Vaulting a Cloud-Provider Root-User Account
In Delinea PAS, you can vault the password of a cloud provider root user account. Vaulting the root account lets you store the root credentials securely and manage access to them. Additionally, you can configure Delinea as the MFA device for the AWS account.
To vault or edit a cloud provider root user account
- In the Admin Portal, navigate to Resources > CloudProviders. Select an existing cloud provider.
You can also vault a cloud provider root user account when you are adding a new cloud provider. For information on adding a new cloud provider, see Managing a Cloud Provider Account.
- Click Root Account and click Vault Root User Account. Enter Root User Email Address and Password.
- Under Interactive Password Rotation, choose Yes for Enable interactive password rotation to allow on-demand rotation of your root account password from Delinea PAS.
- For Prompt to change root password every login and password checkin, choose Yes. If this is enabled, you will be prompted to interactively rotate the password each time you log in and check in. When you click Yes to rotate the password, you are taken back to the update password screen in the AWS console and the root account password is automatically rotated, concluding at the AWS account information page.
- Select Yes for Enable password rotation reminders to set a minimum number of days since last rotation to trigger a reminder. The reminder is a banner that displays in the cloud provider user interface.
- Finally, click the Root Account Virtual MFA Device button to configure Delinea as the MFA virtual device for the AWS root account.
Once you have vaulted a cloud provider root user account, you can right-click the account and perform the following actions:
Login:
If you have the Login permission set for the cloud provider, you can log into the cloud provider root account.
Checkout:
If you have the Checkout permission, you can check out the password for a stored account to use it for access to a system. When you check out a password, you choose whether to display or copy it to the clipboard for use.
Show Password is only active for 15 seconds. PAS will hide the password after 15 seconds as a security measure.
Update Password:
This allows you to update the root user's password.
Rotate Password:
This allows you to rotate the root user password. Unlike other account password rotations, the root user account rotation is done through the user interface. If your browser loses its connection after you have clicked Rotate Password, the password is not lost. You can retrieve it by doing the following:
- Right-click the account and select Checkout. You will receive an error message; click Close. PAS is now in an "uncertain password state."
- Go back, right-click the account and select Checkout again, then click Show Password. You will see a screen asking which password you want to check out: the proposed password or the last known password.
- Copy the password. Go back to the account, right-click and choose Update Password.
- The account is no longer in an uncertain state. Go back, right-click the account and Checkin.
Add to Set:
This allows you to add this root account to a set of accounts.
Set MFA Token:
This enables Delinea as the MFA device. When you choose this option:
- The Delinea as AWS Root Account MFA Virtual Device wizard opens.
- Click Security Credentials to go to the root cloud provider's account page. There, click Activate MFA, choose the MFA type, and click Continue.
- Set up the virtual MFA device by entering two consecutive MFA codes: copy the secret key from the cloud provider, paste it into the Delinea wizard, and click Next. Then copy the code generated by Delinea and paste it back into the cloud provider set-up page.
- AWS requires two consecutive MFA codes to be generated and pasted into its set-up page, so repeat this whole step once more so that two codes are entered, then click Assign MFA. A success screen confirms that Delinea is now the MFA virtual device for this account.
- Go back into Delinea and click Confirm.
Now the PAS vault holds the MFA secret and can issue MFA codes. To get one, right-click the account and click Get MFA Code; the account generates MFA codes you can use to log in manually.
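The following Python is an added illustration, not Delinea's code, of what a virtual MFA device does with the secret key: it generates RFC 6238 TOTP codes and shows the "two consecutive codes" the set-up page asks for. It assumes AWS's standard virtual-MFA parameters (30-second steps, 6 digits, HMAC-SHA1) and uses the RFC 6238 test secret as a constructed example; the skew window in verify_enrollment is an assumption, not AWS's documented behaviour.

```python
import base64
import hashlib
import hmac
import struct
import time

PERIOD = 30  # AWS virtual MFA devices use 30-second TOTP time steps
DIGITS = 6   # and 6-digit codes (RFC 6238 with HMAC-SHA1)


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret key shown on the cloud provider's MFA set-up page."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP code for the given Unix time."""
    return hotp(decode_secret(secret_b32), unix_time // PERIOD)


def consecutive_codes(secret_b32: str, unix_time: int) -> tuple:
    """The two consecutive codes the set-up page asks for: this step and the next."""
    key = decode_secret(secret_b32)
    step = unix_time // PERIOD
    return hotp(key, step), hotp(key, step + 1)


def verify_enrollment(secret_b32: str, code1: str, code2: str,
                      unix_time: int, skew_steps: int = 1) -> bool:
    """Accept code1/code2 only if they match two consecutive steps near unix_time.
    Models the two-code check done at enrollment; the skew window is an assumption."""
    key = decode_secret(secret_b32)
    now = unix_time // PERIOD
    for step in range(now - skew_steps, now + skew_steps + 1):
        if (hmac.compare_digest(code1, hotp(key, step))
                and hmac.compare_digest(code2, hotp(key, step + 1))):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret, not a real account secret.
    print(consecutive_codes("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", int(time.time())))
```

In practice the second code only becomes available after the 30-second step rolls over, which is why the set-up page has you wait and paste a second code rather than the same one twice.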
Delete:
Use to delete the root user account.
Once vaulted, you can drill deeper into a root account by clicking the account. Here, you can view or set the following for the root account:
Managing permissions on your root user account:
Allows you to add permissions to your root user account. These permissions are specific to the AWS account. For more information on permissions, see Assigning Permissions.
Managing settings on your root user account:
Use to view account settings for the root user account.
Viewing password history on your root user account:
Use to view retired passwords for the root user account.
Managing policy on your root user account:
Allows you to add policy to the root user account. For more information on managing policy, see Creating Authentication Rules.
Enabling workflow on your root user account:
Use to enable workflow for the root user account. For more information on workflow, see Enabling Request and Approval Workflow.
Viewing activity on your root user account:
Use to view root user account activity. The following activity updates are specific to root user accounts:
- Update.
- Permission granted.
- Viewing the password.
- Checking out the password.
- Login.
- Password rotation.
Viewing policy summary for your root user account:
Use to view root user account policy summary.