From 7e15c4b1cdfb2ba33c10dbfe7552b3d4e5d6c52e Mon Sep 17 00:00:00 2001 From: Noah Stride Date: Fri, 18 Oct 2024 12:22:37 +0100 Subject: [PATCH] Update notes on AWS constraints --- aws.md | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/aws.md b/aws.md index 431ee77..47262a2 100644 --- a/aws.md +++ b/aws.md 
@@ -1,18 +1,32 @@ # AWS Roles Anywhere +Some notes on authenticating to AWS using X.509 certificates through the +AWS Roles Anywhere API. + ## Useful Resources - https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication.html - https://docs.aws.amazon.com/rolesanywhere/latest/userguide/trust-model.html - https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-sign-process.html -## Constraints +## Important Constraints + +### Certificates -End entity certificates must satisfy the following constraints to be used for authentication: -- The certificates MUST be X.509v3. -- Basic constraints MUST include CA: false. -- The key usage MUST include Digital Signature. -- The signing algorithm MUST include SHA256 or stronger. MD5 and SHA1 signing algorithms are rejected. +> End entity certificates must satisfy the following constraints to be used for authentication: +> +> - The certificates MUST be X.509v3. +> - Basic constraints MUST include CA: false. +> - The key usage MUST include Digital Signature. +> - The signing algorithm MUST include SHA256 or stronger. MD5 and SHA1 signing algorithms are rejected. + +### Keys > RSA and EC keys are supported; RSA keys are used with the RSA PKCS# v1.5 signing algorithm. EC keys are used with the ECDSA. +This seems like a relatively small problem. The SPIFFE spec does not make +comment on permissible key types, and therefore, an implementation of SPIFFE +could choose to use something other than EC or RSA. However, most +implementations of SPIFFE today (e.g SPIRE, Teleport Workload Identity) use +either EC or RSA as the default and indeed only support EC or RSA. +
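Review bot: the two `>` blockquotes in this hunk (the certificate constraint list under `### Certificates` and the `RSA and EC keys are supported` line under `### Keys`) quote the AWS documentation without attribution, so a reader cannot tell which of the three pages listed under `## Useful Resources` they come from or check whether the wording is still current; add a source line with the page URL directly under each quote. While checking that, look at the quoted `RSA PKCS# v1.5`, which reads like a dropped digit for PKCS#1 v1.5: if the source page spells it that way, mark it `[sic]`, otherwise correct the quote. In the new SPIFFE paragraph, `e.g SPIRE` needs its period (`e.g.`), and "This seems like a relatively small problem" never states the problem; say it explicitly, for instance "a SPIFFE X509-SVID whose key is neither RSA nor EC cannot be used to authenticate to Roles Anywhere", which is the case the rest of the paragraph argues is rare in practice because SPIRE and Teleport Workload Identity only issue EC or RSA keys.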