
AWS Confused Deputy - is "external id" really just a "password"?

Amazon Web Services describes the Confused Deputy Problem and prescribes use of "external ID" as the solution.

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
http://blogs.aws.amazon.com/security/blog/tag/Confused+Deputy

The Confused Deputy Problem is also described here:
http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html
https://en.wikipedia.org/wiki/Confused_deputy_problem

Amongst all the fancy talk however, it appears that ultimately "external ID" is just a password. Am I understanding this right or wrong?

Duke Dougal asked Sep 08 '15 21:09



1 Answer

Yes, the External ID used with IAM Third-Party Roles is a glorified password.

I'll be using the following terms here:

  • ServiceA - Third-party service of AWS accounts
  • User1 - Original well-intentioned user of ServiceA
  • User2 - Devious user of ServiceA trying to get access to User1's AWS account

IAM Roles are a way to ensure that only ServiceA can use User1's IAM Role. User1's IAM Role is tied to ServiceA's AWS account. But the extra External ID is needed to ensure that ServiceA is only acting for User1. Without the External ID, User2 could trick ServiceA into acting for User2.

If User2 guessed User1's IAM Role ARN and can tell ServiceA which External ID to use, then User2 could trick ServiceA into acting on its behalf in User1's AWS account.

So instead, ServiceA should always dictate the values of the External IDs. This limits the ability of User2 to spoof itself as User1 in the eyes of ServiceA.

Matt Houser answered Sep 20 '22 01:09
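A simplified model of the trust-policy evaluation the answer describes, added here as an illustration (it is not AWS's code and not part of the answer). Account IDs, role names and External ID values are constructed placeholders; real STS also evaluates explicit Deny statements and other condition keys, which this model leaves out.

```python
import json
from typing import Optional

# Constructed values: ServiceA's account and the External ID ServiceA issued to User1.
SERVICE_A_ACCOUNT = "111111111111"
USER1_EXTERNAL_ID = "svcA-issued-7f3e"  # dictated by ServiceA, never chosen by the user

# Trust policy on User1's role: only ServiceA's account may assume it, and only
# when the AssumeRole call carries User1's External ID.
USER1_ROLE_TRUST_POLICY = json.loads(json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SERVICE_A_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": USER1_EXTERNAL_ID}},
    }],
}))


def account_of(arn: str) -> str:
    """Return the 12-digit account ID from an IAM ARN (arn:aws:iam::ACCOUNT:...)."""
    return arn.split(":")[4]


def assume_role_allowed(policy: dict, caller_arn: str, external_id: Optional[str]) -> bool:
    """Allow only if some Allow statement lists the caller's account as a principal
    AND its sts:ExternalId StringEquals condition (if any) matches exactly."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        principals = stmt["Principal"]["AWS"]
        principals = [principals] if isinstance(principals, str) else principals
        if account_of(caller_arn) not in {account_of(p) for p in principals}:
            continue  # caller is not ServiceA: the role-trust check alone rejects it
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue  # wrong or missing External ID: the confused-deputy check rejects it
        return True
    return False


def scenarios() -> dict:
    """The cases from the answer, evaluated against User1's trust policy."""
    svc = f"arn:aws:iam::{SERVICE_A_ACCOUNT}:role/ServiceARunner"
    outsider = "arn:aws:iam::222222222222:user/SomeoneElse"
    return {
        "servicea_for_user1": assume_role_allowed(USER1_ROLE_TRUST_POLICY, svc, USER1_EXTERNAL_ID),
        # User2 pointed ServiceA at User1's role ARN; ServiceA still uses User2's own External ID
        "servicea_tricked_by_user2": assume_role_allowed(USER1_ROLE_TRUST_POLICY, svc, "svcA-issued-91ab"),
        "servicea_no_external_id": assume_role_allowed(USER1_ROLE_TRUST_POLICY, svc, None),
        # Correct External ID but wrong account: the Principal element still rejects it
        "outsider_with_external_id": assume_role_allowed(USER1_ROLE_TRUST_POLICY, outsider, USER1_EXTERNAL_ID),
    }
```

Only the first scenario succeeds, which is the point of having ServiceA (not the end user) dictate the External ID: User2 cannot make ServiceA present User1's value.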