
What is Roles Anywhere, the Newest Feature in AWS IAM?

July 11, 2022


On July 6, 2022, Amazon Web Services (AWS) announced a new feature of its Identity and Access Management (IAM) service called IAM Roles Anywhere.


As the name suggests, Roles Anywhere lets workloads that run outside AWS assume an IAM role and receive temporary AWS credentials for accessing AWS resources, instead of holding a long-lived access key.


In this article, I'll talk about what IAM Roles Anywhere is, how it works, and what problems it's solving for cloud security in AWS.




How did access management work before Roles Anywhere?


Since the early days of AWS, on-prem resources that needed AWS access have typically used long-lived IAM user credentials: an access key ID and a secret access key.


Traditionally, these keys were either hardcoded into the application's source or configuration, or they were stored in environment variables on the host.


This is workable when a handful of servers need access, but it scales badly: every key has to be distributed to the hosts that use it, rotated on a schedule, and revoked when a host is retired or a key leaks.


The key also has to be readable by the application at runtime, which means it ends up in config files, process environments, container images, or backups, each of which is one more place it can be copied from.


Not only are static keys harder to manage, if one is compromised, the attacker gets every permission of the IAM user it belongs to, and keeps that access until someone notices and rotates or disables the key, because the key never expires on its own.


Roles Anywhere lets these workloads use IAM roles instead, which removes most of that burden. Let's understand why.




Why are Roles better for AWS security?


When it comes to cloud security in AWS, Roles provide a better way to manage access to AWS resources.


Long-lived credentials are never a good idea in the cloud, given how easily they can be leaked. In many cases, you may not even know when a user's credentials have been compromised.


Roles are far more secure because they never hand out a permanent secret. Assuming a role returns temporary credentials from AWS STS that expire on their own (the session duration is configurable, from 15 minutes up to the role's maximum), so there is nothing to rotate by hand. Even if a set of session credentials is stolen, the window in which it is useful to an attacker is limited.


With roles, you can also give a workload or user just the permissions they need to do their job, and nothing more.


For example, you might create a role called 'ec2-reader' whose permissions policy allows describing EC2 instances but not modifying anything. The role's trust policy then controls who may assume it, so you can allow specific users, groups, or workloads to take on 'ec2-reader' as needed.


This way, if the credentials obtained through the role are compromised, the attacker only has access to the limited set of actions and resources that the role allows.



What is Roles Anywhere and how does it work?


Roles Anywhere is a new feature in AWS IAM that lets you use temporary credentials to access AWS resources from a non-AWS workload or application.


For example, you could use Roles Anywhere to allow an on-premises database to access data in an S3 bucket.


Or if you run Kubernetes outside AWS, workloads that hold an X.509 certificate issued by your CA can exchange that certificate for the credentials of an IAM role, so a pod or service gets a scoped set of AWS permissions without a baked-in access key.


In short, workloads you can't move into AWS get to use the same IAM roles and policies as the ones that run there.


In order to use Roles Anywhere, you need a Certificate Authority (CA) and an X.509 certificate, with its private key, for each workload or host that will request credentials. The certificate is the workload's identity; the AWS resources it reaches are governed by the role's permissions policy, not by the certificate.


The CA can be one you create in AWS Certificate Manager Private Certificate Authority (ACM Private CA), or an existing external CA whose certificate you upload. Either way, you register it in Roles Anywhere as a trust anchor, create a profile that lists which roles may be assumed through that anchor, and set each role's trust policy to trust the Roles Anywhere service (optionally restricted to one trust anchor and to particular certificate attributes).


To actually use the role from your on-prem app or server, you need the new credential helper (aws_signing_helper, published by AWS as the IAM Roles Anywhere credential helper).


It is a standalone utility rather than part of the CLI or SDK itself: you point the CLI and SDKs at it through the credential_process setting in the AWS config file. When invoked, it signs a request with the workload's private key, sends it with the certificate plus the trust anchor, profile, and role ARNs to the Roles Anywhere endpoint, and returns the temporary credentials that come back.


Previously, enabling Roles for non-AWS workloads required a ton of automation with SPIFFE/SPIRE or something similar.


Certificates are not a substitute for OIDC where a workload already has an identity provider (for example, IRSA on EKS), but for everything else it's now far easier to use roles from outside AWS with Roles Anywhere.
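As an added example that is not part of the original post and is not AWS's own code, the following Python builds the documents described in the two sections above: the read-only 'ec2-reader' permissions policy, a Roles Anywhere trust policy that pins the role to one trust anchor and one certificate subject, and the ~/.aws/config stanza that makes the CLI and SDKs call the credential helper. It also runs two checks a practitioner would want before applying the policies. The account ID, ARNs, file paths and workload name are hypothetical, and the checkers are heuristics, not a full policy analyzer.

```python
"""Least-privilege role for an on-prem workload via IAM Roles Anywhere.

Added example; not from the original post or from AWS. All identifiers
below (account, ARNs, paths, workload CN) are hypothetical.
"""
import json
import re

ACCOUNT = "123456789012"  # hypothetical account
TRUST_ANCHOR_ARN = (
    f"arn:aws:rolesanywhere:us-east-1:{ACCOUNT}:trust-anchor/"
    "11111111-2222-3333-4444-555555555555"  # hypothetical
)
PROFILE_ARN = (
    f"arn:aws:rolesanywhere:us-east-1:{ACCOUNT}:profile/"
    "66666666-7777-8888-9999-000000000000"  # hypothetical
)
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/ec2-reader"


def permissions_policy() -> dict:
    """The 'ec2-reader' permissions policy: describe EC2, change nothing."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}],
    }


def roles_anywhere_trust_policy(trust_anchor_arn: str, workload_cn: str) -> dict:
    """Trust policy letting the Roles Anywhere service assume the role.

    The service needs sts:AssumeRole, sts:TagSession and sts:SetSourceIdentity.
    aws:SourceArn pins the role to one trust anchor, so another CA registered
    in the account cannot reach it; the x509Subject/CN principal tag limits it
    to certificates issued for one workload name.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "rolesanywhere.amazonaws.com"},
            "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
            "Condition": {
                "ArnEquals": {"aws:SourceArn": trust_anchor_arn},
                "StringEquals": {"aws:PrincipalTag/x509Subject/CN": workload_cn},
            },
        }],
    }


# Heuristic: action verbs that change state, plus service-wide wildcards.
WRITE_ACTION = re.compile(
    r"^[a-z0-9-]+:(Create|Delete|Put|Update|Modify|Attach|Detach|Run|Terminate|Start|Stop|\*)",
    re.I,
)


def find_write_actions(policy: dict) -> list:
    """Return allowed actions that could modify resources ('*' and 'svc:*' count)."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        found.extend(a for a in actions if a == "*" or WRITE_ACTION.match(a))
    return found


def check_trust_policy(policy: dict) -> list:
    """Flag common over-broad Roles Anywhere trust policies."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Principal", {}).get("Service") != "rolesanywhere.amazonaws.com":
            problems.append("principal is not the Roles Anywhere service")
        cond = stmt.get("Condition", {})
        if "aws:SourceArn" not in cond.get("ArnEquals", {}):
            problems.append("no aws:SourceArn: any trust anchor in the account can assume the role")
        if not any(k.startswith("aws:PrincipalTag/x509") for k in cond.get("StringEquals", {})):
            problems.append("no certificate-attribute condition: any cert from the CA can assume the role")
    return problems


def aws_config_profile(cert_path: str, key_path: str) -> str:
    """~/.aws/config stanza that hooks aws_signing_helper in via credential_process."""
    cmd = (
        f"aws_signing_helper credential-process --certificate {cert_path} "
        f"--private-key {key_path} --trust-anchor-arn {TRUST_ANCHOR_ARN} "
        f"--profile-arn {PROFILE_ARN} --role-arn {ROLE_ARN}"
    )
    return f"[profile onprem-ec2-reader]\ncredential_process = {cmd}\n"


if __name__ == "__main__":
    trust = roles_anywhere_trust_policy(TRUST_ANCHOR_ARN, "inventory-db-01")
    print(json.dumps(trust, indent=2))
    print("write actions in ec2-reader:", find_write_actions(permissions_policy()))
    print("trust policy problems:", check_trust_policy(trust))
    print(aws_config_profile("/etc/pki/inventory-db-01.crt", "/etc/pki/inventory-db-01.key"))
```

With the stanza written to ~/.aws/config, `aws ec2 describe-instances --profile onprem-ec2-reader` makes the CLI run the helper, which exchanges the certificate for short-lived STS credentials; nothing long-lived is stored on the host apart from the certificate's private key, which should itself be kept in a TPM or HSM where possible.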



Aneesh Bhargav

When Aneesh is not creating career-focused security content, he’s probably playing video games.