AWS Command Line Utility Proxy

AWS CLI Proxy is an add-on that supports zero trust connections for the Amazon AWS command line tool.

The option allows users to share privileged access to AWS infrastructure without sharing AWS keys.

The function uses the AWS Access Keys record type to create records that store an AWS Access Key and its Secret Key.

Users with Connect permissions to the record can run the AWS command line utility and direct it through the PAM AWS CLI Proxy, using a PAM REST API token as the secret key and a Record ID-based access key.


PAM AWS Proxy forwards the request to the AWS servers using the AWS keys stored in the record and returns the result to the client, while generating audit logs, a session report and session events containing the commands executed by the command line utility.

PAM AWS CLI Proxy respects role-based permissions on the record and any configured access request workflows, including time-, location- and approval-based access, as well as API token expiration and location validation.

PAM AWS CLI Proxy operates at the protocol level, so tools other than the native AWS CLI tool can also take advantage of it.

Instructions

  1. Enable HTTP Proxy by going to Administration / Settings / Parameters under the Proxy section and setting the value from Disabled to Enabled.

  2. Note that AWS CLI Proxy requires a special license to enable the option.

  3. Restart the PamManagement service and wait for 2 minutes before proceeding to the next step.

  4. Go to Administration / Record Types and enable the AWS Access Keys record type.

  5. Go to Records / All Records or Favorites and add a new AWS Access Keys record.

  6. Set the required Name value and the optional Description and/or Reference Record values.

  7. The Access Key ID field should be the ID of the same Access Key used to run the AWS CLI tool, and the Secret Key field should be the raw AWS secret key that pairs with it. Both values can be found under Security credentials in AWS.

  8. Users with Connect permissions to the record can run the AWS command line utility and direct it through PAM AWS CLI Proxy.

  9. To redirect the AWS CLI tool to the PAM record, users should set the following properties.

Note that the AWS CLI tool has multiple ways to specify these properties. The description below uses environment variables; refer to the AWS CLI documentation for the other methods of specifying these parameters.

  • HTTPS_PROXY – PAM HTTP Proxy URL in the form pam.company.com:8081
  • AWS_CA_BUNDLE – Path to the PAM HTTP Proxy certificate downloaded from Management / My Profile / Preferences / Certificate
  • AWS_ACCESS_KEY_ID – PAM user and asset definition in the form TOKEN-ID#RECORD, where TOKEN-ID is the ID of a REST API token generated on the Administration / Tokens screen and RECORD is either a PAM Record ID or record search criteria identifying a single record with AWS access keys.
  • AWS_SECRET_ACCESS_KEY – REST API token generated on the Administration / Tokens screen. TOKEN-ID in the AWS_ACCESS_KEY_ID specification references the ID of the same token.
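The following wrapper is an added example, not part of the product documentation or the PAM product itself: it builds the TOKEN-ID#RECORD access key described above, checks the CA bundle before use, and scopes the proxy variables to a single AWS CLI invocation so the REST API token is not left exported in the shell. The function names and all sample values (proxy host, token ID, record ID, certificate path) are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: route one AWS CLI call through the PAM AWS CLI Proxy.

# Build the composite access key "TOKEN-ID#RECORD" the proxy expects.
# The token ID must not contain '#', since that character separates the two parts.
pam_access_key_id() {
  token_id="$1"; record="$2"
  case "$token_id" in
    ''|*"#"*) echo "token id must be non-empty and must not contain '#'" >&2; return 1 ;;
  esac
  [ -n "$record" ] || { echo "record id or search criteria must be non-empty" >&2; return 1; }
  printf '%s#%s\n' "$token_id" "$record"
}

# Confirm the downloaded PAM proxy certificate is readable and is a PEM certificate,
# so a wrong path fails early instead of surfacing as an opaque TLS error.
pam_check_ca_bundle() {
  [ -r "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

# Run the AWS CLI with the proxy settings scoped to this one command only.
# Usage: aws_via_pam PROXY CA_BUNDLE TOKEN_ID RECORD TOKEN aws-args...
aws_via_pam() {
  proxy="$1"; ca="$2"; token_id="$3"; record="$4"; token="$5"; shift 5
  key_id=$(pam_access_key_id "$token_id" "$record") || return 1
  pam_check_ca_bundle "$ca" || { echo "CA bundle '$ca' is missing or not PEM" >&2; return 1; }
  HTTPS_PROXY="$proxy" AWS_CA_BUNDLE="$ca" \
  AWS_ACCESS_KEY_ID="$key_id" AWS_SECRET_ACCESS_KEY="$token" \
  aws "$@"
}

# Example invocation with constructed placeholder values (replace with your own):
# aws_via_pam pam.company.com:8081 "$HOME/pam-proxy.crt" 12345 i-0abc123 'REST-API-TOKEN' sts get-caller-identity
```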