
Setting Up IAM Roles for Cross-Account Access

By admin@oculuscyber.com

October 11, 2025


Setting Up IAM Roles for Cross-Account Access in AWS

Cross-account access is a common requirement in multi-account AWS environments — for example, allowing developers in one account to access S3 buckets or EC2 instances in another. The most secure and scalable way to achieve this is through IAM roles with trusted relationships, rather than long-term credentials.

1. The Core Concept

An IAM role defines a set of permissions and can be assumed by trusted entities (users, applications, or services) in other AWS accounts. When a principal assumes the role, AWS STS issues temporary security credentials scoped to that role's permissions (and further narrowed by any session policy passed in the call).

This model supports least privilege and removes the need to share long-term access keys across accounts: the temporary credentials expire on their own, and every action taken with them is logged against a named role session.

2. Example Scenario

Let's assume:

  • Account A (123456789012): The developer account (caller).
  • Account B (987654321098): The resource owner account (host of an S3 bucket).

Goal: Allow users in Account A to read from the S3 bucket in Account B.

3. Step-by-Step Setup

Step 1: Create a Role in the Target Account (Account B)

  1. Go to IAM → Roles → Create Role.
  2. Select Another AWS Account and enter the ID of Account A (123456789012).
  3. Attach permissions, e.g., S3 read-only access:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:GetObject", "s3:ListBucket"],
          "Resource": ["arn:aws:s3:::my-shared-bucket", "arn:aws:s3:::my-shared-bucket/*"]
        }
      ]
    }
    
  4. Name it CrossAccountS3ReadRole.

The console generates the following trust policy from step 2. Note that the root principal does not mean Account A's root user only: it delegates to Account A, so any IAM principal there that has been granted sts:AssumeRole on this role can assume it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
      "Action": "sts:AssumeRole"
    }
  ]
}

Step 2: Allow Users in Account A to Assume the Role

Attach the following policy to the users or groups in Account A:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::987654321098:role/CrossAccountS3ReadRole"
    }
  ]
}

Users can now assume the role via CLI:

aws sts assume-role \
  --role-arn arn:aws:iam::987654321098:role/CrossAccountS3ReadRole \
  --role-session-name DevAccess

By default the returned credentials are valid for one hour. --duration-seconds can request up to the role's configured maximum session duration (between 1 and 12 hours), except that a session obtained by chaining from another role is capped at one hour.

Step 3: Use Temporary Credentials

You can export the credentials into environment variables:

export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...

Then interact with the S3 bucket as if it were local:

aws s3 ls s3://my-shared-bucket
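The three steps above, carried out from Python instead of the console and the manual exports. This is an added example and not code from the original post; it reuses the account IDs, role name and bucket from the walkthrough, assumes boto3 is installed, and assumes the caller's own credentials carry the sts:AssumeRole permission granted in Step 2. The helper functions that map and time the credentials work offline; only assume_role_session talks to AWS.

```python
"""Assume the cross-account role from Python and use the temporary credentials.

Added example, not code from the original post. It reuses the account IDs,
role name and bucket from the walkthrough; boto3 must be installed and the
caller's own credentials must carry the sts:AssumeRole permission from Step 2.
"""
import os
from datetime import datetime, timezone

ROLE_ARN = "arn:aws:iam::987654321098:role/CrossAccountS3ReadRole"
BUCKET = "my-shared-bucket"

# STS response field -> environment variable the CLI and SDKs read (Step 3).
ENV_NAMES = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}


def credentials_to_env(credentials):
    """Map the Credentials block of an AssumeRole response to env vars.

    Same mapping as the manual export lines in Step 3. Dropping
    AWS_SESSION_TOKEN would make the key pair useless: temporary credentials
    are only accepted together with their session token.
    """
    return {env: credentials[field] for field, env in ENV_NAMES.items()}


def parse_expiration(value):
    """Expiration is a datetime from boto3 but an ISO-8601 string ('...Z') from
    `aws sts assume-role`; normalise both to an aware UTC datetime."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def seconds_remaining(credentials, now=None):
    """Seconds until the temporary credentials expire (0 once they have)."""
    now = now or datetime.now(timezone.utc)
    remaining = (parse_expiration(credentials["Expiration"]) - now).total_seconds()
    return max(0, int(remaining))


def assume_role_session(role_arn=ROLE_ARN, session_name="DevAccess", duration=3600):
    """Call AssumeRole and return (boto3 Session, Credentials dict).

    duration is DurationSeconds: it may not exceed the role's maximum session
    duration, and 3600 matches the one-hour default the CLI uses.
    """
    import boto3  # imported here so the helpers above work without boto3 installed

    sts = boto3.client("sts")
    response = sts.assume_role(
        RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=duration
    )
    creds = response["Credentials"]
    session = boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return session, creds


if __name__ == "__main__":
    session, creds = assume_role_session()
    # The assumed-role ARN embeds the session name; that is what CloudTrail records.
    print("running as", session.client("sts").get_caller_identity()["Arn"])
    print("credentials valid for", seconds_remaining(creds), "seconds")
    # Hand the same credentials to child processes such as the aws CLI:
    os.environ.update(credentials_to_env(creds))
    s3 = session.client("s3")
    for obj in s3.list_objects_v2(Bucket=BUCKET).get("Contents", []):
        print(obj["Key"])
```

Using a boto3 Session built from the assumed-role credentials keeps them out of the parent process's environment unless you explicitly export them, and get_caller_identity is a cheap way to confirm which role session you are actually running as before touching the bucket.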

4. Best Practices

  • Prefer role assumption to granting cross-account access through the bucket policy alone: the caller receives short-lived credentials, and each action is logged against a role session rather than a foreign long-term principal.
  • Limit trust policies to specific roles or users in the other account, not the whole account; the root principal in the trust policy above trusts every principal in Account A that is granted sts:AssumeRole.
  • Enable CloudTrail and monitor AssumeRole events in the target account. Choose role session names that identify the caller, because the session name is embedded in the assumed-role ARN of every subsequent API call.
  • Review role permissions and trust relationships periodically, and require MFA (an aws:MultiFactorAuthPresent condition in the trust policy) for sensitive roles.
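The first two best practices above, worked as an added example that is not code from the original post: the trust policy from Step 1 next to a hardened version that names a single IAM user and requires MFA, plus a small lint that flags the weak spots. The IAM user alice in Account A and the lint rules are illustrative assumptions. An aws:MultiFactorAuthPresent condition works for IAM users (and role sessions started with MFA); for a role-to-role trust, naming the exact role ARN as the principal is the main control.

```python
"""Trust-policy hardening for CrossAccountS3ReadRole, with a small lint.

Added example, not code from the original post. The IAM user alice in Account A
and the lint rules are illustrative assumptions.
"""
import json

# Trust policy from Step 1: the :root principal delegates to Account A, so any
# principal there that has sts:AssumeRole on this role can assume it.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Hardened: one named IAM user, and only from a session authenticated with MFA.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
}


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def aws_principals(statement):
    """AWS principals of a statement; Principal may be "*", a string ARN,
    or a map such as {"AWS": [...]}."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    return _as_list(principal.get("AWS", []))


def trust_policy_findings(policy):
    """Lint a trust policy: no whole-account or wildcard principals, no
    wildcard actions, and a Condition on every Allow statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for p in aws_principals(stmt):
            if p == "*" or p.endswith(":root"):
                findings.append(
                    f"statement {i}: principal {p} trusts an entire account or anyone; "
                    "name a specific role or user"
                )
        for action in _as_list(stmt.get("Action", [])):
            if action in ("*", "sts:*"):
                findings.append(f"statement {i}: action {action} is broader than sts:AssumeRole")
        if "Condition" not in stmt:
            findings.append(
                f"statement {i}: no Condition; require MFA (aws:MultiFactorAuthPresent) "
                "or an sts:ExternalId for third-party callers"
            )
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(f"{name}: {trust_policy_findings(policy) or 'no findings'}")
    # Ready to paste into the role's trust relationship in Account B:
    print(json.dumps(HARDENED_TRUST_POLICY, indent=2))
```

Run the lint over the trust policies of every role in an account (for example from the output of `aws iam get-role`) to find the ones that still trust an entire foreign account.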

In short: cross-account IAM roles let you share AWS resources securely and temporarily, without handing out permanent credentials. The model scales cleanly across teams, accounts, and automation pipelines, and every action remains traceable to a named role session.