Background This is the fifth and final article in the series titled "A Playbook to secure your Amazon AWS Infrastructure using Centrify and Active Directory" in the previous post we discussed how t...
In this article we'll discuss how to use Centrify Privilege Service to provide shared account password management, privilege session management plus recording and strong access controls. Here are the detailed goals:
To provide a redundant secure point of access for AWS-hosted systems
To provide password lifecycle services: request-approve-check-out-check-in-rotate-auto/rotate
To provide temporary access (sessions and password checkouts)
To provide application to application password management capabilities
To provide advanced jumpbox access to SSH and RDP systems in AWS
To be able to proctor SSH and RDP sessions in real time
To be able to review session transcription and provide session replay (DVR)
To provide advanced access controls like strong authentication, time-fencing, geo-fencing and more
To continue to leverage Active Directory or use other identity schemes(LDAP, Google Directory, Social Identity, Centrify Cloud Directory or even a SAML IdP as the identity source)
Minimize exposure by eliminating the need for elastic IPs (publicly facing)
Centrify Privilege Service Architecture
In summary, it is a SaaS-based Password Manager and Jump Box (in Gartner speak, provides SAPM, PSM and AAPM), however it uses the assets of identity service: Federation, Workflow, AD-Bridge, Multifactor Authentication and more. CPS has a connector-based architecture like this:
This means that there are several ways to use Privilege Service in IaaS scenarios. However, I will focus on this type of design:
The benefit oft his design is that it allows flexibility. Here are some highlights:
The single source of identity continues to be the on-premises Active Directory. AD Principals (like groups) can be used to control entitlements like who can access the management portal, check out passwords, modify resources, etc.
Allows for connected or disconnected AWS connectivity. Cloud Connectors in AWS act as jumpboxes, regardless of the EC2 scheme (domain-joined or not) the connectivity is centralized.
Allow access only from corporate network: Users must be on-premises to access AWS assets
Geo-fencing: access can be limited to only corporate locations.
Workflow: Resource and password check-outs can use an access request system (Centrify or ServiceNOW)
Temporary access control.
Time-to-Market: Password and session access can be deployed in minutes by launching an instance and deploying a cloud connector. The same goes for internal datacenters.
We'll discuss some planning and provide some implementation/verification videos:
Planning
Stakeholders: Infrastructure Lead, Directory Services Lead, Security lead, AWS SME, UNIX/Linux or Windows image lead, Database (SQL Server) SME etc.
Discussion topics:
What are the systems that need to be accessed? The answer to this question has implications for AWS security groups. For example, the security group where Cloud Connectors will be residing must be able to establish connections over port 22 (SSH) and 3389 (RDP).
What are the user populations that need access to AWS systems? This determines the identity stores. User populations can be full-time employees, contractors, vendors, etc. Depending on the existing strategy, maybe not all users have AD accounts, this is where identity flexibility of CPS becomes handy. Some examples: - Temporary contractors may be provisioned in the Centrify Cloud Directory instead of AD. - Perhaps ADFS has been implemented or partners need access, in that case CPS can be the service provider in a federation relationship.
What are the groups that should manage the system? what are their entitlements? The answer to this question has directory service and functional implications.
What are the security controls to be put in place? (strong auth, geo-fencing, time-based controls, workflow/approvals) The data classification of the systems determines the controls that should be in place. The most basic could be that all AWS access must be generated from the corporate IP range, and access to the portal requires strong authentication.
Password Management lifecycle questions: Should approvals be required for password checkouts? Should multiple password check-outs allowed? should passwords be rotated in a specific interval? Should password health be monitored? should password be allowed from mobile devices? Should passwords for temporary systems be managed? Should active directory account passwords be managed?
Password Storage Should the Centrify Secure Storage be used or is a physical or virtual HSM (Safenet SecureKey) available?
Will AAPM or self-registration be needed? The answer to this question has implications for AWS images or DevOps. Centrify provides a Linux package (CLI toolkit); this allows for automation and automatic system registration.
Monitoring and Reporting What events should be sent to log aggregation (SIEM) platforms? What reports should be generated and who are the consumers of these reports?
Attestation What is the process of validating that certain privileged users should have (or continue to have) access to certain resources?
Session Recording What is the data retention policy for audited sessions? How many concurrent sessions (SSH/RDP) can be expected? These topics are covered in depth in Chapter 2 of the DirectAudit Administrator's guide.
Implementation
In this example, I will use an AWS environment with Active Directory to:
Add a cloud connector for privilege service session management
Manually register some EC2 Linux and Windows systems for jumpbox accesss
Manually manage the password of a local Linux, Windows and Active Directory domain account.
Use two AD groups: AWS-CPS-Full Access and AWS-CPS-Read-only access. Members of the 2nd group must request access for password checkouts or proxied sessions.
Enforce Strong Authentication.
Using the CLI toolkit for CLI password checkouts and manual/automtatic resource and account registration.
Moderation note: Due to the blog's 20K character limitation, videos will be used.
Requirements for this Lab
An AWS instance with Active Directory (managed by you or hosted by Amazon)
Two AD groups: AWS-CPS-FullControl & AWS-CPS-Limited
A Domain Administrator to authorize the cloud connector
Outbound Internet connectivity via single-attached Elastic IP or Internet gateway (preferred)
From Centrify you'll need:
A Centrify Privilege Service evaluation or production tenant with sysadmin-like credentials.
The Installation bits for Centrify DirectAudit
A domain-joined system for: a) Centrify Cloud Connector (although not recommended, this can be the DC if running a simple lab). Cloud connectors require outbound HTTPS connectivity and to act as jumpboxes for Linux and Windows systems, they should have connectivity over TCP ports 22 and 3389 (or your custom ports if changed). b) DirectAudit components: this will be the not recommended all-in one scenario (Database/Collector/Agent).
Test Linux and Windows EC2 instances.
Optional: An Android/iOS mobile device for Touch/OTP MFA or a Yubikey 4 or NEO for OATH OTP
Requirements Verification
Installing a Cloud Connector
Installing DirectAudit
Configuring Roles for CPS Access
Configuring Workflow and Approvals
Using the CLI Tookit (AAPM)
Managing Active Directory Domain Account Passwords
Session Management, Proctoring, Capture and Replay
Different directory sources for different user populations
Smart Card Authentication
Bulk import of systems
CLI tookit baked into master AWS EC2 Linux instance.
Use of PowerShell to automatically register Windows accounts
Limited visibility of resources using the Privilege Portal login right.
End of Series - Conclusion
This ends the series on AWS and hopefully you've seen how the Centrify product lines: Server Suite, Privilege Service and Identity Service work together to secure your AWS environments while balancing operational efficiency and productivity.