Automating Security for EC2 Instances on AWS

You can discover and automate privilege management based on policies.

Discover and maintain inventory for VMs

For cloud infrastructure and cloud identity owners, this feature helps you discover and maintain the inventory for all VMs running on AWS cloud service providers.

In Privileged Access Service:

  • You can see all the VMs running on various different Cloud Service Providers.
  • The inventory is updated if a new VM is created or an existing VM is deleted from the cloud service provider.

Use SSO for Cloud VMs

IT admins or Cloud Ops engineers can use their enterprise identity (For example their AD user credentials) and their favorite native client application to log into to the VMs running on the cloud infrastructure without using a shared local account.

With Privileged Access Service you can define which users:

  • Have remote access to specific VM machines
  • Can run privilege commands on specific VM machines.

An auditor can also discover who has remote access to VM machines running on the cloud.

Users can login to their authorized VMs using their on-premise enterprise identity, on Windows or Mac with their favorite native SSH client application such as Putty, SecureCRT, RoyalTS, mRemoten, or RDP client application.

Examples

You have the following:

  • EC2 instances deployed into AWS
  • 4 accounts with multiple regions
  • AWS accounts you do not manage

  • One VPC per region per account, 200 systems total:

    • Each of the 5 regions has 20 VPCs
    • Each VPC has 10 instances (5 Windows, 5 Linux)

You can set up all your EC2 instances with Delinea Client enrolled systems. This enables your admins to login using Use My Account, and enables you to remove Linux SSH key access.

Set up IAM Accounts

Creating an Administrative IAM Account

You need an IAM for each AWS account you plan on discovering. If you don't have one already, create an administrative IAM credential for your use, or ask someone to do this for you. We recommend your IAM name matches your company's e-mail address.

The use of root credentials is highly discouraged.

See Adding IAM User Accounts for more information.

Creating a Discovery IAM Account

You can use your administrative IAM when doing discovery, but a better practice is to create a separate discovery IAM that has just enough privileges for discovery. You need to create a new IAM policy for discovery, and add a new discovery IAM with the policy attached.

To create a new IAM policy and attach it to a new discovery IAM:

  1. Go to the IAM console in AWS.

  2. Click the Create Policy button and select the JSON tab.

  3. Replace the policy text with the following:

    "Copy"

    Copy 
    {
        "Version": "2012-10-17",    "Statement": [        {            "Effect": "Allow",            "Action": [                "iam:GetUser",                "iam:ListAccountAliases",                "iam:ListInstanceProfiles",                "iam:PassRole",                "ec2:AuthorizeSecurityGroupIngress",                "ec2:CreateSecurityGroup",                "ec2:CreateTags",                "ec2:Describe*",                "ec2:GetPasswordData",                "ec2:RunInstances",                "ssm:GetCommandInvocation",                "ssm:SendCommand",                "sqs:DeleteMessage",                "sqs:ReceiveMessage"            ],            "Resource": "*"        }    ]}

  4. Click Review Policy .

  5. Name the policy CompanyDiscoveryPolicy.

  6. Click Create Policy.

  7. Create an IAM user with your user's company email address. For example, discovery@company.com.

    Ensure you allow API access and save the access key and secret to your desktop.

  8. On the Permissions tab for your IAM, click Add Permissions .

  9. Click Attach existing policies directly.

  10. Filter the policies by your company name and check CompanyDiscoveryPolicy.

  11. Click Review and Add Permissions.

Configuring EC2 Discovery

Importing AWS Key Pairs

PAS needs the private key pairs for your instances for login. For each of your key-pairs, add them to Resources / SSH Keys.

Configuring PAS Roles

EC2 discovery profiles optionally reference a number of Privileged Access Service roles.

Create the following roles:

DelineaDelineaDelineaDelineaDelineaDelinea
Name Description
Delinea Client Auth Users Users in this role are permitted to login to systems enrolled via Delinea Client.
Delinea Client for LinuxAdministrators Users in this role are granted full sudo permissions on systems enrolled via Delinea Client.
Delinea Client for Windows Administrators Users in this role are granted full Administrators access on systems enrolled via Delinea Client.

EC2 discovery optionally enrolls the discovered EC2 instances. Additionally, it configures Use My Account for Linux instances and gives your Delinea Client for Linux Administrators roles full sudo permissions. Add members to this role to grant them access.

Configuring Sets

EC2 discovery can optionally add discovered systems and accounts to sets. For example, creating manual sets similar to the following:

  • Discovered systems
  • Discovered systems without credentials
  • Discovered local accounts

Creating Cloud Providers

For each target discovery account a cloud provider must be created. See "Create a discovery IAM account."

Create a Discovery Profile

To add a discovery profile:

  1. In the Admin Portal navigate to Discovery > Systems and Accounts > Profiles.

  2. Click Add Discovery Profile.

  3. Choose a discovery method. For example, AWS EC2 Instances.

  4. Enter the discovery profile Name and optional Description and click Next.

  5. Each discovery profile requires a minimum of one Discovery Scope. A scope identifies which instances you want discovered.

    Use the Delete button next to a scope if you need to delete an existing scope.

    To add a discovery scope:

    You will need a cloud provider to create a new scope. For more information see "Create cloud providers."

    1. Click Add to create a new scope.

    2. Select a cloud provider.

    3. Under Credential to use for selected cloud provider, choose a credential to use with the cloud provider and click Next.

    4. Select at least one data center. For AWS, this list displays the available AWS regions.

      You can select VPCs and/or subnets. To see VPCs and subnets, click the + icon next to a region and/or VPC.

      You can optionally set the following by using the selection options under their associated columns:

      • FQDN (Fully Qualified Domain name)
      • Proxy
      • System Type
      • System Name

    5. Click Next.

    6. Add at least 1 SSH key pair. Use the Upload button or the drag-and-drop window to upload a new key pair or click Choose to select an existing one.

    7. Click Done.

  6. Click Next.

  7. Enter the following information:

    • Enrollment Options
    • Additional Action

    Enrollment of Windows systems requires the systems to be managed with AWS Systems Manager.

  8. Click Next.

  9. (Optional) Click Add to add a new monitor setting and click Next.

  10. (Optional) Click Add to add a new scheduling setting and click Next.

  11. (Optional) Click Add to add a new permission setting and click Next.

  12. Click Done.

Configuring a Discovery Profile for EC2 State Monitoring

You may optionally configure your discovery profile to monitor EC2 state changes and automatically incrementally add or delete systems without having to wait for the next discovery "run".

To do this, you must first configure the following:

  • SQS queue used to receive the stage change events
  • CloudWatch rule to send state change events to the queue.

To configure an SQS queue:

  1. Go to the SQS AWS console.
  2. Click the Create Queue button.
  3. For Type of queue select standard.
  4. For Name, enter ec2_state_events or choose a custom name.
  5. Leave the remaining fields with the default settings.
  6. Once the queue is created, remember the queue URL which will look similar to https://sqs.us-west-1.amazonaws.com/215634055688/ec2-state-events. You will need this information for the CloudWatch rule.

To configure an Amazon Event Bridge Rule:

  1. Go to the Amazon Event Bridge Console.

  2. Create an Amazon Event Bridge rule called ec2-state-watcher

  3. Navigate to Events > Enter Rules

  4. Select the default Event bus and set the Name to ec2-state-watcher.

    You can leave the Description blank.

  5. Click Create Rule.

  6. In the Event Source section, click the Edit button to display the Event Pattern Preview page.

  7. Set the following information:

    1. Event pattern: enabled
    2. Pre-defined pattern by service: enabled
    3. Service Provider: AWS
    4. Service Name: EC2
    5. Event Type: EC2 instance state-change notification
    6. Specific states: running, terminated, stopped
    7. Any instance: enabled

  8. Insert the following text:

    Copy 
    {
      "source": [    "aws.ec2"  ],  "detail-type": [    "EC2 Instance State-change Notification"  ],  "detail": {    "state": [      "running",      "stopped",      "terminated"    ]  }}

  9. Select Event bus and set AWS default event bus to enabled

  10. Select Targets and set:

    1. Target to SQS queue.
    2. Queue to the name of your SQS queue

  11. In the dropdown, select SQS queue.

  12. For the select queue dropdown, choose the SQS queue you created.

Auto-Deployment from AWS Cloud using a Connector

In order to establish an SSH or RDP session to your discovered instances, you need one or more connectors that have connectivity to the instances. There are a number of network topologies you can use to meet this requirement. The most common methods are:

  • Deploy connector(s) into each VPC where you have instances.

    The connector needs to have outbound connectivity, but does not require inbound connectivity.

  • Deploy a connector on-premise and establish VPN(s) from the connector to reach your discovered instances.

Once you've established connectivity to the instances, you have the option to deploy a connector manually, but it's much simpler and more efficient to use the wizard to deploy a connector.

To deploy a connector:

  1. In the Admin Portal, click Resources > Cloud Providers.
  2. Right-click on a cloud provider Name to open the dropdown and choose Deploy Connector.
  3. Select an IAM User and Region. This will display the VPCs in the selected region for the IAM user account.
  4. Select a VPC and specify an AMI ID.
  5. Select a Subnet.
  6. Optionally select an IAM Role for the instance. For example, you can choose a role that will enable the AWS system manager.
  7. Enter a custom Instance Name.
  8. Choose a Security Group or create your own security group.
  9. Choose a KeyPair which will be used to launch the instance.
  10. Click Deploy Connector.

Once the setup is complete, the system will reach out to AWS and create the instance.

In AWS can will be able to see the pending status under Instances. It will take a few minutes to create, spin up, and deploy the instance. During this process, the system reaches out to AWS, downloads the installer, install the software and any required dependencies, reboots, etc.

As part of the connector registration, Delinea PAS sets up a Resource Connector Mapping. This is used to route traffic through a connector when establishing sessions to the discovered systems. The connector is then used to surface that VPC.

To see the connector mappings, navigate to Settings > Resources > Resource Connector Mappings.

In the table, you can see the connector(s) used for each VPC. If desired, you can modify the connectors used to reach the VPC.

When aconnector is deployed to a VPC, this information is set it up automatically.

A connector can be added if it's on premises, but the VPC mapping will need to be applied manually.