PAM Vault Lab

Enterprise Privileged Access Management with AWS Secrets Manager Sync

Production-ready PAM practice environment with hybrid cloud secret synchronization between HashiCorp Vault and AWS Secrets Manager

The Problem

PAM Practice is Prohibitively Expensive

Enterprise PAM challenges for learning:

CyberArk licensing costs $50K+ annually
No home lab options for commercial PAM solutions
Theory without practice doesn't build skills
Certification prep requires hands-on experience

Learning PAM without access to:

Real secrets management workflows
Dynamic credential generation
Password rotation automation
Multi-system integration patterns

What PAM Professionals Need

Modern privileged access requires:

Hands-on practice with enterprise patterns
$0 lab environment for experimentation
CyberArk concept mapping for certification
Hybrid cloud integration for modern architecture
Automation tooling (Ansible, PowerShell, Python)
Monitoring and audit capabilities

This lab provides enterprise PAM at zero cost.

The Solution: PAM Vault Lab

Complete PAM practice environment aligned with CyberArk PAM-DEF concepts:

Capability	Technology	Outcome
Secrets Management	Vault KV v2 Engine	Versioned secret storage
Dynamic Credentials	Database Secrets Engine	On-demand credential generation
Password Rotation	Rotation Scripts + Lambda	Automated credential refresh
Hybrid Cloud Sync	AWS Secrets Manager	Multi-cloud secret management
Session Monitoring	Prometheus + Grafana	Real-time PAM metrics
Audit Logging	Vault Audit Device	Complete compliance trail

Screenshots

Dashboard Views

Vault Dashboard
Stealth dark theme

Secrets Browser
KV v2 engine management

Dynamic Credentials
Database secret generation

Additional Views

PKI Management
Certificate authority operations

Audit Logs
Compliance-ready audit trail

Why AWS Secrets Manager? (v1.1)

The Integration Rationale

AWS Secrets Manager was chosen for v1.1 because:

Enterprise Standard - Native AWS secret management
Rotation Support - Built-in Lambda rotation
Hybrid Cloud - Connect on-prem Vault to cloud
boto3 SDK - Official Python integration
Compliance Ready - SOC 2, PCI-DSS compatible

Skills Demonstrated

Hybrid cloud secret management
Bidirectional synchronization patterns
AWS Lambda rotation handlers
Conflict resolution strategies
Secret health scoring algorithms

Before vs After

Metric	v1.0	v1.1
Cloud Integration	None	AWS Secrets
Sync Direction	Manual	Bidirectional
Rotation Triggers	Local	Lambda Events
Health Scoring	Basic	Comprehensive

Sync Capabilities

Vault to AWS push
AWS to Vault pull
Conflict resolution (newest wins)
Audit trail on both sides
Health score calculation
Staleness detection

CyberArk PAM-DEF Alignment

CyberArk Concept Mapping

CyberArk Component	Vault Equivalent	Lab Exercise
Digital Vault	KV Secrets Engine	Exercise 1, 2
CPM	Rotation Scripts	Exercise 4
PSM	SSH Proxy (concept)	Exercise 3
PVWA	Vault UI/API	All exercises
Dual Control	Policies + Approvals	Exercise 2
Dynamic Credentials	Database Engine	Exercise 3
Audit	Audit Device	Exercise 5

Why This Lab Works

For CyberArk PAM-DEF Preparation:

HashiCorp Vault mirrors CyberArk's architecture:

Vault (Safe) = KV Secrets Engine
CPM = Rotation automation
PSM = Session proxy concepts
PVWA = Web UI and API access

Knowledge transfers directly to CyberArk exams while providing hands-on practice at zero cost.

Cost Comparison:

CyberArk License: $50K+/year
This Lab: $0

Architecture

                              INFRASTRUCTURE LAYER
    ┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
    │  HashiCorp      │    │   PostgreSQL    │    │     MySQL       │
    │  Vault Server   │    │   Database      │    │   Database      │
    │  ─────────────  │    │  ─────────────  │    │  ─────────────  │
    │  KV v2 Engine   │    │  Target System  │    │  Target System  │
    │  PKI Engine     │    │  Dynamic Creds  │    │  Dynamic Creds  │
    │  DB Engine      │    │                 │    │                 │
    └────────┬────────┘    └────────┬────────┘    └────────┬────────┘
             │                      │                      │
             └──────────────────────┼──────────────────────┘
                                    │
                                    ▼
    ┌─────────────────────────────────────────────────────────────────┐
    │                    SECRET SYNC ENGINE (v1.1)                     │
    │                                                                  │
    │  ┌──────────────┐  ┌──────────────┐  ┌──────────────────────┐  │
    │  │  AWS Secrets │  │ Secret Sync  │  │  Rotation Handler    │  │
    │  │  Connector   │  │ Manager      │  │                      │  │
    │  │ ────────────│  │ ────────────│  │ ────────────────────│  │
    │  │ boto3 SDK    │  │ Bidirectional│  │ Lambda Compatible    │  │
    │  │ Mock Mode    │  │ Sync         │  │ Health Scoring       │  │
    │  │ Health Score │  │ Conflict Res │  │ Rollback Support     │  │
    │  └──────────────┘  └──────────────┘  └──────────────────────┘  │
    └─────────────────────────────┬───────────────────────────────────┘
                                  │
            ┌─────────────────────┼─────────────────────┐
            ▼                     ▼                     ▼
    ┌──────────────┐      ┌──────────────┐      ┌──────────────┐
    │    React     │      │  Prometheus  │      │   AWS        │
    │   Frontend   │      │  + Grafana   │      │   Secrets    │
    │              │      │              │      │   Manager    │
    │ Vault Stealth│      │ PAM Metrics  │      │ Hybrid Cloud │
    │ Dark Theme   │      │ Dashboards   │      │ Sync Target  │
    └──────────────┘      └──────────────┘      └──────────────┘

Quick Start

Prerequisites

Docker Desktop 20.10+
Docker Compose 2.0+
Python 3.9+ (for automation)
8GB RAM minimum

Installation

# Clone repository
git clone https://github.com/MikeDominic92/pam-vault-lab.git
cd pam-vault-lab

# Configure environment
cp .env.example .env

# Start the lab
docker-compose up -d

# Initialize Vault
docker exec -it vault /scripts/init-vault.sh
# SAVE THE ROOT TOKEN AND UNSEAL KEYS!

Access Points

Vault UI: http://localhost:8200
Grafana: http://localhost:3000 (admin/admin)
Prometheus: http://localhost:9090
Frontend: http://localhost:3001

Lab Exercises

Progressive Learning Path

Exercise	Topic	CyberArk Concept
01	Vault Basics	PVWA, Digital Vault
02	Secret Management	Safe Management
03	Dynamic Credentials	CPM, JIT Access
04	Password Rotation	CPM Rotation
05	Audit & Logging	Audit Trail

v1.1 AWS Integration Example

from src.integrations import AWSSecretsConnector, SecretSyncManager, SyncDirection

# Initialize connector (mock mode for demos)
aws_connector = AWSSecretsConnector(mock_mode=True)

# Create a secret in AWS
aws_connector.create_secret(
    name='prod-database-credentials',
    secret_value={'username': 'admin', 'password': 'S3cur3P@ss!'},
    description='Production database credentials'
)

# Bidirectional sync
sync_manager = SecretSyncManager(mock_mode=True)
result = sync_manager.sync_secret(
    secret_name='database/prod',
    direction=SyncDirection.VAULT_TO_AWS
)

print(f"Sync status: {result.status}")
print(f"Synced at: {result.timestamp}")

# Handle rotation events
from src.integrations import RotationEventHandler

handler = RotationEventHandler(mock_mode=True)
schedule = handler.schedule_rotation(
    secret_name='database-creds',
    rotation_interval_days=30
)

Use Cases

1. CyberArk Certification Prep

Scenario: Preparing for PAM-DEF exam.

Lab Exercises:

Practice vault operations (Exercise 1)
Learn secret lifecycle (Exercise 2)
Understand rotation (Exercise 4)
Master audit logging (Exercise 5)

Outcome: Hands-on PAM experience at $0 cost.

2. Hybrid Cloud Migration

Scenario: Moving from on-prem to cloud PAM.

Integration:

Deploy Vault locally
Enable AWS Secrets Manager sync
Migrate secrets with bidirectional sync
Validate with health scoring

Outcome: Zero-downtime secret migration.

3. Dynamic Database Credentials

Scenario: Eliminate static database passwords.

Implementation:

Configure Database Secrets Engine
Create dynamic credential roles
Set TTL and max TTL
Integrate with applications

Outcome: No more shared passwords.

4. Automated Rotation

Scenario: 90-day password rotation policy.

Automation:

Configure rotation schedule
AWS Lambda trigger integration
Sync rotated secrets to cloud
Audit trail for compliance

Outcome: Automated compliance.

Project Structure

pam-vault-lab/
├── docker-compose.yml          # Infrastructure definition
├── vault/
│   ├── config/vault.hcl       # Vault server configuration
│   ├── policies/              # Access control policies
│   └── scripts/               # Initialization scripts
├── src/
│   └── integrations/          # v1.1: AWS integration
│       ├── aws_secrets_connector.py  # AWS Secrets Manager ops
│       ├── secret_sync.py            # Bidirectional sync
│       └── rotation_handler.py       # Rotation events
├── automation/
│   ├── ansible/               # Ansible playbooks
│   ├── powershell/            # Windows scripts
│   └── python/                # Python clients
├── exercises/                  # Step-by-step labs
├── frontend/                   # React dashboard
└── docs/                       # Documentation

Skills Demonstrated

Category	Technologies
PAM	HashiCorp Vault, CyberArk Concepts, Secrets Management
Cloud Integration	AWS Secrets Manager, boto3 SDK
Infrastructure	Docker, Docker Compose, Prometheus, Grafana
Automation	Python, Ansible, PowerShell
Security	Dynamic Credentials, Rotation, Audit
Frontend	React, TypeScript, Vault Stealth Theme

Cost Analysis

Running PAM Vault Lab is free:

Component	Cost	Notes
HashiCorp Vault	$0	Open source
Docker/Compose	$0	Free for personal use
PostgreSQL/MySQL	$0	Open source
Prometheus/Grafana	$0	Open source
AWS Integration	$0	Mock mode available
Total	$0	vs CyberArk $50K+

True Enterprise PAM Practice at Zero Cost

Roadmap

v1.0: Core PAM lab with Vault, databases, monitoring
v1.1: AWS Secrets Manager integration
v1.2: Azure Key Vault integration
v1.3: HashiCorp Boundary for session management
v2.0: Multi-node Vault cluster with HA

Author

Mike Dominic

GitHub: @MikeDominic92
Focus: PAM + Cloud Secrets Management

Built for CyberArk PAM-DEF certification prep with enterprise-grade AWS hybrid cloud integration.
_{This is a portfolio project. Production deployment requires proper Vault hardening and AWS credentials.}

Name		Name	Last commit message	Last commit date
Latest commit History 12 Commits
.github		.github
automation		automation
docs		docs
exercises		exercises
frontend		frontend
monitoring		monitoring
src/integrations		src/integrations
targets		targets
tests		tests
vault		vault
.env.example		.env.example
.gitignore		.gitignore
CHANGELOG.md		CHANGELOG.md
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
README.md		README.md
docker-compose.yml		docker-compose.yml

License

MikeDominic92/pam-vault-lab

Folders and files

Latest commit

History

Repository files navigation

PAM Vault Lab

Enterprise Privileged Access Management with AWS Secrets Manager Sync

The Problem

PAM Practice is Prohibitively Expensive

What PAM Professionals Need

The Solution: PAM Vault Lab

Screenshots

Dashboard Views

Additional Views

Why AWS Secrets Manager? (v1.1)

The Integration Rationale

Skills Demonstrated

Before vs After

Sync Capabilities

CyberArk PAM-DEF Alignment

CyberArk Concept Mapping

Why This Lab Works

Architecture

Quick Start

Prerequisites

Installation

Access Points

Lab Exercises

Progressive Learning Path

v1.1 AWS Integration Example

Use Cases

1. CyberArk Certification Prep

2. Hybrid Cloud Migration

3. Dynamic Database Credentials

4. Automated Rotation

Project Structure

Skills Demonstrated

Cost Analysis

Roadmap

Author

About

Topics

Resources

License

Contributing

Security policy

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages