All Products
Search

This Product

    Resource Access Management:Use external IDs to prevent the confused deputy issue

    Document Center

    Resource Access Management:Use external IDs to prevent the confused deputy issue

    Last Updated:Jun 16, 2023

    This topic describes the scenarios of external IDs. This topic also describes how external IDs work and how to use external IDs.

    Scenarios

    In some cases, enterprises require third-party vendors to manage their cloud resources in scenarios such as log audit, cost management, and security monitoring. In these scenarios, cross-account access is involved because enterprises grant the third-party vendors the permissions to access their cloud resources. Alibaba Cloud Resource Access Management (RAM) provides the AssumeRole operation to implement cross-account access.

    A third-party vendor may need to access multiple Alibaba Cloud accounts of multiple customers. If an attacker deceives the third-party vendor and the vendor considers the attacker as a customer, the real customer encounters the confused deputy issue. The confused deputy issue is a security issue that occurs when a trusted entity is deceived or misled by a malicious entity to perform unauthorized operations. After the malicious entity deceives the trusted entity to gain unauthorized access, the malicious entity becomes a confused deputy. Alibaba Cloud RAM provides external IDs to prevent the confused deputy issue. For more information, see AssumeRole.

    How external IDs work

    1. A third-party vendor generates a unique external ID for each customer. Each external ID is a random string.

    2. After a customer obtains the external ID from the third-party vendor, the customer adds the external ID to the trust policy of the role that is assumed by the third-party vendor to access the resources of the customer.

    3. When the third-party vendor calls the AssumeRole operation to assume the role, the third-party vendor must specify the external ID that is generated for the customer. If no external ID is provided or the provided external ID is invalid, the call fails.

    Procedure

    In this example, the third-party vendor is Deputy, the Alibaba Cloud account of the vendor is Deputy_Account, the Alibaba Cloud account of the customer is Customer_Account, and the external ID provided by the vendor to the customer is abcd1234. Deputy needs to access the resources of Customer_Account by using Deputy_Account.

    1. The customer creates a RAM role within Customer_Account, selects Deputy_Account as the trusted entity for the RAM role, and grants the required permissions to the RAM role.

      For more information, see Create a RAM role for a trusted Alibaba Cloud account and Grant permissions to a RAM user.

    2. The customer modifies the trust policy of the RAM role by adding an ExternalId condition. The trusted entity can assume the RAM role only when the entity provides abcd1234 as the external ID. 

      {
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<deputy-accountId>:root"
        ]
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "abcd1234"
        }
      }
    }
  ],
  "Version": "1"
}

      For more information, see Edit the trust policy of a RAM role.

    3. When Deputy assumes the RAM role to access the resources of Customer_Account, Deputy provides abcd1234.

      In this example, Deputy sets the ExternalId parameter to abcd1234 in request parameters to call the AssumeRole operation. For more information, see AssumeRole.

    4. Deputy uses the Security Token Service (STS) token that is generated to access the resources of Customer_Account.

    References

    Use a RAM role to grant permissions across Alibaba Cloud accounts