Adobe Sign and AWS IAM Cleanup #72

Merged
merged 4 commits into from
Feb 9, 2024
Original file line number Diff line number Diff line change
Expand Up @@ -52,8 +52,6 @@ function Write-Log {
# Write Log data
$MessageString = "{0}`t| {1}`t| {2}`t| {3}" -f $Timestamp, $MessageLevel,$logApplicationHeader, $Message
$MessageString | Out-File -FilePath $LogFile -Encoding utf8 -Append -ErrorAction SilentlyContinue
# $Color = @{ 0 = 'Green'; 1 = 'Cyan'; 2 = 'Yellow'; 3 = 'Red'}
# Write-Host -ForegroundColor $Color[$ErrorLevel] -Object ( $DateTime + $Message)
}
}

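Review bot: Dropping the two commented-out Write-Host lines is fine, but the line just above them still writes the log with `-ErrorAction SilentlyContinue`, so a log file that cannot be opened (bad path, no write permission on the Distributed Engine) fails without any signal. Consider surfacing that failure at least once, for example `-ErrorAction Stop` inside a try/catch that emits a warning, so an operator is not left with an empty log after a failed discovery run.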
Expand All @@ -77,7 +75,6 @@ try {
}
#endregion Error Handling Functions

#New-AccessKeys -RootAccessKey $args[0] -RootSecretKey $args[1] -IAMUser $args[2] -IAMUserAccessKey $args[3] -SecretId $args[4] -Url "https://ps01.thycotic.blue/secretserver" -UserName $args[5] -Password $args[6]
#Begin Main Process

try {
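Review bot: Removing the commented-out `New-AccessKeys` invocation is the right call, since it carried an internal Secret Server URL (`https://ps01.thycotic.blue/secretserver`) and the positional layout of the root access key, root secret key and password arguments. It remains in the repository history, though; if that hostname or any values ever used with that line are sensitive, treat them as exposed and rotate them rather than relying on this deletion.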
Expand Up @@ -97,7 +97,7 @@ This scanner will scan AWS for administrative accounts.

- Merge Fields: Leave Blank

- Script: Copy and paste the Script included in the file [AWS IAM User Discovery.ps2](./AWS%20IAM%20User%20Discovery.ps1)
- Script: Copy and paste the Script included in the file [AWS IAM User Discovery.ps1](./AWS%20IAM%20User%20Discovery.ps1)

- Click Save

20 changes: 10 additions & 10 deletions Scripts/SecretServer/AWS/AWS-IAM Users/Instructions.md
Expand Up @@ -17,12 +17,12 @@ This connector utilizes a Service Account along with its Access Key and Secret.
- View and Manage all users
- View all group memberships
- View all permission policy assignments
- Installation of AWS Tools PowerShell module install on all Secret Server Distributed Engines that will be involved in RPC and Discovery processes. For more information on AWS Tools click [here](https://www.powershellgallery.com/packages/AWS.Tools.IdentityManagement/)
- Installation of AWS Tools PowerShell module install on all Secret Server Distributed Engines that will be involved in RPC and Discovery processes. For more information on AWS Tools click [here](https://www.powershellgallery.com/packages/AWS.Tools.IdentityManagement/).

## Create AWS Service Account
- Consult your AWS Administrator to create a user to be used as the Service Account.
- Document the Access Key and Secret Key.
- Assign the permissions detailed in the [Prerequisites Section](#prerequisites)
- Assign the permissions detailed in the [Prerequisites Section](#prerequisites).


## Creating secret template for AWS Accounts
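Review bot: The line that gained a trailing period still reads "Installation of AWS Tools PowerShell module install on all ..."; while touching it, drop the second "install" so it reads "Installation of the AWS Tools PowerShell module on all Secret Server Distributed Engines ...". The permission list above it also asks for "View and Manage all users"; it would help to state that "Manage" is needed only for Remote Password Changing, so a discovery-only deployment can grant the Service Account a read-only policy.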
Expand All @@ -34,8 +34,8 @@ The following steps are required to create the Secret Template for AWS Users:
- Log in to the Delinea Secret Server (If you have not already done so)
- Navigate to Admin / Secret Templates
- Click on Create / Import Template
- Click on Import.
- Copy and Paste the XML in the [AWS User Advanced.xml File](./Templates/AWS%20User%20Advanced%20Template.xml)
- Click on Import
- Copy and Paste the XML in the [AWS User Advanced.xml file](./Templates/AWS%20User%20Advanced%20Template.xml)
- Click on Save
- This completes the creation of the User Account template

Expand All @@ -46,8 +46,8 @@ The following steps are required to create the Secret Template for the AWS Privi
- Log in to the Delinea Secret Server (If you have not already done so)
- Navigate to Admin / Secret Templates
- Click on Create / Import Template
- Click on Import.
- Copy and Paste the XML in the [AWS Service Account Advanced Privileged Template.xml File](./Templates/AWS%20Service%20Account%20Advanced%20Template.xml)
- Click on Import
- Copy and Paste the XML in the [AWS Service Account Advanced Privileged Template.xml file](./Templates/AWS%20Service%20Account%20Advanced%20Template.xml)
- Click on Save
- This completes the creation of the Privileged Account template

Expand All @@ -57,19 +57,19 @@ The following steps are required to create the Secret Template for the AWS Privi
- Log in to the Delinea Secret Server (If you have not already done so)
- Navigate to Secrets
- Click on Create Secret
- Select the AWS Service Account template created in the earlier step [Above](#aws-service-account-template).
- Select the AWS Service Account template created in the earlier step [above](#aws-service-account-template).
- Fill out the required fields with the information from the application registration
- Secret Name (for example AWS Service Account )
- The following field values are as created in the [Prerequisites Section](#prerequisites)
- Username
- Access Key
- Secret Key
- Admin-Criteria - Comma Separated List of AWS Policies used to determine Admin Accounts (Policy Name=Policy arn
- Admin-Criteria - Comma Separated List of AWS Policies used to determine Admin Accounts (Policy Name=Policy, an
example: Admin Access=arn:aws:iam::aws:policy/AdministratorAccess","Service-accounts,Custom Access=arn:aws:iam::aws:policy/CustomAccess"
- SVC-Account-Criteria Comma Separated List of AWS Groups used to determine Service Accounts
- SVC-Account-Criteria Comma Separated List of AWS Groups used to determine Service Accounts,
example: Service-Accounts1,ServiceAccounts2
- Click Create Secret
- This completes the creation of a secret in Secret Server for the AWS Privileged Account
- This completes the creation of a secret in Secret Server for the AWS Privileged Account

## Next Steps

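Review bot: The Admin-Criteria example on the line below the edited one still has unbalanced quotes and what looks like a paste fragment from the SVC-Account-Criteria example: `Admin Access=arn:aws:iam::aws:policy/AdministratorAccess","Service-accounts,Custom Access=...`. The edit also turned "Policy Name=Policy arn" into "Policy Name=Policy, an", which loses the point that the value after `=` is the policy ARN. Suggest "(Policy Name=Policy ARN), for example: Admin Access=arn:aws:iam::aws:policy/AdministratorAccess,Custom Access=arn:aws:iam::aws:policy/CustomAccess".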
@@ -1,8 +1,8 @@
# AWS Remote Password Changer

**NOTE** AWS IAM User Password Changer does not support Heartbeats. If the password change fails an error will be reported
**NOTE** AWS IAM User Password Changer does not support Heartbeats. If the password change fails an error will be reported.

## Associate the Amazon IAM Console Password Privileged Account Remote Password Changer with the AWS IAM User template
## Associate the Amazon IAM Console Password Privileged Account Remote Password Changer with the AWS IAM User Template
- Log in to the Delinea Secret Server
- Navigate to Admin / Secret Templates
- Click on the AWS User Advanced template created in the [instructions.md file](../Instructions.md)
Expand All @@ -12,7 +12,7 @@
- Password Type to use: Select the Amazon IAM Console Password Privileged Account
- Click on Save

## Associate AWS Service account to AWS secret
## Associate AWS Service Account to AWS Secret
To be able to correctly use the password changer, the AWS Service account must be associated with the AWS IAM User secret. This can be done by following the steps below:
- Log in to the Delinea Secret Server
- Navigate to Secrets
Empty file.
2 changes: 1 addition & 1 deletion Scripts/SecretServer/AWS/AWS-IAM Users/readme.md
@@ -1,6 +1,6 @@
# AWS Delinea Secret Server Integration

This package is designed to discover and Manage AWS User Accounts. It will provide detailed instructions and the necessary Scripts to perform these functions. Before beginning to implement any of the specific processes it is a requirement to perform the tasks contained in the instructions.md document which can be found [Here](./Instructions.md)
This package is designed to discover and manage AWS User Accounts. It will provide detailed instructions and the necessary scripts to perform these functions. Before beginning to implement any of the specific processes it is a requirement to perform the tasks contained in the instructions.md document which can be found [here](./Instructions.md).

## Connector Functions

@@ -1,4 +1,3 @@
$args = @("Default","api.na1.adobesign.com", "3AAABLblqZhDgUgDAXcpI9wbn1uaA0L_EvnsFST0qfWWxyKZOB9R8m6txuMYii2rK9saXwv2RlFRUmA7icf5pYOpO6JK_AXbP","true","ServiceAccounts=CBJCHBCAABAADKXZhgQc1ZiSl3WydXp9KbAFLPdSF4Qm")
#region define variables
#Define Argument Variables

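Review bot: Deleting the hard-coded `$args` line removes what appears to be a live Adobe Sign integration key and a service-account group id from the head of the script, but both stay in the git history of every clone and fork. The integration key should be revoked in Adobe Sign and reissued, and the history rewritten (or the repository treated as burned) before this counts as cleaned up; a pre-commit secret scanner in this repo would have stopped the line before it was pushed.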
Expand Down Expand Up @@ -42,8 +41,6 @@ function Write-Log {
# Write Log data
$MessageString = "{0}`t| {1}`t| {2}`t| {3}" -f $Timestamp, $MessageLevel,$logApplicationHeader, $Message
$MessageString | Out-File -FilePath $LogFile -Encoding utf8 -Append -ErrorAction SilentlyContinue
# $Color = @{ 0 = 'Green'; 1 = 'Cyan'; 2 = 'Yellow'; 3 = 'Red'}
# Write-Host -ForegroundColor $Color[$ErrorLevel] -Object ( $DateTime + $Message)
}
}
#endregion Error Handling Functions
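Review bot: This is the same Write-Log cleanup applied to the AWS discovery script, which shows the function is duplicated verbatim across connectors; consider moving Write-Log into a shared module so fixes land once. The same caveat applies here: the `Out-File ... -ErrorAction SilentlyContinue` line above swallows log write failures.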
Expand Down Expand Up @@ -296,8 +293,6 @@ catch {

$headers = @{
"Authorization" = "Bearer $accessToken"
#"Accept" = "application/json, application/xml"
#"Content-Type" = "application/json, application/xml"
}

Write-Log -Errorlevel 0 -Message "Obtaining List of URIs"
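Review bot: Removing the commented Accept/Content-Type headers is fine, but the remaining `$headers` hashtable holds the bearer token; make sure it is never passed to Write-Log or dumped with -Verbose, since the log file is written in clear text to $LogFile. If the calls below rely on JSON responses, set `"Accept" = "application/json"` explicitly rather than depending on the server default.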
Expand Down Expand Up @@ -365,10 +360,7 @@ while ($null -ne $pageObj.nextCursor) {


#region Main Process
<#
if Discovery Mode is set to default, only retreive local administrators will be run
#>

#if Discovery Mode is set to default, only retreive local administrators will be run
$adminAccounts = New-Object System.Collections.ArrayList
$adminuser = New-Object -TypeName PSObject

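Review bot: The replacement line comment keeps the original typo and wording; "only retreive local administrators will be run" is not a sentence. Suggest `#If Discovery Mode is set to Default, only local administrators are retrieved`, and match the casing of "Default" to the value the script actually compares against.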
72 changes: 9 additions & 63 deletions Scripts/SecretServer/AdobeSign/Instructions.md
@@ -1,63 +1,21 @@
Adobe Acrobat Sign Connector base configuration



# Adobe Acrobat Sign Connector base configuration
This connector provides the following functions



- Discovery of Local Accounts
- Discovery of Account Admin Accounts
- Discovery of Service Accounts



Follow the Steps below to complete the base setup for the Connector.



## Prepare Authentication



## Adobe Sign Integration Key



### Adobe Sign Integration Key
This connector utilizes Adobe Sign integration key to authenticate API calls.



Follow the instruction to create and Integration Key.



[here] (https://helpx.adobe.com/sign/kb/how-to-create-an-integration-key.html)


Follow the instruction to create and Integration Key [here](https://helpx.adobe.com/sign/kb/how-to-create-an-integration-key.html).
### Prerequisites



- Access to a Adobe Sign instance with administrative privileges.

- A generated Adobe Sign Integration Key



## Creating secret template for Adobe Sign Accounts



### Adobe Sign User Account Template



The following steps are required to create the Secret Template for ServiceNow Users:



- Log in to the Delinea Secret Server (If you have not already done so)

- Navigate to Admin / Secret Templates
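Review bot: The cleanup leaves copy-paste leftovers in this hunk: an empty "## Prepare Authentication" section, a "## Adobe Sign Integration Key" heading immediately followed by an identical "### Adobe Sign Integration Key" subheading, and "create the Secret Template for ServiceNow Users" in an Adobe Sign document. The repaired link line also still reads "create and Integration Key"; it should be "an Integration Key".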
Expand All @@ -66,21 +24,15 @@ The following steps are required to create the Secret Template for ServiceNow Us

- Click on Import.

- Copy and Paste the XML in the [Adobe Sign Account.xml File](./Templates/Adobe%20Sign%20Account.xml)
- Copy and Paste the XML in the [Adobe Sign Account.xml file](./Templates/Adobe%20Sign%20Account.xml)

- Click on Save

- This completes the creation of the User Account template



### Adobe Sign Integration Key Template
### Adobe Sign Integration Key Template



The following steps are required to create the Secret Template for Adobe Sign Integration Key:


The following steps are required to create the Secret Template for Adobe Sign Integration Key:

- Log in to the Delinea Secret Server (If you have not already done so)

Expand All @@ -90,13 +42,11 @@ The following steps are required to create the Secret Template for Adobe Sign In

- Click on Import.

- Copy and Paste the XML in the [Adobe Sign Integration Key.xml File](./Templates/Adobe%20Sign%20Integration%20Key.xml)
- Copy and Paste the XML in the [Adobe Sign Integration Key.xml file](./Templates/Adobe%20Sign%20Integration%20Key.xml)

- Click on Save

- This completes the creation of the Integration Key template


- This completes the creation of the Integration Key template


## Create Secret in Secret Server for the Adobe Sign Privileged Account
Expand All @@ -107,7 +57,7 @@ The following steps are required to create the Secret Template for Adobe Sign In

- Click on Create Secret

- Select the template created in the earlier step [Above](#adobe-sign-integration-key-template).
- Select the template created in the earlier step [above](#adobe-sign-integration-key-template).

- Fill out the required fields with the information from the application registration

Expand All @@ -128,10 +78,6 @@ Example:

- This completes the creation of a secret in Secret Server for the Adobe Sign Privilaged Account



## Next Steps



Once the tasks above are completed you can now proceed to create a [Discovery Scanner](./Discovery/readme.md)
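Review bot: While this hunk trims blank lines, "Adobe Sign Privilaged Account" keeps its typo ("Privileged"), and the Next Steps sentence lacks the terminating period that the other edited files now have.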
Expand Up @@ -23,7 +23,7 @@ If you have not already done, so, please follow the steps in the **Instructions.
- **Merge Fields**: Leave Blank
- **Script**: Copy and paste the Script included in the file [Adobe Sign RPC Placeholder.ps1](./Adobe%20Sign%20RPC%20Placeholder.ps1)
- Click Save
- This completes the creation of the Remote Password Changing Script
- This completes the creation of the Remote Password Changing Script

### Heartbeat Script

Expand All @@ -39,7 +39,7 @@ If you have not already done, so, please follow the steps in the **Instructions.
- **Merge Fields**: Leave Blank
- **Script**: Copy and paste the Script included in the file [Adobe Sign Heartbeat Placeholder.ps1](./Adobe%20Sign%20Heartbeat%20Placeholder.ps1)
- Click Save
- This completes the creation of the Adobe Sign Heartbeat Script
- This completes the creation of the Adobe Sign Heartbeat Script

## Create Password Changer

Empty file.
16 changes: 2 additions & 14 deletions Scripts/SecretServer/AdobeSign/readme.md
@@ -1,23 +1,11 @@
# Adobe Acrobat Sign Delinea Secret Server Integration



This package is designed to discover Adobe Acrobat Sign Accounts. It will provide detailed instructions and the necessary Scripts to perform these functions. Before beginning to implement any of the specific processes it is a requirement to perform the tasks contained in the instructions.md document which can be found [Here](./Instructions.md)


This package is designed to discover Adobe Acrobat Sign Accounts. It will provide detailed instructions and the necessary Scripts to perform these functions. Before beginning to implement any of the specific processes it is a requirement to perform the tasks contained in the instructions.md document which can be found [here](./Instructions.md)

## Functionality



- Discovery of Local accounts including the ability to determine Admin, Service and Local accounts (in Advanced Mode)



NOTE - Adobe Sign does not support Remote Password changing or Heartbeat. There is a placeholder script along with instructions that can be used to create a "Place holder/Mock" password changer that will allow the importing of discovered accounts.
NOTE - Adobe Sign does not support Remote Password Changing or Heartbeat. There is a placeholder script along with instructions that can be used to create a "Place holder/Mock" password changer that will allow the importing of discovered accounts.

# Disclaimer



The provided scripts are for informational purposes only and are not intended to be used for any production or commercial purposes. You are responsible for ensuring that the scripts are compatible with your system and that you have the necessary permissions to run them. The provided scripts are not guaranteed to be error-free or to function as intended. The end user is responsible for testing the scripts thoroughly before using them in any environment. The authors of the scripts are not responsible for any damages or losses that may result from the use of the scripts. The end user agrees to use the provided scripts at their own risk. Please note that the provided scripts may be subject to change without notice.
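Review bot: The NOTE states that Adobe Sign supports neither Remote Password Changing nor Heartbeat and that the mock changer exists only so discovered accounts can be imported; the readme should spell out the consequence, namely that Secret Server will not rotate the integration key or any discovered account's credential and no heartbeat will ever flag a dead key, so rotation stays a manual, scheduled task. Also "Place holder/Mock" is inconsistent with "placeholder" earlier in the same sentence.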