
IAM Roles Anywhere: Secure AWS Access for Hybrid and On-Premises Workloads

6 min read • by Security Team


The Problem with Long-Term Credentials

On-premises servers, CI/CD runners, and hybrid workloads that need AWS access have traditionally relied on IAM access keys. These long-term credentials are a significant security risk:

  • Access keys do not expire unless manually rotated
  • Leaked keys grant persistent access until discovered and revoked
  • Key rotation requires coordinated deployment across all systems
  • There is no native way to scope key permissions by workload identity

IAM Roles Anywhere solves this by letting on-premises workloads authenticate to AWS using X.509 certificates issued by your own certificate authority (CA). Instead of static access keys, workloads receive temporary credentials that expire automatically.

Architecture Overview

The IAM Roles Anywhere flow works as follows:

  1. Your CA issues an X.509 certificate to an on-premises workload
  2. The workload presents the certificate to IAM Roles Anywhere
  3. Roles Anywhere validates the certificate against a registered trust anchor
  4. If valid, Roles Anywhere returns temporary AWS credentials scoped to a configured IAM role
  5. The workload uses these credentials like any other AWS session

Setting Up IAM Roles Anywhere

Step 1: Create a Trust Anchor

A trust anchor is the root of trust for IAM Roles Anywhere. You can use AWS Private CA or bring your own external CA.

# Create a trust anchor using AWS Private CA
aws rolesanywhere create-trust-anchor \
  --name "on-prem-workloads-ca" \
  --source "sourceType=AWS_ACM_PCA,sourceData={acmPcaArn=arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/abcd1234-ef56-gh78-ij90-klmnopqrstuv}" \
  --enabled

# Or create a trust anchor with an external CA certificate
aws rolesanywhere create-trust-anchor \
  --name "external-ca-trust" \
  --source "sourceType=CERTIFICATE_BUNDLE,sourceData={x509CertificateData=$(cat /path/to/ca-cert.pem)}" \
  --enabled

# List trust anchors to verify
aws rolesanywhere list-trust-anchors \
  --query 'trustAnchors[].{Name:name,Id:trustAnchorId,Enabled:enabled}' \
  --output table

Step 2: Create the IAM Role

The IAM role must have a trust policy that allows Roles Anywhere to assume it. You can restrict which certificates can assume the role using condition keys.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "rolesanywhere.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetSourceIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/x509Subject/CN": "backup-server.corp.example.com"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/abcd1234-ef56-gh78-ij90-klmnopqrstuv"
        }
      }
    }
  ]
}

This trust policy restricts role assumption to certificates with a specific Common Name (CN) issued by a specific trust anchor. This prevents any arbitrary certificate from your CA from assuming sensitive roles.
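To make the effect of those two condition keys concrete, here is a small evaluator (added for this post; not AWS code and not a full IAM policy engine) that builds the request context Roles Anywhere presents for a certificate, then checks it against the trust policy above. It also shows what happens when the Condition block is dropped. The mapping of the certificate CN onto aws:PrincipalTag/x509Subject/CN and of the trust anchor onto aws:SourceArn follows the condition keys used in the policy; Deny statements and other operators are not modelled.

```python
import json
import fnmatch

# The role trust policy from the post, loaded verbatim.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "rolesanywhere.amazonaws.com"},
      "Action": ["sts:AssumeRole", "sts:SetSourceIdentity", "sts:TagSession"],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/x509Subject/CN": "backup-server.corp.example.com"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/abcd1234-ef56-gh78-ij90-klmnopqrstuv"
        }
      }
    }
  ]
}
""")

TRUST_ANCHOR = "arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/abcd1234-ef56-gh78-ij90-klmnopqrstuv"


def request_context(subject_cn, trust_anchor_arn):
    """Build the request context IAM evaluates for a Roles Anywhere session.
    Certificate attributes are exposed as principal tags, so the certificate
    CN appears as aws:PrincipalTag/x509Subject/CN, and the trust anchor that
    validated the certificate appears as aws:SourceArn."""
    return {
        "aws:PrincipalTag/x509Subject/CN": subject_cn,
        "aws:SourceArn": trust_anchor_arn,
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(operator, key, expected, context):
    """Evaluate one condition entry (simplified: only the operators a Roles
    Anywhere trust policy typically uses are handled)."""
    actual = context.get(key)
    if actual is None:
        # A missing context key never satisfies an equality-style condition.
        return False
    candidates = _as_list(expected)
    if operator in ("StringEquals", "ArnEquals"):
        return actual in candidates
    if operator in ("StringLike", "ArnLike"):
        return any(fnmatch.fnmatchcase(actual, pattern) for pattern in candidates)
    raise ValueError(f"unsupported condition operator: {operator}")


def can_assume(policy, context):
    """True if an Allow statement lets rolesanywhere.amazonaws.com call
    sts:AssumeRole with every condition satisfied by the context."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Service") != "rolesanywhere.amazonaws.com":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        conditions = stmt.get("Condition", {})
        if all(
            condition_matches(op, key, expected, context)
            for op, entries in conditions.items()
            for key, expected in entries.items()
        ):
            return True
    return False


def without_conditions(policy):
    """Copy of the policy with every Condition block removed: the
    misconfiguration the text warns about, where any certificate validated
    by any trust anchor can assume the role."""
    stripped = json.loads(json.dumps(policy))
    for stmt in stripped["Statement"]:
        stmt.pop("Condition", None)
    return stripped


if __name__ == "__main__":
    cases = [
        ("backup-server.corp.example.com", TRUST_ANCHOR),
        ("dev-laptop.corp.example.com", TRUST_ANCHOR),
        ("backup-server.corp.example.com", TRUST_ANCHOR.replace("abcd1234", "ffff0000")),
    ]
    for cn, anchor in cases:
        print(f"{cn:32} anchor ...{anchor[-8:]}  -> {can_assume(TRUST_POLICY, request_context(cn, anchor))}")
    print("unscoped policy, dev laptop ->",
          can_assume(without_conditions(TRUST_POLICY),
                     request_context("dev-laptop.corp.example.com", TRUST_ANCHOR)))
```

Run it and only the backup server's certificate, presented through the registered trust anchor, is accepted; the same CN via another trust anchor, or another CN via the right anchor, is refused. With the conditions stripped, the developer laptop's certificate is accepted too, which is exactly the "any certificate from your CA" exposure the trust policy is there to close.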

Step 3: Create a Profile

Profiles link trust anchors to IAM roles and can apply additional session policies to further restrict permissions.

# Create a profile with a session policy that restricts S3 access
aws rolesanywhere create-profile \
  --name "backup-server-profile" \
  --role-arns "arn:aws:iam::123456789012:role/OnPremBackupRole" \
  --session-policy '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "s3:PutObject",
          "s3:GetObject",
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::corp-backups-prod",
          "arn:aws:s3:::corp-backups-prod/*"
        ]
      }
    ]
  }' \
  --duration-seconds 3600 \
  --enabled

The session policy acts like a permissions boundary for the temporary credentials: the effective permissions are the intersection of what the IAM role's policies allow and what the session policy allows. Even if the underlying IAM role has broader permissions, the session policy restricts the effective permissions to only what the workload needs.
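The intersection rule is easy to state and easy to get wrong in a review, so here is a worked check (added example, not AWS's evaluator) that takes a deliberately broad role policy, the session policy from the create-profile call above, and a few action/resource pairs, and reports what the role alone would allow versus what the credentials issued through the profile can actually do. The role policy and the over-reaching session policy are constructed for the example; conditions are not modelled.

```python
import fnmatch

# Constructed: the role's own permissions policy is deliberately broader
# than the backup job needs (anything in S3, on any bucket).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# The session policy from the create-profile command in the post.
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::corp-backups-prod",
                "arn:aws:s3:::corp-backups-prod/*",
            ],
        }
    ],
}

# Constructed: a session policy that tries to grant something the role lacks.
OVERREACHING_SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(value, pattern):
    # IAM wildcards are '*' and '?'; fnmatchcase implements both.
    return fnmatch.fnmatchcase(value, pattern)


def policy_allows(policy, action, resource):
    """Simplified evaluation of one policy document: an explicit Deny wins
    over any Allow, and no matching statement means implicit deny.
    Actions are compared case-insensitively, resources (ARNs) as given."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_iam_match(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(_iam_match(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allow(role_policy, session_policy, action, resource):
    """Credentials obtained through the profile can only do what BOTH the
    role's policies and the session policy allow: the session policy can
    narrow the role but never widen it."""
    return policy_allows(role_policy, action, resource) and policy_allows(session_policy, action, resource)


if __name__ == "__main__":
    checks = [
        ("s3:PutObject", "arn:aws:s3:::corp-backups-prod/2024/db.dump"),
        ("s3:ListBucket", "arn:aws:s3:::corp-backups-prod"),
        ("s3:DeleteObject", "arn:aws:s3:::corp-backups-prod/2024/db.dump"),
        ("s3:GetObject", "arn:aws:s3:::other-team-bucket/secret.txt"),
    ]
    for action, resource in checks:
        print(f"{action:16} {resource:48} role={policy_allows(ROLE_POLICY, action, resource)!s:5} "
              f"effective={effective_allow(ROLE_POLICY, SESSION_POLICY, action, resource)}")
    print("ec2:DescribeInstances via over-reaching session policy ->",
          effective_allow(ROLE_POLICY, OVERREACHING_SESSION_POLICY, "ec2:DescribeInstances", "*"))
```

The role alone would let the workload delete backups and read other teams' buckets; with the session policy applied, only put/get/list on the one backup bucket survives. The last line shows the other direction: a session policy cannot hand out ec2 permissions the role never had, so the session policy is a narrowing control, and the role's own policy still has to be kept tight.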

Using the Credential Helper

AWS provides a credential helper tool (aws_signing_helper) that workloads use to obtain and refresh credentials automatically.

# Install the credential helper
curl -o aws_signing_helper https://rolesanywhere.amazonaws.com/releases/1.1.1/X86_64/Linux/aws_signing_helper
chmod +x aws_signing_helper

# Obtain temporary credentials
./aws_signing_helper credential-process \
  --certificate /etc/pki/workload/cert.pem \
  --private-key /etc/pki/workload/key.pem \
  --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/abcd1234 \
  --profile-arn arn:aws:rolesanywhere:us-east-1:123456789012:profile/efgh5678 \
  --role-arn arn:aws:iam::123456789012:role/OnPremBackupRole

# Configure AWS CLI to use the credential helper automatically
# Add to ~/.aws/config:
# [profile on-prem-backup]
# credential_process = /usr/local/bin/aws_signing_helper credential-process \
#   --certificate /etc/pki/workload/cert.pem \
#   --private-key /etc/pki/workload/key.pem \
#   --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/abcd1234 \
#   --profile-arn arn:aws:rolesanywhere:us-east-1:123456789012:profile/efgh5678 \
#   --role-arn arn:aws:iam::123456789012:role/OnPremBackupRole

Certificate Rotation and Revocation

Rotation Strategy

Certificate rotation should be automated and frequent. Short-lived certificates (30-90 days) reduce the window of exposure if a certificate is compromised.

  • Use your CA's auto-enrollment features to issue new certificates before expiry
  • Deploy new certificates alongside the old ones and switch over gracefully
  • Monitor certificate expiration dates with CloudWatch custom metrics
  • Never share certificates across multiple workloads

Certificate Revocation

If a workload is decommissioned or compromised, you need to revoke its certificate immediately. Roles Anywhere supports both CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol).

Import a CRL into your trust anchor to block specific certificates without replacing the entire CA chain. This is critical for incident response when you need to cut access to a single compromised host without disrupting other workloads.

Use Cases for Hybrid Environments

  • Database backups - On-premises database servers push encrypted backups to S3 using scoped credentials
  • Log shipping - Application servers forward logs to CloudWatch or Kinesis without static keys
  • CI/CD pipelines - Jenkins or GitLab runners on corporate infrastructure deploy to AWS
  • Monitoring integration - On-premises monitoring tools query CloudWatch metrics and alarms
  • Disaster recovery - Failover scripts access AWS resources during regional outages

Security Best Practices

  • One certificate per workload - Never share certificates across servers or applications
  • Restrict trust policies - Use certificate subject conditions to limit which certs can assume each role
  • Short session durations - Set duration-seconds to the minimum needed (900-3600 seconds)
  • Enable CloudTrail logging - All Roles Anywhere API calls are logged, including the certificate subject
  • Use session policies - Always attach a session policy to the profile so the effective permissions are narrower than what the IAM role alone allows
  • Monitor trust anchor activity - Alert on unexpected certificate subjects or unusual access patterns
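The last two practices (CloudTrail logging and monitoring for unexpected subjects) come together in a simple detection pass. The following is an added example, not part of the post or any AWS tooling: it runs a baseline of expected certificate subjects, registered trust anchors and corporate egress networks over a handful of constructed CloudTrail-style CreateSession records and reports what does not fit. The record layout, in particular the x509Subject field under additionalEventData, is an assumption made for the example; confirm the field names against your own CreateSession events before wiring this to an alert.

```python
import ipaddress

# Baseline (constructed): which certificate subjects are expected to obtain
# each role, and the trust anchors this account actually registered.
EXPECTED_SUBJECTS = {
    "arn:aws:iam::123456789012:role/OnPremBackupRole": {"backup-server.corp.example.com"},
}
REGISTERED_TRUST_ANCHORS = {
    "arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/abcd1234",
}
# Networks the on-premises workloads egress from (constructed; documentation range).
CORP_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

ANCHOR = "arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/abcd1234"
PROFILE = "arn:aws:rolesanywhere:us-east-1:123456789012:profile/efgh5678"
ROLE = "arn:aws:iam::123456789012:role/OnPremBackupRole"


def _event(cn, source_ip, anchor=ANCHOR):
    # Helper that builds a constructed CloudTrail-style CreateSession record.
    # The additionalEventData/x509Subject layout is an assumption for this example.
    return {
        "eventSource": "rolesanywhere.amazonaws.com",
        "eventName": "CreateSession",
        "sourceIPAddress": source_ip,
        "requestParameters": {"trustAnchorArn": anchor, "profileArn": PROFILE, "roleArn": ROLE},
        "additionalEventData": {"x509Subject": f"CN={cn},O=Example Corp"},
    }


SAMPLE_EVENTS = [
    _event("backup-server.corp.example.com", "203.0.113.10"),   # 0: expected
    _event("dev-laptop.corp.example.com", "203.0.113.22"),      # 1: another cert from the same CA took the backup role
    _event("backup-server.corp.example.com", "198.51.100.7",    # 2: right CN, wrong network, anchor we never registered
           anchor=ANCHOR.replace("abcd1234", "ffff0000")),
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",   # 3: unrelated, ignored
     "sourceIPAddress": "203.0.113.10", "requestParameters": {}},
]


def subject_cn(event):
    """Pull the CN out of an RFC 4514-style subject string such as 'CN=host,O=Org'."""
    subject = event.get("additionalEventData", {}).get("x509Subject", "")
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None


def analyse(event):
    """Return a list of finding strings for one record (empty list = nothing to raise)."""
    if event.get("eventSource") != "rolesanywhere.amazonaws.com" or event.get("eventName") != "CreateSession":
        return []
    findings = []
    params = event.get("requestParameters", {})
    anchor, role, cn = params.get("trustAnchorArn"), params.get("roleArn"), subject_cn(event)

    if anchor not in REGISTERED_TRUST_ANCHORS:
        findings.append(f"session via unregistered trust anchor {anchor}")
    if role not in EXPECTED_SUBJECTS:
        findings.append(f"session for role with no baseline: {role}")
    elif cn not in EXPECTED_SUBJECTS[role]:
        findings.append(f"unexpected certificate subject {cn!r} for {role}")

    src = event.get("sourceIPAddress", "")
    try:
        if not any(ipaddress.ip_address(src) in net for net in CORP_EGRESS):
            findings.append(f"CreateSession from outside corporate egress: {src}")
    except ValueError:
        findings.append(f"unparseable sourceIPAddress {src!r}")
    if event.get("errorCode"):
        findings.append(f"failed CreateSession: {event['errorCode']}")
    return findings


def scan(events):
    """Map event index -> findings, listing only records that raised something."""
    return {i: f for i, f in ((i, analyse(e)) for i, e in enumerate(events)) if f}


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        for finding in findings:
            print(f"event[{idx}]: {finding}")
```

Event 1 is the case the "one certificate per workload" and "restrict trust policies" practices exist for: a valid certificate from your CA, just not the one that should be using this role. Event 2 raises two findings, a trust anchor the account never registered and a source address outside the expected egress range, either of which merits a look at who controls that certificate. Failed CreateSession calls (errorCode set) are also surfaced, since repeated rejections of the same subject are an early sign of a stolen or misissued certificate being tried.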

Securing Roles Anywhere with AccessLens

IAM Roles Anywhere eliminates long-term credentials for hybrid workloads, but it introduces new trust relationships that must be continuously monitored. A misconfigured trust policy or overly broad session policy can expose your AWS accounts to any certificate holder in your PKI infrastructure.

AccessLens helps secure your Roles Anywhere deployment by providing:

  • Trust anchor analysis that maps which certificates can assume which roles across your accounts
  • Session policy evaluation that identifies profiles with overpermissive or missing session restrictions
  • Trust relationship visualization that shows the complete chain from CA to trust anchor to role to permissions
  • Anomaly detection that alerts you when new certificate subjects appear or access patterns change
  • Cross-account risk scoring that quantifies the blast radius if a workload certificate is compromised

Roles Anywhere is a major security improvement over static access keys, but only if the trust relationships and session policies are configured correctly and monitored continuously.

Secure your Roles Anywhere deployment with AccessLens and gain visibility into every certificate-to-role trust relationship across your hybrid environment.

Don't trade one set of credential risks for another. Get the IAM visibility you need to keep hybrid access secure.

Ready to secure your AWS environment?

Get comprehensive IAM visibility across all your AWS accounts in minutes.