External ID and the Confused Deputy
Prevent third parties from being tricked into misusing access.
A Subtle Trust Problem
When you let a third party assume a role in your account, a risk called the confused deputy problem can arise. The external ID is the simple but vital control that closes it, and the pattern appears on the exam whenever a SaaS vendor needs access to your AWS account.
What a Confused Deputy Is
A confused deputy is a trusted entity (the deputy) that is tricked into using its authority on behalf of an attacker. In AWS, a third-party service holds permission to assume roles in many customer accounts. An attacker who signs up with that service and enters the ARN of your role can get the service to assume it, because the trust policy cannot tell one of the vendor's tenants from another if nothing ties the request to the legitimate customer relationship. The external ID supplies that tie: the vendor generates a unique value for each customer, the customer adds it to the role's trust policy as a StringEquals condition on sts:ExternalId, and the vendor passes the same value as ExternalId on every AssumeRole call for that customer. A call made on the attacker's behalf carries the attacker's external ID, so STS denies it. Two caveats: the external ID is not a secret (AWS says not to treat it as one; it only binds a request to a tenant), and it complements rather than replaces restricting the trust policy's Principal to the vendor's account. Let the vendor generate the value; a customer-chosen external ID is easy for an attacker to reuse.
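The following is an added example, not course material, that simulates the scenario above offline: a small evaluator for the relevant subset of role trust policy semantics (Allow for sts:AssumeRole from a principal account, with an optional StringEquals sts:ExternalId condition), a stand-in SaaS vendor that assumes a role per tenant, and an attacker tenant who points the vendor at the victim's role ARN. The account IDs, role ARN and class names are hypothetical, and the evaluator is a model of how STS checks the condition, not a call to the real STS API.

```python
import secrets

# Hypothetical account ids and role ARN, constructed for this example.
VENDOR_ACCOUNT = "111111111111"
VICTIM_ACCOUNT = "222222222222"
VICTIM_ROLE_ARN = f"arn:aws:iam::{VICTIM_ACCOUNT}:role/VendorAccessRole"


def trust_policy(external_id=None):
    """Build the victim role's trust policy. With external_id=None this is the
    weak form (any AssumeRole from the vendor account is allowed); otherwise
    the sts:ExternalId condition is added, which is the hardened form."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_allowed(policy, caller_account, external_id=None):
    """Model of the trust-policy check STS performs for sts:AssumeRole.
    Only the subset used here is implemented: an Allow statement for
    sts:AssumeRole whose Principal includes the caller's account root and
    whose optional StringEquals sts:ExternalId equals the value in the
    request. A request without ExternalId never satisfies a required value."""
    caller_root = f"arn:aws:iam::{caller_account}:root"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if caller_root not in principals:
            continue
        required = (stmt.get("Condition", {})
                        .get("StringEquals", {})
                        .get("sts:ExternalId"))
        if required is not None and external_id != required:
            continue
        return True
    return False


class SaaSVendor:
    """The deputy: a vendor that assumes a role in each tenant's account.
    Each tenant receives a vendor-generated external ID at signup and later
    tells the vendor which role ARN to assume."""

    def __init__(self):
        self.external_ids = {}
        self.role_arns = {}

    def signup(self, tenant):
        # The vendor, not the tenant, picks the external ID (unique per tenant).
        self.external_ids[tenant] = secrets.token_hex(16)
        return self.external_ids[tenant]

    def register_role(self, tenant, role_arn):
        # Any tenant can type any ARN here; nothing proves they own it.
        self.role_arns[tenant] = role_arn

    def assume_tenant_role(self, tenant, trust_policies):
        """Stand-in for sts.assume_role(RoleArn=..., ExternalId=...): look up
        the trust policy of the requested role and evaluate it with the
        external ID that belongs to the requesting tenant."""
        policy = trust_policies[self.role_arns[tenant]]
        return assume_role_allowed(policy, VENDOR_ACCOUNT,
                                   self.external_ids[tenant])


def confused_deputy_scenario(use_external_id):
    """Run the attack against the weak or hardened trust policy and report
    whether the vendor succeeds in assuming the victim's role for each tenant."""
    vendor = SaaSVendor()
    victim_ext = vendor.signup("victim")
    vendor.signup("attacker")
    policy = trust_policy(victim_ext if use_external_id else None)
    trust_policies = {VICTIM_ROLE_ARN: policy}
    vendor.register_role("victim", VICTIM_ROLE_ARN)
    # The attacker does not own the victim's role but enters its ARN anyway.
    vendor.register_role("attacker", VICTIM_ROLE_ARN)
    return {
        "victim": vendor.assume_tenant_role("victim", trust_policies),
        "attacker": vendor.assume_tenant_role("attacker", trust_policies),
    }


if __name__ == "__main__":
    print("no external ID:", confused_deputy_scenario(False))
    print("with external ID:", confused_deputy_scenario(True))
```

With the weak policy both tenants succeed, which is the confused deputy: the vendor's own credentials are legitimate, but it is acting for the wrong customer. With the condition in place the vendor's call for the attacker carries the attacker's external ID, so the check fails for them and still passes for the victim. Note that the evaluator also rejects a caller from any account other than the vendor's, which is the Principal restriction the external ID complements.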