PowerBroker for Unix & Linux (PBUL), BeyondTrust’s gold-standard solution for Unix/Linux privilege management, comes with a very powerful and flexible Policy Engine that enables organizations to satisfy even the most complex privileged access requirements. In this blog I will explain how that Policy Engine leverages an API for third-party solutions, such as cloud applications and DevOps tools, to enable full orchestration across an environment, in this case, Amazon AWS.
With PowerBroker, it’s possible to interface with Amazon AWS IAM in order to verify that users are properly authorized via a Role or a Group, or a specific permission, before allowing them to execute a specific command on a specific server. If an administrator wants to issue a command to restart a server instance in AWS, the PBUL Policy Engine can first verify that the user is a member of the appropriate permission Group, and that the user is authorized for the specific server instance. Other conditions can also be included, like time of day, the day of the week, the user’s location, and any other third-party solution scripted through PBUL policy.
In order to make this work, let’s look at the example below. First, we need to define a couple of sample groups in AWS IAM. Our sample user, McDavis, is a member of the DevOps Group. The groups are shown below (not his membership):
Then, we use a simple test script (aws_test.sh) to our PowerBroker policy:
## The following user, mcdavis, is used to test AWS query.
## The following user, mcdavis, is used to test AWS query.
if (user in { "mcdavis" } && basename(command) in { "aws_test.sh","aws_test"}) {
# do not allow these commands to be delegated
print ("user called aws_test.sh");
if (basename(command) in { "aws_test.sh","aws_test"}) {
print ("command is aws_test.sh");
include '/etc/pb/aws_functions.conf';
RetrieveAWS_Group();
DELIM=",";
AWSFIELDS=split(AWSDATA,DELIM);
print(AWSFIELDS);
COUNT=0;
COUNTER=0;
TEST=split(AWSDATA, "\n");
for Lines in TEST {
TEST2=split(Lines, ",");
COUNT=length(TEST2);
COUNT2=( COUNT -1);
while ( COUNTER <= COUNT2 ) {
if ( TEST2[COUNTER] == "DevOps" ) {
print("Congratulations - you are a member of the DevOps Group, so you are authorized to execute this command");
COUNTER++;
}
else
{
COUNTER++;
}
} # End while
COUNT=0;
COUNTER=0;
} # End for
}
accept("This is a restricted command aws_test.sh -- '" + basename(command) + "'.");
}
When you execute the script as a part of a “test” policy, you are able to determine the AWS IAM group membership as shown below:
While this is a simplistic sample, it demonstrates three important things:
- The power of the PowerBroker for Unix & Linux scripting language to integrate into third-party solutions.
- The integration from PowerBroker for Unix & Linux to support group membership of AWS IAM users.
- The support of PowerBroker for Unix & Linux in DevOps and Cloud environments in support of next-generation technologies.
Michel Bluteau, Sr. Sales Engineer, BeyondTrust
Michel has been interfacing with many organizations in different verticals around the world, over the last decade, trying to capture Requirements and Use Cases in Identity Management, Compliance, and more recently Privileged Account Management. Michel’s expertise with various platforms including SAP, ServiceNow, .NET and Java, allows him to contribute to integration and share his experience and solutions. Recently, Michel has also been focusing on the User Experience and how to leverage Web Services API made available more and more for both on-premises and cloud based applications and platforms.