Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

How does AWS Roles Anywhere prevent rotation overhead in practice?

0

We're evaluating AWS IAM Roles Anywhere for connecting to our AWS resources from a third-party.

I'm trying to understand why this means "no more distribution, storing, and rotation overheads" (as the AWS blog post suggests) in terms of handling certificates.

During the process of requesting temporary credentials, the third-party service provides a certificate and a private key. Assuming we store our certificate in the AWS Private Certificate Authority, when the certificate is rotated, it will generate a new ticket, with a new private key (I think?).

If that's accurate, how does the third-party get that certificate and private key after rotation? It seems like this will be the same overhead as using a shared secret (IAM auth token) to authenticate.

If the idea is certificates and private keys will be long-lived, this seems to have the same security downsides as providing auth tokens, with significantly more complexity.

https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html

Argomenti
Sicurezza, identità e conformità
Tag
Gestione identità e accesso AWS
Lingua
English
rePost-User-8472021
posta un anno fa244 visualizzazioni
2 Risposte
2
Risposta accettata

Most organisation already have a PKI mechanism defined. The idea here is to use the PKI mechanism with AWS IAM Roles Anywhere. Since they already have PKI, it reduces the overhead to maintain, store or rotate long term AWS access keys and secrets. You can also use IAM Roles Anywhere to provide a consistent experience for managing credentials across hybrid workloads.

For more Information, please refer https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/

profile pictureAWS
Ravikant Sharma
con risposta un anno fa
profile picture
ESPERTO
Sedat Salman
verificato un anno fa
1

The certificate can be issued for a longer time (e.g. 1 year) but the keys are rotated more often (every hour). So there are two parts here, setting up the trust anchor with certificates and then having the ability for that host to rotate keys as required, essentially forcing your access keys to expire and be rotated. So the certificates work at the host (linux, windows etc...) level and the keys at the aws services level. There's a good example in this blog: https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/

profile pictureAWS
jurajfox
con risposta un anno fa
profile picture
ESPERTO
Sedat Salman
verificato un anno fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente