Attempt to log in to AWS Management Console fails

Article ID: 142480

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When an attempt is made to log in to the AWS Management Console, we get the following error message:

PAM-CMN-2280: Unable to calculate AWS URL for policy PowerUserAccess using user friendly account name AccountUser1 - error was PAM-CM-1301: The AWS client reports that communications with the AWS server failed; the error message is: Unable to execute HTTP request: Connection refused (Connection refused).

There is a firewall between PAM and AWS. What URLs does PAM access that we need to open up the firewall for? Do all connections go through PAM, or are there direct connections from the PAM client to AWS?

Cause

PAM does not connect to a fixed AWS URL. The signin URL depends on the account and region being used and is retrieved from AWS at the time the service is launched from the access page. This is done by accessing the following URLs from the PAM server:

sts.amazonaws.com

signin.aws.amazon.com

Whether or not the actual connection to the AWS management console goes through the PAM server depends on the "Route through CA PAM" flag setting in the "AWS Management Console SSO" TCP/UDP service in PAM. By default this flag is not checked, which means that the PAM client will connect directly to the AWS management console.

Environment

Affects all supported PAM releases as of January 2020.

Resolution

The PAM server needs to be able to connect to sts.amazonaws.com and signin.aws.amazon.com. Once the service is launched, the Web Portal running on the local desktop or laptop where the PAM client runs needs to be able to reach the servers listed in the access list of the "AWS Management Console SSO" service configured in PAM. For PAM 3.3 the list is as follows:

ocsp.verisign.com
images-na.ssl-images-amazon.com
*.cloudfront.net
*.amazon.com
*.amazonaws.com
*.amazonaws-us-gov.com
*.awsstatic.com
*.amazonwebservices.com

If the "AWS Management Console SSO" service is updated by setting the "Route through CA PAM" flag to force all communication to go through the PAM server, then this list of URLs needs to be accessible from the PAM server.
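As an added example (not code from this article or from CA PAM), the following Python works out which hosts must be reachable from the PAM server and which from the PAM client for a given "Route through CA PAM" setting, reports gaps in a firewall egress allowlist, and probes TCP reachability the way the PAM server would. Port 443 (HTTPS) and the wildcard rule semantics (a "*.amazon.com" entry covering any subdomain depth but not the apex) are assumptions.

```python
import socket

# Hosts the PAM server must reach to retrieve the AWS signin URL (from the article).
PAM_SERVER_HOSTS = ["sts.amazonaws.com", "signin.aws.amazon.com"]
# Access list of the "AWS Management Console SSO" service in PAM 3.3 (from the article).
CONSOLE_ACCESS_LIST = [
    "ocsp.verisign.com", "images-na.ssl-images-amazon.com", "*.cloudfront.net",
    "*.amazon.com", "*.amazonaws.com", "*.amazonaws-us-gov.com",
    "*.awsstatic.com", "*.amazonwebservices.com",
]

def required_egress(route_through_pam):
    """Map each traffic source to the hosts/patterns the firewall must allow.
    The signin-URL lookup always comes from the PAM server; the console session
    comes from the PAM server only when "Route through CA PAM" is set, else
    from the desktop running the PAM client."""
    needed = {"pam-server": list(PAM_SERVER_HOSTS)}
    source = "pam-server" if route_through_pam else "pam-client"
    needed.setdefault(source, []).extend(CONSOLE_ACCESS_LIST)
    return needed

def host_matches(host, pattern):
    """Assumed semantics: '*.amazon.com' covers any subdomain depth, not the apex."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def missing_from_allowlist(required, allowlist):
    """Required entries no allowlist rule covers. A required wildcard such as
    '*.amazonaws.com' is covered only by the same rule or a broader wildcard
    (e.g. '*.com'), never by a single-host rule."""
    missing = []
    for req in required:
        probe = req[2:] if req.startswith("*.") else req
        if not any(rule == req or host_matches(probe, rule) for rule in allowlist):
            missing.append(req)
    return missing

def tcp_reachable(host, port=443, timeout=5.0):
    """Probe the TCP path the PAM server uses; a refused or blocked connection is
    what PAM surfaces as PAM-CM-1301. Port 443 (HTTPS) is an assumption."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `missing_from_allowlist(hosts, rules)` for each source returned by `required_egress(...)` against your firewall's egress rules, then `tcp_reachable(h)` for each host in `PAM_SERVER_HOSTS` from the PAM server itself to confirm the path is open.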


Additional Information

The "Route through CA PAM" flag does NOT impact the PAM session recording feature. Sessions can be recorded whether or not the flag is set, because the PAM browser is used for Web Portal access in both cases.