
Update the External ID of an Existing AWS Integration

To strengthen our security posture, Lacework is introducing a new external ID format for all AWS integrations. The new format allows you to prevent the confused deputy problem and cross-service impersonation.

This topic describes how to update the external ID of an existing AWS integration.

note

To use Terraform to update the external ID format, see Update All AWS Terraform Modules.

The external IDs for the following AWS integrations must be updated:

  • Configuration
  • CloudTrail+Configuration
  • EKS Audit Log
  • Agentless Workload Scanning (Single account)
  • Agentless Workload Scanning (Organization)
  • AWS Security Hub
  • Amazon Elastic Container Registry (with IAM role-based authentication)
  • S3 data export

Update the External ID

Generate a New External ID in the Lacework Console

  1. Log in to the Lacework Console as a user with cloud accounts write permissions.
  2. Go to Settings > Cloud accounts and click the existing AWS integration that needs a new external ID.
  3. Click the Edit icon.
  4. Click the Refresh icon next to the External ID. This generates a new external ID that complies with the new format.
  5. Click the Copy icon next to the External ID.
  6. Leave the cloud account edit window open and unsaved.

Update the External ID in the AWS Console

  1. Log in to your AWS account.
  2. Go to the Identity and Access Management (IAM) dashboard.
  3. Click Roles in the left sidebar. A list of existing IAM roles appears.
  4. Choose the role you want to update, which is one of the following:
    • For existing integrations - The role that the existing integration uses. You can view this role in the Lacework Console by going to Settings > Cloud accounts and clicking the existing integration.
    • For new integrations - The cross-account IAM role you created when completing the AWS integration prerequisites.
  5. Click Trust relationships.
  6. Click Edit trust policy.
  7. Change the value of the "sts:ExternalId" condition key to the external ID that you copied from the Lacework Console.
  8. Click Update policy.

Save the Integration in the Lacework Console

  1. Return to the cloud account edit window in the Lacework Console.
  2. Click Save to finish the external ID update.

External ID Format

The Lacework-generated external ID follows this format:

lweid:<csp>:<version>:<tenant_name>:<aws_account_id>:<random_string_size_10>

Example:

lweid:aws:v2:acmeinc:123456789012:dkl31.09ip

Where:

  • : - Used as a delimiter.
  • lweid - A static string.
  • <csp> - The cloud service provider; for AWS integrations this is aws.
  • <version> - The external ID format version; this is version 2, so it uses the static string v2.
  • <tenant_name> - The unique tenant name, which is the <account> part of the URL <account>.lacework.net (examples: acmeinc, supercompany).
  • <aws_account_id> - The AWS account being integrated.
  • <random_string_size_10> - A random string of exactly 10 characters that can contain only letters, numbers, and these special characters = , . @ : / -

For additional reference information, see the AWS documentation on IAM and AWS STS quotas.
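As an added example (not Lacework's own code) of the checks worth running before clicking Save: the Python below parses an external ID against the format above, rejecting the old format and allowing ':' inside the random segment, and confirms that every sts:AssumeRole grant in a role's trust policy (step 7 of the AWS Console procedure) pins sts:ExternalId to that value. The trust policy, the principal account number and the reading of "=" as a separator rather than a member of the allowed character set are assumptions made here.

```python
import json
import re

# Character set assumed for the trailing 10-character random segment ("=" read as a separator).
_RANDOM_RE = re.compile(r"[A-Za-z0-9,.@:/-]{10}")
_ACCOUNT_RE = re.compile(r"[0-9]{12}")

def parse_external_id(external_id):
    """Split lweid:<csp>:<version>:<tenant_name>:<aws_account_id>:<random> into
    fields. The random segment may contain ':', so split on five delimiters only."""
    parts = external_id.split(":", 5)
    if len(parts) != 6:
        raise ValueError("expected six colon-delimited fields")
    prefix, csp, version, tenant, account, rnd = parts
    checks = [
        (prefix == "lweid", "must start with the static string 'lweid'"),
        (csp == "aws", "csp must be 'aws' for an AWS integration"),
        (version == "v2", "format version must be 'v2'"),
        (bool(tenant), "tenant name is empty"),
        (_ACCOUNT_RE.fullmatch(account), "aws_account_id must be exactly 12 digits"),
        (_RANDOM_RE.fullmatch(rnd), "random segment must be 10 chars of [A-Za-z0-9,.@:/-]"),
    ]
    for ok, reason in checks:
        if not ok:
            raise ValueError(reason)
    return {"csp": csp, "version": version, "tenant": tenant, "account_id": account, "random": rnd}

def trust_policy_requires(policy_json, external_id):
    """True if external_id is a valid v2 ID and every Allow/sts:AssumeRole
    statement in the trust policy pins StringEquals sts:ExternalId to it."""
    parse_external_id(external_id)  # reject malformed or old-format IDs first
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    matched = False
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            return False  # an AssumeRole grant without the new ID is the gap
        matched = True
    return matched

# Constructed sample trust policy; the principal account number is a placeholder.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "lweid:aws:v2:acmeinc:123456789012:dkl31.09ip"}}}]})
```

A trust policy whose AssumeRole statement still carries the old external ID, or no sts:ExternalId condition at all, fails the second check.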

Update All AWS Terraform Modules

If you plan to use Terraform to update the external ID format, update the following Terraform modules to the versions indicated:

  • lacework/terraform-aws-agentless-scanning v0.14.0 or later
  • lacework/terraform-aws-cloudtrail v1.0.3 or later
  • lacework/terraform-aws-config v0.7.2 or later
  • lacework/terraform-aws-alerts-to-s3 v0.4.1 or later
  • lacework/terraform-aws-iam-role v0.4.1 or later
  • lacework/terraform-aws-cloudtrail-controltower v0.4.0 or later

After the Terraform modules have been updated, apply the infrastructure changes.