Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Using IAM Roles Anywhere for free

Avatar for Ben Bridts Ben Bridts
September 24, 2025
Technology
1
3

Using IAM Roles Anywhere for free

IAM Roles Anywhere is a great way to get temporary security credentials on on-premises, or mulit-cloud or edge devices. However the complexity of managing your own PKI or the cost of using an AWS Private CA might have stopped you from seriously considering it. In this session we will look at how IAM Roles anywhere works and why that means we can use low-cost solutions like a yubikey for authentication. Just for fun we’ll even use a Belgian Identity Card to access our AWS Account.

Delivered at AWS Community Day Utrecht 2025

Avatar for Ben Bridts

Ben Bridts

September 24, 2025
Tweet

More Decks by Ben Bridts

See All by Ben Bridts
The Hidden Costs of Managed Open Source
Avatar for Ben Bridts benbridts
0
19
re:Invent re:Cap 2023: Evolving your architecture
Avatar for Ben Bridts benbridts
0
55
A closer look at new ways to manage access - EKS Pod Identiy and S3 Access Grant
Avatar for Ben Bridts benbridts
0
13
From ‘huh?’ to privilege escalation
Avatar for Ben Bridts benbridts
0
26
re:Invent re:Cap - Removing Heavy Lifting
Avatar for Ben Bridts benbridts
0
99
Policy as Code: Putting best practices in your repository
Avatar for Ben Bridts benbridts
0
180
(Don't) try this at work - Lightning Talk
Avatar for Ben Bridts benbridts
0
130
AWS Systems Manager
Avatar for Ben Bridts benbridts
1
140
Do(n’t) try this at work - Technically, you _can_ do this
Avatar for Ben Bridts benbridts
0
190

Other Decks in Technology

See All in Technology
あなたの知らない Linuxカーネル脆弱性の世界
Avatar for Recruit recruitengineers
PRO
3
150
From Natural Language to K8s Operations: The MCP Architecture and Practice of kubectl-ai
Avatar for Bo-Yi Wu appleboy
0
190
ストレージエンジニアの仕事と、近年の計算機について / 第58回 情報科学若手の会
Avatar for Preferred Networks pfn
PRO
3
750
Behind Postgres 18: The People, the Code, & the Invisible Work | Claire Giordano | PGConfEU 2025
Avatar for Claire Giordano clairegiordano
0
120
物体検出モデルでシイタケの収穫時期を自動判定してみた。 #devio2025
Avatar for Lamaglama39 lamaglama39
0
280
AWS UG Grantでグローバル20名に選出されてre:Inventに行く話と、マルチクラウドセキュリティの教科書を執筆した話 / The Story of Being Selected for the AWS UG Grant to Attending re:Invent, and Writing a Multi-Cloud Security Textbook
Avatar for Yuji Oshima yuj1osm
1
130
様々なファイルシステム
Avatar for Satoru Takeuchi sat
PRO
0
240
事業開発におけるDify活用事例
Avatar for KentaroFujii kentarofujii
5
1.4k
20251027_findyさん_音声エージェントLT
Avatar for Almondoイベント担当 almondo_event
0
280
Introduction to Sansan for Engineers / エンジニア向け会社紹介
Avatar for Sansan, Inc. sansan33
PRO
5
44k
AWS DMS で SQL Server を移行してみた/aws-dms-sql-server-migration
Avatar for emi emiki
0
220
What's new in OpenShift 4.20
Avatar for Red Hat Livestreaming redhatlivestreaming
0
200

Featured

See All Featured
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
238
140k
Become a Pro
Avatar for Speaker Deck speakerdeck
PRO
29
5.6k
Why Our Code Smells
Avatar for Brandon Keepers bkeepers
PRO
340
57k
Building Adaptive Systems
Avatar for Chris Keathley keathley
44
2.8k
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
13
920
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
285
14k
Embracing the Ebb and Flow
Avatar for Simon Collison colly
88
4.9k
Unsuck your backbone
Avatar for Amy Palamountain ammeep
671
58k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
249
1.3M
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
127
54k
The Language of Interfaces
Avatar for Des Traynor destraynor
162
25k
Visualization
Avatar for Eitan Lees eitanlees
149
16k

Transcript

  1. Using IAM Roles Anywhere for free Ben Bridts

  2. https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf

  3. None
  4. None
  5. None
  6. None
  7. None
  8. None

  9. IAM Roles Anywhere Moving the problem around

  10. IAM Roles Anywhere Server IAM Roles Anywhere Certificate + Signature

    1

  11. IAM Roles Anywhere Server IAM Roles Anywhere Trust Anchor Certificate

    + Signature 1 2

  12. IAM Roles Anywhere Server IAM Roles Anywhere AWS STS Trust

    Anchor Certificate + Signature Role 1 2 3

  13. IAM Roles Anywhere Server IAM Roles Anywhere AWS STS Temporary

    security credential Trust Anchor Certificate + Signature Role 1 2 3 4

  14. AWS Private CA

  15. Design a CA hierarchy https://aws.amazon.com/private-ca/pricing/ https://docs.aws.amazon.com/privateca/latest/userguide/ca-hierarchy.html

  16. Belgian Government CA Moving the other problem

  17. https://repository.eidpki.belgium.be/#/home https://www.ibz.rrn.fgov.be/nl/burger/identiteitsdocumenten/eid

  18. https://repository.eidpki.belgium.be/#/home https://www.ibz.rrn.fgov.be/nl/burger/identiteitsdocumenten/eid

  19. https://repository.eidpki.belgium.be/#/home https://www.ibz.rrn.fgov.be/nl/burger/identiteitsdocumenten/eid not my problem

  20. Server IAM Roles Anywhere AWS STS Temporary security credential Trust

    Anchor Certificate + Signature Role 1 2 3 4

  21. IAM Roles Anywhere AWS STS Trust Anchor Role 2 3

  22. IAM Roles Anywhere AWS STS Trust Anchor Role 2 3

  23. IAM Roles Anywhere AWS STS Trust Anchor Role 2 3

  24. IAM Roles Anywhere AWS STS Trust Anchor Role 2 3

  25. AWS IAM Roles Anywhere Credential Helper These go to pkcs11

  26. Server IAM Roles Anywhere Temporary security credential Certificate + Signature

    1 4

  27. Demo No problem?

  28. Some problems • Finding the right pkcs11 library on MacOS

    • Limited information in the certificate • PIN code • Caching or serve command

  29. Actual Useful ways to use IAMRA Getting "free" CAs •

    Exiting PKI • Hardware keys with attestation • Let's encrypt Getting better key storage • Trusted Platform Modules • Hardware keys

  30. Further reading • https://aws.amazon.com/blogs/security/planning-for-your-iam-roles- anywhere-deployment/ • https://aws.amazon.com/blogs/security/connect-your-on-premises- kubernetes-cluster-to-aws-apis-using-iam-roles-anywhere/ • https://cloudar.be/awsblog/sign-in-with-your-eid-using-aws-iam-

    roles-anywhere-with-a-smartcard-reader/ • https://github.com/aws/rolesanywhere-credential-helper • https://github.com/WeAreCloudar/cloudformation- samples/tree/main/templates/roles-anywhere-eid

  31. Thank you! [email protected] benbridts @benbridts