Imprivata Privileged Access Management Product Update 2.3.202012062257

December 6, 2020

PAM Update: Introduced AWS CLI Proxy add-on to support zero trust connections for Amazon AWS command line tool

This update adds AWS CLI Proxy to support zero trust connections for Amazon AWS command-line tool, forward tunnel option for transparent perimeter deployments, host and port controls for SSH Proxy tunnel sessions, and password reset option for Unix hosts to use sudo-based shadow account requiring a password prompt.

Introduced AWS CLI Proxy add-on

The update introduces AWS CLI Proxy add-on to support zero trust connections for the Amazon AWS command-line tool. The option allows sharing privileged access to AWS infrastructure without sharing AWS keys. The function uses AWS Access Keys record type to create records to store AWS Access Key and Secret Key.

Users with Connect permissions to the record can execute AWS command-line utility directing it through PAM AWS CLI Proxy using PAM REST API token as a secret key and a Record ID-based access key.

The System AWS Proxy will forward the request to AWS servers using AWS keys from the record and return the result back to the client while generating audit logs, session reports and session events with the commands executed by the command-line utility.

The System ASW CLI Proxy respects role-based permissions to the record, configured access request workflows including time-, location- and approval-based access as well as API Token expiration and location validation.

The System AWS CLI Proxy operates on the protocol level allowing tools other than the native AWS CLI tool to take advantage of AWS CLI Proxy.

To enable the System AWS CLI Proxy, server owners should enable the System HTTP Proxy in Administration / Settings / Parameters section and restart the service.

Note that AWS CLI Proxy requires a special license to enable the option.

To redirect the AWS CLI tool to the System record, users should use the following properties. Note that the AWS CLI tool has multiple ways to specify these properties.

The description below references environment variables.

Follow the documentation for the AWS CLI tool about different methods to specify these parameters.

  • HTTPS_PROXY – PAM HTTP Proxy URL in the form https://xtam.company.com:8081
  • HTTP_PROXY – PAM HTTP Proxy URL in the form https://xtam.company.com:8081
  • AWS_CA_BUNDLE – Path to PAM HTTP Proxy certificate downloaded from Management / My Profile / Preferences / Certificate
  • AWS_ACCESS_KEY_ID – PAM user and asset definition in the form TOKEN-ID#RECORD where TOKEN-ID is REST API token ID generated using Administration / Tokens screen. RECORD is either PAM Record ID or record search criteria identifying a single record with AWS access keys
  • AWS_SECRET_ACCESS_KEY – REST API token generated using Administration / Token screen. TOKEN-ID in the AWS_ACCCESS_KEY specification references the ID of the same token

Added the option to control forwarding host and forwarding port when connecting to SSH tunnels built using SSH Proxy

The update adds security restrictions on the SSH Proxy tunnels forward hosts and ports to limit user options to connect to only allowed servers and ports in the destination networks.

The option allows defining strictly controlled tunnel options for specified point-to-point communications.

When the tunnel is designed to connect only to specified service on selected computers, the option restricts the option for a user to connect to other computers or to other services by building a different tunnel through the same privileged asset.

SSH Proxy produces an Operation Error audit log record for the attempt to build a tunnel for a restricted forward-host or port.

 

To enable the option to add the following fields to the record type of the tunnel record:

  • AllowedHosts (Type: String, Display name: Allowed Hosts) with value is a comma separated list of allowed host, mask/bits or ipFrom-ipTo range (example: 10.0.0.31,10.1.2.0/24,10.2.0.10-10.2.0.30)
  • AllowedPorts (Type: String, Display name: Allowed Ports) with value is a comma-separated list of allowed port or portFrom-portTo range (example: 1433,14000-14100)

Added forward tunnel option to Transparent Perimeter deployment

The update adds the option for the node to establish and to maintain a forward tunnel to the master node to limit all traffic from the remote node to the master node to SSH tunnel port 22 including HTTPS traffic from remote worker to the master node as well as reverse traffic from the master node to remote session managers.

The option further simplifies remote network requirements for the remote node configuration.

The configuration for the forward tunnels is performed using the following properties on the remote node in $XTAM/web/conf/catalina.properties file:

  • xtam.forward.tunnel[0].remoteHost=Master node host for SSH connection
  • xtam.forward.tunnel[0].remotePort=Master node port for SSH connection
  • xtam.forward.tunnel[0].remoteUser=Master node user for SSH connection
  • xtam.forward.tunnel[0].remotePassword=Master node user password or Private Key password for SSH connection
  • xtam.forward.tunnel[0].remoteKey=Optional path to master node Private Key for SSH connection as an alternative for remoteUser
  • xtam.forward.tunnel[0].forwardHost=Host in the master node network to forward tunnel to
  • xtam.forward.tunnel[0].forwardPortLocal=Forwarded port on the remote node to map as a master node port
  • xtam.forward.tunnel[0].forwardPortRemote=Master node port to forward traffic to (usually 443)
  • xtam.forward.tunnel[0].forwardBindingAddress=Binding address on the remote node to expose the port to other interfaces

Note that index in xtam.forward.tunnel configuration allows specifying multiple tunnels maintained by the remote node. Forward tunnel SSH connection could be established using user/password or user / private key (optionally with password).

Also, note that for proper HTTPS configuration the remote node DNS resolution of the master node name should be defined for the local host of the remote node.

Added the option to reset Unix password using sudo based shadow account prompting for the password

The update added the option to manage accounts on Unix Hosts using a shadow account that can reset passwords using the sudo function that prompts for the shadow account password.

To use this option use the script Password Reset Remote SSH using Shadow with Prompt.

The option extends the library of password reset strategies working in different configurations.