Symantec Privileged Access Management

HOW TO: Integrate with AWS Command Line Interface

  • 1.  HOW TO: Integrate with AWS Command Line Interface

    Posted 15 days ago
    Edited by Sebastiano Alighieri 14 days ago
    I'm working on a PAM implementation in which the client wishes to manage AWS CLI privileged access through PAM.

    Has this been done before?

    Is this documented anywhere?

    Can we leverage the AWS API Proxy to accomplish this - can we set up an AWS CLI profile to funnel commands through the API Proxy?

    Can the client leverage AWS SSO leveraging Active Directory Credentials and publish the AWS CLI as a Remote App?

    ------------------------------
    Services Architect
    HCL Technologies Ltd
    ------------------------------


  • 2.  RE: HOW TO: Integrate with AWS Command Line Interface

    Broadcom Employee
    Posted 14 days ago
    I have never done it, and just looked at the documentation and was surprised there is nothing there about actually using the API proxy.

    As I understand it, it should work with the CLI natively. There would be no need to use a Remote App or RDP... Pretty sure the user just logs into PAM, clicks the link to use the proxy and runs their commands... it redirects the API calls to the proxy, which authenticates as necessary.

    Then I could be wrong, it's been a long time since I saw a demo of this feature.


  • 3.  RE: HOW TO: Integrate with AWS Command Line Interface

    Posted 14 days ago
    Thanks for the feedback.

    I'm curious to know if the API Proxy commands are the "same" as the AWS CLI commands - do you know?

    And yes - the documentation would be great to have.

    ------------------------------
    Services Architect
    HCL Technologies Ltd
    ------------------------------



  • 4.  RE: HOW TO: Integrate with AWS Command Line Interface

    Broadcom Employee
    Posted 13 days ago
    The API proxy is just that, a proxy... it doesn't have 'commands'. Essentially it acts like a web proxy for calls to the AWS APIs.

    Instead of the HTTPS API traffic going directly to AWS, it instead goes to the proxy. The proxy makes the call to AWS, allowing it to supply the credentials in the process. The proxy then returns the result of the API call back to the user.

    The part I don't see documented is whether or not the user needs to do anything different from the calling end to have it actually use the proxy. I don't think the API proxy will automatically intercept all AWS API calls, but I could be wrong?