Symantec Privileged Access Management

Expand all | Collapse all

About changing the password of Cloud Console Account

Jump to Best Answer
  • 1.  About changing the password of Cloud Console Account

    Posted 07-11-2019 12:20 AM

    Could you let me know.

    My customer want to change the passwords of a Cloud Console below using PAM.
    ・AWS
    ・Azure
    ・Office 365
    ・BOX

    After reading document, I guessed below.
    ・We can change the passwords of Azure and Office365 by using ADFS.
    ・We can NOT change the passwords of AWS and BOX.

    Are they all correct?
    If not correct, please let me know how I can change them?

    Thank you in advance.



  • 2.  RE: About changing the password of Cloud Console Account
    Best Answer

    Posted 07-12-2019 08:24 AM
    For AWS see: https://docops.ca.com/ca-privileged-access-manager/3-3/EN/implementing/protect-privileged-account-credentials/identify-target-applications-and-connectors/add-an-aws-access-credentials-target-connector

    For Box, you would need to develop a custom connector that uses the Box api's: https://docops.ca.com/ca-privileged-access-manager/3-3/EN/implementing/protect-privileged-account-credentials/develop-custom-connectors-for-remote-targets. Unfortunately, I couldn't find any documentation on the Box site about using the api's or SDK's to change the admin account password (or any passwords for that matter).  You may need to contact Box to see if changing passwords is even possible outside the webUI.



    Hope that helps.


  • 3.  RE: About changing the password of Cloud Console Account

    Posted 07-16-2019 01:11 AM
    Hi, Joseph

    Thank you for your advice.

    For Box I would like to suggest to my customer to use ADFS.
    For AWS.
    I saw that document before.
    And then I thought I could not change a password because I set only Secret Access Key,not a password when I make the AWS account.
    Is it not correct?

    Thank you and best regards,





  • 4.  RE: About changing the password of Cloud Console Account

    Posted 07-16-2019 10:22 AM
    Fumiko,

    I am pretty sure that it will manage access keys just fine.  In fact, I don't believe it supports passwords?  Per the documentation:

    For the AWS Access Credential Type setting, you have two options. Complete the other fields for the option you select:

    • Access key
    • EC2 Private key
    PAM manages keys for several target application types (such as SSH keys)... its not just a password manager.

    Joe


  • 5.  RE: About changing the password of Cloud Console Account

    Posted 07-18-2019 11:31 PM
    Dear Joe,

    Thank you for your immediate response and I am so sorry for my late reply.

    I agree with you.
    Many my customer tend to focus on "Password",
    so they offen ask me if PAM can change a password of AWS console account.
    I would like to tell your advice to them politely.

    Thanks and Best regards,


  • 6.  RE: About changing the password of Cloud Console Account

    Posted 07-19-2019 09:51 AM
    It is very easy to test this.  Login to the AWS Management console and create a new account on the IAM page.  Download the csv file for the Access Key ID and Secret Access Key.  Use them to create a new AWS Credentials account.  Make sure that you set "Update both", so that the account will be put in sync.  Without doing this you won't be able to rotate the password.  Add this account to the AWS Management Console SSO service on the xceedium.aws.amazon.com device.  You can also use this account on the 3rd Party page, instead of the account you might normally use.  Confirm that you can login to the AWS Management Console and that PAM is able to refresh AWS devices successfully.  You can now rotate the password, and should still be able to perform both tasks.  I just tested this and it worked for me.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 7.  RE: About changing the password of Cloud Console Account

    Posted 07-22-2019 05:13 AM
    Hello Edward

    Thank you for helpfull advice.
    I tried to set it, but it did not work well.
    When I set "Update both", the following message appeared.
    [PAM-CM-3391 = AWS Key Pair can be changed only by random generation.]
    What should I do about that?

    Best Regards,

    Fumiko


  • 8.  RE: About changing the password of Cloud Console Account

    Posted 07-22-2019 11:04 AM
    I created a defect for this some time ago.  I still see the problem on 3.3, so I am following up.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 9.  RE: About changing the password of Cloud Console Account

    Posted 08-27-2019 04:21 PM
    Hi Fumiko,

    After running into this myself, the issue turned out to be permissions attached to the AWS Access Key (error message should say failed to verify target password, but instead is returning PAM-CM-3391). Please review the below AWS Policy. Additional permissions may be needed for the first synchronization.

    https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_credentials_console.html

    Thanks,
    Josh