Securing Access to AWS Aurora (PostgreSQL) Database using Zero-Standing Privilege (ZSP)
In this blog we are going to showcase how you can secure access to an AWS Aurora PostgreSQL database using Zero-Standing Privilege (ZSP), with the help of CyberArk Secure Infrastructure Access (SIA) Modern Session Management.
This blog continues the previous one, Securing Access to AWS Aurora (PostgreSQL) Database using Vaulted Credentials. Several steps are common to both; for the sake of simplicity I will not repeat them here, but I will point out the differences. The AWS database is the same one used in the previous blog.
Overview of Implementing Zero-Standing Privileges (ZSP) with CyberArk
When connecting to a database using Zero Standing Privileges (ZSP), CyberArk creates a temporary privileged account. This account gives the user the permissions needed to do their work and is deleted when they log out. The ephemeral privileged user is created by means of a separate account called a Strong Account. The credentials for the Strong Account can be stored in the Vault or saved directly in SIA.
For this demo we will use a vaulted account. If you choose SIA-saved credentials instead, the first step (configuring the platform, creating a Safe and an Account) is not required.
Configure Platform, Create Safe, and Account
We have discussed the process of Platform configuration, Safe creation, and Account Creation, in the previous blog Securing Access to AWS Aurora (PostgreSQL) Database using Vaulted Credentials.
For ZSP, we need to add the Secure Infrastructure Privilege Cloud Ephemeral Access role to the Safe with Read Only access. The steps are as follows:
On the Privilege Cloud tile, navigate to Policies > Safes. Search for the safe and select it in the results area. In the Safe details area choose the Members tab, then click the Add Members button.
On the Add Members to Safe form, search for the Secure Infrastructure Privilege Cloud Ephemeral Access role, select it in the results area and click Next.
On the next page select the Read Only permission set and click Add.
This saves the new Safe permissions.
Add Connector pools and Deploy Connectors
We already completed this step in the previous blog, Securing Access to AWS Aurora (PostgreSQL) Database using Vaulted Credentials. The steps are the same for ZSP.
Add TLS Certificates for target validation
We already completed this step in the previous blog, Securing Access to AWS Aurora (PostgreSQL) Database using Vaulted Credentials. The steps are the same for ZSP.
SIA configurations for Database Vaulted Access
We already completed this step in the previous blog, Securing Access to AWS Aurora (PostgreSQL) Database using Vaulted Credentials. The steps are the same for ZSP.
Add Strong Accounts
To reiterate, in this demo we demonstrate a Strong Account with credentials saved in the Vault. For this step, copy the following details from the Account created for the database user.
After copying the above information from the Account (Account name and Safe), navigate to the SIA tile to add the Strong Account:
Navigate to the Strong Accounts menu. On the Strong Accounts page select the Database tab and click the Add a Strong Account button.
On the Create a Strong Account form, select Vaulted in the Privilege Cloud option and complete the form (Safe and Account Name are those of the Account created for the vaulted credential in Privilege Cloud). Then click Create.
On successful account creation the following message will appear.
Onboard the target Databases
On the SIA tile, navigate to the Resource Management menu and click Database.
On the Database Resource page, click the Onboard drop-down and select the PostgreSQL option.
Enter the details on the Onboard a PostgreSQL Database page. Note that the Strong Account can also be created directly on this form.
Click the Onboard button after completing the form to finish onboarding the database.
Create Recurring Access Policies
On the SIA tile, navigate to Recurring Access Policies and select Database from the Create a Policy dropdown.
Complete the details on the form: add a Name and Description, select the Time frame as required, and click Next.
On the next page select PostgreSQL as the database type, and in the pop-up form select the Database Resource onboarded previously. Click Apply.
Click Next.
On the next page click the Create an Access Rule button > add a Rule Name > click the Update Member button > search for and select the user, group or role and click Update > choose the details under the Access Window section > click the Create Rule button > then click the Activate Policy button.
Initiating ZSP Connection to Aurora PostgreSQL DB
We will use Connection Guidance and MFA Caching to obtain the connection details, and then use the pgAdmin client to connect with those details.
On the SIA tile navigate to the Connection Guidance menu. Go to the Database tab > select PostgreSQL as the database type > select Zero standing privilege as the access method > enter the database FQDN in Address. Then copy the Hostname and Username.
Navigate to the MFA Caching menu > under the Database tab click the Generate button > copy the password.
Open pgAdmin > start the Register Server process > on the General tab add the server Name > on the Parameters tab set SSL mode to Require and increase the Connection timeout.
Then on the Connection tab add the Hostname, Username and Password copied in the previous steps. Click Save.
The connection is established successfully.
We can run a query and see that current_user is the ephemeral user instead of the postgres user.
Disconnect from the server and close the Query window to end the session.
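The following SQL is an added illustration of the ephemeral-user lifecycle described in the overview (strong account creates a short-lived user, the user works, the user is dropped at logout) together with the current_user check used above; it is not CyberArk's own implementation, and the role names, database name, password and expiry are constructed placeholders.

```sql
-- Added illustration of the ZSP pattern; not the SQL that SIA itself runs.
-- Placeholders: sia_strong (strong account), zsp_demo_user (ephemeral user), appdb.

-- (a) Prerequisite: the strong account must be able to mint roles, but it does not
--     need to be a superuser (on Aurora, rds_superuser is also more than required).
-- ALTER ROLE sia_strong WITH CREATEROLE;

-- (b) Session start, run as the strong account: a login role with least privilege
--     and a hard expiry, so the account dies even if cleanup at logout never runs.
--     Granting on tables assumes the strong account owns them or holds the
--     privileges WITH GRANT OPTION.
CREATE ROLE zsp_demo_user WITH LOGIN
    PASSWORD 'constructed-placeholder-secret'
    VALID UNTIL '2030-01-01 01:00:00+00';
GRANT CONNECT ON DATABASE appdb TO zsp_demo_user;
GRANT USAGE ON SCHEMA public TO zsp_demo_user;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO zsp_demo_user;

-- (c) Verification, run by the end user in pgAdmin once connected: the name
--     returned is the ephemeral role, not postgres, and the expiry is in the future.
SELECT current_user,
       session_user,
       rolvaliduntil,
       now() < rolvaliduntil AS still_valid
FROM pg_roles
WHERE rolname = current_user;

-- (d) Session end, run as the strong account: terminate any backend still open
--     for the user, remove its grants, then drop it. DROP OWNED needs membership
--     of (or ADMIN on) the role; a CREATEROLE account that created the role has
--     that on PostgreSQL 16 and later.
SELECT pg_terminate_backend(pid)
FROM pg_stat_activity
WHERE usename = 'zsp_demo_user';
DROP OWNED BY zsp_demo_user;
DROP ROLE zsp_demo_user;

-- (e) Hygiene check for defenders: ephemeral roles that survived cleanup, and
--     whether any of them picked up privileges they should never have.
SELECT rolname, rolvaliduntil, rolsuper, rolcreaterole, rolcreatedb
FROM pg_roles
WHERE rolname LIKE 'zsp\_%' ESCAPE '\'
ORDER BY rolvaliduntil NULLS FIRST;
```

Run section (e) periodically under the strong account or a read-only auditor; a row with a NULL or past rolvaliduntil is a leftover account that should have been dropped at session end.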
Audit and Session Monitoring
Audit users can go to the Audit tile and monitor the queries executed in the above session.
On the Audit tile navigate to Session Monitoring. Filter and select the session. The commands executed by the user are displayed under the Commands tab.