You can add and configure the Amazon Web Services cloud provider in the Privileged Access Service system by performing the following steps.
To add a cloud provider
- In the Admin Portal, click Resources > Cloud Providers. Click Add Cloud Provider: add a Name and Account ID. Click Next.
- You can choose to vault your root user account or click Next . Note the Centrify Browser Extension is required to perform root account login and password rotation capabilities. Vault the root user password by entering the Root user email address and Password. After specifying the root account credentials, you can optionally select to enable interactive password management, which provides automated guidance for updating and managing the root account password. Under Interactive password rotation , set values for Enable interactive password rotation. By selecting Yes, you can further set the following:
- Prompt to change root password every login and password checkin: Displays a prompt with an option to interactively rotate the root account password after every root account login attempt or password checkin.
- Enable password rotation reminders: Displays a banner message with an option to interactively rotate the root account password after the specified minimum number of days since last rotation has expired. Enabling this also allows you to set the minimum number of days since last rotation to trigger a reminder.
Once you have made all the password rotation settings, click Next.
- Next, assign permissions to the root user account. Click Add to add a user, group, or role through the wizard. Click the checkboxes of permissions you wish to assign the user and lick Next.
- And finally, optionally configure MFA challenge rules for root account login and password checkout. Click Add Rule to configure challenge conditions and set authentication profiles. Click Add Filter to add a filter. For more information on authentication rules, see Creating authentication rules.
- Click Done.
Once you have added a cloud provider you can perform the following actions on an individual cloud provider: Add to Set, Delete, and if you vaulted your root account you can Login to that cloud provider. Additionally, you can:
- vault IAM users,
- manage root accounts,
- add IAM users,
- assign permissions,
- manage activity,
- assign policy,
- view policy summary, and
- add/modify sets of cloud providers.
To learn more about cloud provider capabilities select from the following topics:
Here, you add and vault IAM users. For more information on vaulting IAM users, see Vaulting IAM user Access Key Secrets.
For Centrify PAS root accounts, you can vault a password. The vault root user account allows you to store the root user password in the Centrify vault. You can then retrieve and check in that password whenever you like. For more information on root user accounts, see Vaulting a cloud provider root user account.
Allows you to add and retrieve access keys for your cloud provider account. Additionally, you can delete access keys for your account. For information on how to add an IAM user to your cloud provider account, see Adding and managing IAM users for a cloud provider account.
Allows you to add permissions to your cloud provider account. For more information on permissions, see Assigning permissions.
Allows you to view cloud provider activity including the account email address that was added along with the time it was added.
Allows you to add policy to your cloud provider account. For more information on policy, see Creating authentication rules.
For users and resources, the summary shows the summation of all policies applied and the name of the policy set applying the policy. By default, the summary for an individual resource is for the logged-in user viewing the summary as shown in the selected user field at the top of the screen.
You can add a cloud provider to a set. Additionally, there are two account sets for cloud providers:
- AWS IAM Accounts - this report lists the AWS IAM accounts that have been added to the cloud provider instance.
- AWS Root Accounts - this report lists the root accounts that have been vaulted with Centrify PAS.