Set Up the AWS API Proxy

The AWS API Proxy provides Privileged Access Manager security restrictions for AWS API access. The proxy is available for deployment in AWS AMI format.
To use the AWS API Proxy, obtain Privileged Access Manager licensing to support the required number of proxy users. Contact your CA Account Representative for more information.
If you use both the VMware NSX API Proxy and AWS API Proxy, each proxy must be on a different subnet.
To use the AWS API Proxy 2.1, enable it on the Privileged Access Manager appliance.
 
Follow these steps:
 
  1. Go to Credentials, Manage A2A, Mappings.
    1. Find the map between the AWS API Proxy Access Accounts and AWS API Proxy Clients.
    2. Select the following checkboxes as noted: Check Execution User ID, Uncheck Execution Path, and Uncheck File Path.
    3. Save the mapping.
  2. Go to the Policies, Manage Policies page. Delete all the password view options between the xceedium.aws.amazon.com and the AWS API proxy users.
    Leave the actual AWS API Proxy service as it was. If the user did not have an AWS API Proxy service that is defined, you can delete the policy instead.
  3. Delete all target accounts belonging to the target application AWS API Proxy Access Credential accounts.
    The Privileged Access Manager database is now ready for use with proxies.
  4. Navigate in the Credential Manager GUI to Groups, User Groups. Select Add and create a group with the following values:
    • Name – AWS Proxy Accessors
    • Description – Promote or demote users to be able to add or delete Proxy target accounts
    • Role – TargetAdmin
    • Target Group – AWS API Proxy Access Accounts
When a user who is assigned the AWS API Proxy logs in, they find a drop-down list on their landing page, or Access page. This list lets them view a password to use the proxy. After they view the password, the account is created and reused.
The AWS API Proxy privilege can now be assigned to User Groups and to individual Users. If you assign the privilege at a group level, each User in the group has their own proxy target account created the first time they log in and attempt to view the password. The number of users is limited to the number of licensed users.