazon Web Services (AWS) Access Keys


In AWS, the default region is global, which does not include China. To support AWS China, you need to make configuration changes. For more information, see Configure AWS China.


In the Platform Management page, make sure that the following target account platform is displayed:

  • Amazon Web Services – AWS – Access Keys

Connection Methods

This plugin supports the following connection methods to the remote machine:

  • Rest API


The following table lists the supported password management actions for this platform.






Connect to AWS



Allow users to change their own access key either globally or by group.









This plugin requires .NET Framework 4.8. If you are using an older version of the CPM, .NET Framework 4.8 must be installed on the CPM machine as well.

Import platform

AWS Access Keys is part of the CPM out-of-the-box version contents. If you are using the AWS Access Keys out-of-the-box version, you do not need to import the platform, and can proceed to Account Parameters.

If you need a later AWS Access Keys version, download it from the marketplace, and then import the platform. (The platform is not included in installation.)

Account Parameters





The username of the IAM user.

Acceptable value: username

AWS Account ID

The account ID on the AWS console.

This is a 12-digit number such as 123456789012 It is used to construct Amazon Resource Names (ARNs). When referring to resources such as an IAM user or a Glacier vault, the account ID distinguishes these resources from those in other AWS accounts.

Acceptable value: Account ID

AWS Access Key ID

The unique ID of the Amazon Web Services (AWS) access key that is used by APIs to access the AWS console.

Acceptable value: AWS key ID




AWS Account Alias Name

A friendly identifier of your AWS account ID that can be used for your sign-in page to contain your company name, instead of your AWS account ID.


The access key secret.


The AWS service endpoint code of the region that you want. For more information, see AWS service endpoints.

Acceptable value: One of the AWS service endpoint codes:

  • us-east-1

  • us-west-1

  • us-west-2

  • eu-west-1

  • eu-central-1

  • ap-northeast-1

  • ap-southeast-1

  • ap-southeast-2

  • sa-east-1

  • us-gov-west-1

Configure AWS China

To support AWS China, you must make changes to the configuration.


If you apply this configuration, multi-region capability will not be available. Only one region or mode can be supported at one time. When you change the region from global to one of the regions in China, only the Chinese region is supported.

  1. In the CPM bin folder, create a configuration file called, CANetPluginInvoker.exe.config.

  2. Copy the following content into the file:

    <?xml version="1.0" encoding="utf-8"?>
         <add key="AWSRegion" value="<specificRegionName>"/>
  3. In the value field, replace the<specificRegionName> placeholder with the relevant Chinese region. For example:

    • China (Beijing) - <cn-north-1>

    • China (Ningxia) - <cn-northwest-1>

    For a list of all the available regions, see

Access Keys that are used on the Credential Provider

When AWS access keys are managed by the CPM and the Credential Provider, it is recommended to implement the Dual Accounts solution. This solution uses two privileged accounts that have identical privileges to the system, database or application. One account is tagged as “active” while the other is “inactive”. The rotation of credentials is done on the “inactive” account, which leaves the “active” account untouched until the rotation process has finished. The application will continue to use the “active” account until credential rotation has finished, and will then will go on to use the newly changed account.

For more information, see Set up dual control for connecting to a target device.


Reduce excessive cloud IAM permissions

Implement CyberArk Cloud Entitlements Manager to detect excessive permissions and generate recommendations to remediate risky access on your cloud platform. Only risky permissions are removed, resulting in least privilege for all human and machine identities while maintaining valid access for Cloud and DevOps teams.

CEM also detects unmanaged credentials for cloud entities with administrative access, enabling organizations to on-board cloud admin and Shadow Admin to Privilege Cloud