---
title: "Privileged-Access-Management"
type: concept
tags:
  - Security
  - PAM
  - Compliance
  - Cloud
  - DevOps
---

## Definition

Privileged Access Management (PAM) is a class of security solutions for managing and monitoring access by accounts that hold elevated permissions. Privileged accounts include system administrators, database administrators, security administrators and other accounts whose permissions exceed those of an ordinary user, as well as non-human identities such as application service accounts and API accounts.

## Core Objectives

1. **Credential protection**: centrally store and manage sensitive credentials such as privileged account passwords, SSH keys and API keys
2. **Access control**: enforce the principle of least privilege, so that users receive only the minimum permissions needed to complete a task
3. **Session monitoring**: record and audit every privileged session, supporting after-the-fact investigation and compliance review
4. **Threat detection**: detect anomalous privileged behaviour in real time, preventing credential abuse and lateral movement

## PAM Architecture

```
┌─────────────────────────────────────────────────────┐
│                    PAM Solution                     │
├─────────────────────────────────────────────────────┤
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  │
│  │ Credential  │  │   Session   │  │    Risk     │  │
│  │    Vault    │  │   Manager   │  │   Engine    │  │
│  └─────────────┘  └─────────────┘  └─────────────┘  │
│                                                     │
│  ┌─────────────────────────────────────────────┐    │
│  │          Access Control Layer               │    │
│  │     (RBAC, MFA, Policy-based Access)        │    │
│  └─────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────┘
                           ↑
         ┌─────────────────┼─────────────────┐
         ↓                 ↓                 ↓
    ┌─────────┐       ┌─────────┐       ┌─────────┐
    │  Root   │       │   DB    │       │   API   │
    │ Account │       │  Admin  │       │ Service │
    └─────────┘       └─────────┘       └─────────┘
```

## Cloud-Native vs Traditional PAM

| Aspect | Traditional PAM | Cloud-Native (AWS Secrets Manager) |
|--------|-----------------|------------------------------------|
| Deployment | On-prem / Hybrid | Fully managed SaaS |
| Client Agent | Required | Not required |
| Scalability | Manual scaling | Auto-scaling |
| Cost Model | Perpetual license + maintenance | Pay-per-use |
| Integration | Manual configuration | Native AWS integration |

## Key Vendors

- **CyberArk**: Enterprise PAM market leader, on-prem and cloud offerings
- **AWS Secrets Manager**: Cloud-native secrets management
- **HashiCorp Vault**: Cloud-agnostic secrets and privileged access
- **BeyondTrust**: Endpoint privilege management
- **Thycotic**: Privileged access management

## Related Concepts

- [[SecretsManagement]]: overall framework for managing sensitive information
- [[SecretRotation]]: key rotation mechanism
- [[IAM-Roles]]: role-based access control
- [[Zero-Trust]]: zero-trust security model

## Related Entities

- [[CyberArk]]: Enterprise PAM vendor
- [[AWS]]: Cloud-native secrets management provider
- [[HashiCorp]]: Cloud-agnostic secrets management

## Sources

- [[ctp-topic-37-secrets-certificates-management]] — CyberArk Micro Focus PAM evaluation
- [[ctp-topic-62-aws-secrets-manager]] — AWS-native PAM implementation

## Aliases

- PAM
- Privileged Access Management
- Privileged Identity Management
- PIM
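Added illustration, not code from the source notes or from any vendor listed above: a small Python model of how the components in the architecture diagram (credential vault, access control layer, session manager, risk engine) gate a single credential checkout. The broker, its assumed threshold of three distinct accounts per hour, the 30-minute lease and the sample vault contents are all constructed.

```python
from datetime import datetime, timedelta
import secrets


class PamBroker:
    """Toy broker with the diagram's four components (constructed example, no vendor code)."""

    def __init__(self, vault, roles, policy, max_accounts_per_hour=3):
        self.vault = vault          # Credential Vault: account -> secret
        self.roles = roles          # RBAC: user -> roles
        self.policy = policy        # policy: role -> accounts it may check out
        self.max_accounts = max_accounts_per_hour  # Risk Engine threshold (assumed value)
        self.audit = []             # Session Manager: every attempt is logged

    def checkout(self, user, account, mfa_ok, now):
        # Access Control Layer: RBAC, MFA and policy must all pass
        allowed = {a for r in self.roles.get(user, ()) for a in self.policy.get(r, ())}
        if not mfa_ok or account not in allowed or account not in self.vault:
            return self._record(user, account, now, "denied")
        # Risk Engine: one user fanning out across many privileged accounts within
        # an hour resembles lateral movement, so the checkout is blocked for review
        recent = {e["account"] for e in self.audit
                  if e["user"] == user and e["outcome"] == "granted"
                  and now - e["time"] <= timedelta(hours=1)}
        if len(recent | {account}) > self.max_accounts:
            return self._record(user, account, now, "blocked-risk")
        sid = secrets.token_hex(8)
        self._record(user, account, now, "granted", sid)
        # The issued credential is time-bound and tied to the audited session id
        return {"account": account, "secret": self.vault[account],
                "session": sid, "expires": now + timedelta(minutes=30)}

    def _record(self, user, account, now, outcome, sid=None):
        self.audit.append({"time": now, "user": user, "account": account,
                           "outcome": outcome, "session": sid})
        return None  # denied and blocked attempts yield no credential


def run_scenario():
    """Constructed scenario: alice holds the dba role, bob holds no privileged role."""
    broker = PamBroker(vault={"db01": "pw-1", "db02": "pw-2", "db03": "pw-3", "db04": "pw-4"},
                       roles={"alice": {"dba"}, "bob": {"dev"}},
                       policy={"dba": {"db01", "db02", "db03", "db04"}})
    t = datetime(2024, 1, 1, 9, 0)
    broker.checkout("bob", "db01", True, t)       # no privileged role -> denied
    broker.checkout("alice", "db01", False, t)    # MFA not satisfied -> denied
    for acct in ("db01", "db02", "db03", "db04"):
        broker.checkout("alice", acct, True, t)   # 4th distinct host in an hour -> blocked
    return [e["outcome"] for e in broker.audit]
```

The audit list is the session record the page's third objective calls for; in a real deployment it would be shipped to a SIEM rather than kept in memory.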