This is a very cool feature. AWS is breaking more barriers. This was a requirement at a previous gig. Now with this feature, you can keep your on-premises workload and still use AWS in a hybrid fashion.
I see how this reduces operational complexity, but a genuine question: how does it improve security posture? If the private key is compromised anyone with that key can obtain AWS credentials until the certificate expires, or until it's known that it was compromised, and the cert is added to the x509 certificate revocation list. Given that you would protect your long-term access keys in the same way you would protect your private key, is the risk not the same?
Yeah I was thinking the same thing as I watched the video. I suppose you would have a passphrase on the key... so that'd give you an additional layer. However if using this for some automation, then not so much.
It doesn't...at small scale. But consider a large scale situation with hundreds or thousands of non-AWS servers needing AWS access. If you use a single IAM User, rotating the Access Key would mean the entire fleet must be updated together; if/when any one server fails the process the entire fleet process is stuck. It's also of course a security risk to reuse the same long-lived keys on every server, and it makes tracing more difficult, as the malicious requests could have come from anything in the fleet since they all use the same principal.
The answer to all those issues before was to create an IAM User for each and every one of those servers, each with its own access key/secret to rotate and otherwise manage. Access keys also have no intrinsic expiration, so it's more difficult to ensure compliance. Managing them in a fleet situation is also security sensitive and error prone, as they're effectively just plaintext passwords and there are no good/certified off-the-shelf solutions for managing plaintext passwords across fleets of servers.
This lets you throw all that IAM User shenanigans out the window and cleanly plug in standards-based, certified PKI management systems of your choosing. Each server in the fleet gets its own X.509 cert (with an intrinsic expiration!) rather than an IAM User resource and raw Access Key pair to manage.
You're right in that it's largely a play to reduce operational complexity...but at scale reducing operational complexity IS improving security posture.
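The two posts above (the compromise question and the fleet-scale answer) compare the same thing from two angles: what a defender can know about a credential's remaining lifetime. The audit below is an added example, not code from the video or from any commenter, and it models both credential types over a constructed inventory: long-lived access keys (no built-in expiry, so age and sharing are the only signals) versus per-host X.509 certificates (an intrinsic notAfter plus a CRL). All host names, key ids, serials and dates are constructed placeholders; the CRL is modelled as a set of revoked serials rather than parsed from a real DER file.

```python
"""Fleet credential audit (added example, not part of the original thread).

Constructed inventory, no real AWS identifiers:
- FLEET_KEYS  : hosts using long-lived access keys (the IAM User model)
- FLEET_CERTS : hosts each holding their own X.509 cert (the per-host cert model)
- CRL_SERIALS : serial numbers the issuing CA has listed as revoked
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed clock so the audit is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)   # assumed rotation policy for access keys
RENEW_BEFORE = timedelta(days=7)   # assumed renewal window for certificates


@dataclass(frozen=True)
class AccessKey:
    host: str
    key_id: str        # constructed placeholder, deliberately not a real key id format
    created: datetime  # the only lifetime signal an access key carries


@dataclass(frozen=True)
class HostCert:
    host: str
    serial: int
    not_before: datetime
    not_after: datetime  # intrinsic expiry, set by the CA at issuance


def audit_access_keys(keys, now=NOW, max_age=MAX_KEY_AGE):
    """Flag keys older than the rotation policy and keys reused across hosts.
    A shared key id is the tracing problem from the thread: requests made with
    it cannot be attributed to one host."""
    findings = []
    hosts_by_key = {}
    for k in keys:
        hosts_by_key.setdefault(k.key_id, []).append(k.host)
        if now - k.created > max_age:
            findings.append((k.host, "key-overdue-rotation"))
    for hosts in hosts_by_key.values():
        if len(hosts) > 1:
            for h in hosts:
                findings.append((h, f"key-shared-across-{len(hosts)}-hosts"))
    return sorted(findings)


def audit_certs(certs, crl_serials, now=NOW, renew_before=RENEW_BEFORE):
    """Revocation wins over expiry; expired certs are dead regardless of the CRL;
    certs inside the renewal window are flagged before they lapse."""
    findings = []
    for c in certs:
        if c.serial in crl_serials:
            findings.append((c.host, "cert-revoked"))
        elif now >= c.not_after:
            findings.append((c.host, "cert-expired"))
        elif c.not_after - now <= renew_before:
            findings.append((c.host, "cert-renew-soon"))
    return sorted(findings)


def cert_exposure_window(cert, crl_serials, revoked_at=None, now=NOW):
    """Upper bound on how long a stolen private key remains usable: until the
    CA's revocation takes effect (if it revokes) or until notAfter, whichever
    is sooner. For an access key the same bound is unbounded until rotation."""
    end = cert.not_after
    if cert.serial in crl_serials and revoked_at is not None:
        end = min(end, revoked_at)
    return max(end - now, timedelta(0))


# --- constructed sample inventory ---------------------------------------------
D = timedelta(days=1)
FLEET_KEYS = [
    AccessKey("web-01", "CONSTRUCTED-KEY-1", NOW - 120 * D),   # shared and overdue
    AccessKey("web-02", "CONSTRUCTED-KEY-1", NOW - 120 * D),   # shared and overdue
    AccessKey("batch-01", "CONSTRUCTED-KEY-2", NOW - 30 * D),  # fine for now
]
FLEET_CERTS = [
    HostCert("web-01", 1001, NOW - 30 * D, NOW + 335 * D),     # healthy
    HostCert("web-02", 1002, NOW - 360 * D, NOW + 5 * D),      # renew soon
    HostCert("batch-01", 1003, NOW - 400 * D, NOW - 35 * D),   # expired
    HostCert("db-01", 1004, NOW - 10 * D, NOW + 355 * D),      # revoked via CRL
]
CRL_SERIALS = {1004}

if __name__ == "__main__":
    for finding in audit_access_keys(FLEET_KEYS):
        print("access-key:", *finding)
    for finding in audit_certs(FLEET_CERTS, CRL_SERIALS):
        print("certificate:", *finding)
    stolen = FLEET_CERTS[3]  # db-01, assume the CA revoked it two days from now
    print("db-01 exposure window:", cert_exposure_window(stolen, CRL_SERIALS, NOW + 2 * D))
```

The shape of the output is the point: for the key fleet the auditor can only say "too old" or "shared", while for the cert fleet every host gets a dated verdict and a bounded exposure window, which is what "intrinsic expiration" buys at scale.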
Thank you for creating this feature!
What would be the session life in this case? Does it carry the max session duration of the respective IAM role, or is it infinite?
While this is a great feature, many companies will not be able to afford the $400/month private CA cost. This will definitely be a game changer in many organisations.
You can use your own CA, but yes, agreed there should be an easier way to do this, like SSM Hybrid activations.
This is my BFF he is brilliant
This is really interesting