03/21/2023 11:36 AM
Remote access server for PAM is set up in our environment.
We have 12 AWS tenants (AWS individual accounts) and we are planning to establish trust between EIC and these 12 AWS tenants individually.
Now, we need clarity on whether we need to configure the plugin for AWS console credential-less sessions or not? If yes, what information do we need to provide to the Saviynt CloudOps team?
Do we need to provide all 12 AWS tenants' account IDs to Saviynt?
03/22/2023 11:16 AM
03/23/2023 08:31 AM
@Dheeraj_Reddy @UVP You do not need to configure the plugin. Once you create the AWS Connections (one connection for each account) and import Accounts and Access to Saviynt, you will have to trigger the Bootstrap job on each of those to onboard the IAM Accounts for console access. Once the Bootstrap is complete, you will be able to select the "AWS Console" option while submitting a privilege request against the AWS Endpoint. Please check the below article and let us know for any additional questions.
03/23/2023 11:48 AM
Thanks @NageshK for the information.
We have a requirement to filter AWS accounts before importing them to Saviynt. As you know, the AWS connector doesn't have any filter available to import specific accounts.
03/24/2023 01:22 PM
@Dheeraj_Reddy While import brings in all the IAM Accounts, only the specific ones identified in your PAM_CONFIG will be enabled for PAM requests. Does that work for you?
03/24/2023 01:30 PM
03/24/2023 05:11 PM
@Dheeraj_Reddy follow up clarification
03/27/2023 07:58 AM
For question 2: Once we upload AWS privileged accounts manually, is it possible to change the password automatically using the AWS connector (which I believe can be done, but need confirmation) through the PAM process?
03/27/2023 08:04 AM
No. Because to change the password automatically through the PAM process, first the account needs to be PAM Enabled; to do so you may have to run the PAM bootstrap job, which will bring all the accounts from the target.
The only other way is to manually enable PAM on all AWS Privileged Accounts; then you may be able to achieve password rotation through the PAM process.
But I am still trying to understand the use case of not bringing in all accounts.
03/27/2023 08:31 AM - edited 03/27/2023 08:33 AM
As per your statement: "No. Because to change the password automatically through PAM process first account needs to be PAM Enabled, to do so may have to run PAM bootstrap job which will bring all the accounts from target."
My understanding is that whenever the PAM bootstrap job runs, it will get the accounts from the endpoint (not the target, i.e., AWS) and make the accounts specified in PAM config PAM enabled. Let me know if you have any reference link or document that says the PAM bootstrap job imports these accounts from the target, i.e., AWS.
Our use case: We have a requirement to import only IAM accounts that have admin privileges to the AWS console and enable them to perform PAM-specific activities through Saviynt on AWS. As you know, the Saviynt AWS connector doesn't support filtering the accounts, so we decided to take the manual approach (disconnected approach). Once we import these accounts manually, we will make them PAM enabled and perform password rotation through the PAM process.
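Since the AWS connector cannot filter on import, the admin-only list for the manual (disconnected) approach has to be built outside Saviynt. The following is an added example, not code from the thread or from Saviynt, showing one way to classify IAM users as admin-privileged from their policy documents; the inventory records are constructed, and in practice they would be populated from the IAM ListAttachedUserPolicies and GetUserPolicy APIs.

```python
"""Pick IAM users whose policies grant admin-level access (added example).

Heuristic only: it checks the AdministratorAccess managed policy and inline
Allow statements with wildcard Action and Resource. Group/role membership,
NotAction, permission boundaries and Conditions are out of scope here.
"""
ADMIN_MANAGED_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value):
    # IAM policy JSON allows a bare string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def statement_grants_full_access(stmt):
    """True when an Allow statement permits every action on every resource."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return any(a in ("*", "*:*") for a in actions) and "*" in resources


def is_admin_principal(attached_policy_arns, inline_policy_docs):
    """Admin if AdministratorAccess is attached or an inline statement is a full allow."""
    if ADMIN_MANAGED_POLICY in attached_policy_arns:
        return True
    return any(statement_grants_full_access(s)
               for doc in inline_policy_docs
               for s in _as_list(doc.get("Statement", [])))


def select_admin_accounts(users):
    """Return the sorted usernames that qualify for the manual PAM import."""
    return sorted(u["UserName"] for u in users
                  if is_admin_principal(u["AttachedPolicyArns"], u["InlinePolicies"]))


# Constructed sample inventory (hypothetical users, not real accounts).
SAMPLE_USERS = [
    {"UserName": "ops-admin", "AttachedPolicyArns": [ADMIN_MANAGED_POLICY], "InlinePolicies": []},
    {"UserName": "break-glass", "AttachedPolicyArns": [],
     "InlinePolicies": [{"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}]},
    {"UserName": "s3-reader", "InlinePolicies": [],
     "AttachedPolicyArns": ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]},
    {"UserName": "denied-all", "AttachedPolicyArns": [],
     "InlinePolicies": [{"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}]},
]

if __name__ == "__main__":
    print(select_admin_accounts(SAMPLE_USERS))  # ['break-glass', 'ops-admin']
```

The resulting list is only the selection step; the account properties still have to match what the AWS import job would populate before Bootstrap is run.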
03/27/2023 08:53 AM
@Dheeraj_Reddy Nope, that's not true. When you run bootstrap, it will connect to the target based on the connection you configured on the respective endpoint, and it pulls all the accounts based on the connection configuration. Then it tries to enable PAM only on the accounts you configured in PAM_Config.
03/28/2023 07:43 AM
@NageshK @sk Thanks for the information.
Please let us know whether the below disconnected approach will work or not.
Once we import these privileged accounts manually in Saviynt, we will manually make them PAM enabled and perform password rotation through the PAM process using the AWS connector.
Let us know your thoughts on this.
03/28/2023 12:07 PM
@UVP Yes, you can always import the accounts manually. However, make sure that you furnish all details exactly as the AWS Import process would bring them in. You can check this in a dev env and see which account properties are populated when the AWS Account import job is run. Once you have done that, you can trigger the Bootstrap job.
I suggest you upload 2 accounts manually and try it first.