
Do we need to configure a plugin for AWS console credential-less sessions?

Dheeraj_Reddy
New Contributor III

Hello Team

A remote access server for PAM is set up in our environment.

We have 12 AWS tenants (individual AWS accounts) and we are planning to establish trust between EIC and these 12 AWS tenants individually.

Now, we need clarity on whether we need to configure a plugin for AWS console credential-less sessions or not. If yes, what information do we need to provide to the Saviynt CloudOps team?

Do we need to provide all 12 AWS tenant account IDs to Saviynt?


UVP
New Contributor II

@NageshK: Do you have any idea on this? We would really appreciate your input on this.

Thanks,

Umesh


NageshK
Saviynt Employee

@Dheeraj_Reddy @UVP You do not need to configure a plugin. Once you create the AWS connections (one connection for each account) and import accounts and access into Saviynt, you will have to trigger the Bootstrap job on each of those to onboard the IAM accounts for console access. Once the Bootstrap is complete, you will be able to select the "AWS Console" option while submitting a privilege request against the AWS endpoint. Please check the article below and let us know if you have any additional questions.


https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v23x/page/Content/E-Onboard-Target-Endpoint/Co...

Thanks @NageshK for the information.

We have a requirement to filter AWS accounts before importing them into Saviynt. As you know, the AWS connector doesn't have any filter available to import specific accounts.

Question:

  1. Can I upload these accounts manually to Saviynt and still perform password rotation for these manually onboarded accounts in AWS using the AWS connector?


NageshK
Saviynt Employee

@Dheeraj_Reddy While the import brings in all the IAM accounts, only the specific ones identified in your PAM_CONFIG will be enabled for PAM requests. Does that work for you?

Thanks

Nagesh K

Question:

  1. As we have a requirement to filter AWS accounts before importing them into Saviynt, can we filter the accounts before importing?
  2. Can I upload these accounts manually to Saviynt and still perform password rotation for these manually onboarded accounts in AWS using the AWS connector?

@Dheeraj_Reddy follow up clarification

  1. When you say filter AWS accounts before importing to Saviynt, does that mean you don't even want to bring in the accounts, or that you don't want to enable certain accounts for PAM? If you don't even want to bring certain accounts into Saviynt, then it is NO.
  2. You can definitely upload accounts manually. But when you say password rotation manually, how are you going to initiate it? Is it using the Change Password feature, or are you talking about the rotation process through the PAM process?

Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Dheeraj_Reddy
New Contributor III

For question 2: Once we upload AWS privileged accounts manually, is it possible to change the password automatically using the AWS connector (which I believe can be done, but I need confirmation) through the PAM process?

No. Because to change the password automatically through the PAM process, the account first needs to be PAM enabled; to do so, you may have to run the PAM bootstrap job, which will bring all the accounts from the target.

The only other way is to manually enable PAM on all AWS privileged accounts; then you may be able to achieve password rotation through the PAM process.

But I am still trying to understand the use case for not bringing in all accounts.


Regards,
Saathvik

Dheeraj_Reddy
New Contributor III

As per your statement "No. Because to change the password automatically through PAM process first account needs to be PAM Enabled, to do so may have to run PAM bootstrap job which will bring all the accounts from target."

My understanding is that whenever the PAM bootstrap job runs, it will get the accounts from the endpoint (not the target, i.e., AWS) and make the accounts specified in the PAM config PAM enabled. Let me know if you have any reference link or document that says the PAM bootstrap job imports these accounts from the target, i.e., AWS.

Our use case: We have a requirement to import only the IAM accounts that have admin privileges in the AWS console and enable them to perform PAM-specific activities through Saviynt on AWS. As you know, the Saviynt AWS connector doesn't support filtering the accounts, so we decided to take the manual approach (disconnected approach). Once we import these accounts manually, we will make them PAM enabled and perform password rotation through the PAM process.

@NageshK 

@Dheeraj_Reddy Nope, that's not true. When you run bootstrap, it will connect to the target based on the connection you configured on the respective endpoint and pull all the accounts based on the connection configuration. Then it tries to enable PAM only on the accounts you configured in PAM_Config.


Regards,
Saathvik

UVP
New Contributor II

@NageshK @sk Thanks for the information.

Please let us know whether the disconnected approach below will work or not.

Once we import these privileged accounts manually into Saviynt, we will manually make them PAM enabled and perform password rotation through the PAM process using the AWS connector.

Let us know your thoughts on this.

Thanks,

NageshK
Saviynt Employee

@UVP Yes, you can always import the accounts manually. However, make sure that you furnish all details exactly as the AWS import process would bring them in. You can check this in a dev environment and see which account properties are populated when the AWS Account import job is run. Once you have done that, you can trigger the Bootstrap job.

I suggest you upload 2 accounts manually and try it first.

Thanks

Nagesh K