Adding an External ID to your Trust Policy

Follow

Adding an External ID to your Trust Policy

After creating an IAM role (such as when adding a billing source), you can choose to add its external ID to your IAM role trust policy. This optional security layer helps prevent unauthorized access to the account.

Adding the external ID to your trust policy helps ensure other tenants cannot trick Kion into providing access to your role or account. Kion stores a unique external ID for each AWS account it manages and always provides this ID when assuming roles. Requiring this external ID in your trust policy protects against malicious attempts to access accounts by falsely assuming different roles.

When you create an IAM role, we generate two IDs:

  • Service External ID. This ID is used by the Kion Service Role, which performs automated actions. This service external ID is automatically added for new accounts when using AWS Organizations.

    There are some cases where it must be manually added, including when adding new billing sources, adding new accounts without organization access, or if you want to add it for an account that existed before release release 3.6.16.

  • CAR External ID. This ID is used to verify user cloud access roles. When a user cloud access role is created that can access this account, the CAR external ID is automatically added to your trust policy. This only affects user cloud access roles, not account, service, or custom roles. You do not need to manually update your trust policy with this ID.

To edit your AWS trust policy with a service external ID:

  1. In the AWS console, sign in to your billing source account.
  2. Navigate to IAM > Access Management > Roles.
  3. Select the cloudtamer-service-role.
  4. Select Trust Relationships.
  5. Click Edit Trust Policy.
  6. Add the following condition block inline, replacing Service-XXXXXXX with your service external ID.

    The service external ID for your billing source account can be found by navigating in the Kion Applicaiton to Accounts > Billing Sources and selecting your AWS billing source.

    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Effect": "Allow",
    			"Principal": {
    				"AWS": <ARN>
    			},
    			"Action": "sts:AssumeRole",
    			"Condition": {
    				"StringEquals": {
    					"sts:ExternalId": "Service-XXXXXXX"
    				}
    			}
    		},
    		{
    			"Effect": "Allow",
    			"Principal": {
    				"AWS": <ARN>
    			},
    			"Action": "sts:TagSession"
    		}
    	]
    }				

    If you use session tags for attribute-based access control, the external ID and any session tags must be in separate statements. Make sure to include the comma between statements.

  7. Click Update Policy.

If there are times when you manually add accounts in Kion (for example, if you don't use AWS organizations), you will need to repeat this process for each account, adding the service external IDs for those accounts to their individual trust policies. This is also true when enabling AWS GovCloud account creation.

When adding multiple IDs to a trust policy, you can add an array of IDs to the same condition ("sts:ExternalId": ["EXTERNAL_ID", "SECOND_ID", "THIRD_ID"]).

Related Articles