Skip to main content

Update Cross-Account IAM Role External ID

This topic discusses how to update the external ID for the cross-account IAM role when manually integrating AWS.

Update the External ID

  1. Ensure you have copied the external ID generated by the Lacework Console.
  2. Log in to your AWS account.
  3. Go to the Identity and Access Management (IAM) dashboard.
  4. Click Roles in the left sidebar. A list of existing IAM roles appears.
  5. Click the cross-account role you created when following the prerequisite steps in Cross-Account IAM Role.
  6. Click Trust relationships.
  7. Click Edit trust policy.
  8. Change the value for "sts:ExternalId": to the external ID that you copied from the Lacework Console during the manual integration.
  9. Click Update policy.

For details about the external ID format, refer to External ID Format.

Why Use an External ID Generated from the Lacework Console?

Lacework uses an external ID that the Lacework Console generates instead of one that you generate in order to prevent the confused deputy problem.

External ID Format

The Lacework-generated external ID follows this format:

lweid:<csp>:<version>:<lw_tenant_name>:<acct_id>:<random_string_size_10>

Example:

lweid:aws:v2:acmeinc:123456789012:dkl31.09ip

Where:

: - Used as a delimiter.

lweid - A static string.

<csp> - The cloud service provider, for AWS integrations it uses aws.

<version> - The EID format version, this is version 2 so it uses the static string v2.

<lw_tenant_name> - The unique tenant name, part of the URL <account>.lacework.net (examples: acmeinc, supercompany).

<acct_id> - The AWS account being integrated.

<random_string> - A random string of size = 10 that can ONLY contain letters, numbers, and these special characters = , . @ : / -

Additional AWS documentation reference information for IAM and AWS STS quotas.