Roles Anywhere explanation

JaimePolop · JaimePolop · commit f3afa739ad49 · 2025-09-29T22:53:29.000+02:00
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md
@@ -135,6 +135,11 @@ aws_signing_helper credential-process \
   --role-arn arn:aws:iam::123456789012:role/Admin
 ```
 
+The trust anchor validates that the client certificate `readonly.pem` comes from its authorized CA, when the trust anchor was created the CA’s public certificate was included (and now used to validate `readonly.pem`). Inside `readonly.pem` is the public key, which AWS uses to verify that the signature was made with its corresponding private key `readonly.key`.
+
+The certificate also proves identity and provides attributes (such as CN or OU) that the `default` profile transforms into tags, which the role’s trust policy can use to decide whether to authorize access, if there are no conditions in the trust policy, those tags are ignored and anyone with a valid certificate is allowed through.
+
+For this attack to be possible, both the trust anchor and the default profile must be active.
 
 ### References
 
