What is the Confused Deputy Problem?
The confused deputy problem arises when a more-privileged service (the "deputy") can be tricked into using its own permissions to act on a resource that the caller should not have access to.
The name comes from Norm Hardy's 1988 paper of the same title, which describes a program with broad authority of its own being fooled into exercising that authority on behalf of a less-privileged caller. In AWS it typically shows up with cross-service access: a resource or trust policy in your account trusts a service principal such as dms.amazonaws.com, an attacker in a different account configures that same service to reference your resource, and the service then calls your resource using its own service principal. Without further information the policy cannot tell a request the service is legitimately making for one of your resources from one the attacker engineered from their account.
AWS's standard fix is the aws:SourceArn and aws:SourceAccount global condition keys in resource-based and role trust policies. When a service makes a request on behalf of a resource, it populates these keys with that resource's ARN and owning account ID, so the policy can require that the service is acting specifically for a named source resource or account rather than for anyone who can drive the same service. Use both keys where the service supports them: aws:SourceAccount alone blocks cross-account abuse but still lets any resource of that type in your own account trigger the access. The keys are only set for requests a service makes on behalf of a resource, so the condition does nothing for services that do not populate them; check the per-service documentation before relying on it. Cross-account role trust policies for IAM principals (for example a third party assuming a role in your account) use a similar pattern with a shared secret checked through the sts:ExternalId condition key.
Example
    "Condition": {
        "StringEquals": { "aws:SourceAccount": "123456789012" },
        "ArnLike": { "aws:SourceArn": "arn:aws:dms:*:123456789012:task:*" }
    }
Common mistake
Writing a trust or resource policy that allows a service principal (e.g. dms.amazonaws.com, s3.amazonaws.com) without any aws:SourceArn / aws:SourceAccount condition. It works in testing, but it leaves the policy open to anyone who can get that service to reference your resource, including from someone else's account.
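The following is an added example, not code from this page or from Shieldly's analyzer: a small checker that walks a trust or resource policy document and flags the common mistake just described (a service principal allowed without aws:SourceArn / aws:SourceAccount) as well as a cross-account IAM principal allowed without sts:ExternalId. The two sample policies are constructed for the example; the account IDs, the DMS task ARN pattern and the ExternalId value are placeholders, and the rule that an in-account principal is not flagged is a heuristic of this script, not an AWS rule.

```python
"""Flag IAM policy statements that leave the confused-deputy gap open.

Added example (not Shieldly's analyzer). Sample policies, account IDs and the
ExternalId value below are constructed placeholders.
"""

# Condition keys that pin a service principal to a specific source.
SERVICE_SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_keys(statement):
    """Lower-cased condition keys used under any operator in the Condition block."""
    keys = set()
    for operator_values in statement.get("Condition", {}).values():
        keys.update(key.lower() for key in operator_values)
    return keys


def _principals(statement):
    """Yield (kind, value) pairs, e.g. ("Service", "dms.amazonaws.com")."""
    principal = statement.get("Principal", {})
    if principal == "*":  # anonymous principal: treat as an AWS principal from anywhere
        yield ("AWS", "*")
        return
    for kind, values in principal.items():
        for value in _as_list(values):
            yield (kind, value)


def _account_of(principal_value):
    """Account ID from an IAM ARN ('arn:aws:iam::123456789012:root'), else the value itself."""
    parts = principal_value.split(":")
    return parts[4] if parts[0] == "arn" and len(parts) > 4 else principal_value


def find_confused_deputy_gaps(policy, own_account):
    """Return (statement_index, principal, reason) for each Allow statement that trusts a
    service principal without aws:SourceArn/aws:SourceAccount, or an IAM principal outside
    own_account without sts:ExternalId. Heuristic: in-account principals are not flagged."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        keys = _condition_keys(statement)
        for kind, value in _principals(statement):
            if kind == "Service" and not (keys & SERVICE_SOURCE_KEYS):
                findings.append((index, value, "service principal without aws:SourceArn/aws:SourceAccount"))
            elif kind == "AWS" and _account_of(value) != own_account and "sts:externalid" not in keys:
                findings.append((index, value, "cross-account principal without sts:ExternalId"))
    return findings


# Constructed sample: the common mistake, both statements without any condition.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "dms.amazonaws.com"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"}, "Action": "sts:AssumeRole"},
    ],
}

# Constructed sample: the same trust relationships with the conditions applied.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "dms.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": "123456789012"},
                "ArnLike": {"aws:SourceArn": "arn:aws:dms:*:123456789012:task:*"},
            },
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
            "Action": "sts:AssumeRole",
            # Placeholder value; in practice a random secret shared out of band with the partner.
            "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-7f3a"}},
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, find_confused_deputy_gaps(policy, own_account="123456789012"))
```

Run against the weak policy the checker reports both statements; against the hardened one it reports nothing. The check is deliberately key-based rather than value-based: it confirms that a pinning condition exists, not that the ARN pattern is tight enough, so a wildcard such as "arn:aws:dms:*:123456789012:*" still passes and should be reviewed by hand.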
Analyze a real policy free
Shieldly's AI-Powered analyzer explains why an IAM policy is risky and returns the fix in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.
Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.