The confused deputy

06 October, 2021

The confused deputy problem happens when a third-party account you trust is tricked into assuming a role in the wrong account and potentially disclosing the secrets it finds there.

The third party could be an incident management vendor, an auditor or an accountant that needs access to your AWS account.

The trick works when a hacker, who is also a customer of the same vendor, hands the vendor a role to assume (same role name, but in the wrong account) at the same time you do, without the vendor noticing.

Solution

Use an external ID generated by the third party and shared with you. This could be a random number or a customer ID.

  1. Provide the role ARN to the vendor.
  2. Vendor provides you with an ExternalId.
  3. You add a Condition in the role's trust policy:

     {
       "Version": "2012-10-17",
       "Statement": {
         "Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Principal": {"AWS": "Example Corp's AWS Account ID"},
         "Condition": {"StringEquals": {"sts:ExternalId": "12345"}}
       }
     }

  4. Vendor assumes the role with the ExternalId (via the AssumeRole API).

The vendor can't assume a role that a hacker points it at unless the vendor deliberately colludes, or someone within your organization changes the ExternalId in the trust policy on purpose.
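To see why the condition in step 3 matters, here is an added example (not code from the original post) that models how STS evaluates the role's trust policy for an AssumeRole call and runs the confused-deputy scenario against a policy with and without the sts:ExternalId condition. The account IDs, role name and ExternalId values are constructed placeholders.

```python
# Added example: a minimal model of trust-policy evaluation for sts:AssumeRole,
# showing why the sts:ExternalId condition stops the confused deputy.
# All account IDs, role names and ExternalIds are constructed placeholders.
VENDOR_ACCOUNT = "111111111111"   # the third party (the deputy)
VICTIM_ACCOUNT = "222222222222"   # your account
ROLE_ARN = f"arn:aws:iam::{VICTIM_ACCOUNT}:role/VendorAccess"

def trust_policy(vendor_account, external_id=None):
    """Trust policy for the role; with external_id, adds the condition from step 3."""
    statement = {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"arn:aws:iam::{vendor_account}:root"},
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": statement}

def allows_assume_role(policy, caller_account, external_id=None):
    """True if some Allow statement trusts the caller's account and every
    sts:ExternalId StringEquals condition matches the value in the request."""
    statements = policy["Statement"]
    if isinstance(statements, dict):          # a single statement, as in the post
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account}:root":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            continue                          # wrong or missing ExternalId: no match
        return True
    return False

def vendor_assumes_role(policy, customer):
    """The deputy assumes whatever role a customer points it at, sending the
    ExternalId it issued to *that* customer; it cannot tell who owns the role."""
    return allows_assume_role(policy, VENDOR_ACCOUNT, customer["external_id"])

def scenarios():
    you = {"role_arn": ROLE_ARN, "external_id": "cust-7f3a"}       # ExternalId the vendor gave you
    attacker = {"role_arn": ROLE_ARN, "external_id": "cust-9c21"}  # another customer, pointing at YOUR role
    weak = trust_policy(VENDOR_ACCOUNT)                 # no ExternalId condition
    hardened = trust_policy(VENDOR_ACCOUNT, "cust-7f3a")
    return {
        "weak/you": vendor_assumes_role(weak, you),
        "weak/attacker": vendor_assumes_role(weak, attacker),          # True: confused deputy
        "hardened/you": vendor_assumes_role(hardened, you),
        "hardened/attacker": vendor_assumes_role(hardened, attacker),  # False: denied
    }
```

Running scenarios() shows the vendor still assumes your role on your own behalf, while the request made on the other customer's behalf is denied because the ExternalId it carries does not match the one in your trust policy.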

Recommendation

AWS recommends using Cognito instead of the AssumeRole API.
