AWS Command Line Utility Proxy

AWS CLI Proxy is an add-on that supports zero trust connections for the Amazon AWS command line tool. It allows sharing privileged access to AWS infrastructure without sharing AWS keys. The function uses the AWS Access Keys record type to create records that store an AWS Access Key and Secret Key. Users with Connect permissions to the record can run the AWS command line utility through XTAM AWS CLI Proxy, using an XTAM REST API token as the secret key and a Record ID-based access key. XTAM AWS Proxy forwards the request to AWS servers using the AWS keys from the record and returns the result to the client, while generating audit logs, a session report and session events with the commands executed by the command line utility. XTAM AWS CLI Proxy respects role-based permissions to the record and configured access request workflows, including time-, location- and approval-based access, as well as API token expiration and location validation.

XTAM AWS CLI Proxy operates at the protocol level, so tools other than the native AWS CLI tool can also take advantage of it.

  • To enable XTAM AWS CLI Proxy, server owners should enable XTAM HTTP Proxy in the Administration / Settings / Parameters section and restart the service. Note that AWS CLI Proxy requires a special license to enable the option.
  • To redirect the AWS CLI tool to an XTAM record, users should set the following properties.

Note that the AWS CLI tool has multiple ways to specify these properties. The description below uses environment variables. See the AWS CLI documentation for the other methods of specifying these parameters.

  • HTTPS_PROXY – XTAM HTTP Proxy URL in the form https://xtam.company.com:8081
  • HTTP_PROXY – XTAM HTTP Proxy URL in the form https://xtam.company.com:8081
  • AWS_CA_BUNDLE – Path to XTAM HTTP Proxy certificate downloaded from Management / My Profile / Preferences / Certificate
  • AWS_ACCESS_KEY_ID – XTAM user and asset definition in the form TOKEN-ID#RECORD, where TOKEN-ID is the REST API token ID generated using the Administration / Tokens screen and RECORD is either the XTAM Record ID or a record search criteria identifying a single record with AWS access keys
  • AWS_SECRET_ACCESS_KEY – REST API token generated using the Administration / Token screen. TOKEN-ID in the AWS_ACCESS_KEY_ID specification references the ID of the same token
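
The wrapper below is an added example, not part of the XTAM documentation: it sets the five variables above for a single command only, so the REST API token never stays exported in the interactive shell. The function names, the `XTAM_PROXY_URL` and `XTAM_CA_BUNDLE` variables, the token file and the default CA path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: run one command through XTAM AWS CLI Proxy.
# Placeholder defaults (assumptions); override them in the environment.
XTAM_PROXY_URL="${XTAM_PROXY_URL:-https://xtam.company.com:8081}"
XTAM_CA_BUNDLE="${XTAM_CA_BUNDLE:-$HOME/xtam-proxy-ca.pem}"

# Compose AWS_ACCESS_KEY_ID in the TOKEN-ID#RECORD form.
# Rejects empty parts and a '#' inside the token ID (assumed rule: it would
# make the TOKEN-ID / RECORD boundary ambiguous).
xtam_access_key_id() {
    token_id=$1; record=$2
    [ -n "$token_id" ] && [ -n "$record" ] || return 1
    case $token_id in *'#'*) return 1 ;; esac
    printf '%s#%s\n' "$token_id" "$record"
}

# Run a command with the proxy settings scoped to that one process.
# usage: xtam_run TOKEN-ID RECORD TOKEN_FILE aws s3 ls
xtam_run() {
    [ "$#" -ge 4 ] || { echo "usage: xtam_run TOKEN-ID RECORD TOKEN_FILE cmd..." >&2; return 2; }
    token_id=$1; record=$2; token_file=$3
    shift 3
    key_id=$(xtam_access_key_id "$token_id" "$record") || { echo "bad TOKEN-ID or RECORD" >&2; return 2; }
    case $XTAM_PROXY_URL in https://*) ;; *) echo "proxy URL must be https://" >&2; return 2 ;; esac
    [ -r "$XTAM_CA_BUNDLE" ] || { echo "CA bundle not readable: $XTAM_CA_BUNDLE" >&2; return 2; }
    [ -r "$token_file" ] || { echo "token file not readable: $token_file" >&2; return 2; }
    (
        # Subshell: nothing exported here reaches the calling shell.
        export HTTPS_PROXY="$XTAM_PROXY_URL" HTTP_PROXY="$XTAM_PROXY_URL"
        export AWS_CA_BUNDLE="$XTAM_CA_BUNDLE"
        export AWS_ACCESS_KEY_ID="$key_id"      # quoted: RECORD may contain spaces
        AWS_SECRET_ACCESS_KEY=$(cat "$token_file")
        export AWS_SECRET_ACCESS_KEY
        # Do not send a leftover session token from a direct AWS login.
        unset AWS_SESSION_TOKEN
        exec "$@"
    )
}
```

Keep the token file readable only by its owner; the proxy certificate check fails early here rather than as a TLS error from the AWS CLI.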