📋 StrongDM 101 · September 2025

Introduction to Resources — Part 1

A comprehensive interactive guide covering policies, authentication, cloud resources, and server access types within the StrongDM platform.

6 Modules · 42 Slides Covered · 5 Knowledge Checks
MODULE 01
Introduction to Policies
Understanding context-based access controls and policy-based action enforcement in StrongDM.
🔑 Core Idea: Traditional access control is binary — you either have access or you don't. StrongDM policies add dynamic, context-aware layers of control on top of basic access, enabling granular enforcement of what users can actually do once inside.

🪪 Identity (Static)
Who the user is — verified through IDP integrations and StrongAuth. The foundation of access control.

🖥️ Device Context
Trust the device — endpoint verification via EPP/EDR integrations ensures the machine meets security posture requirements.

Time & Location
Context-aware controls based on IP address, geographic location, and time-of-day to flag unusual access patterns.

Action Control (New!)
The newest trust layer — scrutinize and control the specific database actions a user performs, not just whether they have access.

Policy-Based ACCESS Control
  • Binary grant: in or out
  • Authorizes access to the whole resource
  • Visibility exists but cannot prevent misuse
  • Reactive — clean up after an incident
Policy-Based ACTION Control
  • Fine-grained per-action authorization
  • Controls atomic operations (SELECT, DROP, etc.)
  • Context evaluated continuously in-session
  • Proactive — prevents unsanctioned actions
Database Actions Covered by PBAC
CREATE TABLE, ALTER TABLE, DROP TABLE, INSERT, UPDATE, DELETE, SELECT, MODIFY ROLES, IMPORT / EXPORT, BACKUP, CREATE INDEX, DROP INDEX

Permissions are fine-grained and context is evaluated continuously throughout the session for every type of action. Currently supported for PostgreSQL resources — support for additional database types will follow.

How Policy Evaluation Works

Each policy contains one or more statements. Each statement is a rule that either permits or forbids a user (or principal) to act on a resource, given a defined context.

StrongDM uses Cedar-based policies — a structured policy language — alongside a zero-trust, context-based evaluation engine. Policies can also introduce friction mechanisms: MFA challenges, approval workflows, and action justification requirements.
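The evaluation rules described above (statements that permit or forbid a principal acting on a resource under a context condition, with forbid overriding permit and deny as the default) are easiest to see in a small evaluator. The following is an added illustration, not StrongDM's engine or its Cedar schema; the principal, group and resource names and the context keys ("hour", "device_compliant") are constructed for the example.

```python
"""Illustrative permit/forbid policy evaluator (added example; not StrongDM's
engine or its Cedar schema). It models the statement semantics the module
describes: each statement permits or forbids a principal acting on a resource
under a context condition, a matching forbid always wins, and nothing matching
means deny by default. Entity names, groups and context keys are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Optional

Context = dict  # e.g. {"hour": 10, "device_compliant": True}


@dataclass
class Request:
    principal: str
    groups: frozenset            # groups the principal belongs to
    action: str                  # database action, e.g. "SELECT", "DROP TABLE"
    resource: str
    context: dict = field(default_factory=dict)


@dataclass
class Statement:
    sid: str
    effect: str                          # "permit" or "forbid"
    principals: Optional[frozenset]      # None = any principal or group
    actions: Optional[frozenset]         # None = any action
    resources: Optional[frozenset]       # None = any resource
    when: Callable[[Context], bool] = lambda ctx: True

    def applies(self, req: Request) -> bool:
        """True when the scope matches and the context condition holds."""
        if self.principals is not None and not (
            req.principal in self.principals or req.groups & self.principals
        ):
            return False
        if self.actions is not None and req.action not in self.actions:
            return False
        if self.resources is not None and req.resource not in self.resources:
            return False
        try:
            return bool(self.when(req.context))
        except KeyError:
            # A condition that references a context attribute the request
            # lacks cannot be satisfied, so the statement is skipped.
            return False


def evaluate(policy: list, req: Request) -> tuple:
    """Return ("allow" | "deny", [ids of the statements that decided it])."""
    forbids = [s.sid for s in policy if s.effect == "forbid" and s.applies(req)]
    if forbids:
        return "deny", forbids               # a forbid overrides any permit
    permits = [s.sid for s in policy if s.effect == "permit" and s.applies(req)]
    if permits:
        return "allow", permits
    return "deny", []                        # default deny: nothing permitted it


def in_business_hours(ctx: Context) -> bool:
    return 9 <= ctx["hour"] < 18


# Constructed sample policy for a hypothetical "db:prod-postgres" resource.
POLICY = [
    Statement("permit-analyst-select", "permit", frozenset({"group:analysts"}),
              frozenset({"SELECT"}), frozenset({"db:prod-postgres"}),
              when=lambda ctx: ctx["device_compliant"] and in_business_hours(ctx)),
    Statement("permit-dba-any", "permit", frozenset({"group:dbas"}),
              None, frozenset({"db:prod-postgres"})),
    Statement("forbid-destructive-off-hours", "forbid", None,
              frozenset({"DROP TABLE", "DELETE"}), frozenset({"db:prod-postgres"}),
              when=lambda ctx: not in_business_hours(ctx)),
    Statement("forbid-noncompliant-device", "forbid", None, None, None,
              when=lambda ctx: not ctx["device_compliant"]),
]


def decide(principal, groups, action, resource, hour, device_compliant):
    """Build a request with the constructed context and evaluate POLICY."""
    req = Request(principal, frozenset(groups), action, resource,
                  {"hour": hour, "device_compliant": device_compliant})
    return evaluate(POLICY, req)


if __name__ == "__main__":
    print(decide("alice", ["group:analysts"], "SELECT", "db:prod-postgres", 10, True))
    print(decide("dave", ["group:dbas"], "DROP TABLE", "db:prod-postgres", 22, True))
    print(decide("dave", ["group:dbas"], "SELECT", "db:prod-postgres", 10, False))
```

The point to notice is the ordering: a DBA who is permitted every action on the resource is still denied a DROP TABLE at 22:00, because the forbid statement is checked first, and an analyst whose permit requires a compliant device is denied whenever that context attribute is false, without any permit needing to spell out the device check. Friction mechanisms (MFA challenge, approval, justification) would sit on top of the "allow" outcome and are not modelled here.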

Three Topline Benefits of Policy-Based Controls
① Reduce Risk
Control exactly who can do what, where, when, and how with databases. Protect sensitive data and maintain data integrity by preventing unintended operations.
② Compliance
Policy-based action control ensures real-time, verifiable Zero Trust compliance. Audit trails deepened by requiring users to justify actions and log their reasons.
③ Simplify AuthZ
Centralize authorization for databases and extended teams. Modify policies according to business needs — define custom roles or enable secure, delegated authorization.
📚 Reference Documentation
  • Context-based policies overview: strongdm.com/docs/admin/policies/#overview
  • Allow or forbid access by default: #allow-or-forbid-access-by-default
  • Policy Library: #policy-library
  • Policy Editor: #policy-editor
  • Policy Evaluation: #policy-evaluation
  • Policy Monitor: #policy-monitor
  • Viewing Policy Logs: docs/.../view/#view-policy-logs

📝 Knowledge Check — Policies

1. What is the key difference between Policy-Based ACCESS Control and Policy-Based ACTION Control?

ACTION control only applies outside of business hours
ACCESS control grants binary resource access; ACTION control governs specific operations a user can perform once inside
They are the same thing — both control access to resources

2. Which friction mechanism can a policy introduce in addition to allow/deny?

VPN requirement
MFA challenge, approval workflow, or action justification
IP allowlisting only

MODULE 02
MFA Enforcement
Multi-Factor Authentication enforcement across databases, servers, and network devices.
⚠️ Note for StrongDM 101 Labs: Full-featured MFA requires integration with 3rd-party services (Duo, Okta) and is not available within the StrongDM-in-a-box framework. This module is included as an introduction. Full setup details are in the StrongDM 201 — Authentication course.

🗄️ Postgres & SSH
Enforce MFA at connection time for PostgreSQL databases and SSH server sessions. Video walkthrough: 5 min 22 sec.

🖥️ Windows Remote Desktop
Require MFA before granting RDP access to Windows servers. Video walkthrough: 2 min 28 sec.

🌐 Network Devices
Apply MFA enforcement to routers and switches managed through StrongDM. Video: 2 min 57 sec.

🏛️ Oracle DB
MFA enforcement for Oracle database access. Video walkthrough available: 3 min 22 sec.

Supported MFA Integrations: TOTP (Time-Based OTP), Duo, Okta

StrongDM supports Time-Based One Time Passwords (TOTP) natively, as well as MFA via Duo and Okta. Each integration has its own setup guide in StrongDM TechDocs.

📚 Reference Documentation
  • Multi-Factor Authentication (TechDocs): docs/.../authentication/mfa/
  • Setting up MFA: #set-up-multi-factor-authentication
  • MFA with Duo: docs/.../mfa-duo/
  • MFA with Okta: docs/.../mfa-okta/
  • Blog: Why MFA is Important: strongdm.com/blog/why-mfa-is-important

📝 Knowledge Check — MFA

1. Why is full-featured MFA not available in the StrongDM-in-a-box lab?

MFA is a paid add-on and requires a special license
It requires integration with 3rd-party services outside StrongDM that are not available in the sandbox
MFA only works with cloud resources, not on-premise labs

MODULE 03
Cloud Resources
Extending StrongDM controls to Cloud Service Providers and cloud applications.
☁️ What are Cloud Resources? Cloud resources provide an additional level of control over how users use and configure Cloud Service Providers (CSPs) and cloud applications — beyond what native Identity & Access Management (IAM) functionality on those platforms already provides.

🟠 Amazon Web Services
Supports AWS, AWS Management Console, and AWS Management Console (Static Key Pair) resource types within StrongDM.

🔵 Microsoft Azure
Supports both Azure (Certificate) and Azure (Password) authentication types for cloud resource access control.

🔴 Google Cloud Platform
GCP cloud resource type enables StrongDM-governed access to Google Cloud infrastructure and services.

❄️ Snowsight
Snowsight (Snowflake Web Console) is supported as a cloud resource type for governing access to Snowflake analytics environments.

CLI Configuration Videos
  • Configure AWS CLI in StrongDM: 3 min 50 sec
  • Configure Azure CLI in StrongDM: 2 min 54 sec
  • Configure Google CLI in StrongDM: 2 min 34 sec
📚 Reference Documentation
  • Cloud Resources (TechDocs): docs/admin/resources/clouds/

MODULE 04
TCP Connections
Managing access to arbitrary TCP-based resources not covered by other StrongDM resource types.
🔌 When to use TCP: The TCP connection resource type is a catch-all for resources that accept TCP connections but don't have a purpose-built StrongDM resource type. Important: TCP does not record session content — only connection metadata is logged.
💡 TCP vs. Website Resource: A TCP connection can manage website access, but a dedicated Website resource type provides far greater visibility into web traffic. Always prefer purpose-built resource types when available.
What TCP Connection Logs Contain
  • Who accessed
  • When it occurred
  • Bytes sent (tx)
  • Bytes received (rx)

TCP logs are accessible at Logs > Queries in the Admin UI. Compare this to a Website resource, whose logs appear at Logs > Web and contain full HTTP request headers, URLs, methods, and more.
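Because a TCP connection log carries only those four metadata fields, the review you can do on it is limited to who, when and how much. The following added example (not StrongDM code; the records, user names, threshold and business-hours window are all constructed) shows what that review looks like: per-user totals plus a flag for sessions that fall outside business hours or move an unusual volume of data. Anything about what was done inside the session would require a purpose-built resource type such as Website.

```python
"""Review of TCP connection metadata logs (added example, not StrongDM code).
Each record carries only the four fields the module lists: who accessed, when,
bytes sent (tx) and bytes received (rx). All records below are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log; timestamps are UTC.
SAMPLE_TCP_LOG = [
    {"user": "alice@example.com", "time": "2025-09-01T09:12:04Z", "tx": 1_204, "rx": 8_934},
    {"user": "alice@example.com", "time": "2025-09-01T14:40:51Z", "tx": 2_210, "rx": 15_500},
    {"user": "bob@example.com",   "time": "2025-09-01T23:05:17Z", "tx": 540,   "rx": 120_000_000},
    {"user": "bob@example.com",   "time": "2025-09-02T10:15:00Z", "tx": 800,   "rx": 4_000},
    {"user": "carol@example.com", "time": "2025-09-02T02:30:44Z", "tx": 300,   "rx": 900},
]


def parse_time(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def totals_by_user(records):
    """Aggregate session count and byte counts per user."""
    totals = defaultdict(lambda: {"sessions": 0, "tx": 0, "rx": 0})
    for r in records:
        t = totals[r["user"]]
        t["sessions"] += 1
        t["tx"] += r["tx"]
        t["rx"] += r["rx"]
    return dict(totals)


def flag_sessions(records, rx_threshold=50_000_000, business_hours=(9, 18)):
    """Return [(record, [reasons])] for sessions that merit a closer look.

    The threshold and hours window are constructed values; tune them to the
    baseline observed for the resource in question.
    """
    start, end = business_hours
    flagged = []
    for r in records:
        reasons = []
        hour = parse_time(r["time"]).hour
        if not (start <= hour < end):
            reasons.append("outside business hours")
        if r["rx"] >= rx_threshold:
            reasons.append(f"rx {r['rx']} bytes exceeds {rx_threshold}")
        if reasons:
            flagged.append((r, reasons))
    return flagged


if __name__ == "__main__":
    for user, t in totals_by_user(SAMPLE_TCP_LOG).items():
        print(user, t)
    for record, reasons in flag_sessions(SAMPLE_TCP_LOG):
        print(record["user"], record["time"], "; ".join(reasons))
```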

Configuration Fields
Display Name
Name shown in the StrongDM console to distinguish this resource from others. Cannot include special characters.
Server Type
Select TCP as the generic server type. Other options include RDP, RDP (Certificate Based), and various SSH types.
Hostname
The hostname or IP address of the target server used to establish the connection.
Port
The port the target server listens on. Default value is 3389.
Port Override
Auto-generated value between 1024 and 59999 not used by any other resource. The StrongDM client listens on this port and forwards traffic to the resource.
Resource Tags
Key-value pairs used for identifying resources in automation use-cases and policy targeting.
📚 Reference Documentation
  • Add a TCP connection: docs/.../servers/rawtcp/

📝 Knowledge Check — TCP

1. What data does a TCP connection resource record in its logs?

Full HTTP request content including headers, URL, and response body
All SQL queries executed during the session
Who accessed, when, and bytes sent/received — no session content

MODULE 05
SSH Servers
Connecting to and managing SSH resources, including session recording and replay capabilities.
🔐 Lab Note: The default StrongDM-in-a-box environment installs an OpenSSH server for demonstrating SSH resource protection. To log on, use the StrongDM client loopback address and port combination shown in the StrongDM client UI.
SSH Server Types

StrongDM supports four SSH server types, differing in how credentials are passed to the resource:

Certificate Based
StrongDM issues short-lived SSH certificates — no static keys stored. Most secure option.
Customer Managed Key
The customer supplies and manages their own SSH private key stored in StrongDM.
Password (Instruqt Lab)
Username/password credentials — used in the Instruqt lab environment exercises.
Public Key (SDM-in-a-Box)
StrongDM-generated SSH key pair. Used in the StrongDM-in-a-box optional lab guide.
SSH Session Recording & Replay

StrongDM automatically records SSH sessions for later replay. Session recordings become available after the session ends at Logs > SSH in the Admin UI.

Replays can be viewed two ways:

Admin UI
Navigate to Logs > SSH, find the session, and click the play button directly in the browser interface.
CLI Replay
Copy the sdm ssh play <session-id> command shown in the UI and run it on your terminal/command line.
📚 Reference Documentation
  • SSH with Public Key: docs/.../ssh-public-key/
  • SSH with Customer Managed Key: docs/.../ssh-customer-key/
  • SSH with Certificate Auth: docs/.../ssh-certificate-auth/
  • Identity Alias for SSH: docs/.../ssh-identity-alias/
  • Port Forwarding: docs/.../port-forwarding/
  • Viewing SSH Replays: docs/.../view/#view-ssh-replays

📝 Knowledge Check — SSH

1. Where are SSH session replays found in the StrongDM Admin UI?

Resources > Servers > Sessions
Logs > SSH
Audit > Recordings

2. How many SSH server types does StrongDM support?

Two (Password and Public Key only)
Three
Four (Certificate Based, Customer Managed Key, Password, Public Key)

MODULE 06
RDP Servers
Connecting to Windows servers via Remote Desktop Protocol with StrongDM session control and recording.
🖥️ How to Connect: To access an RDP server via StrongDM, connect using the loopback address (127.0.0.1) plus the Port Override defined for the RDP resource — e.g., 127.0.0.1:10003. StrongDM auto-assigns this port during resource creation.
RDP Server Types

StrongDM supports two RDP server types, differing in how credentials are passed:

RDP (Instruqt Lab)
Standard RDP with username/password credentials stored in StrongDM. Used in the Instruqt lab environment.
RDP (Certificate Based)
Certificate-based authentication for RDP connections — more secure, eliminates static password storage.
RDP Session Recording & Replay

StrongDM records RDP sessions as visual replays — including the actual desktop interactions. Replays become available after the session ends at Logs > RDP in the Admin UI.

Unlike SSH (which also supports CLI replay), RDP replays are viewed only from the Admin UI — click the Play button next to the session entry in the RDP Replays log.

SSH vs RDP — Similarities
  • Both support session recording
  • Both use Port Override (auto-assigned)
  • Both support Certificate Auth variants
  • Both support Identity Alias
  • Replays viewable in Admin UI
SSH vs RDP — Differences
  • SSH: 4 server types; RDP: 2 types
  • SSH replays viewable via CLI too
  • RDP: visual desktop replay; SSH: terminal text
  • SSH logs at Logs > SSH; RDP at Logs > RDP
📚 Reference Documentation
  • Connect to RDP server: docs/.../servers/rdp/
  • RDP with Certificate Auth: docs/.../rdp-certificate-auth/
  • Identity Alias for RDP: docs/.../rdp-identity-alias/
  • Viewing RDP Replays: docs/.../view/#view-rdp-replays