https://aws.amazon.com/ko/blogs/security/iam-roles-anywhere-with-an-external-certificate-authority/
$ openssl genrsa -aes256 -out test-rootca.key 2048
# 비밀번호 입력
# CSR 요청 파일 생성
$ cat test_rootca_openssl.conf
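# test_rootca_openssl.conf -- OpenSSL config for the self-signed root CA.
# Read by `openssl req -new -config ...` (CSR) and by
# `openssl x509 -req -extfile ... -extensions v3_ca` (self-signed CA cert).
# OpenSSL's config parser treats both " and ' as quote delimiters and drops
# everything after an unquoted # as a comment, so apostrophes in values below
# are escaped as \' and comments are kept on their own lines.
[req]
default_bits = 2048
default_md = sha256
# private key file; the CSR command also passes it explicitly with -key
default_keyfile = test-rootca.key
distinguished_name = req_distinguished_name
extensions = v3_ca
req_extensions = v3_ca

[v3_ca]
# pathlen:0 -- this root may sign end-entity certs only, not intermediate CAs
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
##authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = keyCertSign, cRLSign
nsCertType = sslCA, emailCA, objCA

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = KR
countryName_min = 2
countryName_max = 2
organizationName = Organization Name (eg, company)
# organization name
organizationName_default = test Inc.
organizationalUnitName = Organizational Unit Name (eg, section)
# project name
organizationalUnitName_default = test project
# an unescaped ' would open a quoted run and swallow the rest of the line
commonName = Common Name (eg, your name or your server\'s hostname)
# CN of the root CA (escaped for the same reason as the prompt above)
commonName_default = test\'s Self Signed CA
commonName_max = 64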
# CSR 생성
$ openssl req -new -key test-rootca.key -out test-rootca.csr -config test_rootca_openssl.conf
# CRT 파일 생성
$ openssl x509 -req -days 3650 \
-extensions v3_ca \
-set_serial 1 \
-in test-rootca.csr \
-signkey test-rootca.key \
-out test-rootca.crt \
-extfile test_rootca_openssl.conf \
-sha256
# 결과 확인 ( Signature validation 을 만족하는지 확인 할 것 )
$ openssl x509 -text -in test-rootca.crt
# Security account) trust anchor에 등록
# iam -> role -> role anywhere 관리 -> trust anchor 생성 -> 외부인증서 번들 등록
# Security account) iam role Anywhere 전용 역할 생성
# 사용사례를 Roles Anywhere 클릭후 필요한 권한 설정할 것
# 해당 Policy를 추가
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity",
"sts:TagSession"
],
"Resource": "arn:aws:iam::${biz_account}:role/${biz_account_role}"
}
]
}
# Security account) Role Anywhere Profile 생성
# iam role anywhere 역할을 설정해줌
# Role Anywhere 사용을 위한 인증서 발급
$ openssl genrsa -aes256 -out test.com.key 2048
# CSR 요청 파일 생성
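# test_host_openssl.conf -- OpenSSL config for the end-entity (Roles Anywhere
# client) certificate. Read by `openssl req -new -config ...` (CSR) and by
# `openssl x509 -req -extfile ... -extensions v3_user` (cert signed by the root CA).
# OpenSSL's config parser treats both " and ' as quote delimiters and drops
# everything after an unquoted # as a comment, so apostrophes in values are escaped as \'.
[req]
default_bits = 2048
default_md = sha256
# key of THIS certificate, not the root CA key; the CSR command passes the
# same file with -key, but a leftover test-rootca.key here would silently
# build the client CSR on the CA key if -key were ever omitted
default_keyfile = test.com.key
distinguished_name = req_distinguished_name
extensions = v3_user

[v3_user]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.test.com
DNS.2 = test.com
DNS.3 = *.test.com

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = KR
countryName_min = 2
countryName_max = 2
organizationName = Organization Name (eg, company)
organizationName_default = test Inc.
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = test Project
# an unescaped ' would open a quoted run and swallow the rest of the line
commonName = Common Name (eg, your name or your server\'s hostname)
# this CN is the value the biz-account policy compares in its
# aws:PrincipalTag/x509Subject/CN condition; change both together
commonName_default = test.com
commonName_max = 64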
$ openssl req -new -key test.com.key -out test.com.csr -config test_host_openssl.conf
# CRT 파일 생성
$ openssl x509 -req -days 1825 -extensions v3_user -in test.com.csr \
-CA test-rootca.crt -CAcreateserial \
-CAkey test-rootca.key \
-out test.com.crt \
-extfile test_host_openssl.conf \
-sha256
# 1페이지에 있는 조건 확인
$ openssl x509 -text -in test.com.crt
# Biz Account) IAM Role 생성
# iam -> role -> role 생성 -> 신뢰관계 설정 (아래 Principal의 :root는 Security account 전체를 신뢰하므로, Roles Anywhere 전용 역할 ARN으로 좁히는 것이 안전)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${security account}:root"
},
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity",
"sts:TagSession"
]
}
]
}
# 권한 설정 및 CN으로 제어
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/x509Subject/CN": "test.com"
}
}
}
]
}
# CRT 파일 생성
$ openssl x509 -req -days 1825 -extensions v3_user -in test.com.csr \
-CA test-rootca.crt -CAcreateserial \
-CAkey test-rootca.key \
-out test.com.crt \
-extfile test_host_openssl.conf \
-sha256
# 1페이지에 있는 조건 확인
$ openssl x509 -text -in test.com.crt
# Biz Account) IAM Role 생성
# iam -> role -> role 생성 -> 신뢰관계 설정
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${security}:root"
},
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity",
"sts:TagSession"
]
}
]
}
# 권한 설정 및 CN으로 제어
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/x509Subject/CN": "test.com"
}
}
}
]
}
# aws_signing_helper 설치
# https://docs.aws.amazon.com/ko_kr/rolesanywhere/latest/userguide/credential-helper.html
$ wget https://rolesanywhere.amazonaws.com/releases/1.1.1/X86_64/Linux/aws_signing_helper
$ chmod 755 aws_signing_helper
# 확인
$ ./aws_signing_helper credential-process \
--certificate test.com.crt \
--private-key test.com.key \
--trust-anchor-arn ${security account trust anchor arn} \
--profile-arn ${security account profile arn} \
--role-arn ${security account role arn}
{"Version":1,"AccessKeyId":"${ACCESS_KEY_ID}","SecretAccessKey":"${Secret_ACCESS_KEY}","SessionToken":"${Session Token}","Expiration":"2023-11-07T05:45:58Z"}
$ cp aws_signing_helper test.com.crt test.com.key ~/.aws/
$ cd ~/.aws/
$ vi config
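# ~/.aws/config -- read by the AWS CLI / botocore (configparser-style,
# full-line # comments only).
# credential_process is executed without a shell and from the caller's
# current directory, so ./aws_signing_helper and bare file names only resolve
# while the cwd is ~/.aws; use absolute paths (~ is not expanded either).
# ${HOME_ABS} is a placeholder for the absolute home directory.
# test.com.key is a private key: keep it at mode 600 (chmod 600 ~/.aws/test.com.key).
[profile security-account-roles-anywhere-1]
credential_process = ${HOME_ABS}/.aws/aws_signing_helper credential-process --certificate ${HOME_ABS}/.aws/test.com.crt --private-key ${HOME_ABS}/.aws/test.com.key --trust-anchor-arn ${trust anchor arn} --profile-arn ${profile arn} --role-arn ${role arn}

# biz-account role, assumed with the Roles Anywhere session above as source
[profile biz1]
role_arn = ${biz role arn}
source_profile = security-account-roles-anywhere-1
region = ap-northeast-1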
# 결과확인
$ aws sts get-caller-identity --profile biz1
# 결과 확인
$ aws ec2 describe-instances --profile biz1
# Biz Account Role 정책 CN condition 변경시
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/x509Subject/CN": "taylorswift.com"
}
}
}
]
}
# 결과 확인
$ aws ec2 describe-instances --profile biz1
- fail