SEC03-BP09: Share resources securely with a third party

You might need to share resources with a third party, such as a content delivery network (CDN), a contractor, or a shared service provider. When you share resources with a third party, use mechanisms such as cross-account roles with external IDs, resource-based policies, or third-party access management to maintain control over who can access your resources and under what conditions.

Implementation guidance

Sharing resources with third parties introduces additional security considerations beyond internal sharing. It’s essential to implement strong controls, monitoring, and governance to ensure that third-party access remains secure and compliant with your organization’s security policies.

Key steps for implementing this best practice:

1. Establish third-party access governance:
   • Define policies for third-party access to your resources
   • Implement approval processes for third-party access requests
   • Document third-party relationships and access requirements
   • Establish contractual security requirements for third parties
   • Create procedures for onboarding and offboarding third parties
2. Implement secure access mechanisms:
   • Use cross-account IAM roles with external IDs for third-party access
   • Implement time-limited access with automatic expiration
   • Use resource-based policies with specific conditions
   • Apply network-level restrictions where possible
   • Avoid sharing long-term credentials or access keys
3. Apply additional security controls:
   • Implement multi-factor authentication requirements
   • Use IP address restrictions for third-party access
   • Apply time-based access controls
   • Implement session monitoring and recording
   • Use encryption for data shared with third parties
4. Monitor and audit third-party access:
   • Track all third-party access activities
   • Set up alerts for unusual access patterns
   • Generate regular reports on third-party access
   • Implement automated compliance checks
   • Maintain detailed audit trails
5. Implement data protection measures:
   • Classify data before sharing with third parties
   • Apply appropriate encryption for shared data
   • Implement data loss prevention (DLP) controls
   • Use data masking or tokenization where appropriate
   • Establish data retention and deletion policies
6. Regularly review and validate access:
   • Conduct periodic reviews of third-party access
   • Validate business justification for continued access
   • Update access permissions based on changing requirements
   • Remove access when no longer needed
   • Test access revocation procedures

Implementation examples

Example 1: Cross-account role for third-party access with external ID

Code snippet hidden for website display

Example 2: S3 bucket policy for secure third-party data sharing

Code snippet hidden for website display

Example 3: Lambda function for third-party access monitoring

Code snippet hidden for website display

Example 4: CloudFormation template for third-party access setup

Code snippet hidden for website display

AWS services to consider

AWS Identity and Access Management (IAM)

Enables you to manage access to AWS services and resources securely. Use IAM roles with external IDs for secure third-party access without sharing credentials.

AWS CloudTrail

Records API calls for your account and delivers log files to you. Essential for monitoring and auditing third-party access activities.

Amazon CloudWatch

Monitors your AWS resources and the applications you run on AWS in real time. Set up alerts and dashboards for third-party access monitoring.

AWS Key Management Service (KMS)

Makes it easy for you to create and manage cryptographic keys and control their use. Use KMS to encrypt data shared with third parties.

Amazon S3

Object storage service that offers industry-leading scalability, data availability, security, and performance. Use S3 bucket policies and encryption for secure data sharing with third parties.

AWS Config

Enables you to assess, audit, and evaluate the configurations of your AWS resources. Use Config rules to monitor compliance with third-party access policies.

Benefits of sharing resources securely with third parties

• Enhanced security: Maintains control over third-party access while enabling necessary collaboration
• Improved compliance: Supports regulatory requirements for third-party data sharing and access control
• Better risk management: Reduces risks associated with third-party access through proper controls
• Operational efficiency: Enables secure collaboration without compromising security posture
• Audit readiness: Provides comprehensive audit trails for third-party access activities
• Scalable governance: Establishes repeatable processes for managing third-party relationships
• Incident response: Enables quick identification and response to third-party security incidents

Related resources

Related Resources

• AWS Well-Architected Framework - Share resources securely with a third party
• Providing access to an AWS account owned by a third party
• AWS global condition context keys
• How to use external ID when granting access to your AWS resources
• How to monitor and visualize failed SSH access attempts to Amazon EC2 Linux instances
• How to create a secure account structure using AWS Organizations and AWS SSO