RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.3 and higher, including 8.5 and 8.6 (Fall 2021)
Platform: Amazon Web Services
Existing RSA Authentication Manager customers must open an RSA support case
to request access to the Authentication Manager AMI needed for AWS deployment.
There are two AWS cloud; Commercial and GovCloud, which is hosted on US soil and supported by U.S. citizens. There is no way for RSA to tell which AWS Cloud the license applies to unless we are told by the customer. RSA will assume Commercial unless told otherwise.
After RSA has shared their .AMI file to the customer, the customer will logon and access EC2, to Select an .AMI. Customer should change their search filter to Private (from Public) and search for the word Authentication (not search for AM). This is the same in either commercial AWS or GovCloud, customer should see the RSA .ami file shared from RSA to their license.
In AWS, a Security Group, SG is basically a set of firewall rules between AWS and their customers. RSA expects your SG to allow access from customer site to AWS private VPN cloud for specific network ports needed to manage and use Authentication Manager hosted on AWS.
If no Security group can be added specific to RSA Authentication Manager use, then the default Security Group will be used and some things might not work, e.g. AM might not even deploy per the instructions in the Getting Started Guide.
Some AWS client installations do not allow shared .ami deployments or instantiations. RSA does not have the means to 'build' or create an Authentication Manager appliance on a customers AWS using their .AMIs, i.e. RSA cannot create an AM appliance out of customer's Suse Enterprise Linux .ami by installing our software on top of their .ami. There is no Engineering document on this, and it is not supported, nor is RSA Customer Support even remotely equipped to attempt this. In this situation uploading the RSA .ami via the customer VPN console also would not work.