The aim of this guide is to provide detailed, step-by-step instructions on how to set up and install One Identity Safeguard for Privileged Sessions in an Amazon Web Services (AWS) virtual environment.
The document comprises the following sections:
Prerequisites collects the requirements that you must comply with before deploying Safeguard for Privileged Sessions on AWS.
Limitations lists the limitations that apply when installing Safeguard for Privileged Sessions in an AWS virtual environment.
Installing Safeguard for Privileged Sessions on Amazon Web Services describes how to install Safeguard for Privileged Sessions in an AWS virtual environment.
The following prerequisites must be met before deploying Safeguard for Privileged Sessions on Amazon Web Services:
You have a valid One Identity Safeguard for Privileged Sessions license.
One Identity Safeguard for Privileged Sessions uses the "Bring your own license" model. Note that to deploy two active Safeguard for Privileged Sessions nodes as an availability set, you must purchase two standalone Safeguard for Privileged Sessions licenses. To purchase a license, contact our Support Team.
You have an Amazon Web Services account and privileges to access the Amazon Elastic Compute Cloud (EC2) service.
You have secure access to your Amazon Virtual Private Cloud (VPC) resources, for example, through the use of a Virtual Private Network (VPN).
You have working knowledge of the Safeguard for Privileged Sessions installation process.
You have familiarity with AWS EC2.
The following limitations apply when deploying Safeguard for Privileged Sessions on Amazon Web Services:
If High Availability (HA) operation mode is required in a virtual environment, use the HA function provided by the virtual environment.
When running Safeguard for Privileged Sessions in a virtual environment, use a single network interface.
During AWS installation, connecting directly to the Internet using a public IP address is not supported. Instead, you must access the Internet via a Virtual Private Network or a jump host.
To deploy One Identity Safeguard for Privileged Sessions on Amazon Web Services, complete the following steps.
This chapter uses a number of screenshots for illustration purposes. Note that these are added here for reference only as the look and feel (but not the contents) of the Amazon user interface may change without this guide showing the latest changes.
Log in to Amazon Web Services.
Once logged in, go to INSTANCES > Instances in the left-hand navigation pane, and then click Launch Instance. Alternatively, from the menu, select Services > Compute > EC2 > INSTANCES > Instances.
Figure 1: Instances page
The Step 1: Choose an Amazon Machine Image (AMI) page comes up.
Choose an AMI that corresponds to the type of Virtual Machine (VM) that you wish to launch an instance from:
Click My AMIs in the left-hand navigation pane.
Go to Ownership, and select the Shared with me checkbox. Deselect the Owned by me checkbox. This will apply a filter and display the AMIs relevant to you.
Click your preferred AMI, and click Select next to it.
To quickly find the AMI you are looking for, type a search keyword in the Search my AMIs search box and hitEnter.
Figure 2: Step 1: Choose an Amazon Machine Image (AMI)
The Step 2: Choose an Instance Type page comes up.
Choose an instance type:
Select an instance type by clicking the checkbox next to it.
The minimum memory requirement is 8 GiB, that is, type t2.large. For your specific memory requirement, contact Support.
ClickNext: Configure Instance Details.
Figure 3: Step 2: Choose an Instance Type
The Step 3: Configure Instance Details page comes up.
Configure instance details:
Select the required Virtual Private Cloud (VPC) from the Network list.
Choose a subnet to launch the instance into.
Exposing Safeguard for Privileged Sessions to the public Internet during installation is not supported at all, therefore, you must use a VPN or jump host to reach your instance and configure it.
Ensure that the Auto-assign Public IP field is set to Disable or Use subnet setting (Disable). This is required so that you do not get assigned a public IP address.
Use the default values for all other fields or change them as required.
You can leave the Network interfaces part untouched as using just one network interface will suffice.
Note, however, that if you launch Safeguard for Privileged Sessions with a single interface configured, then that interface will act as the management interface.
ClickNext: Add Storage.
Figure 4: Step 3: Configure Instance Details
The Step 4: Add Storage page comes up.
Add storage to your instance:
Set the size of your instance's store volume.
It is important that you choose this value wisely as once you have launched the instance, you will not be able to go back and modify it. The minimum storage size is 20 GiB, while the maximum allowed value is 16 TB (16384 GB).
Set the volume type of your instance's store volume.
SSD provides better performance than a Magnetic hard drive, however, it is also more expensive.
For a customer specific volume type and disc recommendation, contact Support to discuss your needs.
Selecting the Delete on Termination checkbox will automatically delete your store volume on terminating the instance. This is useful as this will free up storage place, and you will not have to pay for a store volume you are not using anymore. However, note that deleting the store volume will also delete your non-archived audit data.
ClickNext: Add Tags.
Figure 5: Step 4: Add Storage
The Step 5: Add Tag page comes up.
Create a tag for your instance:
Add a meaningful key-value pair that will help you later on to easily identify your instance.
ClickNext: Configure Security Group.
Figure 6: Step 5: Add Tags
The Step 6: Configure Security Group page comes up.
Configure security group:
Set a new or an existing security group to control how Safeguard for Privileged Sessions is accessed.
Exposing Safeguard for Privileged Sessions to the public Internet during installation is not supported at all, therefore, you must use a VPN or jump host to reach your instance and configure it. As for exposing the logging interface to the Internet after installation, contact Support to discuss your needs and how those could be met.
To achieve the above: restrict your security group to those users and log clients that access Safeguard for Privileged Sessions from a secure network, and not over the public Internet. For example, if you are using a jump host, then you need a security group that will allow only your dedicated VPC to connect to your Safeguard for Privileged Sessions. If there is a VPN to your home network or some other secure network, that can be allowed as well.
Click Review and Launch.
Figure 7: Step 6: Configure Security Group
The Step 7: Review Instance Launch page comes up.
Before launching your instance, double-check whether all details have been set as intended:
Under Instance Type, you have at least 8 GiB of memory assigned.
Under Instance Details, the Assign Public IP option is set to Disable or Use subnet setting (Disable).
Make any changes if required.
Once you are happy with all settings, click Launch.
Figure 8: Step 7: Review Instance Launch
The Select an existing key pair or create a new key pair pop-up window comes up.
On the Select an existing key pair or create a new key pair pop-up window:
Select the Proceed without a key pair option.
Tick the checkbox that says "I acknowledge that I will not be able to connect to this instance unless I already know the password built into this AMI".
Click Launch Instances.
Figure 9: Step 7: Review Instance Launch — Key pair pop-up window
The Launch Status page comes up informing you that your instance is launching.
To view your instance's status, click View Instances.
Figure 10: Launch Status page
The Instances page comes up, which should now display the instance you have just launched. Depending on the size of the instance, installation may take up to 1-5 minutes.
To access your Safeguard for Privileged Sessions instance and start configuring it using the welcome wizard, you will need your instance's IP address and the netmask of your chosen subnet, both of which you can obtain from the AWS user interface.
Safeguard for Privileged Sessions expects that the IP address provided will not change, therefore, before retrieving the IP address, perform the following check:
Click the instance you have just added, and select Actions > Networking > Manage Private IP Addresses from the menu at the top.
Figure 11: Instances page — Actions menu
The Manage Private IP Addresses pop-up window comes up.
To ensure that the IP address stays the same, make sure that the Allow reassignment option is unchecked.
Figure 12: Instances page — Manage Private IP Addresses pop-up window
To obtain and use the IP address of the instance to access the welcome wizard:
Click the instance on the Instances page.
This will display the description of the instance, including its private IP address.
Select the value in the Private IPs field and copy it.
Figure 13: Instances page — Instance description
Paste the IP you copied in your browser and accept the displayed certificate. The welcome wizard appears.
The Safeguard for Privileged Sessions welcome wizard automatically preloads the IP address, Prefix, Default GW and DNS server fields as shown in the image below.
If data is not automatically preloaded in your welcome wizard as shown in the image below, contact Support.
Figure 14: Welcome wizard — Preloaded fields
For detailed information on the Safeguard for Privileged Sessions welcome wizard, see "The Welcome Wizard and the first login" in the Administration Guide.