- Newest
- Most votes
- Most comments
Most organisation already have a PKI mechanism defined. The idea here is to use the PKI mechanism with AWS IAM Roles Anywhere. Since they already have PKI, it reduces the overhead to maintain, store or rotate long term AWS access keys and secrets. You can also use IAM Roles Anywhere to provide a consistent experience for managing credentials across hybrid workloads.
For more Information, please refer https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/
The certificate can be issued for a longer time (e.g. 1 year) but the keys are rotated more often (every hour). So there are two parts here, setting up the trust anchor with certificates and then having the ability for that host to rotate keys as required, essentially forcing your access keys to expire and be rotated. So the certificates work at the host (linux, windows etc...) level and the keys at the aws services level. There's a good example in this blog: https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/
Relevant content
- Accepted Answerasked 2 years ago
- asked 6 days ago
- asked 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago