CSPM connects to your account using the AWS-recommended best practice: a third-party cross-account role with an external ID and IP restriction. This is an IAM role that you create and then grant CSPM permission to assume. Even if a malicious user obtained the role information, they could not assume it from any AWS account other than CSPM's. CSPM then uses this role to make AWS API calls to your account.
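To check that a role's trust policy actually enforces these three controls, the following added example (not CSPM's own code) audits a trust policy document. It assumes the IP restriction is expressed as an `aws:SourceIp` condition; the account ID, external ID and CIDR range are constructed placeholders.

```python
import ipaddress

VENDOR_ACCOUNT = "111122223333"  # constructed placeholder for the vendor's AWS account ID

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _cond(stmt, operator, key):
    """Values of a condition key; operator and key names are case-insensitive."""
    for op, block in stmt.get("Condition", {}).items():
        if op.lower() == operator.lower():
            for k, v in block.items():
                if k.lower() == key.lower():
                    return _as_list(v)
    return []

def audit_trust_policy(policy, vendor_account_id):
    """Return findings for Allow statements that let AWS principals assume the role."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not arns:
            continue  # service or federated principals are out of scope here
        for arn in arns:
            # A principal is either a bare account ID or an ARN inside an account.
            account = arn.split(":")[4] if arn.count(":") >= 5 else arn
            if account != vendor_account_id:
                findings.append(f"statement {i}: principal {arn} is not the vendor account")
        if not _cond(stmt, "StringEquals", "sts:ExternalId"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
        cidrs = _cond(stmt, "IpAddress", "aws:SourceIp")
        if not cidrs:
            findings.append(f"statement {i}: no aws:SourceIp restriction")
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"statement {i}: aws:SourceIp {cidr} allows any address")
    return findings

# Constructed sample policies: one with all three controls, one with none.
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"},
                  "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]}
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"}}]}
```

An empty result for a policy such as `GOOD` means the principal, external ID and source IP conditions are all present; `WEAK` yields one finding per missing condition.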