AWS Search unavailable when accessed through CA PAM

Article ID: 207714

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

AWS search is unavailable when the AWS Management Console is accessed through CA PAM. After submitting a search string, instead of search results the console displays the message "Unified search service is unavailable. Try your search again later."

Cause

For some accounts the search redirects to URLs that are not covered by the default access list defined in the "AWS Management Console SSO" service in PAM. The PAM session logs record a message whenever a service attempts to access a URL that is not allowed. In this case the blocked URLs ended in aws.a2z.com, a domain that legitimately belongs to AWS.

Environment

Release : 3.3

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

Adding *.aws.a2z.com to the access list of the PAM service "AWS Management Console SSO" resolved the problem. Review the PAM session logs for any other URLs whose access is being denied, and confirm that a domain is actually operated by AWS before adding it to the access list.
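The following is an added illustration of the two steps above, not code from the article or from CA PAM: a small hostname allowlist matcher showing how a wildcard entry such as *.aws.a2z.com should be interpreted (as a domain-boundary suffix match, so that look-alike hosts such as evilaws.a2z.com are not accepted), and a routine that pulls the hosts of denied URLs out of session log text so they can be compared against the access list. The log line format, the ACCESS_LIST contents and the function names are assumptions made for the example; PAM's own matching rules and log format are not documented on this page.

```python
import re
from urllib.parse import urlsplit

# Constructed access list for the example (an assumption, not the PAM
# default list). Entries are either an exact hostname or "*." followed by
# a domain, which matches any subdomain of that domain only.
ACCESS_LIST = [
    "console.aws.amazon.com",
    "*.console.aws.amazon.com",
    "*.aws.a2z.com",  # the entry this article adds to fix unified search
]


def host_matches(host, pattern):
    """True if host is covered by one access-list pattern.

    A "*." pattern keeps the leading dot as part of the suffix, so the match
    only succeeds on a real label boundary: "search.aws.a2z.com" matches
    "*.aws.a2z.com", while "evilaws.a2z.com" and the bare "aws.a2z.com" do not.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".aws.a2z.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def url_allowed(url, access_list=ACCESS_LIST):
    """Decide on the parsed hostname only, never on a substring of the URL.

    urlsplit() strips userinfo, so "https://console.aws.amazon.com@evil.example/"
    is judged on "evil.example" and correctly denied.
    """
    host = urlsplit(url).hostname
    if not host:
        return False
    return any(host_matches(host, p) for p in access_list)


# Constructed sample session log (NOT the real PAM log format; assumed here
# purely so the extraction step has something to run on).
SAMPLE_LOG = """\
2021-02-10 14:02:11 INFO  service="AWS Management Console SSO" allowed url=https://console.aws.amazon.com/console/home
2021-02-10 14:02:15 WARN  service="AWS Management Console SSO" denied url=https://search.aws.a2z.com/unified-search?q=ec2
2021-02-10 14:02:16 WARN  service="AWS Management Console SSO" denied url=https://search.aws.a2z.com/unified-search?q=s3
"""

DENIED_RE = re.compile(r"\bdenied url=(\S+)")


def denied_hosts(log_text):
    """Distinct hostnames of URLs the log marks as denied, in order first seen."""
    seen = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue
        host = urlsplit(m.group(1)).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def still_denied(log_text, access_list):
    """Denied hosts from the log that a given access list would still block."""
    return [h for h in denied_hosts(log_text)
            if not any(host_matches(h, p) for p in access_list)]


if __name__ == "__main__":
    print("denied hosts in log:", denied_hosts(SAMPLE_LOG))
    print("still denied with default list:",
          still_denied(SAMPLE_LOG, ["console.aws.amazon.com"]))
    print("still denied after adding *.aws.a2z.com:",
          still_denied(SAMPLE_LOG, ACCESS_LIST))
```

The point of the boundary check in host_matches is that a naive "ends with aws.a2z.com" test would also accept attacker-registered names such as evilaws.a2z.com's analogue under a domain the attacker controls; a proxy-style SSO service that gates on a URL allowlist should match on the parsed hostname at a label boundary and nothing looser.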

As of February 2021 a defect is open with PAM Engineering to review the default access list and consider adding entries such as the one above. Because the URLs used by the console are controlled by AWS rather than PAM, there will always be a chance that the access list needs to be expanded for the service to work reliably.