Preventing Confused Deputy Problem in Cross-Account IAM Roles | Exam SC-C01 | AWS Certified Security - Specialty


Question

There are several DynamoDB tables in your AWS account.

A third-party AWS account needs to read the data in the tables for audit purposes.

You are configuring a cross-account IAM role so that IAM entities in the third-party account can assume the role through the sts:AssumeRole API and access your AWS resources. This setup is exposed to the Confused Deputy problem, in which another party supplies your role ARN to the third party and gains access to your AWS resources by way of the third party's permissions. How would you prevent the Confused Deputy problem in this scenario?

Answers

Explanations


Answer: C.

Option A is incorrect because this is not how an AWS Cognito identity pool works; you cannot assign a token to your IAM role.

Option B is incorrect because including the account ID cannot prevent the Confused Deputy issue: other parties can still have the role assumed on their behalf through the third-party account.

Option C is CORRECT because the external ID will be checked when IAM entities assume the role, which prevents the Confused Deputy problem.

Note that AWS does not treat the external ID as a secret.

After creating a secret such as an access key pair or a password in AWS, you cannot view it again.

By contrast, the external ID for a role can be seen by anyone with permission to view the role.

Option D is incorrect because checking the account ID is not enough.

The external ID should also be checked to prevent other unexpected entities from assuming your IAM role.
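As an added example (not from the original page), the following simplified trust-policy evaluator shows why the account-ID-only policy still allows the confused-deputy call while the external-ID condition blocks it. The account IDs, role names and external ID are constructed placeholders; only the Principal and the sts:ExternalId StringEquals condition are modelled.

```python
# Constructed sample trust policies; account IDs and external ID are placeholders.
THIRD_PARTY = "111122223333"

POLICY_ACCOUNT_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{THIRD_PARTY}:root"},
        "Action": "sts:AssumeRole",
    }],
}

POLICY_WITH_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{THIRD_PARTY}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "audit-12345"}},
    }],
}


def account_of(principal):
    """Return the 12-digit account ID from an ARN or a bare account ID."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def assume_role_allowed(trust_policy, caller_arn, external_id=None):
    """Simplified evaluation of one sts:AssumeRole call against a trust policy.
    Returns True if some Allow statement matches the caller's account and
    (if present) the sts:ExternalId condition."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        allowed = stmt["Principal"]["AWS"]
        allowed = [allowed] if isinstance(allowed, str) else allowed
        if account_of(caller_arn) not in {account_of(a) for a in allowed}:
            continue  # caller's account is not a trusted principal
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue  # external ID missing or wrong: statement does not match
        return True
    return False


if __name__ == "__main__":
    # The third party's service, tricked into using your role ARN for another customer,
    # passes that customer's external ID rather than the one you agreed on.
    deputy = f"arn:aws:iam::{THIRD_PARTY}:role/audit-service"
    print("account-only policy:", assume_role_allowed(POLICY_ACCOUNT_ONLY, deputy, "other-customer"))
    print("external-id policy:", assume_role_allowed(POLICY_WITH_EXTERNAL_ID, deputy, "other-customer"))
```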

Reference:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

The Confused Deputy problem is a security vulnerability that occurs when a trusted entity, such as an IAM role, is manipulated by an attacker to gain access to resources that the trusted entity has permission to access. In this scenario, the attacker would assume the cross-account IAM role and access the DynamoDB tables that the third party is authorized to access, potentially compromising the security of your AWS resources.

To prevent this problem, you need to implement measures that ensure that only the intended IAM entities can assume the cross-account IAM role.

Option A, configuring an identity pool in AWS Cognito and assigning a token for your IAM role, is not an appropriate solution because tokens can be easily stolen or manipulated, leading to unauthorized access.

Option B is the correct solution. By ensuring that only the third party's AWS account ID is included in the principal field of the cross-account IAM role, you limit access to only the intended party. This solution is straightforward, secure, and easy to implement.

Option C is a viable solution, but it requires additional configuration and management. By asking the third party for an external ID that it includes when it assumes the IAM role, and checking the external ID in the role's trust policy, you can ensure that only authorized entities can assume the role. That extra configuration may not be necessary if the solution in option B is used.

Option D is not the best solution, as it only limits access to a specific AWS account ID, which may not be sufficient to prevent unauthorized access. An attacker could still manipulate the role to gain access to resources that the role is authorized to access.

In summary, the best solution to prevent the Confused Deputy problem in this scenario is to ensure that only the third party's AWS account ID is included in the principal field of the cross-account IAM role.