IAM Roles Anywhere – now for everyone with Let's Encrypt

Dhruv Ahuja

fwd:cloudsec North America 2025 · Day 1 · Track 1 - Crystal

Dhruv Ahuja presents a clever, practical approach to using **AWS IAM Roles Anywhere** with free **Let's Encrypt** certificates as a PKI, eliminating the need for expensive private certificate authorities or full SPIFFE infrastructure when authenticating non-AWS workloads to AWS. The talk walks through the complete implementation: using Let's Encrypt's **staging intermediate certificates** as trust anchors, the **ACME protocol** with DNS-01 validation for certificate issuance, constraining access via X.509 subject common name conditions in IAM trust policies, and a novel private key theft detection mechanism inspired by nuclear weapons environmental sensing that uses **TOTP (Time-based One-Time Passwords)** derived from environment fingerprints as session names, enabling retrospective validation through CloudTrail.
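To make the TOTP-as-session-name idea concrete, here is an added Python example (not code from the talk or from AWS): the workload derives an RFC 6238 TOTP from a fingerprint of its own environment and uses it as the role session name, and a defender later replays that computation against CloudTrail records to flag sessions whose code does not match what the legitimate host would have produced at that time. The fingerprint inputs (hostname, machine id, instance id), the `wl-` prefix and the minimal CloudTrail-style record layout are assumptions made for the example.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone


def environment_fingerprint(hostname: str, machine_id: str, instance_id: str) -> bytes:
    """Hypothetical fingerprint: a digest over properties the legitimate host has
    and a host that merely copied the private key usually does not (assumed inputs)."""
    material = "\n".join([hostname, machine_id, instance_id]).encode()
    return hashlib.sha256(material).digest()


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for the given Unix time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def session_name(fingerprint: bytes, unix_time: int, prefix: str = "wl") -> str:
    """Role session name carrying the current TOTP; letters, digits and '-' stay
    inside the character set AWS allows for session names."""
    return f"{prefix}-{totp(fingerprint, unix_time)}"


def make_event(role_session_name: str, unix_time: int) -> dict:
    """Constructed, minimal CloudTrail-style record; the field layout is an
    assumption for this example, not copied from an AWS log."""
    ts = datetime.fromtimestamp(unix_time, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "eventTime": ts,
        "eventSource": "rolesanywhere.amazonaws.com",
        "eventName": "CreateSession",
        "requestParameters": {"roleSessionName": role_session_name},
    }


def validate_event(event: dict, expected_fingerprint: bytes,
                   prefix: str = "wl", window: int = 1) -> bool:
    """Retrospective check: does the recorded session name carry a TOTP that the
    expected environment would have produced at the event time? `window` allows
    +/- that many 30 s steps of clock skew between the workload and CloudTrail."""
    name = event.get("requestParameters", {}).get("roleSessionName", "")
    if not name.startswith(prefix + "-"):
        return False
    code = name[len(prefix) + 1:]
    event_time = int(datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                     .replace(tzinfo=timezone.utc).timestamp())
    candidates = [totp(expected_fingerprint, event_time + 30 * k)
                  for k in range(-window, window + 1)]
    return any(hmac.compare_digest(code, c) for c in candidates)


def find_suspicious(events: list, expected_fingerprint: bytes) -> list:
    """Return the indices of events whose session name the expected host could
    not have generated: the signal that the key is being used elsewhere."""
    return [i for i, ev in enumerate(events) if not validate_event(ev, expected_fingerprint)]


if __name__ == "__main__":
    legit = environment_fingerprint("build-01", "3f1c9a", "i-0123456789abcdef0")
    stolen = environment_fingerprint("unknown-host", "000000", "none")
    now = 1750000000
    # Constructed trail: one session from the real host, one from a host that only has the key.
    trail = [make_event(session_name(legit, now), now),
             make_event(session_name(stolen, now + 60), now + 60)]
    print("suspicious event indices:", find_suspicious(trail, legit))
```

The detection is only as good as the fingerprint: anything a copy of the key alone can reproduce (for example the certificate's own fields) adds nothing, so the inputs should be properties tied to the host or its cloud instance. Because the check is retrospective, it complements rather than replaces the trust-policy conditions on the certificate subject.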

AI review

Clever hack using Let's Encrypt staging intermediates as Roles Anywhere trust anchors for $2/year instead of $400/month AWS Private CA. The TOTP environment fingerprinting for private key theft detection -- inspired by nuclear weapons environmental sensing -- is genuinely creative. Not a vulnerability talk, but a solid practical contribution that shows real engineering creativity.
