Tags: aws, roles anywhere, for responders

Roles Anywhere abuse: when a stolen certificate mints AWS credentials

AWS Roles Anywhere trades an X.509 certificate for live role credentials. Steal a chaining cert and you mint sessions from anywhere. There is no password to reset.

AWS IAM Roles Anywhere lets workloads outside AWS obtain role credentials by presenting a client certificate that chains to a registered trust anchor. That is convenient, and it is also the problem: whoever holds a chaining certificate and its private key can mint credentials, with no long-lived access key and no password involved.

How the attack works

The attacker obtains a client certificate whose chain validates against your trust anchor, then calls rolesanywhere:CreateSession from outside your build estate. Roles Anywhere exchanges the certificate for temporary credentials on the workload role, and the session reads from the data lake just as the legitimate agent would. CloudTrail records each CreateSession with the source address and the certificate subject and serial, so a session from an unexpected source using an off-inventory certificate is the tell. The attacker replays the same certificate to refresh credentials as each short session nears expiry. In ATT&CK terms this is T1199, Trusted Relationship, with T1550, Use Alternate Authentication Material.
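The tell described above (a session from an unexpected source, using a certificate that is not in your inventory, or one certificate serial minting sessions from more than one host) can be checked mechanically. The triage below is an added example written for this note, not code from the original page. The event records are constructed and deliberately simplified: the field names `sourceIPAddress`, `certificateSubject` and `certificateSerial` are assumptions, and you must map them onto the layout of your own CloudTrail CreateSession events before running this against real logs.

```python
"""Triage Roles Anywhere CreateSession events against a certificate inventory.

Added example, not code from the original note. Event layout below is a
CONSTRUCTED simplification: map the field names to your real CloudTrail
CreateSession records (eventSource rolesanywhere.amazonaws.com) before use.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample records (not real AWS output). Times are UTC.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:00:11Z", "eventName": "CreateSession",
     "sourceIPAddress": "10.20.5.14", "certificateSubject": "CN=build-agent-01",
     "certificateSerial": "1A2B"},
    {"eventTime": "2024-05-01T09:50:02Z", "eventName": "CreateSession",
     "sourceIPAddress": "10.20.5.14", "certificateSubject": "CN=build-agent-01",
     "certificateSerial": "1A2B"},                       # normal refresh
    {"eventTime": "2024-05-01T10:05:40Z", "eventName": "CreateSession",
     "sourceIPAddress": "203.0.113.77", "certificateSubject": "CN=build-agent-01",
     "certificateSerial": "1A2B"},                       # same cert, new host
    {"eventTime": "2024-05-01T10:10:03Z", "eventName": "CreateSession",
     "sourceIPAddress": "203.0.113.77", "certificateSubject": "CN=build-agent-01",
     "certificateSerial": "9F9F"},                       # serial not issued by us
    {"eventTime": "2024-05-01T10:12:55Z", "eventName": "CreateSession",
     "sourceIPAddress": "10.20.5.20", "certificateSubject": "CN=build-agent-02",
     "certificateSerial": "1A2C"},
]

# Constructed inventory: serial -> subject we issued it to, and the address
# ranges the build estate actually occupies.
APPROVED_SERIALS = {"1A2B": "CN=build-agent-01", "1A2C": "CN=build-agent-02"}
ALLOWED_CIDRS = [ipaddress.ip_network("10.20.0.0/16")]


def source_allowed(ip, cidrs):
    """True if the session's source address falls inside an approved range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cidrs)


def triage(events, approved_serials=APPROVED_SERIALS, allowed_cidrs=ALLOWED_CIDRS):
    """Return flagged CreateSession events plus serials seen from several hosts.

    A legitimate agent also refreshes with the same certificate, so refresh
    frequency alone is not a signal; one serial appearing from two different
    source addresses is.
    """
    flagged_events = []
    sources_by_serial = defaultdict(set)
    for ev in events:
        if ev.get("eventName") != "CreateSession":
            continue
        serial = ev["certificateSerial"]
        subject = ev["certificateSubject"]
        src = ev["sourceIPAddress"]
        sources_by_serial[serial].add(src)
        reasons = []
        if serial not in approved_serials:
            reasons.append("off-inventory certificate serial")
        elif approved_serials[serial] != subject:
            reasons.append("subject does not match inventory entry for serial")
        if not source_allowed(src, allowed_cidrs):
            reasons.append("source address outside approved ranges")
        if reasons:
            flagged_events.append({
                "eventTime": ev["eventTime"], "sourceIPAddress": src,
                "certificateSerial": serial, "reasons": reasons,
            })
    shared_serials = [
        {"certificateSerial": serial, "sources": sorted(srcs),
         "reason": "one certificate serial minting sessions from several source addresses"}
        for serial, srcs in sorted(sources_by_serial.items()) if len(srcs) > 1
    ]
    return {"events": flagged_events, "serials": shared_serials}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

On the constructed sample the third and fourth events are flagged (unexpected source, and an off-inventory serial from that source), and serial 1A2B is reported because it minted sessions from both the build host and the outside address. Feed the real inventory from whatever issues your client certificates; a serial your CA never issued is the strongest single indicator on the page.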

Why it works

The trust anchor accepted too broad a certificate population, and the role behind it carried more privilege than the workload needed, with no source condition constraining where sessions could originate. Any certificate that chains is treated as the workload.

How to fix it

There is no password here, so containment means severing the certificate trust: disable or rotate the trust anchor, or add the offending serial to the certificate revocation list, so that no new sessions can be minted. Then attach an explicit deny on the role conditioned on aws:TokenIssueTime before your cutoff to kill credentials already issued. You cannot revoke a single temporary credential, so you deny the whole class by issue time. Afterward, constrain the trust anchor and profile by certificate attributes and source, reduce the role to least privilege, and enforce short-lived certificates with automated rotation and revocation lists that are actually imported and enforced.
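The two policy documents the containment step needs, the issue-time deny and a trust policy pinned to the expected certificate, are shown below as an added example written for this note (not the page's or AWS's own code). The role ARN, trust anchor ARN and certificate CN are constructed placeholders; `aws:TokenIssueTime`, `aws:SourceArn` and the `aws:PrincipalTag/x509Subject/CN` tag that Roles Anywhere sets from the client certificate are real condition keys. The small evaluator at the end only models the issue-time condition so you can confirm the cutoff before attaching the policy.

```python
"""Containment policies for a Roles Anywhere compromise.

Added example, not code from the original note. ARNs and the CN are
constructed placeholders; replace them with your own values.
"""
import json
from datetime import datetime, timezone

ROLE_NAME = "datalake-reader"  # placeholder
TRUST_ANCHOR_ARN = (            # placeholder
    "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/PLACEHOLDER-ID"
)
EXPECTED_CN = "build-agent-01"  # constructed


def at(stamp):
    """Parse an ISO 8601 UTC timestamp of the form 2024-05-01T10:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def revoke_sessions_before(cutoff):
    """Explicit deny on every credential issued before `cutoff`.

    aws:TokenIssueTime exists only on temporary credentials, so the statement
    cannot touch long-lived keys. Attach it to the role as an inline policy;
    legitimate workloads re-mint a fresh session once the anchor is restored.
    """
    if cutoff.tzinfo is None:
        raise ValueError("cutoff must be timezone-aware")
    stamp = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySessionsIssuedBeforeCutoff",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }


def hardened_trust_policy(trust_anchor_arn, expected_cn):
    """Trust policy that accepts sessions only via one trust anchor and only
    for a certificate whose subject CN matches the expected workload."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RolesAnywherePinnedToAnchorAndSubject",
            "Effect": "Allow",
            "Principal": {"Service": "rolesanywhere.amazonaws.com"},
            "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
            "Condition": {
                "ArnEquals": {"aws:SourceArn": trust_anchor_arn},
                "StringEquals": {"aws:PrincipalTag/x509Subject/CN": expected_cn},
            },
        }],
    }


def session_is_denied(policy, token_issue_time):
    """Model only the DateLessThan / aws:TokenIssueTime deny: True when a
    credential issued at `token_issue_time` would be refused by `policy`."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        bound = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:TokenIssueTime")
        if bound is None:
            continue
        if token_issue_time.astimezone(timezone.utc) < at(bound):
            return True
    return False


if __name__ == "__main__":
    cutoff = at("2024-05-01T10:30:00Z")  # constructed: moment the anchor was cut
    print(json.dumps(revoke_sessions_before(cutoff), indent=2))
    print(json.dumps(hardened_trust_policy(TRUST_ANCHOR_ARN, EXPECTED_CN), indent=2))
```

Pick the cutoff after the anchor or revocation list change has taken effect, otherwise a session minted in the gap survives the deny. The trust policy pins both the anchor and the subject CN; a certificate that chains but carries a different CN, or that arrives through a different anchor, no longer counts as the workload.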

Practice it

We built this as a GraphLattice Range scenario so responders rehearse the anchor and revocation-list cut plus the token-issue-time deny, instead of chasing a key rotation that does not exist.