PAM on Cloud limitations
The PAM on Cloud solution only applies to AWS and Microsoft Azure. To deploy the Vault on another cloud vendor, install the Vault manually as described in CyberArk Digital Vault installation.
Template deployment of a DR Vault is supported for the first DR Vault installation, using the built-in DR User.
GovCloud accounts in Azure are not supported.
Migrating an existing operating DR Vault from an existing Cloud Vendor key to a new key is not supported. See Troubleshoot Vault Registration for Hybrid and Cloud Deployments for more information.
High availability for the Vault is not supported.
A Distributed Vaults environment is not supported.
The following keys are supported:
Symmetric Server key that is AES-256
Asymmetric Recovery key that is RSA-2048
When deploying a Vault environment in hybrid mode, you can't use an HSM to secure the server key of the Vault located on-premises. For Vaults located in the cloud, the cloud vendor's KMS secures the server key.
CPM and PVWA
To complete the hardening for CyberArk components, do the following:
1. Set a complex password for the cpmsrv user.
2. Open Microsoft Services, and modify the CPM and Scanner services to run with the cpmsrv user instead of the SYSTEM account. Provide the password that you set in the previous step.
3. Restart the CPM and Scanner services.
4. Set a complex password for the schedtasksrv user.
5. Open Microsoft Services, and modify the Task Scheduler service to run with the schedtasksrv user instead of the SYSTEM account. Provide the password that you set in the previous step.
6. Restart the Task Scheduler service.
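The six hardening steps above can be applied from an elevated PowerShell session instead of the Services console. The script below is an added example, not a CyberArk script: it resets each service account's password, changes the service logon identity away from LocalSystem, checks the WMI return code, and restarts the service. The Windows service names for the CPM and the Scanner are assumptions taken from a default CPM install; confirm them with Get-Service before running.

```powershell
#Requires -RunAsAdministrator
# Added example (not CyberArk's own script). Maps each Windows service to the
# local account it should run under. The CPM and Scanner service names are
# ASSUMPTIONS; verify with: Get-Service | Where-Object DisplayName -like '*CyberArk*'
$serviceAccounts = @{
    'CyberArk Password Manager'               = 'cpmsrv'        # CPM (assumed name)
    'CyberArk Central Policy Manager Scanner' = 'cpmsrv'        # Scanner (assumed name)
    'Schedule'                                = 'schedtasksrv'  # Windows Task Scheduler
}

function Set-ServiceLogonAccount {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][securestring]$Password
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found on this host" }

    # The WMI Change() method needs the plain-text password; decrypt it only for
    # the duration of the call and zero the buffer afterwards.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
            StartName     = ".\$UserName"   # local account, not a domain account
            StartPassword = $plain
        }
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    if ($result.ReturnValue -ne 0) {
        throw "Change() on '$ServiceName' failed with Win32_Service return code $($result.ReturnValue)"
    }
    Restart-Service -Name $ServiceName -Force
    Write-Host "$ServiceName now runs as .\$UserName"
}

# Steps 1 and 4: set a complex password on each local service account once,
# then steps 2/3 and 5/6: re-point and restart every service mapped to it.
foreach ($user in ($serviceAccounts.Values | Sort-Object -Unique)) {
    $pw = Read-Host -Prompt "New complex password for local user $user" -AsSecureString
    Set-LocalUser -Name $user -Password $pw
    foreach ($entry in $serviceAccounts.GetEnumerator() | Where-Object Value -eq $user) {
        Set-ServiceLogonAccount -ServiceName $entry.Key -UserName $user -Password $pw
    }
}
```

Run it once per Components machine. A non-zero return code from Change() most often means the account does not yet hold the Log on as a service right, which Windows grants automatically through the Services console but not through WMI; grant it by policy and rerun.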
The Components AMI does not come with the RemoteApp feature installed.
To install the RemoteApp feature at a later stage:
1. Add the machine to the domain.
2. Add the NT SERVICE\ALL SERVICES user to the Log on as a service GPO.
3. Re-install RDS and the Connection Broker.
4. Set up the RemoteApp feature with a custom session collection.
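The four RemoteApp steps above, expressed as PowerShell functions, as an added example that is not CyberArk's own procedure script. The domain name, collection name and the published application path are placeholders. Step 2 is a domain GPO change made in Group Policy Management and is not scripted here; instead the example verifies that the right has reached the machine before the RDS roles are reinstalled, because New-RDSessionDeployment is run by services that need it.

```powershell
#Requires -RunAsAdministrator
# Added example (not CyberArk's own script). Placeholder values are marked.
$domain = 'corp.example.com'                  # PLACEHOLDER: your AD domain
$fqdn   = "$env:COMPUTERNAME.$domain"         # this Components machine after the join

function Join-ComponentsMachineToDomain {
    # Step 1: domain join; the machine reboots, so run the remaining steps afterwards.
    param([string]$DomainName = $domain)
    $cred = Get-Credential -Message "Account allowed to join computers to $DomainName"
    Add-Computer -DomainName $DomainName -Credential $cred -Restart
}

function Test-AllServicesLogonRight {
    # Step 2 check: the applied policy must list S-1-5-80-0, the SID of
    # NT SERVICE\ALL SERVICES, under SeServiceLogonRight (Log on as a service).
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return ($null -ne $line -and $line.Line -match 'S-1-5-80-0')
}

function Install-RdsWithConnectionBroker {
    # Step 3: reinstall RDS with this machine as Session Host, Connection Broker
    # and Web Access (single-server deployment). RSAT-RDS-Tools provides the
    # RemoteDesktop module used below.
    param([string]$Server = $fqdn)
    if (-not (Test-AllServicesLogonRight)) {
        throw 'NT SERVICE\ALL SERVICES lacks Log on as a service; apply the GPO (gpupdate /force) first'
    }
    Install-WindowsFeature RSAT-RDS-Tools -IncludeAllSubFeature | Out-Null
    Import-Module RemoteDesktop
    New-RDSessionDeployment -ConnectionBroker $Server -WebAccessServer $Server -SessionHost $Server
}

function New-ComponentsRemoteAppCollection {
    # Step 4: a custom session collection plus one published RemoteApp.
    param(
        [string]$Server         = $fqdn,
        [string]$CollectionName = 'PSM-RemoteApps',                      # PLACEHOLDER
        [string]$AppDisplayName = 'Example Client',                      # PLACEHOLDER
        [string]$AppPath        = 'C:\Program Files\Example\client.exe'  # PLACEHOLDER
    )
    Import-Module RemoteDesktop
    New-RDSessionCollection -CollectionName $CollectionName -SessionHost $Server -ConnectionBroker $Server
    New-RDRemoteApp -CollectionName $CollectionName -DisplayName $AppDisplayName `
        -FilePath $AppPath -ConnectionBroker $Server
}

# Typical order on a fresh Components machine (run after the reboot from step 1):
#   Join-ComponentsMachineToDomain
#   Install-RdsWithConnectionBroker
#   New-ComponentsRemoteAppCollection
```

Keeping the user-right check in front of the RDS reinstall turns a confusing failure later (Connection Broker services that will not start) into a clear message at the point where the missing GPO is the cause.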
PSM for SSH
AD Bridge is currently not supported for PSM for SSH installed on AWS.
PTA
- Due to AWS log replication between regions, PTA alerts are received up to 10 minutes after the original event.
- Managed AWS accounts must include the following file categories to be monitored by PTA:
  - AWSAccountID - Text field
  - Username - Text field
- Excluding an AWS account from PTA detections is not supported.
- The AWS bind account configured for PTA must not have a ticketing or reason requirement on its policy, so that PTA can retrieve the account's secret access key.