AWS Security ChangesHomeSearch

AWS rolesanywhere medium security documentation change

Service: rolesanywhere · 2025-04-28 · Security-related medium

File: rolesanywhere/latest/userguide/trust-model.md

Summary

Corrected X.509 terminology, updated OpenSSL command syntax, and modified certificate serial number padding rules

Security assessment

The change to left-pad certificate serial numbers with zeros addresses potential validation inconsistencies in trust policies, which could prevent certificate parsing errors or mismatches in security-critical operations.

Diff

diff --git a/rolesanywhere/latest/userguide/trust-model.md b/rolesanywhere/latest/userguide/trust-model.md
index 7ca145d07..ba8ba9c49 100644
--- a//rolesanywhere/latest/userguide/trust-model.md
+++ b//rolesanywhere/latest/userguide/trust-model.md
@@ -9 +9 @@ Role trustsSignature validationTrust policySource identity rulesRevocation
-AWS Identity and Access Management Roles Anywhere works by bridging the trust model of IAM and Public Key Infrastructure (PKI). The model connects the role, the IAM Roles Anywhere service principal, and identities encoded in X509 certificates, that are issued by a Certificate Authority (CA). 
+AWS Identity and Access Management Roles Anywhere works by bridging the trust model of IAM and Public Key Infrastructure (PKI). The model connects the role, the IAM Roles Anywhere service principal, and identities encoded in X.509 certificates, that are issued by a Certificate Authority (CA). 
@@ -31 +31 @@ To examine the contents of a certificate, use the following command:
-    $openssl x509 -text -noout -in certificate.pem
+    $openssl x.509 -text -noout -in certificate.pem
@@ -185 +185 @@ The following example shows a trust policy that adds a condition based on the `I
-X509v3 certificates may include an extension to define additional identities, call Subject Alternative Names (SANs). The SAN can have multiple values, each of which can be one of nine types – Domain Name System (DNS) names, Uniform Resource Indicators (URIs), Directory Names, IP addresses, "Other" names, EDI party names, X400 addresses, RFC 822 names, or registered OIDs. IAM Roles Anywhere will map the **first** value of the following types: `DNS Names`, `Directory Name (DN)`, and `URI Names`. The resulting tags will be prefixed with x509SAN, with a corresponding type code. The type code will be one of DNS, URI, or Name. For values of type DN, the individual RDNs will be parsed, as with Subject and Issuer.
+X.509v3 certificates may include an extension to define additional identities, call Subject Alternative Names (SANs). The SAN can have multiple values, each of which can be one of nine types – Domain Name System (DNS) names, Uniform Resource Indicators (URIs), Directory Names, IP addresses, "Other" names, EDI party names, X400 addresses, RFC 822 names, or registered OIDs. IAM Roles Anywhere will map the **first** value of the following types: `DNS Names`, `Directory Name (DN)`, and `URI Names`. The resulting tags will be prefixed with x509SAN, with a corresponding type code. The type code will be one of DNS, URI, or Name. For values of type DN, the individual RDNs will be parsed, as with Subject and Issuer.
@@ -350 +350 @@ We define a source identity prefix as follows:
-  * `"ID="`: the common name of the subject in the certificate is not set.
+  * `"ID="`: the common name of the subject in the certificate is not set. This value is left-padded with zero to be even in length.
@@ -357,11 +356,0 @@ We define a source identity prefix as follows:
-The value following a source identity prefix is as follows: 
-
-  * `"CN="`: the common name of the subject in the certificate.
-
-  * `"ID="`: the hex-encoded certificate serial number. This value is left-padded with zero to be even in length.
-
-  * `""`: the common name of the subject in the certificate.
-
-
-
-