How does IAM assume-role work and how do you implement cross-account access securely?

Hard Topic: AWS May 24, 2026

Cross-account access uses the sts:AssumeRole API. A role in Account B carries a trust policy (the role's resource-based policy) that names Account A as a principal allowed to assume it:

# Trust policy on role in Account B (complete document; the page's
# fragment omitted Version, Statement and Effect)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_A_ID:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

An IAM principal in Account A calls aws sts assume-role and receives temporary credentials (up to 12 hours) that act in Account B. Access must be granted on both sides: the trust policy above allows the assumption, and the Account A principal also needs an identity-based policy permitting sts:AssumeRole on that role ARN. Security controls:

  • Add ExternalId condition for third-party access (prevents confused deputy attacks)
  • Add MFA condition for sensitive roles
  • Use SCPs at the AWS Organization level to restrict what can be assumed
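The following is an added example, not code from the original page: it builds the weak trust policy shown above beside a hardened one that adds the sts:ExternalId and MFA conditions, and includes a small audit that flags trust policies lacking those controls (wildcard principal, a third-party principal with no ExternalId, or a whole account delegated via :root). Account ids, the vendor role name and the external id are constructed placeholders.

```python
# Constructed sample account ids and external id; these are not real AWS accounts.
ACCOUNT_A = "111111111111"        # an account inside our own organization
ACCOUNT_B = "333333333333"        # the account that owns the role
VENDOR_ACCOUNT = "222222222222"   # a third party that will assume the role
VENDOR_EXTERNAL_ID = "example-external-id-7f3a"  # placeholder, shared out of band

def _as_list(v):
    return v if isinstance(v, list) else [] if v is None else [v]

def trust_policy(principal_arn, external_id=None, require_mfa=False):
    """Trust policy for a role in Account B. ExternalId ties the role to one
    customer relationship (confused-deputy defence); the MFA condition suits
    IAM-user callers whose session carries an MFA claim."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole"}
    cond = {}
    if external_id:
        cond["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        cond["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if cond:
        stmt["Condition"] = cond
    return {"Version": "2012-10-17", "Statement": [stmt]}

def audit_trust_policy(policy, org_accounts):
    """Return findings for Allow/AssumeRole statements that are broader than the
    controls above. org_accounts: set of account ids that belong to our organization;
    any other account is treated as a third party that must use ExternalId."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        has_external_id = "sts:ExternalId" in stmt.get("Condition", {}).get("StringEquals", {})
        for p in aws_principals:
            if p == "*":
                findings.append("wildcard principal: any AWS account may assume this role")
                continue
            parts = p.split(":")
            account = parts[4] if len(parts) >= 6 else p  # ARN form vs bare account id
            if account not in org_accounts and not has_external_id:
                findings.append(f"third-party principal {p} has no sts:ExternalId condition")
            if p.endswith(":root"):
                findings.append(f"{p} delegates to every IAM entity in that account")
    return findings
```

Running audit_trust_policy on the page's :root policy for a vendor account reports two findings, while the hardened policy (a specific vendor role plus ExternalId) reports none.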