Third Party Access Control

One-Click Least Privilege. Zero Disruption.

© 2025 Sonrai Security. All rights reserved.

Overview

The Cloud Permissions Firewall (CPF) provides a simple and effective way to manage third-party access across all accounts within your AWS Organization.

What is third-party Access into AWS Accounts?

Third-party access in in this context refers to the ability of external entities such as vendors, partners, or contractors, to access resources and services within an AWS account. This access can be granted for various purposes, including system integration, support, and collaboration.

How does Sonrai know which accounts are considered third party?

The originating account for all trusted principals in either IAM Trust Relationships or Resource Policies are extracted and evaluated against the overall set of your known accounts. If the account in question is not within the list of your known accounts, and/or is on our list of known external identities, then it is deemed a third party.

Why is it important to control third-party access?

Controlling third-party access is crucial for several reasons:

• Security: Unauthorized access can lead to data breaches, loss of sensitive information, and potential misuse of resources

• Compliance: Many industries have regulatory requirements that mandate strict control over who can access data and systems

• Risk Management: Limiting access reduces the risk of malicious activities and helps in maintaining the integrity of your cloud environment(s)

• Accountability: Monitoring and controlling access ensures that all actions can be traced back to the responsible party, aiding in auditing and accountability

How does the Cloud Permissions Firewall manage third-party access?

The firewall leverages Resource Control Policies (RCPs) to manage access for third parties. This functionality will allow the Cloud Permissions Firewall to create control policies that block access to a number of resource types including S3, STS, KMS, SQS, Secrets Manager).

Further to that, you can disable or protect other services for those third party account(s) as needed!

Reference: See here for information on AWS RCPs & here for information on RCP use within the firewall.

---

Pre-Requisites

Enable RCPs (Required)

Resource Control Policies (RCPs) must be enabled in your AWS Organization to allow the Cloud Permissions Firewall to properly manage and secure third-party access.

tip

Learn how to enable RCPs in your AWS Organization.

---

Third Party Catalogue

The Cloud Permissions Firewall has a catalogue of third-party accounts that have access to your AWS accounts.

This catalogue is comprised of known vendors Sonrai has validated, as well as any custom third party vendors added by customers (once formally validated by Sonrai).

Examples of validated third parties within the firewall catalogue:

CheckPoint     

 Census

 

 Qualys

etc.

---

How Does It Work?

Within the Service page, manage external access to your cloud resources' privileged permissions to reduce risks associated with supply chain attacks and vendor-related breaches.

If completely disabling access to an entire third party is not viable, review each account role's policy to pare down to least privilege (where possible).

IAM Roles

For identities (i.e. roles), third parties are identified using the account specified in the trust relationship attached to the IAM role. For example in the following trust relationship, 123456789123 would be the account evaluated.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789123:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Resource Policies

For direct resource access, the firewall will evaluate all the relevant resource policies for supported services and identify any third-party principals. In the following example of a KMS key policy, 123456788123, 123456789456 and 917634341498 would all be evaluated.

{
  "Id": "key-consolepolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456788123:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789321:role/Admin"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789456:role/DMS-Redshift-endpoint-access-role"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789456:role/DMS-Redshift-endpoint-access-role"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}

Third Party Access Control

Within the firewall, there are six (6) states of third-party access. Each state change for a third party account requires you to redeploy the roles to apply the changes to your cloud.

State Name	Description
Blocked	All third party access is blocked in all accounts [at the selected scope] A third party is blocked at either Organization-level or a lower selected scope (i.e. OU, individual account, etc.) and those changes have been applied to your cloud
Blocked (Pending)	The "Block Access" button is clicked for a third party table row entry resulting in the third party pending being blocked [at the selected scope] These changes are visible within the Pending Changes list
Partially Blocked	Some third party access is blocked in all accounts [at the selected scope] A third party is disabled at a lower scope (i.e. OU, individual account, etc.) while other scopes under the Organization remain granted
Partially Blocked (Pending)	There are a set of pending changes that when applied will lead to the third party being partially blocked [at the selected scope] These changes are visible within the Pending Changes list.
Granted	All third party access is granted in all accounts [at the selected scope] A third party is granted access at either Organization-level or a lower selected scope (i.e. OU, individual account, etc.) and those changes have been applied to your cloud
Granted (Pending)	The "Grant Access" button is clicked for a third party table row entry resulting in the third party pending being granted access [at the selected scope] These changes are visible within the Pending Changes list

You also have the choice to either block or grant all new third party access (from that date/time onward):

Grant All New

Third parties newly added at this scope will be granted immediate access.

Block All New Mode

In "Block All New" mode, newly added third parties may only gain access via Permissions on Demand requests.

info

Any pre-existing third parties (at the date/time of the toggle) will retain their current status of granted or blocked access.

Rows with a lock icon are deemed to be necessary and cannot be blocked (Example: "Sonrai Security Third Party account access is required and cannot be blocked.")

Though you cannot take any action on these locked rows, you can still view more information about the third party account. In this example, the accounts shown are not within the list of known accounts for the Organization and as such are deemed a third party account:

Account Access

Click on the accounts number within the row to view all of the accounts which the third party accounts can access:

Here, you can see the list of accounts the third party has access to and for each:

a) the trust relationship that enabled this access

b) the level of permissions the third party can leverage (i.e. read, write, etc. actions)

Resource Access

Clicking on the resources number within the row will display all of the resources the third party account(s) can access:

Click on the "Policy" button to view the associated resource control policy:

Blocking Third Party Access

Blocking access for a specific third party (to all accounts/resources for a selected scope) is as simple as:

1. Clicking the "Block Access" button on the row of the third party you would like to block
2. Clicking the "Confirm" button on the confirmation dialog
3. Deploying those newly staged Pending Changes

---

Renaming Third Party Entries

To rename a third party entry, click on the pencil icon within the row of the third party you would like to rename it:

Next, you can choose from Sonrai's third party catalogue:

Or create a name for your new third party:

In the third party accounts tab, you will see all accounts identified as belonging to this third party:

You can add more 'unknown' accounts to any third party within the catalogue (Sonrai's or your custom third parties) to see the account(s) show within this tab, as desired.

---

FAQ

What if there is no access control in place for a third party?

The state defaults to granted.

Why is the third party showing as 'Unknown'?

If both name and iconId are blank, we label the Third Party as "Unknown" and display only the ID.