Symantec Privileged Access Management

  • 1.  HOW TO: Integrate with AWS Command Line Interface

    Posted Jan 11, 2021 09:21 AM
    Edited by Sebastiano Alighieri Jan 12, 2021 12:07 PM
    I'm working on a PAM implementation in which the client wishes to manage AWS CLI privileged access through PAM.

    Has this been done before?

    Is this documented anywhere?

    Can we leverage the AWS API Proxy to accomplish this - can we set up an AWS CLI profile to funnel commands through the API Proxy?

    Can the client leverage AWS SSO leveraging Active Directory Credentials and publish the AWS CLI as a Remote App?

    ------------------------------
    Services Architect
    HCL Technologies Ltd
    ------------------------------


  • 2.  RE: HOW TO: Integrate with AWS Command Line Interface

    Broadcom Employee
    Posted Jan 12, 2021 12:49 PM
    I have never done it, and just looked at the documentation and was surprised there is nothing there about actually using the API proxy.

    As I understand it, it should work with the CLI natively. There would be no need to use a Remote App or RDP... Pretty sure the user just logs into PAM, clicks the link to use the proxy, and runs their commands... it redirects the API calls to the proxy, which authenticates as necessary.

    Then I could be wrong, it's been a long time since I saw a demo of this feature.


  • 3.  RE: HOW TO: Integrate with AWS Command Line Interface

    Posted Jan 12, 2021 01:06 PM
    Thanks for the feedback.

    I'm curious to know if the API Proxy commands are the "same" as the AWS CLI commands - do you know?

    And yes - the documentation would be great to have.

    ------------------------------
    Services Architect
    HCL Technologies Ltd
    ------------------------------



  • 4.  RE: HOW TO: Integrate with AWS Command Line Interface

    Broadcom Employee
    Posted Jan 13, 2021 10:51 AM
    The API proxy is just that, a proxy... it doesn't have 'commands'. Essentially it acts like a web proxy for calls to the AWS APIs.

    Instead of the HTTPS API traffic going directly to AWS, it instead goes to the proxy. The proxy makes the call to AWS, allowing it to supply the credentials in the process. The proxy then returns the result of the API call back to the user.

    The part I don't see documented is whether or not the user needs to do anything different from the calling end to have it actually use the proxy. I don't think the API proxy will automatically intercept all AWS API calls, but I could be wrong?