Providing Access to AWS Accounts Owned by Third Parties
When third parties require access to your organization's AWS resources, you can use roles to delegate access to them. For example, a third party might provide a service for managing your AWS resources. With IAM roles, you can grant these third parties access to your AWS resources without sharing your AWS security credentials. Instead, the third party can access your AWS resources by assuming a role that you create in your AWS account.
Third parties must provide you with the following information for you to create a role that they can assume:
The third party's AWS account ID. You specify their AWS account ID as the principal when you define the trust policy for the role.
An external ID that the third party uses to uniquely associate you with your role. You specify this third-party-provided ID as a condition when you define the trust policy for the role. For more information about the external ID, see How to Use an External ID When Granting Access to Your AWS Resources to a Third Party.
The permissions that the third party requires to work with your AWS resources. You specify these permissions when defining the role's access policy. This policy defines what actions they can take and what resources they can access.
After you create the role, you must provide the role's Amazon Resource Name (ARN) to the third party. They require your role's ARN in order to use the role.
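The following is an added example, not code from this page or from AWS; it shows the two policy documents the steps above describe and a small local check of how the trust policy gates sts:AssumeRole. The account ID, external ID and bucket name are constructed sample values, and the evaluator is a simplified model of only the principal and sts:ExternalId checks, not AWS's policy engine.

```python
import json
from typing import Optional

# Constructed sample values, not from the page: the third party's AWS account
# ID, the external ID they asked you to use, and a bucket you want to share.
THIRD_PARTY_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id-12345"
BUCKET_NAME = "example-shared-bucket"


def build_trust_policy(third_party_account_id: str, external_id: str) -> dict:
    """Trust policy for the role: the third party's account is the principal,
    and the sts:ExternalId condition limits AssumeRole to calls that carry
    the agreed external ID (the confused-deputy protection the page refers to)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{third_party_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def build_permissions_policy(bucket_name: str) -> dict:
    """Access policy for the role: read-only access to one bucket, so the
    third party's use of your resources stays narrowly scoped."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket_name}",
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket_name}/*",
            },
        ],
    }


def assume_role_allowed(trust_policy: dict, caller_account_id: str,
                        external_id: Optional[str]) -> bool:
    """Simplified local model of the trust-policy check (not AWS's evaluator):
    the caller's account must be the principal and, when the statement has an
    sts:ExternalId condition, the supplied external ID must match it."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account_id}:root":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue
        return True
    return False


if __name__ == "__main__":
    trust = build_trust_policy(THIRD_PARTY_ACCOUNT_ID, EXTERNAL_ID)
    perms = build_permissions_policy(BUCKET_NAME)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    # Correct account and external ID: allowed. Missing ID or other account: denied.
    print(assume_role_allowed(trust, THIRD_PARTY_ACCOUNT_ID, EXTERNAL_ID))
    print(assume_role_allowed(trust, THIRD_PARTY_ACCOUNT_ID, None))
    print(assume_role_allowed(trust, "999999999999", EXTERNAL_ID))
```

Attach the first document as the role's trust policy and the second as its permissions policy when creating the role; the ARN of the resulting role is what you hand to the third party.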
For details about creating a role to delegate access to a third party, see How to Use an External ID When Granting Access to Your AWS Resources to a Third Party.
When you grant third parties access to your AWS resources, they can access any resource for which you give them permissions, and their use of your resources is billed to you. Ensure that you limit their use of your resources appropriately.