Do you know what is confused deputy problem in the cloud?


Do you know what is confused deputy problem in the cloud?


To understand this first need to know what is a deputy?


Deputy is a program that takes action on half of the other programs or people. 


For example, when you take a leave from the office you will set up out of the office and ask someone from your team to be contacted in your absence. So your team member is acting as a deputy in your absence for your work.


What is confused, deputy?


A program that has permission given to it for one purpose applies that permission for some other purpose, that is contrary to the original intent of the permission.


For example, your team member is a deputy in your absence and has production access to add/update or delete the rows in the database. Let's say rows should not be deleted from the production database, it should always be added or updated But let's say your team member deletes the row from the database.


This means the user was given permission to add or update (original intent) but the user had to perform a delete operation which it shouldn’t have.


Now you understand what is confused deputy so Let's understand this in terms of cloud processing.


If you decide to hire a third-party company called company A to monitor your AWS account and help to optimize the costs of your AWS account. 


In order to track your daily spending, company A needs to access your AWS resources.


Company A also monitors many other AWS accounts for other customers.

 You can use an IAM role to establish a trusted relationship between your AWS account and Company A account. 


Company A uses Sample role ARN to obtain temporary security credentials to access resources in your AWS account. This means Company A is acting as a deputy to access/monitor your AWS account.


Now let's say another AWS customer also starts using Company A services, now this other consumer asks company A to use the same sample role ARN ,

Company A is using the same sample role ARN to access your AWS account it will end up accessing your AWS account services 


This is how the other customer could gain unauthorized access to your resources. In this example Company A is a "confused deputy.”

 

How can we address the confused deputy problem?


This is actually very simple, In this case, Company A can address Confuse deputy problem by introducing a unique identifier while accessing each account. This will help in accessing the correct AWS account resources for each request.


 So Company A will generate a unique External ID for each consumer and uses that value in its request to assume the role.


This External ID should be unique and should be controlled by Company A and not by its consumer. This will prevent Company A from being confused deputy and granting access to another account's AWS resources.


Hope you have found this information useful



“P.S. If you read it till the end, Thank you!...

This article is part of AWS Career Growth Program (AWS-CGP) by Pravin Mishra

For more AWS related content please visit the website.”

You are welcome to help other cloud enthusiasts to learn AWS by sharing the link to AWS-CGP and join our upcoming batch.

Comments

Post a Comment

Popular posts from this blog

AWS Regions and Availability Zones & Edge Locations

Image
AWS Regions and Availability Zones What are Regions  & AZ? It is a physical location around the world where aws has cluster data centers .  AWS call each group of logical data centers an Availability Zone .  Each AWS Region consists of a minimum of three, isolated, and physically separate AZs within a geographic area. Unlike other cloud providers, who often define a region as a single data center, the multiple AZ design of every AWS Region offers advantages for customers.  Each AZ has independent power, cooling, and physical security and is connected via redundant, ultra-low-latency networks. AWS customers focused on high availability can design their applications to run in multiple AZs to achieve even greater fault-tolerance. AWS infrastructure Regions meet the highest levels of security, compliance, and data protection. AWS provides a more extensive global footprint than any other cloud provider, and to support its global footprint and ensure customers are se...
Read more

Cloud fundamentals

Image
  What is cloud computing? Cloud computing is the on-demand availability of  computer   system resources , especially data storage ( cloud storage ) and  computing power , without direct active management by the user. Its a Pay as you go service , where you don’t need to buy ,own or maintain physical data centres and servers, you can access technology services, such as computing power, storage, and databases, on an as-needed basis from a cloud provider like Amazon Web Services (AWS).   What are the benefits of cloud computing? 1.Agility - It goes access to board range of technology so that you can innovate faster   2.Elasticity - You don’t need to over provision the resources 3.Cost savings - Trade fixed expenses (such as data centers and physical servers) for variable expenses, and only pay for IT as you 4.Deploy globally in minutes Cloud Computing Models 1.Infrastructure as a Service (IaaS) Infrastructure as a Service provides you with the highest le...
Read more

Getting Started with AWS

Securing an AWS Account          It is very important to secure your AWS account. Following are some best practices that              can be used to safeguard your AWS account          Safeguard your passwords and access keys Activate multi-factor authentication (MFA) on the AWS account root user  and any users with interactive access to AWS Identity and Access Management (IAM) Limit AWS account root user access to your resources Audit IAM users and their policies frequently Create Amazon Elastic Block Store (Amazon EBS) snapshots, Amazon Relational Database Service (Amazon RDS) snapshots, and Amazon Simple Storage Service (Amazon S3) object versions Use AWS Git projects to scan for evidence of unauthorized use Monitor your account and its resources                     Note:  If you're using AWS Identity Center or IAM federa...
Read more