Manage an AWS account external ID

The AWS account external ID is only used when adding an AWS account using a cross-account role.


What is the external ID?

Along with the cross-account role ARN, the external ID is used to grant access from one AWS role to another. The external ID is provided by a third-party service that wants to assume the role of your account. If you trust that service to act on your behalf, you add that external ID to your cross-account role. In this case, Deep Security is the third-party service that is providing an external ID to you, in order to act on behalf of your AWS account. Deep Security uses this access to synchronize information from your AWS account and maintain an up-to-date record of your resources. For details, see this AWS document: How to Use External ID When Granting Access to Your AWS Resources.


  • The external ID is only used when adding an AWS account using a cross-account role.
  • The same external ID is used for all AWS accounts added using cross-account roles. There is one ID per tenant.

Configure the external ID

Configuring the external ID is one step in a larger process of adding a cross-account role. See Add an AWS account using a cross-account role for details.

Update the external ID

If you previously added an AWS account using cross-account role, you might have specified a user-defined external ID. To better align with AWS best-practices, Trend Micro recommends switching to the manager-defined external ID.

AWS accounts that were previously added with a user-defined external ID will continue to function as normal.

Retrieve the external ID

There are a few ways to retrieve the external ID for use with cross-accounts.

Disable retrieval of the external ID

You might want to disable the ability to view and retrieve the external ID in the manager to prevent unauthorized access to it. You can retrieve the ID once, store it in a safe place like your secrets manager, and then disable the retrieval for everyone else.

Retrieval can be enabled again at any time.

To disable retrieval:

  1. Log in to Deep Security Manager.
  2. Click Administration at the top.
  3. In the main pane, click the Security tab.
  4. Deselect Enable retrieval and viewing of AWS external ID.
  5. Click Save.

You can also use roles to prevent access to the external ID. For details, see Define roles for users.