Dhruv AHUJA

Dhruv is a former SRE and founded Chaser Systems in 2020. He's mostly Wiresharking, tinkering with PKI or tuning stacks as he once did in the low-latency world of financial data, only this time for network security. He is also a Rust programmer, cares deeply about developer experience, dabbles in cryptography and holds a master's degree in Advanced Software Engineering from King's College London. He's always 5 years of practice away from being able to play Chopin on the piano – an accomplishment that will surely coincide with IPv6 overtaking IPv4.


What is your BlueSky handle?

https://bsky.app/profile/new23d.bsky.social

What is your LinkedIn?

https://www.linkedin.com/in/new23d/

What is your Mastodon?

https://infosec.exchange/@new23d

What is your X (Twitter)?

https://x.com/new23d


Session

06-30
13:00
20min
IAM Roles Anywhere – now for everyone with Let's Encrypt
Dhruv AHUJA

This talk explores a lesser-known technique for safely deploying IAM Roles Anywhere (IAMRA) on platforms that have no key management service or secret storage.

An impediment to the adoption of IAMRA is the absence of an existing PKI, or the expense and expertise needed to run a Private CA. We will therefore look at integrating Route 53 (for DNS-01 challenges) with an ACME-enabled CA such as Let's Encrypt, so that device enrollment gets autonomous, short-lived certificate issuance.

Come along for a deep dive into:

(1) Configuring IAMRA with targeted CA certificates.
(2) Certificate Attribute Mappings for client authentication.
(3) The corresponding Trust Policy on a Role.
(4) Extending the AWS SDKs via the IAMRA credential helper (credential_process) so temporary session credentials are transparently returned to the calling process.

We will also build detection, from CloudTrail logs, for abuse of a device's private key should it leak.
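The role trust policy from steps (2) and (3) and the CloudTrail detection mentioned above, as an added Python example that is not part of the talk or of Chaser Systems' code. The policy shape (the Roles Anywhere service principal, aws:SourceArn pinned to the trust anchor, the x509Subject/CN session tag that Roles Anywhere derives from the client certificate) follows AWS documentation; the CloudTrail records are constructed, and the certificate fields under additionalEventData, the device inventory, host names and ARNs are assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# --- Part 1: the trust policy on the Role (steps 1-3 of the abstract) -------
# With a public CA such as Let's Encrypt as the trust anchor, any certificate
# that chains to it would otherwise be accepted, so the policy must also pin
# the certificate identity. Here it requires the Subject CN session tag to be
# on the enrollment list; aws:SourceArn ties the statement to one trust anchor.
def trust_policy(trust_anchor_arn, allowed_cns):
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "rolesanywhere.amazonaws.com"},
            "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
            "Condition": {
                "ArnEquals": {"aws:SourceArn": trust_anchor_arn},
                "StringEquals": {"aws:PrincipalTag/x509Subject/CN": sorted(allowed_cns)},
            },
        }],
    }

# --- Part 2: detecting abuse of a leaked private key from CloudTrail ----------
# Constructed sample CloudTrail records, not real logs. eventSource, eventName,
# sourceIPAddress and requestParameters follow CloudTrail's documented shape for
# a Roles Anywhere CreateSession; the certificate fields under
# additionalEventData (certificateSerialNumber, subject) are an assumption.
SAMPLE_CLOUDTRAIL = r"""
{"eventTime":"2024-01-15T10:00:01Z","eventSource":"rolesanywhere.amazonaws.com","eventName":"CreateSession","sourceIPAddress":"198.51.100.14","requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/edge-device","trustAnchorArn":"arn:aws:rolesanywhere:eu-west-1:123456789012:trust-anchor/EXAMPLE"},"additionalEventData":{"certificateSerialNumber":"03A1","subject":"CN=sensor-01.example.net"}}
{"eventTime":"2024-01-15T10:05:07Z","eventSource":"rolesanywhere.amazonaws.com","eventName":"CreateSession","sourceIPAddress":"203.0.113.77","requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/edge-device"},"additionalEventData":{"certificateSerialNumber":"03A1","subject":"CN=sensor-01.example.net"}}
{"eventTime":"2024-01-15T10:06:00Z","eventSource":"rolesanywhere.amazonaws.com","eventName":"CreateSession","sourceIPAddress":"198.51.100.30","requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/edge-device"},"additionalEventData":{"certificateSerialNumber":"03B2","subject":"CN=sensor-02.example.net"}}
{"eventTime":"2024-01-15T10:07:00Z","eventSource":"rolesanywhere.amazonaws.com","eventName":"CreateSession","sourceIPAddress":"198.51.100.31","requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/edge-device"},"additionalEventData":{"certificateSerialNumber":"03C3","subject":"CN=rogue.example.net"}}
{"eventTime":"2024-01-15T10:08:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.14"}
"""

# Hypothetical enrollment inventory: the Subject CN each device's Let's Encrypt
# certificate carries, and the network the device is expected to call from.
INVENTORY = {
    "sensor-01.example.net": ipaddress.ip_network("198.51.100.0/24"),
    "sensor-02.example.net": ipaddress.ip_network("198.51.100.0/24"),
}

def subject_cn(subject):
    """Return the CN from an RFC 4514 style subject such as 'CN=host,O=Org'."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None

def create_session_events(raw):
    """Yield only Roles Anywhere CreateSession records from newline-delimited JSON."""
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        if ev.get("eventSource") == "rolesanywhere.amazonaws.com" and ev.get("eventName") == "CreateSession":
            yield ev

def detect_key_abuse(raw):
    """Flag sessions that a leaked device key would produce:
    an unknown subject, a known subject from an unexpected network, or one
    certificate serial minting sessions from more than one source address."""
    findings = []
    sources_per_serial = defaultdict(set)
    for ev in create_session_events(raw):
        extra = ev.get("additionalEventData", {})
        serial = extra.get("certificateSerialNumber")
        cn = subject_cn(extra.get("subject", ""))
        src = ipaddress.ip_address(ev["sourceIPAddress"])
        sources_per_serial[serial].add(src)
        if cn not in INVENTORY:
            findings.append(("UNKNOWN_SUBJECT", cn, str(src)))
        elif src not in INVENTORY[cn]:
            findings.append(("UNEXPECTED_SOURCE", cn, str(src)))
    for serial, ips in sources_per_serial.items():
        if len(ips) > 1:
            findings.append(("MULTI_SOURCE_SERIAL", serial, ",".join(sorted(map(str, ips)))))
    return findings

if __name__ == "__main__":
    anchor = "arn:aws:rolesanywhere:eu-west-1:123456789012:trust-anchor/EXAMPLE"
    print(json.dumps(trust_policy(anchor, INVENTORY), indent=2))
    for finding in detect_key_abuse(SAMPLE_CLOUDTRAIL):
        print(*finding)
```

The three rules are deliberately cheap to run over a CloudTrail export: the first two need only the enrollment inventory, and the third needs no inventory at all, which makes it the useful one when the leaked key belongs to a device whose network you do not know. On the device side nothing changes: the credential helper (`aws_signing_helper credential-process`, wired in as `credential_process` in the AWS config profile) keeps handing short-lived session credentials to the SDK.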

For contrast, using a hardware-backed private key store, such as a YubiKey, with an ACME-enabled PKI will also be demonstrated.

Mapping the frontier: supporting new clouds and technology
Room 1