Does the CA-PAM AMI pushed to a specific AWS account region come with default security groups? Is there an internal firewall or control over the communication PAM? Will all the proprietary ports always be opened at the PAM OS level, and should we have external security groups created for controlling the traffic?
PAM automatically controls any ports at the OS level, but you will need to create your own AWS security group(s) to route the traffic. PAM AMIs are deployed using the same wizard any other AMI is deployed with and you would select or create a security group during that process.
Here is the list of required ports; this should help you decide which ports need to be opened:
IP Address and Port Assignments for Network Connections - CA Privileged Access Manager - 2.8.3 - CA Technologies Documen…
CA Technologies - North America