Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Using IAM Roles Anywhere for free

Avatar for Ben Bridts Ben Bridts
September 24, 2025
Technology
0
2

Using IAM Roles Anywhere for free

IAM Roles Anywhere is a great way to get temporary security credentials on on-premises, or mulit-cloud or edge devices. However the complexity of managing your own PKI or the cost of using an AWS Private CA might have stopped you from seriously considering it. In this session we will look at how IAM Roles anywhere works and why that means we can use low-cost solutions like a yubikey for authentication. Just for fun we’ll even use a Belgian Identity Card to access our AWS Account.

Delivered at AWS Community Day Utrecht 2025

Avatar for Ben Bridts

Ben Bridts

September 24, 2025
Tweet

More Decks by Ben Bridts

See All by Ben Bridts
The Hidden Costs of Managed Open Source
Avatar for Ben Bridts benbridts
0
17
re:Invent re:Cap 2023: Evolving your architecture
Avatar for Ben Bridts benbridts
0
55
A closer look at new ways to manage access - EKS Pod Identiy and S3 Access Grant
Avatar for Ben Bridts benbridts
0
10
From ‘huh?’ to privilege escalation
Avatar for Ben Bridts benbridts
0
25
re:Invent re:Cap - Removing Heavy Lifting
Avatar for Ben Bridts benbridts
0
96
Policy as Code: Putting best practices in your repository
Avatar for Ben Bridts benbridts
0
180
(Don't) try this at work - Lightning Talk
Avatar for Ben Bridts benbridts
0
130
AWS Systems Manager
Avatar for Ben Bridts benbridts
1
140
Do(n’t) try this at work - Technically, you _can_ do this
Avatar for Ben Bridts benbridts
0
190

Other Decks in Technology

See All in Technology
What is BigQuery?
Avatar for Aizack aizack_harks
0
130
SOC2取得の全体像
Avatar for shonansurvivors shonansurvivors
1
360
職種別ミートアップで社内から盛り上げる アウトプット文化の醸成と関係強化/ #DevRelKaigi
Avatar for Ichiro Nishiuma nishiuma
2
130
Function calling機能をPLaMo2に実装するには / PFN LLMセミナー
Avatar for Preferred Networks pfn
PRO
0
880
ACA でMAGI システムを社内で展開しようとした話
Avatar for Yuji Masaoka | まっぴぃ mappie_kochi
0
220
GA technologiesでのAI-Readyの取り組み@DataOps Night
Avatar for yuto16 yuto16
0
260
OCI Network Firewall 概要
Avatar for oracle4engineer oracle4engineer
PRO
1
7.8k
ユニットテストに対する考え方の変遷 / Everyone should watch his live coding
Avatar for mdstoy mdstoy
0
120
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
Avatar for oracle4engineer oracle4engineer
PRO
2
5.4k
PLaMo2シリーズのvLLM実装 / PFN LLM セミナー
Avatar for Preferred Networks pfn
PRO
2
950
VCC 2025 Write-up
Avatar for bata_24 bata_24
0
180
「AI駆動PO」を考えてみる - 作る速さから価値のスループットへ:検査・適応で未来を開発 / AI-driven product owner. scrummat2025
Avatar for yosuke nagai yosuke_nagai
4
540

Featured

See All Featured
The Success of Rails: Ensuring Growth for the Next 100 Years
Avatar for Eileen M. Uchitelle eileencodes
46
7.6k
4 Signs Your Business is Dying
Avatar for Josh Pigford shpigford
185
22k
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
11
880
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
331
21k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
9
960
Building Adaptive Systems
Avatar for Chris Keathley keathley
43
2.8k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
132
19k
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
16k
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
31
9.7k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
333
22k
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
368
20k
Unsuck your backbone
Avatar for Amy Palamountain ammeep
671
58k

Transcript

  1. Using IAM Roles Anywhere for free Ben Bridts

  2. https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf

  3. None
  4. None
  5. None
  6. None
  7. None
  8. None

  9. IAM Roles Anywhere Moving the problem around

  10. IAM Roles Anywhere Server IAM Roles Anywhere Certificate + Signature

    1

  11. IAM Roles Anywhere Server IAM Roles Anywhere Trust Anchor Certificate

    + Signature 1 2

  12. IAM Roles Anywhere Server IAM Roles Anywhere AWS STS Trust

    Anchor Certificate + Signature Role 1 2 3

  13. IAM Roles Anywhere Server IAM Roles Anywhere AWS STS Temporary

    security credential Trust Anchor Certificate + Signature Role 1 2 3 4

  14. AWS Private CA

  15. Design a CA hierarchy https://aws.amazon.com/private-ca/pricing/ https://docs.aws.amazon.com/privateca/latest/userguide/ca-hierarchy.html

  16. Belgian Government CA Moving the other problem

  17. https://repository.eidpki.belgium.be/#/home https://www.ibz.rrn.fgov.be/nl/burger/identiteitsdocumenten/eid

  18. https://repository.eidpki.belgium.be/#/home https://www.ibz.rrn.fgov.be/nl/burger/identiteitsdocumenten/eid

  19. https://repository.eidpki.belgium.be/#/home https://www.ibz.rrn.fgov.be/nl/burger/identiteitsdocumenten/eid not my problem

  20. Server IAM Roles Anywhere AWS STS Temporary security credential Trust

    Anchor Certificate + Signature Role 1 2 3 4

  21. IAM Roles Anywhere AWS STS Trust Anchor Role 2 3

  22. IAM Roles Anywhere AWS STS Trust Anchor Role 2 3

  23. IAM Roles Anywhere AWS STS Trust Anchor Role 2 3

  24. IAM Roles Anywhere AWS STS Trust Anchor Role 2 3

  25. AWS IAM Roles Anywhere Credential Helper These go to pkcs11

  26. Server IAM Roles Anywhere Temporary security credential Certificate + Signature

    1 4

  27. Demo No problem?

  28. Some problems • Finding the right pkcs11 library on MacOS

    • Limited information in the certificate • PIN code • Caching or serve command

  29. Actual Useful ways to use IAMRA Getting "free" CAs •

    Exiting PKI • Hardware keys with attestation • Let's encrypt Getting better key storage • Trusted Platform Modules • Hardware keys

  30. Further reading • https://aws.amazon.com/blogs/security/planning-for-your-iam-roles- anywhere-deployment/ • https://aws.amazon.com/blogs/security/connect-your-on-premises- kubernetes-cluster-to-aws-apis-using-iam-roles-anywhere/ • https://cloudar.be/awsblog/sign-in-with-your-eid-using-aws-iam-

    roles-anywhere-with-a-smartcard-reader/ • https://github.com/aws/rolesanywhere-credential-helper • https://github.com/WeAreCloudar/cloudformation- samples/tree/main/templates/roles-anywhere-eid

  31. Thank you! [email protected] benbridts @benbridts