Security automation for EC2 instances on AWS

You can discover and automate privilege management based on policies.

Discover and inventory cloud VMs

For cloud infrastructure and cloud identity owners, this feature helps you discover and maintain the inventory for all VMs running on cloud service providers such as AWS, Azure and GCP.

In Privileged Access Service:

  • You can see all the VMs running on different cloud service providers.
  • The inventory is updated if a new VM is created or an existing VM is deleted from the cloud service provider.

Single sign on for cloud VMs (No shared local account)

IT admins or Cloud Ops engineers can use their enterprise identity (for example, their AD user credentials) and their favorite native client application to log in to the VMs running on the cloud infrastructure.

With Privileged Access Service you can define which users:

  • Have remote access to specific VMs.
  • Can run privileged commands on specific VMs.

An auditor can also discover who has remote access to VMs running on the cloud.

Users can log in to their authorized VMs using their on-premises enterprise identity, on Windows or Mac, with their favorite native SSH client application (such as PuTTY, SecureCRT, RoyalTS, or mRemoteNG) or an RDP client application.

Examples

You have 200 EC2 instances running on AWS:

  1. Register a new Privileged Access Service tenant in the AWS marketplace.
  2. Log in to Privileged Access Service for the first time.
  3. The Quick Start Wizard will prompt for an IAM access key. The associated IAM permissions for the access keys will be shown.
  4. Provide the IAM access key and follow the steps outlined by the wizard.

    Note:   All 200 AWS EC2 instances are discovered and displayed under the Systems tab.

  5. Point to one of the EC2 instances and launch an SSH session directly from the console.
  6. Use the current login account identity to log into the selected EC2 instance.
  7. Now you can:
    1. Add additional user accounts
    2. Grant permissions to additional user accounts on a selected set of EC2 machines.

    Note:   Only user accounts with granted permissions can log into EC2 machines.

You have the following:

  • EC2 instances deployed into AWS
  • 4 accounts with multiple regions
  • AWS accounts you do not manage
  • One VPC per region per account, 200 systems total:
    • Each of the 5 regions has 20 VPCs
    • Each VPC has 10 instances (5 Windows, 5 Linux)

You can set up all your EC2 instances as cagent-enrolled systems. This enables your admins to log in using Use My Account, and enables you to remove Linux SSH key access.

Setting up IAM Accounts

Administrative IAM Account

You need an IAM user for each AWS account you plan on testing with. If you don't have one already, create an administrative IAM credential for your use, or ask someone to do this for you. We recommend that the IAM user name match your company e-mail address.

Note:   Don't use root credentials.

See Adding IAM user accounts for more information.

Discovery IAM Account

You can use your administrative IAM when doing discovery, but a better practice is to create a separate discovery IAM that has just enough privileges for discovery. You need to create a new IAM policy for discovery, and add a new discovery IAM with the policy attached.

To create a new IAM policy and attach it to a new discovery IAM:

  1. Go to the IAM console in AWS.
  2. Click the Create Policy button and select the JSON tab.
  3. Replace the policy text with the following:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:GetUser",
                    "iam:ListAccountAliases",
                    "iam:ListInstanceProfiles",
                    "iam:PassRole",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:CreateSecurityGroup",
                    "ec2:CreateTags",
                    "ec2:Describe*",
                    "ec2:GetPasswordData",
                    "ec2:RunInstances",
                    "ssm:GetCommandInvocation",
                    "ssm:SendCommand",
                    "sqs:DeleteMessage",
                    "sqs:ReceiveMessage"
                ],
                "Resource": "*"
            }
        ]
    }
  4. Click Review Policy.
  5. Name the policy CompanyDiscoveryPolicy.
  6. Click Create Policy.
  7. Create an IAM user with your user's company email address. For example, discovery@company.com.

    Note:   Ensure you allow API access and save the access key and secret to your desktop.

  8. On the Permissions tab for your IAM, click Add Permissions.
  9. Click Attach existing policies directly.
  10. Filter the policies by your company name and check CompanyDiscoveryPolicy.
  11. Click Review and Add Permissions.
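
A review aid for the policy in step 3, added here and not part of the vendor's documentation: it lists the allowed actions that change state and apply to every resource ("Resource": "*"), which are the entries to look at when deciding how far the discovery credential can be narrowed. The read-verb prefix list is an assumption, a heuristic rather than AWS's own access-level classification.

```python
import json

# Policy text from step 3 above, embedded so the check runs offline.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "iam:GetUser", "iam:ListAccountAliases", "iam:ListInstanceProfiles",
    "iam:PassRole", "ec2:AuthorizeSecurityGroupIngress",
    "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:Describe*",
    "ec2:GetPasswordData", "ec2:RunInstances", "ssm:GetCommandInvocation",
    "ssm:SendCommand", "sqs:DeleteMessage", "sqs:ReceiveMessage"]}]}
""")

# Assumption: a verb-prefix heuristic for "read" actions, not AWS's own
# access-level classification.
READ_PREFIXES = ("Describe", "Get", "List", "Receive")


def as_list(value):
    """IAM allows a single value or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True when the part after 'service:' starts with a read verb."""
    return action.split(":", 1)[-1].startswith(READ_PREFIXES)


def mutating_on_all_resources(policy):
    """Allowed actions that change state and are granted on Resource "*"."""
    found = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in as_list(stmt.get("Resource", [])):
            continue
        found.update(a for a in as_list(stmt.get("Action", []))
                     if not is_read_only(a))
    return sorted(found)


if __name__ == "__main__":
    for action in mutating_on_all_resources(POLICY):
        print("review:", action)
```

Run against the policy above, it reports seven actions, including iam:PassRole, ec2:RunInstances and ssm:SendCommand.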

EC2 Discovery

Importing AWS Key Pairs

PAS needs the private keys from your instances' key pairs in order to log in. Add each of your key pairs to Resources / SSH Keys.

Configuring PAS Roles

EC2 discovery profiles reference a number of roles.

Create the following roles:

  • Centrify Agent Auth Users: Users in this role are permitted to log in to systems enrolled via Centrify Agent.
  • Centrify Linux Agent Administrators: Users in this role are granted full sudo permissions on systems enrolled via Centrify Agent.
  • Centrify Windows Agent Administrators: Users in this role are granted full Administrators access on systems enrolled via Centrify Agent.

EC2 discovery optionally enrolls the discovered EC2 instances. Additionally, it configures UMA for Linux instances and gives your Centrify Linux Agent Administrators roles full sudo permissions.

To enable this, configure group visibility:

  1. Go to Settings / Enrollment / Group Visibility.
  2. Add your Centrify Linux Agent Administrators.

Configuring Sets

EC2 discovery can optionally add discovered systems and accounts to sets. For example, creating manual sets similar to the following:

  • Rich Discovered Systems
  • Rich Discovered Systems Without Credentials
  • Rich Discovered Local Accounts

EC2 State Monitoring

You may optionally configure your discovery profile to monitor EC2 state changes and incrementally add or delete systems automatically, without having to wait for the next discovery "run".

To do this, you must first configure the following:

  • An SQS queue used to hold the state change events.
  • A CloudWatch rule to send state change events to the queue.

To configure an SQS queue:

  1. Go to the SQS AWS console.
  2. Click the Create Queue button.
  3. For Type of queue select standard.
  4. For Name, enter ec2_state_events or choose a custom name.
  5. Leave the remaining fields with the default settings.
  6. Once the queue is created, note the queue URL, which will look similar to https://sqs.us-west-1.amazonaws.com/215634055688/ec2-state-events. You will need this information for the CloudWatch rule.

To configure a CloudWatch rule:

  1. Go to the CloudWatch AWS console.
  2. Under Events / Rules, click Create rule.
  3. In the Event Source section, click the Edit button for the Event Pattern Preview.
  4. Insert the following text:
    {
      "source": [
        "aws.ec2"
      ],
      "detail-type": [
        "EC2 Instance State-change Notification"
      ],
      "detail": {
        "state": [
          "running",
          "stopped",
          "terminated"
        ]
      }
    }
  5. In the Targets section, click the Add Target button.

  6. In the dropdown, select SQS queue.

  7. For the select queue dropdown, choose the SQS queue you created.
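
What the event pattern in step 4 lets through to the queue, as an added example that is not the vendor's code: a small matcher covering only the exact-value matching this pattern uses, run over constructed state-change events. The instance ID and the non-EC2 source name in the usage are constructed sample values.

```python
# Event pattern from step 4 of the CloudWatch rule above.
PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
    "detail": {"state": ["running", "stopped", "terminated"]},
}

# The six states an EC2 instance can report.
ALL_STATES = ["pending", "running", "stopping", "stopped",
              "shutting-down", "terminated"]


def matches(pattern, event):
    """Exact-value subset of event-pattern matching: a list means
    'any of these values', a nested dict means 'match inside that object'."""
    for key, want in pattern.items():
        if key not in event:
            return False
        have = event[key]
        if isinstance(want, dict):
            if not isinstance(have, dict) or not matches(want, have):
                return False
        elif have not in want:
            return False
    return True


def state_event(state, instance_id="i-0123456789abcdef0"):
    """Constructed sample event carrying the fields the pattern inspects."""
    return {
        "source": "aws.ec2",
        "detail-type": "EC2 Instance State-change Notification",
        "detail": {"instance-id": instance_id, "state": state},
    }


def queued_states():
    """States whose notifications the rule forwards to the SQS queue."""
    return [s for s in ALL_STATES if matches(PATTERN, state_event(s))]


if __name__ == "__main__":
    print("forwarded:", queued_states())
    print("dropped:  ", [s for s in ALL_STATES if s not in queued_states()])
```

Notifications for the transitional states (pending, stopping, shutting-down) never reach the queue, so the inventory changes only when an instance settles into running, stopped or terminated.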

Connector auto-deployment feature from the AWS Cloud Provider

You have the option to deploy a connector manually, but it's much simpler and more efficient to use the wizard to deploy a connector.

To deploy a connector:

  1. In the Admin Portal, click Resources > Cloud Providers.
  2. Right-click on a cloud provider Name to open the dropdown and choose Deploy Connector.
  3. Select an IAM User and Region. This will display the VPCs in the selected region for the IAM user account.
  4. Select a VPC and specify an AMI ID.
  5. Select a Subnet.
  6. Select an IAM Role if you want to use AWS Systems Manager.
  7. Enter a custom Instance Name.
  8. Choose a Security Group or create your own security group.
  9. Choose a KeyPair which will be used to launch the instance.
  10. Click Deploy Connector.

Once the setup is complete, the system will reach out to AWS and create the instance.

Note:   In AWS, you can see the pending status under Instances. It will take a few minutes to create, spin up, and deploy the instance. During this process, the system reaches out to AWS, downloads the installer, installs the software and any required dependencies, reboots, etc.

As part of the connector registration, the registration is modified to indicate deployment into an AWS EC2 VPC. This information is returned to PAS, enabling it to configure the necessary setup on the PAS side. The connector is then used to surface that VPC.

To see the connector mappings, navigate to Settings > Resources > System Connector Mappings.

In the table, you can see the connector(s) used for each subnet. If desired, you can modify the connector information or modify the VPC for the subnet.

Note:   When the connector is registered from the VPC, this information is set up automatically.

A connector can be added if it's on premises, but the subnet mapping will need to be applied manually.