Duke Dougal

Reputation: 26376

AWS Confused Deputy - is "external id" really just a "password"?

Amazon Web Services describes the Confused Deputy Problem and prescribes use of "external ID" as the solution.

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
http://blogs.aws.amazon.com/security/blog/tag/Confused+Deputy

The Confused Deputy Problem is also described here:
http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html
https://en.wikipedia.org/wiki/Confused_deputy_problem

Amongst all the fancy talk however, it appears that ultimately "external ID" is just a password. Am I understanding this right or wrong?

Upvotes: 8

Views: 2190

Answers (1)

Matt Houser

Reputation: 36073

Yes, the External ID used with IAM Third-Party Roles is a glorified password.

I'll be using the following terms here:

  • ServiceA - Third-party service of AWS accounts
  • User1 - Original well-intentioned user of ServiceA
  • User2 - Devious user of ServiceA trying to get access to User1's AWS account

IAM Roles are a way to ensure that only ServiceA can use User1's IAM Role. User1's IAM Role is tied to ServiceA's AWS account. But the extra External ID is needed to ensure that ServiceA is only acting for User1. Without the External ID, User2 could trick ServiceA into acting for User2.

If User2 guessed User1's IAM Role ARN and can tell ServiceA which External ID to use, then User2 could trick ServiceA into acting on its behalf in User1's AWS account.

So instead, ServiceA should always dictate the values of the External IDs. This limits the ability of User2 to spoof itself as User1 in the eyes of ServiceA.

Upvotes: 12
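The two designs the answer contrasts, as an added Python model that is not part of the answer or of any AWS code: a role trust policy with and without the sts:ExternalId condition, a minimal stand-in for STS evaluating it, and ServiceA either accepting a customer-supplied External ID (the confused-deputy flaw) or only ever sending the ID it issued to that customer. Account IDs, the role ARN and the external IDs are constructed placeholders.

```python
# Constructed placeholders, not real AWS values.
SERVICEA_ACCOUNT = "111111111111"
USER1_ROLE_ARN = "arn:aws:iam::222222222222:role/ServiceAAccess"

def trust_policy(external_id=None):
    """Build User1's role trust policy: ServiceA's account as principal, with an
    optional sts:ExternalId condition as the AWS docs prescribe."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{SERVICEA_ACCOUNT}:root"},
            "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def trust_policy_allows(policy, caller_account, external_id):
    """Minimal model of STS evaluating a trust policy for AssumeRole (not the real
    IAM policy engine): principal must match, and any sts:ExternalId must match."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account}:root":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            continue  # condition present but the supplied external ID does not match
        return True
    return False

# External IDs ServiceA generated for each customer. Each customer copies its
# own ID into its role's trust policy; the customer never chooses the value.
SERVICEA_DICTATED_IDS = {"User1": "ext-id-user1", "User2": "ext-id-user2"}

def flawed_assume(roles, role_arn, external_id_from_customer):
    """Flawed ServiceA: sends whatever role ARN and external ID the customer
    supplied, so a devious customer can pass another customer's ID."""
    policy = roles.get(role_arn)
    return policy is not None and trust_policy_allows(
        policy, SERVICEA_ACCOUNT, external_id_from_customer)

def dictated_assume(roles, customer, role_arn):
    """Recommended ServiceA: the role ARN still comes from the customer, but the
    external ID is always the one ServiceA issued to that customer."""
    policy = roles.get(role_arn)
    return policy is not None and trust_policy_allows(
        policy, SERVICEA_ACCOUNT, SERVICEA_DICTATED_IDS[customer])
```

Run with `roles = {USER1_ROLE_ARN: trust_policy("ext-id-user1")}`: `dictated_assume(roles, "User2", USER1_ROLE_ARN)` is False while `flawed_assume(roles, USER1_ROLE_ARN, "ext-id-user1")` is True, which is exactly the gap the answer describes.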
