Cloud Security Index
aws

high

Compliance Frameworks

BETA
CIS AWS Foundations Benchmark
1.16
NIST 800-53
AC-3, AC-6
AWS Well-Architected Framework
SEC 03
ISO 27001
A.9.4.1

// Beta Mapping Disclaimer

Framework mappings are currently in beta. These references are generated based on technical specifications and common industry alignments. Mappings may be incomplete or inaccurate; always consult with a qualified auditor for official compliance validation.

Overview

Identify and review IAM roles in central accounts that allow external AWS accounts to assume them. This control uses IAM Access Analyzer to detect cross-account access and applies preventive Service Control Policies (SCPs) to restrict trust policy modifications to approved organization boundaries.

In a Landing Zone environment, central accounts (e.g., Security, Log Archive, Shared Services) often require cross-account roles for operational tasks. However, these roles must only trust verified member accounts within the AWS Organization. This control leverages IAM Access Analyzer to provide continuous monitoring and alerting for any IAM role that allows access from outside a defined zone of trust (typically the AWS Organization). Additionally, an SCP is used to prevent the creation or update of roles with trust policies that don't include the aws:PrincipalOrgID condition, ensuring near-universal organization-level restriction.

Uncontrolled cross-account trust relationships are a significant security risk, allowing potential lateral movement from compromised external accounts into the heart of the landing zone. IAM Access Analyzer provides a cost-effective, native way to identify these risks without the high overhead of AWS Config rules. Combining this with SCPs creates a "belt and suspenders" approach: SCPs prevent blatant misconfigurations, while Access Analyzer detects subtle or authorized but unrecorded external access.

Remediation Strategy

Review IAM Access Analyzer findings to identify and validate cross-account access. Remove unapproved trust principals from IAM role trust policies or coordinate approval via security exceptions.

1.

Enable IAM Access Analyzer at the AWS Organizations level (Delegated Administrator).

2.

Navigate to the Access Analyzer console and filter for findings of type 'External access'.

3.

Filter results to focus on IAM Roles in central/management accounts.

4.

For each finding, identify the 'Trusted entity' (external account ID or ARN).

5.

Compare the trusted entity against the approved organization boundary or allowlist.

6.

If the entity is unapproved, update the role's trust policy to remove the entity.

7.

For legitimate external access (e.g., third-party SaaS), document the approval and archive the finding.

aws accessanalyzer list-findings \
  --analyzer-arn <ANALYZER_ARN> \
--filter '{"resourceType": {"eq": ["AWS::IAM::Role"]}, "status": {"eq": ["ACTIVE"]}}'

# Inspect a specific role's trust policy
aws iam get-role --role-name <ROLE_NAME> \
  --query 'Role.AssumeRolePolicyDocument'

# Update trust policy (replace with compliant policy document)
aws iam update-assume-role-policy \
  --role-name <ROLE_NAME> \
  --policy-document file://trust-policy.json

Enforcement Logic

Automatedaws-api

IAM Access Analyzer continuously monitors resource-based policies (including IAM Role trust policies). It generates a finding whenever a policy allows access to a principal outside of the 'Zone of Trust' (configured as the AWS Organization). The detection is continuous and event-driven, triggered by policy changes.

aws accessanalyzer list-findings \
  --analyzer-arn <ANALYZER_ARN> \
  --filter '{"resourceType": {"eq": ["AWS::IAM::Role"]}, "isPublic": {"eq": ["false"]}, "status": {"eq": ["ACTIVE"]}}' \
  --query 'findings[?principal.AWS != null]'
SPEC_METADATA

Complexity
medium
Impact
disruptive
Likelihood
high
Residual Risk
medium
Scope
ou
Environment
production, non-production
Resources
iam-role
Remediation
resource
Auto-Remediate
Available
Category
iam
Enforcement
recommended
Tags
iamcross-accounttrust-relationshipsaccess-controlleast-privilegelanding-zonescpaccess-analyzer

Owner
Cloud Security Team
Type
team
Frequency
quarterly

// EXCEPTION

Trusted third-party integrations (e.g., security tooling vendors) may require cross-account access. These must be explicitly approved and documented.

// EXCEPTION

Temporary cross-account access for incident response may be allowed if time-bound and monitored.

// SYSTEM_NOTE

IAM Access Analyzer is the preferred tool for cross-account visibility in landing zones due to its native integration with AWS Organizations and zero additional cost for standard findings. Unlike AWS Config, which charges per-evaluation, Access Analyzer monitors policies continuously without extra per-rule fees.