PAM on Cloud limitations

Vault limitations

  • The PAM on Cloud solution only applies to AWS and Microsoft Azure. To deploy the Vault on another cloud vendor, install the Vault manually as described in CyberArk Digital Vault installation.

  • Template deployments for DR Vault is supported for the first DR Vault installation using the built-in DR User.

  • GovCloud accounts in Azure are not supported.

  • Migrating an existing operating DR Vault from an existing Cloud Vendor key to a new key is not supported. See Troubleshoot Vault Registration for Hybrid and Cloud Deployments for more information.

  • High availability for the Vault is not supported.

  • A Distributed Vaults environment is not supported.

  • The following keys are supported:

    • Symmetric Server key that is AES-256

    • Asymmetric Recovery key that is RSA-2048

  • When deploying a Vault environment in hybrid mode, you can't use HSM to secure the server key of the Vault located on premise. For the Vaults located in the cloud, the KMS will serve as the means for securing the key.


To complete the hardening for CyberArk components, do the following:


The Components AMI does not come with the RemoteApp feature installed.

To install the RemoteApp feature at a later stage:

1. Add the machine to the domain.
2. Add the NT SERVICE\ALL SERVICES user to the Log on as a service GPO.
3. Re-Install RDS and Connection Broker.
4. Set up the RemoteApp feature with a custom session collection.
5. Publish PSMInitSession.exe.


Currently, AD bridge is not supported in PSM for SSH that is installed on AWS.


  • Due to AWS log replication between regions, PTA alerts are received up to 10 minutes after the original event.
  • Managed AWS Accounts must include the following file categories to be monitored by PTA:
    • AWSAccountID - Text field
    • Username - Text field
  • Excluding an AWS Account from PTA detections is not supported.
  • The AWS bind account configured for PTA must not have ticketing or a reason requirement on the policy, so that PTA can retrieve the account's secret access key.