Set Up the AWS API Proxy
The AWS API Proxy provides security restrictions for AWS API access. The proxy is available for deployment in AWS AMI format.

To use the AWS API Proxy, obtain Privileged Access Manager licensing to support the required number of proxy users. Contact your CA Account Representative for more information.

If you use both the VMware NSX API Proxy and the AWS API Proxy, each proxy must be on a different subnet.
To use the AWS API Proxy 2.1, enable it on the Privileged Access Manager appliance. Follow these steps:
- Go to Credentials, Manage A2A, Mappings.
- Find the mapping between the AWS API Proxy Access Accounts and the AWS API Proxy Clients.
- Set the checkboxes as follows: check Execution User ID, uncheck Execution Path, and uncheck File Path.
- Save the mapping.
- Go to the Policies, Manage Policies page. Delete all the password view options between the xceedium.aws.amazon.com target and the AWS API Proxy users. Leave the actual AWS API Proxy service as it was. If the user has no defined AWS API Proxy service, you can delete the policy instead.
- Delete all target accounts that belong to the target application AWS API Proxy Access Credential accounts. The Privileged Access Manager database is now ready for use with proxies.
- Navigate in the Credential Manager GUI to Groups, User Groups. Select Add and create a group with the following values:
  - Name: AWS Proxy Accessors
  - Description: Promote or demote users to be able to add or delete Proxy target accounts
  - Role: TargetAdmin
  - Target Group: AWS API Proxy Access Accounts
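The mapping step above enables verification of the Execution User ID and disables verification of the Execution Path and File Path. The following Python model, added here as an illustration and not Privileged Access Manager code, shows what those three switches mean for enforcement: each enabled check must match before a credential is released, while a disabled check is recorded as "not verified" so an auditor can see which client attributes are actually being relied on. The class names, field names, sample hosts, paths and user IDs are all assumptions constructed for the example.

```python
"""Hypothetical model of an A2A mapping check (added example, not
Privileged Access Manager's implementation). It mimics the three
verification switches from the mapping step: Execution User ID,
Execution Path and File Path. All names and semantics are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Mapping:
    """What the mapping expects of the client and which attributes it verifies."""
    account: str            # target account the mapping releases
    client_host: str        # registered A2A client host (always verified here)
    user_id: str            # expected OS user of the requesting process
    exec_path: str          # expected path of the requesting executable
    file_path: str          # expected path of the requesting script/file
    check_user_id: bool = True
    check_exec_path: bool = True
    check_file_path: bool = True


@dataclass(frozen=True)
class Request:
    """Attributes reported by the A2A client for one credential request (constructed)."""
    host: str
    user_id: str
    exec_path: str
    file_path: str


def evaluate(mapping: Mapping, req: Request) -> Tuple[bool, List[str]]:
    """Return (allowed, findings).

    The client host must always match. Each enabled attribute check must
    match as well; a disabled check never blocks the request but is listed
    as 'not verified' so reviewers can see the reduced assurance."""
    findings: List[str] = []
    if req.host != mapping.client_host:
        findings.append(f"host mismatch: {req.host} != {mapping.client_host}")
    checks = [
        (mapping.check_user_id, "execution user id", req.user_id, mapping.user_id),
        (mapping.check_exec_path, "execution path", req.exec_path, mapping.exec_path),
        (mapping.check_file_path, "file path", req.file_path, mapping.file_path),
    ]
    for enabled, label, got, want in checks:
        if not enabled:
            findings.append(f"{label} not verified (check disabled)")
        elif got != want:
            findings.append(f"{label} mismatch: {got} != {want}")
    allowed = not any("mismatch" in f for f in findings)
    return allowed, findings


def verified_attributes(mapping: Mapping) -> List[str]:
    """List the client attributes a mapping actually enforces (audit helper)."""
    names = [("host", True),
             ("execution user id", mapping.check_user_id),
             ("execution path", mapping.check_exec_path),
             ("file path", mapping.check_file_path)]
    return [n for n, on in names if on]


# Constructed sample: the configuration from the procedure (user ID checked,
# both path checks disabled) versus a fully strict mapping.
PROXY_MAPPING = Mapping("aws-proxy-access-01", "proxy-host.example.internal",
                        "awsproxy", "/opt/awsproxy/bin/proxy", "/opt/awsproxy/run.sh",
                        check_exec_path=False, check_file_path=False)
STRICT_MAPPING = Mapping("aws-proxy-access-01", "proxy-host.example.internal",
                         "awsproxy", "/opt/awsproxy/bin/proxy", "/opt/awsproxy/run.sh")

if __name__ == "__main__":
    req = Request("proxy-host.example.internal", "awsproxy", "/tmp/other", "/tmp/x.sh")
    for m in (PROXY_MAPPING, STRICT_MAPPING):
        ok, why = evaluate(m, req)
        print("allowed" if ok else "denied", verified_attributes(m), why)
```

Running the block shows that the procedure's mapping releases the credential to the right user even when the executable path differs, while the strict mapping denies the same request; the findings list makes the difference visible to whoever reviews the mapping.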
When a User who has been assigned the AWS API Proxy logs in, their landing page (the Access page) shows a drop-down list from which they can view a password to use the proxy. The first time they view the password, their proxy target account is created; it is reused on later logins.

The AWS API Proxy privilege can now be assigned to User Groups and to individual Users. If you assign the privilege at the group level, each User in the group gets their own proxy target account the first time they log in and attempt to view the password. The number of users is limited to the number of licensed users.