AWS Confused Deputy - is this "external identifier" really just a "password"?

Amazon Web Services describes the Confused Deputy problem and instructs you to use the "external identifier" as the solution.

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
http://blogs.aws.amazon.com/security/blog/tag/Confused+Deputy

The Confused Deputy problem is also described here:
http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html
https://en.wikipedia.org/wiki/Confused_deputy_problem

However, amid all the elaborate talk, it seems that the "external identifier" is just a password. Am I right or wrong?

1 answer

Yes, the external ID used with third-party IAM roles is a kind of password.

Here I will use the following terms:

  • ServiceA - a third-party service with its own AWS account
  • User1 - the original user of ServiceA, with good intentions
  • User2 - a user of ServiceA who is trying to access User1's AWS account

IAM roles are a way to ensure that only ServiceA can use User1's IAM role. User1's IAM role is tied to the ServiceA AWS account. But an additional external ID is needed to ensure that ServiceA acts only for User1. Without an external identifier, User2 can trick ServiceA into acting for User2.

User2 User1 IAM Role ARN ServiceA, ID , User2 ServiceA, User1 AWS.

ServiceA . User2 User1 ServiceA.

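To make the answer concrete, here is an added example that is not part of the original post or of AWS's own code: a toy evaluator for the small subset of IAM trust-policy logic that matters here (principal account plus an optional `StringEquals` condition on `sts:ExternalId`). The account IDs, role ARN and external ID values are constructed placeholders. It shows the three cases the answer describes: User1 using ServiceA normally, User2 handing ServiceA User1's role ARN against a trust policy without an external ID condition (the confused deputy succeeds), and the same attempt against a trust policy that requires User1's external ID (denied, because ServiceA only ever sends the external ID it assigned to User2).

```python
import json
from typing import Optional

# Constructed identifiers for the example (not real accounts).
USER1_ACCOUNT = "111111111111"
SERVICE_A_ACCOUNT = "222222222222"
USER1_ROLE_ARN = f"arn:aws:iam::{USER1_ACCOUNT}:role/ServiceA-access"

# External IDs that ServiceA generated per customer record (constructed values).
# ServiceA stores them itself; the customer only sees its own value.
SERVICE_A_EXTERNAL_IDS = {
    "User1": "extid-user1-EXAMPLE",
    "User2": "extid-user2-EXAMPLE",
}


def trust_policy(require_external_id: bool) -> dict:
    """Build User1's role trust policy. With require_external_id=True the
    sts:ExternalId condition is added, which is what the AWS docs recommend."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SERVICE_A_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_external_id:
        statement["Condition"] = {
            "StringEquals": {"sts:ExternalId": SERVICE_A_EXTERNAL_IDS["User1"]}
        }
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_allowed(policy: dict, caller_account: str,
                        external_id: Optional[str]) -> bool:
    """Toy evaluator: allow if some Allow statement for sts:AssumeRole names the
    caller's account as principal and, when a StringEquals condition on
    sts:ExternalId is present, the supplied external ID matches it exactly."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" in cond and cond["sts:ExternalId"] != external_id:
            continue
        return True
    return False


def service_a_assume_role(roles: dict, customer: str, role_arn: str) -> bool:
    """Model of ServiceA's behaviour: the customer supplies a role ARN, but the
    AssumeRole call always comes from ServiceA's account and always carries the
    external ID ServiceA assigned to *that* customer, never one the customer chose."""
    policy = roles[role_arn]
    return assume_role_allowed(policy, SERVICE_A_ACCOUNT,
                               SERVICE_A_EXTERNAL_IDS[customer])


def scenarios() -> dict:
    """Run the three cases from the answer against both trust policies."""
    results = {}
    for label, require in (("no_external_id", False), ("with_external_id", True)):
        roles = {USER1_ROLE_ARN: trust_policy(require)}
        results[label] = {
            # User1 registers its own role ARN with ServiceA: the normal case.
            "user1_own_role": service_a_assume_role(roles, "User1", USER1_ROLE_ARN),
            # User2 registers User1's role ARN with ServiceA: the confused deputy.
            "user2_using_user1_role": service_a_assume_role(roles, "User2", USER1_ROLE_ARN),
        }
    return results


if __name__ == "__main__":
    print(json.dumps(trust_policy(True), indent=2))
    print(json.dumps(scenarios(), indent=2))
```

The point the evaluator makes visible is that the role ARN is not a secret (User2 can learn or guess it), while the external ID is one: it is known only to ServiceA and to User1, and ServiceA attaches it based on which customer is asking, so the deputy cannot be confused into acting for User2 with User1's credentials. That is exactly why the answer calls it a kind of password, and why it should be generated by ServiceA rather than chosen by the customer.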

Source: https://habr.com/ru/post/1606502/
