AWS IAM role with external cross-account trust relationship does not use an external ID

Description

To reduce the risk of confused deputy attacks, external vendors should use an external ID when assuming a role in your AWS account.

Rationale

The use of external IDs mitigates the risk of confused deputy attacks.

Remediation

Ensure all external identities use an external ID when assuming a role in your AWS account.
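
A check for the condition this rule describes, as an added example (not Datadog's rule logic): it lists the external accounts that a role trust policy allows to call sts:AssumeRole without a StringEquals condition on sts:ExternalId. The account IDs, the external ID value, and the function names are constructed for illustration.

```python
import re

OWN_ACCOUNT = "111111111111"  # constructed: account that owns the role
VENDOR = {"AWS": "arn:aws:iam::222222222222:root"}  # constructed vendor principal

# Constructed trust policies: the weak form, then the same trust with an external ID.
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": VENDOR, "Action": "sts:AssumeRole"}]}
FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": VENDOR, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Return the 12-digit account ID of an AWS principal, or None (e.g. for "*")."""
    m = re.fullmatch(r"(?:arn:aws[\w-]*:(?:iam|sts)::)?(\d{12})(?::.*)?", principal)
    return m.group(1) if m else None


def _requires_external_id(stmt):
    """True if a StringEquals condition pins sts:ExternalId (matched case-insensitively)."""
    return any(
        op.lower() == "stringequals" and any(k.lower() == "sts:externalid" for k in keys)
        for op, keys in stmt.get("Condition", {}).items())


def external_trust_without_external_id(trust_policy, own_account):
    """Return external account IDs that may assume the role with no external ID required."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        # Only Allow statements naming sts:AssumeRole exactly are examined in this example.
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        for p in aws:
            account = _account_of(p)
            if account and account != own_account and not _requires_external_id(stmt):
                findings.append(account)
    return findings


if __name__ == "__main__":
    print("weak :", external_trust_without_external_id(WEAK, OWN_ACCOUNT))
    print("fixed:", external_trust_without_external_id(FIXED, OWN_ACCOUNT))
```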