AWS System Requirements

The following tables summarize the recommended AWS EC2 instance sizes and software specifications for the servers that are required when implementing CyberArk’s Privileged Access Manager - Self-Hosted solution. These specifications are based on the entry-level industry standard for small to mid-range servers. For other implementation sizes, customize the requirements according to customer needs.

Recommended AWS EC2 instance size specifications

The following table lists the recommended specifications for standalone Vault servers, standalone DR Vault servers, PVWA, and CPM instances.

Vault servers and standalone DR Vault servers

| Small (<1,000 managed passwords) | Medium (1,000-20,000 managed passwords) | Large (20,000-100,000 managed passwords) | Very large (more than 100,000 managed passwords) |
|---|---|---|---|
| m5.2xlarge | m5.4xlarge | m5.8xlarge, 250GB storage | m5.16xlarge, 500GB storage |

Software requirements: See System Requirements.

PVWA

| Small (<1,000 managed passwords) | Medium (1,000-20,000 managed passwords) | Large (20,000-100,000 managed passwords) | Very large (more than 100,000 managed passwords) |
|---|---|---|---|
| c5.xlarge, 2x 80GB storage | c5.2xlarge, 2x 80GB storage | c5.4xlarge, 2x 80GB storage | c5.9xlarge, 2x 80GB storage |

Software requirements: See System Requirements.

CPM

| Small (<1,000 managed passwords) | Medium (1,000-20,000 managed passwords) | Large (20,000-100,000 managed passwords) | Very large (more than 100,000 managed passwords) |
|---|---|---|---|
| c5.large, 2x 80GB storage | c5.xlarge, 2x 80GB storage | c5.2xlarge, 2x 80GB storage | c5.4xlarge, 2x 80GB storage |

Software requirements: See System Requirements.

For specific system requirements of the different CPM plug-ins, see CPM plugins.

PTA

| Small (<300 syslogs per second) | Medium (300-700 syslogs per second) | Large (700-4000 syslogs per second) |
|---|---|---|
| m5.xlarge, 250GB storage | c5.2xlarge, 500GB storage | m5.2xlarge, 500GB storage |

Software requirements: See System Requirements.

PSM

| Small (1-5 concurrent RDP/SSH sessions) | Mid-Range (6-30 concurrent RDP/SSH sessions) | Large (31-60 concurrent RDP/SSH sessions) |
|---|---|---|
| c5.2xlarge, 80GB storage | c5.4xlarge, 80GB storage | c5.9xlarge, 80GB storage |

Software requirements: See System Requirements.

  • Do not exceed 60 concurrent sessions per PSM server.
  • Concurrent session ranges are based on performance measurements of RDP and SSH connections.
  • Running resource-intensive applications such as Toad or vSphere Client on the PSM server will result in lower concurrency.
  • Ranges of concurrent sessions assume that PSM is running on a dedicated server.
  • Ranges of concurrent sessions are based on performance measurements taken while video recording users' activities in HD resolution (one screen). Note that video recording resolution is affected by the desktop resolution of the client machine from which the connection was made. This means that connecting from client machines with more than one HD screen, or with a higher resolution screen, will result in lower concurrency.

PSM for SSH

| Small implementation (<100 concurrent sessions) | Mid-range implementation (100-200 concurrent sessions) | Large implementation (>200 concurrent sessions) |
|---|---|---|
| c5.xlarge | c5.2xlarge | c5.4xlarge |

Software requirements: See System Requirements.

  • In large scale implementations, it is recommended to deploy the CPM, PVWA, and PSM on different instances.
  • For more information about other supported versions and requirements, see System Requirements by Product.

AWS EC2 cost estimations

The reference architecture illustrates the recommended architecture according to CyberArk best practices. Security and high availability are among the cornerstones of our best practices.

A minimum environment similar to the one illustrated in the reference architecture consists of the following:

  • 1 Vault
  • 1 DR Vault
  • 2 PVWA
  • 2 PSM
  • 2 PSM for SSH
  • 1 CPM
  • 1 PTA

To calculate the estimated cost, review the system requirements for the type of instances that are needed to support your project and AWS services that are being utilized, and follow the pricing according to the AWS pricing list, depending on the instance type and the region.

There are other services that you must take into consideration when calculating the cost, such as Data Transfer pricing and utilizing solutions, like the PTA solution, that use the AWS Lambda service for detecting suspected credential thefts and suspicious password changes.

Since CyberArk PAM - Self-Hosted is based on a Windows operating system, note that the cost varies depending on the licensing model: either an AWS license or a bring your own license (BYOL) model.

You can calculate the cost of the environment by using the AWS Calculator or reviewing the EC2 pricing.