Discovery of AWS Secrets

Use discovery to locate AWS Secrets that are in AWS Secrets Manager.

Prerequisites

  • You must install a Jumpoint on an EC2 instance in an AWS environment.
  • You must assign an IAM role to the EC2 instance that has the IAMFullAccess and SecretsManagerReadWrite permissions.

Initiate an AWS Secrets discovery job

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.

  2. Click the Discovery tab.
    The Discovery tab displays.

  3. Click New Discovery Job.
    The Discovery: New Job page displays.

  4. Choose one of the following four options:

    • Windows Domain
    • Local Windows Accounts on Jump Clients
    • AWS Secrets
    • Password Safe

  5. Click AWS Secrets.

  6. Click Continue.

  7. For Jumpoint, select the AWS Jumpoint.

    ℹ️

    Discovery of clustered Jumpoints only supports all nodes on EC2 instances in the same organization.

  8. Click Start Discovery.

  9. From the Discovery Results table, select the items you want to import.

  10. Click Import Selected.

  11. For Account Group, specify the group in which you want the results to reside, or select the Default Group.

  12. Click Start Import.

  13. Click Yes if the dialog box says "This process cannot be stopped after it is started. Are you sure you want to continue?"

  14. Click Done Importing.

  15. From the Vault > Accounts page, click the AWS Secrets tab to display the AWS Secrets table.

Checkout an account

  1. From the main menu, click Privileged Remote Access > Vault.
    The Vault page opens and the Accounts tab displays by default.

  2. Click the AWS Secrets tab.

  3. From the AWS Secrets table, select the account you want to check out. The user must have the Inject And Checkout Vault role; otherwise the Checkout button in step 4 does not display.

  4. Click Checkout.

  5. The AWS Secret dialog box displays.
    You can view the secret, copy the secret, or download the secret by clicking the Download Secret button.

  6. After you make your selection, click Close.

The Status field of the AWS Secrets table shows that the item is checked out.

Rotate Secrets

  1. From the main menu, click Privileged Remote Access > Vault.
    The Vault page opens and the Accounts tab displays by default.

  2. Click the AWS Secrets tab.

  3. From the AWS Secrets table, select the account you want to rotate.

  4. Click Rotate, or select the horizontal ellipsis in the table row and select Rotate Secret.
    The Rotate Summary displays.

  5. Click Start Rotation.

The Status field of the AWS Secrets table shows that the item is in rotation.

Once rotation is complete, the Password Age information updates with a time stamp showing an age of a few seconds.

ℹ️

An AWS Lambda rotation function is required for secret rotation to work.

Edit Secrets

  1. From the main menu, click Privileged Remote Access > Vault.
    The Vault page opens and the Accounts tab displays by default.
  2. Click the AWS Secrets tab.
  3. From the AWS Secrets table, select the account you want to edit.
  4. Click Edit.
  5. Make the necessary changes and click Save.

    ℹ️

    You cannot make changes to the Name field. Changes to imported accounts must be made in the originating system and will be reflected after re-discovery.

Delete Secrets

  1. From the main menu, click Privileged Remote Access > Vault.
    The Vault page opens and the Accounts tab displays by default.
  2. Click the AWS Secrets tab.
  3. From the AWS Secrets table, select the account you want to delete.
  4. Click Delete.
  5. A confirmation dialog box displays. Click Yes.

Credential injection of AWS Secrets account

AWS Secrets accounts are available for injection into matching Jump Clients from the representative console. At the time of injection, the Credential Store dialog box displays.

  1. For the Credential Store option, click the dropdown and select the appropriate AWS Secrets account.

  2. Click OK.

  3. To view all the AWS Secrets accounts available for credential injection, click the Vault tab at the top of the screen.

  4. In the Search bar, enter AWS Secret.
    Only AWS Secret accounts are listed.

  5. Users with the Inject and Checkout role can also select an AWS Secret account from the list and choose Check In or Check Out as appropriate.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.