We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.
If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”
Customize cookie preferences
We use cookies and similar tools (collectively, "cookies") for the following purposes.
Essential
Essential cookies are necessary to provide our site and services and cannot be deactivated. They are usually set in response to your actions on the site, such as setting your privacy preferences, signing in, or filling in forms.
Performance
Performance cookies provide anonymous statistics about how customers navigate our site so we can improve site experience and performance. Approved third parties may perform analytics on our behalf, but they cannot use the data for their own purposes.
Allowed
Functional
Functional cookies help us provide useful site features, remember your preferences, and display relevant content. Approved third parties may set these cookies to provide certain site features. If you do not allow these cookies, then some or all of these services may not function properly.
Allowed
Advertising
Advertising cookies may be set through our site by us or our advertising partners and help us deliver relevant marketing content. If you do not allow these cookies, you will experience less relevant advertising.
Allowed
Blocking some types of cookies may impact your experience of our sites. You may review and change your choices at any time by selecting Cookie preferences in the footer of this site. We and selected third-parties use cookies or similar technologies as specified in the AWS Cookie Notice.
Your privacy choices
We display ads relevant to your interests on AWS sites and on other properties, including cross-context behavioral advertising. Cross-context behavioral advertising uses data from one site or app to advertise to you on a different company’s site or app.
To not allow AWS cross-context behavioral advertising based on cookies or similar technologies, select “Don't allow” and “Save privacy choices” below, or visit an AWS site with a legally-recognized decline signal enabled, such as the Global Privacy Control. If you delete your cookies or visit this site from a different browser or device, you will need to make your selection again. For more information about cookies and how we use them, please read our AWS Cookie Notice.
The Confused Deputy Problem happens when a trusted entity is misled into doing something wrong because it doesn't know it's being tricked by someone.
Analogy Think of a situation at a bank. You are a customer, and based on your instructions the bank teller handles tasks for your account, like deposits or withdrawals. One day Mr. Unknown walks into the bank pretending to be you. They tell the teller, "Do the money transfer from this customer’s account to mine." If the teller doesn’t confirm the person’s identity, they might accidentally send your money to the wrong person's account.
How this happens in AWS and how can we resolve it?
This can happen in AWS when a trusted AWS service (deputy) is confused and performs unauthorized actions because it doesn't verify from where the request comes.
This often happens in scenarios involving cross-account access or when services interact on behalf of multiple users/accounts.
Requirement: You hired a 3rd party to do the security audit periodically for your AWS account and provide the audit report.
For accessing your AWS account by the 3rd party AWS account:
Create an IAM Role for Cross-Account access and this IAM role is assumed by this 3rd party only
Create a Trust Policy by adding the 3rd party's account Id to the Principal object of the policy
Give the permissions in the policy for accessing the service
Share this role ARN with the 3rd party
3rd party will authenticate with AWS
Assume the Role provided by your account
Access your AWS account
Image not found
3rd party access your account via IAM Role
Trust Policy:
Image not found
configured
The above approach is very secure and AWS security will manage that this 3rd party account only accesses this role.
Now assume the same 3rd party is auditing many other customers' AWS accounts like Customer X and Customer Y along with your account as shown below:
Image not found
3rd party access more than one account for auditing Is there any way the Other Customer can access your account using a third-party account?
Let's try this way: If Customer 'Y' somehow gets Your account's role which you have created for the 3rd party (arn: aws: iam::111111111111/security) by any means like Social Engineering etc. then Customer 'Y' can ask the 3rd party service provider to use Your IAM role to get your audit data.
See the below image for a simple explanation.
Image not found
3rd party is a gave the audit data to Customer Y
Here the 3rd party account is the CONFUSED DEPUTY
Image not found
3rd party Account is the Confused Deputy
Mitigation of Confused Deputy problem
We need some mechanism other than the Account Id to verify the account for which it is configured. So one of the solutions is to create an ExternalId attached to the Account Id and change the Trust policy to explicitly assign the ExternalId.
So whenever the Customer wants to assume the Role and try to access the account they MUST pass the ExternalId as well.
Image not found
Assign ExternalId to all the customers accounts
Trust Policy:
Image not found
Now if Customer Y tries to pass the IAM Role arn: aws: iam::111111111111/security to access Your account via 3rd party account, 3rd party will see the request coming from Customer Y and they will add the ExternalId of Customer Y to the request which will not match and there will be an Access Denied.
Image not found
Extra check using ExternalId to resolve the problem
NOTE: Whenever you grant access to your account to a 3rd party environment always remember to configure the ExternalId (Unique) as a part of your IAM Role.
I have covered ExternalId as the solution here but services like IAM, Resource Policies, and Service Control Policies also help us to mitigate the Confused Deputy Problem.
