Using IAM Roles Anywhere to Help Secure VMware Cloud on AWS Workloads

By Mithil Rangdale, Sr. VMware Specialist Solutions Architect – AWS
By Rahul Gupta, Sr. Solutions Architect – AWS

Amazon Web Services (AWS) recommends using temporary credentials instead of creating long-term credentials such as access keys wherever possible, as noted in the AWS security best practices.

Temporary security credentials, also referred to as short-term credentials, can help limit the impact of inadvertently exposed credentials because they have a limited lifespan and don’t require periodic rotation or revocation. After temporary security credentials expire, AWS will no longer approve authentication and authorization requests made with these credentials.

VMware Cloud on AWS enables customers to easily migrate their workloads and applications from an on-premises vSphere environment into a software-defined data center (SDDC) with a seamless hybrid cloud experience.

Integration of AWS services with VMware Cloud on AWS is a powerful feature that customers can leverage for migration and modernization of their applications that can span across the 200+ AWS services.

In this post, we’ll look at how AWS Identity and Access Management (IAM) Roles Anywhere can enhance the security of workloads running on VMware Cloud on AWS and their integration with AWS services.

We’ll explore common use cases where workloads running on VMware Cloud on AWS need access to AWS services, along with the advantages of using IAM Roles Anywhere for credentials management. Finally, we’ll walk through an example scenario to demonstrate how to set up IAM Roles Anywhere for your workload running on VMware Cloud on AWS.

VMware is an AWS Specialization Partner and leading innovator in enterprise software. Jointly engineered for simplified migration, VMware Cloud on AWS combines compute, network and storage capabilities, allowing customers to leverage VMware tools, skill sets, and governance across your on-premises and cloud environments.

AWS IAM Roles Anywhere Overview

AWS Identity and Access Management (IAM) Roles Anywhere is a feature that allows you to use IAM roles to access AWS services and resources in applications and services outside of AWS.

The IAM Roles Anywhere introductory post discusses how you don’t have to create and manage long-term credentials for each third-party application or service to access AWS services. Instead, you can use the same IAM policies and IAM roles you use with AWS applications to obtain temporary security credentials in IAM for workloads such as servers, containers, and applications that run outside of AWS.

Common Use Cases

You can use IAM Roles Anywhere with VMware Cloud on AWS virtual machines (VMs) that require credentials to access AWS services.

Here are a few of the common use cases:

• Hybrid workloads access to AWS services over the course of phased migrations.
• Access secrets stored in AWS Secrets Manager from VMware Cloud on AWS workloads.
• Back up VM data on VMware Cloud on AWS to Amazon Simple Storage Service (Amazon S3).
• Secure access from client/agent on VMware Cloud on AWS VMs to backend databases, such as Amazon RDS, Amazon DynamoDB, and Amazon DocumentDB.

IAM Roles Anywhere for VMware Cloud on AWS Workloads

Following are key advantages of leveraging IAM Roles Anywhere for VMware Cloud on AWS workloads:

• Centralized access management capabilities of the AWS IAM service enables you to use IAM roles, policies, and permissions to control and manage access from your VMware Cloud on AWS workload to AWS services in a consistent and scalable manner.
• Minimizes the need for distributing and embedding long-lived access credentials, such as AWS IAM access keys, that are being used directly in workloads in VMware Cloud on AWS. Instead, your VMs/servers can assume IAM roles temporarily, minimizing the exposure of sensitive credentials and improving overall security.
• Define fine-grained permissions for your VMs by creating custom IAM roles with specific privileges and assign them to your VMs. This granular control ensures each VM/server has only the necessary permissions and aligns with the least privileges principle.
• Enables dynamic and flexible access to simplify access management, allowing you to respond quickly to changing requirements or personnel changes without making changes directly to the VMs/servers themselves.
• Enhance data for your auditing and compliance requirements by tracking and monitoring access events, permissions, and changes through AWS services, such as AWS IAM Access Analyzer and AWS CloudTrail.

Solution Overview

To use IAM Roles Anywhere, your workloads must use X.509 certificates issued by your Certificate Authority (CA) for the temporary security credential issuance process. You register the CA with IAM Roles Anywhere as a trust anchor to establish trust between your public-key infrastructure (PKI) and IAM Roles Anywhere.

In Figure 1, the architecture shows how the application running in VMware Cloud on AWS VMs is using a private CA issued X.509 certificate to request temporary AWS credentials from IAM Roles Anywhere, and then assumes the IAM role with permission to finish the authentication process.

Figure 1 – Certificate-based authentication for applications.

Let’s explore how each component contributes to the solution:

1. The application, running on VMware Cloud on AWS VMs, makes an authentication request to IAM Roles Anywhere, sending along its public key (encoded in a certificate) and a signature signed by the corresponding private key. Your application also specifies the role to assume in the request.
2. On receiving the request, IAM Roles Anywhere first validates the signature with public key, and then validates that the certificate was issued by a trust anchor configured in the account. For more details, see the signature validation documentation. After both validations succeed, your application is now authenticated and IAM Roles Anywhere will create a new role session for the role specified in the request by calling AWS Security Token Service (AWS STS).
3. The application uses the temporary security credentials received to connect to AWS services.

Example Scenario and Walkthrough

Prerequisites

Before you set up IAM Roles Anywhere, you need to have the following requirements in place:

• Certificate bundle of your own CA, or an active AWS Certificate Manager Private Certificate Authority (ACM Private CA) in the same AWS region as IAM Roles Anywhere.
• Network connectivity from virtual machines in VMware Cloud on AWS to execute API calls to IAM Roles Anywhere and other AWS services. You can refer to VMware Cloud on AWS Reference Architectures which depicts various network architecture patterns for VMware Cloud on AWS.
• Administrator permissions for IAM roles and IAM Roles Anywhere.

Set up IAM Roles Anywhere

To use IAM Roles Anywhere for authentication to AWS from your workloads running in VMware Cloud on AWS, you need to create a trust anchor and profile through the IAM Roles Anywhere console. For instructions, refer to the documentation on creating a trust anchor and profile in AWS IAM Roles Anywhere.

Configuration on the VM in VMware Cloud on AWS

Start by verifying an end-entity certificate and associated private key are available locally on the VM in VMware Cloud on AWS. In case you have downloaded the certificates from the ACM Private CA console, you can run the below commands, using the openssl utility, to convert the certificate files from .txt to PEM format:

openssl rsa -in <private_key.txt> -out <private_key.pem> -outform PEM;
openssl x509 -in <certificate.txt> -out <certificate.pem> -outform PEM;

IAM Roles Anywhere provides a credential helper tool that can be used with the process credentials functionality that current AWS SDKs support. This simplifies the signing process for the applications. See the IAM Roles Anywhere documentation to learn how to get the credential helper tool.

To test the functionality, run the credential helper tool (aws_signing_helper) manually on the VM in VMware Cloud on AWS; use the following command:

./aws_signing_helper credential-process \
--certificate /path/to/certificate \
--private-key /path/to/private-key \
--trust-anchor-arn arn:aws:rolesanywhere:region:account:trust-anchor/TA_ID \
--profile-arn arn:aws:rolesanywhere:region:account:profile/PROFILE_ID \
--role-arn arn:aws:iam::account:role/role-name-with-path

You should successfully receive session credentials from IAM Roles Anywhere. Once you have confirmed the setup works, you can choose to update or create the ~/.aws/config file and add the signing helper as a credential_process. This enables unattended access for the VM in VMware Cloud on AWS.

To learn more about the AWS Command Line Interface (CLI) configuration file, see configuration and credential file settings.

[user@server .aws]# cat config
[default]
output = json
region = us-east-1
credential_process = ./aws_signing_helper credential-process —certificate /path/to/certificate.pem —private-key /path/to/private_key.pem —trust-anchor-arn arn:aws:rolesanywhere:<region>:<account_id>:trust-anchor/<id> —profile-arn arn:aws:rolesanywhere:<region>:<account_id>:profile/<id> —role-arn arn:aws:iam::<account_id>:role/<role_name>

To verify the configuration works as expected, run the aws sts get-caller-identity CLI command and confirm the assumed role is what you configured in IAM Roles Anywhere. You should also see the role session name contains the serial number of the certificate that was used to authenticate.

Monitoring AWS IAM Roles Anywhere

AWS provides various monitoring tools that enable you to monitor IAM Roles Anywhere, report when something is wrong, and take automatic actions for events. To learn more, see Monitoring IAM Roles Anywhere.

Cost Considerations

IAM Roles Anywhere is available in supported regions at no additional cost. If you have used ACM Private CA to establish trust with IAM Roles Anywhere, then ACM Private CA standard pricing will apply.

Additional Considerations

You can disable the trust anchor in IAM Roles Anywhere to immediately stop new sessions being issued to virtual machines in VMware Cloud on AWS or choose to immediately revoke all permissions to the role’s credentials issued before a certain point in time.

Certificate revocation is supported through the use of imported certificates revocation lists (CRLs). You can upload a CRL that’s generated from your CA, and certificates used for authentication will be checked for their revocation status. IAM Roles Anywhere does not support callbacks to CRL Distribution Points (CDPs) or Online Certificate Status Protocol (OCSP) endpoints.

Another point is to verify you have securely stored the private keys on your VM with appropriate file system permissions.

Cleanup

Complete the following steps to clean up your resources:

• Delete the trust anchor and profile created as part of earlier steps.
• Delete the IAM role that trusts the IAM Roles Anywhere service principal created as part of earlier steps.
• Update the ~/.aws/config file on the VM in VMware Cloud on AWS, and remove the signing helper as a credential_process configured as part of earlier steps.
• Delete the end-entity certificate and associated private key stored locally on your virtual machine.
• Delete ACM Private CA if created as part of prerequisites.

Conclusion

In this post, we discussed how IAM Roles Anywhere service helps you to enable workloads running on VMware Cloud on AWS to interact with AWS APIs securely by eliminating the need to distribute and embed long-term credentials.

We also covered common use cases for using IAM Roles Anywhere for your workloads running on VMware Cloud on AWS and the relevant setup process on a virtual machine in VMware Cloud on AWS.