How to Grant Access to AWS Resources to Third Party via Roles & External Id

Here we bring the next topic “Granting Access to AWS Resources to Third Party via Roles and External Id” to help you in the AWS Certified Security Specialty exam preparation. This topic comes under the Identity and Access Management (IAM) domain as highlighted in the blueprint of AWS Certified Security Specialty exam guide.

Note that the Identity and Access Management domain constitutes 20% of the total exam weight. So, this article will prove an invaluable resource in your AWS Certified Security Specialty exam preparation.

Problem Statement

Let us take a common use case: a consulting company that needs access to resources in an AWS account. For example, to carry out an audit of a company’s AWS account, the consulting company might need access to AWS resources in that account.

Giving Access Keys or creating an IAM user for this purpose is not the right way to go. Instead, you need to create an IAM Role that could be assumed and then have access to AWS resources (S3 in this example).

The diagram below shows this use case scenario.

Solution: Granting Access to AWS Resources to Third Party via Roles & External Id

To solve this scenario, you must carry out the following steps:

  • First, we need to create an IAM policy that would grant access to the S3 bucket. This would be done in the Company AWS account.
  • Next, we need to create an IAM role in the Company AWS account. This would have the policy assigned to it.
  • We would ensure that the Consulting AWS account number is given the required permission to assume this role.
  • The Consulting AWS account would then assume the role and then have access to the underlying S3 bucket.

Let’s look at an example of this using the AWS Console.

Step 1) Let’s assume that we have a bucket called awsproduction345 in an AWS account called cloud-production.

Step 2) Now let’s go to IAM and create a new policy.

We then add the JSON below to give access to the S3 bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::awsproduction345",
                "arn:aws:s3:::awsproduction345/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

The policy gives access to get the objects from the S3 bucket.

Step 3) Now let us create a role.

Step 4) Next, ensure that the trusted entity is “Another AWS account”. Also, enter the account number of the consulting company’s AWS account. So here the consulting company would need to give you their account number.

Step 5) When the time comes to assign permissions to the role, assign the IAM policy that was created in the earlier step.

Let’s assume that we created the policy with the name CrossAccountS3.

Step 6) Next, go ahead and create the role.

Step 7) Once the role is created, you need to take the ARN of the role. You need to give the role ARN to the Administrator of the Consulting Company.

Step 8) Now for the consulting company to start using the role, they need to ensure that a user in their account has the ability to assume the role.

Now let’s assume we are in the consulting company’s (i.e. 3rd party) AWS account. Let’s go to the user who is going to assume the role.

Step 9) Now go to the permissions and click on Add inline policy.

Step 10) In the JSON editor, add the policy for the user to assume the role which was created in the earlier step.

Step 11) Once you log in as the user, you can now switch roles.

Step 12) Provide the account number of the main company’s AWS account, specify the Role name and then switch roles.

Once you do this, you will now be able to access the bucket in the production account.
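The trust relationship from Step 4 and the inline policy from Step 10, written out as an added example that is not part of the original article. It also shows the `sts:ExternalId` condition named in the title, together with a check that flags a trust policy which lets an outside account assume the role without that condition. The account IDs, role ARN and external ID are placeholders assumed for the example.

```python
import json

# Placeholders assumed for this example; none of these values come from the article.
CONSULTING_ACCOUNT = "222222222222"
ROLE_ARN = "arn:aws:iam::111111111111:role/ExampleCrossAccountRole"
EXTERNAL_ID = "example-external-id-0001"


def trust_policy(trusted_account, external_id=None):
    """Trust policy attached to the role in the company account (Step 4)."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_policy(role_arn):
    """Inline policy for the consulting-account user (Step 10)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def audit_trust_policy(policy, own_account):
    """List Allow statements that trust an outside principal without sts:ExternalId."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        # A principal is an ARN, a bare 12-digit account ID, or "*".
        accounts = {p.split(":")[4] if p.startswith("arn:") else p for p in aws}
        external = sorted(accounts - {own_account})
        # Only StringEquals-style operators count; condition keys are case-insensitive.
        keys = {k.lower() for op, c in stmt.get("Condition", {}).items()
                if op.lower().startswith("stringequals") for k in c}
        if external and "sts:externalid" not in keys:
            findings.append((i, external))
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(CONSULTING_ACCOUNT, EXTERNAL_ID), indent=2))
    print(json.dumps(assume_role_policy(ROLE_ARN), indent=2))
    print(audit_trust_policy(trust_policy(CONSULTING_ACCOUNT), "111111111111"))
```

A role whose trust policy requires an external ID cannot be assumed through the console's Switch Role page used in Steps 11 and 12; it has to be assumed through the AWS CLI or API, passing the external ID with the AssumeRole call.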

Summary

  • Cross-account roles are used to give users access to resources in other AWS accounts.
  • The users can assume the role to have access to the resources in the external account.
  • The IAM policy will govern what type of access will be given to the role.
  • This is more secure than giving Access Keys for accessing the resources.

So, this is how you can grant access to AWS Resources to the third party via roles and external Id. It is very important to cover this topic while you are preparing for the AWS Security Specialty exam. Here we explained the solution with the example of the S3 bucket as an AWS resource. Hope this article helped you to understand the concepts of access granting to the third party. Once done with the preparation, you can check your preparation level with the AWS Certified Security Specialty practice tests.

About Pavan Gumaste

Pavan Rao is a programmer / Developer by Profession and Cloud Computing Professional by choice with in-depth knowledge in AWS, Azure, Google Cloud Platform. He helps the organisation figure out what to build, ensure successful delivery, and incorporate user learning to improve the strategy and product further.

1 thought on “How to Grant Access to AWS Resources to the Third Party via Roles & External Id?”

  1. Hi,

    How and where to generate external ID in 3rd party account? I came across that it would act as an additional layer of security.
