The "Confused Deputy" issue in AWS is a security risk that potentially allows security vendors to serve as middlemen between an AWS account and two customers. You can read more about this issue on the AWS blog.

To protect against this vulnerability, Aqua CSPM takes a number of steps.

Enforcing UUID Usage for External IDs

All Aqua CSPM account external IDs are UUIDs and cannot be set to anything other than UUIDs. This helps ensure that our users cannot pick (or overwrite) the external IDs that are easier to guess, such as "abc".

Unique External IDs

All Aqua CSPM customers have a pool of 1+ external IDs (more than 1 if performing bulk onboarding) generated for them during the account connection process. These IDs cannot be used by any customer.

Enforcing Generated IDs

When a customer requests to onboard a new AWS account to Aqua CSPM, a new UUID is generated for that customer (tied to the account). That same UUID must be submitted later during the connection finalization process, otherwise the onboarding will fail. If someone else (from a different account) attempts to use the ID, the request will also fail.

With these controls in place, Aqua CSPM ensures that no customer can use Aqua's AWS account to access another customer's AWS resources.