Similar to abusing IAM and STS, we can also abuse IAM and KMS to let Amazon do our service-to-service authentication for us. Unlike STS, though, KMS is almost perfect for this use case.
Let’s recap a bit from the STS post, though. What I’m aiming for is service-to-service authentication with the following specs:
- Has no chicken-and-egg trust problem. Re-use AWS to provide the chicken; we’ll use it to lay the eggs.
- Can be used only from one service to another service. The service receiving the token shouldn’t be able to reuse the token to impersonate the sender.
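One way IAM can enforce that second spec on a KMS key is a key policy that lets the sending role encrypt only under an encryption context naming itself as the sender, while the receiving role may decrypt but never encrypt. This is an added illustration, not a policy from the post; the account id 111122223333, the role names service-a and service-b, and the from/to encryption-context keys are placeholders I chose.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KeyAdministration",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "SenderMintsTokensOnlyInItsOwnName",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/service-a"},
      "Action": "kms:Encrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:from": "service-a",
          "kms:EncryptionContext:to": "service-b"
        }
      }
    },
    {
      "Sid": "ReceiverVerifiesButCannotMint",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/service-b"},
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:to": "service-b"
        }
      }
    }
  ]
}
```

Because KMS refuses a Decrypt whose supplied encryption context does not match the one used at Encrypt, service-b verifies a token by decrypting it with the context it expects (from service-a, to itself); having no kms:Encrypt on the key, it cannot produce a ciphertext claiming to be from service-a.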