
The AWS Role Trust Provider supports attestation within the AWS environment. Aembit Edge Components can currently be deployed in several AWS services that support AWS Role Trust Provider attestation:

  • EC2 instances with an attached IAM role
  • AWS Role instances
  • ECS Fargate containers
  • Lambda containers

The following match rules are available for this Trust Provider type:

  • accountId
  • assumedRole
  • roleArn
  • username

For a description of the match rule fields available in the AWS Role Trust Provider, please refer to the AWS documentation.

Aembit supports AWS Role-Based Trust Providers by enabling you to create a new Trust Provider using the Aembit Tenant UI. Follow the steps below to create the AWS Role Trust Provider.

  1. On the Trust Providers page, click the New button to open the Trust Providers dialog window.

  2. In the dialog window, enter the following information:

     • Name: The name of the Trust Provider
     • Description: An optional text description for the Trust Provider
     • Trust Provider: A drop-down menu that lists the different Trust Provider types

  3. Select AWS Role from the Trust Provider drop-down menu.

  4. Click the Match Rules link to open an instance of the Match Rules drop-down menu, then enter the values to match.

     • If you use the roleArn value, make sure it is in the following format: arn:aws:sts::<ACCOUNT_ID>:assumed-role/<ROLE_NAME>/<EC2_INSTANCE_ID>
     • If you use the username value, make sure it is in the following format: <USER_NAME>:<EC2_INSTANCE_ID>

(Figure: Trust Provider Dialog Window - Complete)

  5. Click Save when finished. Your new AWS Role Trust Provider will appear on the main Trust Providers page.

You must assign an AWS IAM role with the AmazonECSTaskExecutionRolePolicy permission to your ECS tasks.

  1. Check whether the AWS IAM role ecsTaskExecutionRole exists. Please refer to the AWS documentation for more information.

  2. Create the AWS IAM role ecsTaskExecutionRole if it is missing. Please refer to the AWS documentation for more information.

  3. Retrieve the ARN of the ecsTaskExecutionRole role. It should look like arn:aws:iam::<account_id>:role/ecsTaskExecutionRole

  4. Assign this role in your ECS task definition by setting both the task role and the task execution role fields.

(Figure: ECS Role Trust Provider Page)
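A pre-deployment check for step 4 above, added here as an example and not Aembit's own code: it reads an ECS task definition and confirms that both role fields carry an IAM role ARN of the documented form arn:aws:iam::<account_id>:role/ecsTaskExecutionRole. The field names taskRoleArn and executionRoleArn are the ECS task-definition fields the page calls task role and task execution role; the sample task definition, account ID and image name are constructed for the illustration.

```python
"""Added example (not Aembit's code): lint an ECS task definition so that both
role fields point at an IAM role ARN named ecsTaskExecutionRole, as the page
requires.  The sample task definition below is constructed."""
import json
import re
from typing import Dict

# Documented shape: arn:aws:iam::<account_id>:role/<role-name>
_IAM_ROLE_ARN = re.compile(
    r"^arn:aws:iam::(?P<account>\d{12}):role/(?P<name>[A-Za-z0-9+=,.@_/-]+)$"
)

# Constructed task definition fragment (not a real deployment).
SAMPLE_TASK_DEFINITION = json.dumps({
    "family": "edge-components",
    "taskRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [{"name": "edge", "image": "example.invalid/edge:1"}],
})


def check_task_roles(task_definition_json: str,
                     expected_role: str = "ecsTaskExecutionRole") -> Dict[str, str]:
    """Report, per role field, one of 'ok', 'missing', 'malformed', or
    'unexpected-role:<name>' when the ARN names a different role.
    The result is keyed by field name so a caller can fail the deploy on
    anything other than 'ok'."""
    td = json.loads(task_definition_json)
    report: Dict[str, str] = {}
    for field in ("taskRoleArn", "executionRoleArn"):
        value = td.get(field)
        if not value:
            report[field] = "missing"
            continue
        m = _IAM_ROLE_ARN.match(value)
        if m is None:
            report[field] = "malformed"
            continue
        name = m.group("name")
        report[field] = "ok" if name == expected_role else f"unexpected-role:{name}"
    return report


def task_roles_ok(task_definition_json: str) -> bool:
    """True only when both role fields pass check_task_roles."""
    return all(v == "ok" for v in check_task_roles(task_definition_json).values())


if __name__ == "__main__":
    print(check_task_roles(SAMPLE_TASK_DEFINITION))
    print("deployable:", task_roles_ok(SAMPLE_TASK_DEFINITION))
```

The check deliberately rejects an STS assumed-role ARN in these fields: the task definition must name the IAM role itself, whereas the assumed-role form is what the workload presents at attestation time.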

If you are using this Trust Provider for attestation of workloads running in a Lambda container environment, you can use the following match rules:

  • accountId
  • roleArn

The Lambda Container roleArn is structured as follows:

arn:aws:sts::<accountId>:assumed-role/<functionRoleName>/<functionName>
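The following is an added example, not Aembit's code, showing how the two assumed-role ARN formats given on this page (the EC2 form with an instance ID as the session name and the Lambda form with the function name) parse into account, role and session, and how the accountId, assumedRole, roleArn and username match rules can be evaluated against an attested identity. The identity model (the Account, Arn and UserId fields of STS GetCallerIdentity), the rule that every configured match rule must hold, and all account, role and session values are assumptions made for the illustration.

```python
"""Added example (not Aembit's code): parse the assumed-role ARN formats
documented above and evaluate AWS Role match rules against an attested
identity.  Identity model, AND semantics across rules and sample values are
assumptions for this illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Documented shape: arn:aws:sts::<ACCOUNT_ID>:assumed-role/<ROLE_NAME>/<SESSION>
# <SESSION> is the EC2 instance ID for EC2 and the function name for Lambda.
_ASSUMED_ROLE_ARN = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[A-Za-z0-9+=,.@_-]+)/(?P<session>[A-Za-z0-9+=,.@_-]+)$"
)


@dataclass(frozen=True)
class AttestedIdentity:
    """What a workload presents after attestation (constructed model mirroring
    the Account, Arn and UserId fields of STS GetCallerIdentity)."""
    account_id: str
    role_arn: str   # assumed-role ARN in the format above
    username: str   # "<USER_NAME>:<SESSION>" per the page's format


def parse_assumed_role_arn(arn: str) -> Optional[Dict[str, str]]:
    """Split an assumed-role ARN into account, role and session, or return
    None when the string is not in the documented format."""
    m = _ASSUMED_ROLE_ARN.match(arn)
    return m.groupdict() if m else None


def evaluate_match_rules(identity: AttestedIdentity, rules: Dict[str, str]) -> List[str]:
    """Return the names of configured rules the identity does not satisfy
    (an empty list means the identity matches).  Every rule present must
    hold; a malformed ARN or an unknown rule name fails closed."""
    parts = parse_assumed_role_arn(identity.role_arn)
    if parts is None:
        return ["roleArn:malformed"] + sorted(rules)
    checks = {
        # the claimed account must agree with the account embedded in the ARN
        "accountId": lambda want: identity.account_id == want == parts["account"],
        "assumedRole": lambda want: parts["role"] == want,
        "roleArn": lambda want: identity.role_arn == want,
        "username": lambda want: identity.username == want,
    }
    return [name for name, want in rules.items()
            if name not in checks or not checks[name](want)]


# Constructed sample identities and rules (not real account or role values).
EC2_IDENTITY = AttestedIdentity(
    account_id="123456789012",
    role_arn="arn:aws:sts::123456789012:assumed-role/edge-agent-role/i-0abc123def4567890",
    username="AROAEXAMPLEROLEID:i-0abc123def4567890",
)
LAMBDA_IDENTITY = AttestedIdentity(
    account_id="123456789012",
    role_arn="arn:aws:sts::123456789012:assumed-role/lambda-edge-role/edge-attest-fn",
    username="AROAEXAMPLEROLEID2:edge-attest-fn",
)
EC2_RULES = {
    "accountId": "123456789012",
    "assumedRole": "edge-agent-role",
    "username": "AROAEXAMPLEROLEID:i-0abc123def4567890",
}
LAMBDA_RULES = {
    "accountId": "123456789012",
    "roleArn": "arn:aws:sts::123456789012:assumed-role/lambda-edge-role/edge-attest-fn",
}

if __name__ == "__main__":
    print("EC2 failures:", evaluate_match_rules(EC2_IDENTITY, EC2_RULES))
    print("Lambda failures:", evaluate_match_rules(LAMBDA_IDENTITY, LAMBDA_RULES))
    print("Lambda vs EC2 rules:", evaluate_match_rules(LAMBDA_IDENTITY, EC2_RULES))
```

The accountId check compares the claimed account against the account embedded in the ARN as well as against the rule value, so an identity whose stated account and ARN disagree is rejected even when one of them matches the rule; that is the kind of consistency check worth keeping whenever match rules are reconstructed outside the product.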