How does IAM assume-role work and how do you implement cross-account access securely?
Cross-account access uses the sts:AssumeRole API. A role in Account B has a trust policy that allows Account A to assume it:
# Trust policy on the role in Account B (ACCOUNT_A_ID is a placeholder for the 12-digit account ID)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_A_ID:root"
},
"Action": "sts:AssumeRole"
}
]
}
An IAM principal in Account A calls aws sts assume-role and receives temporary credentials (valid for up to 12 hours) that act as the role in Account B. Security controls:
- Add an ExternalId condition for third-party access (mitigates confused-deputy attacks)
- Add an MFA condition for sensitive roles
- Use SCPs at the AWS Organizations level to restrict which roles can be assumed
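As an added example (not from the original answer), the following Python linter checks a trust policy for the controls listed above: a wildcard principal, a missing sts:ExternalId condition and a missing aws:MultiFactorAuthPresent condition. The two embedded policies and the account ID and ExternalId values in them are constructed for illustration.

```python
import json

# Constructed sample: the bare trust policy from the answer, with a made-up account ID.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample: the same policy hardened with ExternalId and MFA conditions.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"sts:ExternalId": "example-external-id-123"},
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
        },
    }],
})


def lint_trust_policy(policy_json: str) -> list:
    """Return one finding per weak Allow statement that grants sts:AssumeRole."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    for i, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        if "*" in aws:
            findings.append(f"statement {i}: wildcard principal lets any account assume the role")
        cond = stmt.get("Condition", {})
        if "sts:ExternalId" not in cond.get("StringEquals", {}):
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        if str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower() != "true":
            findings.append(f"statement {i}: no aws:MultiFactorAuthPresent condition")
    return findings
```

Run it against both constants to see the weak policy produce two findings and the hardened one none; SCP checks are out of scope because they live in the organization, not in the role's trust policy.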