Posted On: Sep 22, 2023

AWS Identity and Access Management (IAM) Roles Anywhere is now available in the AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions. IAM Roles Anywhere enables workloads that run outside of AWS to access AWS resources using IAM roles and policies in the same way you do from your AWS workloads. IAM Roles Anywhere allows your workloads such as servers, containers, and applications to use X.509 digital certificates to obtain temporary AWS credentials.

With IAM Roles Anywhere you can use temporary credentials instead of long-lived credentials, which can help improve your security posture. Using IAM Roles Anywhere can also reduce support costs and operational complexity, because the same access controls, deployment pipelines, and testing processes apply across all of your workloads. You can get started by establishing trust between your AWS environment and your public key infrastructure (PKI). You do this by creating a trust anchor that either references your AWS Private Certificate Authority (AWS Private CA) or registers your own certificate authorities (CAs) with IAM Roles Anywhere. By adding one or more roles to a profile and allowing IAM Roles Anywhere to assume those roles, your workloads can present a client certificate issued by your CAs to make signed requests to AWS and receive temporary credentials for access to the AWS environment.
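As an added example (not code from AWS or from this announcement), the two artifacts an operator writes once the trust anchor and profile exist: the role trust policy that pins AssumeRole to one trust anchor and one certificate subject, and the AWS CLI profile that obtains temporary credentials through the aws_signing_helper credential helper instead of a stored access key. All ARNs, the account number, file paths and the CN value are placeholders.

```shell
#!/bin/sh
# Added example, not AWS's own code. Every ARN, account number, path and CN
# below is a placeholder chosen for illustration.

# Trust policy for the IAM role listed in the Roles Anywhere profile. It lets
# the service assume the role, but only for certificates validated by one
# trust anchor and carrying one expected subject CN, so a certificate from
# another CA, or for another host under the same CA, cannot obtain the role.
roles_anywhere_trust_policy() {
  trust_anchor_arn="$1"   # arn:aws-us-gov:rolesanywhere:REGION:ACCOUNT:trust-anchor/ID
  subject_cn="$2"         # CN expected in the client certificate's subject
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "rolesanywhere.amazonaws.com"},
    "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
    "Condition": {
      "ArnEquals": {"aws:SourceArn": "${trust_anchor_arn}"},
      "StringEquals": {"aws:PrincipalTag/x509Subject/CN": "${subject_cn}"}
    }
  }]
}
EOF
}

# ~/.aws/config stanza for the on-premises workload. The CLI/SDKs invoke the
# Roles Anywhere credential helper on demand; it signs a request with the X.509
# client certificate and returns temporary credentials, so no static key is stored.
roles_anywhere_cli_profile() {
  cert_path="$1"; key_path="$2"; trust_anchor_arn="$3"; profile_arn="$4"; role_arn="$5"
  cat <<EOF
[profile onprem-workload]
region = us-gov-west-1
credential_process = aws_signing_helper credential-process --certificate ${cert_path} --private-key ${key_path} --trust-anchor-arn ${trust_anchor_arn} --profile-arn ${profile_arn} --role-arn ${role_arn}
EOF
}

# Usage with placeholder identifiers (GovCloud partition "aws-us-gov").
ACCOUNT=123456789012
TA_ARN="arn:aws-us-gov:rolesanywhere:us-gov-west-1:${ACCOUNT}:trust-anchor/TRUST-ANCHOR-ID"
PROFILE_ARN="arn:aws-us-gov:rolesanywhere:us-gov-west-1:${ACCOUNT}:profile/PROFILE-ID"
ROLE_ARN="arn:aws-us-gov:iam::${ACCOUNT}:role/OnPremWorkloadRole"
roles_anywhere_trust_policy "$TA_ARN" "build-server-01.example.internal"
roles_anywhere_cli_profile /etc/pki/workload/client.pem /etc/pki/workload/client.key \
  "$TA_ARN" "$PROFILE_ARN" "$ROLE_ARN"
```

The trust policy output is what you attach to the role with `aws iam update-assume-role-policy`; the config stanza goes into the workload's `~/.aws/config`, where the certificate's private key should be readable only by the workload user.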

IAM Roles Anywhere is available at no additional cost. Standard AWS Private CA pricing applies when it is used. To learn more about IAM Roles Anywhere, visit the User Guide and the AWS Security blog post.