Compliance Frameworks
BETA// Beta Mapping Disclaimer
Framework mappings are currently in beta. These references are generated based on technical specifications and common industry alignments. Mappings may be incomplete or inaccurate; always consult with a qualified auditor for official compliance validation.
Overview
Identify and review IAM roles in central accounts that allow external AWS accounts to assume them. This control uses IAM Access Analyzer to detect cross-account access and applies preventive Service Control Policies (SCPs) to restrict trust policy modifications to approved organization boundaries.
In a Landing Zone environment, central accounts (e.g., Security, Log Archive, Shared Services) often require cross-account roles for operational tasks. However, these roles must only trust verified member accounts within the AWS Organization. This control leverages IAM Access Analyzer to provide continuous monitoring and alerting for any IAM role that allows access from outside a defined zone of trust (typically the AWS Organization). Additionally, an SCP is used to prevent the creation or update of roles with trust policies that don't include the aws:PrincipalOrgID condition, ensuring near-universal organization-level restriction.
Uncontrolled cross-account trust relationships are a significant security risk, allowing potential lateral movement from compromised external accounts into the heart of the landing zone. IAM Access Analyzer provides a cost-effective, native way to identify these risks without the high overhead of AWS Config rules. Combining this with SCPs creates a "belt and suspenders" approach: SCPs prevent blatant misconfigurations, while Access Analyzer detects subtle or authorized but unrecorded external access.
Remediation Strategy
Review IAM Access Analyzer findings to identify and validate cross-account access. Remove unapproved trust principals from IAM role trust policies or coordinate approval via security exceptions.
Enable IAM Access Analyzer at the AWS Organizations level (Delegated Administrator).
Navigate to the Access Analyzer console and filter for findings of type 'External access'.
Filter results to focus on IAM Roles in central/management accounts.
For each finding, identify the 'Trusted entity' (external account ID or ARN).
Compare the trusted entity against the approved organization boundary or allowlist.
If the entity is unapproved, update the role's trust policy to remove the entity.
For legitimate external access (e.g., third-party SaaS), document the approval and archive the finding.
aws accessanalyzer list-findings \
--analyzer-arn <ANALYZER_ARN> \
--filter '{"resourceType": {"eq": ["AWS::IAM::Role"]}, "status": {"eq": ["ACTIVE"]}}'
# Inspect a specific role's trust policy
aws iam get-role --role-name <ROLE_NAME> \
--query 'Role.AssumeRolePolicyDocument'
# Update trust policy (replace with compliant policy document)
aws iam update-assume-role-policy \
--role-name <ROLE_NAME> \
--policy-document file://trust-policy.jsonEnforcement Logic
IAM Access Analyzer continuously monitors resource-based policies (including IAM Role trust policies). It generates a finding whenever a policy allows access to a principal outside of the 'Zone of Trust' (configured as the AWS Organization). The detection is continuous and event-driven, triggered by policy changes.
aws accessanalyzer list-findings \
--analyzer-arn <ANALYZER_ARN> \
--filter '{"resourceType": {"eq": ["AWS::IAM::Role"]}, "isPublic": {"eq": ["false"]}, "status": {"eq": ["ACTIVE"]}}' \
--query 'findings[?principal.AWS != null]'Trusted third-party integrations (e.g., security tooling vendors) may require cross-account access. These must be explicitly approved and documented.
Temporary cross-account access for incident response may be allowed if time-bound and monitored.
IAM Access Analyzer is the preferred tool for cross-account visibility in landing zones due to its native integration with AWS Organizations and zero additional cost for standard findings. Unlike AWS Config, which charges per-evaluation, Access Analyzer monitors policies continuously without extra per-rule fees.