AWS Installation Package

The installation package includes the following:

  • CyberArk AMIs

  • CloudFormation templates

  • Two copies of the Master CD

  • Two copies of the Operator CD

  • License

  • CyberArk Replication backup

CyberArk AMIs

To quickly deploy CyberArk as an automatic process, we have created Amazon Machine Images (AMI) that contain CyberArk Privileged Access Manager - Self-Hosted software installed, but not configured.

You can also create your own AMIs. For details, see Bring your own image (BYOI) - AWS.

The deployment contains separate AMIs for each component (Vault, CPM, PVWA, PSM, PSM for SSH, PTA) and an all-in-one AMI, which is called CyberArk PAS Components AMI, for small deployments or for POC purposes, including PVWA, CPM, and PSM.

The Vault, CPM, PSM, PVWA, and CyberArk PAS Components AMIs are based on Windows Server 2016 or 2019, the PSM for SSH and PTA AMIs are based on Red Hat Linux.

To share the CyberArk AMIs with your AWS account, go to the Share Image on Cloud folder in CyberArk Marketplace and click Share image on Cloud.

You can share the images with the following AWS regions:

af-south-1 - Africa (Cape Town) eu-north-1 - Europe (Stockholm)
ap-east-1 - Asia Pacific (Hong Kong) eu-south-1 - Europe (Milan)
ap-northeast-1 - Asia Pacific (Tokyo) eu-south-2 - Europe (Spain)
ap-northeast-2 - Asia Pacific (Seoul) eu-west-1 - Europe (Ireland)
ap-northeast-3 - Asia Pacific (Osaka) eu-west-2 - Europe (London)
ap-south-1 - Asia Pacific (Mumbai) eu-west-3 - Europe (Paris)
ap-south-2 - Asia Pacific (Hyderabad) il-central-1 - Israel (Tel Aviv)
ap-southeast-1 - Asia Pacific (Singapore) me-central-1 - Middle East (UAE)
ap-southeast-2 - Asia Pacific (Sydney) me-south-1 - Middle East (Bahrain)
ap-southeast-3 - Asia Pacific (Jakarta) sa-east-1 - South America (Sao Paulo)
ap-southeast-4 - Asia Pacific (Melbourne) us-east-1 - US East (N. Virginia)
ca-central-1 - Canada (Central) us-east-2 - US East (Ohio)
eu-central-1 - Europe (Frankfurt) us-west-1 - US West (N. California)

eu-central-2 - Europe (Zurich)

us-west-2 - US West (Oregon)

Vault AMI

We provide a Vault AMI that supports the Windows Server 2016 or Windows Server 2019 platform. This AMI supports a standalone Vault and Disaster Recovery Vault based on your configuration.

The Vault AMI includes the following:

  • Installed and hardened Vault and Disaster Recovery Vault


    The Disaster Recovery Vault service is disabled.

  • Expired license

  • Default password for the Administrator/Master user

  • Internal utility that finalizes the Vaultand DR Vault settings and can be used by the AWS CloudFormation

Component AMIs

The Component AMIs contain the following CyberArk PAM - Self-Hosted components: PVWA, CPM, and PSM. These components are installed and disabled. This means the Windows services for the CPM and PSM are disabled and the PVWA web application is turned off, including the application pool.

The following tasks are performed during the installation process:

The components are not registered to the Vault.

  • Installation and hardening of the PVWA

  • Installation and hardening of the CPM

    After the AMI is installed, you must harden the CPM. For more information, see Harden the CPM server.

  • Installation and hardening of the PSM

  • Installation of the PrivateArk client on each component AMI

  • Installation of the Remote Desktop Session Host feature on the PSM server

After you have launched the component AMI, verify that you have an RDS CAL License so that you can connect to the PSM server with Microsoft Remote Desktop Services (RDS) Session Host. PSM can work with any RDS CAL License scheme (either per user or per device). For more information about purchasing an RDS CAL, contact your Microsoft representative.


The PSM for SSH AMI contains an installed and hardened PSM for SSH.


The PTA AMI contains an installed PTA application.

CloudFormation templates

The CloudFormation templates are available in the public GitHub,