What is Roles Anywhere, the Newest Feature in AWS IAM?

Cover image vector created by pch.vector

‍

On July 6, Amazon Web Services (AWS) announced a new feature on their Identity and Access Management (IAM) service called 'Roles Anywhere'.

As the name suggests, Roles Anywhere allows workloads that run outside of AWS to assume temporary AWS credentials to access AWS resources.

In this article, I'll talk about what IAM Roles Anywhere is, how it works, and what problems it's solving for cloud security in AWS.

For more info, check out this Twitter thread by AWS instructor Abhay Bhargav:

ICYMI, @AWS introduced a new IAM feature yesterday called "Roles Anywhere". This is a big deal! It allows your non-AWS resources (on-prem, other cloud, kubernetes, etc) to assume AWS roles to access resources on AWS (like S3, @dynamodb, etc). Let's explore this. A 🧵 1/
— Abhay Bhargav is @localhost (@abhaybhargav) July 7, 2022

How did access management work before Roles Anywhere?

Since the early days of AWS, on-prem resources with AWS access have typically used keys and secrets.

Traditionally, these keys were either hardcoded into the application, or they were stored in environment variables.

While this approach works well in on-premises environments, it's far more difficult to manage keys in cloud-based environments.

This is because the key needs to be accessible from both the application and the underlying infrastructure.

Not only are keys and secrets harder to manage, if they're compromised, they give unrestricted access to all your AWS resources.

Now with Roles Anywhere, AWS IAM is better able to manage access management and security. Let's understand why.

Want weekly updates on what's new in Cloud Security, Kubernetes, and AppSec? Follow Abhay Bhargav on Twitter.

Why are Roles better for AWS security?

Roles are the way to better security in the cloud. A 🧵1/
— Abhay Bhargav is @localhost (@abhaybhargav) July 1, 2022

When it comes to cloud security in AWS, Roles provide a better way to manage access to AWS resources.

Long-lived credentials are never a good idea in the cloud, given how easily they can be compromised. In many cases, you may not even know when a users credentials are compromised

Roles are a far more secure because they can be rotated frequently. That way, even if your credentials get compromised, their security impact is reined in by a significant margin.

With roles, you can give a user just the permissions they need to do their job, and nothing more.

For example, you might create a role called 'ec2-reader' that allows users to view information about all of your EC2 instances but does not allow them to modify anything. You could then assign the 'ec2-reader' role to specific users or groups as needed.

This way, if the user's credentials are compromised, the attacker only has access to the limited set of resources that the role allows.

‍

We've got courses in both AWS IAM Security as well as Secrets in AWS. Check them out now.

What is Roles Anywhere and how does it work?

Roles Anywhere is a new feature in AWS IAM that lets you use temporary credentials to access AWS resources from a non-AWS workload or application.

For example, you could use Roles Anywhere to allow an on-premises database to access data in an S3 bucket.

Or if you use Kubernetes, you can create a role that maps specific permissions on AWS resources to specific Kubernetes objects (pods, services, etc.).

This can be a great way to extend the functionality of your AWS resources and make them more versatile.

In order to use Roles Anywhere, you need to generate a Certificate Authority (CA) and certificates for each AWS resource you want to use.

You can do this by using the AWS public key infrastructure (PKI) feature. Generate a CA in the AWS Certificate Manager Private Certificate Authority (ACM Private CA), and generate certificates for each resource you want to use with Roles Anywhere.

To actually use this Role with your on-prem app and server, you need to leverage the new credential helper.

This is a a utility from AWS built into the CLI and the AWS SDK that allows you to pass the certificate with the key, profile, role, and trust anchor.

Previously, enabling Roles for non-AWS workloads required a ton of automation with SPIFFE/SPIRE or something similar.

Certificates are still not a substitute for OIDC, it's far easier to leverage Roles now using Roles Anywhere.

By the way, we've got a course on AWS IAM in our AWS Security Learning Path. Start learning now with a free account.

‍

Source for article

Aneesh Bhargav

Aneesh Bhargav is the Head of Content Strategy at AppSecEngineer. He has experience in creating long-form written content, copywriting, producing Youtube videos and promotional content. Aneesh has experience working in Application Security industry both as a writer and a marketer, and has hosted booths at globally recognized conferences like Black Hat. He has also assisted the lead trainer at a sold-out DevSecOps training at Black Hat. An avid reader and learner, Aneesh spends much of his time learning not just about the security industry, but the global economy, which directly informs his content strategy at AppSecEngineer. When he's not creating AppSec-related content, he's probably playing video games.

Rajesh Kanumuru

Rajesh Kanumuru works at we45 as a Cloud Security Lead. Rajesh is a builder and breaker of Cloud applications. He has created some pioneering works in the area of Cloud Security. He is actively researching the effects of emerging technologies on cloud security. Since 2020, Rajesh has mostly been involved with research, development and building solutions around we45 and AppSecEngineer's training offerings. He consults with organizations to help them implement Cloud Security successfully. Rajesh has co-authored and trained a course on Purple Team AWS that was delivered by we45 at BlackHat USA. When AFK, he can be found on the cricket pitch.