En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

How does AWS Roles Anywhere prevent rotation overhead in practice?

0

We're evaluating AWS IAM Roles Anywhere for connecting to our AWS resources from a third-party.

I'm trying to understand why this means "no more distribution, storing, and rotation overheads" (as the AWS blog post suggests) in terms of handling certificates.

During the process of requesting temporary credentials, the third-party service provides a certificate and a private key. Assuming we store our certificate in the AWS Private Certificate Authority, when the certificate is rotated, it will generate a new ticket, with a new private key (I think?).

If that's accurate, how does the third-party get that certificate and private key after rotation? It seems like this will be the same overhead as using a shared secret (IAM auth token) to authenticate.

If the idea is certificates and private keys will be long-lived, this seems to have the same security downsides as providing auth tokens, with significantly more complexity.

https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html

Sujets
Sécurité, identité et conformité
Balises
Gestion des identités et des accès AWS
Langue
English
rePost-User-8472021
demandé il y a un an244 vues
2 réponses
2
Réponse acceptée

Most organisation already have a PKI mechanism defined. The idea here is to use the PKI mechanism with AWS IAM Roles Anywhere. Since they already have PKI, it reduces the overhead to maintain, store or rotate long term AWS access keys and secrets. You can also use IAM Roles Anywhere to provide a consistent experience for managing credentials across hybrid workloads.

For more Information, please refer https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/

profile pictureAWS
Ravikant Sharma
répondu il y a un an
profile picture
EXPERT
Sedat Salman
vérifié il y a un an
1

The certificate can be issued for a longer time (e.g. 1 year) but the keys are rotated more often (every hour). So there are two parts here, setting up the trust anchor with certificates and then having the ability for that host to rotate keys as required, essentially forcing your access keys to expire and be rotated. So the certificates work at the host (linux, windows etc...) level and the keys at the aws services level. There's a good example in this blog: https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/

profile pictureAWS
jurajfox
répondu il y a un an
profile picture
EXPERT
Sedat Salman
vérifié il y a un an

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents