AWS Security Academy · Lesson

Cross-Account Roles and Resource Policies

Grant one account scoped access to resources in another.

Why Cross-Account Access

Real architectures span many accounts: a production account, a logging account, a shared-services account. Workloads and people often need to reach resources across these boundaries.

Never copy long-lived credentials (IAM user access keys) from one account into another. Instead, grant scoped, temporary access with a cross-account role or a resource-based policy on the target resource.

The Cross-Account Role Pattern

The most common pattern is a role in the target account that a principal in the source account assumes. Both accounts must agree to the arrangement:

  • The role's trust policy in the target account names the source account or, better, a specific source principal (a role or user ARN) as allowed to call sts:AssumeRole.
  • The source principal must also be allowed sts:AssumeRole on that role ARN by a policy in its own account; the trust policy alone is not enough.
  • The source principal calls AssumeRole and receives temporary credentials (access key ID, secret key, session token) that expire.
  • With those credentials it acts in the target account, limited to the role's permissions policy.
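The pattern above as code, added here as an example rather than taken from the lesson: the trust policy the target account puts on the role, the permissions policy attached to it, the sts:AssumeRole grant the source account needs on its side, a small checker for trust policies that are broader than intended, and the live AssumeRole call. Account IDs, role names, the bucket name and the external ID are hypothetical placeholders; the sts:ExternalId condition is the standard guard against the confused-deputy problem when the caller acts for third parties, and the checker's rules are this example's own heuristics, not an AWS feature.

```python
# Added example (not from the lesson): the three pieces of the cross-account
# role pattern as code. Account IDs, role names, bucket name and external ID
# are hypothetical placeholders.
import json
import re

SOURCE_ACCOUNT = "111111111111"   # hypothetical: account whose principal calls AssumeRole
TARGET_ACCOUNT = "222222222222"   # hypothetical: account that owns the role and the data
SOURCE_PRINCIPAL = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/Deployer"   # hypothetical
ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/LogReader"           # hypothetical
EXTERNAL_ID = "6f1c2e-shared-secret-for-this-integration"            # hypothetical

ASSUME_ACTIONS = ("sts:AssumeRole", "sts:*", "*")


def trust_policy(principal_arn: str, external_id: str) -> dict:
    """Trust policy on the role in the TARGET account: who may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},   # one specific role, not the whole account
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(bucket: str) -> dict:
    """Permissions policy attached to the role: what the session may do once assumed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def source_side_policy(role_arn: str) -> dict:
    """Identity policy in the SOURCE account: the caller must be allowed to call
    sts:AssumeRole on this role ARN, or the trust policy alone is not enough."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def check_trust_policy(policy: dict) -> list:
    """Flag the common ways a trust policy ends up broader than intended (own heuristics)."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ASSUME_ACTIONS for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if p == "*":
                findings.append("wildcard principal: any AWS account can attempt to assume this role")
            elif p.endswith(":root") or re.fullmatch(r"\d{12}", p):
                findings.append(f"account-wide principal {p}: every identity in that account that "
                                "is allowed sts:AssumeRole can assume this role; name a specific role ARN")
        conditions = stmt.get("Condition", {})
        if not any("sts:ExternalId" in v for v in conditions.values()):
            findings.append("no sts:ExternalId condition: add one when the caller acts for third parties")
    return findings


def assume_role(role_arn: str, external_id: str, session_name: str):
    """Live AssumeRole call (needs boto3 and credentials for the SOURCE principal).
    Returns a boto3 Session built from the temporary credentials, which expire."""
    import boto3  # imported here so the rest of the module works offline
    sts = boto3.client("sts")
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           ExternalId=external_id, DurationSeconds=3600)
    c = resp["Credentials"]
    return boto3.Session(aws_access_key_id=c["AccessKeyId"],
                         aws_secret_access_key=c["SecretAccessKey"],
                         aws_session_token=c["SessionToken"])


if __name__ == "__main__":
    tp = trust_policy(SOURCE_PRINCIPAL, EXTERNAL_ID)
    print(json.dumps(tp, indent=2))
    print("findings:", check_trust_policy(tp))   # [] for the scoped policy
    session = assume_role(ROLE_ARN, EXTERNAL_ID, "deployer-log-read")
    # The caller identity is now the assumed-role session in the target account.
    print(session.client("sts").get_caller_identity()["Arn"])
```

Run it without AWS credentials and only the policy construction and the checker execute; the AssumeRole call at the bottom needs boto3 plus credentials for the hypothetical Deployer role. Naming the account root in the trust policy is the usual mistake the checker catches: it delegates the decision of who may assume the role to the source account's own IAM administrators.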
