How does AWS Roles Anywhere prevent rotation overhead in practice?

0

We're evaluating AWS IAM Roles Anywhere for connecting to our AWS resources from a third-party.

I'm trying to understand why this means "no more distribution, storing, and rotation overheads" (as the AWS blog post suggests) in terms of handling certificates.

During the process of requesting temporary credentials, the third-party service provides a certificate and a private key. Assuming we store our certificate in the AWS Private Certificate Authority, when the certificate is rotated, it will generate a new ticket, with a new private key (I think?).

If that's accurate, how does the third-party get that certificate and private key after rotation? It seems like this will be the same overhead as using a shared secret (IAM auth token) to authenticate.

If the idea is certificates and private keys will be long-lived, this seems to have the same security downsides as providing auth tokens, with significantly more complexity.

https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html

asked 10 months ago221 views
2 Answers
2
Accepted Answer

Most organisation already have a PKI mechanism defined. The idea here is to use the PKI mechanism with AWS IAM Roles Anywhere. Since they already have PKI, it reduces the overhead to maintain, store or rotate long term AWS access keys and secrets. You can also use IAM Roles Anywhere to provide a consistent experience for managing credentials across hybrid workloads.

For more Information, please refer https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/

profile pictureAWS
answered 10 months ago
profile picture
EXPERT
reviewed 10 months ago
1

The certificate can be issued for a longer time (e.g. 1 year) but the keys are rotated more often (every hour). So there are two parts here, setting up the trust anchor with certificates and then having the ability for that host to rotate keys as required, essentially forcing your access keys to expire and be rotated. So the certificates work at the host (linux, windows etc...) level and the keys at the aws services level. There's a good example in this blog: https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/

profile pictureAWS
answered 10 months ago
profile picture
EXPERT
reviewed 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions