This solution helps organizations monitor privileged users in a cloud environment and detect, alert on, and respond to high-risk privileged access.
It brings CyberArk Privileged Threat Analytics (PTA) capabilities to an Amazon Web Services (AWS) environment, so that cloud security teams can work more efficiently and detect and contain threats to privileged access in AWS.
This solution provides the following functionality:
Detect unmanaged Access Keys and Passwords for IAM accounts
- Detect the most privileged accounts in AWS
- Take Shadow Admins into consideration
- Add the privileged IAM user to Pending Accounts as part of automatic remediation
Detect compromised privileged IAM accounts
- Detect privileged cloud activities that bypassed the Vault, and alert on suspected credentials theft attempts
- Alert on and take control of the managed accounts by initiating password rotation or access key re-creation
Requirements:
- PAS version 10.8 and up (Vault, PVWA, CPM and PTA are required)
- The network environment must contain a NAT Gateway for the Lambda deployment to succeed. We advise using the CyberArk network template with a NAT Gateway
- Network access from the VPC where the Lambda is deployed to PTA (the Lambda delivers logs to the PTA IP and port over TCP)
- For the solution deployment, you need the following permissions:
  - Deploy CloudFormation stacks
  - S3 full permissions
  - SNS full permissions
  - Deploy Lambda functions
  - Create IAM roles
- Before running the solution, create a dedicated S3 bucket in the region where you will perform the deployment and upload the following files to it:
  - MySnsToPta.zip
  - PtaCloudTrailToSns.zip
CloudFormation stack parameters:

Parameter | Description
---|---
Bucket Name | Name of the S3 bucket that holds the solution Lambda packages (the two zip files above)
Solution Subnet | Subnet in which the solution Lambda will be deployed
Solution VPC | VPC in which the solution will be deployed
PTA IP | IP address of the PTA server
PTA Port | PTA port to which logs are delivered
If the PTA IP address changes after deployment, update it in both of the following places.

For Lambda:
- In the AWS console, go to the Lambda service.
- Locate the Lambda whose name contains "SNSToPTAFunction".
- Update the "PTAIP" environment variable to the new PTA IP address.

For Security Group:
- In the AWS console, go to the EC2 service.
- In the EC2 Dashboard, under "Network & Security", select "Security Groups".
- Locate the security group called "PTA-AWS-Solution-SG".
- Go to the "Outbound" tab and update the destination of the PTA TCP port rule to the new PTA IP address.
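As an added illustration of the data path the solution sets up (this is not the code shipped in MySnsToPta.zip, whose wire format this page does not document), the following Python shows a Lambda handler that unwraps CloudTrail records from an SNS notification, renders each as one syslog line, and delivers the lines over TCP to the PTA address read from the PTAIP environment variable. The PTAPORT variable name, the syslog field layout and the sample CloudTrail records are assumptions made for this example.

```python
"""Illustrative SNS -> Lambda -> PTA forwarder (added example, not the project's code).

Shows the plumbing the solution relies on: CloudTrail writes a batch of records,
SNS delivers it to the Lambda, and the Lambda pushes one log line per record to
PTA over TCP at the PTAIP / PTA port configured in the CloudFormation stack.
"""
import json
import os
import socket

# Constructed sample data: a CloudTrail batch as SNS would deliver it. SNS
# JSON-encodes the batch inside the "Message" field of its own envelope.
_CLOUDTRAIL_BATCH = {"Records": [
    {"eventVersion": "1.05", "eventTime": "2019-06-01T12:34:56Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "accountId": "123456789012", "accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"userName": "bob"}},
    {"eventVersion": "1.05", "eventTime": "2019-06-01T12:35:10Z",
     "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/session1",
                      "accountId": "123456789012", "accessKeyId": "ASIAEXAMPLEKEY000002"}},
]}
SAMPLE_SNS_EVENT = {"Records": [{"EventSource": "aws:sns",
                                 "Sns": {"Message": json.dumps(_CLOUDTRAIL_BATCH)}}]}


def cloudtrail_records(sns_event):
    """Unwrap the CloudTrail records nested inside each SNS notification."""
    for sns_record in sns_event.get("Records", []):
        body = json.loads(sns_record["Sns"]["Message"])
        yield from body.get("Records", [])


def _quote(value):
    """Escape a value for a key="value" pair so embedded quotes cannot split a field."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"')


def to_syslog_line(record, hostname="aws-cloudtrail"):
    """Render one CloudTrail record as a single RFC 5424-style syslog line.

    Hypothetical layout (the format PTA actually expects is not on the page). The
    fields kept are the ones the PTA use cases above need: who acted, with which
    access key, what they did, and from where. <134> is facility local0, severity info.
    """
    identity = record.get("userIdentity", {})
    fields = {
        "eventSource": record.get("eventSource"),
        "eventName": record.get("eventName"),
        "awsRegion": record.get("awsRegion"),
        "sourceIPAddress": record.get("sourceIPAddress"),
        "userType": identity.get("type"),
        # IAM users carry userName; assumed-role sessions only carry an ARN.
        "userName": identity.get("userName") or identity.get("arn"),
        "accessKeyId": identity.get("accessKeyId"),
        "accountId": identity.get("accountId"),
    }
    if record.get("requestParameters") is not None:
        fields["requestParameters"] = json.dumps(
            record["requestParameters"], separators=(",", ":"), sort_keys=True)
    kv = " ".join(f'{k}="{_quote(v)}"' for k, v in fields.items() if v is not None)
    return f"<134>1 {record.get('eventTime', '-')} {hostname} cloudtrail - - - {kv}"


def send_to_pta(lines, host, port, timeout=5.0):
    """Deliver newline-terminated lines to PTA over one TCP connection.

    The Lambda's security group (PTA-AWS-Solution-SG) must allow outbound TCP to
    this host and port, and the subnet needs the NAT Gateway the requirements call
    for. Returns the number of lines sent.
    """
    with socket.create_connection((host, int(port)), timeout=timeout) as sock:
        for line in lines:
            sock.sendall((line + "\n").encode("utf-8"))
    return len(lines)


def lambda_handler(event, context=None):
    """Lambda entry point: the PTA target comes from the PTAIP and PTAPORT env vars."""
    host = os.environ["PTAIP"]
    port = os.environ["PTAPORT"]  # assumed variable name; the page only documents PTAIP
    lines = [to_syslog_line(r) for r in cloudtrail_records(event)]
    return {"forwarded": send_to_pta(lines, host, port)}


if __name__ == "__main__":
    # Offline run: print what would be delivered to PTA for the constructed sample.
    for line in map(to_syslog_line, cloudtrail_records(SAMPLE_SNS_EVENT)):
        print(line)
```

Keeping the formatting separate from the socket delivery lets the line builder be exercised offline; only send_to_pta needs the network path to PTA, which is why a wrong PTAIP or a stale security-group rule surfaces as a connection timeout in the CloudWatch logs rather than as a formatting error.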
- Logs: in the AWS console, go to the Lambda service, choose your Lambda from the list, open the "Monitoring" tab and press "View logs in CloudWatch".
To remove the solution:
- Delete the CloudFormation stack
- Delete the solution trigger located under CloudWatch → Rules
Copyright (c) 2019 CyberArk Software Ltd.
GNU Lesser General Public License v2.