With external access, you can narrow the resource access grants inventory to the grants that matter most for third-party risk: those that allow a principal outside your AWS organization to reach your accounts and resources.
External access is access to your AWS accounts or resources by a principal outside your AWS organization. This is what AWS Access Analyzer and compliance frameworks call third-party access. The term external matches AWS Access Analyzer and is more precise than cross-account, which only means access from one account to another, whether or not that access leaves your organization.

Why external access matters

Access that stays inside your organization is governed by your own controls. Access that leaves it is held by someone else: a vendor, a partner, a federated identity, or in the worst case the public internet. You often cannot see how that access is used or revoke it on your own. Many compliance frameworks require you to inventory and review third-party access for exactly this reason.

Identifying external access

A grant is external when its Origin is External. Plerion gives you several ways to isolate these grants:
  • The External access tile: The Resource access grants view counts external grants in the External access tile, and untrusted ones in the Untrusted external access tile.
  • Preset views: Use the External, Untrusted external, Cross-org, or Public chips above the table to jump straight to a slice of external access.
  • The Origin filter: Set the Origin filter to External to show every external grant, then refine by Scope, Trust, or Principal type.
External grants carry one of these scopes: Cross-org (a specific outside account), Federated (an external identity provider), or Public (open to everyone through a wildcard principal).

You can also open the External access card on the Entitlements > AWS overview, which opens a panel pre-filtered to external grants only.

Figure: External access card on the Entitlements > AWS overview, opening a panel of external grants.

From external to untrusted

Not all external access is a problem. A vendor integration or a CI/CD identity may be exactly what you intended. Plerion separates the access you have confirmed from the access you have not:
  • Trusted: The principal matches an entry on your trusted principals list.
  • Untrusted: An external principal that is not on your trusted principals list.
Untrusted external access is the access most likely to need attention, so Plerion raises a finding for it. To work through your external access:
  1. Review the Untrusted external preset in the inventory.
  2. Add the principals you recognize to your trusted principals.
  3. Investigate and remediate what remains as untrusted external access findings.
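
The origin, scope and trust split described in the two sections above, as an added Python example (not Plerion's code or matching logic) that classifies the Principal element of IAM policy statements. The account IDs, ARNs, statements, the "Internal" and "Same-org" labels, and the rule that a trusted entry may be a full principal or an account ID are all assumptions made for illustration.

```python
import re

# Constructed sample data: every account ID, ARN and statement below is illustrative.
ORG_ACCOUNTS = {"111111111111", "222222222222"}   # accounts inside your AWS organization
TRUSTED = {"arn:aws:iam::333333333333:role/vendor-scanner"}   # hypothetical trusted list
STATEMENTS = [   # statements gathered from resource policies and role trust policies
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"}},
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::333333333333:role/vendor-scanner",
                                              "444444444444"]}},
    {"Effect": "Allow", "Principal": {"Federated": "accounts.google.com"}},
    {"Effect": "Allow", "Principal": "*"},
    {"Effect": "Deny", "Principal": {"AWS": "555555555555"}},
]
# Matches a bare 12-digit account ID or an IAM/STS ARN and captures the account ID.
ACCOUNT_RE = re.compile(r"^(?:arn:aws[\w-]*:(?:iam|sts)::)?(\d{12})(?::|$)")

def classify(statements, org_accounts, trusted):
    """Return (principal, origin, scope, trust) for each principal an Allow statement names.
    Condition blocks are not evaluated, so a conditioned grant is reported as unconditioned."""
    grants = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue                      # Deny statements grant nothing
        principal = st.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}      # normalize the bare wildcard form
        for kind, values in principal.items():
            if kind == "Service":
                continue                  # AWS service principals are out of scope here
            for p in values if isinstance(values, list) else [values]:
                m = ACCOUNT_RE.match(p)
                account = m.group(1) if m else None
                if p == "*":
                    origin, scope = "External", "Public"
                elif kind == "Federated":
                    origin, scope = "External", "Federated"
                elif account in org_accounts:
                    origin, scope = "Internal", "Same-org"    # labels assumed, not from the page
                else:
                    origin, scope = "External", "Cross-org"   # unparsed forms count as external
                matched = p in trusted or account in trusted
                trust = None if origin == "Internal" else ("Trusted" if matched else "Untrusted")
                grants.append((p, origin, scope, trust))
    return grants

def untrusted_external(grants):
    """The slice that needs review: external grants with no trusted-list match."""
    return [g for g in grants if g[1] == "External" and g[3] == "Untrusted"]
```

Because Condition blocks are ignored, a wildcard principal restricted by a condition still shows up as Public here, so treat the output as an upper bound to review rather than a final verdict.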