Skip to content

AWS Connect and Validate

Overview

Connect to AWS and validate the connection, either by assuming a role or using static ACCESS_KEY_ID and SECRET_ACCESS_KEY

Assuming a Role

In AWS (Amazon Web Services), roles and associated terms like ARN (Amazon Resource Name) and External ID are part of its Identity and Access Management (IAM) system, which is designed to securely manage access to AWS services and resources.

What is an ARN?

An ARN is a unique identifier that is used to specify a resource unambiguously across all of AWS. It’s not a secret, just a reference. Every AWS resource can be identified by an ARN, which is used in IAM policies, Amazon Resource Names (ARNs), and API calls to refer to specific resources within AWS. The format of an ARN includes information about the resource type, region, and name, looking something like this:

arn:aws:service:region:account:resourceType/resourceName

For example, an ARN for an S3 bucket might look like arn:aws:s3:::my-bucket-name.

What is an External ID?

An External ID is a feature in AWS that is used when you have a third-party application (Comnoco in this case) assuming an IAM role within your AWS account. It is a way to prevent the “confused deputy” problem, where a service is tricked into acting on behalf of a malicious actor. The External ID can be thought of as a secret key that the third-party service must provide when assuming the role, making it significantly harder for unauthorized entities to assume the role even if they have somehow obtained other necessary details.

How They Work Together

When a Comnoco needs to access your AWS resources (like S3 or DynamoDB) on your behalf, you can create an IAM role with policies that specify what actions are allowed on those resources. You then allow the third-party to assume this role. The ARN is used to specify which role the third-party should assume, and the External ID is used as an additional security measure to ensure that only the intended third-party can assume the role.

Are Either Considered a Secret?

  • ARN: No, an ARN is not considered a secret. It is a publicly identifiable piece of information that specifies a resource within AWS. However, exposing ARNs can potentially help an attacker to gather information about your AWS environment, so it’s wise not to share them unnecessarily.
  • External ID: Yes, the External ID can be considered a secret, especially in the context of a third-party service assuming a role in your AWS account. It acts as a shared secret between your AWS account and the third-party service to prevent unauthorized access.

Parameters

ParameterParameterValid BlocksRequired
Set a Dynamic Name Show the Dynamic Name slot in the tree so that it can be set statically or dynamically Boolean Block Group No
Dynamic Name The dynamic name of this item Text Block Group No
Attributes Metadata values for this block. Used in XML and multipart/form-data. Text Block Group No
AWS Connection Type The type of connection to use, either static or Assumed Role Text Block Group No
AWS Access Key ID The access key ID to use for the connection Text Block Group No
AWS Secret Access Key The secret access key to use for the connection Secret Block Group No
AWS Role ARN The ARN of the role to assume Text Block Group No
AWS External ID The external ID of the role to assume Secret Block Group No