Unable to create AWS ReadOnlyAccess Policy in PAM

Article ID: 127503

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

PAM does not allow policies that exist in AWS to be referenced by name. Instead, you must copy the JSON document from the AWS policy and create an AWS Policy in PAM that contains that JSON. At times this runs into a policy size limitation specified by AWS, and PAM itself may add overhead that requires the JSON to be somewhat smaller than the AWS-specified maximum. When the policy does not fit, users cannot access the AWS Management Console from PAM with the desired policy granted to them.
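Before pasting a copied policy document into PAM, it helps to know whether it will fit. The following is an added example (not part of this article or of PAM) that measures a policy document the way an administrator would want to: raw length, length with whitespace removed, and the headroom left against a limit after reserving a margin for PAM's overhead. The sample policy is constructed here and is deliberately small; the real ReadOnlyAccess document is far larger. The default limit of 6,144 characters is the AWS-documented size quota for managed policies at the time of writing and is an assumption to verify against current AWS documentation; the PAM margin is a placeholder value, since the article gives no figure.

```python
import json
import re

# Constructed sample policy document; NOT the real AWS ReadOnlyAccess policy.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"],
            "Resource": "*",
        }
    ],
}

# Assumption: AWS managed-policy size quota (characters, whitespace excluded).
# Verify against current AWS documentation before relying on it.
AWS_MANAGED_POLICY_LIMIT = 6144

# Placeholder for the extra overhead PAM adds; the article states no number.
PAM_OVERHEAD_MARGIN = 256


def minify(policy: dict) -> str:
    """Serialize a policy dict without any optional whitespace."""
    return json.dumps(policy, separators=(",", ":"))


def policy_size(policy_json: str) -> dict:
    """Return the raw length and the whitespace-excluded length of a policy document.

    AWS counts managed-policy size excluding whitespace, so the second figure is
    the one to compare against the AWS quota; the raw figure is what PAM stores.
    """
    no_ws = re.sub(r"\s+", "", policy_json)
    return {"raw": len(policy_json), "no_whitespace": len(no_ws)}


def check_policy(policy_json: str,
                 limit: int = AWS_MANAGED_POLICY_LIMIT,
                 margin: int = PAM_OVERHEAD_MARGIN) -> dict:
    """Report whether a policy document fits within `limit` once `margin` is reserved.

    Returns the measured sizes, the effective limit, the remaining headroom and a
    boolean `fits`. A negative headroom means the document is too large to be
    created as an AWS Policy in PAM and the IAM-user workaround is needed.
    """
    json.loads(policy_json)  # reject malformed JSON early
    sizes = policy_size(policy_json)
    effective_limit = limit - margin
    headroom = effective_limit - sizes["no_whitespace"]
    return {
        **sizes,
        "effective_limit": effective_limit,
        "headroom": headroom,
        "fits": headroom >= 0,
    }


if __name__ == "__main__":
    pretty = json.dumps(SAMPLE_POLICY, indent=2)
    report = check_policy(pretty)
    print(f"raw={report['raw']} no_whitespace={report['no_whitespace']} "
          f"effective_limit={report['effective_limit']} headroom={report['headroom']} "
          f"fits={report['fits']}")
    if not report["fits"]:
        print("Policy too large for PAM; attach the managed policy to an IAM user "
              "and onboard that user's access key instead.")
```

Run it against the JSON copied from the AWS console (load the file and pass the string to `check_policy`); a negative headroom tells you up front that the procedure below, rather than an inline AWS Policy in PAM, is the route to take.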

Environment

Release:
Component: CAPAMX

Resolution

To work around the problem described above, use the following procedure:
1. Create an IAM user in AWS with the ReadOnlyAccess policy assigned.
2. Use the Access Key ID and Secret Access Key of that user to create an Access Key target account in PAM.
3. Create a policy for a PAM user and the xceedium.aws.amazon.com device.
   a. On the Services tab, select the AWS Management Console SSO and apply the target account you just created.
   b. Select an AWS Policy that exists in PAM.
4. Log in to PAM as the new user and go to the Access page.
5. Click the Access link for the AWS Management Console and test that it does what you want.

The in-house test showed that the user was able to perform tasks that required read access but not those requiring write access. In short, the user could not make any changes.