Manage an AWS account external ID

The AWS account external ID is only used when adding an AWS account using a cross-account role.

Topics:

What is the external ID?

Along with the cross-account role ARN, the external ID is used to grant access from one AWS role to another. The external ID is provided by a third-party service that wants to assume the role of your account. If you trust that service to act on your behalf, you add that external ID to your cross-account role. In this case, Workload Security is the third-party service that is providing an external ID to you, in order to act on behalf of your AWS account. Workload Security uses this access to synchronize information from your AWS account and maintain an up-to-date record of your resources. For details, see this AWS document: How to Use External ID When Granting Access to Your AWS Resources.

Notes:

  • The external ID is only used when adding an AWS account using a cross-account role.
  • The same external ID is used for all AWS accounts added using cross-account roles.

Configure the external ID

Configuring the external ID is one step in a larger process of adding a cross-account role. See Add an AWS account using a cross-account role for details.

Update the external ID

If you previously added an AWS account using a cross-account role, you might have specified a user-defined external ID. To better align with AWS best-practices, Trend Micro recommends switching to the Workload Security-defined external ID.

AWS accounts that were previously added with a user-defined external ID will continue to function as normal.

Determine whether you're using a user- or manager-defined external ID

If you're not sure whether you're currently using a user- or manager-defined external ID, follow the procedure below to find out.

  1. Log in to Workload Security.
  2. Click Computers.
  3. Right-click the AWS account that was added using a cross-account role and select Properties.
  4. If an Update link appears next to the external ID, it means that a user-defined external ID is currently in use and should be updated. If an Update link does not appear, it's because the Workload Security-defined external ID is currently in use, and no action is necessary.
  5. Repeat this procedure for each account that has been added to Workload Security using a cross-account role.

Update the external ID through the Workload Security console

  1. If you have not already done so, log in to Workload Security, right-click the AWS account you want to update, and select Properties.
  2. Click the Update link that appears next to the external ID. The Update link disappears.
  3. Note the external ID. You'll need it in the next step to configure the cross-account role.
  4. Log in to the AWS account whose external ID you just updated. Update the cross-account role's IAM policy by replacing the old external ID with the new one.
  5. Back on the properties window, click Apply to apply changes.

    Your account's user-defined external ID has now been updated to the Workload Security-defined one.

  6. Repeat this procedure for each account that has been added to Workload Security using a cross-account role.

Update the external ID through the Workload Security API

  1. If you don't already have the new manager-defined external ID, call the /api/awsconnectorsettings endpoint to retrieve it (the ExternalId parameter).
  2. Log in to the AWS account where the cross-account role was configured. Update the cross-account role's IAM policy by replacing the old external ID with the new one. Repeat this step for each account that has been added to Workload Security using a cross-account role.
  3. Using the /api/awsconnectors endpoint, perform an Update action on the account you are updating, with its CrossAccountRoleARN parameter set to the same role ARN as it is currently. Do not provide an external ID in the request object.

    Your account's user-defined external ID has now been updated to the Workload Security-defined one.

Retrieve the external ID

There are a few ways to retrieve the external ID for use with cross-accounts.

Through the 'add account' wizard

Through the Workload Security API

  • Call the /api/awsconnectorsettings endpoint to retrieve it (the ExternalId parameter).

Disable retrieval of the external ID

You might want to disable the ability to view and retrieve the external ID in the Workload Security console to prevent unauthorized access to it. You can retrieve the ID once, store it in a safe place like your secrets manager, and then disable the retrieval for everyone else.

Retrieval can be enabled again at any time.

Disabling retrieval of the external ID also disables the quick setup method of adding AWS accounts.

To disable retrieval:

  1. Log in to Workload Security.
  2. Click Administration at the top.
  3. In the main pane, click the Security tab.
  4. Deselect Enable retrieval and viewing of AWS external ID.
  5. Click Save.

You can also use roles to prevent access to the external ID. For details, see Define roles for users.