Symantec Privileged Access Management

Tech Tip - AWS Device Status and How it Relates to Importing devices into PAM 

04-19-2017 09:40 PM

After AWS is configured in Config, 3rd Party and Enable Syncing is activated, the running instances contained in that account, for the specified Region, are imported as PAM Devices. Below you can see three AWS instances and their states: voged01-amazon/running, voged01-amazon2/terminated and voged01-amazon3/stopped.


Now you can see the results of the AWS Device Refresh that was done after the instances were put into this state. Only voged01-amazon was imported.


In the image we can see that voged01-amazon3 is now running.


After the next AWS Device Refresh we can see that voged01-amazon3 was imported.


The next image shows voged01-amazon3 stopped again.


Even though voged01-amazon3 is not running, it is not removed from PAM after the next Refresh. It will still be counted against the license.


Once an AWS Instance has been imported into PAM there are only two ways to get it out. You've already seen that Terminated devices are not imported to PAM, so you may terminate any devices you do not wish to import. If you have instances that you need to use outside of PAM, but don't want them in PAM, you may add a Tag with the Key field set to XsuiteIgnore, as has been done for voged01-amazon3. You do not need to supply a Value.


With the XsuiteIgnore Tag added, voged01-amazon3 was deleted on the next Refresh. It will be imported again if the Tag is removed.


In summary, PAM gives you control over what gets imported without having to terminate an instance when you want it out of PAM, and then re-create it if the need for it in PAM changes. You can manage the devices counting against the PAM license without managing the number of instances in AWS.
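The import rules walked through above (running instances are imported, stopped ones stay once imported, terminated or XsuiteIgnore-tagged ones are dropped) can be modelled to predict what a Refresh will do to your license count before you run it. This is an added example, not PAM's own code: it replays the article's four Refresh cycles over constructed data shaped like the output of boto3's describe_instances(); the instance ids and the XsuiteIgnore tag value are constructed.

```python
IGNORE_TAG_KEY = "XsuiteIgnore"  # tag key from the article; no value is required


def instance_name(inst):
    """Return the Name tag, falling back to the instance id."""
    for tag in inst.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag["Value"]
    return inst["InstanceId"]


def is_ignored(inst):
    """True when the instance carries the XsuiteIgnore tag (any value, even empty)."""
    return any(tag.get("Key") == IGNORE_TAG_KEY for tag in inst.get("Tags", []))


def refresh(pam_devices, reservations):
    """Apply one AWS Device Refresh to the set of imported device names.

    Rules modelled from the article (assumption: this is a model, not PAM's code):
      - running and not ignored -> imported (added if missing)
      - stopped                 -> not newly imported, but kept if already present
      - terminated or ignored   -> removed from PAM
    `reservations` mirrors the shape of boto3 describe_instances()["Reservations"].
    """
    devices = set(pam_devices)
    for res in reservations:
        for inst in res["Instances"]:
            name = instance_name(inst)
            state = inst["State"]["Name"]
            if state == "terminated" or is_ignored(inst):
                devices.discard(name)
            elif state == "running":
                devices.add(name)
            # any other state (stopped, pending, ...) leaves membership unchanged
    return devices


def snapshot(states, ignored=()):
    """Build constructed describe_instances-style data for the named instances."""
    instances = []
    for i, (name, state) in enumerate(states.items()):
        tags = [{"Key": "Name", "Value": name}]
        if name in ignored:
            tags.append({"Key": IGNORE_TAG_KEY, "Value": ""})  # constructed: value left empty
        instances.append({"InstanceId": f"i-{i:017x}", "State": {"Name": state}, "Tags": tags})
    return [{"Instances": instances}]
```

The device set returned by `refresh` is what counts against the PAM license after that cycle, so `len(refresh(...))` on a real describe_instances() response gives the expected post-Refresh count.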
