Password Management in AWS

Secret Server manages AWS key secrets through direct usage of the AWS IAM API. In order to do this, the permissions listed below are required.

Amazon IAM Keys

Password changing, privileged password changing, and running heartbeats are available for Amazon IAM key secrets. When an Amazon IAM key has its password changed through Secret Server, the new secret key is generated automatically and is not set by user input.

During password changing, you can disable or remove old keys through settings available in the advanced configuration:

  • <add key="ShouldDeletePreviousKey" value="true" />

  • <add key="ShouldInactivatePreviousKey" value="true" />

Altering advanced settings can significantly impact the performance and behavior of Secret Server, so there is no direct link anywhere in Secret Server to the Advanced Settings page. If you need to change any advanced setting (as mentioned in this guide), please contact Delinea Technical Support.
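The rotation flow described above (AWS generates the new secret key; the previous key is then optionally inactivated or deleted), written out as an added example. This is not Secret Server's code; it assumes a client object with the four boto3 IAM call names used below (`list_access_keys`, `create_access_key`, `update_access_key`, `delete_access_key`), and ships with a constructed in-memory `FakeIam` so it runs offline. A real boto3 IAM client can be passed in unchanged.

```python
"""Access-key rotation for an IAM user with delete/inactivate options.

`client` is anything exposing list_access_keys, create_access_key,
update_access_key and delete_access_key with boto3's keyword arguments.
FakeIam is a constructed stand-in for illustration only (not AWS).
"""
from dataclasses import dataclass
from typing import Optional
import secrets
import string


@dataclass
class RotationResult:
    new_key_id: str
    new_secret: str
    previous_key_id: Optional[str]
    previous_action: str  # "deleted", "inactivated" or "kept"


def rotate_access_key(client, user_name: str, current_key_id: str,
                      delete_previous: bool = False,
                      inactivate_previous: bool = False) -> RotationResult:
    """Create a fresh key for user_name, then retire current_key_id.

    IAM allows at most two access keys per user, so a user that already has
    two keys would fail on CreateAccessKey. Check up front and fail cleanly
    rather than leaving the account half rotated.
    """
    keys = client.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(keys) >= 2:
        raise RuntimeError(f"{user_name} already has two access keys; "
                           "remove an unused one before rotating")
    if current_key_id not in {k["AccessKeyId"] for k in keys}:
        raise RuntimeError(f"{current_key_id} does not belong to {user_name}")

    # The secret is generated by AWS and returned exactly once; it is never
    # chosen by the caller.
    created = client.create_access_key(UserName=user_name)["AccessKey"]
    new_id, new_secret = created["AccessKeyId"], created["SecretAccessKey"]

    # Retire the old key only after the new one exists, so a failed create
    # never leaves the account without a working credential.
    if delete_previous:
        client.delete_access_key(UserName=user_name, AccessKeyId=current_key_id)
        action = "deleted"
    elif inactivate_previous:
        client.update_access_key(UserName=user_name, AccessKeyId=current_key_id,
                                 Status="Inactive")
        action = "inactivated"
    else:
        action = "kept"
    return RotationResult(new_id, new_secret, current_key_id, action)


class FakeIam:
    """Constructed in-memory stand-in for a boto3 IAM client (not AWS)."""

    def __init__(self):
        self.keys = {}  # user name -> {access key id: "Active" | "Inactive"}

    @staticmethod
    def _new_id():
        alphabet = string.ascii_uppercase + string.digits
        return "AKIA" + "".join(secrets.choice(alphabet) for _ in range(16))

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": k, "Status": s}
            for k, s in self.keys.get(UserName, {}).items()]}

    def create_access_key(self, UserName):
        user = self.keys.setdefault(UserName, {})
        if len(user) >= 2:
            raise RuntimeError("LimitExceeded")  # mirrors the IAM two-key cap
        key_id = self._new_id()
        user[key_id] = "Active"
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": key_id,
                              "SecretAccessKey": secrets.token_urlsafe(30),
                              "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[UserName][AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[UserName][AccessKeyId]


def demo(delete_previous=False, inactivate_previous=False):
    """Rotate a constructed user's key once and return (result, key table)."""
    iam = FakeIam()
    first = iam.create_access_key(UserName="svc-deploy")["AccessKey"]["AccessKeyId"]
    result = rotate_access_key(iam, "svc-deploy", first,
                               delete_previous, inactivate_previous)
    return result, iam.keys["svc-deploy"]


if __name__ == "__main__":
    for opts in ({"delete_previous": True}, {"inactivate_previous": True}, {}):
        res, table = demo(**opts)
        print(opts, res.previous_action, table)
```

The two flags correspond to the `ShouldDeletePreviousKey` and `ShouldInactivatePreviousKey` settings; with neither set the old key stays active, which is why the two-key limit check matters on the next rotation.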

Amazon IAM Console Password

Password changing and privileged password changing are available for Amazon IAM console password secrets. Due to AWS IAM's restrictions on programmatic integration, this secret type cannot use Secret Server heartbeat.

In addition, an Amazon IAM key secret must be associated with an Amazon IAM console password secret for password changing to occur. To associate the two:

  1. Create the Amazon IAM console password secret, and an Amazon IAM Key secret for an account that has the permissions to change the console user's password. This can be the console account's own access keys, if the user has permission.

  2. Navigate to the RPC tab of the Amazon IAM Console Password.

  3. Under Change Password Using Privileged Account select Edit and choose the IAM key secret created in the previous step. RPC should now be possible on the console password secret.

Permissions Required for Secret Key Changes

These permissions are at the most granular level. You can implement broader methods through wildcard resource restrictions, permission policies, or groups.

Privileged Permissions (those the AWS account needs to change another user's access keys):

  • iam:DeleteAccessKey on resource arn:aws:iam::<account>:user/<otherUserName>

  • iam:UpdateAccessKey on resource arn:aws:iam::<account>:user/<otherUserName>

  • iam:CreateAccessKey on resource arn:aws:iam::<account>:user/<otherUserName>

  • iam:ListAccessKeys on resource arn:aws:iam::<account>:user/<otherUserName>

Basic Permissions (those the AWS account needs to change its own access keys):

  • iam:DeleteAccessKey on resource arn:aws:iam::<account>:user/${aws:username}

  • iam:UpdateAccessKey on resource arn:aws:iam::<account>:user/${aws:username}

  • iam:CreateAccessKey on resource arn:aws:iam::<account>:user/${aws:username}

  • iam:ListAccessKeys on resource arn:aws:iam::<account>:user/${aws:username}

Permissions Required for Changing the Amazon IAM Console Password

These permissions are at the most granular level. You can implement broader methods through wildcard resource restrictions, permission policies, or groups.

The permissions are:

  • Privileged Permission: iam:UpdateLoginProfile on resource arn:aws:iam::<account>:user/<otherUserName>

  • Basic Permission: iam:ChangePassword on resource arn:aws:iam::<account>:user/${aws:username}
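The policy documents behind both permission lists above (access-key changes and console password changes, in their basic and privileged forms), as an added example that is not part of the Secret Server documentation. `build_policy` emits a standard IAM policy JSON scoped to a single user ARN, using the `${aws:username}` policy variable for the basic case and a named user for the privileged case; `is_allowed` is a deliberately minimal evaluator (Allow statements, `*` wildcards, variable substitution) used only to show what each policy does and does not permit. The helper names and the `123456789012` account id are constructed.

```python
"""Least-privilege IAM policies for Secret Server's two AWS secret types.

build_policy(...) produces the policy JSON; is_allowed(...) is a toy
evaluator for illustration. Real IAM evaluation also handles Deny,
conditions, NotAction, resource policies and SCPs; none of that is modelled.
"""
import fnmatch
import json
from typing import Optional

KEY_ACTIONS = ["iam:ListAccessKeys", "iam:CreateAccessKey",
               "iam:UpdateAccessKey", "iam:DeleteAccessKey"]


def build_policy(account: str, kind: str,
                 target_user: Optional[str] = None) -> dict:
    """kind is "keys" (access-key rotation) or "console" (console password).

    target_user=None yields the basic policy (the account acts on itself via
    ${aws:username}); a user name yields the privileged policy that lets one
    account act on that other user only.
    """
    if kind == "keys":
        actions = list(KEY_ACTIONS)
    elif kind == "console":
        # Another user's password is set with UpdateLoginProfile; a user
        # changes its own with ChangePassword.
        actions = ["iam:UpdateLoginProfile"] if target_user else ["iam:ChangePassword"]
    else:
        raise ValueError(f"unknown policy kind: {kind}")
    principal = target_user if target_user else "${aws:username}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SecretServerRotation",
            "Effect": "Allow",
            "Action": actions,
            "Resource": f"arn:aws:iam::{account}:user/{principal}",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, caller: str, action: str, resource: str) -> bool:
    """Return True if some Allow statement matches action and resource.

    ${aws:username} in Resource is replaced with the caller's user name, which
    is what makes the basic policy self-service only.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        resources = [r.replace("${aws:username}", caller)
                     for r in _as_list(stmt["Resource"])]
        if (any(fnmatch.fnmatchcase(action, a) for a in actions)
                and any(fnmatch.fnmatchcase(resource, r) for r in resources)):
            return True
    return False


def user_arn(account: str, name: str) -> str:
    return f"arn:aws:iam::{account}:user/{name}"


if __name__ == "__main__":
    acct = "123456789012"  # constructed account id
    print(json.dumps(build_policy(acct, "keys"), indent=2))
    print(json.dumps(build_policy(acct, "console", target_user="app-user"), indent=2))
    priv = build_policy(acct, "keys", target_user="app-user")
    print(is_allowed(priv, "rotator", "iam:CreateAccessKey", user_arn(acct, "app-user")))
    print(is_allowed(priv, "rotator", "iam:CreateAccessKey", user_arn(acct, "someone-else")))
```

Attaching the privileged "keys" policy to the account behind the Amazon IAM Key secret, and the privileged "console" policy to the account used for console password RPC, gives Secret Server exactly the four (or one) actions on exactly one user; broadening the Resource to a wildcard is the shortcut the text mentions and the evaluator makes the difference visible.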