This is the fifth and final article in the series titled "A Playbook to secure your Amazon AWS Infrastructure using Centrify and Active Directory" in the previous post we discussed how to integrate your Linux and Windows systems to Centrify zones in AWS Active Directory for the purposes of authentication and privilege management.
In this article we'll discuss how to use Centrify Privilege Service to provide shared account password management, privilege session management and recording and strong access controls. Here are the detailed goals:
- To provide a redundant secure point of access for AWS-hosted systems
- To provide password lifecycle services: request-approve-check-out-check-in-rotate-auto/rotate
- To provide temporary access (sessions and password checkouts)
- To provide application to application password management capabilities
- To provide advanced jumpbox access to SSH and RDP systems in AWS
- To be able to proctor in real time
- To be able to review session transcription and provide session replay
- To provide advanced access controls like strong authentication, time-fencing, geo-fencing and more
- To continue to leverage Active Directory or use other identity schemes(LDAP, Google Directory, Social Identity, Centrify Cloud Directory or even a SAML IdP as the identity source)
- Minimize exposure by eliminating the need for elastic IPs (publicly facing)
I've written about CPS in the community before, for some features and demos review this article: http://centrifying.blogspot.com/2015/08/in-depth-centrify-privilege-service.html
In summary, it is a SaaS-based Password Manager and Jump Box (in Gartner speak, provides SAPM, PSM and AAPM), however it uses the assets of identity service: Federation, Workflow, AD-Bridge, Multifactor Authentication and more. CPS has a connector-based architecture like this:
This means that there are several ways to use Privilege Service in IaaS scenarios. However, I will focus on this type of design:
The benefit oft his design is that it allows flexibility. Here are some highlights:
- The single source of identity continues to be the on-premises Active Directory. AD Principals (like groups) can be used to control entitlements like who can access the management portal, check out passwords, modify resources, etc.
- Allows for connected or disconnected AWS connectivity. Cloud Connectors in AWS act as jumpboxes, regardless of the EC2 scheme (domain-joined or not) the connectivity is centralized.
- Advanced Controls like
- Step-up authentication: Centrify MFA, OATH OTP, Phone factor, SMS, Email, PKI/Smartcard
- Allow access only from corporate network: Users must be on-premises to access AWS assets
- Geo-fencing: access can be limited to only corporate locations.
- Workflow: Resource and password check-outs can use an access request system (Centrify or ServiceNOW)
- Temporary access control.
- Time-to-Market: Password and session access can be deployed in minutes by launching an instance and deploying a cloud connector. The same goes for internal datacenters.
Stakeholders: Infrastructure Lead, Directory Services Lead, Security lead, AWS SME, UNIX/Linux or Windows image lead, Database (SQL Server) SME etc.
- What are the systems that need to be accessed?
The answer to this question has implications for AWS security groups. For example, the security group where Cloud Connectors will be residing must be able to establish connections over port 22 (SSH) and 3389 (RDP).
- What are the user populations that need access to AWS systems?
This determines the identity stores. User populations can be full-time employees, contractors, vendors, etc. Depending on the existing strategy, maybe not all users have AD accounts, this is where identity flexibility of CPS becomes handy. Some examples:
- Temporary contractors may be provisioned in the Centrify Cloud Directory instead of AD.
- Perhaps ADFS has been implemented or partners need access, in that case CPS can be the service provider in a federation relationship.
- What are the groups that should manage the system? what are their entitlements?
The answer to this question has directory service and functional implications.
- What are the security controls to be put in place? (strong auth, geo-fencing, time-based controls, workflow/approvals)
The data classification of the systems determines the controls that should be in place. The most basic could be that all AWS access must be generated from the corporate IP range, and access to the portal requires strong authentication.
- Password Management lifecycle questions:
Should approvals be required for password checkouts? Should multiple password check-outs allowed? should passwords be rotated in a specific interval? Should password health be monitored? should password be allowed from mobile devices? Should passwords for temporary systems be managed? Should active directory account passwords be managed?
- Password Storage
Should the Centrify Secure Storage be used or is a physical or hardware HSM (Safenet SecureKey) available?
- Will AAPM or self-registration be needed?
The answer to this question has implications for AWS images or DevOps. Centrify provides a Linux package (CLI toolkit); this allows for automation and automatic system registration.
- Monitoring and Reporting
What events should be sent to log aggregation (SIEM) platforms? What reports should be generated and who are the consumers of these reports?
What is the process of validating that certain privileged users should have (or continue to have) access to certain resources?
- Session Recording
What is the data retention policy for audited sessions? How many concurrent sessions (SSH/RDP) can be expected?
These topics are covered in depth in Chapter 2 of the DirectAudit Administrator's guide.
In this example, I will use an AWS environment with Active Directory to:
- Add a cloud connector for privilege service session management
- Manually register some EC2 Linux and Windows systems for jumpbox accesss
- Manually manage the password of a local Linux, Windows and Active Directory domain account.
- Use two AD groups: AWS-CPS-Full Access and AWS-CPS-Read-only access. Members of the 2nd group must request access for password checkouts or proxied sessions.
- Enforce Strong Authentication.
- Using the CLI toolkit for CLI password checkouts and manual and automatic.
Requirements for this Lab
- An AWS instance with Active Directory (managed by you or hosted by Amazon)
- Two AD groups: AWS-CPS-FullControl & AWS-CPS-Limited
- A Domain Administrator to authorize the cloud connector
- Outbound Internet connectivity via single-attached Elastic IP or Internet gateway (preferred)
- From Centrify you'll need:
- A Centrify Privilege Service evaluation or production tenant with sysadmin-like credentials.
- The Installation bits for Centrify DirectAudit
- A domain-joined system for:
a) Centrify Cloud Connector (although not recommended, this can be the DC if running a simple lab). Cloud connectors require outbound HTTPS connectivity and to act as jumpboxes for Linux and Windows systems, they should have connectivity over TCP ports 22 and 3389 (or your custom ports if changed).
b) DirectAudit components: this will be the not recommended all-in one scenario (Database/Collector/Agent).
- Test Linux and Windows EC2 instances.
- Optional: An Android/iOS mobile device for Touch/OTP MFA or a Yubikey 4 or NEO for OATH OTP
Installing a Cloud Connector
Configuring Roles for CPS Access
Configuring Workflow and Approvals
Using the CLI Tookit (AAPM)
Managing Active Directory Domain Account Passwords
Session Management, Proctoring, Capture and Replay
Dashboards and Reports
Advanced Controls (Policies, Authentication Profiles, Strong Authentication)
Some of the adjustments that can be made include:
- Password storage: HSM or Secure Centrify Storage
- Different directory sources for different user populations
- Smart Card Authentication
- Bulk import of systems
- CLI tookit baked into master AWS EC2 Linux instance.
- Use of PowerShell to automatically register Windows accounts
- Limited visibility of resources using the Privilege Portal login right.
End of Series - Conclusion
This ends the series on AWS and hopefully you've seen how the Centrify product lines: Server Suite, Privilege Service and Identity Service work together to secure your AWS environments while balancing operational efficiency and productivity.