That's allowed? - Using IAM Roles Anywhere without AWS Private CA

Transcript

1. © 2026, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. © 2026, Amazon Web Services, Inc. or its affiliates. All rights reserved. D E V 4 0 1 Ben Bridts That's allowed? - Using IAM Roles Anywhere without AWS Private CA He/him AWS Hero

2. Why?

3. It's free!

4. It's free! Removing static credentials

5. https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf

6. None
7. None
8. None
9. None
10. None
11. None
12. None

13. IAM Roles Anywhere Moving the problem around

14. IAM Roles Anywhere Server IAM Roles Anywhere Certificate + Signature

    1

15. IAM Roles Anywhere Server IAM Roles Anywhere Trust Anchor Certificate

    + Signature 1 2

16. IAM Roles Anywhere Server IAM Roles Anywhere AWS STS Trust

    Anchor Certificate + Signature Role 1 2 3

17. IAM Roles Anywhere Server IAM Roles Anywhere AWS STS Temporary

    security credential Trust Anchor Certificate + Signature Role 1 2 3 4

18. IAM Roles Anywhere Server IAM Roles Anywhere AWS STS Temporary

    security credential Trust Anchor Certificate + Signature Role 1 2 3 4 AWS Managed My Code

19. Server IAM Roles Anywhere AWS STS Temporary security credential Trust

    Anchor Certificate + Signature Role 1 2 3 4 AWS Managed My Code

20. Self signing

21. Self signing Certificate Authority (CA) Client Certificate

22. Self signing Certificate Authority (CA) Client Certificate

23. Self signing Certificate Authority (CA) Client Certificate

24. Self signing Certificate Authority (CA) Client Certificate

25. Self signing Certificate Authority (CA) Client Certificate client.key stored on

    disk ca.key storage or long ttl

26. Self signing, hardware key Certificate Authority (CA) Client Certificate client.key

    stored on disk ca.key storage or long ttl

27. AWS Private CA Moving the problem around

28. Design a CA hierarchy https://aws.amazon.com/private-ca/pricing/ https://docs.aws.amazon.com/privateca/latest/userguide/ca-hierarchy.html

29. Belgian Government CA Moving the problem around

30. https://repository.eidpki.belgium.be/#/home https://www.ibz.rrn.fgov.be/nl/burger/identiteitsdocumenten/eid

31. https://repository.eidpki.belgium.be/#/home https://www.ibz.rrn.fgov.be/nl/burger/identiteitsdocumenten/eid

32. https://repository.eidpki.belgium.be/#/home https://www.ibz.rrn.fgov.be/nl/burger/identiteitsdocumenten/eid not my problem

33. Server IAM Roles Anywhere AWS STS Temporary security credential Trust

    Anchor Certificate + Signature Role 1 2 3 4

34. Server IAM Roles Anywhere AWS STS Temporary security credential Trust

    Anchor Certificate + Signature Role 1 2 3 4 AWS Managed My Code BE Managed

35. Setting up the AWS Infrastructure

36. Server IAM Roles Anywhere AWS STS Temporary security credential Trust

    Anchor Certificate + Signature Role 1 2 3 4 AWS Managed My Code BE Managed

37. IAM Roles Anywhere AWS STS Trust Anchor Role 2 3

38. IAM Roles Anywhere AWS STS Trust Anchor Role 2 3

39. IAM Roles Anywhere AWS STS Trust Anchor Role 2 3

40. Sidenote: Session Tags

41. IAM Roles Anywhere AWS STS Trust Anchor Role 2 3

42. Server IAM Roles Anywhere AWS STS Temporary security credential Trust

    Anchor Certificate + Signature Role 1 2 3 4 AWS Managed My Code BE Managed

43. SigV4*

44. IAM Roles Anywhere Server IAM Roles Anywhere Temporary security credential

    Certificate + Signature 1 4
45. None
46. None
47. None

48. AWS4-HMAC-SHA256 AWS4-RSA-SHA256 AWS4-ECDSA-SHA256

49. Hex(HMAC-SHA256(SigningKey, StringToSign) Hex(RSA-SHA256(PrivateKey, StringToSign) Hex(ECDSA-SHA256(PrivateKey, StringToSign)

50. 4. HTTP Request Authorization: AWS4-HMAC-SHA256 Credential=AKIAI…/20250522/eu-west-1/s3/aws4_request, SignedHeaders=…,Signature=$Signature Authorization: AWS4-RSA-SHA256 Credential=$Serial/20250522/eu-west-1/rolesanywhere/aws4_request,

    SignedHeaders=…,Signature=$Signature Authorization: AWS4-ECDSA-SHA256 Credential=$Serial/20250522/eu-west-1/rolesanywhere/aws4_request, SignedHeaders=…,Signature=$Signature

51. AWS IAM Roles Anywhere Credential Helper These go to pkcs11

52. Server IAM Roles Anywhere Temporary security credential Certificate + Signature

    1 4

53. Demo No problem?

54. Some problems • Using a pkcs11 library on MacOS •

    Not needed with `cert-selector` • Limited information in the certificate • PIN code • Caching or serve command

55. Actual Useful ways to use IAMRA Getting "free" CAs •

    Existing PKI • Let's encrypt Getting better key storage • Trusted Platform Modules • Hardware keys

56. Further reading • https://aws.amazon.com/blogs/security/planning-for-your-iam-roles-anywhere- deployment/ • https://aws.amazon.com/blogs/security/connect-your-on-premises-kubernetes- cluster-to-aws-apis-using-iam-roles-anywhere/ • https://www.new23d.com/iam-roles-anywhere-now-for-everyone-with-lets-

    encrypt/ • https://cloudar.be/awsblog/sign-in-with-your-eid-using-aws-iam-roles-anywhere- with-a-smartcard-reader/ • https://github.com/aws/rolesanywhere-credential-helper • https://github.com/WeAreCloudar/cloudformation- samples/tree/main/templates/roles-anywhere-eid • https://learn.microsoft.com/en-us/intune/fundamentals/certificates/overview

57. Thank you! [email protected] benbridts @benbridts