
PrivX - Just-in-time Access Management

Available as infrastructure as code on AWS for fast deployment.

PrivX is a lean and modern privileged access management solution that automates access management for your AWS, Azure and GCP infrastructure in one multi-cloud solution. Alongside the cloud experience, you can also connect your on-prem infrastructure to it, giving you a single pane of glass for access control and monitoring. This project further simplifies PrivX on-boarding with deployment automation built on infrastructure-as-code tooling.


Inspiration

Having seen how permanent passwords and left-behind, forgotten SSH keys enable access to critical environments years after they were created and needed, we started the PrivX project in order to get rid of passwords and keys, and of any permanent access altogether. We wanted to build a solution that only grants access when it is needed and at the level needed. Later on this approach was coined Just-in-Time Access, and the method Zero Standing Privileges (ZSP), by industry analysts, as part of the larger Zero Trust trend of always (re-)verifying a user before any access is granted.

PrivX automates the process of granting and revoking access by integrating with your identity management system (LDAP, AD etc.) and fetching identities and roles from it, and ensures your engineering and admin staff have one-click access to the right infrastructure resources at the right access level. You also get a full audit trail and monitoring, which is vital if you handle sensitive data or, for example, open access to your environment for third parties.

Learn more about PrivX and get your trial license.

To learn how PrivX works, please check out this video.

SSH experience

RDP experience

Getting Started

The latest version of the infrastructure as code is available on the master branch of the repository. All development, including new features and bug fixes, takes place on the master branch using forking and pull requests as described in the contribution guidelines.

Requirements

  1. The PrivX infrastructure components are written with AWS CDK and TypeScript. Configure your environment with Node.js 10.x or later (including npm) and install the required components:

## with brew on MacOS
brew install node

## then install CDK
npm install -g typescript ts-node aws-cdk

  2. Obtain access to the target AWS account. You must be able to create and delete AWS resources in it.

  3. Obtain a domain name (and pick a subdomain for the instance) and configure an AWS Route53 hosted zone for the domain. If you have a fresh AWS account or no domain name yet, you can register one from AWS.

Deployments

Use the AWS CDK command line tools to deploy PrivX to your AWS account. Please note that the process consists of multiple stages:

##
## 1. clone privx-on-aws repository locally
git clone https://github.com/SSHcom/privx-on-aws
cd privx-on-aws

##
## 2. pre-configure the deployment by setting up the environment and
##    installing dependent components. Prefer short-lived credentials
##    (an AWS_PROFILE backed by SSO/STS) over long-lived access keys
##    exported in the shell, where they end up in history and process
##    listings; the exports below are the minimum the CDK needs.
export AWS_ACCESS_KEY_ID=Your-Access-Key
export AWS_SECRET_ACCESS_KEY=Your-Secret-Key
export CDK_DEFAULT_ACCOUNT=Your-Account-Id
export CDK_DEFAULT_REGION=eu-west-1
export AWS_DEFAULT_REGION=eu-west-1
npm install

##
## 3. configure and bootstrap the target AWS region with AWS CDK.
##    Please note, the process requires the domain name here, and the
##    corresponding Route53 hosted zone must already exist and be
##    properly configured, otherwise the deployment fails.
cdk bootstrap aws://${CDK_DEFAULT_ACCOUNT}/${CDK_DEFAULT_REGION} \
  -c domain=example.com

##
## 4. deploy PrivX, you need to define a few variables here
##    subdomain   unique name of your PrivX instance, letters only:
##                DO NOT USE digits, hyphens or any other non-alphabet
##                character in the subdomain name
##
##    cidr        private IPv4 block (RFC 1918) for the AWS VPC; the default
##                10.0.0.0/16 fits the majority of deployments, choose another
##                block if it overlaps a network you intend to peer or VPN with
##
##    email       address to deliver CloudWatch alerts
##
##    sshkey      AWS EC2 key pair for SSH access to the PrivX instance for
##                debugging purposes; leave empty to disable SSH access,
##                which is the safer default for a production instance.
##                See more about key pairs in the AWS documentation
##                https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
##
cdk deploy privx-on-aws \
  -c cidr=10.0.0.0/16 \
  -c subdomain=privx \
  -c domain=example.com \
  -c email=Your-Email \
  -c sshkey=aws-keypair-name

In a few minutes, your own instance of PrivX is available. Please check our playbook or raise a GitHub issue if you have any trouble with the deployment process. The deployment builds the entire PrivX architecture in your AWS account.
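The checks a practitioner wants before running step 4, as an added example that is not part of the privx-on-aws project: it validates the context values the deployment asks for (a letters-only subdomain, a private VPC block, a plausible alert address), confirms that the exported credentials belong to CDK_DEFAULT_ACCOUNT, and confirms that the Route53 hosted zone for the domain actually exists, so the failure modes noted above surface before cdk starts creating resources. It assumes the AWS CLI is installed and the same environment variables as in step 2 are exported; the function names, the /16-/28 prefix range (the AWS VPC limits) and the file name preflight.sh are this example's own.

```shell
#!/bin/sh
# Pre-flight checks for a privx-on-aws deployment. Example code, not part of
# the project. Assumes the AWS CLI is on PATH and the same credentials/region
# as the cdk commands are exported. It does not run cdk itself; it only stops
# you from reaching "cdk deploy" with inputs the stack would reject.
set -eu

# The README forbids any non-alphabet character in the subdomain.
valid_subdomain() {
  case "$1" in
    '' | *[!a-zA-Z]*) return 1 ;;
  esac
  return 0
}

# Minimal sanity check for the alert address: exactly one @, no spaces,
# and a dotted domain part after the @.
valid_email() {
  case "$1" in
    '' | *@*@* | *' '*) return 1 ;;
    *@*.*) return 0 ;;
  esac
  return 1
}

# Accept a.b.c.d/p with octets 0-255, a VPC-sized prefix (16..28, the AWS
# limits) and an address inside an RFC 1918 range, so the VPC can never
# overlap public address space.
valid_vpc_cidr() {
  cidr=$1
  case "$cidr" in
    */*) ip=${cidr%/*}; prefix=${cidr#*/} ;;
    *) return 1 ;;
  esac
  case "$prefix" in '' | *[!0-9]*) return 1 ;; esac
  [ "$prefix" -ge 16 ] && [ "$prefix" -le 28 ] || return 1
  IFS=. read -r a b c d <<EOF
$ip
EOF
  for o in "$a" "$b" "$c" "$d"; do
    case "$o" in '' | *[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  [ "$a" -eq 10 ] && return 0
  [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
  [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 0
  return 1
}

# Prints the hosted zone id for exactly this domain (Route53 stores zone
# names with a trailing dot); prints nothing when no such zone exists.
hosted_zone_id() {
  aws route53 list-hosted-zones-by-name --dns-name "$1." \
    --query "HostedZones[?Name=='$1.'].Id" --output text
}

preflight() {
  domain=$1; subdomain=$2; cidr=$3; email=$4
  valid_subdomain "$subdomain" || { echo "subdomain must be letters only: $subdomain" >&2; return 1; }
  valid_vpc_cidr "$cidr"       || { echo "cidr must be a private IPv4 block, /16 to /28: $cidr" >&2; return 1; }
  valid_email "$email"         || { echo "email does not look like an address: $email" >&2; return 1; }

  # Deploy into the account you think you are deploying into: compare the
  # account behind the exported credentials with CDK_DEFAULT_ACCOUNT.
  account=$(aws sts get-caller-identity --query Account --output text)
  [ "$account" = "${CDK_DEFAULT_ACCOUNT:-}" ] || {
    echo "credentials belong to account $account but CDK_DEFAULT_ACCOUNT is ${CDK_DEFAULT_ACCOUNT:-unset}" >&2
    return 1
  }

  zone=$(hosted_zone_id "$domain")
  [ -n "$zone" ] || { echo "no Route53 hosted zone for $domain in this account" >&2; return 1; }

  echo "ok: account $account, hosted zone $zone, PrivX will be https://$subdomain.$domain"
}

# Runs only when called with all four values, e.g.
#   sh preflight.sh example.com privx 10.0.0.0/16 Your-Email
if [ "$#" -eq 4 ]; then
  preflight "$@"
fi
```

Run it with the same four values you are about to pass to cdk deploy; a non-zero exit with a message on stderr means fix the input or the account, not the stack.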

architecture

Open a Web browser with your fully qualified domain name, e.g. https://privx.example.com.

The login credentials for the superuser are stored in AWS Secrets Manager in your AWS account:

  1. Choose the right region
  2. Go to AWS Secrets Manager > Secrets > KeyVault...
  3. Scroll to the Secret value section
  4. Click Retrieve secret value
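The console steps above in CLI form, as an added example that is not part of the privx-on-aws project: it looks up the secret by the KeyVault name prefix the README mentions, reads its value, and first checks that the new hostname resolves and answers over TLS with certificate verification left on. It assumes the AWS CLI, dig and curl are installed and that AWS_DEFAULT_REGION points at the region you deployed to; the function names and file name postdeploy.sh are this example's own.

```shell
#!/bin/sh
# Post-deployment checks and superuser credential retrieval for privx-on-aws.
# Example code, not part of the project. Assumes the AWS CLI, dig and curl
# are on PATH and AWS_DEFAULT_REGION is the region the stack was deployed to.
set -eu

# URL the stack publishes for the given subdomain/domain context values.
privx_url() {
  printf 'https://%s.%s\n' "$1" "$2"
}

# Host part of that URL, for the DNS check.
url_host() {
  h=${1#https://}
  echo "${h%%/*}"
}

# ARN of the first secret whose name starts with KeyVault (the name filter
# of list-secrets is a prefix match). --query keeps the lookup to metadata.
superuser_secret_arn() {
  aws secretsmanager list-secrets \
    --filters Key=name,Values=KeyVault \
    --query 'SecretList[0].ARN' --output text
}

# Prints the secret string. Each call is recorded in CloudTrail as a
# GetSecretValue event, which is the audit trail you want around a superuser
# credential; do not paste the output into a ticket or leave it in history.
superuser_credentials() {
  aws secretsmanager get-secret-value --secret-id "$1" \
    --query SecretString --output text
}

# DNS first (the record is created by the stack), then an HTTPS request with
# certificate verification on: a mismatched or self-signed certificate is a
# deployment problem to fix, not something to silence with curl -k.
check_endpoint() {
  url=$1
  host=$(url_host "$url")
  dig +short "$host" | grep -q . || { echo "no DNS record for $host" >&2; return 1; }
  code=$(curl -sS -o /dev/null -w '%{http_code}' "$url/")
  echo "$url answered HTTP $code"
}

# Runs only when called with the subdomain and domain, e.g.
#   sh postdeploy.sh privx example.com
if [ "$#" -eq 2 ]; then
  url=$(privx_url "$1" "$2")
  check_endpoint "$url"
  arn=$(superuser_secret_arn)
  echo "superuser secret: $arn"
  echo "login at $url with:"
  superuser_credentials "$arn"
fi
```

The IAM principal running this needs only secretsmanager:ListSecrets and secretsmanager:GetSecretValue on the KeyVault secret; give it nothing broader.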

In the final step, obtain a license code to activate your environment.

Next Steps

Bugs

If you experience any issues with the library, please let us know via GitHub issues. We appreciate detailed and accurate reports that help us to identify and replicate the issue.

  • Specify the configuration of your environment. Include which operating system you use and the versions of the runtime environments.

  • Attach logs, screenshots and exceptions, if possible. Redact account IDs, hosted zone IDs and credentials before posting.

  • Reveal the steps you took to reproduce the problem; include code snippets or links to your project.

How To Contribute

The project is Apache 2.0 licensed and accepts contributions via GitHub pull requests:

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Added some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

Development requires TypeScript and AWS CDK:

npm install -g typescript ts-node aws-cdk
git clone https://github.com/SSHcom/privx-on-aws
cd privx-on-aws

npm install
npm run build
npm run test
npm run lint

License

See LICENSE

Contributors

dependabot[bot], fogfish, izareenssh, jjh-ssh, jukeks, juslop1, misainio, misainiossh, praveenviswanath

privx-on-aws's Issues

InDebt alarms are flaky

The threshold and period are misconfigured. The alarm says

Threshold Crossed: 1 datapoint was received for 4 periods and 3 missing datapoints were treated as [NonBreaching].

It should use a 5 min period for the InDebt alarms.

Error when deploying stack

Hello,

When trying to deploy the stack I'm getting an error 'Cannot read property 'split' of undefined'.

Here is log output:

cdk deploy albertprivxtest18 -c cidr=10.100.0.0/16 -c domain=<mydomain.com> -c [email protected] -c sshkey=test-albert -c name=albertprivxtest18 -vvv --debug
CDK toolkit version: 1.108.0 (build b23f781)
Command line arguments: {
  _: [ 'deploy' ],
  c: [
    'cidr=10.100.0.0/16',
    'domain=<mydomain.com>',
    '[email protected]',
    'sshkey=test-albert',
    'name=albertprivxtest18'
  ],
  context: [
    'cidr=10.100.0.0/16',
    'domain=<mydomain.com>',
    '[email protected]',
    'sshkey=test-albert',
    'name=albertprivxtest18'
  ],
  v: 3,
  verbose: 3,
  debug: true,
  defaultAccount: ############,
  defaultRegion: 'us-east-1',
  lookups: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': true,
  pathMetadata: true,
  'asset-metadata': true,
  assetMetadata: true,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  fail: false,
  all: false,
  'build-exclude': [],
  E: [],
  buildExclude: [],
  ci: false,
  execute: true,
  force: false,
  f: false,
  parameters: [ {} ],
  'previous-parameters': true,
  previousParameters: true,
  '$0': '/usr/local/bin/cdk',
  STACKS: [ 'albertprivxtest18' ],
  'S-t-a-c-k-s': [ 'albertprivxtest18' ]
}
CLI argument context: cidr=10.100.0.0/16
CLI argument context: domain=<mydomain.com>
CLI argument context: [email protected]
CLI argument context: sshkey=test-albert
CLI argument context: name=albertprivxtest18
cdk.json: {
  "app": "ts-node src/index",
  "requireApproval": "never"
}
cdk.context.json: {
  "availability-zones:account=############:region=us-east-1": [
    "us-east-1a",
    "us-east-1b",
    "us-east-1c",
    "us-east-1d",
    "us-east-1e",
    "us-east-1f"
  ],
  "hosted-zone:account=############:domainName=<mydomain.com>:region=us-east-1": {
    "Id": "/hostedzone/Z06499273BCK97TD82YGA",
    "Name": "<mydomain.com>."
  }
}
merged settings: {
  versionReporting: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'ts-node src/index',
  requireApproval: 'never',
  context: {
    cidr: '10.100.0.0/16',
    domain: '<mydomain.com>',
    email: '[email protected]',
    sshkey: 'test-albert',
    name: 'albertprivxtest18'
  },
  debug: true,
  assetMetadata: true,
  toolkitBucket: {},
  staging: true,
  bundlingStacks: [ '*' ],
  lookups: true
}
Determining if we're on an EC2 instance.
Does not look like an EC2 instance.
Toolkit stack: CDKToolkit
Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
Resolving default credentials
Retrieved account ID ############ from disk cache
Setting "CDK_DEFAULT_ACCOUNT" environment variable to ############
context: {
  'availability-zones:account=############:region=us-east-1': [
    'us-east-1a',
    'us-east-1b',
    'us-east-1c',
    'us-east-1d',
    'us-east-1e',
    'us-east-1f'
  ],
  'hosted-zone:account=############:domainName=<mydomain.com>:region=us-east-1': { Id: '/hostedzone/Z06499273BCK97TD82YGA', Name: '<mydomain.com>.' },
  cidr: '10.100.0.0/16',
  domain: '<mydomain.com>',
  email: '[email protected]',
  sshkey: 'test-albert',
  name: 'albertprivxtest18',
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true,
  'aws:cdk:version-reporting': true,
  'aws:cdk:bundling-stacks': [ '*' ]
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'us-east-1',
  CDK_DEFAULT_ACCOUNT: '############',
  CDK_DEBUG: 'true',
  CDK_CONTEXT_JSON: '{"availability-zones:account=############:region=us-east-1":["us-east-1a","us-east-1b","us-east-1c","us-east-1d","us-east-1e","us-east-1f"],"hosted-zone:account=############:domainName=<mydomain.com>:region=us-east-1":{"Id":"/hostedzone/Z06499273BCK97TD82YGA","Name":"<mydomain.com>."},"cidr":"10.100.0.0/16","domain":"<mydomain.com>","email":"[email protected]","sshkey":"test-albert","name":"albertprivxtest18","aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true,"aws:cdk:version-reporting":true,"aws:cdk:bundling-stacks":["*"]}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '7.0.0',
  CDK_CLI_VERSION: '1.108.0'
}
Cannot read property 'split' of undefined
TypeError: Cannot read property 'split' of undefined
    at Minimatch.match (/usr/local/lib/node_modules/aws-cdk/node_modules/minimatch/minimatch.js:717:9)
    at minimatch (/usr/local/lib/node_modules/aws-cdk/node_modules/minimatch/minimatch.js:107:42)
    at CloudAssembly.selectStacks (/usr/local/lib/node_modules/aws-cdk/lib/api/cxapp/cloud-assembly.ts:121:13)
    at CdkToolkit.selectStacksForDeploy (/usr/local/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:385:35)
    at CdkToolkit.deploy (/usr/local/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:111:20)
    at initCommandLine (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:210:9)

thank you,

Albert Sheynkman

Deploy without Domain name

As a DevOps
I want to tryout/deploy PrivX without domain name
So that Route53 configuration is not needed at the beginning.

Fix Retain Policy of EFS

The default AWS CDK implementation uses the RETAIN policy. However, our policy is to clean up everything after the stack is removed.

Native clients are an optional feature

We spawn an instance in a public subnet, which enables out-of-the-box support for native clients. However, native clients are an optional feature. We might disable them and run the instance in a private subnet.
