What is confused deputy problem in AWS?
To continue the previous example, Example Corp requires access to certain resources in your AWS account. ... That customer could then use your role ARN to gain access to your AWS resources by way of Example Corp. This form of permission escalation is known as the confused deputy problem.
What is confused deputy problem in security context?
The confused deputy problem occurs when the designation of an object is passed from one program to another, and the associated permission changes unintentionally, without any explicit action by either party. It is insidious because neither party did anything explicit to change the authority.
Is external ID a secret?
AWS does not treat the external ID as a secret. After you create a secret such as an access key pair or a password in AWS, you cannot view it again; by contrast, the external ID for a role can be seen by anyone with permission to view the role.
What is STS external ID?
At a high level, the external ID is a piece of data that can be passed to the AssumeRole API of the Security Token Service (STS). You can then use the external ID in the condition element of a role's trust policy, allowing the role to be assumed only when the AssumeRole call presents that specific value as its external ID.
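As an added example (not from the original page or from AWS documentation), here is a small Python model of the trust-policy condition described above and of the confused-deputy scenario from the first answer. The account IDs, role name and external ID are constructed placeholders, and the evaluator models only an account-root principal plus the StringEquals check on sts:ExternalId, not full IAM policy evaluation.

```python
"""Added example, not from the original page: a minimal model of how the
sts:ExternalId condition in a role's trust policy defeats the confused deputy.
Account IDs, role name and external ID are constructed placeholders."""

YOUR_ACCOUNT = "111111111111"          # your account, which owns the role
EXAMPLE_CORP_ACCOUNT = "999999999999"  # the third party acting as the deputy
YOUR_EXTERNAL_ID = "example-corp-customer-42"  # value Example Corp assigned to you
ROLE_ARN = f"arn:aws:iam::{YOUR_ACCOUNT}:role/ExampleCorpAccess"

def trust_policy(external_id=None):
    """Trust policy for the role in your account. With external_id=None it is
    the weak form: any AssumeRole call Example Corp makes with your role ARN
    succeeds, whichever of its customers asked for it."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{EXAMPLE_CORP_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}

def assume_role_request(external_id):
    """Parameters Example Corp passes to STS AssumeRole on a customer's behalf
    (same keys as the real API: RoleArn, RoleSessionName, ExternalId)."""
    return {"RoleArn": ROLE_ARN, "RoleSessionName": "example-corp",
            "ExternalId": external_id}

def assume_role_allowed(policy, caller_account, request):
    """Simplified trust-policy evaluation for one AssumeRole call. Models only
    an account-root principal plus StringEquals on sts:ExternalId; real IAM
    evaluation applies more rules than this."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        required = condition.get("sts:ExternalId")
        if required is None or required == request.get("ExternalId"):
            return True
    return False

if __name__ == "__main__":
    # Another Example Corp customer handed Example Corp *your* role ARN; Example
    # Corp dutifully calls AssumeRole with that customer's own external ID.
    other = assume_role_request("some-other-customer-7")
    print(assume_role_allowed(trust_policy(), EXAMPLE_CORP_ACCOUNT, other))  # True: deputy confused
    print(assume_role_allowed(trust_policy(YOUR_EXTERNAL_ID), EXAMPLE_CORP_ACCOUNT, other))  # False
    yours = assume_role_request(YOUR_EXTERNAL_ID)
    print(assume_role_allowed(trust_policy(YOUR_EXTERNAL_ID), EXAMPLE_CORP_ACCOUNT, yours))  # True
```

The condition does not keep the external ID confidential; it only binds the role to the one customer relationship Example Corp registered, which is why it works even though anyone who can view the role can read the value.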