{"id":68630,"date":"2018-12-19T09:53:45","date_gmt":"2018-12-19T09:53:45","guid":{"rendered":"https:\/\/www.whizlabs.com\/blog\/?p=68630"},"modified":"2020-08-31T17:59:32","modified_gmt":"2020-08-31T17:59:32","slug":"granting-access-to-aws-resources-to-third-party","status":"publish","type":"post","link":"https:\/\/www.whizlabs.com\/blog\/granting-access-to-aws-resources-to-third-party\/","title":{"rendered":"How to Grant Access to AWS Resources to the Third Party via Roles &#038; External Id?"},"content":{"rendered":"<p style=\"text-align: justify;\">Here we bring the next topic &#8220;<em>Granting Access to AWS Resources to Third Party via Roles and External Id<\/em>&#8221; to help you in the AWS Certified Security Specialty exam preparation. This topic comes under the <em>Identity and Access Management (IAM)<\/em> domain as highlighted in the blueprint of AWS Certified Security Specialty exam guide.<\/p>\n<p><a href=\"https:\/\/www.whizlabs.com\/aws-certified-security-specialty\/free-test\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" class=\"size-full wp-image-68666 aligncenter\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/AWS-Security-Specialty-Free-test.jpg\" alt=\"AWS Security Specialty Free test\" width=\"728\" height=\"90\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/AWS-Security-Specialty-Free-test.jpg 728w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/AWS-Security-Specialty-Free-test-300x37.jpg 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/AWS-Security-Specialty-Free-test-640x79.jpg 640w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/AWS-Security-Specialty-Free-test-681x84.jpg 681w\" sizes=\"(max-width: 728px) 100vw, 728px\" \/><\/a><\/p>\n<p style=\"text-align: justify;\">Note that Identity and Access Management domain constitutes 20% of the total exam weight. 
So, this article will prove an invaluable resource in your <a href=\"https:\/\/www.whizlabs.com\/blog\/prepare-aws-certified-security-specialty-exam\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Certified Security Specialty exam preparation<\/a>.<\/p>\n<h2 class=\"p3\"><span class=\"s1\">Problem Statement<\/span><\/h2>\n<p class=\"p3\"><span class=\"s1\">Let us take a common use case of consulting companies that need access to resources in an AWS account. For example, to carry out an audit of a company\u2019s AWS account, a consulting company might need access to AWS resources in that account.<\/span><\/p>\n<p class=\"p3\"><span class=\"s1\">Giving Access Keys or creating an IAM user for this purpose is not the right way to go. Instead, you need to create an IAM Role that the third party can assume to gain access to AWS resources (S3 in this example).<\/span><\/p>\n<p class=\"p3\"><span class=\"s1\">The diagram below shows this scenario:<\/span>\u00a0<img decoding=\"async\" class=\"aligncenter wp-image-68634 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/granting-access-to-aws-resources-1.png\" alt=\"company aws account\" width=\"495\" height=\"201\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-1.png 495w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-1-300x122.png 300w\" sizes=\"(max-width: 495px) 100vw, 495px\" \/><\/p>\n<h2 class=\"p3\"><span class=\"s1\">Solution: Granting Access to AWS Resources to Third Party via Roles &amp; External Id<\/span><\/h2>\n<p class=\"p3\"><span class=\"s1\">To solve this scenario, you must carry out the following steps:<\/span><\/p>\n<ul class=\"ul1\">\n<li class=\"li3\"><span class=\"s1\">First, we need to create an IAM policy that would grant access to the S3 bucket.
This would be done in the Company AWS account.<\/span><\/li>\n<li class=\"li3\"><span class=\"s1\">Next, we need to create an IAM role in the Company AWS account. This would have the policy assigned to it.<\/span><\/li>\n<li class=\"li3\"><span class=\"s1\">We would ensure that the Consulting AWS account number is given the required permission to assume this role.<\/span><\/li>\n<li class=\"li3\"><span class=\"s1\">The Consulting AWS account would then assume the role and then have access to the underlying S3 bucket.<\/span><\/li>\n<\/ul>\n<p class=\"p3\"><span class=\"s1\">Let\u2019s look at an example on this using the AWS Console<\/span><\/p>\n<p class=\"p3\"><span class=\"s1\">Step 1) Let\u2019s assume that we have a bucket called awsproduction345 in an AWS account called cloud-production<\/span>\u00a0<img decoding=\"async\" class=\"aligncenter wp-image-68649 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/GRANTING-ACCESS-TO-AWS-RESOURCES-NEW1.png\" alt=\"aws s3\" width=\"404\" height=\"242\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/GRANTING-ACCESS-TO-AWS-RESOURCES-NEW1.png 404w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/GRANTING-ACCESS-TO-AWS-RESOURCES-NEW1-300x180.png 300w\" sizes=\"(max-width: 404px) 100vw, 404px\" \/><\/p>\n<p class=\"p3\"><span class=\"s1\">Step 2) Now let\u2019s go to IAM and create a new policy<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-68636 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/granting-access-to-aws-resources-3.png\" alt=\"create IAM policy\" width=\"565\" height=\"306\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-3.png 565w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-3-300x162.png 300w\" sizes=\"(max-width: 565px) 100vw, 565px\" 
\/><\/p>\n<p class=\"p3\"><span class=\"s1\">We then add the JSON below to give access to the S3 bucket:<\/span><\/p>\n<pre class=\"p3\"><span class=\"s1\">{<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 <\/span>\"Version\": \"2012-10-17\",<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 <\/span>\"Statement\": [<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 <\/span>{<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/span>\"Sid\": \"VisualEditor0\",<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/span>\"Effect\": \"Allow\",<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/span>\"Action\": [<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/span>\"s3:GetObject\",<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/span>\"s3:ListBucket\",<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/span>\"s3:GetBucketLocation\"<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/span>],<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/span>\"Resource\": [<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/span>\"arn:aws:s3:::awsproduction345\",<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/span>\"arn:aws:s3:::awsproduction345\/*\"<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/span>]<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 <\/span>},<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 <\/span>{<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/span>\"Sid\":
\"VisualEditor1\",<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/span>\"Effect\": \"Allow\",<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/span>\"Action\": \"s3:ListAllMyBuckets\",<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/span>\"Resource\": \"*\"<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 \u00a0 \u00a0 <\/span>}<\/span>\n\n<span class=\"s1\"><span class=\"Apple-converted-space\">\u00a0 \u00a0 <\/span>]<\/span>\n\n<span class=\"s1\">}<\/span><\/pre>\n<p class=\"p3\"><span class=\"s1\"><img decoding=\"async\" class=\"aligncenter wp-image-68637 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/granting-access-to-aws-resources-4.png\" alt=\"set policy permissions\" width=\"572\" height=\"369\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-4.png 572w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-4-300x194.png 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-4-341x220.png 341w\" sizes=\"(max-width: 572px) 100vw, 572px\" \/><\/span><\/p>\n<p class=\"p3\"><span class=\"s1\">The policy gives access to get the objects from the S3 bucket.<\/span><\/p>\n<p class=\"p3\"><span class=\"s1\">Step 3) Now let us create a role<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-68638 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/granting-access-to-aws-resources-5.png\" alt=\"create IAM roles\" width=\"426\" height=\"415\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-5.png 426w, 
https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-5-300x292.png 300w\" sizes=\"(max-width: 426px) 100vw, 426px\" \/><\/p>\n<p class=\"p3\"><span class=\"s1\">Step 4) Next, ensure that the trusted entity is \u201cAnother AWS account\u201d (as shown in the image below). Also, enter the AWS account number of the consulting company. The consulting company would need to give you their account number.<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-68639 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/granting-access-to-aws-resources-6.png\" alt=\"another AWS account\" width=\"580\" height=\"272\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-6.png 580w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-6-300x141.png 300w\" sizes=\"(max-width: 580px) 100vw, 580px\" \/><\/p>\n<p class=\"p3\"><span class=\"s1\">Step 5) When it is time to assign permissions to the role, attach the IAM policy that was created in the earlier step.<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-68640 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/granting-access-to-aws-resources-7.png\" alt=\"ensure to assign IAM policy\" width=\"581\" height=\"299\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-7.png 581w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-7-300x154.png 300w\" sizes=\"(max-width: 581px) 100vw, 581px\" \/><\/p>\n<p class=\"p3\"><span class=\"s1\">Let\u2019s assume that we created the policy with the name CrossAccountS3.<\/span><\/p>\n<p class=\"p3\"><span class=\"s1\">Step 6) Next, go ahead and create the role.<\/span><\/p>\n<p><img decoding=\"async\"
class=\"aligncenter wp-image-68641 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/granting-access-to-aws-resources-8.png\" alt=\"create role\" width=\"591\" height=\"313\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-8.png 591w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-8-300x160.png 300w\" sizes=\"(max-width: 591px) 100vw, 591px\" \/><\/p>\n<p class=\"p3\"><span class=\"s1\">Step 7) Once the role is created, you need to take the ARN of the role. You need to give the role ARN to the Administrator of the Consulting Company.<\/span><\/p>\n<p class=\"p5\"><span class=\"s1\"><span class=\"Apple-converted-space\"><img decoding=\"async\" class=\"aligncenter wp-image-68633 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/granting-access-to-aws-resources.png\" alt=\"role ARN\" width=\"592\" height=\"239\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources.png 592w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-300x121.png 300w\" sizes=\"(max-width: 592px) 100vw, 592px\" \/>\u00a0\u00a0<\/span><\/span><\/p>\n<p class=\"p3\"><span class=\"s1\">Step 8) Now for the consulting company to start using the role, in their account, they need to ensure that a user will have the ability to assume the role<\/span><\/p>\n<p class=\"p3\"><span class=\"s1\">Now let\u2019s assume we are in the consulting company\u2019s (i.e. 3<\/span><span class=\"s5\"><sup>rd<\/sup><\/span><span class=\"s1\"> party) AWS account. 
Let\u2019s go to the user who is going to assume the role.<\/span><\/p>\n<p><span class=\"s1\"><img decoding=\"async\" class=\"aligncenter wp-image-68642 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/granting-access-to-aws-resources-9.png\" alt=\"GRANTING ACCESS TO AWS RESOURCES\" width=\"584\" height=\"162\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-9.png 584w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-9-300x83.png 300w\" sizes=\"(max-width: 584px) 100vw, 584px\" \/><\/span><\/p>\n<p class=\"p3\"><span class=\"s1\">Step 9) Now go to the permissions and click on Add inline policy<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-68643 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/granting-access-to-aws-resources-10.png\" alt=\"add inline permissions\" width=\"575\" height=\"210\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-10.png 575w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-10-300x110.png 300w\" sizes=\"(max-width: 575px) 100vw, 575px\" \/><\/p>\n<p class=\"p3\"><span class=\"s1\">Step 10) In the JSON editor, add the policy for the user to assume the role which was created in the earlier step<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-68644 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/granting-access-to-aws-resources-11.png\" alt=\"policy to add assume a role\" width=\"579\" height=\"233\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-11.png 579w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-11-300x121.png 300w\" 
sizes=\"(max-width: 579px) 100vw, 579px\" \/><\/p>\n<p class=\"p3\"><span class=\"s1\">Step 11) Once you log in as the user, you can now switch roles as shown below:<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-68645 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/granting-access-to-aws-resources-12.png\" alt=\"switch roles\" width=\"362\" height=\"329\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-12.png 362w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-12-300x273.png 300w\" sizes=\"(max-width: 362px) 100vw, 362px\" \/><\/p>\n<p class=\"p3\"><span class=\"s1\">Step 12) Provide the account number of the main company\u2019s AWS account, specify the Role name and then switch roles.<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-68646 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/granting-access-to-aws-resources-13.png\" alt=\"adding account number of main company\" width=\"572\" height=\"217\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-13.png 572w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/granting-access-to-aws-resources-13-300x114.png 300w\" sizes=\"(max-width: 572px) 100vw, 572px\" \/><\/p>\n<p class=\"p3\"><span class=\"s1\">Once you do this, you will now be able to access the bucket in the production account<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-68648 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/GRANTING-ACCESS-TO-AWS-RESOURCES-NEW.png\" alt=\"granting access to aws s3 bucket\" width=\"586\" height=\"174\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/GRANTING-ACCESS-TO-AWS-RESOURCES-NEW.png 586w, 
https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/GRANTING-ACCESS-TO-AWS-RESOURCES-NEW-300x89.png 300w\" sizes=\"(max-width: 586px) 100vw, 586px\" \/><\/p>\n<blockquote><p><strong>Other Related Resources:<\/strong><\/p>\n<p><a href=\"https:\/\/www.whizlabs.com\/blog\/iam-and-bucket-policies\/\" target=\"_blank\" rel=\"noopener noreferrer\">Working with IAM and Bucket Policy<\/a><\/p>\n<p><a href=\"https:\/\/www.whizlabs.com\/blog\/using-central-cloudtrail-s3-bucket-for-multiple-aws-accounts\/\" target=\"_blank\" rel=\"noopener follow noreferrer\" data-wpel-link=\"internal\">How to use a Central CloudTrail S3 Bucket for Multiple AWS Accounts?<\/a><\/p>\n<p><a href=\"https:\/\/www.whizlabs.com\/blog\/set-right-rules-for-security-groups-and-nacls\/\" target=\"_blank\" rel=\"noopener follow noreferrer\" data-wpel-link=\"internal\">How to set right inbound and outbound rules for Security Groups and NACLs?<\/a><\/p><\/blockquote>\n<h4 class=\"p3\" style=\"text-align: justify;\"><span class=\"s1\">Summary <\/span><\/h4>\n<ul class=\"ul1\" style=\"text-align: justify;\">\n<li class=\"li3\"><span class=\"s1\">Cross-account roles are used to give users access to resources in other AWS accounts.<\/span><\/li>\n<li class=\"li3\"><span class=\"s1\">The users can assume the role to have access to the resources in the external account.<\/span><\/li>\n<li class=\"li3\"><span class=\"s1\">The IAM policy will govern what type of access will be given to the role.<\/span><\/li>\n<li class=\"li3\"><span class=\"s1\">This is more secure than giving Access Keys for accessing the resources.<\/span><\/li>\n<\/ul>\n<p style=\"text-align: justify;\">So, this is how you can grant access to AWS Resources to the third party via roles and external Id. It is very important to cover this topic while you are preparing for the AWS Security Specialty exam. Here we explained the solution with the example of the S3 bucket as an AWS resource. 
We hope this article helped you understand how to grant access to a third party. Once done with the preparation, you can check your preparation level with the <a href=\"https:\/\/www.whizlabs.com\/aws-certified-security-specialty\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Certified Security Specialty practice tests<\/a>.<\/p>\n<p style=\"text-align: justify;\">Preparing with practice tests makes you confident enough to pass the exam on the first attempt. So, join us now and become a certified AWS Security Specialist.<\/p>\n<p style=\"text-align: justify;\"><em>Need any other help with your AWS Certified Security Specialty exam preparation? Write in the comments below or reach us at\u00a0<a href=\"https:\/\/help.whizlabs.com\/hc\/en-us\/requests\/new\" target=\"_blank\" rel=\"noopener follow noreferrer\" data-wpel-link=\"internal\">Whizlabs Helpdesk<\/a>; we\u2019ll be happy to help you!<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here we bring the next topic &#8220;Granting Access to AWS Resources to Third Party via Roles and External Id&#8221; to help you in the AWS Certified Security Specialty exam preparation. This topic comes under the Identity and Access Management (IAM) domain as highlighted in the blueprint of AWS Certified Security Specialty exam guide. Note that Identity and Access Management domain constitutes 20% of the total exam weight. So, this article will prove an invaluable resource in your AWS Certified Security Specialty exam preparation.
Problem Statement Let us take a common use case of consulting companies that need access to resources [&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":68657,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[58,230,235,827,921,1390],"class_list":["post-68630","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aws-certifications","tag-access-to-s3-bucket","tag-aws-certified-security-specialty","tag-aws-certified-security-specialty-practice-tests","tag-grant-access-to-aws-resources-to-third-party","tag-identity-and-access-management","tag-roles-external-id"],"uagb_featured_image_src":{"full":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/How-to-Grant-Access-to-AWS-Resources-to-Third-Party-via-Roles-External-Id_-2.png",600,315,false],"thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/How-to-Grant-Access-to-AWS-Resources-to-Third-Party-via-Roles-External-Id_-2-150x150.png",150,150,true],"medium":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/How-to-Grant-Access-to-AWS-Resources-to-Third-Party-via-Roles-External-Id_-2-300x158.png",300,158,true],"medium_large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/How-to-Grant-Access-to-AWS-Resources-to-Third-Party-via-Roles-External-Id_-2.png",600,315,false],"large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/How-to-Grant-Access-to-AWS-Resources-to-Third-Party-via-Roles-External-Id_-2.png",600,315,false],"1536x1536":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/How-to-Grant-Access-to-AWS-Resources-to-Third-Party-via-Roles-External-Id_-2.png",600,315,false],"2048x2048":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/How-to-Grant-Access-to-AWS-Resources-to-Third-Party-via-Roles-External-Id_-2.png",600,315,false],"profile_24":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/How-to-Grant-Access-to-AWS
-Resources-to-Third-Party-via-Roles-External-Id_-2.png",24,13,false],"profile_48":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/How-to-Grant-Access-to-AWS-Resources-to-Third-Party-via-Roles-External-Id_-2.png",48,25,false],"profile_96":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/How-to-Grant-Access-to-AWS-Resources-to-Third-Party-via-Roles-External-Id_-2.png",96,50,false],"profile_150":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/How-to-Grant-Access-to-AWS-Resources-to-Third-Party-via-Roles-External-Id_-2.png",150,79,false],"profile_300":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/How-to-Grant-Access-to-AWS-Resources-to-Third-Party-via-Roles-External-Id_-2.png",300,158,false],"tptn_thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/How-to-Grant-Access-to-AWS-Resources-to-Third-Party-via-Roles-External-Id_-2-250x250.png",250,250,true],"web-stories-poster-portrait":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/How-to-Grant-Access-to-AWS-Resources-to-Third-Party-via-Roles-External-Id_-2.png",600,315,false],"web-stories-publisher-logo":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/How-to-Grant-Access-to-AWS-Resources-to-Third-Party-via-Roles-External-Id_-2.png",96,50,false],"web-stories-thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/How-to-Grant-Access-to-AWS-Resources-to-Third-Party-via-Roles-External-Id_-2.png",150,79,false]},"uagb_author_info":{"display_name":"Pavan Gumaste","author_link":"https:\/\/www.whizlabs.com\/blog\/author\/pavan\/"},"uagb_comment_info":1,"uagb_excerpt":"Here we bring the next topic &#8220;Granting Access to AWS Resources to Third Party via Roles and External Id&#8221; to help you in the AWS Certified Security Specialty exam preparation. 
This topic comes under the Identity and Access Management (IAM) domain as highlighted in the blueprint of AWS Certified Security Specialty exam guide. Note that&hellip;","_links":{"self":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/68630","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/comments?post=68630"}],"version-history":[{"count":1,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/68630\/revisions"}],"predecessor-version":[{"id":75911,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/68630\/revisions\/75911"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media\/68657"}],"wp:attachment":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media?parent=68630"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/categories?post=68630"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/tags?post=68630"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}