{"id":169,"date":"2022-11-20T06:42:27","date_gmt":"2022-11-20T06:42:27","guid":{"rendered":"https:\/\/vasanthselvaraj.com\/?p=169"},"modified":"2025-02-16T02:16:05","modified_gmt":"2025-02-16T02:16:05","slug":"aws-iam-roles-anywhere-advance-topic","status":"publish","type":"post","link":"https:\/\/vasanthselvaraj.com\/?p=169","title":{"rendered":"AWS IAM Roles Anywhere &#8211; Part 2"},"content":{"rendered":"\n<p>In the previous <a href=\"https:\/\/vasanthselvaraj.com\/?p=137\" target=\"_blank\" rel=\"noreferrer noopener\">post<\/a>, I showed you how to set up AWS IAM Roles Anywhere with an external CA. In this post I am going to discuss some advanced topics:<\/p>\n\n\n\n<ul>\n<li>How to revoke a certificate<\/li>\n\n\n\n<li>How to restrict which users can assume an IAM role based on the certificate subject CN value<\/li>\n\n\n\n<li>How to restrict role use to authorised networks only<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">How to revoke a certificate<\/h2>\n\n\n\n<p>There are several scenarios in which you want to revoke an entity certificate, such as a compromised entity or the off-boarding of a user. To demonstrate certificate revocation I am going to use ACM PCA (AWS Certificate Manager Private Certificate Authority), which supports revocation through a certificate revocation list (CRL), the Online Certificate Status Protocol (OCSP), or both. IAM Roles Anywhere has a limitation here: it cannot fetch the CRL from the CRL provider directly, so the CRL has to be imported using the CLI. The steps to revoke a certificate using a CRL are:<\/p>\n\n\n\n<ul>\n<li>Revoke the certificate in ACM PCA; ACM PCA then deposits the updated CRL into an Amazon S3 bucket<\/li>\n\n\n\n<li>Retrieve the CRL from the S3 bucket<\/li>\n\n\n\n<li>Import the CRL into AWS IAM Roles Anywhere<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">ACM PCA revocation<\/h3>\n\n\n\n<p>Log in to the AWS Console and navigate to ACM PCA to revoke a certificate. 
Copy the certificate id and serial number to revoke.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"129\" src=\"http:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-1024x129.png\" alt=\"\" class=\"wp-image-171\" srcset=\"https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-1024x129.png 1024w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-300x38.png 300w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-768x97.png 768w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-1536x193.png 1536w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-2048x257.png 2048w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-850x107.png 850w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"141\" src=\"http:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-1-1024x141.png\" alt=\"\" class=\"wp-image-172\" srcset=\"https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-1-1024x141.png 1024w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-1-300x41.png 300w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-1-768x105.png 768w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-1-1536x211.png 1536w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-1-2048x281.png 2048w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-1-850x117.png 850w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code has-cyan-bluish-gray-background-color has-background\"><code>aws acm-pca revoke-certificate --certificate-authority-arn arn:aws:acm-pca:ap-southeast-2:&lt;AWS ACCOUNT 
ID&gt;:certificate-authority\/4891e018-d1d9-4105-8118-0a01be7cf393 --certificate-serial &lt;certificate serial number&gt; --revocation-reason \"KEY_COMPROMISE\"<\/code><\/pre>\n\n\n\n<p>After the certificate is revoked in ACM PCA, the CA publishes the updated CRL to the S3 bucket. A prerequisite for CRL-based revocation is an S3 bucket configured with the required bucket policy, Block Public Access (BPA) settings and encryption. For more details, see <a href=\"https:\/\/aws.amazon.com\/premiumsupport\/knowledge-center\/acm-pca-crl\/\" target=\"_blank\" rel=\"noreferrer noopener\">configuring CRL with ACM PCA<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Retrieve the CRL from the AWS S3 bucket<\/h3>\n\n\n\n<p>Download the CRL from the S3 bucket and inspect it with openssl; the revoked serial number should be listed under Revoked Certificates.<\/p>\n\n\n\n<pre class=\"wp-block-code has-cyan-bluish-gray-background-color has-background\"><code>aws s3 cp s3:\/\/BUCKET_NAME\/crl\/4891e018-d1d9-4105-8118-0a01be7cf393.crl .<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code has-black-color has-cyan-bluish-gray-background-color has-text-color has-background\"><code> openssl crl -inform DER -in 4891e018-d1d9-4105-8118-0a01be7cf393.crl -noout -text\nCertificate Revocation List (CRL):\n        Version 2 (0x1)\n    Signature Algorithm: sha256WithRSAEncryption\n        Issuer: \/C=AU\/O=IAM Roles Anywhere demo\/OU=STAM\/ST=NSW\/CN=IAM Roles Anywhere root CA\/L=Sydney\n        Last Update: Nov  8 09:29:48 2022 GMT\n        Next Update: Nov 15 10:29:48 2022 GMT\n        CRL extensions:\n            X509v3 CRL Number:\n                1667903388536\n            X509v3 Authority Key Identifier:\n                keyid:6D:2D:9E:1D:76:3C:BD:5A:6B:9F:BC:7B:67:AB:2E:2A:C7:BE:F7:A8\n\nRevoked Certificates:\n    Serial Number: <strong>4636A0D843AEC74C1D7607A40623E335<\/strong>\n        Revocation Date: Nov  8 10:27:52 2022 GMT\n        CRL entry extensions:\n            X509v3 CRL Reason Code:\n                Key Compromise<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Import the CRL to AWS IAM Roles 
Anywhere<\/h3>\n\n\n\n<p>Steps to import the CRL into AWS IAM Roles Anywhere:<\/p>\n\n\n\n<ol>\n<li>Convert the CRL downloaded from the S3 bucket from DER to PEM<\/li>\n\n\n\n<li>Upload the CRL using the <code>import-crl<\/code> command<\/li>\n\n\n\n<li>Enable the CRL using the CLI; the CRL is then in effect<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl crl -inform DER -in 4891e018-d1d9-4105-8118-0a01be7cf393.crl &gt; revoke.pem\n\naws rolesanywhere import-crl --crl-data fileb:\/\/revoke.pem \\\n--name Revoke-CRL \\\n--trust-anchor-arn arn:aws:rolesanywhere:ap-southeast-2:XXXXXXX:trust-anchor\/166bddfd-1ac1-4d0a-aa97-5b5b5b077db3\n\naws rolesanywhere list-crls\naws rolesanywhere enable-crl --crl-id &lt;CRL Value&gt;<\/code><\/pre>\n\n\n\n<p>With the CRL enabled, a client that presents the revoked certificate is denied credentials:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u276f aws s3 ls\n\nError when retrieving credentials from custom-process: 2022\/11\/19 19:04:36 AccessDeniedException:<em><strong> Certificate revoked<\/strong><\/em><\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">How to restrict the user assuming IAM role based on subject CN value<\/h2>\n\n\n\n<p>Once you start signing entity certificates with the root CA, every certificate it issues is trusted equally, so one way to restrict certain roles to certain users is to add a condition on the certificate subject to the IAM role trust policy.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": &#91;\n        {\n            \"Sid\": \"\",\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n                \"Service\": \"rolesanywhere.amazonaws.com\"\n            },\n            \"Action\": &#91;\n                \"sts:AssumeRole\",\n                \"sts:SetSourceIdentity\",\n                \"sts:TagSession\"\n            ],\n            \"Condition\": {\n                \"StringEquals\": {\n<strong>                    \"aws:PrincipalTag\/x509Subject\/CN\": \"terraform.iamrole.test\"<\/strong>\n                }\n            }\n        }\n    
]\n}<\/code><\/pre>\n\n\n\n<p>For more ways to restrict role access, refer to the <a href=\"https:\/\/docs.aws.amazon.com\/rolesanywhere\/latest\/userguide\/trust-model.html\" target=\"_blank\" rel=\"noreferrer noopener\">documentation<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to restrict access to authorised networks?<\/h2>\n\n\n\n<p>One way to restrict access is with a session policy, which further limits the permissions granted by the role&#8217;s permission policy; here a source IP address condition is used:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"994\" src=\"http:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-2-1024x994.png\" alt=\"\" class=\"wp-image-176\" srcset=\"https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-2-1024x994.png 1024w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-2-300x291.png 300w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-2-768x745.png 768w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-2-1536x1490.png 1536w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-2-850x825.png 850w, https:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-2.png 1614w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">IP Condition <\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>We have learnt how to achieve fine-grained access based on the certificate subject and on CIDR address, using the trust policy and session policies respectively, and how to revoke a certificate using a CRL.<\/p>\n\n\n\n<p>IAM Roles Anywhere is an X.509 certificate-based authentication mechanism that provides access to AWS resources from on-premises or other cloud providers. 
Regardless, security controls is required to protect the certificate private keys using ACL and certificate issuances should be governed appropriately.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the previous post, I showed you how to create AWS IAM Roles Anywhere with external CA and in this post am going to discuss about some advance topics such as How to revoke a certificate There are multiple scenarios where you want to revoke an entity certificates like compromised entity or during off-boarding of&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0},"categories":[8,4],"tags":[12,10,13],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.8.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>AWS IAM Roles Anywhere - Part 2 - Vasanth Selvaraj<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/vasanthselvaraj.com\/?p=169\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"AWS IAM Roles Anywhere - Part 2 - Vasanth Selvaraj\" \/>\n<meta property=\"og:description\" content=\"In the previous post, I showed you how to create AWS IAM Roles Anywhere with external CA and in this post am going to discuss about some advance topics such as How to revoke a certificate There are multiple scenarios where you want to revoke an entity certificates like compromised entity or during off-boarding of...\" \/>\n<meta 
property=\"og:url\" content=\"https:\/\/vasanthselvaraj.com\/?p=169\" \/>\n<meta property=\"og:site_name\" content=\"Vasanth Selvaraj\" \/>\n<meta property=\"article:published_time\" content=\"2022-11-20T06:42:27+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-02-16T02:16:05+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-1024x129.png\" \/>\n<meta name=\"author\" content=\"VS\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"VS\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/vasanthselvaraj.com\/?p=169\",\"url\":\"https:\/\/vasanthselvaraj.com\/?p=169\",\"name\":\"AWS IAM Roles Anywhere - Part 2 - Vasanth Selvaraj\",\"isPartOf\":{\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#website\"},\"datePublished\":\"2022-11-20T06:42:27+00:00\",\"dateModified\":\"2025-02-16T02:16:05+00:00\",\"author\":{\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/4f1389c368b6d56abbf122ef1ffddb0d\"},\"breadcrumb\":{\"@id\":\"https:\/\/vasanthselvaraj.com\/?p=169#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/vasanthselvaraj.com\/?p=169\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/vasanthselvaraj.com\/?p=169#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/box2411.temp.domains\/~vasselva\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"AWS IAM Roles Anywhere &#8211; Part 
2\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#website\",\"url\":\"https:\/\/box2411.temp.domains\/~vasselva\/\",\"name\":\"Vasanth Selvaraj\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/box2411.temp.domains\/~vasselva\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/4f1389c368b6d56abbf122ef1ffddb0d\",\"name\":\"VS\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f363d6f3a44a96f83133417d14b78c63?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f363d6f3a44a96f83133417d14b78c63?s=96&d=mm&r=g\",\"caption\":\"VS\"},\"url\":\"https:\/\/vasanthselvaraj.com\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"AWS IAM Roles Anywhere - Part 2 - Vasanth Selvaraj","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/vasanthselvaraj.com\/?p=169","og_locale":"en_US","og_type":"article","og_title":"AWS IAM Roles Anywhere - Part 2 - Vasanth Selvaraj","og_description":"In the previous post, I showed you how to create AWS IAM Roles Anywhere with external CA and in this post am going to discuss about some advance topics such as How to revoke a certificate There are multiple scenarios where you want to revoke an entity certificates like compromised entity or during off-boarding of...","og_url":"https:\/\/vasanthselvaraj.com\/?p=169","og_site_name":"Vasanth Selvaraj","article_published_time":"2022-11-20T06:42:27+00:00","article_modified_time":"2025-02-16T02:16:05+00:00","og_image":[{"url":"http:\/\/vasanthselvaraj.com\/wp-content\/uploads\/2022\/11\/image-1024x129.png"}],"author":"VS","twitter_card":"summary_large_image","twitter_misc":{"Written by":"VS","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/vasanthselvaraj.com\/?p=169","url":"https:\/\/vasanthselvaraj.com\/?p=169","name":"AWS IAM Roles Anywhere - Part 2 - Vasanth Selvaraj","isPartOf":{"@id":"https:\/\/box2411.temp.domains\/~vasselva\/#website"},"datePublished":"2022-11-20T06:42:27+00:00","dateModified":"2025-02-16T02:16:05+00:00","author":{"@id":"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/4f1389c368b6d56abbf122ef1ffddb0d"},"breadcrumb":{"@id":"https:\/\/vasanthselvaraj.com\/?p=169#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/vasanthselvaraj.com\/?p=169"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/vasanthselvaraj.com\/?p=169#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/box2411.temp.domains\/~vasselva"},{"@type":"ListItem","position":2,"name":"AWS IAM Roles Anywhere &#8211; Part 2"}]},{"@type":"WebSite","@id":"https:\/\/box2411.temp.domains\/~vasselva\/#website","url":"https:\/\/box2411.temp.domains\/~vasselva\/","name":"Vasanth Selvaraj","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/box2411.temp.domains\/~vasselva\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/4f1389c368b6d56abbf122ef1ffddb0d","name":"VS","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/box2411.temp.domains\/~vasselva\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/f363d6f3a44a96f83133417d14b78c63?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f363d6f3a44a96f83133417d14b78c63?s=96&d=mm&r=g","caption":"VS"},"url":"https:\/\/vasanthselvaraj.com\/?author=1"}]}},"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/posts\/169"}],"collection":[{"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=169"}],"version-history":[{"count":6,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/posts\/169\/revisions"}],"predecessor-version":[{"id":305,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=\/wp\/v2\/posts\/169\/revisions\/305"}],"wp:attachment":[{"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=169"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=169"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vasanthselvaraj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=169"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}