15.3 Enabling Password Checkout for Amazon Web Services

To enable the password checkout feature for Amazon Web Services (AWS), perform the following:

  1. In the Amazon Web Services cloud, create a user and assign permissions or policies to the user. For information about AWS user creation, see AWS Documentation.

  2. In the Privileged Account Manager Administration Console, do one of the following:

    You can add the AWS policy template to automatically create an account domain and a rule for the AWS. Then, you can customize the AWS account domain and rule as required. For more information about adding the policy template, see Adding a Policy Template.

    Or

    You can create an account domain and a rule manually for AWS. For information about creating an account domain for AWS, see Creating an Account Domain for AWS. For information about creating a rule, see Adding a Rule.

  3. After creating the appropriate account domain and rules for AWS, you can check out the password for the AWS services from the Myaccess page. For more information, see Section 23.0, Requesting and Accessing through User Console.

15.3.1 Creating an Account Domain for AWS

  1. Create a privileged account for the AWS service:

    1. On the home page of the console, click Enterprise Credential Vault.

    2. In the left pane, click Credential Vault.

    3. In the middle pane, click Add Account Domain.

      If you have imported a policy template for password checkout, a sample account domain gets created with the name https://ACCOUNT-ID.signin.aws.amazon.com/console_aws. You need to modify the sample account domain by clicking Modify in the details pane.

    4. In the right pane, specify the following information:

      Name: Specify the name of the application domain.

      The name of the domain should be the AWS user sign-in link followed by an underscore (_) and the application name.

      For example, if your AWS user sign-in URL is https://<ACCOUNT-ID>.signin.aws.amazon.com/console, you must specify the Account Name as https://<ACCOUNT-ID>.signin.aws.amazon.com/console_aws.

      Type: Select Application

      Sub-Type: This field is auto-populated with the application name that you have specified in Account Name. For example, if you have specified the Account Name as https://<ACCOUNT-ID>.signin.aws.amazon.com/console_aws, the Sub-Type is auto-populated as aws.

      Host: Specify the AWS user sign-in URL. Also provide the appropriate port number.

      Password Reset: Select the option to be used for password check-in. You can specify one of the following:

      • Script: Specify any Perl script to reset the account password for the application. For the AWS password reset script, see AWS Password Reset Script. The Perl script should return 0 when the reset is unsuccessful or 1 when the reset is successful. You can add more attributes to the script. To add a custom attribute to the script, use the custom fields that you define in Add Custom Fields.

      • Delegate to Identity Manager: You can delegate the password check-in process to Identity Manager. On selecting this option, the Identity Manager driver for Privileged Account Manager takes care of generating a random password and synchronizing it to Identity Manager. The Privileged Account Manager driver checks in the new password to Privileged Account Manager. Identity Manager takes care of synchronizing the password to the applications through the respective application driver. For more information, see the Driver Implementation guide on the PAM documentation page.

        NOTE: Before delegating password check-in to Identity Manager, ensure that the Privileged Account Manager driver and the application driver are functional.

      • Never: You can use this option if you do not want to reset the password.

      Password Policy: Select the appropriate password policy. By default Default Password Policy is selected. You can either modify the default password policy or create a new password policy. For more information about specifying password policy, see Specifying Password Policies.

      Create Command for subtype: Select this option to create the command for the application. For example, if the application is ABC_PQR, a command APP PQR is created for the application; you use this command in the application rule.

      If you have imported a policy template for application password checkout, the command is created automatically.

      Custom Fields: To add additional fields, use Add Custom Fields.

    5. Click Add to save the account domain details.

  2. Add the account domain credentials.

    To add the AWS account credentials, you must download the access key pair from the AWS cloud. Then add the AWS Access Key ID as the Privileged Account Manager account domain Username and the AWS Secret Key as the Privileged Account Manager account domain Password. For more information about the AWS access key pair, see the AWS IAM User Guide.

    For more information about adding the account credentials, see Adding Shared Account Credentials in the Account Domain.

    These credentials are provided to the user when they check out the password for the application. The available credentials are handed out to users one at a time; if all credentials are in use, a user who checks out the password later gets a message that all credentials are in use and can try to connect again after some time.
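Because the account domain stores the AWS Access Key ID as Username and the Secret Key as Password, a password reset for this domain is really an IAM access key rotation, and the Script option above expects the hook to report 1 for success and 0 for failure. The following is an added illustration of that rotation logic (it is not the product's AWS Password Reset Script, which this page only references): the IAM client is injected, a constructed in-memory stand-in that mirrors boto3's IAM call names and the two-keys-per-user limit is used so it runs offline, and the function name rotate_access_key and the user name pam-svc are assumptions.

```python
# Added example, not the product's own AWS Password Reset Script. A reset of
# the AWS account domain password means rotating the IAM access key; the
# status follows the page's script contract: 1 = successful, 0 = unsuccessful.
from dataclasses import dataclass, field
import secrets


@dataclass
class FakeIamClient:
    """Constructed offline stand-in for a boto3 IAM client; method names and
    response shapes mirror boto3's, including the two-keys-per-user cap."""
    keys: dict = field(default_factory=dict)  # AccessKeyId -> [UserName, Status]

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, (u, s) in self.keys.items() if u == UserName]}

    def create_access_key(self, UserName):
        if sum(u == UserName for u, _ in self.keys.values()) >= 2:
            raise RuntimeError("LimitExceeded: an IAM user may have at most two access keys")
        kid = "AKIA" + secrets.token_hex(8).upper()  # constructed sample key id
        self.keys[kid] = [UserName, "Active"]
        return {"AccessKey": {"AccessKeyId": kid, "SecretAccessKey": secrets.token_urlsafe(30)}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId][1] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def rotate_access_key(iam, user, vaulted_key_id):
    """Rotate the key the vault currently holds for `user`. Returns
    (status, new_key_id, new_secret) with status 1 on success, 0 on failure."""
    try:
        existing = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
        if vaulted_key_id not in [k["AccessKeyId"] for k in existing]:
            return 0, None, None  # vault and IAM disagree: do not guess which key to rotate
        others = [k for k in existing if k["AccessKeyId"] != vaulted_key_id]
        if any(k["Status"] == "Active" for k in others):
            return 0, None, None  # an active key the vault does not own: refuse to delete it
        for k in others:  # inactive leftover from the previous rotation: free the slot
            iam.delete_access_key(UserName=user, AccessKeyId=k["AccessKeyId"])
        new = iam.create_access_key(UserName=user)["AccessKey"]
        # Deactivate, not delete, the old key so a failed check-in can still be rolled back
        iam.update_access_key(UserName=user, AccessKeyId=vaulted_key_id, Status="Inactive")
        return 1, new["AccessKeyId"], new["SecretAccessKey"]
    except Exception:
        return 0, None, None
```

In a real hook the returned key ID and secret are what gets checked in as the new Username and Password, and the deactivated key is deleted on the next rotation.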